feat: add API key bearer token authentication

- ApiKeyVerifier(TokenVerifier) — validates Authorization: Bearer <key> against UNRAID_MCP_API_KEY; guards against empty-key bypass - _build_auth() replaces module-level _build_google_auth() call: returns MultiAuth(server=google, verifiers=[api_key]) when both set, GoogleProvider alone, ApiKeyVerifier alone, or None - settings.py: add UNRAID_MCP_API_KEY + is_api_key_auth_configured() + api_key_auth_enabled in get_config_summary() - run_server(): improved auth status logging for all three states - tests/test_api_key_auth.py: 9 tests covering verifier + _build_auth - .env.example: add UNRAID_MCP_API_KEY section - docs/GOOGLE_OAUTH.md: add API Key section - README.md / CLAUDE.md: rename section, document both auth methods - Fix pre-existing: test_health.py patched cache_middleware/error_middleware now match renamed _cache_middleware/_error_middleware in server.py
2026-03-16 11:11:38 -04:00
parent 6f7a58a0f9
commit cc24f1ec62
16 changed files with 406 additions and 69 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -61,29 +61,33 @@ docker compose down
  - `UNRAID_MCP_PORT`: Server port (default: 6970)
  - `UNRAID_MCP_HOST`: Server host (default: 0.0.0.0)

-### Google OAuth (Optional — protects the HTTP server)
+### Authentication (Optional — protects the HTTP server)

-When `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, and `UNRAID_MCP_BASE_URL` are all set,
-the MCP server requires Google login before any tool call.
+Two independent methods. Use either or both — when both are set, `MultiAuth` accepts either.

-| Env Var | Required | Purpose |
-|---------|----------|---------|
-| `GOOGLE_CLIENT_ID` | For OAuth | Google OAuth 2.0 Client ID |
-| `GOOGLE_CLIENT_SECRET` | For OAuth | Google OAuth 2.0 Client Secret |
-| `UNRAID_MCP_BASE_URL` | For OAuth | Public URL of this server (e.g. `http://10.1.0.2:6970`) |
-| `UNRAID_MCP_JWT_SIGNING_KEY` | Recommended | Stable 32+ char secret — prevents token invalidation on restart |
+**Google OAuth** — requires all three vars:

-**Google Cloud Console setup:**
-1. APIs & Services → Credentials → Create OAuth 2.0 Client ID (Web application)
-2. Authorized redirect URIs: `<UNRAID_MCP_BASE_URL>/auth/callback`
-3. Copy Client ID + Secret to `~/.unraid-mcp/.env`
+| Env Var | Purpose |
+|---------|---------|
+| `GOOGLE_CLIENT_ID` | Google OAuth 2.0 Client ID |
+| `GOOGLE_CLIENT_SECRET` | Google OAuth 2.0 Client Secret |
+| `UNRAID_MCP_BASE_URL` | Public URL of this server (e.g. `http://10.1.0.2:6970`) |
+| `UNRAID_MCP_JWT_SIGNING_KEY` | Stable 32+ char secret — prevents token invalidation on restart |
+
+Google Cloud Console setup: APIs & Services → Credentials → OAuth 2.0 Client ID (Web application) → Authorized redirect URIs: `<UNRAID_MCP_BASE_URL>/auth/callback`
+
+**API Key** — clients present as `Authorization: Bearer <key>`:
+
+| Env Var | Purpose |
+|---------|---------|
+| `UNRAID_MCP_API_KEY` | Static bearer token (can be same value as `UNRAID_API_KEY`) |

 **Generate a stable JWT signing key:**
 ```bash
 python3 -c "import secrets; print(secrets.token_hex(32))"
 ```

-**Omit `GOOGLE_CLIENT_ID` to run without auth** (default — preserves existing behaviour).
+**Omit all auth vars to run without auth** (default — open server).

 **Full guide:** [`docs/GOOGLE_OAUTH.md`](docs/GOOGLE_OAUTH.md)