Harden server; add authenticated Streamable HTTP transport and Nix module
- Streamable HTTP transport (MCP_TRANSPORT=http) with mandatory auth: static bearer tokens or OIDC resource-server mode (JWT via JWKS, or RFC 7662 introspection), RFC 9728 protected-resource metadata, and DNS-rebinding protection - secrets loadable from files via *_FILE variants - timeouts on all outbound requests; JORTT_READ_ONLY tool filtering - OpenAPI spec committed and bundled; no implicit network fetches - Nix flake: sandboxed package build + hardened NixOS module taking an EnvironmentFile (agenix-friendly) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
240a53fade
commit
a73af353d4
17 changed files with 1255 additions and 77 deletions
30
.env.example
30
.env.example
|
|
@ -1,6 +1,36 @@
|
|||
# Copy to .env and fill in credentials from your registered Jortt API application:
|
||||
# https://app.jortt.nl/new_profile/api/jortt/oauth_applications/list
|
||||
# Every secret below can alternatively be read from a file via <NAME>_FILE,
|
||||
# e.g. JORTT_CLIENT_SECRET_FILE=/run/agenix/jortt-client-secret
|
||||
JORTT_CLIENT_ID=
|
||||
JORTT_CLIENT_SECRET=
|
||||
|
||||
# Optional: space-separated scopes to request (defaults to all registered scopes)
|
||||
# JORTT_SCOPES=invoices:read customers:read reports:read
|
||||
|
||||
# Optional: expose only GET (list/get) tools
|
||||
# JORTT_READ_ONLY=1
|
||||
|
||||
# --- HTTP transport (default is stdio) ---
|
||||
# MCP_TRANSPORT=http
|
||||
# MCP_HOST=127.0.0.1
|
||||
# MCP_PORT=3910
|
||||
|
||||
# Authentication for incoming MCP requests: "token" or "oidc" (required for http)
|
||||
# MCP_AUTH_MODE=token
|
||||
# MCP_AUTH_TOKEN= # generate with: openssl rand -hex 32
|
||||
|
||||
# OIDC resource-server mode (auth by an external OAuth provider / proxy):
|
||||
# MCP_AUTH_MODE=oidc
|
||||
# MCP_OIDC_ISSUER=https://auth.example.com
|
||||
# MCP_RESOURCE_URL=https://jortt-mcp.example.com/mcp
|
||||
# MCP_OIDC_AUDIENCE= # defaults to MCP_RESOURCE_URL
|
||||
# MCP_OIDC_ALLOWED_SUBJECTS=kate,kate@example.com
|
||||
# For issuers with opaque tokens (e.g. Authelia), use RFC 7662 introspection:
|
||||
# MCP_OIDC_INTROSPECTION_URL= # discovered from the issuer when omitted
|
||||
# MCP_OIDC_CLIENT_ID=
|
||||
# MCP_OIDC_CLIENT_SECRET=
|
||||
|
||||
# DNS-rebinding protection: exact Host / Origin header allowlists
|
||||
# MCP_ALLOWED_HOSTS=jortt-mcp.example.com
|
||||
# MCP_ALLOWED_ORIGINS=
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue