
stacklok / toolhive / 21251337866 / 1
60%
main: 60%

Build:
DEFAULT BRANCH: main
Ran 22 Jan 2026 02:09PM UTC
Files 459
Run time 22s

22 Jan 2026 02:02PM UTC coverage: 59.888% (+0.5%) from 59.424%
21251337866.1

push

github

web-flow
Add authorization and callback handlers for authserver (#3370)

* Add authorization and callback handlers for authserver

This patch implements the OAuth 2.0 authorization code flow handlers for the
authserver.

The authorize handler validates incoming requests via fosite,
generates cryptographic secrets for upstream correlation (state, PKCE
verifier, nonce), stores the pending authorization, and redirects clients to
the upstream identity provider.

The callback handler receives the upstream response, exchanges the
authorization code using the stored PKCE verifier, resolves the user identity
through the UserResolver which maps provider subjects to internal users,
stores the upstream tokens with session binding, and issues our own
authorization code back to the client. Both handlers use fosite's RFC 6749
compliant error responses and properly clean up state on failure.

These handlers integrate into the authserver as the core authentication entry
points, sitting between downstream clients and the upstream identity provider.
They rely on the storage layer for persisting pending authorizations, upstream
tokens, users, and provider identities.

The UserResolver provides identity mapping by maintaining a link between
upstream provider subjects and internal user IDs, enabling a single user to
potentially link multiple provider identities. The handlers connect to the
upstream OAuth2Provider interface which abstracts the specific identity
provider implementation, allowing the authserver to work with different OIDC
providers without handler changes.

* Remove unnecessary logging from authorize handler

Remove two logs that don't align with ToolHive logging guidelines:

- Remove INFO log on successful redirect to upstream IDP. Per logging
  guidelines, successful operations should be silent by default.

- Remove WARN log for missing state parameter. Since PKCE is required
  and provides equivalent CSRF protection per OAuth Security BCP
  Section 4.7.1, the stat... (continued)

36833 of 61503 relevant lines covered (59.89%)

79.89 hits per line

Source Files on job 21251337866.1
  • Tree
  • List 459
  • Changed 4
  • Source Changed 1
  • Coverage Changed 4
  • ee3a047f on github