fix: mcp auth (#6733)

* fix: mcp auth * doc * doc
2026-04-17 02:06:41 +08:00 · 2026-04-09 15:12:39 +08:00
parent d2d48fc177
commit e3b5b3788f
6 changed files with 30 additions and 25 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,26 +1,25 @@
-# 安全策略
+# Security Policy

-## 漏洞报告
+## Vulnerability Reporting

-如果您发现了 FastGPT 的安全漏洞，请按照以下步骤进行报告：
+If you discover a security vulnerability in FastGPT, please follow the steps below to report it:

-1. **报告方式**
-   发送邮件至：archer@fastgpt.io
-   请备注版本以及您的 GitHub 账号
+1. **How to Report**
+   You can submit a report at https://github.com/labring/FastGPT/security/advisories.

-3. **响应时间**
-   - 我们会在 48 小时内确认收到您的报告
-   - 一般在 3 个工作日内给出初步评估结果
+2. **Response Time**
+   - We will acknowledge receipt of your report within 48 hours.
+   - An initial assessment will generally be provided within 3 business days.

-4. **漏洞处理流程**
-   - 确认漏洞：我们会验证漏洞的存在性和影响范围
-   - 修复开发：针对已确认的漏洞进行修复
-   - 版本发布：在下一个版本更新中发布安全补丁
-   - 公开披露：在修复完成后，我们会在更新日志中公布相关信息
+3. **Vulnerability Handling Process**
+   - **Confirmation**: We will verify the existence and scope of impact of the vulnerability.
+   - **Fix Development**: A fix will be developed for confirmed vulnerabilities.
+   - **Release**: Security patches will be released in the next version update.
+   - **Public Disclosure**: After the fix is complete, relevant information will be published in the changelog.

-5. **注意事项**
-   - 在漏洞未修复前，请勿公开披露漏洞详情
-   - 我们欢迎负责任的漏洞披露
-   - 对于重大贡献者，我们会在项目致谢名单中提及
+4. **Important Notes**
+   - Please do not publicly disclose vulnerability details before a fix has been released.
+   - We welcome responsible vulnerability disclosure.
+   - Significant contributors will be acknowledged in the project's credits.

-感谢您为 FastGPT 的安全性做出贡献！
+Thank you for contributing to the security of FastGPT!
--- a/document/content/docs/self-host/upgrading/4-14/41411.mdx
+++ b/document/content/docs/self-host/upgrading/4-14/41411.mdx
@@ -12,4 +12,5 @@ description: 'FastGPT V4.14.11 更新说明'

 ## 🐛 修复

-1. 对话 Agent 模式，模型存在刷新后被重置问题。
+1. 对话 Agent 模式，模型存在刷新后被重置问题。
+2. 部分接口未正确进行权限校验。
--- a/document/data/doc-last-modified.json
+++ b/document/data/doc-last-modified.json
@@ -221,7 +221,7 @@
  "document/content/docs/self-host/upgrading/4-14/4141.en.mdx": "2026-03-03T17:39:47+08:00",
  "document/content/docs/self-host/upgrading/4-14/4141.mdx": "2026-03-03T17:39:47+08:00",
  "document/content/docs/self-host/upgrading/4-14/41410.en.mdx": "2026-03-31T23:15:29+08:00",
-  "document/content/docs/self-host/upgrading/4-14/41410.mdx": "2026-04-02T13:43:47+08:00",
+  "document/content/docs/self-host/upgrading/4-14/41410.mdx": "2026-04-08T16:15:25+08:00",
  "document/content/docs/self-host/upgrading/4-14/41411.mdx": "2026-04-07T21:48:43+08:00",
  "document/content/docs/self-host/upgrading/4-14/4142.en.mdx": "2026-03-03T17:39:47+08:00",
  "document/content/docs/self-host/upgrading/4-14/4142.mdx": "2026-03-03T17:39:47+08:00",
--- a/projects/app/src/pages/api/core/app/mcpTools/getChildren.ts
+++ b/projects/app/src/pages/api/core/app/mcpTools/getChildren.ts
@@ -1,6 +1,5 @@
 import type { ApiRequestProps, ApiResponseType } from '@fastgpt/service/type/next';
 import { NextAPI } from '@/service/middleware/entry';
-import { MongoApp } from '@fastgpt/service/core/app/schema';
 import { AppTypeEnum } from '@fastgpt/global/core/app/constants';
 import { UserError } from '@fastgpt/global/common/error/utils';
 import { getMCPChildren } from '@fastgpt/service/core/app/mcp';
@@ -11,6 +10,8 @@ import {
  type GetMcpChildrenQueryType,
  type GetMcpChildrenResponseType
 } from '@fastgpt/global/openapi/core/app/mcpTools/api';
+import { authApp } from '@fastgpt/service/support/permission/app/auth';
+import { ReadPermissionVal } from '@fastgpt/global/support/permission/constant';

 async function handler(
  req: ApiRequestProps<{}, GetMcpChildrenQueryType>,
@@ -18,9 +19,7 @@ async function handler(
 ): Promise<GetMcpChildrenResponseType> {
  const { id, searchKey } = GetMcpChildrenQuerySchema.parse(req.query);

-  const app = await MongoApp.findOne({ _id: id }).lean();
-
-  if (!app) return Promise.reject(new UserError('No Mcp Toolset found'));
+  const { app } = await authApp({ req, authToken: true, appId: id, per: ReadPermissionVal });

  if (app.type !== AppTypeEnum.mcpToolSet)
    return Promise.reject(new UserError('the parent is not a mcp toolset'));
--- a/projects/app/src/pages/api/core/app/mcpTools/getTools.ts
+++ b/projects/app/src/pages/api/core/app/mcpTools/getTools.ts
@@ -9,11 +9,14 @@ import {
  type GetMcpToolsResponseType
 } from '@fastgpt/global/openapi/core/app/mcpTools/api';
 import { isInternalAddress, PRIVATE_URL_TEXT } from '@fastgpt/service/common/system/utils';
+import { authCert } from '@fastgpt/service/support/permission/auth/common';

 async function handler(
  req: ApiRequestProps<GetMcpToolsBodyType>,
  _res: ApiResponseType<any>
 ): Promise<GetMcpToolsResponseType> {
+  await authCert({ req, authToken: true });
+
  const { url, headerSecret } = GetMcpToolsBodySchema.parse(req.body);

  if (await isInternalAddress(url)) {
--- a/projects/app/src/pages/api/core/app/mcpTools/runTool.ts
+++ b/projects/app/src/pages/api/core/app/mcpTools/runTool.ts
@@ -8,11 +8,14 @@ import {
  type RunMcpToolResponseType
 } from '@fastgpt/global/openapi/core/app/mcpTools/api';
 import { isInternalAddress, PRIVATE_URL_TEXT } from '@fastgpt/service/common/system/utils';
+import { authCert } from '@fastgpt/service/support/permission/auth/common';

 async function handler(
  req: ApiRequestProps<RunMcpToolBodyType>,
  _res: ApiResponseType<any>
 ): Promise<RunMcpToolResponseType> {
+  await authCert({ req, authToken: true });
+
  const { url, toolName, headerSecret, params } = RunMcpToolBodySchema.parse(req.body);

  if (await isInternalAddress(url)) {