gitea-mcp

mathias/gitea-mcp

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mathias Bergqvist	91be18c100	feat(auth): JWT-or-static middleware + /.well-known/oauth-protected-resource (issue #5 ) Some checks failed CD / Lint / Test / Vet (push) Failing after 2s Details CD / Build & Import (push) Has been skipped Details CD / Deploy via GitOps (push) Has been skipped Details - internal/auth/jwt.go: JWTValidator via lestrrat-go/jwx/v2, JWKS auto-refresh - internal/auth/bearer.go: replace Gitea PAT validation with JWT->static->default chain - internal/gitea/client.go: always use service PAT; remove TokenFromContext lookup - internal/config/config.go: add DexIssuerURL, MCPAudience, MCPResourceURL, StaticToken - cmd/gitea-mcp/main.go: wire validator, fix /.well-known to return real AS list - bearer_test.go: rewrite for new API	2026-05-12 11:30:52 +02:00
Mathias Bergqvist	9d08352324	feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header All checks were successful CD / Lint / Test / Vet (push) Successful in 6s Details CD / Build & Import (push) Successful in 11s Details CD / Deploy via GitOps (push) Successful in 3s Details claude.ai connectors call the server with no Authorization header (confirmed via request logging). Add a configurable default Gitea PAT so unauthenticated clients (like claude.ai) can still reach the server. Claude Code continues to pass per-request PATs; defaultToken="" preserves the existing strict behaviour when the env var is unset. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 22:22:04 +02:00
Mathias Bergqvist	923689afa5	feat: replace static API token with per-request Gitea PAT pass-through Callers now supply their own Gitea PAT as a Bearer token; the server validates it against GET /api/v1/user and threads it through context to all downstream Gitea API calls. GITEA_API_TOKEN env var and the GiteaAPIToken config field are removed.	2026-05-07 21:04:47 +02:00

Author

SHA1

Message

Date

Mathias Bergqvist

91be18c100

feat(auth): JWT-or-static middleware + /.well-known/oauth-protected-resource (issue #5 )

CD / Lint / Test / Vet (push) Failing after 2s

Details

CD / Build & Import (push) Has been skipped

Details

CD / Deploy via GitOps (push) Has been skipped

Details

- internal/auth/jwt.go: JWTValidator via lestrrat-go/jwx/v2, JWKS auto-refresh
- internal/auth/bearer.go: replace Gitea PAT validation with JWT->static->default chain
- internal/gitea/client.go: always use service PAT; remove TokenFromContext lookup
- internal/config/config.go: add DexIssuerURL, MCPAudience, MCPResourceURL, StaticToken
- cmd/gitea-mcp/main.go: wire validator, fix /.well-known to return real AS list
- bearer_test.go: rewrite for new API

2026-05-12 11:30:52 +02:00

Mathias Bergqvist

9d08352324

feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header

CD / Lint / Test / Vet (push) Successful in 6s

Details

CD / Build & Import (push) Successful in 11s

Details

CD / Deploy via GitOps (push) Successful in 3s

Details

claude.ai connectors call the server with no Authorization header (confirmed
via request logging). Add a configurable default Gitea PAT so unauthenticated
clients (like claude.ai) can still reach the server.

Claude Code continues to pass per-request PATs; defaultToken="" preserves
the existing strict behaviour when the env var is unset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-09 22:22:04 +02:00

Mathias Bergqvist

923689afa5

feat: replace static API token with per-request Gitea PAT pass-through

Callers now supply their own Gitea PAT as a Bearer token; the server validates
it against GET /api/v1/user and threads it through context to all downstream
Gitea API calls. GITEA_API_TOKEN env var and the GiteaAPIToken config field are
removed.

2026-05-07 21:04:47 +02:00

3 Commits