working-sse-with-n8n-and-authentication

R-Rudolf · R-Rudolf · commit 89dcdc76acaa · 2025-07-27T14:19:12.000+02:00
diff --git a/spendee/spendee_mcp.py b/spendee/spendee_mcp.py
@@ -6,26 +6,33 @@
 from fastapi import FastAPI, HTTPException, Request
 from mcp.server.fastmcp import FastMCP
 from mcp.server.streamable_http_manager import StreamableHTTPSessionManager
-import contextlib
-
+from starlette.routing import Route, Mount
 from starlette.applications import Starlette
-from starlette.routing import Mount
-
-from mcp.server.fastmcp import FastMCP
+from starlette.requests import Request
+from starlette.responses import Response
+from starlette.types import Scope, Receive, Send
+from mcp.server.sse import SseServerTransport
+import hashlib
+import secrets
 
 # to start (after .venv setup):
 #   python spendee/spendee_mcp.py
 
 # to test:
 #   mcp dev spendee/spendee_mcp.py
 # Then on the url: http://localhost:6274/
-# setup "Transport Type" to "Streamable HTTP"
-# and "Server URL" to "http://localhost:8000/mcp"
+# setup for "Transport Type": "Streamable HTTP"
+#    "Server URL" to "http://localhost:8000/mcp"
+# setup for "Transport Type": "SSE"
+#    "Server URL" to "http://localhost:8000/sse"
 
 ACCEPTED_TOKEN = os.environ.get("MCP_TOKEN", "spendee-token")
 PORT = int(os.environ.get("MCP_PORT", 8000))
 DEBUG_MODE = os.environ.get("DEBUG_MODE", "") != ""
-DISABLE_AUTH = os.environ.get("DISABLE_AUTH", "") != ""
+TRANSFER_MODE = os.environ.get("TRANSFER_MODE", "sse").lower()
+
+if TRANSFER_MODE not in ["sse", "streamable-http"]:
+    raise ValueError("TRANSFER_MODE must be either 'sse' or 'streamable-http'")
 
 logging.basicConfig(level=logging.DEBUG)
 logger = logging.getLogger(__name__)
@@ -40,30 +47,40 @@ def get_wallets():
         {"id": 2, "name": "Savings", "currency": "EUR", "balance": 7890.12},
     ]
 
+# Authentication middleware and server setup
 
-def server_with_authentication():
-    session_manager = StreamableHTTPSessionManager(
-        app=mcp._mcp_server,  # Use the underlying MCPServer instance
-    )
+async def check_bearer_auth(request, error_response=None):
+    if DEBUG_MODE:
+        logger.debug(f"Incoming request: method={request.method}, url={request.url}")
+        logger.debug(f"Request headers: {dict(request.headers)}")
 
-    async def auth_middleware(scope, receive, send):
-        request = Request(scope, receive)
-        # Log request method, url, and headers for troubleshooting
-        if DEBUG_MODE:
-            logger.debug(f"Incoming request: method={request.method}, url={request.url}")
-            logger.debug(f"Request headers: {dict(request.headers)}")
+    auth_header = request.headers.get("authorization")
+    if not auth_header or not auth_header.lower().startswith("bearer "):
+        logger.warning("Missing or invalid Authorization header.")
+        if error_response:
+            return await error_response("Missing or invalid Authorization header.", 401)
+        raise HTTPException(401, "Missing or invalid Authorization header.")
 
-        auth_header = request.headers.get("authorization")
+    token = auth_header.split(" ", 1)[1]
+    if token != ACCEPTED_TOKEN:
+        logger.warning("Invalid token.")
+        logger.debug(f"Expected token: '{ACCEPTED_TOKEN}', received token: '{token}'")
+        if error_response:
+            return await error_response("Invalid token.", 401)
+        raise HTTPException(401, "Invalid token.")
+    return None
 
-        if not auth_header or not auth_header.lower().startswith("bearer "):
-            logger.warning("Missing or invalid Authorization header.")
-            raise HTTPException(401, "Missing or invalid Authorization header.")
 
