Kaltura MCP Server

# Secure .env File Management - QUICKWIN ✅ COMPLETED **Complexity**: Very Low **Impact**: High - Improves security for stdio MCP server **Time Estimate**: 15 minutes (Actual: ~30 minutes) **Dependencies**: None **Status**: ✅ **COMPLETED** - Implementation finished and tested ## Problem Currently, Kaltura credentials are stored in plaintext in Claude Desktop's config file, which creates security risks: - Config files may be backed up or shared accidentally - File permissions are often too permissive - Risk of credentials being committed to version control - No audit trail for credential usage ## Solution Use a simple `.env` file in the MCP server directory: - Store credentials in `.env` file with restrictive permissions (600) - Use the standard `.env` pattern that's already supported - Provide clear setup instructions - Keep the existing OAuth flow for the remote SSE server (already secure) ## Implementation Steps ### 1. Create .env.example Template (5 minutes) **File: `.env.example`** ```bash # Kaltura MCP Server Configuration # Copy this file to .env and fill in your actual credentials # Remember to set secure permissions: chmod 600 .env # Required: Your Kaltura API credentials KALTURA_SERVICE_URL=https://cdnapisec.kaltura.com KALTURA_PARTNER_ID=your_partner_id_here KALTURA_ADMIN_SECRET=your_admin_secret_here KALTURA_USER_ID=your_email@domain.com # Optional: Session configuration KALTURA_SESSION_EXPIRY=86400 ``` ### 2. Update .gitignore (1 minute) **File: `.gitignore` (add if not exists)** ``` # Environment variables .env .env.local .env.*.local # Python __pycache__/ *.py[cod] *$py.class *.so .Python build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ lib/ lib64/ parts/ sdist/ var/ wheels/ *.egg-info/ .installed.cfg *.egg # Virtual environments venv/ env/ ENV/ # IDE .vscode/ .idea/ *.swp *.swo ``` ### 3. Update Server to Load from .env (5 minutes) **File: `src/kaltura_mcp/server.py` (update imports and initialization)** ```python import os import sys import logging import asyncio import traceback from pathlib import Path from dotenv import load_dotenv # Add at the top of the file, before other imports # Load .env file from the MCP server directory server_dir = Path(__file__).parent.parent.parent env_file = server_dir / '.env' if env_file.exists(): load_dotenv(env_file) logger.info(f"Loaded environment from: {env_file}") else: # Try loading from current working directory as fallback load_dotenv() # Rest of imports... from .config import load_config from .kaltura_client import KalturaClientManager ``` ### 4. Create Setup Script (4 minutes) **File: `setup_env.py` (in project root)** ```python #!/usr/bin/env python3 """Simple script to help setup .env file for Kaltura MCP Server.""" import os import stat import getpass from pathlib import Path def main(): print("🔐 Kaltura MCP Server - Environment Setup") print("=========================================") print() env_file = Path('.env') if env_file.exists(): response = input(f".env file already exists. Overwrite? (y/N): ").strip().lower() if response != 'y': print("Setup cancelled.") return print("Please enter your Kaltura credentials:") print("(Find these in Kaltura KMC → Settings → Integration Settings)") print() # Get credentials service_url = input("Service URL [https://cdnapisec.kaltura.com]: ").strip() if not service_url: service_url = "https://cdnapisec.kaltura.com" partner_id = input("Partner ID: ").strip() admin_secret = getpass.getpass("Admin Secret (hidden): ").strip() user_id = input("User ID (usually your email): ").strip() session_expiry = input("Session expiry in seconds [86400]: ").strip() if not session_expiry: session_expiry = "86400" # Validate input if not all([partner_id, admin_secret, user_id]): print("❌ All fields are required!") return if not partner_id.isdigit(): print("❌ Partner ID must be a