Support per-request API keys and update staging/autopush config (#140)

Author: keyurva

deploy/autopush.yaml

@@ -58,6 +58,9 @@ steps:
         docker push gcr.io/$PROJECT_ID/datacommons-mcp-server:autopush-$(cat _version.txt)
 
   # 4. Deploy to Cloud Run
+  # NOTE: Using prod search root because autopush search root (autopush.datacommons.org) requires a Google login.
+  # The search root will completely go away once we start using the new resolve endpoint.
+  # TODO: Remove this once we start using the new resolve endpoint.
   - name: gcr.io/cloud-builders/gcloud
     entrypoint: bash
     args:
@@ -69,7 +72,10 @@ steps:
         --platform=managed \
         --no-allow-unauthenticated \
         --set-env-vars=MCP_VERSION=$(cat _version.txt) \
-        --set-secrets=DC_API_KEY=dc-api-key-for-mcp:latest \
+        --set-env-vars=DC_API_ROOT=https://autopush.api.datacommons.org/v2 \
+        --set-env-vars=DC_SEARCH_ROOT=https://datacommons.org \
+        --set-env-vars=DC_API_KEY_VALIDATION_ROOT=https://autopush.api.datacommons.org \
+        --set-secrets=DC_API_KEY=dc-autopush-api-key-for-mcp:latest \
         --service-account=datacommons-mcp-server@datcom-mixer-autopush.iam.gserviceaccount.com \
         --project=datcom-mixer-autopush
 

deploy/staging.yaml

@@ -67,7 +67,10 @@ steps:
         --platform=managed \
         --no-allow-unauthenticated \
         --set-env-vars=MCP_VERSION=$(cat _version.txt) \
-        --set-secrets=DC_API_KEY=dc-api-key-for-mcp:latest \
+        --set-env-vars=DC_API_ROOT=https://staging.api.datacommons.org/v2 \
+        --set-env-vars=DC_SEARCH_ROOT=https://staging.datacommons.org \
+        --set-env-vars=DC_API_KEY_VALIDATION_ROOT=https://staging.api.datacommons.org \
+        --set-secrets=DC_API_KEY=dc-staging-api-key-for-mcp:latest \
         --service-account=datacommons-mcp-server@datcom-mixer-staging.iam.gserviceaccount.com \
         --project=datcom-mixer-staging
 

packages/datacommons-mcp/.env.sample

@@ -44,16 +44,20 @@ DC_TYPE=base
 # DC_SEARCH_SCOPE=base_and_custom
 
 # =============================================================================
-# LOCAL ROOTS (optional, base DC only)
+# NON-PROD ROOTS (optional, base DC only)
 # =============================================================================
 
-# Use these variables to run the server against local instances
+# Use these variables to run the server against non-prod (autopush, staging) or local instances
 # of the Data Commons API and Search endpoints.
 # When using a local instance, you may also need to use the 
 # --skip-api-key-validation command-line flag if running without a DC_API_KEY.
 
-# Root URL for a local Data Commons API (mixer) instance
+# Root URL for a non-prod or local Data Commons API (mixer) instance
 # DC_API_ROOT=http://localhost:8081/v2
 
-# Root URL for a local Data Commons Search (website) instance
+# Root URL for a non-prod or local Data Commons Search (website) instance
 # DC_SEARCH_ROOT=http://localhost:8080
+
+# Root URL for Data Commons API key validation
+# Configure for non-prod environments
+# DC_API_KEY_VALIDATION_ROOT=https://api.datacommons.org

packages/datacommons-mcp/datacommons_mcp/cli.py

@@ -5,8 +5,10 @@
 import click
 from click.core import Context, Option, ParameterSource
 from dotenv import find_dotenv, load_dotenv
+from starlette.middleware import Middleware
 
 from .exceptions import APIKeyValidationError, InvalidAPIKeyError
+from .middleware import APIKeyMiddleware
 from .utils import validate_api_key
 from .version import __version__
 
