feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header
claude.ai connectors call the server with no Authorization header (confirmed via request logging). Add a configurable default Gitea PAT so unauthenticated clients (like claude.ai) can still reach the server. Claude Code continues to pass per-request PATs; defaultToken="" preserves the existing strict behaviour when the env var is unset. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Bergqvist
@@ -73,7 +73,7 @@ func main() {
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.Handle("/mcp", logReq(mcp.OriginAllowlist(cfg.OriginAllowlist)(
|
||||
auth.BearerMiddleware(cfg.GiteaBaseURL,
|
||||
auth.BearerMiddleware(cfg.GiteaBaseURL, cfg.DefaultToken,
|
||||
auth.CallerMiddleware(mcpSrv),
|
||||
)),
|
||||
))
|
||||
|
||||
@@ -12,13 +12,19 @@ type tokenKey struct{}
|
||||
// BearerMiddleware validates the incoming bearer token as a Gitea PAT by
|
||||
// calling GET /api/v1/user. The validated token is stored in context for
|
||||
// downstream use by the Gitea client.
|
||||
func BearerMiddleware(giteaBaseURL string, next http.Handler) http.Handler {
|
||||
//
|
||||
// defaultToken, if non-empty, is used when no Authorization header is present
|
||||
// (e.g. claude.ai connectors which do not inject Bearer tokens).
|
||||
func BearerMiddleware(giteaBaseURL, defaultToken string, next http.Handler) http.Handler {
|
||||
hc := &http.Client{Timeout: 5 * time.Second}
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
|
||||
if !ok || token == "" {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
if defaultToken == "" {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
token = defaultToken
|
||||
}
|
||||
req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, giteaBaseURL+"/api/v1/user", nil)
|
||||
if err != nil {
|
||||
|
||||
@@ -11,7 +11,7 @@ import (
|
||||
)
|
||||
|
||||
func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
|
||||
srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com",
|
||||
srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com", "",
|
||||
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}),
|
||||
@@ -24,6 +24,32 @@ func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
|
||||
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
|
||||
}
|
||||
|
||||
func TestBearerMiddleware_NoAuthHeaderWithDefault(t *testing.T) {
|
||||
const defaultToken = "default-pat"
|
||||
|
||||
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
assert.Equal(t, "token "+defaultToken, r.Header.Get("Authorization"))
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
defer giteaMock.Close()
|
||||
|
||||
called := false
|
||||
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, defaultToken,
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
called = true
|
||||
assert.Equal(t, defaultToken, auth.TokenFromContext(r.Context()))
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}),
|
||||
))
|
||||
defer srv.Close()
|
||||
|
||||
resp, err := http.Post(srv.URL+"/mcp", "application/json", nil)
|
||||
require.NoError(t, err)
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
assert.True(t, called)
|
||||
}
|
||||
|
||||
func TestBearerMiddleware_InvalidToken(t *testing.T) {
|
||||
// Mock Gitea that rejects the token
|
||||
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -31,7 +57,7 @@ func TestBearerMiddleware_InvalidToken(t *testing.T) {
|
||||
}))
|
||||
defer giteaMock.Close()
|
||||
|
||||
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL,
|
||||
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
|
||||
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}),
|
||||
@@ -57,7 +83,7 @@ func TestBearerMiddleware_ValidToken(t *testing.T) {
|
||||
defer giteaMock.Close()
|
||||
|
||||
called := false
|
||||
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL,
|
||||
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
|
||||
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
called = true
|
||||
// Token must be available in context for downstream Gitea client
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
type Config struct {
|
||||
Port string // GITEA_MCP_PORT, default 8080
|
||||
GiteaBaseURL string // GITEA_BASE_URL, e.g. https://gitea.d-ma.be
|
||||
DefaultToken string // GITEA_MCP_DEFAULT_TOKEN, fallback PAT when no Bearer header present (e.g. claude.ai)
|
||||
AllowedOwners []string // GITEA_MCP_ALLOWED_OWNERS, comma-separated, default "mathias"
|
||||
OriginAllowlist []string // GITEA_MCP_ORIGIN_ALLOWLIST, comma-separated
|
||||
}
|
||||
@@ -16,6 +17,7 @@ func Load() (Config, error) {
|
||||
cfg := Config{
|
||||
Port: envOr("GITEA_MCP_PORT", "8080"),
|
||||
GiteaBaseURL: os.Getenv("GITEA_BASE_URL"),
|
||||
DefaultToken: os.Getenv("GITEA_MCP_DEFAULT_TOKEN"),
|
||||
AllowedOwners: splitCSV(envOr("GITEA_MCP_ALLOWED_OWNERS", "mathias")),
|
||||
OriginAllowlist: splitCSV(os.Getenv("GITEA_MCP_ORIGIN_ALLOWLIST")),
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user