number!") return # Create .env content env_content = f"""# Kaltura MCP Server Configuration # This file contains sensitive credentials - keep it secure! KALTURA_SERVICE_URL={service_url} KALTURA_PARTNER_ID={partner_id} KALTURA_ADMIN_SECRET={admin_secret} KALTURA_USER_ID={user_id} KALTURA_SESSION_EXPIRY={session_expiry} """ # Write .env file with open(env_file, 'w') as f: f.write(env_content) # Set secure permissions (600 - owner read/write only) env_file.chmod(0o600) print() print("✅ Environment file created successfully!") print(f"📁 Location: {env_file.absolute()}") print(f"🔒 Permissions: {oct(env_file.stat().st_mode)[-3:]}") print() print("Next steps:") print("1. Update your Claude Desktop configuration:") print() print(' {') print(' "mcpServers": {') print(' "kaltura": {') print(f' "command": "python",') print(f' "args": ["-m", "kaltura_mcp.server"],') print(f' "cwd": "{Path.cwd()}"') print(' }') print(' }') print(' }') print() print("2. Restart Claude Desktop") print("3. Test with: 'Search for recent Kaltura videos'") if __name__ == "__main__": main() ``` ## Updated Claude Desktop Configuration ### Secure Configuration (No Credentials in Config) ```json { "mcpServers": { "kaltura": { "command": "python", "args": ["-m", "kaltura_mcp.server"], "cwd": "/path/to/your/kaltura-mcp-project" } } } ``` ### Setup Instructions ```bash # 1. Clone/navigate to your MCP server directory cd /path/to/kaltura-mcp # 2. Copy example environment file cp .env.example .env # 3. Edit .env with your credentials (or use setup script) python setup_env.py # 4. Verify file permissions ls -la .env # Should show: -rw------- (600 permissions) # 5. Update Claude Desktop config with correct cwd path # 6. Restart Claude Desktop ``` ### Manual .env Setup ```bash # Copy template and edit cp .env.example .env nano .env # or your preferred editor # Set secure permissions chmod 600 .env ``` ## Security Benefits - ✅ **Standard .env pattern** (familiar to developers) - ✅ **Restricted file permissions** (600 - owner only) - ✅ **Git-ignored by default** (won't be committed) - ✅ **Local to project directory** (easy to manage) - ✅ **Interactive setup script** (credentials not in command history) - ✅ **Clear error messages** when credentials are missing - ✅ **No impact on remote OAuth flow** (already secure) ## Files Created - `.env.example` (template) - `.gitignore` (if not exists) - `setup_env.py` (interactive setup) ## Files Modified - `src/kaltura_mcp/server.py` (load .env from project directory) ## Deployment Modes Summary 1. **Stdio (Local)**: `.env` file in project directory with 600 permissions 2. **Remote (SSE)**: OAuth authentication (already implemented) 3. **Development**: Same `.env` pattern works for all use cases --- ## ✅ IMPLEMENTATION COMPLETED ### What Was Built: - ✅ `.env.stdio.example` - Template for local stdio mode - ✅ `.env.remote.example` - Template for remote HTTP/SSE mode - ✅ Updated `.gitignore` - Comprehensive .env file protection - ✅ Enhanced `server.py` - Automatic .env loading from project directory - ✅ Interactive `setup_env.py` - Guided configuration with auto-detection - ✅ Updated `README.md` - Complete setup and troubleshooting docs ### Key Features: - **Secure File Permissions**: Automatic 600 permissions (owner read/write only) - **Git Protection**: All .env variants added to .gitignore - **Auto-Detection**: Setup script finds correct command paths automatically - **Mode-Specific**: Separate configurations for stdio vs remote deployment - **User-Friendly**: Interactive setup with clear Claude Desktop config output ### Tested Configuration: ```json { "mcpServers": { "kaltura": { "command": "/Users/ZoharBabinM3/.pyenv/shims/kaltura-mcp" } } } ``` This implementation significantly improves security by moving credentials out of Claude Desktop config files into secure, git-ignored .env files with proper permissions.