feat(mcpkit): HTTP-level auth, ServeHTTPWithShutdown, drop unused SSE#3
Merged
Conversation
ServeHTTP and ServeSSE were unauthenticated by default, and mcp-go's server package has no built-in bearer/OAuth enforcement (only generic WithHTTPContextFunc/WithSSEContextFunc hooks that inject context but can't reject a request themselves). RequireBearerToken wires a context func (validates the Authorization header) together with a tool-handler middleware (checks the resulting context marker before invoking any tool), registered lazily via the mcp-go Use() method only inside ServeHTTP/ ServeSSE — so ServeStdio, a locally-spawned trusted child process, is never affected regardless of whether a token is configured. Covers tool calls only; mcp-go's resource/prompt middleware are construction-time-only options with no post-construction equivalent, documented as a deliberate scope limitation rather than a silent gap.
ServeHTTPWithShutdown runs the streamable HTTP listener in a background goroutine and returns the server handle so callers can shut it down gracefully (fixed an earlier version that blocked on Start and never returned). WithHTTPToken gates the whole HTTP surface (bearer or X-API-Key) at the transport boundary, capping the request body at MaxMCPRequestBodySize. ServeStdio is unaffected by either mode. Added tests for the shutdown path and the HTTP-token accept/reject cases.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Why
The kit documented scope is stdio + streamable HTTP. SSE was unexercised surface and lagged the HTTP transport on auth + body limiting, so removing it shrinks the API and closes the parity gap.
Verification