Skip to content

MCP HTTP bridge should use per-request bearer token authentication #54

Description

@edspencer

Problem

The MCP HTTP bridge (packages/core/src/runner/runtime/mcp-http-bridge.ts) binds to 0.0.0.0 on a random port to expose injected MCP tools to Docker-containerized agents. This is necessary because the agent container needs to reach the bridge over the Docker network — binding to 127.0.0.1 would make it unreachable from inside the container.

However, binding to all interfaces means any other container on the same Docker network (or on a multi-tenant Docker host) could discover the port and call the MCP tools without authentication.

Relevant code (mcp-http-bridge.ts:246):

server.listen(0, "0.0.0.0", () => { ... });

The bridge currently accepts any incoming request with no authentication check.

Suggested Fix

Generate a per-instance bearer token when starting the bridge and require it on every request:

  1. On bridge startup: Generate a random token (e.g. crypto.randomUUID() or crypto.randomBytes(32).toString('hex'))
  2. Pass token to container: Include the token in the MCP server URL or as an environment variable passed to the Docker container
  3. Validate on each request: The bridge's request handler checks Authorization: Bearer <token> and rejects requests without a valid token

This keeps the bridge bound to 0.0.0.0 (required for Docker networking) while preventing unauthorized access from other containers.

Impact

Low risk in practice — the bridge only lives for the duration of a single agent job, listens on a random ephemeral port, and is only relevant when using Docker runtime. But it's a defense-in-depth measure worth adding.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions