oauth

package
v1.0.5
Published: Apr 22, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package oauth provides GitLab-specific OAuth 2.0 token verification, caching, and HTTP middleware for the MCP server's HTTP mode.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewGitLabVerifier

func NewGitLabVerifier(gitlabURL string, skipTLS bool, cacheTTL time.Duration, cache *TokenCache) auth.TokenVerifier

NewGitLabVerifier returns an auth.TokenVerifier that validates Bearer tokens by calling the GitLab /api/v4/user endpoint. Verified identities are cached in cache (if non-nil) to avoid redundant API calls.

The returned verifier populates auth.TokenInfo with:

  • UserID: the GitLab user's numeric ID (as string)
  • Extra["username"]: the GitLab user's login name
  • Extra["token"]: the raw token (for downstream GitLab client creation)
  • Expiration: now + cacheTTL (so the SDK middleware honors TTL)

func NewProtectedResourceHandler

func NewProtectedResourceHandler(resourceURL, gitlabURL string) http.Handler

NewProtectedResourceHandler returns an http.Handler that serves RFC 9728 Protected Resource Metadata. MCP clients use this endpoint to discover the GitLab authorization server associated with this resource.

The handler is registered at /.well-known/oauth-protected-resource.

func NormalizeAuthHeader

func NormalizeAuthHeader(next http.Handler) http.Handler

NormalizeAuthHeader is HTTP middleware that converts GitLab's PRIVATE-TOKEN header into a standard Authorization: Bearer header. This allows the SDK's RequireBearerToken middleware to handle both OAuth tokens and legacy PRIVATE-TOKEN headers through a unified pipeline.

If the request already has an Authorization header, PRIVATE-TOKEN is ignored.

Types

type TokenCache

type TokenCache struct {
	// contains filtered or unexported fields
}

TokenCache is a thread-safe, TTL-based cache for verified token identities. Keys are SHA-256 hashes of raw tokens to avoid storing sensitive material.

func NewTokenCache

func NewTokenCache() *TokenCache

NewTokenCache creates an empty TokenCache.

func (*TokenCache) Cleanup

func (c *TokenCache) Cleanup()

Cleanup removes all expired entries. Intended for periodic maintenance.

func (*TokenCache) Delete

func (c *TokenCache) Delete(token string)

Delete is an alias for [Evict] for API ergonomics.

func (*TokenCache) Evict

func (c *TokenCache) Evict(token string)

Evict removes the cache entry for the given raw token.

func (*TokenCache) Get

func (c *TokenCache) Get(token string) (*auth.TokenInfo, bool)

Get returns the cached auth.TokenInfo for the given raw token if present and not expired. Expired entries are lazily evicted on read.

func (*TokenCache) Len

func (c *TokenCache) Len() int

Len returns the total number of entries (including potentially expired ones).

func (*TokenCache) Put

func (c *TokenCache) Put(token string, info *auth.TokenInfo, ttl time.Duration)

Put stores an auth.TokenInfo for the given raw token with the specified TTL.
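The cache contract documented above (SHA-256 hashed keys, per-entry TTL, lazy eviction on read), written out as an added example that is not the package's own code. Identity stands in for auth.TokenInfo, the Now field is an injectable clock used only to make expiry deterministic, and the token values are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sync"
	"time"
)

// Identity stands in for auth.TokenInfo (assumed shape, not the SDK's type).
type Identity struct{ UserID, Username string }

type entry struct{ info *Identity; expires time.Time }

// HashedTokenCache reproduces the documented TokenCache contract: keys are
// SHA-256 hashes of the raw token, each entry carries a TTL, and expired
// entries are evicted lazily when they are read.
type HashedTokenCache struct {
	mu      sync.Mutex
	entries map[string]entry
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewHashedTokenCache() *HashedTokenCache {
	return &HashedTokenCache{entries: map[string]entry{}, Now: time.Now}
}

// KeyFor derives the map key; the raw token itself is never stored.
func KeyFor(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

func (c *HashedTokenCache) Put(token string, info *Identity, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[KeyFor(token)] = entry{info: info, expires: c.Now().Add(ttl)}
}

func (c *HashedTokenCache) Get(token string) (*Identity, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := KeyFor(token)
	if e, ok := c.entries[k]; ok && c.Now().Before(e.expires) {
		return e.info, true
	}
	delete(c.entries, k) // missing or expired: make sure nothing lingers
	return nil, false
}
```

Because a verified identity is served from the cache until its TTL elapses, a token revoked on the GitLab side keeps working against this server for up to cacheTTL unless Evict (or Delete) is called for it; choose cacheTTL with that window in mind.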
