auth

package
v0.12.2

This package is not in the latest version of its module.
Published: Mar 17, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package auth provides authentication support for MCP server registries.

Index

Constants

const (
	// PersistentCacheSubdir is the subdirectory under toolhive's XDG cache for registry data.
	PersistentCacheSubdir = "cache"
)

Variables

var ErrRegistryAuthRequired = errors.New("registry authentication required: run 'thv registry login' to authenticate")

ErrRegistryAuthRequired is returned when registry authentication is required but no cached tokens are available in a non-interactive context.

Functions

func ConfigureOAuth added in v0.12.2

func ConfigureOAuth(
	ctx context.Context, issuer, clientID, audience string, scopes []string,
) (func(*config.Config), error)

ConfigureOAuth validates the OIDC issuer, resolves default scopes, and returns a config update function that persists the OAuth settings. This is the shared implementation used by both Login and AuthManager.SetOAuthAuth.

func DefaultOAuthScopes added in v0.12.2

func DefaultOAuthScopes() []string

DefaultOAuthScopes returns the default OAuth scopes for registry authentication: openid is required for OIDC, and offline_access is required to obtain refresh tokens.

func DeriveSecretKey

func DeriveSecretKey(registryURL, issuer string) string

DeriveSecretKey computes the secret key under which a registry's refresh token is stored. The key has the form REGISTRY_OAUTH_<8 hex chars>, where the hex part is the first 4 bytes of sha256(registryURL + "\x00" + issuer), hex-encoded.

func Login added in v0.12.2

func Login(
	ctx context.Context, configProvider config.Provider, secretsProvider secrets.Provider, opts LoginOptions,
) error

Login performs an interactive OAuth login against the configured registry. If opts supplies registry URL or OAuth fields that are not yet configured, Login validates and persists them before proceeding.

func Logout added in v0.12.2

func Logout(ctx context.Context, configProvider config.Provider, secretsProvider secrets.Provider) error

Logout clears cached OAuth credentials for the configured registry.

func RegistryCacheFilePath added in v0.12.2

func RegistryCacheFilePath(registryURL string) (string, error)

RegistryCacheFilePath returns the XDG cache file path for the given registry URL. This creates intermediate directories if needed (suitable for write operations).
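Both DeriveSecretKey and RegistryCacheFilePath turn a registry URL into a fixed-shape identifier rather than using the URL verbatim. The following is an added example, not the package's own code: it implements the documented DeriveSecretKey formula, contrasts it with a separator-less variant to show why the "\x00" delimiter is there (two different URL/issuer pairs can concatenate to the same string), and sketches a cache-path function that hashes the URL so no URL component can steer the path outside the cache directory. The "toolhive" directory name, the `.json` suffix, the explicit cache-root parameter, and the `naiveKey` and `registryCacheFilePath` helpers are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// PersistentCacheSubdir is the constant documented on this page.
const PersistentCacheSubdir = "cache"

// DeriveSecretKey follows the documented formula:
// REGISTRY_OAUTH_<8 hex chars>, hex = sha256(registryURL + "\x00" + issuer)[:4].
func DeriveSecretKey(registryURL, issuer string) string {
	sum := sha256.Sum256([]byte(registryURL + "\x00" + issuer))
	return "REGISTRY_OAUTH_" + hex.EncodeToString(sum[:4])
}

// naiveKey (constructed for this example) omits the NUL separator. Without it,
// "https://reg.example.test/o"+"auth.example.test" and
// "https://reg.example.test/"+"oauth.example.test" hash to the same key, so two
// distinct (registry, issuer) pairs would share one refresh-token slot.
func naiveKey(registryURL, issuer string) string {
	sum := sha256.Sum256([]byte(registryURL + issuer))
	return "REGISTRY_OAUTH_" + hex.EncodeToString(sum[:4])
}

// registryCacheFilePath is an illustrative version of RegistryCacheFilePath.
// Assumptions: the cache root is passed in (the real function resolves the XDG
// cache dir itself), the per-app directory is "toolhive", and files end in ".json".
func registryCacheFilePath(cacheRoot, registryURL string) (string, error) {
	dir := filepath.Join(cacheRoot, "toolhive", PersistentCacheSubdir)
	// Create intermediate directories, owner-only: cached registry data is per-user.
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	// Hash the URL instead of embedding it in the path: a URL containing "/" or
	// ".." must never be able to escape the cache directory.
	sum := sha256.Sum256([]byte(registryURL))
	return filepath.Join(dir, hex.EncodeToString(sum[:])+".json"), nil
}

func main() {
	fmt.Println(DeriveSecretKey("https://registry.example.test", "https://issuer.example.test"))
	root, err := os.UserCacheDir()
	if err != nil {
		fmt.Println("no user cache dir:", err)
		return
	}
	p, err := registryCacheFilePath(root, "https://registry.example.test")
	fmt.Println(p, err)
}
```

The constructed registry and issuer values above are placeholders; the key is stable for a given pair, which is what lets `thv registry logout` find and clear exactly the token that `thv registry login` stored.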

func WrapTransport

func WrapTransport(base http.RoundTripper, source TokenSource) http.RoundTripper

WrapTransport wraps an http.RoundTripper with authentication support. If source is nil, returns the base transport unchanged.

Types

type LoginOptions added in v0.12.2

type LoginOptions struct {
	// RegistryURL is the registry endpoint to save if none is configured.
	RegistryURL string
	// Issuer is the OIDC issuer URL to save if OAuth config is missing.
	Issuer string
	// ClientID is the OAuth client ID to save if OAuth config is missing.
	ClientID string
	// Audience is the OAuth audience (optional).
	Audience string
	// Scopes overrides the default OAuth scopes (defaults to ["openid", "offline_access"]).
	Scopes []string
}

LoginOptions holds optional flag-based overrides for Login. When provided, these values are validated and saved to config before proceeding with the OAuth flow.

type TokenSource

type TokenSource interface {
	// Token returns a valid access token string, or empty string if no auth.
	// Implementations should handle token refresh transparently.
	Token(ctx context.Context) (string, error)
}

TokenSource provides authentication tokens for registry HTTP requests.

func NewTokenSource

func NewTokenSource(
	cfg *config.RegistryOAuthConfig,
	registryURL string,
	secretsProvider secrets.Provider,
	interactive bool,
) (TokenSource, error)

NewTokenSource creates a TokenSource from registry OAuth configuration. Returns nil, nil if oauth config is nil (no auth required). The registryURL is used to derive a unique secret key for token storage. The secrets provider may be nil if secret storage is not available. The interactive flag controls whether browser-based OAuth flows are allowed.

type Transport

type Transport struct {
	Base   http.RoundTripper
	Source TokenSource
}

Transport wraps an http.RoundTripper to add OAuth authentication headers.

func (*Transport) RoundTrip

func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip executes a single HTTP transaction with authentication.
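To show how TokenSource, WrapTransport, Transport.RoundTrip, NewTokenSource's interactive flag and ErrRegistryAuthRequired fit together, here is an added example that is not the package's own code. It reimplements the documented Transport and WrapTransport behaviour against a local httptest server: a nil source returns the base transport unchanged, a cached token is attached, an empty token leaves the request anonymous, and a non-interactive source with no cached token fails with ErrRegistryAuthRequired before any request is sent. Assumptions for this example: the header is `Authorization: Bearer <token>`, and `cachedTokenSource`, `anonymousSource` and `authHeaderSeen` are constructed stand-ins, not part of the package.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// TokenSource is the interface documented on this page.
type TokenSource interface {
	Token(ctx context.Context) (string, error)
}

// ErrRegistryAuthRequired is the sentinel error documented on this page.
var ErrRegistryAuthRequired = errors.New("registry authentication required: run 'thv registry login' to authenticate")

// Transport mirrors the documented struct. The bearer header format is an
// assumption made for this example.
type Transport struct {
	Base   http.RoundTripper
	Source TokenSource
}

// RoundTrip attaches the token to a clone of the request. Cloning matters: the
// http.RoundTripper contract forbids modifying the caller's request, and mutating
// a shared *http.Request could leak one caller's token into another's retry.
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.Source.Token(req.Context())
	if err != nil {
		// Fail closed with an actionable error instead of sending an anonymous
		// request that would come back as a less helpful 401.
		return nil, err
	}
	if tok == "" {
		return t.Base.RoundTrip(req) // no auth configured: pass through untouched
	}
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.Base.RoundTrip(r)
}

// WrapTransport follows the documented rule: a nil source returns base unchanged.
func WrapTransport(base http.RoundTripper, source TokenSource) http.RoundTripper {
	if source == nil {
		return base
	}
	if base == nil {
		base = http.DefaultTransport
	}
	return &Transport{Base: base, Source: source}
}

// cachedTokenSource is a constructed stand-in for what NewTokenSource returns:
// it serves a cached token if present and otherwise refuses in non-interactive mode.
type cachedTokenSource struct {
	cached      string
	interactive bool
}

func (s *cachedTokenSource) Token(context.Context) (string, error) {
	if s.cached != "" {
		return s.cached, nil
	}
	if !s.interactive {
		return "", ErrRegistryAuthRequired
	}
	// A real source would run the browser OAuth flow here; the example returns
	// a constructed placeholder token instead.
	return "constructed-interactive-token", nil
}

// anonymousSource models "no auth": an empty token and no error.
type anonymousSource struct{}

func (anonymousSource) Token(context.Context) (string, error) { return "", nil }

// authHeaderSeen issues one GET through WrapTransport to a local test server and
// reports the Authorization header the server received ("" if none).
func authHeaderSeen(source TokenSource) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	client := &http.Client{Transport: WrapTransport(nil, source)}
	resp, err := client.Get(srv.URL + "/v0/servers")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return seen, nil
}

func main() {
	for _, src := range []*cachedTokenSource{{cached: "cached-token"}, {interactive: true}, {}} {
		hdr, err := authHeaderSeen(src)
		fmt.Printf("cached=%q interactive=%v -> header=%q err=%v\n", src.cached, src.interactive, hdr, err)
	}
}
```

Because the error surfaces from the transport, callers see it wrapped in a `*url.Error` and can test for it with `errors.Is(err, ErrRegistryAuthRequired)` to decide whether to prompt for `thv registry login`.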
