stacklok / toolhive / 19029892023
51%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 336
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 47.74% (+0.2%) from 47.58%
19029892023

push

github

web-flow 
Implement core authentication infrastructure for vMCP (#2393)

* Add context helpers for Identity propagation in vmcp auth

Adds several context-related helpers that will be used to propagate
Identity through vMCP.

Related: #2377

* Add OIDC incoming authenticator for vmcp

Implement IncomingAuthenticator interface using existing TokenValidator from
pkg/auth. This adapter validates JWT tokens from clients connecting to the
Virtual MCP Server and extracts identity information.

Related: #2377

* Add a registry of outgoing auth strategies with a stub of AuthenticateRequest()

Implement OutgoingAuthenticator interface with pluggable authentication
strategies for backend MCP server connections.

The actual strategies will be implemented in a follow-up commit.

Fixes: #2377

* Add token redaction to Identity serialization

Implement String() and MarshalJSON() methods on the Identity struct to
prevent accidental token leakage when logging or serializing identities.

* Document Groups field design decision

Add concise documentation explaining why Identity.Groups is intentionally
not populated by OIDCIncomingAuthenticator. This clarifies that group
extraction is an authorization concern handled via the Claims map, as
different OIDC providers use different claim names.

* Document thread-safety guarantees for outgoing auth

Add explicit documentation that RegisterStrategy and AuthenticateRequest
are safe for concurrent use, and that Strategy implementations must be
thread-safe.

* Add metadata validation to AuthenticateRequest

Call strategy.Validate() before strategy.Authenticate() to catch invalid
or malicious metadata early. This prevents type confusion, injection
attacks, and panics from invalid metadata in strategy implementations.

Changes:
- Add Validate() call in AuthenticateRequest()
- Proper error wrapping with strategy name
- Add test verifying validation is enforced
- Update existing tests to expect Validate() calls

* Add Claims-to-Identity conv... (continued)

189 of 278 new or added lines in 11 files covered. (67.99%)

21029 of 44049 relevant lines covered (47.74%)

38.12 hits per line

New Missed Lines in Diff

Lines Coverage File
2
94.12
 pkg/vmcp/auth/auth.go
4
35.67
 1.26% pkg/transport/proxy/transparent/transparent_proxy.go
6
65.18
 -0.86% pkg/vmcp/server/server.go
15
0.0
 0.0% cmd/vmcp/app/commands.go
24
62.5
 pkg/vmcp/auth/incoming_factory.go
38
0.0
 pkg/vmcp/auth/mocks/mock_strategy.go
Jobs
ID Job ID Ran Files Coverage
1 19029892023.1 336
47.74
 GitHub Action Run
Source Files on build 19029892023