feat(lightspeed): Address PR reviews, add changeset

Assisted-by: Claude Opus 4.6

Generated-by: Cursor
Signed-off-by: Maysun J Faisal <maysunaneek@gmail.com>

Author: maysunfaisal

workspaces/lightspeed/.changeset/lemon-walls-fly.md

@@ -0,0 +1,6 @@
+---
+'@red-hat-developer-hub/backstage-plugin-lightspeed-backend': minor
+'@red-hat-developer-hub/backstage-plugin-lightspeed-common': minor
+---
+
+Added MCP Server management backend APIs with per-user preferences, on-demand validation, and new permissions (lightspeed.mcp.read, lightspeed.mcp.manage)

workspaces/lightspeed/app-config.yaml

@@ -30,9 +30,9 @@ backend:
   database:
     client: better-sqlite3
     connection: ':memory:'
-      # Use the directory property to store the database in a file for local development
-      # The database is used for the user preferences and MCP servers settings
-      # directory: './sqlite-data'
+    # To persist the database to a file for local development, replace the above with:
+    # connection:
+    #   directory: './sqlite-data'
     # OpenShift / RHDH production — uses the PostgreSQL instance managed by the
     # RHDH Helm chart or Operator.  These env vars are injected from the
     # PostgreSQL Secret into the Backstage container by the deployment config.

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server-store.ts

@@ -49,29 +49,14 @@ export class McpUserSettingsStore {
       .first();
   }
 
-  /** Create or update user settings for a server. */
+  /** Create or update user settings for a server (atomic). */
   async upsert(
     serverName: string,
     userEntityRef: string,
     updates: { enabled?: boolean; token?: string | null },
   ): Promise<McpUserSettingsRow> {
-    const existing = await this.get(serverName, userEntityRef);
     const now = new Date().toISOString();
 
-    if (existing) {
-      const fields: Partial<McpUserSettingsRow> = { updated_at: now };
-      if (updates.enabled !== undefined) fields.enabled = updates.enabled;
-      if (updates.token !== undefined) {
-        fields.token = updates.token;
-        if (updates.token) fields.status = 'unknown';
-      }
-
-      await this.db(TABLE)
-        .where({ server_name: serverName, user_entity_ref: userEntityRef })
-        .update(fields);
-      return (await this.get(serverName, userEntityRef))!;
-    }
-
     const row: McpUserSettingsRow = {
       id: randomUUID(),
       server_name: serverName,
@@ -83,26 +68,41 @@ export class McpUserSettingsStore {
       created_at: now,
       updated_at: now,
     };
-    await this.db(TABLE).insert(row);
-    return row;
+
+    const mergeFields: Partial<McpUserSettingsRow> = { updated_at: now };
+    if (updates.enabled !== undefined) mergeFields.enabled = updates.enabled;
+    if (updates.token !== undefined) {
+      mergeFields.token = updates.token;
+      // Reset cached validation when token changes (new or cleared)
+      mergeFields.status = 'unknown';
+      mergeFields.tool_count = 0;
+    }
+
+    await this.db(TABLE)
+      .insert(row)
+      .onConflict(['server_name', 'user_entity_ref'])
+      .merge(mergeFields);
+
+    const result = await this.get(serverName, userEntityRef);
+    if (!result) {
+      throw new Error(
+        `Failed to upsert settings for ${serverName}/${userEntityRef}`,
+      );
+    }
+    return result;
   }
 
-  /** Update cached validation status for a user's server setting. */
+  /** Update cached validation status for a user's server setting (atomic). */
   async updateStatus(
     serverName: string,
     userEntityRef: string,
     status: McpServerStatus,
     toolCount: number,
   ): Promise<void> {
-    const existing = await this.get(serverName, userEntityRef);
     const now = new Date().toISOString();
 
-    if (existing) {
-      await this.db(TABLE)
-        .where({ server_name: serverName, user_entity_ref: userEntityRef })
-        .update({ status, tool_count: toolCount, updated_at: now });
-    } else {
-      await this.db(TABLE).insert({
+    await this.db(TABLE)
+      .insert({
         id: randomUUID(),
         server_name: serverName,
         user_entity_ref: userEntityRef,
@@ -112,7 +112,8 @@ export class McpUserSettingsStore {
         tool_count: toolCount,
         created_at: now,
         updated_at: now,
-      });
-    }
+      })
+      .onConflict(['server_name', 'user_entity_ref'])
+      .merge({ status, tool_count: toolCount, updated_at: now });
   }
 }

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server-validator.ts

@@ -205,7 +205,8 @@ export class McpServerValidator {
         }
       }
     } catch (error) {
-      this.logger.warn(`Failed to parse SSE tools/list response: ${error}`);
+      const msg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to parse SSE tools/list response: ${msg}`);
     }
     return undefined;
   }

workspaces/lightspeed/plugins/lightspeed-backend/src/service/mcp-server.test.ts

@@ -88,6 +88,29 @@ jest.mock('@backstage/backend-plugin-api', () => ({
   })),
 }));
 
