mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efbbd37882cd9c39a9e9865c9603c2301e20916e
gitea-mcp/internal/auth/bearer_test.go
Mathias Bergqvist 9d08352324
All checks were successful
CD / Lint / Test / Vet (push) Successful in 6s
Details
CD / Build & Import (push) Successful in 11s
Details
CD / Deploy via GitOps (push) Successful in 3s
Details
feat(auth): fall back to GITEA_MCP_DEFAULT_TOKEN when no Bearer header 
claude.ai connectors call the server with no Authorization header (confirmed
via request logging). Add a configurable default Gitea PAT so unauthenticated
clients (like claude.ai) can still reach the server.

Claude Code continues to pass per-request PATs; defaultToken="" preserves
the existing strict behaviour when the env var is unset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-09 22:22:04 +02:00

109 lines
3.4 KiB
Go
Raw Blame History

package auth_test
import (
"net/http"
"net/http/httptest"
"testing"
"gitea.d-ma.be/mathias/gitea-mcp/internal/auth"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
srv := httptest.NewServer(auth.BearerMiddleware("https://gitea.example.com", "",
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
}),
))
defer srv.Close()
resp, err := http.Post(srv.URL+"/mcp", "application/json", nil)
require.NoError(t, err)
defer func() { _ = resp.Body.Close() }()
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}
func TestBearerMiddleware_NoAuthHeaderWithDefault(t *testing.T) {
const defaultToken = "default-pat"
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, "token "+defaultToken, r.Header.Get("Authorization"))
w.WriteHeader(http.StatusOK)
}))
defer giteaMock.Close()
called := false
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, defaultToken,
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called = true
assert.Equal(t, defaultToken, auth.TokenFromContext(r.Context()))
w.WriteHeader(http.StatusOK)
}),
))
defer srv.Close()
resp, err := http.Post(srv.URL+"/mcp", "application/json", nil)
require.NoError(t, err)
defer func() { _ = resp.Body.Close() }()
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.True(t, called)
}
func TestBearerMiddleware_InvalidToken(t *testing.T) {
// Mock Gitea that rejects the token
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized)
}))
defer giteaMock.Close()
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
}),
))
defer srv.Close()
req, _ := http.NewRequest(http.MethodPost, srv.URL+"/mcp", nil)
req.Header.Set("Authorization", "Bearer bad-token")
resp, err := http.DefaultClient.Do(req)
require.NoError(t, err)
defer func() { _ = resp.Body.Close() }()
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}
func TestBearerMiddleware_ValidToken(t *testing.T) {
const token = "valid-pat"
// Mock Gitea that accepts the token and returns a user
giteaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, "token "+token, r.Header.Get("Authorization"))
w.WriteHeader(http.StatusOK)
}))
defer giteaMock.Close()
called := false
srv := httptest.NewServer(auth.BearerMiddleware(giteaMock.URL, "",
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called = true
// Token must be available in context for downstream Gitea client
assert.Equal(t, token, auth.TokenFromContext(r.Context()))
w.WriteHeader(http.StatusOK)
}),
))
defer srv.Close()
req, _ := http.NewRequest(http.MethodPost, srv.URL+"/mcp", nil)
req.Header.Set("Authorization", "Bearer "+token)
resp, err := http.DefaultClient.Do(req)
require.NoError(t, err)
defer func() { _ = resp.Body.Close() }()
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.True(t, called)
}
func TestTokenFromContext_Empty(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "/", nil)
assert.Equal(t, "", auth.TokenFromContext(req.Context()))
}
Reference in New Issue View Git Blame Copy Permalink