google-calendar-streamable-mcp-server
by alexrv98
Overview
This server allows seamless interaction with Google Calendar for managing events (create, retrieve, update, delete, respond, check availability) via the Model Context Protocol (MCP).
Installation
bun run startEnvironment Variables
- OAUTH_SCOPES
- OAUTH_REDIRECT_URI
- PROVIDER_CLIENT_ID
- PROVIDER_CLIENT_SECRET
- RS_TOKENS_ENC_KEY
- MCP_TITLE
- MCP_INSTRUCTIONS
- MCP_PROTOCOL_VERSION
- OAUTH_AUTHORIZATION_URL
- OAUTH_TOKEN_URL
- OAUTH_REVOCATION_URL
- OAUTH_EXTRA_AUTH_PARAMS
- OAUTH_REDIRECT_ALLOWLIST
- OAUTH_REDIRECT_ALLOW_ALL
- AUTH_STRATEGY
- AUTH_ENABLED
- AUTH_REQUIRE_RS
- AUTH_ALLOW_DIRECT_BEARER
Security Notes
The application uses strong cryptographic practices for token storage (AES-256-GCM) and implements a robust OAuth 2.1 PKCE flow. Secrets are correctly externalized via environment variables. Rate limiting and concurrency controls are in place. However, the `isAllowedOrigin` function in `src/shared/mcp/security.ts` is a placeholder that returns `true` in production mode by default, effectively disabling origin validation. This presents a critical security vulnerability for production deployments if not properly configured with an explicit allowlist, making the server susceptible to attacks from unverified origins.
Similar Servers
google-calendar-streamable-mcp-server
Manages Google Calendar events, checks availability, and schedules meetings via the Model Context Protocol (MCP) using OAuth 2.1.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.
mcp-oauth-server
This server provides an OAuth 2.1 Authorization Server implementation, compliant with the MCP Authorization Spec, to handle authentication and authorization for MCP clients and resource servers.
gcal-mcp
Serves as a Model Context Protocol (MCP) server for Google Calendar to query upcoming, date-specific, and searchable events.