+async function startBackendServer(
+  config?: Record<PropertyKey, unknown>,
+  authorizeResult?: AuthorizeResult.DENY | AuthorizeResult.ALLOW,
+) {
+  const features: (BackendFeature | Promise<{ default: BackendFeature }>)[] = [
+    lightspeedPlugin,
+    mockServices.rootLogger.factory(),
+    mockServices.rootConfig.factory({
+      data: { ...BASE_CONFIG, ...config },
+    }),
+    mockServices.httpAuth.factory({
+      defaultCredentials: mockCredentials.user(mockUserId),
+    }),
+    mockServices.permissions.mock({
+      authorize: async () => [
+        { result: authorizeResult ?? AuthorizeResult.ALLOW },
+      ],
+    }).factory,
+    mockServices.userInfo.factory(),
+  ];
+  return (await startTestBackend({ features })).server;
+}
+
 describe('MCP server management endpoints', () => {
   const server = setupServer(...handlers, ...lcsHandlers, ...mcpHandlers);
 
@@ -111,30 +134,6 @@ describe('MCP server management endpoints', () => {
     server.resetHandlers();
   });
 
-  async function startBackendServer(
-    config?: Record<PropertyKey, unknown>,
-    authorizeResult?: AuthorizeResult.DENY | AuthorizeResult.ALLOW,
-  ) {
-    const features: (BackendFeature | Promise<{ default: BackendFeature }>)[] =
-      [
-        lightspeedPlugin,
-        mockServices.rootLogger.factory(),
-        mockServices.rootConfig.factory({
-          data: { ...BASE_CONFIG, ...(config || {}) },
-        }),
-        mockServices.httpAuth.factory({
-          defaultCredentials: mockCredentials.user(mockUserId),
-        }),
-        mockServices.permissions.mock({
-          authorize: async () => [
-            { result: authorizeResult ?? AuthorizeResult.ALLOW },
-          ],
-        }).factory,
-        mockServices.userInfo.factory(),
-      ];
-    return (await startTestBackend({ features })).server;
-  }
-
   // ─── GET /mcp-servers ─────────────────────────────────────────────
 
   describe('GET /mcp-servers', () => {
@@ -277,6 +276,24 @@ describe('MCP server management endpoints', () => {
       expect(patchRes.status).toBe(404);
     });
 
+    it('resets status when token is cleared', async () => {
+      const backendServer = await startBackendServer(MCP_CONFIG);
+
+      // First set a valid token (triggers validation → connected)
+      await request(backendServer)
+        .patch('/api/lightspeed/mcp-servers/static-mcp')
+        .send({ token: MOCK_MCP_VALID_TOKEN });
+
+      // Clear the token
+      const clearRes = await request(backendServer)
+        .patch('/api/lightspeed/mcp-servers/static-mcp')
+        .send({ token: null });
+
+      expect(clearRes.status).toBe(200);
+      expect(clearRes.body.server.status).toBe('unknown');
+      expect(clearRes.body.server.toolCount).toBe(0);
+    });
+
     it('returns 400 when no fields provided', async () => {
       const backendServer = await startBackendServer(MCP_CONFIG);
       const patchRes = await request(backendServer)
@@ -303,8 +320,8 @@ describe('MCP server management endpoints', () => {
   // ─── POST /mcp-servers/validate (generic) ─────────────────────────
 
   describe('POST /mcp-servers/validate', () => {
-    it('validates valid credentials', async () => {
-      const backendServer = await startBackendServer();
+    it('validates valid credentials with LCS-known URL', async () => {
+      const backendServer = await startBackendServer(MCP_CONFIG);
       const response = await request(backendServer)
         .post('/api/lightspeed/mcp-servers/validate')
         .send({ url: MOCK_MCP_ADDR, token: MOCK_MCP_VALID_TOKEN });
@@ -315,8 +332,8 @@ describe('MCP server management endpoints', () => {
       expect(response.body.tools).toHaveLength(3);
     });
 
-    it('validates invalid credentials', async () => {
-      const backendServer = await startBackendServer();
+    it('validates invalid credentials with LCS-known URL', async () => {
+      const backendServer = await startBackendServer(MCP_CONFIG);
       const response = await request(backendServer)
         .post('/api/lightspeed/mcp-servers/validate')
         .send({ url: MOCK_MCP_ADDR, token: 'bad-token' });
@@ -334,6 +351,16 @@ describe('MCP server management endpoints', () => {
       expect(response.status).toBe(400);
       expect(response.body.error).toContain('url and token are required');
     });
+
+    it('rejects unknown URL (SSRF protection)', async () => {
+      const backendServer = await startBackendServer(MCP_CONFIG);
+      const response = await request(backendServer)
+        .post('/api/lightspeed/mcp-servers/validate')
+        .send({ url: 'http://internal-service:1234', token: 'some-token' });
+
+      expect(response.status).toBe(400);
+      expect(response.body.error).toContain('URL not recognized');
+    });
   });
 
