b3nw/monarch-mcp-custom
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a229537599fe2eb4a9815f50211eeb1c8086b254
monarch-mcp-custom/PLAN.md
Ben 6fc09d956f
All checks were successful
Build and Push Monarch MCP Docker Image / build (push) Successful in 8s
Details
feat: add automatic re-authentication with MFA support 
Implement automatic token refresh using stored credentials and TOTP MFA secret. When an API call fails with a 401/unauthorized error, the system now transparently re-authenticates using MONARCH_EMAIL, MONARCH_PASSWORD, and MONARCH_MFA_SECRET, then retries the original request.

Changes:
- Add refresh_authentication() function in auth.py for credential-based login
- Create @retry_on_auth_error decorator to handle and retry failed auth calls
- Apply decorator to all MCP tools (get_accounts, get_transactions, etc.)
- Add MONARCH_MFA_SECRET to .env.example with documentation
- Update login_setup.py to instruct users about required env vars
- Replace PROBLEM.md with PLAN.md documenting the implementation
2025-12-24 15:45:43 +00:00

42 lines
2.0 KiB
Markdown
Raw Blame History

# Implementation Plan: Automatic Re-authentication with MFA
## Problem
The Monarch Money API token expires periodically. Currently, there is no automatic refresh mechanism, causing the MCP server to fail until manually re-authenticated.
## Objective
Implement automatic re-authentication functionality that detects expired tokens and transparently re-authenticates using stored credentials and an MFA secret (TOTP).
## Proposed Solution
Use `pyotp` to generate MFA codes programmatically and wrap API calls with retry logic that handles authentication failures.
## Prerequisites
- `pyotp` library (Installed)
- User needs to add `MONARCH_MFA_SECRET` to their environment variables.
## Implementation Steps
### 1. Update `auth.py`
- Add logic to handle re-authentication using `pyotp`.
- Implement a `login_with_mfa()` function that:
- Uses `MONARCH_EMAIL` and `MONARCH_PASSWORD`.
- Uses `MONARCH_MFA_SECRET` with `pyotp` to generate a TOTP code if MFA is requested.
- Updates the active client session.
### 2. Create Re-authentication Decorator/Wrapper
- Create a Python decorator (e.g., `@retry_on_auth_error`) in `auth.py` or a new utility module.
- This decorator will:
1. Execute the decorated function (API call).
2. Catch specific exceptions indicating authentication failure (e.g., `LoginFailedException`, `RequestFailedException` with 401/403 status).
3. Call the re-authentication logic.
4. Retry the original function.
### 3. Apply Wrapper in `server.py`
- Apply the decorator to the MCP tool implementations (`get_accounts`, `get_transactions`, etc.) or wrap the client calls to ensure they auto-recover from expired tokens.
### 4. Update `login_setup.py`
- Modify the setup script to display the MFA Secret (seed) to the user during the initial login process.
- Instruct the user to save this as `MONARCH_MFA_SECRET` in their `.env` file alongside `MONARCH_TOKEN`.
## Verification
- Test by simulating an expired token and verifying that the system automatically logs in using the MFA secret and completes the request.
Reference in New Issue View Git Blame Copy Permalink