Merge pull request #2 from sigbit/add-password-auth

Add password auth

Author: hrntknr

README.md

@@ -11,17 +11,29 @@ docker run --rm -p 8081:8081 --net=host \
   -e EXTERNAL_URL=http://localhost:8081 \
   -e PROXY_URL=http://localhost:8080 \
   -e GLOBAL_SECRET=$(openssl rand -hex 32) \
-  -e GOOGLE_CLIENT_ID=... \
-  -e GOOGLE_CLIENT_SECRET=... \
-  -e GOOGLE_ALLOWED_USERS=... \
+  -e PASSWORD=changeme \
+  -v ./data:/data \
   ghcr.io/sigbit/mcp-auth-proxy:latest
 ```
 
+.mcp.json
+```json
+{
+  "mcpServers": {
+    "mcp": {
+      "type": "http",
+      "url": "http://localhost:8081/mcp"
+    }
+  }
+}
+```
+
+
 ## Overview
 
 MCP Auth Proxy is a secure OAuth 2.1 authentication proxy for Model Context Protocol (MCP) servers. MCP servers are expected to support not only standard OAuth 2.1 flows but also Dynamic Client support (e.g., dynamic client registration) and authentication-related .well-known metadata. On top of that, different MCP clients handle tokens differently, which makes implementation tricky.
 
-MCP Auth Proxy sits in front of your MCP services and enforces sign-in with OAuth providers (such as Google or GitHub) before users can access protected MCP resources.
+MCP Auth Proxy sits in front of your MCP services and enforces sign-in with OAuth providers (such as Google or GitHub) or password before users can access protected MCP resources.
 
 ## Note
 
@@ -38,16 +50,16 @@ For a simpler approach to publish local MCP servers over OAuth, consider [MCP Wa
 | `EXTERNAL_URL`         | No       | External URL for OAuth callbacks                 | `http://localhost:8081` |
 | `PROXY_URL`            | No       | Target MCP server URL                            | `http://localhost:8080` |
 | `GLOBAL_SECRET`        | No       | Global secret for session encryption             | `supersecret`           |
-| `GOOGLE_CLIENT_ID`     | No*      | Google OAuth client ID                           | -                       |
-| `GOOGLE_CLIENT_SECRET` | No*      | Google OAuth client secret                       | -                       |
-| `GOOGLE_ALLOWED_USERS` | No*      | Comma-separated list of allowed Google emails    | -                       |
-| `GITHUB_CLIENT_ID`     | No*      | GitHub OAuth client ID                           | -                       |
-| `GITHUB_CLIENT_SECRET` | No*      | GitHub OAuth client secret                       | -                       |
-| `GITHUB_ALLOWED_USERS` | No*      | Comma-separated list of allowed GitHub usernames | -                       |
+| `GOOGLE_CLIENT_ID`     | No       | Google OAuth client ID                           | -                       |
+| `GOOGLE_CLIENT_SECRET` | No       | Google OAuth client secret                       | -                       |
+| `GOOGLE_ALLOWED_USERS` | No       | Comma-separated list of allowed Google emails    | -                       |
+| `GITHUB_CLIENT_ID`     | No       | GitHub OAuth client ID                           | -                       |
+| `GITHUB_CLIENT_SECRET` | No       | GitHub OAuth client secret                       | -                       |
+| `GITHUB_ALLOWED_USERS` | No       | Comma-separated list of allowed GitHub usernames | -                       |
+| `PASSWORD`             | No       | Password for authentication                      | -                       |
+| `PASSWORD_HASH`        | No       | Hash of the password for authentication          | -                       |
 | `MODE`                 | No       | Set to `debug` for development mode              | `production`            |
 
-*At least one OAuth provider must be configured (Google or GitHub)
-
 ### OAuth Provider Setup
 
 #### Google OAuth Setup
@@ -61,57 +73,40 @@ For a simpler approach to publish local MCP servers over OAuth, consider [MCP Wa
 1. Go to the [Register new GitHub App](https://github.com/settings/apps/new)
 2. Set Authorization callback URL: `{EXTERNAL_URL}/.auth/github/callback`
 
-## 🚀 Installation & Usage
+## 🚀 Usage
 
-### Method 1: Direct Binary
+### Method 1: Download Binary
 
-```bash
-# Clone the repository
-git clone https://github.com/sigbit/mcp-auth-proxy.git
-cd mcp-auth-proxy
-
-# Build the binary
-go build -o mcp-auth-proxy .
