fix(mcp): wire APIKey through HTTP transport (Bugbot PR #17)

Bugbot flagged (high severity): the help text advertised --api-key for the
http transport but the code passed an empty APIKey to SSEConfig, so users
following the security guidance would have ended up with an unauthenticated
server they believed was protected.

- http case now reads config.APIKey() and passes it through, matching the
  sse case's behavior (but auth stays optional for http, not required, so
  basic-host and local MCP Apps dev still work without a key)
- Startup log now discloses auth state and warns when binding a
  non-loopback address without auth (tunnel-like exposure)
- Help text reworded to point at the actual ways to configure the key
  ('jc auth login', JC_API_KEY env var, --api-key global flag) rather than
  vaguely saying "use --api-key"

Three regression tests added:
- TestHTTP_AuthRejectsUnauthenticated — no header → 401 when key configured
- TestHTTP_AuthAcceptsCorrectKey — correct x-api-key → 200
- TestHTTP_NoAuthWhenNoKey — permissive default preserved for local dev

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: juergen-kc

internal/cmd/mcp.go

@@ -94,8 +94,9 @@ Streamable HTTP Examples (for Claude Desktop custom connectors and MCP Apps):
 Security: the http transport is stateless and permissive by default (wide-open
 CORS, cross-origin checks disabled) so browser-based MCP clients like basic-host
 and MCP Apps UIs can connect. When exposing the server via a tunnel (cloudflared,
-ngrok, etc.), use --api-key to prevent unauthenticated tool calls from anyone
-who discovers the URL.
+ngrok, etc.), configure an API key — via 'jc auth login', the JC_API_KEY env
+var, or the --api-key global flag — so the auth middleware rejects
+unauthenticated tool calls from anyone who discovers the URL.
 
 Use JC_PROFILE environment variable to select which JumpCloud org to use.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -231,14 +232,32 @@ func runMcpServe(rateLimit int, readOnly bool, transport, addr string, port int,
 
 	case "http":
 		// Streamable HTTP transport for Claude Desktop custom connectors and MCP Apps.
-		// No auth by default on loopback — designed for local use with cloudflared tunnels.
+		// Auth is optional here (unlike sse) so browser-based MCP clients like
+		// basic-host can connect during local development. When the operator has
+		// configured an API key (via `jc auth login`, JC_API_KEY, or --api-key),
+		// we pass it through so the server's auth middleware rejects unauth'd
+		// calls — critical when exposing via a cloudflared tunnel.
 		listenAddr := resolveSSEAddr(addr, port)
+		apiKey := config.APIKey()
 
-		fmt.Fprintf(os.Stderr, "jc: starting MCP server on Streamable HTTP transport at http://%s/mcp\n", listenAddr)
+		scheme := "http"
+		fmt.Fprintf(os.Stderr, "jc: starting MCP server on Streamable HTTP transport at %s://%s/mcp\n", scheme, listenAddr)
+		if apiKey == "" {
+			// Warn if binding beyond loopback without auth — that's the
+			// combination a tunnel creates, too.
+			if host, _, err := net.SplitHostPort(listenAddr); err == nil {
+				if host != "127.0.0.1" && host != "::1" && host != "localhost" {
+					fmt.Fprintln(os.Stderr, "jc: WARNING: HTTP transport running without an API key. Anyone who reaches the server can call all tools.")
+				}
+			}
+		} else {
+			fmt.Fprintln(os.Stderr, "jc: HTTP transport requires x-api-key or Authorization: Bearer header for all requests.")
+		}
 
 		return server.RunStreamableHTTP(ctx, mcp.SSEConfig{
 			Addr:       listenAddr,
 			CORSOrigin: "*",
+			APIKey:     apiKey,
 		})
 
 	default:

internal/mcp/sse_test.go

@@ -597,3 +597,111 @@ func generateTestCert(t *testing.T) (certFile, keyFile string) {
 
 	return certFile, keyFile
 }
+
+// startHTTPStreamServer mirrors startSSEServer but for the Streamable HTTP
+// transport. Returns the base URL (including the /mcp path).
+func startHTTPStreamServer(t *testing.T, cfg SSEConfig) (*Server, string) {
+	t.Helper()
+	setupTest(t)
+
+	if cfg.Addr == "" {
+		cfg.Addr = ":0"
+	}
+
+	server := NewServer(Options{
+		RateLimit:    60,
+		AuditLogPath: filepath.Join(t.TempDir(), "audit.log"),
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	errCh := make(chan error, 1)
+	go func() { errCh <- server.RunStreamableHTTP(ctx, cfg) }()
+
+	var addr net.Addr
+	for i := 0; i < 50; i++ {
+		addr = server.Listener()
+		if addr != nil {
+			break
+		}
+		time.Sleep(10 * time.Millisecond)
+	}
+	if addr == nil {
+		t.Fatal("HTTP stream server did not start listening")
+	}
+
+	return server, "http://" + addr.String() + "/mcp"
+}
+
+// TestHTTP_AuthRejectsUnauthenticated is the regression guard for the high-
+// severity Bugbot finding: when APIKey is set on the http transport, requests
+// without credentials must be rejected.
+func TestHTTP_AuthRejectsUnauthenticated(t *testing.T) {
+	_, baseURL := startHTTPStreamServer(t, SSEConfig{
+		APIKey:     "test-key",
+		CORSOrigin: "*",
+	})
+
+	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"t","version":"1"}}}`)
+	req, _ := http.NewRequest(http.MethodPost, baseURL, body)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json, text/event-stream")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("POST: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("expected 401 Unauthorized without x-api-key, got %d", resp.StatusCode)
+	}
+}
+
+// TestHTTP_AuthAcceptsCorrectKey confirms auth is actually checked, not bypassed.
+func TestHTTP_AuthAcceptsCorrectKey(t *testing.T) {
+	_, baseURL := startHTTPStreamServer(t, SSEConfig{
+		APIKey:     "test-key",
+		CORSOrigin: "*",
+	})
+
+	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"t","version":"1"}}}`)
+	req, _ := http.NewRequest(http.MethodPost, baseURL, body)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json, text/event-stream")
+	req.Header.Set("x-api-key", "test-key")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("POST: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200 with correct x-api-key, got %d", resp.StatusCode)
+	}
+}
+
+// TestHTTP_NoAuthWhenNoKey asserts the permissive default: no API key → any
+// client can connect (needed for basic-host and local MCP Apps dev).
+func TestHTTP_NoAuthWhenNoKey(t *testing.T) {
+	_, baseURL := startHTTPStreamServer(t, SSEConfig{
+		CORSOrigin: "*",
+	})
+
+	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"t","version":"1"}}}`)
+	req, _ := http.NewRequest(http.MethodPost, baseURL, body)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json, text/event-stream")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("POST: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200 without auth when no API key configured, got %d", resp.StatusCode)
+	}
+}