Documentation
¶
Overview ¶
Package auth provides authentication support for MCP server registries.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrRegistryAuthRequired = errors.New("registry authentication required: run 'thv registry login' to authenticate")
ErrRegistryAuthRequired is returned when registry authentication is required but no cached tokens are available in a non-interactive context.
Functions ¶
func DeriveSecretKey ¶
DeriveSecretKey computes the secret key for storing a registry's refresh token. The key follows the formula: REGISTRY_OAUTH_<8 hex chars> where the hex is derived from sha256(registryURL + "\x00" + issuer)[:4].
func WrapTransport ¶
func WrapTransport(base http.RoundTripper, source TokenSource) http.RoundTripper
WrapTransport wraps an http.RoundTripper with authentication support. If source is nil, returns the base transport unchanged.
Types ¶
type TokenSource ¶
type TokenSource interface {
// Token returns a valid access token string, or empty string if no auth.
// Implementations should handle token refresh transparently.
Token(ctx context.Context) (string, error)
}
TokenSource provides authentication tokens for registry HTTP requests.
func NewTokenSource ¶
func NewTokenSource( cfg *config.RegistryOAuthConfig, registryURL string, secretsProvider secrets.Provider, interactive bool, ) (TokenSource, error)
NewTokenSource creates a TokenSource from registry OAuth configuration. Returns nil, nil if oauth config is nil (no auth required). The registryURL is used to derive a unique secret key for token storage. The secrets provider may be nil if secret storage is not available. The interactive flag controls whether browser-based OAuth flows are allowed.
type Transport ¶
type Transport struct {
Base http.RoundTripper
Source TokenSource
}
Transport wraps an http.RoundTripper to add OAuth authentication headers.
Source Files