feat: add automatic re-authentication with MFA support

Implement automatic token refresh using stored credentials and TOTP MFA secret. When an API call fails with a 401/unauthorized error, the system now transparently re-authenticates using MONARCH_EMAIL, MONARCH_PASSWORD, and MONARCH_MFA_SECRET, then retries the original request. Changes: - Add refresh_authentication() function in auth.py for credential-based login - Create @retry_on_auth_error decorator to handle and retry failed auth calls - Apply decorator to all MCP tools (get_accounts, get_transactions, etc.) - Add MONARCH_MFA_SECRET to .env.example with documentation - Update login_setup.py to instruct users about required env vars - Replace PROBLEM.md with PLAN.md documenting the implementation
2025-12-24 15:45:43 +00:00
parent 27ef7f0e1e
commit 6fc09d956f
6 changed files with 153 additions and 65 deletions
--- a/.env.example
+++ b/.env.example
@@ -2,10 +2,15 @@
 # You can use MONARCH_TOKEN (recommended) OR Email/Password
 MONARCH_TOKEN=
-# Fallback credentials
+# Credentials for automatic re-authentication (required for token refresh)
 MONARCH_EMAIL=
 MONARCH_PASSWORD=
 # MFA Secret for TOTP-based re-authentication
 # This is the secret you saved when you first set up 2FA for Monarch Money
 # Required if you have MFA enabled on your Monarch account
 MONARCH_MFA_SECRET=
 # Server Configuration
 PORT=8000
 MONARCH_PORT=8070
--- a/PLAN.md
+++ b/PLAN.md
@@ -0,0 +1,41 @@
 # Implementation Plan: Automatic Re-authentication with MFA
 ## Problem
 The Monarch Money API token expires periodically. Currently, there is no automatic refresh mechanism, causing the MCP server to fail until manually re-authenticated.
 ## Objective
 Implement automatic re-authentication functionality that detects expired tokens and transparently re-authenticates using stored credentials and an MFA secret (TOTP).
 ## Proposed Solution
 Use `pyotp` to generate MFA codes programmatically and wrap API calls with retry logic that handles authentication failures.
 ## Prerequisites
 - `pyotp` library (Installed)
 - User needs to add `MONARCH_MFA_SECRET` to their environment variables.
 ## Implementation Steps
 ### 1. Update `auth.py`
 - Add logic to handle re-authentication using `pyotp`.
 - Implement a `login_with_mfa()` function that:
    - Uses `MONARCH_EMAIL` and `MONARCH_PASSWORD`.
    - Uses `MONARCH_MFA_SECRET` with `pyotp` to generate a TOTP code if MFA is requested.
    - Updates the active client session.
 ### 2. Create Re-authentication Decorator/Wrapper
 - Create a Python decorator (e.g., `@retry_on_auth_error`) in `auth.py` or a new utility module.
 - This decorator will:
    1. Execute the decorated function (API call).
    2. Catch specific exceptions indicating authentication failure (e.g., `LoginFailedException`, `RequestFailedException` with 401/403 status).
    3. Call the re-authentication logic.
    4. Retry the original function.
 ### 3. Apply Wrapper in `server.py`
 - Apply the decorator to the MCP tool implementations (`get_accounts`, `get_transactions`, etc.) or wrap the client calls to ensure they auto-recover from expired tokens.
 ### 4. Update `login_setup.py`
 - Modify the setup script to display the MFA Secret (seed) to the user during the initial login process.
 - Instruct the user to save this as `MONARCH_MFA_SECRET` in their `.env` file alongside `MONARCH_TOKEN`.
 ## Verification
 - Test by simulating an expired token and verifying that the system automatically logs in using the MFA secret and completes the request.
--- a/PROBLEM.md
+++ b/PROBLEM.md
@@ -1,45 +0,0 @@
 # PROBLEM: Monarch MCP Server SSE Routing and Handshake Failures
 ## Issue Description
 The Monarch MCP server, implemented using `FastMCP` and `Starlette`, is experiencing persistent `404 Not Found`, `TypeError`, or `400 Bad Request` errors when AI agent clients attempt to establish an SSE connection at `http://docker.local.ben.io:8070/mcp`. While the `/health` endpoint is functioning correctly, the MCP handshake fails to complete or routes to non-existent endpoints.
 ## Root Cause Analysis (Suspected)
 The primary issue stems from the complexity of mounting a `FastMCP` HTTP application within a `Starlette` wrapper. 
 1. **Endpoint Overlap:** `FastMCP.http_app()` generates its own internal routing (e.g., `/mcp` or `/sse`). When this app is mounted at `/mcp` in a parent `Starlette` app, the resulting path becomes `/mcp/mcp`, leading to `404` errors on the expected `/mcp` path.