-
-# Run with environment variables
-export GOOGLE_CLIENT_ID="your-google-client-id"
-export GOOGLE_CLIENT_SECRET="your-google-client-secret"
-export GOOGLE_ALLOWED_USERS="[email protected],[email protected]"
-./mcp-auth-proxy
-```
-
-### Method 2: Command Line Arguments
+Download the latest binary from [releases](https://github.com/sigbit/mcp-auth-proxy/releases) and run with command line options:
 
 ```bash
 ./mcp-auth-proxy \
-  --external-url "https://your-domain.com" \
-  --proxy-url "http://your-mcp-server:8080" \
+  --external-url "http://localhost:8081" \
+  --proxy-url "http://localhost:8080" \
+  --global-secret "$(openssl rand -hex 32)" \
   --google-client-id "your-google-client-id" \
   --google-client-secret "your-google-client-secret" \
-  --google-allowed-users "[email protected],[email protected]"
+  --google-allowed-users "[email protected],[email protected]" \
+  --github-client-id "your-github-client-id" \
+  --github-client-secret "your-github-client-secret" \
+  --github-allowed-users "username1,username2" \
+  --password "changeme"
 ```
 
-### Method 3: Docker Compose (Recommended)
-
-1. Create a `.env` file in the `example/` directory:
-
-```env
-GLOBAL_SECRET=your-super-secret-key-here
-GOOGLE_CLIENT_ID=your-google-client-id
-GOOGLE_CLIENT_SECRET=your-google-client-secret
-[email protected],[email protected]
-GITHUB_CLIENT_ID=your-github-client-id
-GITHUB_CLIENT_SECRET=your-github-client-secret
-GITHUB_ALLOWED_USERS=username1,username2
-```
-
-2. Run with Docker Compose:
+### Method 2: Docker
 
 ```bash
-cd example/
-docker compose up -d
+docker run --rm -p 8081:8081 --net=host \
+  -e EXTERNAL_URL=http://localhost:8081 \
+  -e PROXY_URL=http://localhost:8080 \
+  -e GLOBAL_SECRET=$(openssl rand -hex 32) \
+  -e GOOGLE_CLIENT_ID="your-google-client-id" \
+  -e GOOGLE_CLIENT_SECRET="your-google-client-secret" \
+  -e GOOGLE_ALLOWED_USERS="[email protected],[email protected]" \
+  -e GITHUB_CLIENT_ID="your-github-client-id" \
+  -e GITHUB_CLIENT_SECRET="your-github-client-secret" \
+  -e GITHUB_ALLOWED_USERS="username1,username2" \
+  -e PASSWORD=changeme \
+  -v ./data:/data \
+  ghcr.io/sigbit/mcp-auth-proxy:latest
 ```
-
-This will start:
-- MCP Auth Proxy on port 8081
-- Playwright MCP server on port 8931 (as an example backend)

example/.env.example

@@ -1,3 +1,6 @@
+# for google oauth Authentication
 GOOGLE_CLIENT_ID=**********************
 GOOGLE_CLIENT_SECRET=**********************
 GOOGLE_ALLOWED_USERS=[email protected],[email protected]
+# for Password Authentication
+PASSWORD=changeme

main.go

@@ -27,6 +27,8 @@ func main() {
 	var githubClientID string
 	var githubClientSecret string
 	var githubAllowedUsers string
+	var password string
+	var passwordHash string
 
 	rootCmd := &cobra.Command{
 		Use: "mcp-warp",
@@ -59,6 +61,8 @@ func main() {
 				githubClientID,
 				githubClientSecret,
 				githubAllowedUsersList,
+				password,
+				passwordHash,
 			); err != nil {
 				panic(err)
 			}
@@ -70,17 +74,21 @@ func main() {
 	rootCmd.Flags().StringVarP(&externalURL, "external-url", "e", getEnvWithDefault("EXTERNAL_URL", "http://localhost:8081"), "External URL for the proxy")
