| 11 | ) |
| 12 | |
| 13 | func ExtractUserToken(oauthCfg *oauth.Config) func(next http.Handler) http.Handler { |
| 14 | return func(next http.Handler) http.Handler { |
| 15 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| 16 | ctx := r.Context() |
| 17 | |
| 18 | // Check if token info already exists in context, if it does, skip extraction. |
| 19 | // In remote setup, we may have already extracted token info earlier. |
| 20 | if _, ok := ghcontext.GetTokenInfo(ctx); ok { |
| 21 | // Token info already exists in context, skip extraction |
| 22 | next.ServeHTTP(w, r) |
| 23 | return |
| 24 | } |
| 25 | |
| 26 | tokenType, token, err := utils.ParseAuthorizationHeader(r) |
| 27 | if err != nil { |
| 28 | // For missing Authorization header, return 401 with WWW-Authenticate header per MCP spec |
| 29 | if errors.Is(err, utils.ErrMissingAuthorizationHeader) { |
| 30 | sendAuthChallenge(w, r, oauthCfg) |
| 31 | return |
| 32 | } |
| 33 | // For other auth errors (bad format, unsupported), return 400 |
| 34 | http.Error(w, err.Error(), http.StatusBadRequest) |
| 35 | return |
| 36 | } |
| 37 | |
| 38 | ctx = ghcontext.WithTokenInfo(ctx, &ghcontext.TokenInfo{ |
| 39 | Token: token, |
| 40 | TokenType: tokenType, |
| 41 | }) |
| 42 | r = r.WithContext(ctx) |
| 43 | |
| 44 | next.ServeHTTP(w, r) |
| 45 | }) |
| 46 | } |
| 47 | } |
| 48 | |
| 49 | // sendAuthChallenge sends a 401 Unauthorized response with WWW-Authenticate header |
| 50 | // containing the OAuth protected resource metadata URL as per RFC 6750 and MCP spec. |