Remove IDE token support, these will never work. Add tests.

Author: omgitsads

pkg/http/middleware/token_test.go

@@ -0,0 +1,320 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/http/oauth"
+	"github.com/github/github-mcp-server/pkg/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExtractUserToken(t *testing.T) {
+	oauthCfg := &oauth.Config{
+		BaseURL:             "https://example.com",
+		AuthorizationServer: "https://github.com/login/oauth",
+	}
+
+	tests := []struct {
+		name               string
+		authHeader         string
+		expectedStatusCode int
+		expectedTokenType  utils.TokenType
+		expectedToken      string
+		expectTokenInfo    bool
+		expectWWWAuth      bool
+	}{
+		// Missing authorization header
+		{
+			name:               "missing Authorization header returns 401 with WWW-Authenticate",
+			authHeader:         "",
+			expectedStatusCode: http.StatusUnauthorized,
+			expectTokenInfo:    false,
+			expectWWWAuth:      true,
+		},
+		// Personal Access Token (classic) - ghp_ prefix
+		{
+			name:               "personal access token (classic) with Bearer prefix",
+			authHeader:         "Bearer ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypePersonalAccessToken,
+			expectedToken:      "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "personal access token (classic) with bearer lowercase",
+			authHeader:         "bearer ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypePersonalAccessToken,
+			expectedToken:      "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "personal access token (classic) without Bearer prefix",
+			authHeader:         "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypePersonalAccessToken,
+			expectedToken:      "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		// Fine-grained Personal Access Token - github_pat_ prefix
+		{
+			name:               "fine-grained personal access token with Bearer prefix",
+			authHeader:         "Bearer github_pat_xxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeFineGrainedPersonalAccessToken,
+			expectedToken:      "github_pat_xxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "fine-grained personal access token without Bearer prefix",
+			authHeader:         "github_pat_xxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeFineGrainedPersonalAccessToken,
+			expectedToken:      "github_pat_xxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		// OAuth Access Token - gho_ prefix
+		{
+			name:               "OAuth access token with Bearer prefix",
+			authHeader:         "Bearer gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeOAuthAccessToken,
+			expectedToken:      "gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "OAuth access token without Bearer prefix",
+			authHeader:         "gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeOAuthAccessToken,
+			expectedToken:      "gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		// User-to-Server GitHub App Token - ghu_ prefix
+		{
+			name:               "user-to-server GitHub App token with Bearer prefix",
+			authHeader:         "Bearer ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeUserToServerGitHubAppToken,
+			expectedToken:      "ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "user-to-server GitHub App token without Bearer prefix",
+			authHeader:         "ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeUserToServerGitHubAppToken,
+			expectedToken:      "ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		// Server-to-Server GitHub App Token (installation token) - ghs_ prefix
+		{
+			name:               "server-to-server GitHub App token with Bearer prefix",
+			authHeader:         "Bearer ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeServerToServerGitHubAppToken,
+			expectedToken:      "ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "server-to-server GitHub App token without Bearer prefix",
+			authHeader:         "ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypeServerToServerGitHubAppToken,
+			expectedToken:      "ghs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+			expectTokenInfo:    true,
+		},
+		// Old-style Personal Access Token (40 hex characters, pre-2021)
+		{
+			name:               "old-style personal access token (40 hex chars) with Bearer prefix",
+			authHeader:         "Bearer 0123456789abcdef0123456789abcdef01234567",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypePersonalAccessToken,
+			expectedToken:      "0123456789abcdef0123456789abcdef01234567",
+			expectTokenInfo:    true,
+		},
+		{
+			name:               "old-style personal access token (40 hex chars) without Bearer prefix",
+			authHeader:         "0123456789abcdef0123456789abcdef01234567",
+			expectedStatusCode: http.StatusOK,
+			expectedTokenType:  utils.TokenTypePersonalAccessToken,
+			expectedToken:      "0123456789abcdef0123456789abcdef01234567",
+			expectTokenInfo:    true,
+		},
+		// Error cases
+		{
+			name:               "unsupported GitHub-Bearer header returns 400",
+			authHeader:         "GitHub-Bearer some_encrypted_token",
+			expectedStatusCode: http.StatusBadRequest,
+			expectTokenInfo:    false,
+		},
+		{
+			name:               "invalid token format returns 400",
+			authHeader:         "Bearer invalid_token_format",
+			expectedStatusCode: http.StatusBadRequest,
+			expectTokenInfo:    false,
+		},
+		{
+			name:               "unrecognized prefix returns 400",
+			authHeader:         "Bearer xyz_notavalidprefix",
+			expectedStatusCode: http.StatusBadRequest,
+			expectTokenInfo:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var capturedTokenInfo *ghcontext.TokenInfo
+			var tokenInfoCaptured bool
+
+			nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				capturedTokenInfo, tokenInfoCaptured = ghcontext.GetTokenInfo(r.Context())
+				w.WriteHeader(http.StatusOK)
+			})
+
+			middleware := ExtractUserToken(oauthCfg)
+			handler := middleware(nextHandler)
+
+			req := httptest.NewRequest(http.MethodGet, "/test", nil)
+			if tt.authHeader != "" {
+				req.Header.Set("Authorization", tt.authHeader)
+			}
+			rr := httptest.NewRecorder()
+
+			handler.ServeHTTP(rr, req)
+
+			assert.Equal(t, tt.expectedStatusCode, rr.Code)
+
+			if tt.expectWWWAuth {
+				wwwAuth := rr.Header().Get("WWW-Authenticate")
+				assert.NotEmpty(t, wwwAuth, "expected WWW-Authenticate header")
+				assert.Contains(t, wwwAuth, "Bearer resource_metadata=")
+			}
+
+			if tt.expectTokenInfo {
+				require.True(t, tokenInfoCaptured, "expected TokenInfo to be present in context")
+				require.NotNil(t, capturedTokenInfo)
+				assert.Equal(t, tt.expectedTokenType, capturedTokenInfo.TokenType)
+				assert.Equal(t, tt.expectedToken, capturedTokenInfo.Token)
+			} else {
+				assert.False(t, tokenInfoCaptured, "expected no TokenInfo in context")
+			}
+		})
+	}
+}
+
+func TestExtractUserToken_NilOAuthConfig(t *testing.T) {
+	var capturedTokenInfo *ghcontext.TokenInfo
+	var tokenInfoCaptured bool
+
+	nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedTokenInfo, tokenInfoCaptured = ghcontext.GetTokenInfo(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	middleware := ExtractUserToken(nil)
+	handler := middleware(nextHandler)
+
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.Header.Set("Authorization", "Bearer ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+	require.True(t, tokenInfoCaptured)
+	require.NotNil(t, capturedTokenInfo)
+	assert.Equal(t, utils.TokenTypePersonalAccessToken, capturedTokenInfo.TokenType)
+}
+
+func TestExtractUserToken_MissingAuthHeader_WWWAuthenticateFormat(t *testing.T) {
+	oauthCfg := &oauth.Config{
+		BaseURL:             "https://api.example.com",
+		AuthorizationServer: "https://github.com/login/oauth",
+		ResourcePath:        "/mcp",
+	}
+
+	nextHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	middleware := ExtractUserToken(oauthCfg)
+	handler := middleware(nextHandler)
+
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	// No Authorization header
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+	wwwAuth := rr.Header().Get("WWW-Authenticate")
+	assert.NotEmpty(t, wwwAuth)
+	assert.Contains(t, wwwAuth, "Bearer")
+	assert.Contains(t, wwwAuth, "resource_metadata=")
+	assert.Contains(t, wwwAuth, "/.well-known/oauth-protected-resource")
+}
+
+func TestSendAuthChallenge(t *testing.T) {
+	tests := []struct {
+		name             string
+		oauthCfg         *oauth.Config
+		requestPath      string
+		expectedContains []string
+	}{
+		{
+			name: "with base URL configured",
+			oauthCfg: &oauth.Config{
+				BaseURL: "https://mcp.example.com",
+			},
+			requestPath: "/api/test",
+			expectedContains: []string{
+				"Bearer",
+				"resource_metadata=",
+				"https://mcp.example.com/.well-known/oauth-protected-resource",
+			},
+		},
+		{
+			name:        "with nil config uses request host",
+			oauthCfg:    nil,
+			requestPath: "/api/test",
+			expectedContains: []string{
+				"Bearer",
+				"resource_metadata=",
+				"/.well-known/oauth-protected-resource",
+			},
+		},
+		{
+			name: "with resource path configured",
+			oauthCfg: &oauth.Config{
+				BaseURL:      "https://mcp.example.com",
+				ResourcePath: "/mcp",
+			},
+			requestPath: "/api/test",
+			expectedContains: []string{
+				"Bearer",
+				"resource_metadata=",
+				"/mcp",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			req := httptest.NewRequest(http.MethodGet, tt.requestPath, nil)
+
+			sendAuthChallenge(rr, req, tt.oauthCfg)
+
+			assert.Equal(t, http.StatusUnauthorized, rr.Code)
+			wwwAuth := rr.Header().Get("WWW-Authenticate")
+			for _, expected := range tt.expectedContains {
+				assert.Contains(t, wwwAuth, expected)
+			}
+		})
+	}
+}

pkg/utils/token.go

@@ -19,7 +19,6 @@ const (
 	TokenTypeOAuthAccessToken
 	TokenTypeUserToServerGitHubAppToken
 	TokenTypeServerToServerGitHubAppToken
-	TokenTypeIDEToken
 )
 
 var supportedGitHubPrefixes = map[string]TokenType{
@@ -61,12 +60,6 @@ func ParseAuthorizationHeader(req *http.Request) (tokenType TokenType, token str
 		}
 	}
 
-	// Do a naïve check for a colon in the token - currently, only the IDE token has a colon in it.
-	// ex: tid=1;exp=25145314523;chat=1:<hmac>
-	if strings.Contains(token, ":") {
-		return TokenTypeIDEToken, token, nil
-	}
-
 	for prefix, tokenType := range supportedGitHubPrefixes {
 		if strings.HasPrefix(token, prefix) {
 			return tokenType, token, nil