 	rootCmd.Flags().StringVarP(&proxyURL, "proxy-url", "p", getEnvWithDefault("PROXY_URL", "http://localhost:8080"), "Proxy URL for the proxy")
 	rootCmd.Flags().StringVarP(&globalSecret, "global-secret", "s", getEnvWithDefault("GLOBAL_SECRET", "supersecret"), "Global secret for the proxy")
-	
+
 	// Google OAuth configuration
 	rootCmd.Flags().StringVar(&googleClientID, "google-client-id", getEnvWithDefault("GOOGLE_CLIENT_ID", ""), "Google OAuth client ID")
 	rootCmd.Flags().StringVar(&googleClientSecret, "google-client-secret", getEnvWithDefault("GOOGLE_CLIENT_SECRET", ""), "Google OAuth client secret")
 	rootCmd.Flags().StringVar(&googleAllowedUsers, "google-allowed-users", getEnvWithDefault("GOOGLE_ALLOWED_USERS", ""), "Comma-separated list of allowed Google users (emails)")
-	
+
 	// GitHub OAuth configuration
 	rootCmd.Flags().StringVar(&githubClientID, "github-client-id", getEnvWithDefault("GITHUB_CLIENT_ID", ""), "GitHub OAuth client ID")
 	rootCmd.Flags().StringVar(&githubClientSecret, "github-client-secret", getEnvWithDefault("GITHUB_CLIENT_SECRET", ""), "GitHub OAuth client secret")
 	rootCmd.Flags().StringVar(&githubAllowedUsers, "github-allowed-users", getEnvWithDefault("GITHUB_ALLOWED_USERS", ""), "Comma-separated list of allowed GitHub users (usernames)")
 
+	// Password authentication
+	rootCmd.Flags().StringVar(&password, "password", getEnvWithDefault("PASSWORD", ""), "Plain text password for authentication (will be hashed with bcrypt)")
+	rootCmd.Flags().StringVar(&passwordHash, "password-hash", getEnvWithDefault("PASSWORD_HASH", ""), "Bcrypt hash of password for authentication")
+
 	if err := rootCmd.Execute(); err != nil {
 		panic(err)
 	}

pkg/auth/main.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 )
 
@@ -25,12 +26,13 @@ type Provider interface {
 }
 
 type AuthRouter struct {
-	providers           map[string]Provider
-	template            *template.Template
+	passwordHash         []string
+	providers            map[string]Provider
+	template             *template.Template
 	unauthorizedTemplate *template.Template
 }
 
-func NewAuthRouter(providers ...Provider) (*AuthRouter, error) {
+func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, error) {
 	providersMap := make(map[string]Provider)
 	for _, provider := range providers {
 		providersMap[provider.Name()] = provider
@@ -40,15 +42,16 @@ func NewAuthRouter(providers ...Provider) (*AuthRouter, error) {
 	if err != nil {
 		return nil, err
 	}
-	
+
 	unauthorizedTmpl, err := template.ParseFS(templateFS, "templates/unauthorized.html")
 	if err != nil {
 		return nil, err
 	}
 
 	return &AuthRouter{
-		providers:           providersMap,
-		template:            tmpl,
+		passwordHash:         passwordHash,
+		providers:            providersMap,
+		template:             tmpl,
 		unauthorizedTemplate: unauthorizedTmpl,
 	}, nil
 }
@@ -60,10 +63,14 @@ const (
 	GoogleCallbackEndpoint = "/.auth/google/callback"
 	GitHubAuthEndpoint     = "/.auth/github"
 	GitHubCallbackEndpoint = "/.auth/github/callback"
+	
+	PasswordProvider = "password"
+	PasswordUserID   = "password_user"
 )
 
 func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
