Spaces:

MCP-1st-Birthday
/

Vault.MCP

Sleeping

App Files Files Community

bigwolfe commited on 25 days ago

Commit

8378c97

1 Parent(s): 24137a8

Update MCP server and config for ChatGPT Apps SDK integration

Browse files

Files changed (3) hide show

backend/src/mcp/server.py +6 -0
backend/src/services/config.py +6 -0
specs/003-chatgpt-app-integration/spec.md +3 -3

backend/src/mcp/server.py CHANGED Viewed

@@ -51,8 +51,14 @@ def _current_user_id() -> str:
             request = None
         if request is not None:
             header = request.headers.get("Authorization")
             if not header:
                 raise PermissionError("Authorization header required")
             scheme, _, token = header.partition(" ")
             if scheme.lower() != "bearer" or not token:
                 raise PermissionError("Authorization header must be 'Bearer <token>'")

             request = None
         if request is not None:
             header = request.headers.get("Authorization")
+            # Check for No-Auth mode if header is missing
             if not header:
+                config = get_config()
+                if config.enable_noauth_mcp:
+                    return "demo-user"
                 raise PermissionError("Authorization header required")
             scheme, _, token = header.partition(" ")
             if scheme.lower() != "bearer" or not token:
                 raise PermissionError("Authorization header must be 'Bearer <token>'")

backend/src/services/config.py CHANGED Viewed

@@ -38,6 +38,10 @@ class AppConfig(BaseModel):
         default="https://chatgpt.com",
         description="Allowed CORS origin for ChatGPT",
     )
     vault_base_path: Path = Field(..., description="Base directory for per-user vaults")
     hf_oauth_client_id: Optional[str] = Field(
         None, description="Hugging Face OAuth client ID (optional)"
@@ -96,6 +100,7 @@ def get_config() -> AppConfig:
     local_dev_token = _read_env("LOCAL_DEV_TOKEN", "local-dev-token")
     chatgpt_service_token = _read_env("CHATGPT_SERVICE_TOKEN")
     chatgpt_cors_origin = _read_env("CHATGPT_CORS_ORIGIN", "https://chatgpt.com")
     config = AppConfig(
         jwt_secret_key=jwt_secret,
@@ -103,6 +108,7 @@ def get_config() -> AppConfig:
         local_dev_token=local_dev_token,
         chatgpt_service_token=chatgpt_service_token,
         chatgpt_cors_origin=chatgpt_cors_origin,
         vault_base_path=vault_base,
         hf_oauth_client_id=hf_client_id,
         hf_oauth_client_secret=hf_client_secret,

         default="https://chatgpt.com",
         description="Allowed CORS origin for ChatGPT",
     )
+    enable_noauth_mcp: bool = Field(
+        default=False,
+        description="DANGEROUS: Allow unauthenticated MCP access as demo-user (for hackathon)",
+    )
     vault_base_path: Path = Field(..., description="Base directory for per-user vaults")
     hf_oauth_client_id: Optional[str] = Field(
         None, description="Hugging Face OAuth client ID (optional)"
     local_dev_token = _read_env("LOCAL_DEV_TOKEN", "local-dev-token")
     chatgpt_service_token = _read_env("CHATGPT_SERVICE_TOKEN")
     chatgpt_cors_origin = _read_env("CHATGPT_CORS_ORIGIN", "https://chatgpt.com")
+    enable_noauth_mcp = _read_env("ENABLE_NOAUTH_MCP", "false").lower() in {"true", "1", "yes"}
     config = AppConfig(
         jwt_secret_key=jwt_secret,
         local_dev_token=local_dev_token,
         chatgpt_service_token=chatgpt_service_token,
         chatgpt_cors_origin=chatgpt_cors_origin,
+        enable_noauth_mcp=enable_noauth_mcp,
         vault_base_path=vault_base,
         hf_oauth_client_id=hf_client_id,
         hf_oauth_client_secret=hf_client_secret,

specs/003-chatgpt-app-integration/spec.md CHANGED Viewed

@@ -22,11 +22,11 @@ Transform the Document-MCP project into a "ChatGPT App" compatible with the Open
     -   Note Viewing (with Markdown rendering and Wikilink support)
     -   Search Results (clean list with snippets)
 -   **Dual-Mode Operation**: Ensure the application continues to function as a standalone web app and standard MCP server while supporting the ChatGPT App mode.
--   **Hackathon Readiness**: Prioritize a functional "demo user" or "service token" auth flow to ensure valid submission for the "Best ChatGPT App" category.
 ### Non-Goals
 -   **Full Obsidian UI in Chat**: We will not iframe the entire application (sidebar, graph view, settings) into ChatGPT.
--   **Production OAuth**: We will not implement a full OIDC provider for multi-tenant public access at this stage; a simplified auth strategy is sufficient for the hackathon.
 -   **Complex Graph Viz**: The Graph View widget is out of scope for the initial V1 integration.
 ## 4. User Scenarios
@@ -49,7 +49,7 @@ Transform the Document-MCP project into a "ChatGPT App" compatible with the Open
 ### 5.1 Backend & MCP
 -   **Metadata Injection**: The `read_note` and `search_notes` tools must return a `CallToolResult` containing the `_meta.openai.outputTemplate` field to trigger widgets.
 -   **CORS**: The API must allow requests from `https://chatgpt.com` to support iframe loading.
--   **Service Token**: The backend must support a configured `CHATGPT_SERVICE_TOKEN` to allow the OpenAI Apps SDK to authenticate without full user-facing OAuth.
 ### 5.2 Frontend Widgets
 -   **Widget Entry Point**: A new build target (`widget.html` + `widget.tsx`) must be created to serve simplified UI components.

     -   Note Viewing (with Markdown rendering and Wikilink support)
     -   Search Results (clean list with snippets)
 -   **Dual-Mode Operation**: Ensure the application continues to function as a standalone web app and standard MCP server while supporting the ChatGPT App mode.
+-   **Hackathon Readiness**: Prioritize a functional integration. We will use "No Authentication" mode for the hackathon submission to bypass OAuth complexity, securing it via obscurity (hidden URL) and "demo-user" isolation.
 ### Non-Goals
 -   **Full Obsidian UI in Chat**: We will not iframe the entire application (sidebar, graph view, settings) into ChatGPT.
+-   **Production OAuth**: We will not implement a full OIDC provider. **Future Work**: Implement a "Headless OAuth" provider to secure the endpoint properly using Client Credentials semantics wrapped in Authorization Code flow.
 -   **Complex Graph Viz**: The Graph View widget is out of scope for the initial V1 integration.
 ## 4. User Scenarios
 ### 5.1 Backend & MCP
 -   **Metadata Injection**: The `read_note` and `search_notes` tools must return a `CallToolResult` containing the `_meta.openai.outputTemplate` field to trigger widgets.
 -   **CORS**: The API must allow requests from `https://chatgpt.com` to support iframe loading.
+-   **No Auth Mode**: The backend must support a configured `ENABLE_NOAUTH_MCP` flag. When enabled, MCP tools will default to the "demo-user" context if no Authorization header is present, bypassing strict checks.
 ### 5.2 Frontend Widgets
 -   **Widget Entry Point**: A new build target (`widget.html` + `widget.tsx`) must be created to serve simplified UI components.