feat(16-03): wire userId into MCP server and tool registrations

- Update createMcpServer signature to accept (db, userId)
- MCP auth middleware resolves userId from API key and Bearer token
- Store userId alongside transport in session map
- All 4 tool registration functions accept and pass userId
- Collection summary resource passes userId to all service calls
This commit is contained in:
2026-04-05 10:52:43 +02:00
parent e78002208a
commit d4bf4f5c16
6 changed files with 70 additions and 54 deletions

View File

@@ -17,32 +17,32 @@ import { registerThreadTools, threadToolDefinitions } from "./tools/threads.ts";
type Db = typeof prodDb;
function createMcpServer(db: Db): McpServer {
function createMcpServer(db: Db, userId: number): McpServer {
const server = new McpServer({ name: "GearBox", version: "1.0.0" });
// Register item tools
const itemHandlers = registerItemTools(db);
const itemHandlers = registerItemTools(db, userId);
for (const def of itemToolDefinitions) {
const handler = itemHandlers[def.name as keyof typeof itemHandlers];
server.tool(def.name, def.description, def.inputSchema, handler);
}
// Register category tools
const categoryHandlers = registerCategoryTools(db);
const categoryHandlers = registerCategoryTools(db, userId);
for (const def of categoryToolDefinitions) {
const handler = categoryHandlers[def.name as keyof typeof categoryHandlers];
server.tool(def.name, def.description, def.inputSchema, handler);
}
// Register thread tools
const threadHandlers = registerThreadTools(db);
const threadHandlers = registerThreadTools(db, userId);
for (const def of threadToolDefinitions) {
const handler = threadHandlers[def.name as keyof typeof threadHandlers];
server.tool(def.name, def.description, def.inputSchema, handler);
}
// Register setup tools
const setupHandlers = registerSetupTools(db);
const setupHandlers = registerSetupTools(db, userId);
for (const def of setupToolDefinitions) {
const handler = setupHandlers[def.name as keyof typeof setupHandlers];
server.tool(def.name, def.description, def.inputSchema, handler);
@@ -65,7 +65,7 @@ function createMcpServer(db: Db): McpServer {
mimeType: "application/json",
},
async () => {
const summary = await getCollectionSummary(db);
const summary = await getCollectionSummary(db, userId);
return {
contents: [
{
@@ -81,12 +81,15 @@ function createMcpServer(db: Db): McpServer {
return server;
}
// Store active transports by session ID
const transports = new Map<string, WebStandardStreamableHTTPServerTransport>();
// Store active transports by session ID (with userId for session reuse)
const transports = new Map<
string,
{ transport: WebStandardStreamableHTTPServerTransport; userId: number }
>();
export const mcpRoutes = new Hono();
// Auth middleware for all MCP requests
// Auth middleware for all MCP requests — resolves userId
mcpRoutes.use("/*", async (c, next) => {
const db = c.get("db") ?? prodDb;
@@ -94,7 +97,9 @@ mcpRoutes.use("/*", async (c, next) => {
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
const token = authHeader.slice(7);
if (await verifyAccessToken(db, token)) {
const result = await verifyAccessToken(db, token);
if (result) {
c.set("userId", result.userId);
return next();
}
return c.json({ error: "invalid_token" }, 401);
@@ -103,8 +108,9 @@ mcpRoutes.use("/*", async (c, next) => {
// Try API key
const apiKey = c.req.header("X-API-Key");
if (apiKey) {
const valid = await verifyApiKey(db, apiKey);
if (valid) {
const result = await verifyApiKey(db, apiKey);
if (result) {
c.set("userId", result.userId);
return next();
}
return c.json({ error: "Invalid API key" }, 401);
@@ -121,16 +127,17 @@ mcpRoutes.use("/*", async (c, next) => {
mcpRoutes.post("/", async (c) => {
const db = c.get("db") ?? prodDb;
const userId = c.get("userId") as number;
// Check for existing session
const sessionId = c.req.header("mcp-session-id");
if (sessionId) {
const transport = transports.get(sessionId);
if (!transport) {
const session = transports.get(sessionId);
if (!session) {
return c.json({ error: "Session not found" }, 404);
}
const response = await transport.handleRequest(c.req.raw);
const response = await session.transport.handleRequest(c.req.raw);
return response;
}
@@ -138,19 +145,19 @@ mcpRoutes.post("/", async (c) => {
const transport = new WebStandardStreamableHTTPServerTransport({
sessionIdGenerator: () => randomUUID(),
onsessioninitialized: (newSessionId) => {
transports.set(newSessionId, transport);
transports.set(newSessionId, { transport, userId });
},
});
// Clean up on close
transport.onclose = () => {
const sid = [...transports.entries()].find(
([_, t]) => t === transport,
([_, s]) => s.transport === transport,
)?.[0];
if (sid) transports.delete(sid);
};
const server = createMcpServer(db);
const server = createMcpServer(db, userId);
await server.connect(transport);
const response = await transport.handleRequest(c.req.raw);
@@ -163,12 +170,12 @@ mcpRoutes.get("/", async (c) => {
return c.json({ error: "Session ID required" }, 400);
}
const transport = transports.get(sessionId);
if (!transport) {
const session = transports.get(sessionId);
if (!session) {
return c.json({ error: "Session not found" }, 404);
}
const response = await transport.handleRequest(c.req.raw);
const response = await session.transport.handleRequest(c.req.raw);
return response;
});
@@ -178,12 +185,12 @@ mcpRoutes.delete("/", async (c) => {
return c.json({ error: "Session ID required" }, 400);
}
const transport = transports.get(sessionId);
if (!transport) {
const session = transports.get(sessionId);
if (!session) {
return c.json({ error: "Session not found" }, 404);
}
await transport.close();
await session.transport.close();
transports.delete(sessionId);
return c.text("", 200);
});