Merge branch 'http-stack-2' into scope-challenge-http

Author: omgitsads

.github/workflows/docker-publish.yml

@@ -60,7 +60,7 @@ jobs:
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

internal/ghmcp/server.go

@@ -133,7 +133,7 @@ func NewStdioMCPServer(ctx context.Context, cfg github.MCPServerConfig) (*mcp.Se
 	inventoryBuilder := github.NewInventory(cfg.Translator).
 		WithDeprecatedAliases(github.DeprecatedToolAliases).
 		WithReadOnly(cfg.ReadOnly).
-		WithToolsets(cfg.EnabledToolsets).
+		WithToolsets(github.ResolvedEnabledToolsets(cfg.DynamicToolsets, cfg.EnabledToolsets, cfg.EnabledTools)).
 		WithTools(github.CleanTools(cfg.EnabledTools)).
 		WithServerInstructions().
 		WithFeatureChecker(featureChecker)

pkg/github/dependencies.go

@@ -320,10 +320,14 @@ func (d *RequestDeps) GetGQLClient(ctx context.Context) (*githubv4.Client, error
 
 	// Construct GraphQL client
 	// We use NewEnterpriseClient unconditionally since we already parsed the API host
+	// Wrap transport with GraphQLFeaturesTransport to inject feature flags from context,
+	// matching the transport chain used by the remote server.
 	gqlHTTPClient := &http.Client{
 		Transport: &transport.BearerAuthTransport{
-			Transport: http.DefaultTransport,
-			Token:     token,
+			Transport: &transport.GraphQLFeaturesTransport{
+				Transport: http.DefaultTransport,
+			},
+			Token: token,
 		},
 	}
 

pkg/github/pullrequests.go

@@ -1519,7 +1519,7 @@ func SubmitPendingPullRequestReview(ctx context.Context, client *githubv4.Client
 		"prNum":  githubv4.Int(params.PullNumber),
 	}
 
-	if err := client.Query(context.Background(), &getLatestReviewForViewerQuery, vars); err != nil {
+	if err := client.Query(ctx, &getLatestReviewForViewerQuery, vars); err != nil {
 		return ghErrors.NewGitHubGraphQLErrorResponse(ctx,
 			"failed to get latest review for current user",
 			err,
@@ -1604,7 +1604,7 @@ func DeletePendingPullRequestReview(ctx context.Context, client *githubv4.Client
 		"prNum":  githubv4.Int(params.PullNumber),
 	}
 
-	if err := client.Query(context.Background(), &getLatestReviewForViewerQuery, vars); err != nil {
+	if err := client.Query(ctx, &getLatestReviewForViewerQuery, vars); err != nil {
 		return ghErrors.NewGitHubGraphQLErrorResponse(ctx,
 			"failed to get latest review for current user",
 			err,
@@ -1778,7 +1778,7 @@ func AddCommentToPendingReview(t translations.TranslationHelperFunc) inventory.S
 				"prNum":  githubv4.Int(params.PullNumber),
 			}
 
-			if err := client.Query(context.Background(), &getLatestReviewForViewerQuery, vars); err != nil {
+			if err := client.Query(ctx, &getLatestReviewForViewerQuery, vars); err != nil {
 				return ghErrors.NewGitHubGraphQLErrorResponse(ctx,
 					"failed to get latest review for current user",
 					err,

pkg/github/server.go

@@ -140,25 +140,23 @@ func registerDynamicTools(server *mcp.Server, inventory *inventory.Inventory, de
 	}
 }
 
-// resolveEnabledToolsets determines which toolsets should be enabled based on config.
+// ResolvedEnabledToolsets determines which toolsets should be enabled based on config.
 // Returns nil for "use defaults", empty slice for "none", or explicit list.
-func resolveEnabledToolsets(cfg *MCPServerConfig) []string {
-	enabledToolsets := cfg.EnabledToolsets
-
+func ResolvedEnabledToolsets(dynamicToolsets bool, enabledToolsets []string, enabledTools []string) []string {
 	// In dynamic mode, remove "all" and "default" since users enable toolsets on demand
-	if cfg.DynamicToolsets && enabledToolsets != nil {
+	if dynamicToolsets && enabledToolsets != nil {
 		enabledToolsets = RemoveToolset(enabledToolsets, string(ToolsetMetadataAll.ID))
 		enabledToolsets = RemoveToolset(enabledToolsets, string(ToolsetMetadataDefault.ID))
 	}
 
 	if enabledToolsets != nil {
 		return enabledToolsets
 	}
-	if cfg.DynamicToolsets {
+	if dynamicToolsets {
 		// Dynamic mode with no toolsets specified: start empty so users enable on demand
 		return []string{}
 	}
-	if len(cfg.EnabledTools) > 0 {
+	if len(enabledTools) > 0 {
 		// When specific tools are requested but no toolsets, don't use default toolsets
 		// This matches the original behavior: --tools=X alone registers only X
 		return []string{}

pkg/github/server_test.go

@@ -214,7 +214,7 @@ func TestResolveEnabledToolsets(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			result := resolveEnabledToolsets(&tc.cfg)
+			result := ResolvedEnabledToolsets(tc.cfg.DynamicToolsets, tc.cfg.EnabledToolsets, tc.cfg.EnabledTools)
 			assert.Equal(t, tc.expectedResult, result)
 		})
 	}

pkg/http/handler.go

@@ -225,12 +225,15 @@ func InventoryFiltersForRequest(r *http.Request, builder *inventory.Builder) *in
 		builder = builder.WithReadOnly(true)
 	}
 
