chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 12:37:57 +08:00
commit e30f8ba47c
533 changed files with 115926 additions and 0 deletions
+287
View File
@@ -0,0 +1,287 @@
// Package oauth provides OAuth 2.0 Protected Resource Metadata (RFC 9728) support
// for the GitHub MCP Server HTTP mode.
package oauth
import (
"fmt"
"net/http"
"strings"
"github.com/github/github-mcp-server/pkg/http/headers"
"github.com/github/github-mcp-server/pkg/utils"
"github.com/go-chi/chi/v5"
"github.com/modelcontextprotocol/go-sdk/auth"
"github.com/modelcontextprotocol/go-sdk/oauthex"
)
const (
// OAuthProtectedResourcePrefix is the well-known path prefix for OAuth protected resource metadata.
OAuthProtectedResourcePrefix = "/.well-known/oauth-protected-resource"
)
// SupportedScopes lists every OAuth scope that an MCP tool may require. It is the
// source of truth in two places: HTTP mode advertises it as scopes_supported in
// the protected-resource metadata, and stdio OAuth login requests it by default
// and then filters the exposed tools to the granted scopes. A tool whose required
// scope is absent here is therefore hidden under default OAuth even though a PAT
// carrying that scope would expose it, so keep this list in sync with tool scope
// requirements when scopes change.
var SupportedScopes = []string{
"repo",
"read:org",
"read:user",
"user:email",
"read:packages",
"write:packages",
"read:project",
"project",
"gist",
"notifications",
"workflow",
"codespace",
}
// Config holds the OAuth configuration for the MCP server.
type Config struct {
// BaseURL is the publicly accessible URL where this server is hosted.
// This is used to construct the OAuth resource URL.
BaseURL string
// AuthorizationServer is the OAuth authorization server URL.
// Defaults to GitHub's OAuth server if not specified.
AuthorizationServer string
// ResourcePath is the externally visible base path for the MCP server (e.g., "/mcp").
// This is used to restore the original path when a proxy strips a base path before forwarding.
// If empty, requests are treated as already using the external path.
ResourcePath string
// TrustProxyHeaders indicates whether X-Forwarded-Host and X-Forwarded-Proto
// should be honored when deriving the effective host and scheme for OAuth
// resource URLs. This must only be enabled when the server is deployed
// behind a trusted proxy that sets these headers; otherwise an untrusted
// client can influence the OAuth resource metadata URL advertised to MCP
// clients. When BaseURL is set, it always takes precedence and these
// headers are unused.
TrustProxyHeaders bool
}
// AuthHandler handles OAuth-related HTTP endpoints.
type AuthHandler struct {
cfg *Config
apiHost utils.APIHostResolver
}
// NewAuthHandler creates a new OAuth auth handler.
func NewAuthHandler(cfg *Config, apiHost utils.APIHostResolver) (*AuthHandler, error) {
if cfg == nil {
cfg = &Config{}
}
if apiHost == nil {
var err error
apiHost, err = utils.NewAPIHost("https://api.github.com")
if err != nil {
return nil, fmt.Errorf("failed to create default API host: %w", err)
}
}
return &AuthHandler{
cfg: cfg,
apiHost: apiHost,
}, nil
}
// routePatterns defines the route patterns for OAuth protected resource metadata.
var routePatterns = []string{
"", // Root: /.well-known/oauth-protected-resource
"/readonly", // Read-only mode
"/insiders", // Insiders mode
"/x/{toolset}",
"/x/{toolset}/readonly",
}
// RegisterRoutes registers the OAuth protected resource metadata routes.
