
stacklok / toolhive / 28121606117
67%

Build:
DEFAULT BRANCH: main
Ran 24 Jun 2026 06:50PM UTC
Jobs 1
Files 764
Run time 2min

24 Jun 2026 06:44PM UTC coverage: 67.133% (+0.06%) from 67.07%
28121606117

push

github

web-flow
Fix multi-upstream authorization chain flows (#5590)

* Add PendingAuthorization.SingleLeg flag

A UI-initiated "connect one backend" flow builds a PendingAuthorization
for a single provider, but continueChainOrComplete consults
nextMissingUpstream after the callback and redirects into any other
configured-but-tokenless upstream — hijacking a single-backend connect
into a full chain walk.

Add a SingleLeg flag to PendingAuthorization. When set, the callback
issues the authorization code as soon as the leg completes instead of
continuing the chain. Defaults to false (today's chaining behavior) and
is threaded through the Redis and in-memory storage marshaling.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Laurel Orr <laurel@stacklok.com>

* Carry refresh token forward for synthetic IdPs

maybeCarryForwardRefreshToken preserves a prior refresh token when an
upstream omits one on re-authorization, but gated it on
prior.UpstreamSubject == providerSubject. Synthetic providers (OAuth2
with no identity config) mint a fresh rotating subject every flow, so
that equality never holds and the prior refresh token is dropped —
silently breaking refresh for userinfo-less OAuth2 backends.

Pass result.Synthetic into maybeCarryForwardRefreshToken and skip the
subject-equality guard for synthetic providers, gating only on a
non-empty prior refresh token. There is no stable upstream subject to
link by in that case, so the guard protected nothing; the lookup stays
scoped to the same internal user and provider.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Laurel Orr <laurel@stacklok.com>

* Refresh expired upstream legs during chain walk

nextMissingUpstream decided a chain leg was satisfied by token presence
alone, so a present-but-expired token counted as done and the leg was
skipped. The stale token then surfaced as a runtime auth error later at
MCP-request token-swap time instead of a clean... (continued)

79 of 82 new or added lines in 5 files covered. (96.34%)

20 existing lines in 4 files now uncovered.

69724 of 103859 relevant lines covered (67.13%)

65.6 hits per line

Uncovered Changes

Lines  Coverage  ∆      File
3      85.15     0.25%  pkg/authserver/server/handlers/callback.go

Coverage Regressions

Lines  Coverage  ∆       File
8      66.87     4.4%    pkg/workloads/manager.go
5      64.29     -7.14%  pkg/state/runconfig.go
4      87.79     -2.33%  pkg/transport/proxy/transparent/sse_response_processor.go
3      71.85     -1.11%  pkg/ignore/processor.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   28121606117.1  24 Jun 2026 06:50PM UTC  764    67.13

Source Files on build 28121606117
  • Tree
  • List 764
  • Changed 12
  • Source Changed 6
  • Coverage Changed 11
  • cba435e7 on github