@@ -59,7 +61,10 @@ def _run_api_key_validation(ctx: Context, *, skip_validation: bool) -> None:
         api_key = os.getenv("DC_API_KEY")
         if not api_key:
             raise InvalidAPIKeyError("DC_API_KEY is not set.")
-        validate_api_key(api_key)
+        validation_api_root = os.getenv(
+            "DC_API_KEY_VALIDATION_ROOT", "https://api.datacommons.org"
+        ).rstrip("/")
+        validate_api_key(api_key, validation_api_root)
     except (InvalidAPIKeyError, APIKeyValidationError) as e:
         click.echo(str(e), err=True)
         click.echo(
@@ -80,7 +85,13 @@ def _run_http_server(host: str, port: int) -> None:
     click.echo(f"Server URL: http://{host}:{port}")
     click.echo(f"Streamable HTTP endpoint: http://{host}:{port}/mcp")
     click.echo("Press CTRL+C to stop")
-    mcp.run(host=host, port=port, transport="streamable-http", stateless_http=True)
+    mcp.run(
+        host=host,
+        port=port,
+        transport="streamable-http",
+        stateless_http=True,
+        middleware=[Middleware(APIKeyMiddleware)],
+    )
 
 
 def _run_stdio_server() -> None:

packages/datacommons-mcp/datacommons_mcp/middleware.py

@@ -0,0 +1,33 @@
+import logging
+from collections.abc import Awaitable, Callable
+
+from datacommons_client import use_api_key
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.requests import Request
+from starlette.responses import Response
+
+logger = logging.getLogger(__name__)
+
+
+class APIKeyMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware to extract X-API-Key header and set it as the override API key
+    for the Data Commons client context.
+    """
+
+    async def dispatch(
+        self, request: Request, call_next: Callable[[Request], Awaitable[Response]]
+    ) -> Response:
+        api_key = request.headers.get("X-API-Key")
+        if api_key:
+            logger.debug("Received X-API-Key header, applying override.")
+            try:
+                with use_api_key(api_key):
+                    return await call_next(request)
+            except Exception as e:
+                # We log and re-raise to ensure we don't swallow application errors,
+                # but we want to know if the context manager itself failed.
+                logger.error("Error during API key override context propagation: %s", e)
+                raise
+        else:
+            return await call_next(request)

packages/datacommons-mcp/datacommons_mcp/utils.py

@@ -22,10 +22,10 @@
 
 logger = logging.getLogger(__name__)
 
-VALIDATION_API_URL = "https://api.datacommons.org/v2/node?nodes=geoId/06"
+VALIDATION_API_PATH = "/v2/node?nodes=geoId/06"
 
 
-def validate_api_key(api_key: str) -> None:
+def validate_api_key(api_key: str, validation_api_root: str) -> None:
     """
     Validates the Data Commons API key by making a simple API call.
 
@@ -36,9 +36,12 @@ def validate_api_key(api_key: str) -> None:
         InvalidAPIKeyError: If the API key is invalid or has expired.
         APIKeyValidationError: For other network-related validation errors.
     """
+    validation_api_url = f"{validation_api_root}{VALIDATION_API_PATH}"
+    logger.info("Validating API key with URL: %s", validation_api_url)
+
     try:
         response = requests.get(
-            VALIDATION_API_URL,
+            validation_api_url,
             headers={"X-API-Key": api_key},
             timeout=10,  # 10-second timeout
         )

packages/datacommons-mcp/pyproject.toml

@@ -9,7 +9,7 @@ dependencies = [
     "uvicorn",
     "fastmcp",
     "requests",
-    "datacommons-client",
+    "datacommons-client>=2.1.5",
     "pydantic>=2.11.7",
     "pydantic-settings",
     "python-dateutil>=2.9.0.post0",

packages/datacommons-mcp/tests/test_cli.py

@@ -110,6 +110,7 @@ def test_serve_http_accepts_http_options(mock_run):
             port=9090,
             transport="streamable-http",
             stateless_http=True,
+            middleware=mock.ANY,
         )
 
