mcp: switch HF MCP login to https://hf.co/mcp?login and accept hf.co in strict checks

gary149 · gary149 · commit cf97806ce838 · 2025-11-12T18:20:15.000+01:00
- Update examples and Helm envs to use hf.co endpoint
- Relax isStrictHfMcpLogin to allow both hf.co and huggingface.co
- Keeps functionality identical while preferring the shorter domain
diff --git a/.env b/.env
@@ -119,7 +119,7 @@ LLM_SUMMARIZATION=true # generate conversation titles with LLMs
  
 ALLOW_IFRAME=true # Allow the app to be embedded in an iframe
 
-# Base servers list (JSON array). Example: MCP_SERVERS=[{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp"}]
+# Base servers list (JSON array). Example: MCP_SERVERS=[{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp"}]
 MCP_SERVERS=
 # When true, forward the logged-in user's Hugging Face access token
 MCP_FORWARD_HF_USER_TOKEN=
diff --git a/README.md b/README.md
@@ -157,7 +157,7 @@ Configure servers (base list for all users):
 # JSON array of servers: name, url, optional headers
 MCP_SERVERS=[
   {"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"},
-  {"name": "Hugging Face MCP Login", "url": "https://huggingface.co/mcp?login"}
+  {"name": "Hugging Face MCP Login", "url": "https://hf.co/mcp?login"}
 ]
 
 # Forward the signed-in user's Hugging Face token to the official HF MCP login endpoint
diff --git a/chart/env/dev.yaml b/chart/env/dev.yaml
@@ -71,7 +71,7 @@ envVars:
   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
-    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp?login"}]
+    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"
diff --git a/chart/env/prod.yaml b/chart/env/prod.yaml
@@ -81,7 +81,7 @@ envVars:
   LLM_ROUTER_ENABLE_TOOLS: "true"
   LLM_ROUTER_TOOLS_MODEL: "moonshotai/Kimi-K2-Instruct-0905"
   MCP_SERVERS: >
-    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://huggingface.co/mcp?login"}]
+    [{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp?login"}]
   PUBLIC_LLM_ROUTER_DISPLAY_NAME: "Omni"
   PUBLIC_LLM_ROUTER_LOGO_URL: "https://cdn-uploads.huggingface.co/production/uploads/5f17f0a0925b9863e28ad517/C5V0v1xZXv6M7FXsdJH9b.png"
   PUBLIC_LLM_ROUTER_ALIAS_ID: "omni"
diff --git a/src/lib/server/mcp/hf.ts b/src/lib/server/mcp/hf.ts
@@ -4,17 +4,19 @@ export const hasAuthHeader = (h?: Record<string, string>) =>
 	!!h && Object.keys(h).some((k) => k.toLowerCase() === "authorization");
 
 export const isStrictHfMcpLogin = (urlString: string) => {
-	try {
-		const u = new URL(urlString);
-		return (
-			u.protocol === "https:" &&
-			u.hostname === "huggingface.co" &&
-			u.pathname === "/mcp" &&
-			u.search === "?login"
-		);
-	} catch {
-		return false;
-	}
+    try {
+        const u = new URL(urlString);
+        const host = u.hostname.toLowerCase();
+        const allowedHosts = new Set(["hf.co", "huggingface.co"]);
+        return (
+            u.protocol === "https:" &&
+            allowedHosts.has(host) &&
+            u.pathname === "/mcp" &&
+            u.search === "?login"
+        );
+    } catch {
+        return false;
+    }
 };
 
 export const hasNonEmptyToken = (tok: unknown): tok is string =>
diff --git a/src/lib/utils/hf.ts b/src/lib/utils/hf.ts
@@ -1,15 +1,17 @@
 // Client-safe HF utilities used in UI components
 
 export function isStrictHfMcpLogin(urlString: string): boolean {
-	try {
-		const u = new URL(urlString);
-		return (
-			u.protocol === "https:" &&
-			u.hostname === "huggingface.co" &&
-			u.pathname === "/mcp" &&
-			u.search === "?login"
-		);
-	} catch {
-		return false;
-	}
+    try {
+        const u = new URL(urlString);
+        const host = u.hostname.toLowerCase();
+        const allowedHosts = new Set(["hf.co", "huggingface.co"]);
+        return (
+            u.protocol === "https:" &&
+            allowedHosts.has(host) &&
+            u.pathname === "/mcp" &&
+            u.search === "?login"
+        );
+    } catch {
+        return false;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ Configure servers (base list for all users):`
`157`	`157`	`# JSON array of servers: name, url, optional headers`
`158`	`158`	`MCP_SERVERS=[`
`159`	`159`	`{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"},`
`160`		`- {"name": "Hugging Face MCP Login", "url": "https://huggingface.co/mcp?login"}`
	`160`	`+ {"name": "Hugging Face MCP Login", "url": "https://hf.co/mcp?login"}`
`161`	`161`	`]`
`162`	`162`
`163`	`163`	`# Forward the signed-in user's Hugging Face token to the official HF MCP login endpoint`