
stacklok / toolhive / 23027222286

12 Mar 2026 10:37PM UTC coverage: 64.424% (+0.07%) from 64.358%

push

github

web-flow
Make the token refresh code reusable for vMCP and testable (#4117)

* Add upstreamtoken package for upstream token lifecycle

Introduce a reusable upstreamtoken.Service interface that encapsulates
the upstream token lifecycle (read, validate expiry, refresh, dedup)
behind a single GetValidTokens call. This is designed for reuse by
vMCP, which needs the same refresh logic without depending on the
middleware layer.

InProcessService composes UpstreamTokenStorage + UpstreamTokenRefresher
with singleflight deduplication to prevent concurrent refresh attempts
from exhausting single-use refresh tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Wire UpstreamTokenService into runner and middleware

Simplify the MiddlewareRunner interface from two storage-level accessors
(GetUpstreamTokenStorage, GetUpstreamTokenRefresher) to a single
service-level accessor (GetUpstreamTokenService). The upstreamswap
middleware now consumes the Service interface directly, removing its
responsibility for composing storage and refresher components.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Simplify runner startup with eager service initialization

Reorder Run() to initialize the embedded auth server before middleware
creation, eliminating the need for lazy accessor with mutex and caching
in GetUpstreamTokenService(). The service is now created eagerly and
stored as a field, making the accessor a simple field read.

Also deduplicate the createMinimalAuthServerConfig test helper, add
UpstreamTokenRefresher to the go:generate directive, and update the
middleware documentation to reflect the new interface method.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fail closed when upstream token service is unavailable

When a request carries a tsid claim (confirming it expects upstream
token injection), passing through with the original JWT would leak
the auth server token to the backend. Return 503 instead of
forwarding the request when t... (continued)

84 of 110 new or added lines in 4 files covered. (76.36%)

4 existing lines in 2 files now uncovered.

48512 of 75301 relevant lines covered (64.42%)

73.75 hits per line

Source File

79.79
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
