mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-02 12:22:22 +00:00
resolveMCPAllowlists now returns appsEnabled from the merged tenant-scoped config, so a tenant/role/user override of mcpSettings.apps reaches the registry's per-request resolution and callTool attaches no UI resource for users whose tenant disabled apps. Authorize app-driven resource reads in the canonical (fully percent-decoded) space the server resolves and reject any relative path segment, so a percent-encoded traversal such as %2e%2e%2f can no longer match an advertised template. Exact resources/list matches are unaffected. Trim narrating comments across the MCP Apps changes so the code is self-documenting.
62 lines
2.2 KiB
JavaScript
62 lines
2.2 KiB
JavaScript
const mongoose = require('mongoose');
|
|
const { logger } = require('@librechat/data-schemas');
|
|
const { mergeAppTools, getAppConfig } = require('./Config');
|
|
const { createMCPServersRegistry, createMCPManager } = require('~/config');
|
|
|
|
/**
|
|
* Resolves the current request's effective MCP allowlists from the merged (tenant-scoped)
|
|
* config. The registry calls this per inspection/connection so admin-panel `mcpSettings`
|
|
* overrides are honored without a restart. Tenant comes from the ALS context inside
|
|
* `getAppConfig`; `userId`/`role` pick up user/role-scoped overrides when an actor exists.
|
|
* @param {{ userId?: string, role?: string }} [ctx]
|
|
*/
|
|
async function resolveMCPAllowlists(ctx) {
|
|
const appConfig = await getAppConfig({ role: ctx?.role, userId: ctx?.userId });
|
|
return {
|
|
allowedDomains: appConfig?.mcpSettings?.allowedDomains,
|
|
allowedAddresses: appConfig?.mcpSettings?.allowedAddresses,
|
|
appsEnabled: appConfig?.mcpSettings?.apps,
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Initialize MCP servers
|
|
*/
|
|
async function initializeMCPs() {
|
|
const appConfig = await getAppConfig({ baseOnly: true });
|
|
const mcpServers = appConfig.mcpConfig;
|
|
|
|
try {
|
|
createMCPServersRegistry(
|
|
mongoose,
|
|
appConfig?.mcpSettings?.allowedDomains,
|
|
appConfig?.mcpSettings?.allowedAddresses,
|
|
resolveMCPAllowlists,
|
|
appConfig?.mcpSettings?.apps,
|
|
);
|
|
} catch (error) {
|
|
logger.error('[MCP] Failed to initialize MCPServersRegistry:', error);
|
|
throw error;
|
|
}
|
|
|
|
try {
|
|
const mcpManager = await createMCPManager(mcpServers || {});
|
|
|
|
if (mcpServers && Object.keys(mcpServers).length > 0) {
|
|
const mcpTools = (await mcpManager.getAppToolFunctions()) || {};
|
|
await mergeAppTools(mcpTools);
|
|
const serverCount = Object.keys(mcpServers).length;
|
|
const toolCount = Object.keys(mcpTools).length;
|
|
logger.info(
|
|
`[MCP] Initialized with ${serverCount} configured ${serverCount === 1 ? 'server' : 'servers'} and ${toolCount} ${toolCount === 1 ? 'tool' : 'tools'}.`,
|
|
);
|
|
} else {
|
|
logger.debug('[MCP] No servers configured. MCPManager ready for UI-based servers.');
|
|
}
|
|
} catch (error) {
|
|
logger.error('[MCP] Failed to initialize MCPManager:', error);
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
module.exports = initializeMCPs;
|