fix: Autenticación por token para MCP Server

- Ruta /api/mcp agregada a rutas públicas de Traefik - Validación de token Bearer en el endpoint - Token configurado como secret MCP_AUTH_TOKEN
2025-11-25 12:56:04 -06:00
parent 0e86f9d7a9
commit bc5eb826e8
15 changed files with 154 additions and 1 deletions
--- a/.gitea/workflows/build-and-deploy.yml
+++ b/.gitea/workflows/build-and-deploy.yml
@@ -19,6 +19,8 @@ jobs:
      # Authentik configuration
      NUXT_PUBLIC_AUTHENTIK_URL: ${{ vars.NUXT_PUBLIC_AUTHENTIK_URL }}
      NUXT_PUBLIC_AUTH_ENABLED: ${{ vars.NUXT_PUBLIC_AUTH_ENABLED }}
+      # MCP Server authentication
+      MCP_AUTH_TOKEN: ${{ secrets.MCP_AUTH_TOKEN }}
    steps:
      - name: Build, Push and Deploy
        run: |
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,8 @@ services:
      # Authentik configuration
      - NUXT_PUBLIC_AUTHENTIK_URL=${NUXT_PUBLIC_AUTHENTIK_URL:-https://authentik.nucleoriofrio.com}
      - NUXT_PUBLIC_AUTH_ENABLED=${NUXT_PUBLIC_AUTH_ENABLED:-false}
+      # MCP Server token
+      - MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN:-}
    volumes:
      - printercentral-data:/app/data
    networks:
@@ -32,7 +34,7 @@ services:

      # Router para assets estaticos de Nuxt y PWA (sin autenticacion) - mayor prioridad
      # Incluye recursos PWA y .well-known para scope extensions
-      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/.well-known`) || PathPrefix(`/icons`) || Path(`/manifest.webmanifest`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/favicon.ico`) || Path(`/offline.html`))"
+      - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/_nuxt`) || PathPrefix(`/.well-known`) || PathPrefix(`/icons`) || Path(`/manifest.webmanifest`) || Path(`/sw.js`) || PathPrefix(`/workbox-`) || Path(`/favicon.ico`) || Path(`/offline.html`) || PathPrefix(`/api/mcp`))"
      - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
      - "traefik.http.routers.${APP_NAME}-public.tls=true"
      - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
--- a/pwa/icon.png
+++ b/pwa/icon.png
--- a/pwa/icons/icon-128.png
+++ b/pwa/icons/icon-128.png
--- a/pwa/icons/icon-144.png
+++ b/pwa/icons/icon-144.png
--- a/pwa/icons/icon-152.png
+++ b/pwa/icons/icon-152.png
--- a/pwa/icons/icon-192.png
+++ b/pwa/icons/icon-192.png
--- a/pwa/icons/icon-384.png
+++ b/pwa/icons/icon-384.png
--- a/pwa/icons/icon-512.png
+++ b/pwa/icons/icon-512.png
--- a/pwa/icons/icon-72.png
+++ b/pwa/icons/icon-72.png
--- a/pwa/icons/icon-96.png
+++ b/pwa/icons/icon-96.png
--- a/pwa/index.html
+++ b/pwa/index.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html lang="es">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Printer Central</title>
+  <link rel="manifest" href="manifest.json">
+  <link rel="icon" type="image/png" href="icons/icon-192.png">
+  <meta name="theme-color" content="#3f75d2">
+  <style>
+    body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; align-items: center; justify-content: center; min-height: 100vh; background: #f2f2f2; }
+    .container { text-align: center; }
+    .logo { width: 200px; height: 200px; }
+    button { padding: 10px 20px; margin-top: 20px; font-size: 16px; cursor: pointer; background-color: #3f75d2; color: #fff; border: none; border-radius: 5px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <img src="icon.png" alt="Printer Central Logo" class="logo">
+    <h1>Bienvenido a Printer Central</h1>
+    <p>Administra tus impresoras de forma fácil y rápida.</p>
+    <button onclick="alert('PWA Funcionando!')">Probar</button>
+  </div>
+
+  <script>
+    if ('serviceWorker' in navigator) {
+      window.addEventListener('load', function() {
+        navigator.serviceWorker.register('sw.js').then(function(registration) {
+          console.log('ServiceWorker registrado con éxito', registration.scope);
+        }, function(err) {
+          console.log('ServiceWorker fallo en registrarse: ', err);
+        });
+      });
+    }
+  </script>
+</body>
+</html>
--- a/pwa/manifest.json
+++ b/pwa/manifest.json
@@ -0,0 +1,51 @@
+{
+  "name": "Printer Central",
+  "short_name": "Printer",
+  "description": "Manage your printers from one central app.",
+  "start_url": "index.html",
+  "display": "standalone",
+  "background_color": "#ffffff",
+  "theme_color": "#3f75d2",
+  "icons": [
+    {
+      "src": "icons/icon-72.png",
+      "sizes": "72x72",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-96.png",
+      "sizes": "96x96",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-128.png",
+      "sizes": "128x128",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-144.png",
+      "sizes": "144x144",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-152.png",
+      "sizes": "152x152",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-384.png",
+      "sizes": "384x384",
+      "type": "image/png"
+    },
+    {
+      "src": "icons/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    }
+  ]
+}
--- a/pwa/sw.js
+++ b/pwa/sw.js
@@ -0,0 +1,49 @@
+const CACHE_NAME = 'printer-central-cache-v1';
+const urlsToCache = [
+  'index.html',
+  'manifest.json',
+  'icon.png',
+  'icons/icon-72.png',
+  'icons/icon-96.png',
+  'icons/icon-128.png',
+  'icons/icon-144.png',
+  'icons/icon-152.png',
+  'icons/icon-192.png',
+  'icons/icon-384.png',
+  'icons/icon-512.png'
+];
+
+self.addEventListener('install', event => {
+  event.waitUntil(
+    caches.open(CACHE_NAME)
+      .then(cache => {
+        return cache.addAll(urlsToCache);
+      })
+  );
+});
+
+self.addEventListener('fetch', event => {
+  event.respondWith(
+    caches.match(event.request)
+      .then(response => {
+        // Cache hit - return response
+        if (response) {
+          return response;
+        }
+        return fetch(event.request);
+      })
+  );
+});
+
+self.addEventListener('activate', event => {
+  const cacheWhitelist = [CACHE_NAME];
+  event.waitUntil(
+    caches.keys().then(keyList => {
+      return Promise.all(keyList.map(key => {
+        if (cacheWhitelist.indexOf(key) === -1) {
+          return caches.delete(key);
+        }
+      }));
+    })
+  );
+});
--- a/server/api/mcp/index.post.ts
+++ b/server/api/mcp/index.post.ts
@@ -22,6 +22,18 @@ interface JsonRpcResponse {
 }

 export default defineEventHandler(async (event) => {
+  // Validar token de autenticación
+  const authHeader = getHeader(event, 'Authorization')
+  const expectedToken = process.env.MCP_AUTH_TOKEN
+
+  if (expectedToken) {
+    const providedToken = authHeader?.replace('Bearer ', '')
+    if (!providedToken || providedToken !== expectedToken) {
+      setResponseStatus(event, 401)
+      return createJsonRpcError(null, -32000, 'Unauthorized: Invalid or missing token')
+    }
+  }
+
  try {
    const body = await readBody(event) as JsonRpcRequest