 2. **ASGI Signature Mismatches:** Manual attempts to bridge the `SseServerTransport` with Starlette routes led to `TypeError: 'NoneType' object is not callable` or missing positional arguments (`receive`, `send`), indicating that the custom endpoint wrappers were not correctly following the ASGI/Starlette interface.
 3. **Transport Defaults:** `FastMCP` default transport ("streamable-http") expects specific headers and session IDs that differ from standard MCP SSE implementations, causing `400 Bad Request: Missing session ID` when using generic tools like `curl`.
 ## Troubleshooting Steps Taken
 1. **Refactored Auth:** Removed `keyring` from the Docker runtime to prevent headless environment crashes; moved to `MONARCH_TOKEN` environment variable.
 2. **Infrastructure Validation:** Verified port `8070` is unique on the `local.ben.io` server.
 3. **Internal Logic Debugging:**
   - Attempted mounting `FastMCP` at root (`/`) and sub-paths (`/mcp`).
   - Inspected `FastMCP` source code to identify internal attributes (`_mcp_server`, `_lifespan`).
   - Switched from manual `SseServerTransport` handling to `mcp.http_app()`.
 4. **Endpoint Verification:** 
   - Confirmed `/health` returns `200 OK`.
   - Tested `/mcp` with `Accept: text/event-stream`, which yielded `400 Bad Request` or `406 Not Acceptable` depending on the mount point.
 5. **Session Exploration:** Investigated OpenCode session storage (`~/.local/share/opencode/storage/session/`) to understand how clients identify and connect to projects.
 ## Current State
 The server is running in a Komodo stack, healthy on port `8070`, and visible at `https://monarch-mcp.ext.ben.io`. However, the handshake remains broken. 
 ## Resolution (Applied)
 The fix was to match the working pattern from `komodo-mcp-custom`:
 ```python
 def create_app():
    mcp_app = mcp.http_app()
    routes = [
        Route("/health", health, methods=["GET"]),
        Mount("/", app=mcp_app),  # MCP handles /mcp endpoint internally
    ]
    return Starlette(routes=routes, lifespan=mcp_app.lifespan)
 app = create_app()
 ```
 Key changes:
 1. **Mount at root:** `Mount("/", app=mcp_app)` lets FastMCP handle `/mcp` internally
 2. **Pass lifespan:** `lifespan=mcp_app.lifespan` ensures proper task group initialization
 3. **Separate health route:** `/health` is a standalone route in the parent Starlette app
--- a/login_setup.py
+++ b/login_setup.py
@@ -5,7 +5,6 @@ Saves session securely and provides the token for Docker environment.
 """
 import asyncio
 import os
 import getpass
 import sys
 from pathlib import Path
@@ -53,6 +52,21 @@ async def main():
            # Also save to local keyring for convenience
            save_token(token)
            print("\n✅ Token also saved to local system keyring.")
            print("\n" + "=" * 50)
            print("📝 IMPORTANT: For automatic re-authentication")
            print("=" * 50)
            print("\nIf you have MFA enabled on your Monarch account,")
            print("add your MONARCH_MFA_SECRET to your .env file:")
            print("\n  MONARCH_MFA_SECRET=your_totp_secret_here")
            print("\nYou should have saved this secret when you first")
            print("set up Google Authenticator/Authy for Monarch Money.")
            print("\nThis allows the MCP server to automatically re-authenticate")
            print("when your token expires.")
            print("\nYou also need to add your credentials:")
            print("  MONARCH_EMAIL=your_email@example.com")
            print("  MONARCH_PASSWORD=your_password")
            print("=" * 50)
        else:
            print("❌ Failed to retrieve token from MonarchMoney instance.")
--- a/src/monarch_mcp_custom/auth.py
+++ b/src/monarch_mcp_custom/auth.py
@@ -6,10 +6,14 @@ Prioritizes environment variables for Docker compatibility.
 import os
 import logging
 from typing import Optional
-from monarchmoney import MonarchMoney
+from functools import wraps
 from monarchmoney import MonarchMoney, LoginFailedException, RequestFailedException
 import pyotp
 logger = logging.getLogger(__name__)
 _client_instance: Optional[MonarchMoney] = None
 def load_token() -> Optional[str]:
    """
@@ -43,28 +47,93 @@ async def get_authenticated_client() -> MonarchMoney:
    Returns an authenticated MonarchMoney client.
    Raises RuntimeError if no authentication is found.
