feat(mcp) : add McpHeaderAuthenticator with rate limiting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 12:07:32 +01:00
parent 523eed927e
commit 98caaa148d
7 changed files with 276 additions and 2 deletions
--- a/tests/Mcp/Security/McpHeaderAuthenticatorTest.php
+++ b/tests/Mcp/Security/McpHeaderAuthenticatorTest.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Mcp\Security;
+
+use App\Tests\AbstractApiTestCase;
+use stdClass;
+
+/**
+ * @internal
+ */
+class McpHeaderAuthenticatorTest extends AbstractApiTestCase
+{
+    public function testMcpEndpointRejectsWithoutCredentials(): void
+    {
+        $client = static::createClient();
+
+        $client->request('POST', '/_mcp', [
+            'headers' => ['Content-Type' => 'application/json'],
+            'body'    => $this->mcpRequest(),
+        ]);
+
+        $this->assertResponseStatusCodeSame(401);
+    }
+
+    public function testMcpEndpointRejectsInvalidPassword(): void
+    {
+        $profile = $this->createProfile(
+            roles: ['ROLE_VIEWER'],
+            password: 'correct-password',
+        );
+
+        $client = static::createClient();
+
+        $client->request('POST', '/_mcp', [
+            'headers' => [
+                'Content-Type'       => 'application/json',
+                'X-Profile-Id'       => $profile->getId(),
+                'X-Profile-Password' => 'wrong-password',
+            ],
+            'body' => $this->mcpRequest(),
+        ]);
+
+        $this->assertResponseStatusCodeSame(401);
+    }
+
+    public function testMcpEndpointAcceptsValidCredentials(): void
+    {
+        $profile = $this->createProfile(
+            roles: ['ROLE_VIEWER'],
+            password: 'valid-password',
+        );
+
+        $client = static::createClient();
+
+        $client->request('POST', '/_mcp', [
+            'headers' => [
+                'Content-Type'       => 'application/json',
+                'X-Profile-Id'       => $profile->getId(),
+                'X-Profile-Password' => 'valid-password',
+            ],
+            'body' => $this->mcpRequest(),
+        ]);
+
+        $this->assertResponseStatusCodeSame(200);
+    }
+
+    private function mcpRequest(array $headers = [], array $body = []): string
+    {
+        $default = [
+            'jsonrpc' => '2.0',
+            'method'  => 'initialize',
+            'params'  => [
+                'protocolVersion' => '2025-03-26',
+                'capabilities'    => new stdClass(),
+                'clientInfo'      => ['name' => 'test', 'version' => '1.0'],
+            ],
+            'id' => 1,
+        ];
+
+        return json_encode(array_merge($default, $body));
+    }
+}