Fix MCP config: replace hardcoded token with env-var wrapper script
MCP_AUTH_TOKEN was stored in plain text in .mcp.json and thus in git history. Now connect.sh reads the token from the environment variable MCP_AUTH_TOKEN — set via export in ~/.bashrc or a secrets manager. ⚠️ Old token is in git history and should be rotated on the server. Rotate: python manage.py create_agent_token <username> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SysAdmin Agent
16
app/mcp_server/connect.sh
Normal file
16
app/mcp_server/connect.sh
Normal file
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
# MCP-Verbindungsskript zum Remote-Server
|
||||
# Token wird aus der Umgebungsvariable MCP_AUTH_TOKEN gelesen – nie hardcoden.
|
||||
# Einrichten: export MCP_AUTH_TOKEN=<token> in ~/.bashrc oder per Secrets-Manager.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
: "${MCP_AUTH_TOKEN:?MCP_AUTH_TOKEN nicht gesetzt. Bitte in ~/.bashrc oder ~/.profile exportieren.}"
|
||||
|
||||
exec ssh \
|
||||
-o StrictHostKeyChecking=no \
|
||||
deployment@217.154.84.225 \
|
||||
"cd /opt/stiftung && docker compose run --rm -T \
|
||||
-e MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN} \
|
||||
-e DJANGO_ALLOW_ASYNC_UNSAFE=true \
|
||||
mcp"
|
||||
Reference in New Issue
Block a user