Skip to content

Merge test to main#140

Merged
sweetmantech merged 4 commits intomainfrom
test
Jan 20, 2026
Merged

Merge test to main#140
sweetmantech merged 4 commits intomainfrom
test

Conversation

@sweetmantech
Copy link
Contributor

@sweetmantech sweetmantech commented Jan 20, 2026
edited by coderabbitai bot
Loading

Merge test branch changes to main

Summary by CodeRabbit

  • New Features

    • Added authentication token support for improved tool access control

  • Improvements

    • Enhanced CORS header configuration to support API key authentication in requests

✏️ Tip: You can customize this high-level summary in your review settings.

sweetmantech and others added 4 commits January 19, 2026 21:19
@sweetmantech @claude
Add logging to MCP auth verification for debugging
ee1700a 
Logs Privy JWT and API key validation attempts to help debug
authentication failures in tool calls.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sweetmantech
Revert "Add logging to MCP auth verification for debugging"
832df65 
This reverts commit ee1700a.
@sweetmantech @claude
fix: add CORS headers to streaming chat response (#138)
3b9d4b7 
- Add CORS headers to createUIMessageStreamResponse call in handleChatStream
- Add x-api-key to Access-Control-Allow-Headers in getCorsHeaders
- Update handleChatStream test to expect CORS headers

Fixes cross-origin requests to /api/chat endpoint being blocked.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
@sweetmantech @claude
refactor: Use HTTP transport for MCP to properly pass authInfo (#139)
99ed986 
* refactor: Use HTTP transport for MCP to properly pass authInfo

Replace InMemoryTransport with StreamableHTTPClientTransport to make
HTTP requests to /api/mcp endpoint with forwarded auth token. This
ensures MCP tool handlers receive proper authInfo through the
established withMcpAuth middleware flow.

- Add authToken to ChatRequestBody type
- Extract auth token from request headers in validateChatRequest
- Use HTTP transport to /api/mcp with Authorization header
- Update tests to include authToken in request bodies

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Make authToken optional for internal flows

Internal flows like email processing don't have an auth token from
HTTP headers. Make authToken optional and skip MCP tools when not
present.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: Extract getBaseUrl to lib/networking

Move getBaseUrl utility to its own file following SRP.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: Extract getMcpTools to lib/mcp

Move MCP tools fetching logic to its own file following SRP.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Add unit tests for getBaseUrl and getMcpTools

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: Use AI SDK built-in SSE transport for MCP

Replace StreamableHTTPClientTransport with AI SDK's built-in transport
config which provides a simpler API:

  transport: {
    type: "sse",
    url: "...",
    headers: { Authorization: "..." }
  }

This should fix the "Streamable HTTP error" issue.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Correct MCP endpoint URL to /mcp

The MCP route is at app/mcp/route.ts, not app/api/mcp/route.ts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Use HTTP transport instead of SSE for MCP

The mcp-handler server only supports HTTP transport, not SSE.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
@vercel
Copy link
Contributor

vercel bot commented Jan 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
recoup-api Ready Ready Preview Jan 20, 2026 6:32pm

@sweetmantech sweetmantech merged commit c991b55 into main Jan 20, 2026
2 of 4 checks passed
@coderabbitai
Copy link

coderabbitai bot commented Jan 20, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This PR refactors the MCP tool retrieval mechanism from in-process to HTTP-based, adds optional authentication token support throughout the chat request pipeline, and enhances streaming responses with CORS headers. The changes include new utility functions for base URL resolution and updated CORS header handling.

Changes

Cohort / File(s) Summary
Streaming Response CORS Enhancement
lib/chat/__tests__/handleChatStream.test.ts, lib/chat/handleChatStream.ts		 Updated createUIMessageStreamResponse signature to accept object with stream and optional headers fields; integrated CORS headers via getCorsHeaders() call in streaming response
Authentication Token Pipeline
lib/chat/validateChatRequest.ts, lib/chat/__tests__/setupToolsForRequest.test.ts, lib/chat/setupToolsForRequest.ts		 Added optional authToken?: string field to ChatRequestBody type; extracted token from request headers; updated setupToolsForRequest to gate MCP tool retrieval on token presence
MCP Tool Retrieval via HTTP
lib/mcp/getMcpTools.ts, lib/mcp/__tests__/getMcpTools.test.ts		 New module introducing getMcpTools(authToken) function that fetches tools over HTTP with Bearer token authentication; includes unit tests validating HTTP transport configuration and token header propagation
Networking Utilities
lib/networking/getBaseUrl.ts, lib/networking/__tests__/getBaseUrl.test.ts, lib/networking/getCorsHeaders.ts		 Introduced getBaseUrl() utility returning Vercel or localhost URLs; added test coverage for VERCEL_URL conditions; updated CORS headers to include "x-api-key" in allowed headers

Sequence Diagram

sequenceDiagram
    participant Client
    participant ChatHandler as Chat Request Handler
    participant Validator as Validator
    participant MCP as MCP Service (HTTP)
    participant Sheets as Google Sheets Service
    participant Aggregator as Tool Aggregator

    Client->>ChatHandler: POST /chat with request body
    ChatHandler->>Validator: validateChatRequest(body)
    Validator->>Validator: Extract authToken from headers
    Validator-->>ChatHandler: Return ChatRequestBody + authToken
    
    ChatHandler->>Aggregator: setupToolsForRequest(body + authToken)
    
    alt authToken present
        Aggregator->>MCP: getMcpTools(authToken)
        MCP-->>Aggregator: ToolSet from HTTP endpoint
    else authToken absent
        Aggregator->>Aggregator: Skip MCP tools (empty set)
    end
    
    Aggregator->>Sheets: getGoogleSheetsTools()
    Sheets-->>Aggregator: Google Sheets ToolSet
    
    Aggregator->>Aggregator: Merge tools (Sheets takes precedence)
    Aggregator-->>ChatHandler: Combined ToolSet
    
    ChatHandler->>ChatHandler: Create streaming response
    ChatHandler->>ChatHandler: Add CORS headers via getCorsHeaders()
    ChatHandler-->>Client: UIMessageStream with CORS headers
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Poem

🐰 Hops through the MCP tunnel with a token in paw,
HTTP brings tools from afar without flaw,
CORS headers flow like carrots in spring,
Authentication's the key to everything! 🔑

✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sweetmantech

Comments