origin_mcp/
serve.rs

1use std::net::SocketAddr;
2use std::sync::Arc;
3
4use axum::extract::Request;
5use axum::http::{HeaderName, Method, StatusCode};
6use axum::middleware::{self, Next};
7use axum::response::IntoResponse;
8use axum::routing::get;
9use axum::Router;
10use rmcp::transport::streamable_http_server::{
11    session::local::LocalSessionManager, StreamableHttpServerConfig, StreamableHttpService,
12};
13use tower_http::cors::CorsLayer;
14
15use crate::auth;
16use crate::client::OriginClient;
17use crate::tools::{OriginMcpServer, TransportMode};
18
19#[derive(Debug, Clone)]
20pub struct ServeConfig {
21    pub port: u16,
22    pub host: String,
23    pub origin_url: String,
24    pub token: Option<String>,
25    pub agent_name: String,
26    pub user_id: Option<String>,
27    pub allowed_origins: Vec<String>,
28}
29
30async fn health() -> impl IntoResponse {
31    axum::Json(serde_json::json!({
32        "status": "ok",
33        "server": "origin-mcp",
34        "version": env!("CARGO_PKG_VERSION"),
35    }))
36}
37
38pub async fn run_serve(config: ServeConfig) -> anyhow::Result<()> {
39    let client = OriginClient::new(config.origin_url.clone());
40    let agent_name = config.agent_name.clone();
41    let user_id = config.user_id.clone();
42    let token = config.token.clone();
43    let allowed_origins = config.allowed_origins.clone();
44
45    // rmcp's default allowed_hosts = [localhost, 127.0.0.1, ::1] is
46    // DNS-rebinding protection for loopback deployments. Every serve
47    // deployment we support is reached through a public tunnel
48    // (cloudflared, ngrok) that forwards the tunnel hostname in Host,
49    // whether or not a bearer token is used (Origin.app runs `serve
50    // --no-auth --host 127.0.0.1` and fronts it with cloudflared; auth
51    // deployments do the same with a token). Leaving the default in
52    // place rejects every tunneled request with a plain-text 403 the
53    // upstream MCP proxy cannot parse, surfacing to users as a bogus
54    // "-32600 Invalid Request". MCP's custom-header requirement
55    // already triggers CORS preflight, so the Origin allowlist catches
56    // browser-driven DNS rebinding; a local non-browser attacker
57    // bypasses Host checking anyway by hitting 127.0.0.1 directly.
58    let mcp_config = StreamableHttpServerConfig::default().disable_allowed_hosts();
59
60    let mcp_service = StreamableHttpService::new(
61        move || {
62            Ok(OriginMcpServer::new(
63                client.clone(),
64                TransportMode::Http,
65                agent_name.clone(),
66                user_id.clone(),
67            ))
68        },
69        Arc::new(LocalSessionManager::default()),
70        mcp_config,
71    );
72
73    let cors = build_cors_layer(&config.allowed_origins);
74
75    let mut router = Router::new()
76        .nest_service("/mcp", mcp_service)
77        .route("/health", get(health))
78        .layer(cors);
79
80    if let Some(ref expected_token) = token {
81        let token_for_middleware = expected_token.clone();
82        let origins_for_middleware = allowed_origins.clone();
83        router = router.layer(middleware::from_fn(move |req: Request, next: Next| {
84            let token = token_for_middleware.clone();
85            let origins = origins_for_middleware.clone();
86            async move { auth_and_origin_middleware(req, next, &token, &origins).await }
87        }));
88    }
89
90    let addr: SocketAddr = format!("{}:{}", config.host, config.port).parse()?;
91    let listener = tokio::net::TcpListener::bind(addr).await?;
92    tracing::info!("origin-mcp HTTP server listening on {}", addr);
93
94    if token.is_some() {
95        tracing::info!("Bearer token authentication enabled");
96    } else {
97        tracing::warn!("Running without authentication — only safe on loopback");
98    }
99
100    let shutdown = async {
101        #[cfg(unix)]
102        {
103            use tokio::signal::unix::{signal, SignalKind};
104            let ctrl_c = tokio::signal::ctrl_c();
105            let mut sigterm =
106                signal(SignalKind::terminate()).expect("failed to register SIGTERM handler");
107            tokio::select! {
108                _ = ctrl_c => {},
109                _ = sigterm.recv() => {},
110            }
111        }
112        #[cfg(not(unix))]
113        {
114            tokio::signal::ctrl_c().await.ok();
115        }
116        tracing::info!("Shutting down origin-mcp HTTP server");
117    };
118
119    axum::serve(listener, router)
120        .with_graceful_shutdown(shutdown)
121        .await?;
122
123    Ok(())
124}
125
126fn build_cors_layer(allowed_origins: &[String]) -> CorsLayer {
127    let cors = CorsLayer::new()
128        .allow_methods([Method::GET, Method::POST, Method::DELETE, Method::OPTIONS])
129        .allow_headers([
130            http::header::AUTHORIZATION,
131            http::header::CONTENT_TYPE,
132            http::header::ACCEPT,
133            HeaderName::from_static("mcp-session-id"),
134            HeaderName::from_static("mcp-protocol-version"),
135        ]);
136
137    if allowed_origins.iter().any(|o| o == "*") {
138        cors.allow_origin(tower_http::cors::Any)
139    } else {
140        let origins: Vec<http::HeaderValue> = allowed_origins
141            .iter()
142            .filter_map(|o| o.parse().ok())
143            .collect();
144        cors.allow_origin(origins)
145    }
146}
147
148/// Auth middleware: bearer token first (401), then Origin header (403).
149async fn auth_and_origin_middleware(
150    req: Request,
151    next: Next,
152    expected_token: &str,
153    allowed_origins: &[String],
154) -> axum::response::Response {
155    let is_preflight = req.method() == Method::OPTIONS;
156    let is_health = req.uri().path() == "/health";
157    if is_preflight || is_health {
158        return next.run(req).await;
159    }
160
161    // 1. Validate bearer token FIRST
162    let auth_header = req.headers().get(http::header::AUTHORIZATION);
163    match auth_header {
164        Some(value) => {
165            let value_str = value.to_str().unwrap_or("");
166            match auth::extract_bearer_token(value_str) {
167                Some(provided) if auth::verify_token(provided, expected_token) => {}
168                _ => return (StatusCode::UNAUTHORIZED, "Invalid bearer token").into_response(),
169            }
170        }
171        None => return (StatusCode::UNAUTHORIZED, "Authorization header required").into_response(),
172    }
173
174    // 2. Validate Origin header AFTER auth
175    if let Some(origin) = req.headers().get(http::header::ORIGIN) {
176        if let Ok(origin_str) = origin.to_str() {
177            if !auth::is_origin_allowed(origin_str, allowed_origins) {
178                return (StatusCode::FORBIDDEN, "Origin not allowed").into_response();
179            }
180        }
181    }
182
183    next.run(req).await
184}
origin_mcp/serve.rs

origin_mcp/
serve.rs
