nitro-mcp-server
by peterbud
Overview
This project serves as a Model Context Protocol (MCP) server demonstrating streamable HTTP transport with pluggable authentication providers (Auth0, Microsoft Entra ID) and schema-validated tools/resources.
Installation
pnpm dev
Environment Variables
- NITRO_MCP_SERVER_HOST
- NITRO_MCP_SERVER_PORT
- NITRO_MCP_SERVER_AUTH_ENABLED
- NITRO_MCP_SERVER_AUTH_DEFAULT_PROVIDER
- NITRO_MCP_SERVER_AUTH_PROVIDERS_AUTH0_CLIENT_ID
- NITRO_MCP_SERVER_AUTH_PROVIDERS_AUTH0_CLIENT_SECRET
- NITRO_MCP_SERVER_AUTH_PROVIDERS_AUTH0_DOMAIN
- NITRO_MCP_SERVER_AUTH_PROVIDERS_AUTH0_SCOPE
- NITRO_MCP_SERVER_AUTH_PROVIDERS_ENTRA_TENANT_ID
- NITRO_MCP_SERVER_AUTH_PROVIDERS_ENTRA_CLIENT_ID
- NITRO_MCP_SERVER_AUTH_PROVIDERS_ENTRA_CLIENT_SECRET
- NITRO_MCP_SERVER_AUTH_PROVIDERS_ENTRA_SCOPE
- CONSOLA_LOGGER_LEVEL
- NODE_ENV
Security Notes
CRITICAL: The server relies on local file system storage (fs driver) for `registrationStore` and `authCodeStore` to manage OAuth client registrations, authorization codes, and states. This is fundamentally insecure for production environments, as it is vulnerable to local file system attacks and does not support distributed deployments or high availability. The 'Todo' section explicitly mentions a missing cleanup task for expired authorization codes, which leaves the server exposed to resource exhaustion and potential misuse of stale codes. The `/auth/register` endpoint acts as a Dynamic Client Registration (DCR) proxy without inherent rate limiting; the README notes that it requires external protection to prevent abuse.
Similar Servers
frontmcp
The CodeCall plugin provides AgentScript-based meta-tools for orchestrating MCP tools, enabling programmatic discovery, description, execution, and invocation of server capabilities within a sandboxed JavaScript environment.
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.
mcp-servers
Provides current weather conditions and forecasts from the Open-Meteo API for a given geographical location.