Merged
39 changes: 0 additions & 39 deletions docs/security.mdc
Expand Up @@ -150,44 +150,6 @@ SENTRY_CLIENT_SECRET=your_oauth_app_secret
COOKIE_SECRET=random_32_char_string
```

## Bot Protection

The MCP server includes bot protection at the Cloudflare Worker level to prevent abuse from generic HTTP clients.

### Implementation

Bot protection is implemented as a wrapper around the worker's fetch handler:

```typescript
export default withBotProtection(
Sentry.withSentry(
getSentryConfig,
oAuthProvider,
)
) satisfies ExportedHandler<Env>;
```

### Blocked User Agents

Generic bot user agents are blocked, including:
- Python clients: `python-requests`, `aiohttp`, `python-urllib`
- Go clients: `go-http-client`
- Java clients: `okhttp`, `apache-httpclient`
- Command line tools: `curl`, `wget`
- Other generic clients: `libwww-perl`, `bot`, `spider`, `crawler`

### Allowed Bots

Well-behaved bots are allowed, including:
- Search engines: Googlebot, Bingbot, DuckDuckBot
- Social media: FacebookExternalHit, TwitterBot
- Development tools: Postman, Insomnia
- Monitoring services: UptimeRobot, Pingdom, NewRelic

### Response

Blocked requests receive a `403 Forbidden` response with the message "Access denied".

## CORS Configuration

```typescript
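Review bot: The deleted "## Bot Protection" section is removed without any replacement sentence before "## CORS Configuration", so the document no longer says how abuse from non-browser clients is handled. If User-Agent filtering is being dropped on purpose, add one line stating that and naming the control requests now depend on, so readers do not assume the `403 Forbidden` / "Access denied" behaviour still exists. The rationale is worth recording: the removed block list covered `curl`, `python-requests` and `go-http-client`, which are common legitimate API clients, and the User-Agent header is client-supplied, so matching on it was never an authentication boundary.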
Expand All @@ -203,5 +165,4 @@ const ALLOWED_ORIGINS = [
- OAuth implementation: `packages/mcp-cloudflare/src/server/routes/sentry-oauth.ts`
- Cookie utilities: `packages/mcp-cloudflare/src/server/utils/cookies.ts`
- OAuth Provider: `packages/mcp-cloudflare/src/server/bindings.ts`
- Bot protection: `packages/mcp-cloudflare/src/server/lib/bot-protection.ts`
- Sentry OAuth docs: https://docs.sentry.io/api/guides/oauth/
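Review bot: Dropping the `Bot protection: packages/mcp-cloudflare/src/server/lib/bot-protection.ts` reference is only correct if that module is deleted in the same change, and the part of the diff visible here shows only `bot-protection.test.ts` being deleted. Confirm the module itself is removed too; otherwise it stays behind as untested dead code with no pointer from the docs.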
6 changes: 3 additions & 3 deletions packages/mcp-cloudflare/src/server/index.ts
Expand Up @@ -5,7 +5,6 @@ import app from "./app";
import { SCOPES } from "../constants";
import type { Env } from "./types";
import getSentryConfig from "./sentry.config";
import { withBotProtection } from "./lib/bot-protection";

// required for Durable Objects
export { SentryMCP };
Expand All @@ -24,6 +23,7 @@ const oAuthProvider = new OAuthProvider({
scopesSupported: Object.keys(SCOPES),
});

export default withBotProtection(
Sentry.withSentry(getSentryConfig, oAuthProvider),
export default Sentry.withSentry(
getSentryConfig,
oAuthProvider,
) satisfies ExportedHandler<Env>;
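Review bot: On the `export default` lines, removing the `withBotProtection(...)` wrapper means requests that used to be answered with 403 now reach `Sentry.withSentry` and `oAuthProvider` directly, and the 245-line `bot-protection.test.ts` is deleted with no test added for the new entry point. Consider a small test asserting that a request with a formerly blocked User-Agent such as `curl` is now passed through to the OAuth provider instead of being rejected, and verify that no route relied on the old filter as its only gate.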
245 changes: 0 additions & 245 deletions packages/mcp-cloudflare/src/server/lib/bot-protection.test.ts

This file was deleted.
