mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): JWT-or-static middleware + /.well-known/oauth-protected-resource (issue #5)
Some checks failed
CD / Lint / Test / Vet (push) Failing after 2s
Details
CD / Build & Import (push) Has been skipped
Details
CD / Deploy via GitOps (push) Has been skipped
Details

Browse Source 
- internal/auth/jwt.go: JWTValidator via lestrrat-go/jwx/v2, JWKS auto-refresh
- internal/auth/bearer.go: replace Gitea PAT validation with JWT->static->default chain
- internal/gitea/client.go: always use service PAT; remove TokenFromContext lookup
- internal/config/config.go: add DexIssuerURL, MCPAudience, MCPResourceURL, StaticToken
- cmd/gitea-mcp/main.go: wire validator, fix /.well-known to return real AS list
- bearer_test.go: rewrite for new API
This commit is contained in:
Mathias Bergqvist
2026-05-12 11:30:52 +02:00
parent efbbd37882
commit 91be18c100
20 changed files with 1745 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
cmd/gitea-mcp/main.go
View File

@@ -1,6 +1,8 @@
package main
import (
"context"
"encoding/json"
"log/slog"
"net/http"
"os"
@@ -23,7 +25,14 @@ func main() {
os.Exit(1)
}
giteaClient := gitea.NewClient(cfg.GiteaBaseURL, "")
ctx := context.Background()
jwtValidator, err := auth.NewJWTValidator(ctx, cfg.DexIssuerURL, cfg.MCPAudience)
if err != nil {
logger.Warn("jwt validator init failed; JWT auth disabled", "err", err)
}
giteaClient := gitea.NewClient(cfg.GiteaBaseURL, cfg.DefaultToken)
ownerAllow := allowlist.New(cfg.AllowedOwners)
reg := registry.New()
@@ -59,7 +68,7 @@ func main() {
mux := http.NewServeMux()
mux.Handle("/mcp", mcp.OriginAllowlist(cfg.OriginAllowlist)(
auth.BearerMiddleware(cfg.GiteaBaseURL, cfg.DefaultToken,
auth.BearerMiddleware(jwtValidator, cfg.StaticToken, cfg.DefaultToken,
auth.CallerMiddleware(mcpSrv),
),
))
@@ -73,11 +82,14 @@ func main() {
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte(`{"authorization_servers":[]}`))
})
mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
http.NotFound(w, r)
payload := map[string]any{
"resource": cfg.MCPResourceURL,
"authorization_servers": []string{},
}
if cfg.DexIssuerURL != "" {
payload["authorization_servers"] = []string{cfg.DexIssuerURL}
}
_ = json.NewEncoder(w).Encode(payload)
})
addr := ":" + cfg.Port