    """
    global _client_instance
    if _client_instance:
        return _client_instance
    token = load_token()
    if token:
        try:
-            # The monarchmoney library supports passing the token directly
+            _client_instance = MonarchMoney(token=token)
-            return MonarchMoney(token=token)
+            return _client_instance
        except Exception as e:
            logger.error(f"❌ Failed to initialize MonarchMoney with token: {e}")
            raise
    # Fallback to email/password if token is missing (only if both are present)
    email = os.getenv("MONARCH_EMAIL")
    password = os.getenv("MONARCH_PASSWORD")
    if email and password:
        try:
            mm = MonarchMoney()
            await mm.login(email, password)
            logger.info("✅ Logged in using email/password credentials")
            return mm
        except Exception as e:
            logger.error(f"❌ Login failed: {e}")
            raise
    raise RuntimeError(
        "🔐 Authentication required. Please provide MONARCH_TOKEN or run login_setup.py"
    )
 async def refresh_authentication() -> MonarchMoney:
    """
    Re-authenticate using stored credentials and MFA secret.
    Returns a new authenticated client instance.
    """
    global _client_instance
    email = os.getenv("MONARCH_EMAIL")
    password = os.getenv("MONARCH_PASSWORD")
    mfa_secret = os.getenv("MONARCH_MFA_SECRET")
    if not email or not password:
        raise RuntimeError(
            "MONARCH_EMAIL and MONARCH_PASSWORD are required for re-authentication"
        )
    mm = MonarchMoney()
    try:
        await mm.login(email, password, mfa_secret_key=mfa_secret, save_session=False)
        logger.info("✅ Re-authentication successful")
        _client_instance = mm
        return mm
    except Exception as e:
        logger.error(f"❌ Re-authentication failed: {e}")
        raise
 def generate_totp_secret_and_uri(email: str, issuer_name: str) -> tuple[str, str]:
    """
    Generates a TOTP secret and its provisioning URI for a given email and issuer.
    """
    secret = pyotp.random_base32()
    totp = pyotp.TOTP(secret)
    provisioning_uri = totp.provisioning_uri(name=email, issuer_name=issuer_name)
    return secret, provisioning_uri
 def retry_on_auth_error(max_retries: int = 1):
    """
    Decorator to retry functions on authentication failures.
    Catches RequestFailedException and re-authenticates before retrying.
    """
    def decorator(func):
        @wraps(func)
        async def wrapper(*args, **kwargs):
            for attempt in range(max_retries + 1):
                try:
                    return await func(*args, **kwargs)
                except (RequestFailedException, LoginFailedException, Exception) as e:
                    error_str = str(e).lower()
                    is_auth_error = (
                        "401" in error_str
                        or "unauthorized" in error_str
                        or "authentication" in error_str
                        or isinstance(e, (RequestFailedException, LoginFailedException))
                    )
                    if is_auth_error and attempt < max_retries:
                        logger.warning(
                            f"⚠️  Authentication failure detected (attempt {attempt + 1}/{max_retries + 1}), re-authenticating..."
                        )
                        await refresh_authentication()
                        continue
                    else:
                        raise
        return wrapper
    return decorator
--- a/src/monarch_mcp_custom/server.py
+++ b/src/monarch_mcp_custom/server.py
@@ -2,7 +2,6 @@
 Monarch Money MCP Server - Custom SSE Implementation.
 """
 import os
 import logging
 import json
 from typing import Optional, Any
@@ -13,7 +12,7 @@ from starlette.applications import Starlette
 from starlette.responses import JSONResponse
 from starlette.routing import Route, Mount
-from monarch_mcp_custom.auth import get_authenticated_client
+from monarch_mcp_custom.auth import get_authenticated_client, retry_on_auth_error
 # Load environment variables
 load_dotenv()
@@ -39,6 +38,7 @@ def serialize_json(data: Any) -> str:
@mcp.tool()
@retry_on_auth_error()
 async def get_accounts(reason: Optional[str] = None) -> str:
    """Get all financial accounts from Monarch Money."""
    try:
@@ -64,6 +64,7 @@ async def get_accounts(reason: Optional[str] = None) -> str:
@mcp.tool()
@retry_on_auth_error()
 async def get_transactions(
    limit: int = 50,
    offset: int = 0,
@@ -112,6 +113,7 @@ async def get_transactions(
@mcp.tool()
@retry_on_auth_error()
 async def get_budgets(reason: Optional[str] = None) -> str:
    """Get current budget information."""
    try:
@@ -137,6 +139,7 @@ async def get_budgets(reason: Optional[str] = None) -> str:
@mcp.tool()
@retry_on_auth_error()
 async def get_account_holdings(account_id: str, reason: Optional[str] = None) -> str:
    """Get investment holdings for a specific account."""
    try:
@@ -150,6 +153,7 @@ async def get_account_holdings(account_id: str, reason: Optional[str] = None) ->
@mcp.tool()
@retry_on_auth_error()
 async def refresh_accounts(reason: Optional[str] = None) -> str:
    """Request a refresh of account data from financial institutions."""
    try: