auth: silent JWT degradation when Dex is unreachable #6

Open
opened 2026-05-14 08:44:09 +00:00 by mathias (Owner) · 0 comments

When Dex is unreachable at startup, NewJWTValidator returns nil, nil and emits a warning. All subsequent JWT validation calls silently return false, falling through to the static token check. The resulting 401 gives the caller no indication of whether their JWT was invalid or Dex was unavailable.

Files:

  • cmd/gitea-mcp/main.go:30-33 — silent nil return on Dex failure
  • internal/auth/jwt.go:61-63 — Validate returns false when validator is nil

Suggestions:

  • Expose a GET /healthz that reports JWT validator status (enabled/disabled/last-error)
  • Log Dex availability state on each auth attempt when the validator is nil so ops can correlate with Dex outage windows
  • Consider returning a 503 with WWW-Authenticate: Bearer error="temporarily_unavailable" when Dex is known-down vs a generic 401
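The behaviour the issue asks for, as an added example; this is not code from gitea-mcp. `NewJWTValidator`, `Validate` and the JWT-then-static-token order follow the issue's description, while the `connect` callback standing in for Dex discovery, the `verifyFn` stub for signature and claims checks, the `Status` type and the handler names are assumptions made for illustration. The validator is never nil: a failed Dex startup is recorded and surfaces as `ErrValidatorUnavailable` on every call, the handler turns that into a 503 with the suggested `WWW-Authenticate` value and a log line per attempt, and the static token keeps working during the outage because it does not depend on Dex.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"log"
	"net/http"
	"strings"
)

// ErrValidatorUnavailable means "could not validate" (issuer unreachable), not "token invalid".
var ErrValidatorUnavailable = errors.New("jwt validator unavailable")

// JWTValidator is a hypothetical validator that is never nil: a failed Dex startup is
// recorded in lastErr and reported on every call instead of silently becoming false.
type JWTValidator struct {
	ready    bool
	lastErr  error
	verifyFn func(token string) bool // stand-in for real signature/claims checks (assumed)
}

// NewJWTValidator never returns nil, nil; connect stands in for Dex discovery (assumed).
func NewJWTValidator(connect func() (func(string) bool, error)) *JWTValidator {
	fn, err := connect()
	return &JWTValidator{ready: err == nil && fn != nil, lastErr: err, verifyFn: fn}
}

// Validate returns (valid, err); a non-nil err must not be collapsed into "invalid".
func (v *JWTValidator) Validate(token string) (bool, error) {
	if !v.ready {
		return false, errors.Join(ErrValidatorUnavailable, v.lastErr)
	}
	return v.verifyFn(token), nil
}

// Status is what a GET /healthz handler would serialise: enabled / disabled / last error.
type Status struct {
	JWTEnabled bool   `json:"jwt_enabled"`
	LastError  string `json:"last_error,omitempty"`
}

func (v *JWTValidator) Status() Status {
	s := Status{JWTEnabled: v.ready}
	if v.lastErr != nil {
		s.LastError = v.lastErr.Error()
	}
	return s
}

// AuthHandler tries the JWT first and then the static token, as the issue describes,
// but answers 503 when Dex is known-down and 401 only for bad or missing credentials.
func AuthHandler(v *JWTValidator, staticToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !ok || token == "" {
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_request"`)
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		valid, err := v.Validate(token)
		if err == nil && valid {
			next.ServeHTTP(w, r)
			return
		}
		// The static token does not depend on Dex, so it keeps working during an outage.
		if subtle.ConstantTimeCompare([]byte(token), []byte(staticToken)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		if errors.Is(err, ErrValidatorUnavailable) {
			// Logged on every attempt so ops can correlate the 503s with the Dex outage window.
			log.Printf("auth: %s %s rejected: %v", r.Method, r.URL.Path, err)
			w.Header().Set("WWW-Authenticate", `Bearer error="temporarily_unavailable"`)
			w.Header().Set("Retry-After", "30")
			http.Error(w, "jwt validation temporarily unavailable", http.StatusServiceUnavailable)
			return
		}
		w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
		http.Error(w, "invalid token", http.StatusUnauthorized)
	})
}

func main() {
	// Constructed demo with Dex unreachable: only the static token passes, any other bearer
	// token gets 503. Try: curl -i -H 'Authorization: Bearer x' http://127.0.0.1:8080/
	v := NewJWTValidator(func() (func(string) bool, error) {
		return nil, errors.New("dial tcp dex:5556: connection refused")
	})
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("ok\n")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", AuthHandler(v, "static-secret", okHandler)))
}
```

One caveat on the suggested header value: RFC 6750 registers only `invalid_request`, `invalid_token` and `insufficient_scope` as Bearer error codes, so `temporarily_unavailable` (an RFC 6749 authorization-endpoint code) is non-standard in this position and generic clients will act on the 503 status and `Retry-After` rather than on the error attribute. The example also does no re-discovery after startup; a production version would retry Dex in the background and flip `ready` when it comes back.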
Reference: mathias/gitea-mcp#6