MCPcopy
hub / github.com/github/github-mcp-server / ExtractUserToken

Function ExtractUserToken

pkg/http/middleware/token.go:13–47  ·  view source on GitHub ↗
(oauthCfg *oauth.Config)

Source from the content-addressed store, hash-verified

11)
12
13func ExtractUserToken(oauthCfg *oauth.Config) func(next http.Handler) http.Handler {
14 return func(next http.Handler) http.Handler {
15 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
16 ctx := r.Context()
17
18 // Check if token info already exists in context, if it does, skip extraction.
19 // In remote setup, we may have already extracted token info earlier.
20 if _, ok := ghcontext.GetTokenInfo(ctx); ok {
21 // Token info already exists in context, skip extraction
22 next.ServeHTTP(w, r)
23 return
24 }
25
26 tokenType, token, err := utils.ParseAuthorizationHeader(r)
27 if err != nil {
28 // For missing Authorization header, return 401 with WWW-Authenticate header per MCP spec
29 if errors.Is(err, utils.ErrMissingAuthorizationHeader) {
30 sendAuthChallenge(w, r, oauthCfg)
31 return
32 }
33 // For other auth errors (bad format, unsupported), return 400
34 http.Error(w, err.Error(), http.StatusBadRequest)
35 return
36 }
37
38 ctx = ghcontext.WithTokenInfo(ctx, &ghcontext.TokenInfo{
39 Token: token,
40 TokenType: tokenType,
41 })
42 r = r.WithContext(ctx)
43
44 next.ServeHTTP(w, r)
45 })
46 }
47}
48
49// sendAuthChallenge sends a 401 Unauthorized response with WWW-Authenticate header
50// containing the OAuth protected resource metadata URL as per RFC 6750 and MCP spec.

Calls 5

ParseAuthorizationHeaderFunction · 0.92
sendAuthChallengeFunction · 0.85
ServeHTTPMethod · 0.80
IsMethod · 0.45
ErrorMethod · 0.45