feat: add API key bearer token authentication

- ApiKeyVerifier(TokenVerifier) — validates Authorization: Bearer <key> against UNRAID_MCP_API_KEY; guards against empty-key bypass - _build_auth() replaces module-level _build_google_auth() call: returns MultiAuth(server=google, verifiers=[api_key]) when both set, GoogleProvider alone, ApiKeyVerifier alone, or None - settings.py: add UNRAID_MCP_API_KEY + is_api_key_auth_configured() + api_key_auth_enabled in get_config_summary() - run_server(): improved auth status logging for all three states - tests/test_api_key_auth.py: 9 tests covering verifier + _build_auth - .env.example: add UNRAID_MCP_API_KEY section - docs/GOOGLE_OAUTH.md: add API Key section - README.md / CLAUDE.md: rename section, document both auth methods - Fix pre-existing: test_health.py patched cache_middleware/error_middleware now match renamed _cache_middleware/_error_middleware in server.py
2026-03-16 11:11:38 -04:00
parent 6f7a58a0f9
commit cc24f1ec62
16 changed files with 406 additions and 69 deletions
--- a/.env.example
+++ b/.env.example
@@ -61,4 +61,16 @@ UNRAID_MAX_RECONNECT_ATTEMPTS=10
 # GOOGLE_CLIENT_ID=
 # GOOGLE_CLIENT_SECRET=
 # UNRAID_MCP_BASE_URL=http://10.1.0.2:6970
-# UNRAID_MCP_JWT_SIGNING_KEY=<generate with command above>
+# UNRAID_MCP_JWT_SIGNING_KEY=<generate with command above>
+
+# API Key Authentication (Optional)
+# -----------------------------------
+# Alternative to Google OAuth — clients present this key as a bearer token:
+#   Authorization: Bearer <UNRAID_MCP_API_KEY>
+#
+# Can be the same value as UNRAID_API_KEY (reuse your Unraid key), or a
+# separate dedicated secret.  Set both GOOGLE_CLIENT_ID and UNRAID_MCP_API_KEY
+# to accept either auth method (MultiAuth).
+#
+# Leave empty to disable API key auth.
+# UNRAID_MCP_API_KEY=