pomerium / pomerium / 22148893008
45%

Build:
DEFAULT BRANCH: main
Ran 18 Feb 2026 05:05PM UTC
Jobs 1
Files 671
Run time 1min
18 Feb 2026 04:46PM UTC coverage: 44.336% (+0.03%) from 44.305%
22148893008

push

github

web-flow
mcp: add PendingUpstreamAuth proto and storage methods (#6118)

## Summary

Add the data model and persistence layer for tracking in-flight upstream
OAuth authorization flows.

- Define `PendingUpstreamAuth` protobuf message with fields for PKCE,
discovered endpoints, client credentials, and flow linkage
- Add CRUD methods on `Storage`: `Put`/`Get`/`Delete`
`PendingUpstreamAuth` and `GetPendingUpstreamAuthByState`
- Use a **composite record ID** (`user_id + downstream_host`) so that
the databroker naturally enforces at-most-one pending auth per user+host
— a new `Put` for the same user+host silently overwrites any stale
in-flight state, eliminating the need for explicit bulk-delete cleanup
- Register `state_id` as an **indexed field** so the OAuth callback
handler can look up the pending auth by the `state` parameter it
receives from the authorization server, without needing to know the user
or host at that point in the flow
- Configure automatic record expiry (15 min TTL) via databroker
`Options.Ttl`

## Design decisions

**Composite record ID (`user_id + downstream_host`)**  
The main consumers of pending auth state — `resolveAutoDiscoveryAuth`
(connect) and disconnect cleanup — naturally have the user ID and
downstream host available. Making these the record ID turns what would
be Query operations into direct Gets, and guarantees at most one pending
flow per user+route at the storage layer.

**Indexed `state_id`**  
The OAuth callback endpoint only receives the opaque `state` parameter
from the authorization server redirect. It needs to look up the full
pending auth record to complete the token exchange. Since `state_id` is
not the record ID, we register it as a databroker indexed field to
support efficient Query-based lookup.

## Related issues

- Depends on https://github.com/pomerium/pomerium/pull/6121
- Fixes
[ENG-3589](https://linear.app/pomerium/issue/ENG-3589/mcp-add-pendingupstreamauth-state-storage)

## User Explanation

No user-facing ch... (continued)

64 of 74 new or added lines in 2 files covered. (86.49%)

33 existing lines in 8 files now uncovered.

32616 of 73565 relevant lines covered (44.34%)

116.61 hits per line

New Missed Lines in Diff

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 2 | 70.23 | 0.36% | internal/databroker/server_backend.go |
| 8 | 85.67 | 0.49% | internal/mcp/storage.go |

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 75.41 | 0.0% | pkg/storage/postgres/registry.go |
| 2 | 90.91 | 0.0% | pkg/fanout/receive.go |
| 2 | 85.4 | -0.63% | pkg/grpc/databroker/syncer.go |
| 2 | 95.83 | -2.08% | pkg/identity/manager/schedulers.go |
| 3 | 58.38 | -0.76% | internal/controlplane/server.go |
| 4 | 88.08 | -0.88% | pkg/storage/postgres/postgres.go |
| 9 | 76.78 | -2.37% | pkg/storage/postgres/backend.go |
| 10 | 79.7 | -0.22% | pkg/ssh/manager.go |
Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 22148893008.1 | 18 Feb 2026 05:05PM UTC | 671 | 44.34 |
GitHub Action Run
Source Files on build 22148893008
  • Tree
  • List 671
  • Changed 13
  • Source Changed 2
  • Coverage Changed 13
  • Github Actions Build #22148893008
  • fb6446c2 on github