fix: address code review issues — MCP auth, error handling, password route

- MCP auth middleware now rejects requests without API key when users exist - Image /from-url route distinguishes validation errors (400) from server errors (500) - Password change route returns 401 when no session cookie instead of crashing Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:42:34 +02:00
parent ba9662aeaf
commit 17d76761bb
3 changed files with 23 additions and 6 deletions
--- a/src/server/mcp/index.ts
+++ b/src/server/mcp/index.ts
@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { Hono } from "hono";
 import { db as prodDb } from "@/db/index.ts";
-import { verifyApiKey } from "../services/auth.service.ts";
+import { getUserCount, verifyApiKey } from "../services/auth.service.ts";
 import { getCollectionSummary } from "./resources/collection.ts";
 import {
 	categoryToolDefinitions,
@@ -90,13 +90,16 @@ mcpRoutes.use("/*", async (c, next) => {
 	const db = c.get("db") ?? prodDb;
 	const apiKey = c.req.header("X-API-Key");

-	if (apiKey) {
+	// Require API key when auth is configured (users exist)
+	if (getUserCount(db) > 0) {
+		if (!apiKey) {
+			return c.json({ error: "API key required" }, 401);
+		}
 		const valid = await verifyApiKey(db, apiKey);
 		if (!valid) {
 			return c.json({ error: "Invalid API key" }, 401);
 		}
 	}
-	// If no API key header, allow through (unauthenticated access when auth not configured)

 	return next();
 });