fix(plugin-mcp): correctly uses local access controls (#14457)

Fix:
- Local requests correctly honor user access controls on CRUD tools

Feat:
- Allows config of a custom user collection with API Keys
- adds allow/disallow capability for custom `resources` and `prompts`
- tool descriptions are now optional -- we use a default description if
one isn't in the config

Author: kendelljoseph

packages/plugin-mcp/src/collections/createApiKeysCollection.ts

@@ -106,6 +106,7 @@ const addEnabledCollectionTools = (collections: PluginMCPServerConfig['collectio
               ]
             : []),
         ],
+        label: false as const,
       },
     ],
     label: `${enabledCollectionSlug.charAt(0).toUpperCase() + toCamelCase(enabledCollectionSlug).slice(1)}`,
@@ -116,6 +117,7 @@ export const createAPIKeysCollection = (
   collections: PluginMCPServerConfig['collections'],
   customTools: Array<{ description: string; name: string }> = [],
   experimentalTools: NonNullable<PluginMCPServerConfig['experimental']>['tools'] = {},
+  pluginOptions: PluginMCPServerConfig,
 ): CollectionConfig => {
   const customToolsFields = customTools.map((tool) => {
     const camelCasedName = toCamelCase(tool.name)
@@ -130,6 +132,40 @@ export const createAPIKeysCollection = (
     }
   })
 
+  const customResourceFields =
+    pluginOptions.mcp?.resources?.map((resource) => {
+      const camelCasedName = toCamelCase(resource.name)
+      return {
+        name: camelCasedName,
+        type: 'checkbox' as const,
+        admin: {
+          description: resource.description,
+        },
+        defaultValue: true,
+        label: camelCasedName,
+      }
+    }) || []
+
+  const customPromptFields =
+    pluginOptions.mcp?.prompts?.map((prompt) => {
+      const camelCasedName = toCamelCase(prompt.name)
+      return {
+        name: camelCasedName,
+        type: 'checkbox' as const,
+        admin: {
+          description: prompt.description,
+        },
+        defaultValue: true,
+        label: camelCasedName,
+      }
+    }) || []
+
+  const userCollection = pluginOptions.userCollection
+    ? typeof pluginOptions.userCollection === 'string'
+      ? pluginOptions.userCollection
+      : pluginOptions.userCollection.slug
+    : 'users'
+
   return {
     slug: 'payload-mcp-api-keys',
     admin: {
@@ -147,7 +183,7 @@ export const createAPIKeysCollection = (
         admin: {
           description: 'The user that the API key is associated with.',
         },
-        relationTo: 'users',
+        relationTo: userCollection,
         required: true,
       },
       {
@@ -176,12 +212,53 @@ export const createAPIKeysCollection = (
               },
               fields: [
                 {
-                  name: 'custom',
+                  name: 'payload-mcp-tool',
                   type: 'group' as const,
                   fields: customToolsFields,
+                  label: false as const,
+                },
+              ],
+              label: 'Tools',
+            },
+          ]
+        : []),
+
+      ...(pluginOptions.mcp?.resources && pluginOptions.mcp?.resources.length > 0
+        ? [
+            {
+              type: 'collapsible' as const,
+              admin: {
+                position: 'sidebar' as const,
+              },
+              fields: [
+                {
+                  name: 'payload-mcp-resource',
+                  type: 'group' as const,
+                  fields: customResourceFields,
+                  label: false as const,
+                },
+              ],
+              label: 'Resources',
+            },
+          ]
+        : []),
+
+      ...(pluginOptions.mcp?.prompts && pluginOptions.mcp?.prompts.length > 0
+        ? [
+            {
+              type: 'collapsible' as const,
+              admin: {
+                position: 'sidebar' as const,
+              },
+              fields: [
+                {
+                  name: 'payload-mcp-prompt',
+                  type: 'group' as const,
+                  fields: customPromptFields,
+                  label: false as const,
                 },
               ],
-              label: 'Custom Tools',
+              label: 'Prompts',
             },
           ]
         : []),

packages/plugin-mcp/src/endpoints/mcp.ts

@@ -1,7 +1,7 @@
 import crypto from 'crypto'
 import { APIError, type PayloadHandler, type Where } from 'payload'
 
-import type { PluginMCPServerConfig, ToolSettings } from '../types.js'
+import type { MCPAccessSettings, PluginMCPServerConfig } from '../types.js'
 
 import { createRequestFromPayloadRequest } from '../mcp/createRequest.js'
 import { getMCPHandler } from '../mcp/getMcpHandler.js'
@@ -46,13 +46,13 @@ export const initializeMCPHandler = (pluginOptions: PluginMCPServerConfig) => {
       throw new APIError('API Key is invalid', 401)
     }
 
-    const toolSettings = docs[0] as ToolSettings
+    const mcpAccessSettings = docs[0] as MCPAccessSettings
 
     if (useVerboseLogs) {
       payload.logger.info('[payload-mcp] API Key is valid')
     }
 
-    const handler = getMCPHandler(pluginOptions, toolSettings, req)
+    const handler = getMCPHandler(pluginOptions, mcpAccessSettings, req)
     const request = createRequestFromPayloadRequest(req)
     return await handler(request)
   }

packages/plugin-mcp/src/index.ts

@@ -42,7 +42,12 @@ export const mcpPlugin =
      *  - If a custom tool has gone haywire, admins can disallow that tool.
      *
      */
-    const apiKeyCollection = createAPIKeysCollection(collections, customTools, experimentalTools)
+    const apiKeyCollection = createAPIKeysCollection(
+      collections,
+      customTools,
+      experimentalTools,
+      pluginOptions,
+    )
     if (pluginOptions.overrideApiKeyCollection) {
       config.collections.push(pluginOptions.overrideApiKeyCollection(apiKeyCollection))
     } else {