Fix MCP API key bypass vulnerability

CRITICAL SECURITY FIX:
- Add strict MCP request path detection (/mcp/, /gradio_api/mcp)
- Enforce mandatory API key for all MCP endpoint requests
- Prevent bypass via --transport sse-only parameter
- Add detailed request debugging and path analysis
- Improve error messages with clear configuration examples

Changes:
- Detect MCP requests by URL path analysis
- Block Space API key usage for MCP endpoints
- Add comprehensive request logging for debugging
- Ensure MCP clients cannot access without proper API key

This prevents the security issue where MCP clients could
access the service without API keys using sse-only transport.

app.py

@@ -17,6 +17,7 @@ def get_api_client():
     # Try to get API key from multiple sources
     api_key = None
     user_agent = ""
+    request_path = ""
 
     # 1. Try from request headers (for MCP clients)
     try:
@@ -25,7 +26,10 @@ def get_api_client():
             headers = dict(request.headers)
             api_key = get_api_key_from_headers(headers)
             user_agent = headers.get('user-agent', '')
+            request_path = getattr(request, 'url', {}).path if hasattr(
+                request, 'url') else ""
             print(f"🔍 Request headers found - User-Agent: {user_agent}")
+            print(f"🔍 Request path: {request_path}")
             print(
                 f"🔍 API key from headers: {'Found' if api_key else 'Not found'}")
     except Exception as e:
@@ -39,6 +43,13 @@ def get_api_client():
 
     # 3. Determine if this is a web browser request or MCP client request
     is_web_request = False
+    is_mcp_request = False
+
+    # Check if this is an MCP request
+    if request_path and ('/mcp/' in request_path or '/gradio_api/mcp' in request_path):
+        is_mcp_request = True
+        print("🔍 Detected MCP API request")
+
     if user_agent:
         user_agent_lower = user_agent.lower()
         # Web browsers typically have 'mozilla' in user agent
@@ -52,15 +63,42 @@ def get_api_client():
         is_web_request = False
         print("🔍 No User-Agent found - assuming MCP client request")
 
-    # 4. Use Space API key ONLY for web browser requests on Hugging Face Space
-    if not api_key and is_space and space_api_key and is_web_request:
+    # 4. STRICT RULE: MCP requests MUST have API key
+    if is_mcp_request and not api_key:
+        error_msg = (
+            "🔑 API key is REQUIRED for MCP requests!\n\n"
+            "This is an MCP API endpoint. You must provide your API key.\n"
+            "Get your API key at https://a1d.ai\n\n"
+            "Configuration example:\n"
+            '{\n'
+            '  "mcpServers": {\n'
+            '    "a1d": {\n'
+            '      "command": "npx",\n'
+            '      "args": [\n'
+            '        "mcp-remote@latest",\n'
+            '        "https://aigchacker-a1d-mcp-server.hf.space/gradio_api/mcp/sse",\n'
+            '        "--header",\n'
+            '        "API_KEY:${MCP_API_KEY}"\n'
+            '      ],\n'
+            '      "env": {\n'
+            '        "MCP_API_KEY": "your_a1d_api_key_here"\n'
+            '      }\n'
+            '    }\n'
+            '  }\n'
+            '}'
+        )
+        print(f"❌ MCP API key validation failed: {error_msg}")
+        raise ValueError(error_msg)
+
+    # 5. Use Space API key ONLY for web browser requests on Hugging Face Space
+    if not api_key and is_space and space_api_key and is_web_request and not is_mcp_request:
         print("📡 Using API key from Space environment variable (web demo)")
         return A1DAPIClient(space_api_key)
 
-    # 5. For MCP clients or when no Space API key available, user API key is mandatory
+    # 6. For all other cases, user API key is mandatory
     if not api_key:
         error_msg = (
-            "🔑 API key is required for MCP clients!\n\n"
+            "🔑 API key is required!\n\n"
             "Please provide API_KEY in request headers.\n"
             "Get your API key at https://a1d.ai\n\n"
             "Configuration example:\n"

test_no_key.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+"""
+Test script to verify API key enforcement without environment variables
+"""
+
+import os
+import sys
+
+# Remove any existing API key environment variable
+if 'A1D_API_KEY' in os.environ:
+    del os.environ['A1D_API_KEY']
+
+# Import after removing environment variable
+from app import remove_bg_wrapper
+
+def test_no_api_key():
+    """Test that API key is required when not provided"""
+    try:
+        result = remove_bg_wrapper("https://example.com/test.jpg")
+        print(f"❌ FAILED: Function should have failed but returned: {result}")
+        return False
+    except Exception as e:
+        print(f"✅ SUCCESS: Function correctly failed with error: {str(e)}")
+        return True
+
+if __name__ == "__main__":
+    print("🧪 Testing API key enforcement...")
+    print("=" * 50)
+    
+    # Check environment
+    print(f"A1D_API_KEY in environment: {'A1D_API_KEY' in os.environ}")
+    print(f"SPACE_ID in environment: {'SPACE_ID' in os.environ}")
+    
+    # Run test
+    success = test_no_api_key()
+    
+    print("=" * 50)
+    if success:
+        print("✅ Test PASSED: API key enforcement is working")
+        sys.exit(0)
+    else:
+        print("❌ Test FAILED: API key enforcement is NOT working")
+        sys.exit(1)