func (h *AuthHandler) RegisterRoutes(r chi.Router) {
for _, pattern := range routePatterns {
for _, route := range h.routesForPattern(pattern) {
path := OAuthProtectedResourcePrefix + route
r.Handle(path, h.metadataHandler())
}
}
}
func (h *AuthHandler) metadataHandler() http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
resourcePath := resolveResourcePath(
strings.TrimPrefix(r.URL.Path, OAuthProtectedResourcePrefix),
h.cfg.ResourcePath,
)
resourceURL := h.buildResourceURL(r, resourcePath)
var authorizationServerURL string
if h.cfg.AuthorizationServer != "" {
authorizationServerURL = h.cfg.AuthorizationServer
} else {
authURL, err := h.apiHost.AuthorizationServerURL(ctx)
if err != nil {
http.Error(w, fmt.Sprintf("failed to resolve authorization server URL: %v", err), http.StatusInternalServerError)
return
}
authorizationServerURL = authURL.String()
}
metadata := &oauthex.ProtectedResourceMetadata{
Resource: resourceURL,
AuthorizationServers: []string{authorizationServerURL},
ResourceName: "GitHub MCP Server",
ScopesSupported: SupportedScopes,
BearerMethodsSupported: []string{"header"},
}
auth.ProtectedResourceMetadataHandler(metadata).ServeHTTP(w, r)
})
}
// routesForPattern generates route variants for a given pattern.
// GitHub strips the /mcp prefix before forwarding, so we register both variants:
// - With /mcp prefix: for direct access or when GitHub doesn't strip
// - Without /mcp prefix: for when GitHub has stripped the prefix
func (h *AuthHandler) routesForPattern(pattern string) []string {
basePaths := []string{""}
if basePath := normalizeBasePath(h.cfg.ResourcePath); basePath != "" {
basePaths = append(basePaths, basePath)
} else {
basePaths = append(basePaths, "/mcp")
}
routes := make([]string, 0, len(basePaths)*2)
for _, basePath := range basePaths {
routes = append(routes, joinRoute(basePath, pattern))
routes = append(routes, joinRoute(basePath, pattern)+"/")
}
return routes
}
// resolveResourcePath returns the externally visible resource path,
// restoring the configured base path when proxies strip it before forwarding.
func resolveResourcePath(path, basePath string) string {
if path == "" {
path = "/"
}
base := normalizeBasePath(basePath)
if base == "" {
return path
}
if path == "/" {
return base
}
if path == base || strings.HasPrefix(path, base+"/") {
return path
}
return base + path
}
// ResolveResourcePath returns the externally visible resource path for a request.
// Exported for use by middleware.
func ResolveResourcePath(r *http.Request, cfg *Config) string {
basePath := ""
if cfg != nil {
basePath = cfg.ResourcePath
}
return resolveResourcePath(r.URL.Path, basePath)
}
// buildResourceURL constructs the full resource URL for OAuth metadata.
func (h *AuthHandler) buildResourceURL(r *http.Request, resourcePath string) string {
host, scheme := GetEffectiveHostAndScheme(r, h.cfg)
baseURL := fmt.Sprintf("%s://%s", scheme, host)
if h.cfg.BaseURL != "" {
baseURL = strings.TrimSuffix(h.cfg.BaseURL, "/")
}
if resourcePath == "" {
resourcePath = "/"
}
if !strings.HasPrefix(resourcePath, "/") {
resourcePath = "/" + resourcePath
}
return baseURL + resourcePath
}
// GetEffectiveHostAndScheme returns the effective host and scheme for a request.
//
// X-Forwarded-Host and X-Forwarded-Proto are only honored when cfg.TrustProxyHeaders
// is true. Without that opt-in, an untrusted client could otherwise influence the
// OAuth resource metadata URL advertised to MCP clients.
func GetEffectiveHostAndScheme(r *http.Request, cfg *Config) (host, scheme string) { //nolint:revive
trustProxy := cfg != nil && cfg.TrustProxyHeaders
if trustProxy {
if fh := r.Header.Get(headers.ForwardedHostHeader); fh != "" {
host = fh
}
}
if host == "" {
host = r.Host
}
if host == "" {
host = "localhost"
}
if trustProxy {
if fp := r.Header.Get(headers.ForwardedProtoHeader); fp != "" {
scheme = strings.ToLower(fp)
}
}
if scheme == "" {
if r.TLS != nil {
scheme = "https"
} else {
scheme = "http"
}
}
return
}
// BuildResourceMetadataURL constructs the full URL to the OAuth protected resource metadata endpoint.