-	if toolsets := ghcontext.GetToolsets(ctx); len(toolsets) > 0 {
-		builder = builder.WithToolsets(toolsets)
+	toolsets := ghcontext.GetToolsets(ctx)
+	tools := ghcontext.GetTools(ctx)
+
+	if len(toolsets) > 0 {
+		builder = builder.WithToolsets(github.ResolvedEnabledToolsets(false, toolsets, tools)) // No dynamic toolsets in HTTP mode
 	}
 
-	if tools := ghcontext.GetTools(ctx); len(tools) > 0 {
-		if len(ghcontext.GetToolsets(ctx)) == 0 {
+	if len(tools) > 0 {
+		if len(toolsets) == 0 {
 			builder = builder.WithToolsets([]string{})
 		}
 		builder = builder.WithTools(github.CleanTools(tools))

pkg/http/middleware/token.go

@@ -10,6 +10,36 @@ import (
 	"github.com/github/github-mcp-server/pkg/utils"
 )
 
+<<<<<<< HEAD
+=======
+type authType int
+
+const (
+	authTypeUnknown authType = iota
+	authTypeIDE
+	authTypeGhToken
+)
+
+var (
+	errMissingAuthorizationHeader     = fmt.Errorf("%w: missing required Authorization header", mark.ErrBadRequest)
+	errBadAuthorizationHeader         = fmt.Errorf("%w: Authorization header is badly formatted", mark.ErrBadRequest)
+	errUnsupportedAuthorizationHeader = fmt.Errorf("%w: unsupported Authorization header", mark.ErrBadRequest)
+)
+
+var supportedGitHubPrefixes = []string{
+	"ghp_",        // Personal access token (classic)
+	"github_pat_", // Fine-grained personal access token
+	"gho_",        // OAuth access token
+	"ghu_",        // User access token for a GitHub App
+	"ghs_",        // Installation access token for a GitHub App (a.k.a. server-to-server token)
+}
+
+// oldPatternRegexp is the regular expression for the old pattern of the token.
+// Until 2021, GitHub API tokens did not have an identifiable prefix. They
+// were 40 characters long and only contained the characters a-f and 0-9.
+var oldPatternRegexp = regexp.MustCompile(`\A[a-f0-9]{40}\z`)
+
+>>>>>>> http-stack-2
 func ExtractUserToken(oauthCfg *oauth.Config) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -45,3 +75,45 @@ func sendAuthChallenge(w http.ResponseWriter, r *http.Request, oauthCfg *oauth.C
 	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata=%q`, resourceMetadataURL))
 	http.Error(w, "Unauthorized", http.StatusUnauthorized)
 }
+<<<<<<< HEAD
+=======
+
+func parseAuthorizationHeader(req *http.Request) (authType authType, token string, _ error) {
+	authHeader := req.Header.Get(httpheaders.AuthorizationHeader)
+	if authHeader == "" {
+		return 0, "", errMissingAuthorizationHeader
+	}
+
+	switch {
+	// decrypt dotcom token and set it as token
+	case strings.HasPrefix(authHeader, "GitHub-Bearer "):
+		return 0, "", errUnsupportedAuthorizationHeader
+	default:
+		// support both "Bearer" and "bearer" to conform to api.github.com
+		if len(authHeader) > 7 && strings.EqualFold(authHeader[:7], "Bearer ") {
+			token = authHeader[7:]
+		} else {
+			token = authHeader
+		}
+	}
+
+	// Do a naïve check for a colon in the token - currently, only the IDE token has a colon in it.
+	// ex: tid=1;exp=25145314523;chat=1:<hmac>
+	if strings.Contains(token, ":") {
+		return authTypeIDE, token, nil
+	}
+
+	for _, prefix := range supportedGitHubPrefixes {
+		if strings.HasPrefix(token, prefix) {
+			return authTypeGhToken, token, nil
+		}
+	}
+
+	matchesOldTokenPattern := oldPatternRegexp.MatchString(token)
+	if matchesOldTokenPattern {
+		return authTypeGhToken, token, nil
+	}
+
+	return 0, "", errBadAuthorizationHeader
+}
+>>>>>>> http-stack-2

pkg/http/transport/graphql_features.go

@@ -17,14 +17,16 @@ import (
 //
 // Usage:
 //
+//	import "github.com/github/github-mcp-server/pkg/http/transport"
+//
 //	httpClient := &http.Client{
-//	    Transport: &github.GraphQLFeaturesTransport{
+//	    Transport: &transport.GraphQLFeaturesTransport{
 //	        Transport: http.DefaultTransport,
 //	    },
 //	}
 //	gqlClient := githubv4.NewClient(httpClient)
 //
-// Then use withGraphQLFeatures(ctx, "feature_name") when calling GraphQL operations.
+// Then use ghcontext.WithGraphQLFeatures(ctx, "feature_name") when calling GraphQL operations.
 type GraphQLFeaturesTransport struct {
 	// Transport is the underlying HTTP transport. If nil, http.DefaultTransport is used.
 	Transport http.RoundTripper

pkg/utils/api.go

@@ -102,7 +102,7 @@ func newGHECHost(hostname string) (APIHost, error) {
 		return APIHost{}, fmt.Errorf("failed to parse GHEC GraphQL URL: %w", err)
 	}
 
-	uploadURL, err := url.Parse(fmt.Sprintf("https://uploads.%s", u.Hostname()))
+	uploadURL, err := url.Parse(fmt.Sprintf("https://uploads.%s/", u.Hostname()))
 	if err != nil {
 		return APIHost{}, fmt.Errorf("failed to parse GHEC Upload URL: %w", err)
 	}