Jugg.ai, February 26, 2026, v0.1.25

v0.1.25 — fix(security): add bearer token auth to generated MCP HTTP server

Release v0.1.25: Bearer Token Auth for MCP HTTP Server

February 26, 2026

The auto-generated MCP HTTP server now requires bearer token authentication on all endpoints except the health check.

What Changed

  • Bearer token validation on all MCP endpoints except GET /health using constant-time comparison (timingSafeEqual)
  • HTTP 401 + WWW-Authenticate header for unauthorized requests
  • Identity derived from the token: auth_whoami and auth_check_permission no longer depend on the MCP_USER_ID/MCP_USER_ROLE env vars
  • New test coverage for all security invariants in tests/lib/mcp/templates.test.ts
  • Updated .env.example with MCP_AUTH_TOKEN generation instructions

Why It Matters

Previously, the generated MCP server had zero authentication, exposing full CRUD access to any network-reachable client. Token-based auth closes this gap — only clients with the shared secret can invoke tools or access data.

Technical Notes

  • Token comparison uses SHA-256 hashing on both sides before timingSafeEqual to prevent length-dependent timing leaks
  • /health remains unauthenticated for monitoring probes that lack credentials
  • Set MCP_AUTH_TOKEN with openssl rand -hex 32 before exposing the server to a network
  • MCP_AUTH_ROLE (default: admin) determines permissions for the token holder
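
The check described in the two lists above, written as an added example rather than the project's own templates.ts code: the token comparison hashes both sides with SHA-256 before timingSafeEqual, GET /health is exempt, failures get 401 plus WWW-Authenticate, and the caller's role comes from MCP_AUTH_ROLE (default admin). The function names, the realm string and the fail-closed behaviour when no token is configured are assumptions of this example.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Expected shared secret and role, as the release notes describe (env names from the page).
// The fallback token is a constructed placeholder so the file runs stand-alone.
const MCP_AUTH_TOKEN = process.env.MCP_AUTH_TOKEN ?? "constructed-placeholder-token";
const MCP_AUTH_ROLE = process.env.MCP_AUTH_ROLE ?? "admin";

export interface AuthDecision {
  ok: boolean;
  status: number;
  headers: Record<string, string>;
  identity?: { role: string };
}

function sha256(input: string): Buffer {
  return createHash("sha256").update(input, "utf8").digest();
}

// Constant-time equality. Hashing first makes both buffers 32 bytes, so
// timingSafeEqual never throws on a length mismatch and never leaks the secret's length.
export function tokensMatch(expected: string, actual: string): boolean {
  return timingSafeEqual(sha256(expected), sha256(actual));
}

// Extract the token from "Authorization: Bearer <token>"; null if the scheme is absent.
export function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)\s*$/i.exec(header);
  return m ? m[1] : null;
}

// Decide whether a request may proceed. Assumption of this example: an empty configured
// token fails closed, so an unset MCP_AUTH_TOKEN cannot silently disable auth.
export function authorize(
  method: string,
  path: string,
  authorization: string | undefined,
  expected: string = MCP_AUTH_TOKEN,
  role: string = MCP_AUTH_ROLE,
): AuthDecision {
  // Health probe stays open for monitors that carry no credentials.
  if (method === "GET" && path === "/health") return { ok: true, status: 200, headers: {} };
  const token = parseBearer(authorization);
  if (expected.length > 0 && token !== null && tokensMatch(expected, token)) {
    // Identity is derived from the validated token, not from request-supplied env vars.
    return { ok: true, status: 200, headers: {}, identity: { role } };
  }
  return { ok: false, status: 401, headers: { "WWW-Authenticate": 'Bearer realm="mcp"' } };
}
```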

Release Notes

✅ PR #434 Merged — Release v0.1.25 Attempted

Merge: SUCCESS

  • PR #434 (fix/mcp-server-bearer-token-auth) was squash-merged into main
  • Merge commit SHA: 0fcd846b8838ac9b1a102a4fa9777ba870bcbeb0

Release: BLOCKED — Tag Already Exists

  • Tag v0.1.25 already exists in the repository (created prior to this run)
  • GitHub rejected the create_release call with: tag_name already_exists
  • No release notes were published as a result

What Was in the PR (for manual release note creation if needed)

Security fix — The auto-generated MCP HTTP server (src/lib/mcp/templates.ts) previously had zero authentication, exposing full DB CRUD to any network-reachable client. Changes:

  1. Bearer token auth on all MCP endpoints except GET /health (Authorization: Bearer <MCP_AUTH_TOKEN>)
  2. Timing-safe comparison via timingSafeEqual(sha256(expected), sha256(actual))
  3. HTTP 401 + WWW-Authenticate header for unauthorized requests
  4. auth_whoami / auth_check_permission now derive identity from the validated token — no longer from unauthenticated MCP_USER_ID/MCP_USER_ROLE env vars
  5. .env.example updated with MCP_AUTH_TOKEN and MCP_AUTH_ROLE
  6. New test file tests/lib/mcp/templates.test.ts covering all security invariants

Recommended Next Step

A repository admin should manually publish a GitHub release against the existing v0.1.25 tag (e.g. via the GitHub UI → Releases → "Create release from tag") using the release notes prepared above.