func BuildResourceMetadataURL(r *http.Request, cfg *Config, resourcePath string) string {
host, scheme := GetEffectiveHostAndScheme(r, cfg)
suffix := ""
if resourcePath != "" && resourcePath != "/" {
if !strings.HasPrefix(resourcePath, "/") {
suffix = "/" + resourcePath
} else {
suffix = resourcePath
}
}
if cfg != nil && cfg.BaseURL != "" {
return strings.TrimSuffix(cfg.BaseURL, "/") + OAuthProtectedResourcePrefix + suffix
}
return fmt.Sprintf("%s://%s%s%s", scheme, host, OAuthProtectedResourcePrefix, suffix)
}
func normalizeBasePath(path string) string {
trimmed := strings.TrimSpace(path)
if trimmed == "" || trimmed == "/" {
return ""
}
if !strings.HasPrefix(trimmed, "/") {
trimmed = "/" + trimmed
}
return strings.TrimSuffix(trimmed, "/")
}
func joinRoute(basePath, pattern string) string {
if basePath == "" {
return pattern
}
if pattern == "" {
return basePath
}
if before, ok := strings.CutSuffix(basePath, "/"); ok {
return before + pattern
}
return basePath + pattern
}
+763
View File
@@ -0,0 +1,763 @@
package oauth
import (
"crypto/tls"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"github.com/github/github-mcp-server/pkg/http/headers"
"github.com/github/github-mcp-server/pkg/utils"
"github.com/go-chi/chi/v5"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
var (
defaultAuthorizationServer = "https://github.com/login/oauth"
)
func TestNewAuthHandler(t *testing.T) {
t.Parallel()
dotcomHost, err := utils.NewAPIHost("https://api.github.com")
require.NoError(t, err)
tests := []struct {
name string
cfg *Config
expectedAuthServer string
expectedResourcePath string
}{
{
name: "custom authorization server",
cfg: &Config{
AuthorizationServer: "https://custom.example.com/oauth",
},
expectedAuthServer: "https://custom.example.com/oauth",
expectedResourcePath: "",
},
{
name: "custom base URL and resource path",
cfg: &Config{
BaseURL: "https://example.com",
ResourcePath: "/mcp",
},
expectedAuthServer: "",
expectedResourcePath: "/mcp",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
handler, err := NewAuthHandler(tc.cfg, dotcomHost)
require.NoError(t, err)
require.NotNil(t, handler)
assert.Equal(t, tc.expectedAuthServer, handler.cfg.AuthorizationServer)
assert.Equal(t, tc.expectedResourcePath, handler.cfg.ResourcePath)
})
}
}
func TestGetEffectiveHostAndScheme(t *testing.T) {
t.Parallel()
tests := []struct {
name string
setupRequest func() *http.Request
cfg *Config
expectedHost string
expectedScheme string
}{
{
name: "basic request without forwarding headers",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "example.com"
return req
},
cfg: &Config{},
expectedHost: "example.com",
expectedScheme: "http", // defaults to http
},
{
name: "X-Forwarded-Host ignored by default",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "internal.example.com"
req.Header.Set(headers.ForwardedHostHeader, "attacker.example.com")
req.Header.Set(headers.ForwardedProtoHeader, "https")
return req
},
cfg: &Config{},
expectedHost: "internal.example.com",
expectedScheme: "http",
},
{
name: "request with X-Forwarded-Host header",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "internal.example.com"
req.Header.Set(headers.ForwardedHostHeader, "public.example.com")
return req
},
cfg: &Config{TrustProxyHeaders: true},
expectedHost: "public.example.com",
expectedScheme: "http",
},
{
name: "request with X-Forwarded-Proto header",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "example.com"
req.Header.Set(headers.ForwardedProtoHeader, "http")
return req
},
cfg: &Config{TrustProxyHeaders: true},
expectedHost: "example.com",
expectedScheme: "http",
},
{
name: "request with both forwarding headers",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "internal.example.com"
req.Header.Set(headers.ForwardedHostHeader, "public.example.com")
