feat: change Atlas API auth to service accounts #59

Merged
merged 3 commits into from
Apr 11, 2025

Collaborator

@fmenezes fmenezes commented Apr 11, 2025

fixes #39

@fmenezes fmenezes marked this pull request as ready for review April 11, 2025 10:30
Collaborator

@blva blva left a comment

LGTM

README.md Outdated
| ------------------ | --------------------------------------------------------------------------- |
| `apiClientId` | Atlas API client ID for authentication |
| `apiClientSecret` | Atlas API client secret for authentication |
| `stateFile` | Path to store application state (default ~/.mongodb/mongodb-mcp/state.json) |
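Review bot: the `apiClientSecret` row documents the secret as an ordinary option without saying how it should be supplied. Consider adding a sentence to the table or just below it that names the preferred channel, for example an environment variable rather than a command-line argument, since arguments end up in shell history and process listings.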
Collaborator

We can drop this now - I forgot to remove it as part of #48 😅

README.md Outdated
| `apiClientId` | Atlas API client ID for authentication |
| `apiClientSecret` | Atlas API client secret for authentication |
| `stateFile` | Path to store application state (default ~/.mongodb/mongodb-mcp/state.json) |
| `connectionString` | MongoDB connection string for direct database connections |
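Review bot: the `connectionString` description does not say that the value usually embeds a username and password. State that in the row so readers handle it with the same care as `apiClientSecret`.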
Collaborator

We should probably indicate this is optional and if not provided, the connect tool should be used.

status: "not_auth" | "requested" | "issued";
code?: OauthDeviceCode;
token?: OAuthToken;
};
connectionString?: string;
Collaborator

Per slack discussion, let's drop the connection string storage and rely on users either providing it every time or supplying it as env variable. I know this will turn the credentials field to an empty object, but we could keep it around for persisting sensitive data after we go through security review. It will also allow the security team to review the mechanisms we intend to use for secure storage.

Collaborator Author

will do that on a follow up PR


export abstract class AtlasToolBase extends ToolBase {
constructor(
state: State,
protected apiClient: ApiClient
protected apiClient?: ApiClient
) {
super(state);
}

protected async ensureAuthenticated(): Promise<void> {
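Review bot: with `protected apiClient?: ApiClient` the client can now be undefined, and the visible lines do not show what `ensureAuthenticated()` does in that case. Make sure it throws an error that names the missing `apiClientId` / `apiClientSecret` before any request is built, so the Atlas tools fail closed instead of dereferencing an undefined client.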
Collaborator

Suggested change
protected async ensureAuthenticated(): Promise<void> {
protected ensureAuthenticated(): void {


export abstract class AtlasToolBase extends ToolBase {
constructor(
state: State,
protected apiClient: ApiClient
protected apiClient?: ApiClient
) {
super(state);
}

protected async ensureAuthenticated(): Promise<void> {
Collaborator

Suggested change
protected async ensureAuthenticated(): Promise<void> {
protected ensureAuthenticated(): asserts this is { apiClient: ApiClient } {

should let you get rid of all ! if you remove the await-s
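The assertion-signature pattern suggested in the comment above, as an added example that is not code from this PR or from the project: a synchronous `ensureAuthenticated()` narrows the optional `apiClient` for the rest of the calling method and fails closed when credentials are missing. The `ApiClient` stand-in, `listProjects`, `ListProjectsTool`, `runTool` and the error text are assumptions made for illustration.

```typescript
// Added illustration, not code from the PR. ApiClient is a hypothetical
// stand-in; listProjects and the error text are assumptions.
type Credentials = { apiClientId: string; apiClientSecret: string };

class ApiClient {
    private readonly credentials: Credentials;
    constructor(credentials: Credentials) {
        this.credentials = credentials;
    }
    // Stand-in for a real Atlas API call; returns constructed data.
    listProjects(): string[] {
        return [`projects visible to ${this.credentials.apiClientId}`];
    }
}

abstract class AtlasToolBase {
    protected apiClient?: ApiClient;
    constructor(apiClient?: ApiClient) {
        if (apiClient) this.apiClient = apiClient;
    }
    // Must stay synchronous: an assertion signature cannot be the return type
    // of an async method, which always returns a Promise.
    protected ensureAuthenticated(): asserts this is { apiClient: ApiClient } {
        if (!this.apiClient) {
            throw new Error("Not authenticated: apiClientId and apiClientSecret are required");
        }
    }
}

class ListProjectsTool extends AtlasToolBase {
    execute(): string[] {
        this.ensureAuthenticated();
        // `this.apiClient` is narrowed to ApiClient from here on, so no `!`.
        return this.apiClient.listProjects();
    }
}

// Builds a client only when both values are present, then runs the tool.
function runTool(apiClientId?: string, apiClientSecret?: string): string[] | string {
    const client = apiClientId && apiClientSecret
        ? new ApiClient({ apiClientId, apiClientSecret })
        : undefined;
    try {
        return new ListProjectsTool(client).execute();
    } catch (err) {
        return (err as Error).message; // fail closed: no API call was attempted
    }
}
```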

@fmenezes fmenezes merged commit 9e09c1e into main Apr 11, 2025
2 checks passed
@fmenezes fmenezes deleted the fmenezes/serviceAccounts branch April 11, 2025 10:55
nirinchev added a commit that referenced this pull request Apr 11, 2025
* main:
  feat: change Atlas API auth to service accounts (#59)

Successfully merging this pull request may close these issues.

[Atlas] Use service accounts for auth
4 participants