stacklok / toolhive / 22766270458
64%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 538
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 63.911% (+0.009%) from 63.902%
22766270458

push

github

web-flow 
fix: oauth issues and add tokenResponseMapping for non-standard providers (#4009)

* Fix TOOLHIVE_DEBUG env var not enabling debug logging

The logger was initialized in main.go before viper.BindEnv was called
in commands.go, so TOOLHIVE_DEBUG had no effect on log level. Move the
env var binding before the logger initialization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Propagate upstream user name and email into JWT claims

The embedded auth server resolved user identity (name, email) from the
upstream IDP via the userInfo endpoint but only stored the subject
claim in the JWT. This caused audit logs to show "anonymous" for the
user field despite successful authentication.

Propagate name and email from the upstream Identity through to the
session's JWT claims as standard OIDC claims (name, email per OIDC
Core Section 5.1). The auth middleware's claimsToIdentity function
already reads these claims, so the audit middleware will now display
the actual user name.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix remote URL path not forwarded to backend server

When the remote URL has a path (e.g., https://mcp.asana.com/v2/mcp),
the proxy stripped it and only used the scheme+host as the target.
Client requests to /mcp were forwarded to https://mcp.asana.com/mcp
instead of https://mcp.asana.com/v2/mcp, causing Asana to return
401 invalid_token because the endpoint doesn't exist at /mcp.

Extract the remote URL's path and pass it to the transparent proxy
via WithRemoteBasePath. The proxy's Director rewrites incoming
request paths to the remote server's configured path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add tokenResponseMapping for non-standard OAuth token responses

Some OAuth providers (e.g., GovSlack) nest token fields under
non-standard paths instead of returning them at the top level.
GovSlack returns access_token under authed_user.access_token,
causing the ... (continued)

124 of 195 new or added lines in 14 files covered. (63.59%)

10 existing lines in 4 files now uncovered.

47254 of 73937 relevant lines covered (63.91%)

74.95 hits per line

New Missed Lines in Diff

Lines Coverage File
4
86.43
 -0.84% pkg/authserver/upstream/oidc.go
6
0.0
 0.0% cmd/thv-proxyrunner/main.go
6
0.0
 0.0% cmd/thv/main.go
6
91.55
 pkg/authserver/upstream/token_exchange.go
7
89.87
 -1.96% pkg/authserver/runner/embeddedauthserver.go
8
91.88
 -2.16% cmd/thv-operator/pkg/controllerutil/authserver.go
15
35.16
 -0.26% cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go
19
19.93
 -1.03% pkg/transport/http.go

Uncovered Existing Lines

Lines Coverage File
2
82.83
 -0.26% pkg/vmcp/composer/workflow_engine.go
2
71.43
 -1.68% pkg/vmcp/k8s/manager.go
3
80.31
 -0.79% pkg/transport/proxy/httpsse/http_proxy.go
3
45.17
 -0.67% pkg/transport/stdio.go
Jobs
ID Job ID Ran Files Coverage
1 22766270458.1 538
63.91
 GitHub Action Run
Source Files on build 22766270458