barrel_server_mcp_auth (barrel_server v1.0.1)

View Source

barrel_mcp_auth provider for the /mcp endpoint, and the authorization helpers the MCP tools consume.

Three principals: - a server bearer (checked against the same SHA-256 hash set as the REST middleware, see barrel_server_auth:hashes/0) is subject server with the admin scope everywhere; - a capability bearer (bsp_...) resolves through barrel_caps:auth_context/1: subject and scopes come from the grant and the claims carry the granted space; - with no auth configured (open server) every caller is an anonymous full-rights principal, matching the open REST surface. A presented capability token is enforced even on an open server.

allow/3 is the per-tool gate: server/anonymous principals pass, capability principals need the database to be their space and the right within their scopes. prov/2 shapes the provenance map (actor/session/source) every MCP write carries.

Summary

Functions

Gate a tool call touching database Db with Right. Server and anonymous principals pass; a capability principal needs Db to be its granted space (branch databases of a space are deferred) and the right within its scopes.

The provenance of an MCP write: the authenticated subject as actor, the caller's session (a session tool argument wins over the MCP session id), source mcp.

Functions

allow(Ctx, Db, Right)

-spec allow(map(), binary(), read | write | admin) -> ok | {error, forbidden}.

Gate a tool call touching database Db with Right. Server and anonymous principals pass; a capability principal needs Db to be its granted space (branch databases of a space are deferred) and the right within its scopes.

auth_headers(State)

authenticate(Request, State)

challenge(Reason, State)

init(Opts)

prov(Ctx, Args)

-spec prov(map(), map()) -> map().

The provenance of an MCP write: the authenticated subject as actor, the caller's session (a session tool argument wins over the MCP session id), source mcp.