Skip to content

feat(mcpkit): HTTP-level auth, ServeHTTPWithShutdown, drop unused SSE#3

Merged
Patel230 merged 4 commits into
mainfrom
feat/mcpkit-auth-and-cleanup
Jul 15, 2026
Merged

feat(mcpkit): HTTP-level auth, ServeHTTPWithShutdown, drop unused SSE#3
Patel230 merged 4 commits into
mainfrom
feat/mcpkit-auth-and-cleanup

Conversation

@Patel230

Copy link
Copy Markdown
Contributor

Summary

  • Add WithHTTPToken HTTP-level auth gate (bearer or X-API-Key) at the transport boundary
  • Add ServeHTTPWithShutdown for graceful HTTP teardown
  • Add RequireBearerToken to gate tool calls on HTTP/SSE
  • Drop the unused ServeSSE transport and its helper/test - no consumer used it, and it lacked the body-cap + X-API-Key parity the HTTP path has
  • Add MaxMCPRequestBodySize shared cap for MCP-over-HTTP

Why

The kit documented scope is stdio + streamable HTTP. SSE was unexercised surface and lagged the HTTP transport on auth + body limiting, so removing it shrinks the API and closes the parity gap.

Verification

  • go build ./..., go vet ./..., go test ./... pass
  • All three consumers (sight, inspect, yaad) build + test green against the changes

Patel230 added 4 commits July 15, 2026 09:12
ServeHTTP and ServeSSE were unauthenticated by default, and mcp-go's server
package has no built-in bearer/OAuth enforcement (only generic
WithHTTPContextFunc/WithSSEContextFunc hooks that inject context but can't
reject a request themselves). RequireBearerToken wires a context func
(validates the Authorization header) together with a tool-handler
middleware (checks the resulting context marker before invoking any tool),
registered lazily via the mcp-go Use() method only inside ServeHTTP/
ServeSSE — so ServeStdio, a locally-spawned trusted child process, is never
affected regardless of whether a token is configured. Covers tool calls
only; mcp-go's resource/prompt middleware are construction-time-only
options with no post-construction equivalent, documented as a deliberate
scope limitation rather than a silent gap.
ServeHTTPWithShutdown runs the streamable HTTP listener in a background
goroutine and returns the server handle so callers can shut it down
gracefully (fixed an earlier version that blocked on Start and never
returned).

WithHTTPToken gates the whole HTTP surface (bearer or X-API-Key) at the
transport boundary, capping the request body at MaxMCPRequestBodySize.
ServeStdio is unaffected by either mode.

Added tests for the shutdown path and the HTTP-token accept/reject cases.
@Patel230
Patel230 merged commit 23cf61e into main Jul 15, 2026
12 checks passed
@Patel230
Patel230 deleted the feat/mcpkit-auth-and-cleanup branch July 15, 2026 18:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant