rianvdm
diff --git a/‎README.md‎
Lines changed: 93 additions & 85 deletions b/‎README.md‎
Lines changed: 93 additions & 85 deletions
diff --git a/‎src/auth/oauth-handler.ts‎
Lines changed: 36 additions & 0 deletions b/‎src/auth/oauth-handler.ts‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/index-oauth.ts‎
Lines changed: 32 additions & 0 deletions b/‎src/index-oauth.ts‎
Lines changed: 32 additions & 0 deletions
@@ -18,59 +18,110 @@ A powerful **Model Context Protocol (MCP) server** that enables AI assistants to
 - ⚡ **Edge Computing**: Global low-latency responses via Cloudflare Workers
 - 🗂️ **Smart Caching**: Intelligent KV-based caching for optimal performance
 
-## 🚀 Quick Start
+## ⚠️ This Is Not a Shared Service
 
-### Claude Desktop
+**`discogs-mcp.com` is the maintainer's private instance.** It's locked to a single Discogs account and will return a 403 for anyone else.
 
-1. Open Claude Desktop → **Settings** → **Integrations**
-2. Click **Add Integration**
-3. Enter the URL:
-   ```
-   https://discogs-mcp.com/mcp
-   ```
-4. Click **Add** - authenticate with Discogs when prompted
+Why? The Discogs API rate limit (60 requests per minute, per registered app) is too tight to share across users. One active collection query from a single user can saturate it. Rather than run a broken multi-tenant service, **each user deploys their own Worker with their own Discogs API credentials**.
 
-### Claude Code
+The good news: deploying your own copy is straightforward, runs on the Cloudflare Workers free tier, and takes about 10 minutes. See [Self-Hosting](#-self-hosting) below.
+
+## 🚀 Self-Hosting
+
+### Prerequisites
+
+- Node.js 18+
+- Cloudflare account (free tier is fine)
+- Discogs account with a [registered developer app](https://www.discogs.com/settings/developers) (you'll need a **Consumer Key** and **Consumer Secret**)
+
+### 1. Clone and install
 
 ```bash
-claude mcp add --transport http discogs https://discogs-mcp.com/mcp
+git clone https://github.com/rianvdm/discogs-mcp.git
+cd discogs-mcp
+npm install
 ```
 
-### Windsurf
+### 2. Create KV namespaces
 
-Add to your Windsurf MCP config (`~/.codeium/windsurf/mcp_config.json`):
+```bash
+wrangler kv namespace create MCP_SESSIONS --env production
+wrangler kv namespace create MCP_LOGS --env production
+wrangler kv namespace create OAUTH_KV --env production
+```
 
-```json
-{
-	"mcpServers": {
-		"discogs": {
-			"serverUrl": "https://discogs-mcp.com/mcp"
-		}
-	}
-}
+Copy the returned IDs into `wrangler.toml` under `[env.production]`.
+
+### 3. Set your Discogs credentials
+
+```bash
+wrangler secret put DISCOGS_CONSUMER_KEY --env production
+wrangler secret put DISCOGS_CONSUMER_SECRET --env production
+wrangler secret put JWT_SECRET --env production   # any random string
 ```
 
-### MCP Inspector (Testing)
+### 4. (Optional but recommended) Lock your instance to your own Discogs user
+
+By default, anyone with a Discogs account who discovers your Worker URL can authenticate and consume your rate-limit budget. To restrict it to just you, set `ALLOWED_DISCOGS_USER_ID` in `wrangler.toml` under `[env.production.vars]` to your numeric Discogs user ID:
+
+```toml
+[env.production.vars]
+ALLOWED_DISCOGS_USER_ID = "123456"
+```
+
+You can find your numeric ID by visiting `https://api.discogs.com/users/<your-username>` and looking at the `id` field. Leave the value empty to run an open instance.
+
+### 5. Deploy
+
+```bash
+npm run deploy:prod
+```
+
+Your Worker URL will be something like `https://discogs-mcp.<your-subdomain>.workers.dev`. The MCP endpoint is `/mcp`.
+
+### 6. Connect your MCP client
+
+Replace `https://your-worker.workers.dev` below with your own URL.
+
+**Claude Desktop** — Settings → Integrations → Add Integration → `https://your-worker.workers.dev/mcp`
+
+**Claude Code**:
 
 ```bash
-npx @modelcontextprotocol/inspector https://discogs-mcp.com/mcp
+claude mcp add --transport http discogs https://your-worker.workers.dev/mcp
 ```
 
-### Other MCP Clients
+**Windsurf** (`~/.codeium/windsurf/mcp_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "discogs": {
+      "serverUrl": "https://your-worker.workers.dev/mcp"
+    }
+  }
+}
+```
 
 **Continue.dev / Zed / Generic:**
 
 ```json
 {
-	"mcpServers": {
-		"discogs": {
-			"command": "npx",
-			"args": ["-y", "mcp-remote", "https://discogs-mcp.com/mcp"]
-		}
-	}
+  "mcpServers": {
+    "discogs": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "https://your-worker.workers.dev/mcp"]
+    }
+  }
 }
 ```
 
+**MCP Inspector (testing)**:
+
+```bash
+npx @modelcontextprotocol/inspector https://your-worker.workers.dev/mcp
+```
+
 ## 🔐 Authentication
 
 This server uses **MCP OAuth 2.1** with Discogs as the identity provider. When you connect for the first time:
@@ -110,65 +161,22 @@ discogs://release/{id}           # Specific release details
 discogs://search?q={query}       # Search results
 ```
 
-## 🏗️ Development
-
-### Prerequisites
-
-- Node.js 18+
-- Cloudflare account
-- Discogs Developer Account (for API keys)
-
-### Local Setup
-
-1. **Clone and install**:
-
-   ```bash
-   git clone https://github.com/rianvdm/discogs-mcp.git
-   cd discogs-mcp
-   npm install
-   ```
-
-2. **Configure environment**:
-
-   ```bash
-   # Set your Discogs API credentials as Wrangler secrets
-   wrangler secret put DISCOGS_CONSUMER_KEY
-   wrangler secret put DISCOGS_CONSUMER_SECRET
-   ```
-
-3. **Start development server**:
+## 🏗️ Local Development
 
-   ```bash
-   npm run dev
-   ```
-
-4. **Test with MCP Inspector**:
-   ```bash
-   npx @modelcontextprotocol/inspector http://localhost:8787/mcp
-   ```
-
-## 🚀 Deployment
-
-1. **Create KV namespaces** and add their IDs to `wrangler.toml` under `[env.production]`:
-
-   ```bash
-   wrangler kv namespace create MCP_SESSIONS --env production
-   wrangler kv namespace create MCP_LOGS --env production
-   wrangler kv namespace create MCP_RL --env production
-   wrangler kv namespace create OAUTH_KV --env production
-   ```
+```bash
+# Set dev secrets (same Discogs app is fine for dev)
+wrangler secret put DISCOGS_CONSUMER_KEY
+wrangler secret put DISCOGS_CONSUMER_SECRET
+wrangler secret put JWT_SECRET
 
-2. **Set production secrets**:
+# Run the Worker locally
+npm run dev
 
-   ```bash
-   wrangler secret put DISCOGS_CONSUMER_KEY --env production
-   wrangler secret put DISCOGS_CONSUMER_SECRET --env production
-   ```
+# Test with MCP Inspector
+npx @modelcontextprotocol/inspector http://localhost:8787/mcp
+```
 
-3. **Deploy**:
-   ```bash
-   npm run deploy:prod
-   ```
+The default `[vars]` block in `wrangler.toml` leaves `ALLOWED_DISCOGS_USER_ID` empty, so local dev is open to any Discogs account — convenient for testing.
 
 ## 🧪 Testing
 
 
@@ -21,6 +21,33 @@ export interface DiscogsUserProps {
   accessTokenSecret: string
 }
 
+/**
+ * If ALLOWED_DISCOGS_USER_ID is set (non-empty), verify that the authenticated
+ * Discogs identity matches. Returns a 403 response for unauthorized users, or
+ * null to proceed. Empty/unset = open instance (default for self-hosters).
+ */
+export function checkAllowlist(
+  identity: { id: number; username: string },
+  allowedIdRaw: string | undefined,
+): Response | null {
+  const allowedId = allowedIdRaw?.trim()
+  if (!allowedId) return null
+  if (String(identity.id) === allowedId) return null
+
+  console.warn(
+    `[AUTH] Rejected unauthorized user: ${identity.username} (${identity.id})`,
+  )
+  return new Response(
+    `<!DOCTYPE html><html><head><title>Access Restricted</title><meta name="viewport" content="width=device-width, initial-scale=1.0"><style>body{font-family:system-ui,-apple-system,sans-serif;max-width:36rem;margin:4rem auto;padding:0 1.5rem;line-height:1.6;color:#222}h1{color:#b00020}a{color:#0366d6}</style></head><body>
+       <h1>Access Restricted</h1>
+       <p>This Discogs MCP instance is private and locked to a single Discogs user. Discogs API rate limits are too strict to share across users, so each person needs to run their own deployment.</p>
+       <p>Good news: it's open source and easy to self-host on Cloudflare Workers (free tier works fine).</p>
+       <p><strong><a href="https://github.com/rianvdm/discogs-mcp#self-hosting">Self-hosting instructions →</a></strong></p>
+     </body></html>`,
+    { status: 403, headers: { 'Content-Type': 'text/html; charset=utf-8' } },
+  )
+}
+
 /**
  * DefaultHandler for @cloudflare/workers-oauth-provider.
  * Only handles auth-related routes. Static routes (/, /health, etc.) are
@@ -139,6 +166,11 @@ async function handleDiscogsCallback(request: Request, env: OAuthEnv): Promise<R
     }
 
     const identity = await identityRes.json() as { id: number; username: string }
+
+    // Allowlist gate (set on maintainer's deployment; empty = open)
+    const denied = checkAllowlist(identity, env.ALLOWED_DISCOGS_USER_ID)
+    if (denied) return denied
+
     const userProps: DiscogsUserProps = {
       numericId: String(identity.id),
       username: identity.username,
@@ -293,6 +325,10 @@ async function handleManualCallback(request: Request, env: OAuthEnv): Promise<Re
 
     const identity = await identityRes.json() as { id: number; username: string }
 
+    // Allowlist gate (set on maintainer's deployment; empty = open)
+    const denied = checkAllowlist(identity, env.ALLOWED_DISCOGS_USER_ID)
+    if (denied) return denied
+
     // Store session in KV (7 days)
     const expiresAt = Date.now() + 7 * 24 * 60 * 60 * 1000
     await env.MCP_SESSIONS.put(
 
@@ -17,6 +17,29 @@ const SERVER_VERSION = '1.0.0'
 // PKCE + standard MCP session TTL (7 days)
 const ACCESS_TOKEN_TTL = 7 * 24 * 60 * 60
 
+/**
+ * Enforce ALLOWED_DISCOGS_USER_ID on authenticated MCP requests.
+ * Primary gate is at the OAuth callback, but we also check here so that any
+ * pre-existing grants/sessions issued before the allowlist was set are
+ * invalidated on their next request.
+ */
+function isAllowedUser(numericId: string | undefined, env: Env): boolean {
+  const allowed = env.ALLOWED_DISCOGS_USER_ID?.trim()
+  if (!allowed) return true
+  return numericId === allowed
+}
+
+function accessDeniedResponse(): Response {
+  return new Response(
+    JSON.stringify({
+      error: 'access_denied',
+      error_description:
+        'This Discogs MCP instance is private. Self-host your own: https://github.com/rianvdm/discogs-mcp#self-hosting',
+    }),
+    { status: 403, headers: { 'Content-Type': 'application/json' } },
+  )
+}
+
 /**
  * OAuth provider instance — handles all OAuth 2.1 endpoints automatically:
  * - /.well-known/oauth-authorization-server (discovery)
@@ -36,6 +59,9 @@ const oauthProvider = new OAuthProvider({
       const { server, setContext } = createMcpServer(env, baseUrl)
 
       const props = (ctx as unknown as { props?: DiscogsUserProps }).props
+      if (props && !isAllowedUser(props.numericId, env)) {
+        return accessDeniedResponse()
+      }
       if (props?.username && props?.accessToken) {
         setContext({
           session: {
@@ -84,6 +110,12 @@ async function handleSessionBasedMcp(
 
   const sessionData = JSON.parse(sessionDataStr)
 
+  if (!isAllowedUser(sessionData.numericId, env)) {
+    // Delete the stale unauthorized session so retry fails cleanly with 401
+    await env.MCP_SESSIONS.delete(`session:${sessionId}`)
+    return accessDeniedResponse()
+  }
+
   if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
     return new Response(JSON.stringify({ error: 'session_expired' }), {
       status: 401,