mcp-hub-007: Auth hardening — per-service secrets and env-based config

2026-03-13 10:17:45 +00:00 · 2026-03-13 10:17:45 +00:00 · 85b3f5b6e2
commit 85b3f5b6e2
parent 91f0ce271b
4 changed files with 36 additions and 6 deletions
--- a/src/config.js
+++ b/src/config.js
@ -1,4 +1,27 @@
+const DEV_SECRET = 'dev-secret';
+
+let serviceAuthMap = null;
+if (process.env.HUB_AUTH) {
+  try {
+    serviceAuthMap = JSON.parse(process.env.HUB_AUTH);
+  } catch (e) {
+    console.error('[config] Failed to parse HUB_AUTH JSON:', e.message);
+    process.exit(1);
+  }
+} else if (process.env.NODE_ENV === 'production') {
+  console.error('[config] HUB_AUTH must be set in production');
+  process.exit(1);
+}
+
+function getServiceSecret(serviceId) {
+  if (serviceAuthMap) {
+    return serviceAuthMap[serviceId] !== undefined ? serviceAuthMap[serviceId] : null;
+  }
+  // Dev fallback: accept dev-secret for any service
+  return DEV_SECRET;
+}
+
 module.exports = {
  PORT: parseInt(process.env.PORT, 10) || 3000,
-  HUB_SECRET: process.env.HUB_SECRET || 'dev-secret',
+  getServiceSecret,
 };