Merge pull request 'fix: add OAuth discovery endpoints for claude.ai handshake' (#3 ) from fix/oauth-discovery-endpoints into main

Reviewed-on: http://gitea.d-ma.be/mathias/gitea-mcp/pulls/3
fix: add OAuth discovery endpoints for claude.ai handshake
2026-05-06 15:20:58 +00:00 · 2026-05-06 17:19:14 +02:00
3 changed files with 24 additions and 0 deletions
--- a/cmd/gitea-mcp/main.go
+++ b/cmd/gitea-mcp/main.go
@@ -54,6 +54,18 @@ func main() {
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("ok"))
 	})
+	mux.HandleFunc("/.well-known/oauth-protected-resource", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"authorization_servers":[]}`))
+	})
+	mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
+		http.NotFound(w, r)
+	})

 	addr := ":" + cfg.Port
 	logger.Info("gitea-mcp starting", "addr", addr, "version", "0.1.0")
--- a/internal/mcp/server.go
+++ b/internal/mcp/server.go
@@ -31,6 +31,9 @@ func NewServer(opts ServerOptions) *Server {

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
+	case http.MethodHead:
+		w.Header().Set("MCP-Protocol-Version", ProtocolVersion)
+		w.WriteHeader(http.StatusOK)
 	case http.MethodGet:
 		s.handleGET(w, r)
 	case http.MethodPost:
--- a/internal/mcp/server_test.go
+++ b/internal/mcp/server_test.go
@@ -118,6 +118,15 @@ func TestPostBodyTooLarge(t *testing.T) {
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }

+func TestHEADReturnsMCPProtocolVersionHeader(t *testing.T) {
+	srv := newServer(t)
+	req := httptest.NewRequest(http.MethodHead, "/mcp", nil)
+	rr := httptest.NewRecorder()
+	srv.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Code)
+	assert.Equal(t, mcp.ProtocolVersion, rr.Header().Get("MCP-Protocol-Version"))
+}
+
 func TestToolsCallToolNotFound(t *testing.T) {
 	srv := newServer(t)
 	// Initialize to get a session ID.
Author	SHA1	Message	Date
mathias	4f0f65e26a	Merge pull request 'fix: add OAuth discovery endpoints for claude.ai handshake' (#3 ) from fix/oauth-discovery-endpoints into main All checks were successful CD / Lint / Test / Vet (push) Successful in 5s Details CD / Build & Import (push) Successful in 12s Details CD / Deploy via GitOps (push) Successful in 3s Details Reviewed-on: http://gitea.d-ma.be/mathias/gitea-mcp/pulls/3	2026-05-06 15:20:58 +00:00
Mathias Bergqvist	9cbb564cd9	fix: add OAuth discovery endpoints for claude.ai handshake All checks were successful CD / Lint / Test / Vet (pull_request) Successful in 5s Details CD / Build & Import (pull_request) Has been skipped Details CD / Deploy via GitOps (pull_request) Has been skipped Details Implements RFC 9728 protected resource metadata and HEAD probe so claude.ai can complete its pre-handshake discovery without hitting 404. - GET /.well-known/oauth-protected-resource → 200 {"authorization_servers":[]} - GET /.well-known/oauth-authorization-server → 404 (no auth server) - HEAD /mcp → 200 + MCP-Protocol-Version: 2025-06-18 header Closes #2 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-06 17:19:14 +02:00