release: secrets-mcp 0.5.2

Bump version: secrets-mcp-0.5.1 tag already existed while crates had further changes. Made-with: Cursor
2026-04-05 10:38:50 +08:00
parent aefad33870
commit dd24f7cc44
15 changed files with 787 additions and 66 deletions
--- a/crates/secrets-mcp/src/auth.rs
+++ b/crates/secrets-mcp/src/auth.rs
@@ -1,7 +1,5 @@
-use std::net::SocketAddr;
-
 use axum::{
-    extract::{ConnectInfo, Request, State},
+    extract::{Request, State},
    http::StatusCode,
    middleware::Next,
    response::Response,
@@ -11,29 +9,14 @@ use uuid::Uuid;

 use secrets_core::service::api_key::validate_api_key;

+use crate::client_ip;
+
 /// Injected into request extensions after Bearer token validation.
 #[derive(Clone, Debug)]
 pub struct AuthUser {
    pub user_id: Uuid,
 }

-fn log_client_ip(req: &Request) -> Option<String> {
-    if let Some(first) = req
-        .headers()
-        .get("x-forwarded-for")
-        .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.split(',').next())
-    {
-        let s = first.trim();
-        if !s.is_empty() {
-            return Some(s.to_string());
-        }
-    }
-    req.extensions()
-        .get::<ConnectInfo<SocketAddr>>()
-        .map(|c| c.ip().to_string())
-}
-
 /// Axum middleware that validates Bearer API keys for the /mcp route.
 /// Passes all non-MCP paths through without authentication.
 pub async fn bearer_auth_middleware(
@@ -43,7 +26,7 @@ pub async fn bearer_auth_middleware(
 ) -> Result<Response, StatusCode> {
    let path = req.uri().path();
    let method = req.method().as_str();
-    let client_ip = log_client_ip(&req);
+    let client_ip = client_ip::extract_client_ip(&req);

    // Only authenticate /mcp paths
    if !path.starts_with("/mcp") {
@@ -66,7 +49,7 @@ pub async fn bearer_auth_middleware(
            tracing::warn!(
                method,
                path,
-                client_ip = client_ip.as_deref(),
+                %client_ip,
                "invalid Authorization header format on /mcp (expected Bearer …)"
            );
            return Err(StatusCode::UNAUTHORIZED);
@@ -75,7 +58,7 @@ pub async fn bearer_auth_middleware(
            tracing::warn!(
                method,
                path,
-                client_ip = client_ip.as_deref(),
+                %client_ip,
                "missing Authorization header on /mcp"
            );
            return Err(StatusCode::UNAUTHORIZED);
@@ -93,7 +76,7 @@ pub async fn bearer_auth_middleware(
            tracing::warn!(
                method,
                path,
-                client_ip = client_ip.as_deref(),
+                %client_ip,
                key_prefix = %&raw_key.chars().take(12).collect::<String>(),
                key_len = raw_key.len(),
                "invalid api key (not found in database — e.g. revoked key or DB was reset; update MCP client Bearer token)"
@@ -104,7 +87,7 @@ pub async fn bearer_auth_middleware(
            tracing::error!(
                method,
                path,
-                client_ip = client_ip.as_deref(),
+                %client_ip,
                error = %e,
                "api key validation error"
            );