stacklok / toolhive / 21265055373
60%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 460
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 59.78% (-0.05%) from 59.829%
21265055373

push

github

web-flow 
feat(auth): persist OAuth tokens across workload restarts (#3382)

* feat(auth): persist OAuth tokens across workload restarts

This change enables remote MCP servers (like Datadog and Glean) to
restore their OAuth sessions after workload restarts without requiring
a new browser-based login.

Changes:
- Add CachedAccessToken, CachedRefreshToken, CachedTokenExpiry fields
  to remote.Config for token persistence
- Create PersistingTokenSource wrapper to save tokens when refreshed
- Modify Handler.Authenticate to restore from cached tokens when available
- Add token persister callback in runner to save tokens to config state

Fixes #3331

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* chore: retry CI

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor(auth): store OAuth tokens in secret manager

Address reviewer feedback:
- Store refresh tokens securely in secret manager instead of plain text config
- Remove access token caching (can be regenerated from refresh token)
- Add TokenTypeOAuthRefreshToken for proper secret categorization
- Gracefully handle missing secret manager (tokens won't persist but OAuth works)

Security improvement: tokens are now stored in OS keyring/encrypted storage,
config only contains the secret reference (e.g., OAUTH_REFRESH_TOKEN_workload)

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor(auth): dedupe discovery calls in Authenticate

Address reviewer nit #3: DetectAuthenticationFromServer and discoverIssuerAndScopes
were called in both tryRestoreFromCachedTokens and authenticateWithOAuth.

Now these are called once in Authenticate and the results are passed to both
tryRestoreFromCachedTokens and performOAuthFlow, avoiding redundant network calls.

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor: only persist when refresh token changes

Avoids unnecessary writes since refresh tokens are long-lived
and usually don't change on every access-token refresh.... (continued)

63 of 223 new or added lines in 5 files covered. (28.25%)

16 existing lines in 6 files now uncovered.

36873 of 61681 relevant lines covered (59.78%)

78.95 hits per line

New Missed Lines in Diff

Lines Coverage File
5
77.25
 -0.46% pkg/auth/discovery/discovery.go
33
39.81
 -2.64% pkg/runner/runner.go
122
43.8
 -23.49% pkg/auth/remote/handler.go

Uncovered Existing Lines

Lines Coverage File
1
77.25
 -0.46% pkg/auth/discovery/discovery.go
1
43.8
 -23.49% pkg/auth/remote/handler.go
2
80.81
 -0.54% pkg/transport/proxy/httpsse/http_proxy.go
2
57.89
 -3.51% pkg/transport/session/sse_session.go
4
53.6
 -0.4% pkg/workloads/manager.go
6
75.47
 -5.66% pkg/secrets/keyring/keyctl_linux.go
Jobs
ID Job ID Ran Files Coverage
1 21265055373.1 460
59.78
 GitHub Action Run
Source Files on build 21265055373