req.Header.Set(headers.ForwardedProtoHeader, "https")
return req
},
cfg: &Config{TrustProxyHeaders: true},
expectedHost: "public.example.com",
expectedScheme: "https",
},
{
name: "request with TLS",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "example.com"
req.TLS = &tls.ConnectionState{}
return req
},
cfg: &Config{},
expectedHost: "example.com",
expectedScheme: "https",
},
{
name: "X-Forwarded-Proto takes precedence over TLS",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "example.com"
req.TLS = &tls.ConnectionState{}
req.Header.Set(headers.ForwardedProtoHeader, "http")
return req
},
cfg: &Config{TrustProxyHeaders: true},
expectedHost: "example.com",
expectedScheme: "http",
},
{
name: "scheme is lowercased",
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/test", nil)
req.Host = "example.com"
req.Header.Set(headers.ForwardedProtoHeader, "HTTPS")
return req
},
cfg: &Config{TrustProxyHeaders: true},
expectedHost: "example.com",
expectedScheme: "https",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
req := tc.setupRequest()
host, scheme := GetEffectiveHostAndScheme(req, tc.cfg)
assert.Equal(t, tc.expectedHost, host)
assert.Equal(t, tc.expectedScheme, scheme)
})
}
}
func TestResolveResourcePath(t *testing.T) {
t.Parallel()
tests := []struct {
name string
cfg *Config
setupRequest func() *http.Request
expectedPath string
}{
{
name: "no base path uses request path",
cfg: &Config{},
setupRequest: func() *http.Request {
return httptest.NewRequest(http.MethodGet, "/x/repos", nil)
},
expectedPath: "/x/repos",
},
{
name: "base path restored for root",
cfg: &Config{
ResourcePath: "/mcp",
},
setupRequest: func() *http.Request {
return httptest.NewRequest(http.MethodGet, "/", nil)
},
expectedPath: "/mcp",
},
{
name: "base path restored for nested",
cfg: &Config{
ResourcePath: "/mcp",
},
setupRequest: func() *http.Request {
return httptest.NewRequest(http.MethodGet, "/readonly", nil)
},
expectedPath: "/mcp/readonly",
},
{
name: "base path preserved when already present",
cfg: &Config{
ResourcePath: "/mcp",
},
setupRequest: func() *http.Request {
return httptest.NewRequest(http.MethodGet, "/mcp/readonly/", nil)
},
expectedPath: "/mcp/readonly/",
},
{
name: "custom base path restored",
cfg: &Config{
ResourcePath: "/api",
},
setupRequest: func() *http.Request {
return httptest.NewRequest(http.MethodGet, "/x/repos", nil)
},
expectedPath: "/api/x/repos",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
req := tc.setupRequest()
path := ResolveResourcePath(req, tc.cfg)
assert.Equal(t, tc.expectedPath, path)
})
}
}
func TestBuildResourceMetadataURL(t *testing.T) {
t.Parallel()
tests := []struct {
name string
cfg *Config
setupRequest func() *http.Request
resourcePath string
expectedURL string
}{
{
name: "root path",
cfg: &Config{},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/", nil)
req.Host = "api.example.com"
return req
},
resourcePath: "/",
expectedURL: "http://api.example.com/.well-known/oauth-protected-resource",
},
{
name: "resource path preserves trailing slash",
cfg: &Config{},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/mcp/", nil)
req.Host = "api.example.com"
return req
},
resourcePath: "/mcp/",
expectedURL: "http://api.example.com/.well-known/oauth-protected-resource/mcp/",
},
{
name: "with custom resource path",
cfg: &Config{},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
req.Host = "api.example.com"
return req
},
resourcePath: "/mcp",
expectedURL: "http://api.example.com/.well-known/oauth-protected-resource/mcp",
},
{
name: "with base URL config",
cfg: &Config{
BaseURL: "https://custom.example.com",
},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
req.Host = "api.example.com"
return req
},
resourcePath: "/mcp",
expectedURL: "https://custom.example.com/.well-known/oauth-protected-resource/mcp",
