WithPATScopes is a middleware that fetches and stores scopes for classic Personal Access Tokens (PATs) in the request context.
(logger *slog.Logger, scopeFetcher scopes.FetcherInterface)
| 11 | |
| 12 | // WithPATScopes is a middleware that fetches and stores scopes for classic Personal Access Tokens (PATs) in the request context. |
| 13 | func WithPATScopes(logger *slog.Logger, scopeFetcher scopes.FetcherInterface) func(http.Handler) http.Handler { |
| 14 | return func(next http.Handler) http.Handler { |
| 15 | fn := func(w http.ResponseWriter, r *http.Request) { |
| 16 | ctx := r.Context() |
| 17 | |
| 18 | tokenInfo, ok := ghcontext.GetTokenInfo(ctx) |
| 19 | if !ok || tokenInfo == nil { |
| 20 | logger.Warn("no token info found in context") |
| 21 | next.ServeHTTP(w, r) |
| 22 | return |
| 23 | } |
| 24 | |
| 25 | // Fetch token scopes for scope-based tool filtering (PAT tokens only) |
| 26 | // Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header. |
| 27 | // Fine-grained PATs and other token types don't support this, so we skip filtering. |
| 28 | if tokenInfo.TokenType == utils.TokenTypePersonalAccessToken { |
| 29 | existingScopes, ok := ghcontext.GetTokenScopes(ctx) |
| 30 | if ok { |
| 31 | logger.Debug("using existing scopes from context", "scopes", existingScopes) |
| 32 | next.ServeHTTP(w, r) |
| 33 | return |
| 34 | } |
| 35 | |
| 36 | scopesList, err := scopeFetcher.FetchTokenScopes(ctx, tokenInfo.Token) |
| 37 | if err != nil { |
| 38 | logger.Warn("failed to fetch PAT scopes", "error", err) |
| 39 | next.ServeHTTP(w, r) |
| 40 | return |
| 41 | } |
| 42 | |
| 43 | // Store fetched scopes in context for downstream use |
| 44 | ctx = ghcontext.WithTokenScopes(ctx, scopesList) |
| 45 | |
| 46 | next.ServeHTTP(w, r.WithContext(ctx)) |
| 47 | return |
| 48 | } |
| 49 | |
| 50 | next.ServeHTTP(w, r) |
| 51 | } |
| 52 | return http.HandlerFunc(fn) |
| 53 | } |
| 54 | } |