stacklok / toolhive / 28260022048
67%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 760
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 67.343% (-0.06%) from 67.398%
28260022048

push

github

web-flow 
Return 401+WWW-Authenticate when vMCP upstream token is unrefreshable (#5651)

* Return 401+WWW-Authenticate when vMCP upstream token is unrefreshable

When a backend's outgoing auth strategy (upstream_inject, token_exchange,
aws_sts, obo) required an upstream IDP token that could not be refreshed,
the failure reached the MCP client as a generic backend error rather than
an HTTP 401 with a WWW-Authenticate re-auth challenge (issue #5507).

Two-part fix:

1. Add ErrUpstreamTokenNotFound to wrapBackendError: an explicit errors.Is
   branch now maps the sentinel to vmcp.ErrAuthenticationFailed, replacing
   the fragile "authentication failed" substring match that only worked
   incidentally because the authRoundTripper included that phrase in its
   error message.  A small isAuthorizationRequired helper was extracted at
   the same time to keep wrapBackendError within the cyclomatic complexity
   limit.

2. Add upstreamTokenCheckMiddleware to the vMCP server: this middleware
   runs immediately after AuthMiddleware (once the identity and its
   UpstreamTokens map are populated) and before the mcp-go SDK handler
   (while HTTP 401 can still be written).  It scans the backend registry
   for all configured outgoing-auth strategies that depend on an upstream
   provider token and, if any provider's token is absent from the identity,
   returns HTTP 401 + WWW-Authenticate Bearer challenge identical to the
   single-server upstreamswap middleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix misleading comment on upstream token check middleware position

Rewrite the comment in execution-order terms to avoid confusion between
wrapping order and execution order (#5507 review feedback).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address review comments on upstream token check middleware

Addresses stacklok/toolhive#5651 review comments:
- LOW upstream_token_check.go (3477948741): use missing provider name in slog call
- LO... (continued)

44 of 45 new or added lines in 4 files covered. (97.78%)

82 existing lines in 6 files now uncovered.

69606 of 103361 relevant lines covered (67.34%)

65.51 hits per line

Uncovered Changes

Lines Coverage File
1
86.35
 0.25% pkg/auth/token.go

Coverage Regressions

Lines Coverage File
64
61.52
 -5.52% pkg/workloads/manager.go
6
20.11
 -3.45% pkg/client/manager.go
5
0.0
 -100.0% pkg/workloads/sysproc_unix.go
3
73.79
 -2.91% pkg/state/local.go
2
96.03
 0.0% pkg/authserver/storage/memory.go
2
94.77
 -1.31% pkg/vmcp/composer/dag_executor.go
Jobs
ID Job ID Ran Files Coverage
1 28260022048.1 760
67.34
 GitHub Action Run
Source Files on build 28260022048