 	router.GET(LoginEndpoint, a.handleLogin)
+	router.POST(LoginEndpoint, a.handleLoginPost)
 	router.GET(LogoutEndpoint, a.handleLogout)
 	for providerName, provider := range a.providers {
 		router.GET(provider.RedirectURL(), func(c *gin.Context) {
@@ -103,6 +110,11 @@ type ProviderData struct {
 }
 
 func (a *AuthRouter) handleLogin(c *gin.Context) {
+	if c.Request.Method == "POST" {
+		a.handleLoginPost(c)
+		return
+	}
+
 	var providersData []ProviderData
 	for name := range a.providers {
 		providersData = append(providersData, ProviderData{
@@ -112,9 +124,13 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 	}
 
 	data := struct {
-		Providers []ProviderData
+		Providers     []ProviderData
+		HasPassword   bool
+		PasswordError string
 	}{
-		Providers: providersData,
+		Providers:     providersData,
+		HasPassword:   len(a.passwordHash) > 0,
+		PasswordError: "",
 	}
 
 	c.Header("Content-Type", "text/html; charset=utf-8")
@@ -124,11 +140,73 @@ func (a *AuthRouter) handleLogin(c *gin.Context) {
 	}
 }
 
+func (a *AuthRouter) handleLoginPost(c *gin.Context) {
+	password := c.PostForm("password")
+	var errorMessage string
+
+	if password == "" {
+		errorMessage = "Password is required"
+	} else {
+		var isValid bool
+		for _, hash := range a.passwordHash {
+			err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+			if err == nil {
+				isValid = true
+				break
+			}
+		}
+
+		if !isValid {
+			errorMessage = "Invalid password"
+		}
+	}
+
+	if errorMessage != "" {
+		var providersData []ProviderData
+		for name := range a.providers {
+			providersData = append(providersData, ProviderData{
+				Name: name,
+				URL:  a.providers[name].AuthURL(),
+			})
+		}
+
+		data := struct {
+			Providers     []ProviderData
+			HasPassword   bool
+			PasswordError string
+		}{
+			Providers:     providersData,
+			HasPassword:   len(a.passwordHash) > 0,
+			PasswordError: errorMessage,
+		}
+
+		c.Header("Content-Type", "text/html; charset=utf-8")
+		c.Status(http.StatusBadRequest)
+		if err := a.template.Execute(c.Writer, data); err != nil {
+			c.AbortWithError(http.StatusInternalServerError, err)
+			return
+		}
+		return
+	}
+
+	session := sessions.Default(c)
+	session.Set("provider", PasswordProvider)
+	session.Set("user_id", PasswordUserID)
+	session.Save()
+
+	redirectURL := session.Get("redirect_url")
+	if redirectURL == nil {
+		c.Redirect(http.StatusFound, "/")
+		return
+	}
+	c.Redirect(http.StatusFound, redirectURL.(string))
+}
+
 func (a *AuthRouter) handleLogout(c *gin.Context) {
 	session := sessions.Default(c)
 	session.Clear()
 	session.Save()
-	c.Redirect(http.StatusFound, LoginEndpoint)
+	c.String(http.StatusOK, "Logged out")
 }
 
 func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
@@ -142,6 +220,13 @@ func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
 			c.Redirect(http.StatusFound, LoginEndpoint)
 			return
 		}
+
+		// Allow password authentication
+		if providerName.(string) == PasswordProvider {
+			c.Next()
+			return
+		}
+
 		p, ok := a.providers[providerName.(string)]
 		if !ok {
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Unknown provider"})