mcp

Critical security risks identified: 1. **Hardcoded Empty Passwords:** `application.yml` contains hardcoded empty passwords for MySQL (`password: ''`) and Redis (`password: ''`). This is highly insecure and makes the server vulnerable to unauthorized access. 2. **Hardcoded API Keys:** The client's `application.yml` (though not the primary focus, it's part of the repo) contains a hardcoded DeepSeek/OpenAI API key (`api-key: sk-413c6606010c4852939181278ed7e4a2`), which is a critical secret exposure. 3. **Custom Authentication via Query Params:** The `McpFilter` implements custom authentication using `key` or `sessionId` passed as query parameters. Relying on query parameters for sensitive authentication tokens is generally less secure than using HTTP headers, as query parameters can be logged more easily and persist in browser history/proxy logs. 4. **Extensive Logging:** The `McpFilter` logs full request and response bodies, which could inadvertently expose sensitive data if not handled with caution in production environments. 5. **Test Secrets:** The `ClientSse.java` test file contains a hardcoded key (`sk-e7030e17d1d64881a44a53b359af1644`), which is poor practice even in test code as it could be mistakenly deployed or reveal patterns.