Fix MCP local deployment detection for self-hosted projects (#78)#92
Fix MCP local deployment detection for self-hosted projects (#78)#92JustYannicc wants to merge 4 commits intoget-convex:mainfrom
Conversation
|
on it |
|
anybody going to check this? |
|
@thomasballinger you seem to be decently active here, could you maybe take a look at this? |
|
This looks like a pull request description for fixing issues with local/self-hosted deployments in an MCP (Model Context Protocol) server. Let me help you refine this to be clearer and more professional: |
- Add llms.txt documentation file from docs.convex.dev - Create test project to reproduce MCP authorization issue - Add investigation report confirming the bug in PR get-convex#92 / Issue get-convex#78 The investigation confirms that MCP returns "Not Authorized" error for local/anonymous deployments because checkAuthorization() is called unconditionally, even though local deployments don't need cloud authentication.
The MCP server was unconditionally requiring BigBrain (Convex Cloud) authentication for all tool calls, which caused local, anonymous, and self-hosted deployments to fail with "Not Authorized" error. This fix implements smart authorization checking that: - Skips BigBrain auth for self-hosted deployments (CONVEX_SELF_HOSTED_URL) - Skips BigBrain auth for CLI-specified URL/adminKey - Skips BigBrain auth for anonymous local development - Preserves BigBrain auth requirement for cloud-hosted deployments Changes: - Add requiresBigBrainAuth() method to RequestContext - Add requiresBigBrainAuthForDeployment() helper function - Modify MCP tool handler to use smart auth checking Fixes: get-convex#78 Related: PR get-convex#92
- Updated PR92-INVESTIGATION-REPORT.md with detailed fix implementation - Added comprehensive test results showing all scenarios pass - Documented the difference between this fix and PR get-convex#92 approach - Added test script for verification
The MCP server was unconditionally requiring BigBrain (Convex Cloud) authentication for all tool calls, which caused local, anonymous, and self-hosted deployments to fail with "Not Authorized" error. Changes: - Add requiresBigBrainAuth() method to RequestContext that checks deployment type before requiring cloud authentication - Add requiresBigBrainAuthForDeployment() helper function - Modify MCP tool handler to use smart auth checking - Add clear usage documentation in --help for different deployment types Deployment types that NO LONGER require cloud login: - Self-hosted (CONVEX_SELF_HOSTED_URL + CONVEX_SELF_HOSTED_ADMIN_KEY) - CLI direct (--url + --admin-key) - Anonymous local development (CONVEX_AGENT_MODE=anonymous) Deployment types that STILL require cloud login: - Cloud-hosted projects (CONVEX_DEPLOYMENT) - Deploy key based (CONVEX_DEPLOY_KEY) - Preview deployments Fixes: get-convex#78 Related: PR get-convex#92
2 participants
Local/self-hosted deployments weren’t accessible through the MCP server; every tool call crashed with “Local backend isn’t running” or “Not Authorized,” as reported in #78.
_loadExistingDeploymentCredentialsForProjectskips BigBrain access checks when a deployment is explicitly markedlocalassertLocalBackendRunningto try both the configured URL,CONVEX_URL, and localhost/127.0.0.1 variants before failinggetTeamAndProjectSlugForDeploymentscope and cleans up unused exportsLink to the issue: #78
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.