   // ─── POST /mcp-servers/:name/validate (on-demand) ──────────────────

workspaces/lightspeed/plugins/lightspeed-backend/src/service/router.ts

@@ -130,7 +130,9 @@ export async function createRouter(
 
   async function refreshLcsUrlCache(): Promise<void> {
     try {
-      const response = await fetch(`http://0.0.0.0:${port}/v1/mcp-servers`);
+      const response = await fetch(`http://0.0.0.0:${port}/v1/mcp-servers`, {
+        signal: AbortSignal.timeout(5000),
+      });
       if (!response.ok) {
         logger.warn(
           `Failed to fetch MCP server URLs from LCS: HTTP ${response.status}`,
@@ -145,7 +147,8 @@ export async function createRouter(
       }
       logger.info(`Cached ${lcsUrlCache.size} MCP server URL(s) from LCS`);
     } catch (error) {
-      logger.warn(`Failed to fetch MCP server URLs from LCS: ${error}`);
+      const msg = error instanceof Error ? error.message : String(error);
+      logger.warn(`Failed to fetch MCP server URLs from LCS: ${msg}`);
     }
   }
 
@@ -186,7 +189,7 @@ export async function createRouter(
           name: server.name,
           url: resolveServerUrl(server.name),
           enabled: setting ? Boolean(setting.enabled) : true,
-          status: (setting?.status as McpServerStatus) ?? 'unknown',
+          status: setting?.status ?? 'unknown',
           toolCount: setting?.tool_count ?? 0,
           hasToken: !!(setting?.token || server.token),
         };
@@ -214,6 +217,20 @@ export async function createRouter(
         return;
       }
 
+      // SSRF protection: only allow URLs registered in LCS
+      let knownUrls = new Set(lcsUrlCache.values());
+      if (!knownUrls.has(url)) {
+        await refreshLcsUrlCache();
+        knownUrls = new Set(lcsUrlCache.values());
+      }
+      if (!knownUrls.has(url)) {
+        res.status(400).json({
+          error:
+            'URL not recognized — only MCP server URLs registered in LCS are allowed',
+        });
+        return;
+      }
+
       const result = await mcpValidator.validate(url, token);
       res.json(result);
     } catch (error) {
@@ -229,18 +246,21 @@ export async function createRouter(
   router.post('/mcp-servers/:name/validate', async (req, res) => {
     try {
       const credentials = await httpAuth.credentials(req);
-      await authorizer.authorizeUser(lightspeedMcpReadPermission, credentials);
+      await authorizer.authorizeUser(
+        lightspeedMcpManagePermission,
+        credentials,
+      );
       const user = await userInfo.getUserInfo(credentials);
 
       const { name } = req.params;
       const server = staticServers.find(s => s.name === name);
       if (!server) {
         res.status(404).json({
-          error: `MCP server '${name}' not found in configuration`,
+          error: `MCP server '${name}' is not configured — it must be defined in the Lightspeed Stack config and listed under lightspeed.mcpServers in app-config`,
         });
         return;
       }
-      // Resolve URL: config override → LCS cache → fresh LCS fetch
+      // Resolve URL: LCS cache → fresh LCS fetch
       let serverUrl = resolveServerUrl(server.name);
       if (!serverUrl) {
         await refreshLcsUrlCache();
@@ -301,7 +321,7 @@ export async function createRouter(
       const server = staticServers.find(s => s.name === name);
       if (!server) {
         res.status(404).json({
-          error: `MCP server '${name}' not found in configuration`,
+          error: `MCP server '${name}' is not configured — it must be defined in the Lightspeed Stack config and listed under lightspeed.mcpServers in app-config`,
         });
         return;
       }
@@ -320,7 +340,11 @@ export async function createRouter(
       });
 
       let validation: McpValidationResult | undefined;
-      const serverUrl = resolveServerUrl(server.name);
+      let serverUrl = resolveServerUrl(server.name);
+      if (token && !serverUrl) {
+        await refreshLcsUrlCache();
+        serverUrl = resolveServerUrl(server.name);
+      }
       if (token && serverUrl) {
         validation = await mcpValidator.validate(serverUrl, token);
         const newStatus: McpServerStatus = validation.valid
@@ -341,10 +365,10 @@ export async function createRouter(
           name: server.name,
           url: resolveServerUrl(server.name),
           enabled: Boolean(setting.enabled),
-          status: setting.status as McpServerStatus,
+          status: setting.status,
           toolCount: setting.tool_count,
           hasToken: !!(setting.token || server.token),
-        } as McpServerResponse,
+        },
       };
       if (validation) result.validation = validation;
       res.json(result);