
stacklok / toolhive / 22766270458

06 Mar 2026 01:50PM UTC coverage: 63.911% (+0.009%) from 63.902%

push

github

web-flow
fix: oauth issues and add tokenResponseMapping for non-standard providers (#4009)

* Fix TOOLHIVE_DEBUG env var not enabling debug logging

The logger was initialized in main.go before viper.BindEnv was called
in commands.go, so TOOLHIVE_DEBUG had no effect on log level. Move the
env var binding before the logger initialization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Propagate upstream user name and email into JWT claims

The embedded auth server resolved user identity (name, email) from the
upstream IDP via the userInfo endpoint but only stored the subject
claim in the JWT. This caused audit logs to show "anonymous" for the
user field despite successful authentication.

Propagate name and email from the upstream Identity through to the
session's JWT claims as standard OIDC claims (name, email per OIDC
Core Section 5.1). The auth middleware's claimsToIdentity function
already reads these claims, so the audit middleware will now display
the actual user name.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix remote URL path not forwarded to backend server

When the remote URL has a path (e.g., https://mcp.asana.com/v2/mcp),
the proxy stripped it and only used the scheme+host as the target.
Client requests to /mcp were forwarded to https://mcp.asana.com/mcp
instead of https://mcp.asana.com/v2/mcp, causing Asana to return
401 invalid_token because the endpoint doesn't exist at /mcp.

Extract the remote URL's path and pass it to the transparent proxy
via WithRemoteBasePath. The proxy's Director rewrites incoming
request paths to the remote server's configured path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add tokenResponseMapping for non-standard OAuth token responses

Some OAuth providers (e.g., GovSlack) nest token fields under
non-standard paths instead of returning them at the top level.
GovSlack returns access_token under authed_user.access_token,
causing the ... (continued)

124 of 195 new or added lines in 14 files covered. (63.59%)

10 existing lines in 4 files now uncovered.

47254 of 73937 relevant lines covered (63.91%)

74.95 hits per line

Source File

80.31
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