 
@@ -146,5 +147,5 @@ def test_cli_loads_dotenv_end_to_end(mock_validate, mock_run):
     result = runner.invoke(cli, ["serve", "http"])
     assert result.exit_code == 0
     # Verify validate_api_key was called with the key from .env
-    mock_validate.assert_called_with("generated-key")
+    mock_validate.assert_called_with("generated-key", "https://api.datacommons.org")
     mock_run.assert_called_once()

packages/datacommons-mcp/tests/test_middleware.py

@@ -0,0 +1,58 @@
+from unittest.mock import MagicMock, patch
+
+import pytest
+from datacommons_mcp.middleware import APIKeyMiddleware
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.responses import JSONResponse
+from starlette.routing import Route
+from starlette.testclient import TestClient
+
+
+async def homepage(request):  # noqa: ARG001
+    return JSONResponse({"status": "ok"})
+
+
+@pytest.fixture
+def client():
+    # Define a simple Starlette app with the middleware
+    middleware = [Middleware(APIKeyMiddleware)]
+    routes = [Route("/", homepage)]
+    app = Starlette(routes=routes, middleware=middleware)
+    return TestClient(app)
+
+
+def test_api_key_header_present(client):
+    """Verify use_api_key is called when X-API-Key header is present."""
+    with patch("datacommons_mcp.middleware.use_api_key") as mock_use_api_key:
+        # Configuration for the mock context manager
+        mock_context_manager = MagicMock()
+        mock_use_api_key.return_value.__enter__.return_value = mock_context_manager
+
+        headers = {"X-API-Key": "test-key-123"}
+        response = client.get("/", headers=headers)
+
+        assert response.status_code == 200
+        mock_use_api_key.assert_called_once_with("test-key-123")
+        # Ensure the context manager was actually entered
+        mock_use_api_key.return_value.__enter__.assert_called_once()
+        mock_use_api_key.return_value.__exit__.assert_called_once()
+
+
+def test_api_key_header_missing(client):
+    """Verify use_api_key is NOT called when X-API-Key header is missing."""
+    with patch("datacommons_mcp.middleware.use_api_key") as mock_use_api_key:
+        response = client.get("/")
+
+        assert response.status_code == 200
+        mock_use_api_key.assert_not_called()
+
+
+def test_api_key_header_empty(client):
+    """Verify use_api_key is NOT called when X-API-Key header is empty."""
+    with patch("datacommons_mcp.middleware.use_api_key") as mock_use_api_key:
+        headers = {"X-API-Key": ""}
+        response = client.get("/", headers=headers)
+
+        assert response.status_code == 200
+        mock_use_api_key.assert_not_called()

packages/datacommons-mcp/tests/test_utils.py

@@ -18,11 +18,13 @@
 from datacommons_mcp.data_models.observations import DateRange
 from datacommons_mcp.exceptions import APIKeyValidationError, InvalidAPIKeyError
 from datacommons_mcp.utils import (
-    VALIDATION_API_URL,
+    VALIDATION_API_PATH,
     filter_by_date,
     validate_api_key,
 )
 
+TEST_ROOT = "https://test.api.datacommons.org"
+
 
 class TestFilterByDate:
     @pytest.fixture
@@ -57,20 +59,23 @@ def test_empty_result(self, observations):
 
 class TestValidateAPIKey:
     def test_validate_api_key_success(self, requests_mock):
-        requests_mock.get(VALIDATION_API_URL, status_code=200)
+        url = f"{TEST_ROOT}{VALIDATION_API_PATH}"
+        requests_mock.get(url, status_code=200)
         api_key_to_test = "my-test-api-key"
-        validate_api_key(api_key_to_test)  # Should not raise an exception
+        validate_api_key(api_key_to_test, TEST_ROOT)  # Should not raise an exception
         assert requests_mock.last_request.headers["X-API-Key"] == api_key_to_test
 
     def test_validate_api_key_invalid(self, requests_mock):
-        requests_mock.get(VALIDATION_API_URL, status_code=403)
+        url = f"{TEST_ROOT}{VALIDATION_API_PATH}"
+        requests_mock.get(url, status_code=403)
         with pytest.raises(InvalidAPIKeyError):
-            validate_api_key("invalid_key")
+            validate_api_key("invalid_key", TEST_ROOT)
 
     def test_validate_api_key_network_error(self, requests_mock):
+        url = f"{TEST_ROOT}{VALIDATION_API_PATH}"
         requests_mock.get(
-            VALIDATION_API_URL,
+            url,
             exc=requests.exceptions.RequestException("Network error"),
         )
         with pytest.raises(APIKeyValidationError):
-            validate_api_key("any_key")
+            validate_api_key("any_key", TEST_ROOT)