-        token = auth_header.split(" ", 1)[1]
-        if token != ACCEPTED_TOKEN:
-            logger.warning("Invalid or expired token.")
-            raise HTTPException(401, "Invalid or expired token.")
+def streaming_server():
+    session_manager = StreamableHTTPSessionManager(
+        app=mcp._mcp_server,
+    )
 
+    async def auth_middleware(scope, receive, send):
+        request = Request(scope, receive)
+        err = await check_bearer_auth(request)
+        if err:
+            return
         await session_manager.handle_request(scope, receive, send)
 
     @contextlib.asynccontextmanager
@@ -80,59 +97,36 @@ async def lifespan(app: FastAPI):
     logger.info(f"Access the MCP endpoint at http://0.0.0.0:{PORT}/mcp")
     uvicorn.run(app, host="0.0.0.0", port=PORT)
 
-def server_with_sse():
 
-    # Persistent SSE transport instance
-    sse_transport = mcp._sse_transport if hasattr(mcp, "_sse_transport") else None
-    if not sse_transport:
-        # Create and cache the transport instance
-        from mcp.server.sse import SseServerTransport
-        sse_transport = SseServerTransport("/messages/")
-        mcp._sse_transport = sse_transport
+def sse_server():
+    sse_transport = SseServerTransport("/messages/")
+
+    async def error_response(msg, status):
+        response = Response(msg, status_code=status)
+        async def responder(scope, receive, send):
+            await response(scope, receive, send)
+        return responder
 
-    from starlette.requests import Request
-    from starlette.responses import Response
-    from starlette.types import Scope, Receive, Send
+    async def handle_sse(request):
+        async with sse_transport.connect_sse(request.scope, request.receive, request._send) as streams:
+            await mcp._mcp_server.run(streams[0], streams[1], mcp._mcp_server.create_initialization_options())
+        return Response()
+
+    routes = [
+        Route("/sse", endpoint=handle_sse, methods=["GET"]),
+        Mount("/messages/", app=sse_transport.handle_post_message),
+    ]
+    starlette_sse_app = Starlette(routes=routes)
 
     async def sse_auth_middleware(scope: Scope, receive: Receive, send: Send):
         request = Request(scope, receive)
-        if DEBUG_MODE:
-            logger.debug(f"Incoming request: method={request.method}, url={request.url}")
-            logger.debug(f"Request headers: {dict(request.headers)}")
-
-        auth_header = request.headers.get("authorization")
-        if not auth_header or not auth_header.lower().startswith("bearer "):
-            logger.warning("Missing or invalid Authorization header.")
-            response = Response("Missing or invalid Authorization header.", status_code=401)
-            return await response(scope, receive, send)
-
-        token = auth_header.split(" ", 1)[1]
-        if token != ACCEPTED_TOKEN:
-            logger.warning("Invalid or expired token.")
-            response = Response("Invalid or expired token.", status_code=401)
-            return await response(scope, receive, send)
-
-        # If auth passes, route to the persistent SSE transport
-        # Mount /sse and /messages/ endpoints
-        from starlette.routing import Route, Mount
-        from starlette.applications import Starlette
-
-        # Only create the app once
-        if not hasattr(mcp, "_starlette_sse_app"):
-            async def handle_sse(request):
-                async with sse_transport.connect_sse(request.scope, request.receive, request._send) as streams:
-                    await mcp._mcp_server.run(streams[0], streams[1], mcp._mcp_server.create_initialization_options())
-                return Response()
-
-            routes = [
-                Route("/sse", endpoint=handle_sse, methods=["GET"]),
-                Mount("/messages/", app=sse_transport.handle_post_message),
-            ]
-            mcp._starlette_sse_app = Starlette(routes=routes)
-
-        await mcp._starlette_sse_app(scope, receive, send)
-
-    # Mount the auth middleware at root
+        err = await check_bearer_auth(request, error_response)
+        if err:
+            await err(scope, receive, send)
+            return
+
+        await starlette_sse_app(scope, receive, send)
+
     app = Starlette(
         routes=[
             Mount("/", sse_auth_middleware),
@@ -142,16 +136,19 @@ async def handle_sse(request):
 
 
 if __name__ == "__main__":
-    logger.info("Starting Spendee MCP Server as SSE without authentication")
-    # for n8n compatibility, authentication implemented on cloudflare level
-    server_with_sse()
-
-    # if DISABLE_AUTH:
-    #     logger.warning("Running without authentication! This is insecure and should only be used for local testing.")
-    #     #mcp.run(transport="streamable-http")
-    #     mcp.run(transport="sse")
-    # else:
-    #     server_with_authentication()
+    logger.info("Starting Spendee MCP Server")
+    salt = secrets.token_hex(5)
+    token_hash = hashlib.sha256((salt + ACCEPTED_TOKEN).encode()).hexdigest()
+    logger.debug(f"sha256('{salt}' + token): {token_hash}")
+    logger.debug(f"You can verify with: echo -n \"{salt}$MCP_TOKEN\" | sha256sum")
+
+    # I failed to unify both transfer modes, because of some lifecycle issues
+    if TRANSFER_MODE == "streamable-http":
+        logger.info("Using Streamable HTTP transport")
+        streaming_server()
+    else:
+        logger.info("Using SSE transport")
+        sse_server()
 
 
 # relevant URLs for learning:
