Merge branch 'rc-v1' into 'v1'

use express-jwt instead of manual

See merge request subtype/subspace-api!5

Author: subtype

package-lock.json

@@ -21,6 +21,7 @@
   "license": "ISC",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.9.0",
+    "express-jwt": "^8.5.1",
     "express-rate-limit": "^7.5.0",
     "jose": "^6.0.10",
     "prettier": "3.5.3",
@@ -29,6 +30,7 @@
   },
   "devDependencies": {
     "@types/express": "^5.0.1",
+    "@types/express-jwt": "^6.0.4",
     "@types/jsonwebtoken": "^9.0.9",
     "@types/node": "^22.14.1",
     "dotenv": "^16.5.0",

package.json

@@ -10,7 +10,7 @@ import helmet from 'helmet'
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js'
 import { registerTools } from './v1/mcp/registerTools.js'
-import { validateJWT, authRequired } from './utils/auth.js'
+import { logIncomingAuth, authRequired, authOptional } from './utils/auth.js'
 
 
 logger.info('Initializing MCP server...')
@@ -33,7 +33,7 @@ logger.info('Registering tools with MCP server...')
 registerTools(mcpServer)
 
 // Discovery endpoint
-server.get('/sse', authRequired, async (req: Request, res: Response) => {
+server.get('/sse', logIncomingAuth, authRequired, async (req: Request, res: Response) => {
 
   const transport = new SSEServerTransport('/messages', res)
   transports[transport.sessionId] = transport
@@ -46,7 +46,7 @@ server.get('/sse', authRequired, async (req: Request, res: Response) => {
 })
 
 // MCP Handler
-server.post('/messages', authRequired, async (req: Request, res: Response) => {
+server.post('/messages', logIncomingAuth, authRequired, async (req: Request, res: Response) => {
   const sessionId = req.query.sessionId as string
 
   if (typeof sessionId != 'string') {
@@ -63,18 +63,22 @@ server.post('/messages', authRequired, async (req: Request, res: Response) => {
   }
 })
 
+logger.info('Setting up middleware...')
+// Set up rate limiting
+const limiter = rateLimit({ windowMs: 60 * 1000, max: 60 })
+
+server.use(helmet())
+server.use(limiter)
+
 logger.info('Initializing routes...')
 // Declare regular REST API routing
 server.use('/', express.json(), statusRouter)
 server.use('/v1/trmnl', express.json(), trmnlRouter)
 server.use('/health', express.json(), statusRouter)
 
-logger.info('Setting up middleware...')
-// Set up rate limiting
-const limiter = rateLimit({ windowMs: 60 * 1000, max: 60 })
+// reverse proxy
+server.set('trust proxy', 1)
 
-server.use(limiter)
-server.use(helmet())
 
 server.listen(PORT, () => {
   logger.info(`Using log level: ${process.env.LOG_LEVEL || 'info'}`)

src/server.ts

@@ -1,38 +1,31 @@
+import { expressjwt } from 'express-jwt'
 import { Request, Response, NextFunction } from 'express'
 import { logger } from './logger.js'
-import jwt, { Secret } from 'jsonwebtoken'
 
-export function validateJWT(req: Request) {
-  const secret = process.env.JWT_SECRET
-  if (!secret) {
-    logger.error('JWT secret is not defined in the environment!')
-    return null
-  }
-  const authHeader = req.headers.authorization
+const JWT_SECRET = process.env.JWT_SECRET
+
+export function logIncomingAuth(req: Request, res: Response, next: NextFunction) {
   logger.debug('Incoming headers:', req.headers)
-  if (!authHeader?.startsWith('Bearer ')) {
-    logger.error('No auth header!')
-    return null
-  }
-  // Get token from auth header since it'd look like "Bearer <token>"
-  const token = authHeader.split(' ')[1]
-  logger.debug('Inspecting token', token)
 
-  try {
-    const decodedToken = jwt.verify(token, secret as Secret)
-    return decodedToken
-  } catch (error) {
-    logger.warn('JWT validation failed', error)
-    return null
+  const authHeader = req.headers.authorization
+  if (!authHeader?.startsWith('Bearer ')) {
+    logger.warn('No auth header or bad format')
+  } else {
+    const token = authHeader.split(' ')[1]
+    logger.debug('Inspecting token:', token)
   }
-}
 
-export async function authRequired(req: Request, res: Response, next: NextFunction) {
-  const user = validateJWT(req)
-  if (!user) {
-    logger.warn('Incoming request failed JWT validation')
-    res.status(401).send({ message: 'Unauthorized' })
-  }
-  // handle user logic way way way later
   next()
 }
+
+export const authRequired = expressjwt({
+  secret: JWT_SECRET!,
+  algorithms: ['HS256'],
+  credentialsRequired: true,
+})
+
+export const authOptional = expressjwt({
+  secret: JWT_SECRET!,
+  algorithms: ['HS256'],
+  credentialsRequired: false,
+})