Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add API key authentication system for ChatGPT Business

Browse Source 
Implements comprehensive Bearer token authentication to ensure only
authorized ChatGPT workspaces can access the MCP server.

Core Features:
- API key validation with constant-time comparison
- Multi-key support for rotation grace periods
- Rate limiting (5 failures per IP per 5 min)
- Comprehensive audit logging of all auth attempts
- IP-based failed attempt tracking

Key Management:
- generate_api_key.py: Create secure 64-char keys
- rotate_api_key.py: Guided key rotation with backup
- check_key_age.py: Automated expiration monitoring

Infrastructure:
- Traefik labels for HTTPS and rate limiting
- Security headers (HSTS, CSP, X-Frame-Options)
- Environment-based configuration
- Docker secrets support

Documentation:
- AUTH_SETUP.md: Complete authentication setup guide
- CHATGPT_SETUP.md: ChatGPT Business integration guide
- KEY_ROTATION.md: Key rotation procedures and automation

Security:
- Read-only operations enforced
- No write access to Gitea possible
- All auth attempts logged with correlation IDs
- Failed attempts trigger IP rate limits
- Keys never logged in full (only hints)

Breaking Changes:
- AUTH_ENABLED defaults to true
- MCP_API_KEYS environment variable now required
- Minimum key length: 32 characters (64 recommended)

Migration:
1. Generate API key: make generate-key
2. Add to .env: MCP_API_KEYS=<generated-key>
3. Restart: docker-compose restart aegis-mcp
4. Configure ChatGPT with Authorization header

Closes requirements for ChatGPT Business exclusive access.
This commit is contained in:
Latte
2026-01-29 20:05:49 +01:00
parent a9708b33e2
commit eeaad748a6
13 changed files with 2263 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.env.example
View File

@@ -5,6 +5,19 @@ GITEA_TOKEN=your-bot-user-token-here
# MCP Server Configuration
MCP_HOST=0.0.0.0
MCP_PORT=8080
MCP_DOMAIN=mcp.yourdomain.com # Domain for Traefik (if using)
# Authentication Configuration (REQUIRED)
# Generate key with: python scripts/generate_api_key.py
AUTH_ENABLED=true
MCP_API_KEYS=your-generated-api-key-here
# Multiple keys (comma-separated for grace period during rotation):
# MCP_API_KEYS=key1,key2,key3
# Authentication limits
MAX_AUTH_FAILURES=5 # Max failures before rate limiting
AUTH_FAILURE_WINDOW=300 # Time window in seconds (5 min)
# Logging Configuration
LOG_LEVEL=INFO