},
{
name: "with forwarded headers ignored by default",
cfg: &Config{},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
req.Host = "internal.example.com"
req.Header.Set(headers.ForwardedHostHeader, "attacker.example.com")
req.Header.Set(headers.ForwardedProtoHeader, "https")
return req
},
resourcePath: "/mcp",
expectedURL: "http://internal.example.com/.well-known/oauth-protected-resource/mcp",
},
{
name: "with forwarded headers",
cfg: &Config{TrustProxyHeaders: true},
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
req.Host = "internal.example.com"
req.Header.Set(headers.ForwardedHostHeader, "public.example.com")
req.Header.Set(headers.ForwardedProtoHeader, "https")
return req
},
resourcePath: "/mcp",
expectedURL: "https://public.example.com/.well-known/oauth-protected-resource/mcp",
},
{
name: "nil config uses request host",
cfg: nil,
setupRequest: func() *http.Request {
req := httptest.NewRequest(http.MethodGet, "/", nil)
req.Host = "api.example.com"
return req
},
resourcePath: "",
expectedURL: "http://api.example.com/.well-known/oauth-protected-resource",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
req := tc.setupRequest()
url := BuildResourceMetadataURL(req, tc.cfg, tc.resourcePath)
assert.Equal(t, tc.expectedURL, url)
})
}
}
func TestHandleProtectedResource(t *testing.T) {
t.Parallel()
tests := []struct {
name string
cfg *Config
path string
host string
method string
expectedStatusCode int
expectedScopes []string
validateResponse func(t *testing.T, body map[string]any)
}{
{
name: "GET request returns protected resource metadata",
cfg: &Config{
BaseURL: "https://api.example.com",
},
path: OAuthProtectedResourcePrefix,
host: "api.example.com",
method: http.MethodGet,
expectedStatusCode: http.StatusOK,
expectedScopes: SupportedScopes,
validateResponse: func(t *testing.T, body map[string]any) {
t.Helper()
assert.Equal(t, "GitHub MCP Server", body["resource_name"])
assert.Equal(t, "https://api.example.com/", body["resource"])
authServers, ok := body["authorization_servers"].([]any)
require.True(t, ok)
require.Len(t, authServers, 1)
assert.Equal(t, defaultAuthorizationServer, authServers[0])
},
},
{
name: "OPTIONS request for CORS preflight",
cfg: &Config{
BaseURL: "https://api.example.com",
},
path: OAuthProtectedResourcePrefix,
host: "api.example.com",
method: http.MethodOptions,
expectedStatusCode: http.StatusNoContent,
},
{
name: "path with /mcp suffix",
cfg: &Config{
BaseURL: "https://api.example.com",
},
path: OAuthProtectedResourcePrefix + "/mcp",
host: "api.example.com",
method: http.MethodGet,
expectedStatusCode: http.StatusOK,
validateResponse: func(t *testing.T, body map[string]any) {
t.Helper()
assert.Equal(t, "https://api.example.com/mcp", body["resource"])
},
},
{
name: "path with /readonly suffix",
cfg: &Config{
BaseURL: "https://api.example.com",
},
path: OAuthProtectedResourcePrefix + "/readonly",
host: "api.example.com",
method: http.MethodGet,
expectedStatusCode: http.StatusOK,
validateResponse: func(t *testing.T, body map[string]any) {
t.Helper()
assert.Equal(t, "https://api.example.com/readonly", body["resource"])
},
},
{
name: "path with trailing slash",
cfg: &Config{
BaseURL: "https://api.example.com",
},
path: OAuthProtectedResourcePrefix + "/mcp/",
host: "api.example.com",
method: http.MethodGet,
expectedStatusCode: http.StatusOK,
validateResponse: func(t *testing.T, body map[string]any) {
t.Helper()
assert.Equal(t, "https://api.example.com/mcp/", body["resource"])
},
},
{
name: "custom authorization server in response",
cfg: &Config{
BaseURL: "https://api.example.com",
AuthorizationServer: "https://custom.auth.example.com/oauth",
},
path: OAuthProtectedResourcePrefix,
host: "api.example.com",
method: http.MethodGet,
expectedStatusCode: http.StatusOK,
