mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header
All checks were successful
CD / Lint / Test / Vet (push) Successful in 6s
Details
CD / Build & Import (push) Successful in 11s
Details
CD / Deploy via GitOps (push) Successful in 3s
Details

Browse Source 
claude.ai connectors call the server with no Authorization header (confirmed
via request logging). Add a configurable default Gitea PAT so unauthenticated
clients (like claude.ai) can still reach the server.

Claude Code continues to pass per-request PATs; defaultToken="" preserves
the existing strict behaviour when the env var is unset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Bergqvist
2026-05-09 22:22:04 +02:00
parent 70173875d8
commit 9d08352324
4 changed files with 41 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/gitea-mcp/main.go
View File

@@ -73,7 +73,7 @@ func main() {
mux := http.NewServeMux() mux := http.NewServeMux()
mux.Handle("/mcp", logReq(mcp.OriginAllowlist(cfg.OriginAllowlist)( mux.Handle("/mcp", logReq(mcp.OriginAllowlist(cfg.OriginAllowlist)(
auth.BearerMiddleware(cfg.GiteaBaseURL, auth.BearerMiddleware(cfg.GiteaBaseURL, cfg.DefaultToken,
auth.CallerMiddleware(mcpSrv), auth.CallerMiddleware(mcpSrv),
)), )),
)) ))

8
internal/auth/bearer.go
View File

@@ -12,14 +12,20 @@ type tokenKey struct{}
// BearerMiddleware validates the incoming bearer token as a Gitea PAT by // BearerMiddleware validates the incoming bearer token as a Gitea PAT by
// calling GET /api/v1/user. The validated token is stored in context for // calling GET /api/v1/user. The validated token is stored in context for
// downstream use by the Gitea client. // downstream use by the Gitea client.
func BearerMiddleware(giteaBaseURL string, next http.Handler) http.Handler { //
// defaultToken, if non-empty, is used when no Authorization header is present
// (e.g. claude.ai connectors which do not inject Bearer tokens).
func BearerMiddleware(giteaBaseURL, defaultToken string, next http.Handler) http.Handler {
hc := &http.Client{Timeout: 5 * time.Second} hc := &http.Client{Timeout: 5 * time.Second}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ") token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
if !ok || token == "" { if !ok || token == "" {
if defaultToken == "" {
http.Error(w, "unauthorized", http.StatusUnauthorized) http.Error(w, "unauthorized", http.StatusUnauthorized)
return return
} }
token = defaultToken
}
req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, giteaBaseURL+"/api/v1/user", nil) req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, giteaBaseURL+"/api/v1/user", nil)
if err != nil { if err != nil {
http.Error(w, "unauthorized", http.StatusUnauthorized) http.Error(w, "unauthorized", http.StatusUnauthorized)

32
internal/auth/bearer_test.go
View File

@@ -11,7 +11,7 @@ import (
) )
func TestBearerMiddleware_NoAuthHeader(t *testing.T) { func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com", srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com", "",
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
}), }),
@@ -24,6 +24,32 @@ func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
} }
func TestBearerMiddleware_NoAuthHeaderWithDefault(t *testing.T) {
const defaultToken = "default-pat"
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, "token "+defaultToken, r.Header.Get("Authorization"))
w.WriteHeader(http.StatusOK)
}))
defer giteaMock.Close()
called := false
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, defaultToken,
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called = true
assert.Equal(t, defaultToken, auth.TokenFromContext(r.Context()))
w.WriteHeader(http.StatusOK)
}),
))
defer srv.Close()
resp, err := http.Post(srv.URL+"/mcp", "application/json", nil)
require.NoError(t, err)
defer func() { _ = resp.Body.Close() }()
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.True(t, called)
}
func TestBearerMiddleware_InvalidToken(t *testing.T) { func TestBearerMiddleware_InvalidToken(t *testing.T) {
// Mock Gitea that rejects the token // Mock Gitea that rejects the token
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -31,7 +57,7 @@ func TestBearerMiddleware_InvalidToken(t *testing.T) {
})) }))
defer giteaMock.Close() defer giteaMock.Close()
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
}), }),
@@ -57,7 +83,7 @@ func TestBearerMiddleware_ValidToken(t *testing.T) {
defer giteaMock.Close() defer giteaMock.Close()
called := false called := false
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called = true called = true
// Token must be available in context for downstream Gitea client // Token must be available in context for downstream Gitea client

2
internal/config/config.go
View File

@@ -8,6 +8,7 @@ import (
type Config struct { type Config struct {
Port string // GITEA_MCP_PORT, default 8080 Port string // GITEA_MCP_PORT, default 8080
GiteaBaseURL string // GITEA_BASE_URL, e.g. https://gitea.d-ma.be GiteaBaseURL string // GITEA_BASE_URL, e.g. https://gitea.d-ma.be
DefaultToken string // GITEA_MCP_DEFAULT_TOKEN, fallback PAT when no Bearer header present (e.g. claude.ai)
AllowedOwners []string // GITEA_MCP_ALLOWED_OWNERS, comma-separated, default "mathias" AllowedOwners []string // GITEA_MCP_ALLOWED_OWNERS, comma-separated, default "mathias"
OriginAllowlist []string // GITEA_MCP_ORIGIN_ALLOWLIST, comma-separated OriginAllowlist []string // GITEA_MCP_ORIGIN_ALLOWLIST, comma-separated
} }
@@ -16,6 +17,7 @@ func Load() (Config, error) {
cfg := Config{ cfg := Config{
Port: envOr("GITEA_MCP_PORT", "8080"), Port: envOr("GITEA_MCP_PORT", "8080"),
GiteaBaseURL: os.Getenv("GITEA_BASE_URL"), GiteaBaseURL: os.Getenv("GITEA_BASE_URL"),
DefaultToken: os.Getenv("GITEA_MCP_DEFAULT_TOKEN"),
AllowedOwners: splitCSV(envOr("GITEA_MCP_ALLOWED_OWNERS", "mathias")), AllowedOwners: splitCSV(envOr("GITEA_MCP_ALLOWED_OWNERS", "mathias")),
OriginAllowlist: splitCSV(os.Getenv("GITEA_MCP_ORIGIN_ALLOWLIST")), OriginAllowlist: splitCSV(os.Getenv("GITEA_MCP_ORIGIN_ALLOWLIST")),
} }