Documentation
¶
Index ¶
- func AuthMiddleware(requireAuth bool) func(http.Handler) http.Handler
- func MCPAuthGateway(authenticator middleware.Authenticator, resourceMetadataURL string) func(http.Handler) http.Handler
- func OptionalAuth() func(http.Handler) http.Handler
- func RequireAuth() func(http.Handler) http.Handler
- func RequireAuthWithOAuth(authenticator middleware.Authenticator, resourceMetadataURL string) func(http.Handler) http.Handler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthMiddleware ¶
AuthMiddleware extracts authentication tokens from HTTP headers and adds them to the request context. This middleware should be applied to SSE handlers to enable HTTP-level authentication.
func MCPAuthGateway ¶ added in v0.13.2
func MCPAuthGateway(authenticator middleware.Authenticator, resourceMetadataURL string) func(http.Handler) http.Handler
MCPAuthGateway creates HTTP middleware that gates access for MCP endpoints.
When no credentials (Bearer token or API key) are present, it returns HTTP 401 with a WWW-Authenticate header that triggers the OAuth discovery flow in MCP clients (Claude.ai, Claude Desktop).
Per the MCP authorization spec and RFC 9728, the header includes:
WWW-Authenticate: Bearer resource_metadata="<url>"
The resourceMetadataURL should point to the server's /.well-known/oauth-protected-resource endpoint.
When authenticator is non-nil, a present credential is validated at the HTTP layer: an expired/revoked/unknown token is rejected with the same HTTP 401 + WWW-Authenticate, adding RFC 6750's error="invalid_token" (issue #926). This is the conformance surface MCP clients key their re-auth flow off — a client holding an expired token must see a 401, not an in-band protocol error on a 200 response. The gate calls the same authenticator the protocol middleware uses, so a valid API key still passes (it is authenticated here) while an invalid credential is rejected. MCPToolCallMiddleware re-validates as defense in depth and is what builds the PlatformContext identity; this HTTP check does not replace it.
When authenticator is nil the gate is presence-only (the platform is nil in transport-level tests).
func OptionalAuth ¶
OptionalAuth returns middleware that allows anonymous requests.
func RequireAuth ¶
RequireAuth returns middleware that requires authentication.
func RequireAuthWithOAuth ¶ added in v0.13.2
func RequireAuthWithOAuth(authenticator middleware.Authenticator, resourceMetadataURL string) func(http.Handler) http.Handler
RequireAuthWithOAuth returns middleware that requires authentication and includes the WWW-Authenticate header with resource metadata URL in 401 responses, enabling OAuth discovery for MCP clients. It is the SSE counterpart to MCPAuthGateway and shares its validation semantics: when authenticator is non-nil, a present-but-invalid token receives HTTP 401 + WWW-Authenticate with error="invalid_token" (issue #926) rather than passing the HTTP layer to fail in-band. When authenticator is nil the gate is presence-only.
Types ¶
This section is empty.