validateResponse: func(t *testing.T, body map[string]any) {
t.Helper()
authServers, ok := body["authorization_servers"].([]any)
require.True(t, ok)
require.Len(t, authServers, 1)
assert.Equal(t, "https://custom.auth.example.com/oauth", authServers[0])
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
dotcomHost, err := utils.NewAPIHost("https://api.github.com")
require.NoError(t, err)
handler, err := NewAuthHandler(tc.cfg, dotcomHost)
require.NoError(t, err)
router := chi.NewRouter()
handler.RegisterRoutes(router)
req := httptest.NewRequest(tc.method, tc.path, nil)
req.Host = tc.host
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
assert.Equal(t, tc.expectedStatusCode, rec.Code)
// Check CORS headers
assert.Equal(t, "*", rec.Header().Get("Access-Control-Allow-Origin"))
assert.Contains(t, rec.Header().Get("Access-Control-Allow-Methods"), "GET")
assert.Contains(t, rec.Header().Get("Access-Control-Allow-Methods"), "OPTIONS")
if tc.method == http.MethodGet && tc.validateResponse != nil {
assert.Equal(t, "application/json", rec.Header().Get("Content-Type"))
var body map[string]any
err := json.Unmarshal(rec.Body.Bytes(), &body)
require.NoError(t, err)
tc.validateResponse(t, body)
// Verify scopes if expected
if tc.expectedScopes != nil {
scopes, ok := body["scopes_supported"].([]any)
require.True(t, ok)
assert.Len(t, scopes, len(tc.expectedScopes))
}
}
})
}
}
func TestRegisterRoutes(t *testing.T) {
t.Parallel()
dotcomHost, err := utils.NewAPIHost("https://api.github.com")
require.NoError(t, err)
handler, err := NewAuthHandler(&Config{
BaseURL: "https://api.example.com",
}, dotcomHost)
require.NoError(t, err)
router := chi.NewRouter()
handler.RegisterRoutes(router)
// List of expected routes that should be registered
expectedRoutes := []string{
OAuthProtectedResourcePrefix,
OAuthProtectedResourcePrefix + "/",
OAuthProtectedResourcePrefix + "/mcp",
OAuthProtectedResourcePrefix + "/mcp/",
OAuthProtectedResourcePrefix + "/readonly",
OAuthProtectedResourcePrefix + "/readonly/",
OAuthProtectedResourcePrefix + "/mcp/readonly",
OAuthProtectedResourcePrefix + "/mcp/readonly/",
OAuthProtectedResourcePrefix + "/x/repos",
OAuthProtectedResourcePrefix + "/mcp/x/repos",
}
for _, route := range expectedRoutes {
t.Run("route:"+route, func(t *testing.T) {
// Test GET
req := httptest.NewRequest(http.MethodGet, route, nil)
req.Host = "api.example.com"
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
assert.Equal(t, http.StatusOK, rec.Code, "GET %s should return 200", route)
// Test OPTIONS (CORS preflight)
req = httptest.NewRequest(http.MethodOptions, route, nil)
req.Host = "api.example.com"
rec = httptest.NewRecorder()
router.ServeHTTP(rec, req)
assert.Equal(t, http.StatusNoContent, rec.Code, "OPTIONS %s should return 204", route)
})
}
}
func TestSupportedScopes(t *testing.T) {
t.Parallel()
// Verify all expected scopes are present
expectedScopes := []string{
"repo",
"read:org",
"read:user",
"user:email",
"read:packages",
"write:packages",
"read:project",
"project",
"gist",
"notifications",
"workflow",
"codespace",
}
assert.Equal(t, expectedScopes, SupportedScopes)
}
func TestProtectedResourceResponseFormat(t *testing.T) {
t.Parallel()
dotcomHost, err := utils.NewAPIHost("https://api.github.com")
require.NoError(t, err)
handler, err := NewAuthHandler(&Config{
BaseURL: "https://api.example.com",
}, dotcomHost)
require.NoError(t, err)
router := chi.NewRouter()
handler.RegisterRoutes(router)
req := httptest.NewRequest(http.MethodGet, OAuthProtectedResourcePrefix, nil)
req.Host = "api.example.com"
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
var response map[string]any
err = json.Unmarshal(rec.Body.Bytes(), &response)
require.NoError(t, err)
// Verify all required RFC 9728 fields are present
assert.Contains(t, response, "resource")
assert.Contains(t, response, "authorization_servers")
assert.Contains(t, response, "bearer_methods_supported")
assert.Contains(t, response, "scopes_supported")
// Verify resource name (optional but we include it)
assert.Contains(t, response, "resource_name")
assert.Equal(t, "GitHub MCP Server", response["resource_name"])
// Verify bearer_methods_supported contains "header"
bearerMethods, ok := response["bearer_methods_supported"].([]any)
require.True(t, ok)
assert.Contains(t, bearerMethods, "header")
// Verify authorization_servers is an array with GitHub OAuth
authServers, ok := response["authorization_servers"].([]any)
require.True(t, ok)
assert.Len(t, authServers, 1)
assert.Equal(t, defaultAuthorizationServer, authServers[0])
}
func TestOAuthProtectedResourcePrefix(t *testing.T) {
t.Parallel()
// RFC 9728 specifies this well-known path
assert.Equal(t, "/.well-known/oauth-protected-resource", OAuthProtectedResourcePrefix)
}
func TestDefaultAuthorizationServer(t *testing.T) {
t.Parallel()
assert.Equal(t, "https://github.com/login/oauth", defaultAuthorizationServer)
}
func TestAPIHostResolver_AuthorizationServerURL(t *testing.T) {
t.Parallel()
tests := []struct {
name string
host string
oauthConfig *Config
expectedURL string
expectedError bool
expectedStatusCode int
errorContains string
}{
{
name: "valid host returns authorization server URL",
host: "https://github.com",
expectedURL: "https://github.com/login/oauth",
expectedStatusCode: http.StatusOK,
},
{
name: "invalid host returns error",
host: "://invalid-url",
expectedURL: "",
expectedError: true,
errorContains: "could not parse host as URL",
},
{
name: "host without scheme returns error",
host: "github.com",
expectedURL: "",
expectedError: true,
errorContains: "host must have a scheme",
},
{
name: "GHEC host returns correct authorization server URL",
host: "https://test.ghe.com",
expectedURL: "https://test.ghe.com/login/oauth",
expectedStatusCode: http.StatusOK,
},
{
name: "GHES host returns correct authorization server URL",
host: "https://ghe.example.com",
expectedURL: "https://ghe.example.com/login/oauth",
expectedStatusCode: http.StatusOK,
},
{
name: "GHES with http scheme returns the correct authorization server URL",
host: "http://ghe.example.com",
expectedURL: "http://ghe.example.com/login/oauth",
expectedStatusCode: http.StatusOK,
},
{
name: "custom authorization server in config takes precedence",
host: "https://github.com",
oauthConfig: &Config{
AuthorizationServer: "https://custom.auth.example.com/oauth",
},
expectedURL: "https://custom.auth.example.com/oauth",
expectedStatusCode: http.StatusOK,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
apiHost, err := utils.NewAPIHost(tc.host)
if tc.expectedError {
require.Error(t, err)
if tc.errorContains != "" {
assert.Contains(t, err.Error(), tc.errorContains)
}
return
}
require.NoError(t, err)
config := tc.oauthConfig
if config == nil {
config = &Config{}
}
config.BaseURL = tc.host
handler, err := NewAuthHandler(config, apiHost)
require.NoError(t, err)
router := chi.NewRouter()
handler.RegisterRoutes(router)
req := httptest.NewRequest(http.MethodGet, OAuthProtectedResourcePrefix, nil)
req.Host = "api.example.com"
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
var response map[string]any
err = json.Unmarshal(rec.Body.Bytes(), &response)
require.NoError(t, err)
assert.Contains(t, response, "authorization_servers")
if tc.expectedStatusCode != http.StatusOK {
require.Equal(t, tc.expectedStatusCode, rec.Code)
if tc.errorContains != "" {
assert.Contains(t, rec.Body.String(), tc.errorContains)
}
return
}
responseAuthServers, ok := response["authorization_servers"].([]any)
require.True(t, ok)
require.Len(t, responseAuthServers, 1)
assert.Equal(t, tc.expectedURL, responseAuthServers[0])
})
}
}