Add scopes challenge middleware to HTTP handler and initialize global tool scope map

omgitsads · omgitsads · commit 4b690f5702b6 · 2026-01-29T17:01:01.000+01:00
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -135,7 +135,6 @@ func init() {
 	rootCmd.PersistentFlags().Bool("lockdown-mode", false, "Enable lockdown mode")
 	rootCmd.PersistentFlags().Bool("insiders", false, "Enable insiders features")
 	rootCmd.PersistentFlags().Duration("repo-access-cache-ttl", 5*time.Minute, "Override the repo access cache TTL (e.g. 1m, 0s to disable)")
-	rootCmd.PersistentFlags().Int("port", 8082, "HTTP server port")
 
 	// Add port flag to http command
 	httpCmd.PersistentFlags().Int("port", 8082, "HTTP server port")
diff --git a/pkg/http/handler.go b/pkg/http/handler.go
@@ -90,11 +90,19 @@ func NewHTTPMcpHandler(
 	}
 }
 
+func (h *Handler) RegisterMiddleware(r chi.Router) {
+	r.Use(
+		middleware.ExtractUserToken(h.oauthCfg),
+		middleware.WithRequestConfig,
+		middleware.WithScopeChallenge(h.oauthCfg),
+	)
+
+	r.Use(middleware.WithScopeChallenge(h.oauthCfg))
+}
+
 // RegisterRoutes registers the routes for the MCP server
 // URL-based values take precedence over header-based values
 func (h *Handler) RegisterRoutes(r chi.Router) {
-	r.Use(middleware.WithRequestConfig)
-
 	r.Mount("/", h)
 	// Mount readonly and toolset routes
 	r.With(withToolset).Mount("/x/{toolset}", h)
@@ -144,7 +152,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		Stateless: true,
 	})
 
-	middleware.ExtractUserToken(h.oauthCfg)(mcpHandler).ServeHTTP(w, r)
+	mcpHandler.ServeHTTP(w, r)
 }
 
 func DefaultGitHubMCPServerFactory(r *http.Request, deps github.ToolDependencies, inventory *inventory.Inventory, cfg *github.MCPServerConfig) (*mcp.Server, error) {
diff --git a/pkg/http/middleware/scope_challenge.go b/pkg/http/middleware/scope_challenge.go
@@ -12,14 +12,15 @@ import (
 
 	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
+	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/utils"
 )
 
 // FetchScopesFromGitHubAPI fetches the OAuth scopes from the GitHub API by making
 // a HEAD request and reading the X-OAuth-Scopes header. This is used as a fallback
 // when scopes are not provided in the token info header.
-func FetchScopesFromGitHubAPI(ctx context.Context, token string, apiUrls *utils.APIHost) ([]string, error) {
-	baseUrl, err := apiUrls.BaseRESTURL(ctx)
+func FetchScopesFromGitHubAPI(ctx context.Context, token string, apiHost utils.APIHostResolver) ([]string, error) {
+	baseUrl, err := apiHost.BaseRESTURL(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -56,7 +57,7 @@ func FetchScopesFromGitHubAPI(ctx context.Context, token string, apiUrls *utils.
 
 // WithScopeChallenge creates a new middleware that determines if an OAuth request contains sufficient scopes to
 // complete the request and returns a scope challenge if not.
-func WithScopeChallenge(oauthCfg *oauth.Config, apiUrls *utils.APIHost) func(http.Handler) http.Handler {
+func WithScopeChallenge(oauthCfg *oauth.Config) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
@@ -135,7 +136,7 @@ func WithScopeChallenge(oauthCfg *oauth.Config, apiUrls *utils.APIHost) func(htt
 			}
 
 			// Get OAuth scopes from GitHub API
-			activeScopes, err := FetchScopesFromGitHubAPI(ctx, tokenInfo.Token, apiUrls)
+			activeScopes, err := FetchScopesFromGitHubAPI(ctx, tokenInfo.Token, oauthCfg.ApiHosts)
 
 			// Check if user has the required scopes
 			if toolScopeInfo.HasAcceptedScope(activeScopes...) {
diff --git a/pkg/http/oauth/oauth.go b/pkg/http/oauth/oauth.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/github/github-mcp-server/pkg/http/headers"
+	"github.com/github/github-mcp-server/pkg/utils"
 	"github.com/go-chi/chi/v5"
 	"github.com/modelcontextprotocol/go-sdk/auth"
 	"github.com/modelcontextprotocol/go-sdk/oauthex"
@@ -40,6 +41,8 @@ var SupportedScopes = []string{
 
 // Config holds the OAuth configuration for the MCP server.
 type Config struct {
+	ApiHosts utils.APIHostResolver
+
 	// BaseURL is the publicly accessible URL where this server is hosted.
 	// This is used to construct the OAuth resource URL.
 	BaseURL string
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -13,7 +13,9 @@ import (
 
 	"github.com/github/github-mcp-server/pkg/github"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
+	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/lockdown"
+	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
 	"github.com/go-chi/chi/v5"
@@ -98,21 +100,39 @@ func RunHTTPServer(cfg ServerConfig) error {
 		nil,
 	)
 
-	r := chi.NewRouter()
+	// Initialize the global tool scope map
+	err = initGlobalToolScopeMap(t)
+	if err != nil {
+		return fmt.Errorf("failed to initialize tool scope map: %w", err)
+	}
 
 	// Register OAuth protected resource metadata endpoints
 	oauthCfg := &oauth.Config{
-		BaseURL: cfg.BaseURL,
+		BaseURL:  cfg.BaseURL,
+		ApiHosts: apiHost,
 	}
+
+	r := chi.NewRouter()
+	handler := NewHTTPMcpHandler(ctx, &cfg, deps, t, logger, WithOAuthConfig(oauthCfg))
 	oauthHandler, err := oauth.NewAuthHandler(oauthCfg)
 	if err != nil {
 		return fmt.Errorf("failed to create OAuth handler: %w", err)
 	}
-	oauthHandler.RegisterRoutes(r)
-	logger.Info("OAuth protected resource endpoints registered", "baseURL", cfg.BaseURL)
 
-	handler := NewHTTPMcpHandler(ctx, &cfg, deps, t, logger, WithOAuthConfig(oauthCfg))
-	handler.RegisterRoutes(r)
+	r.Group(func(r chi.Router) {
+		// Register Middleware First, needs to be before route registration
+		handler.RegisterMiddleware(r)
+
+		// Register MCP server routes
+		handler.RegisterRoutes(r)
+		logger.Info("MCP server routes registered")
+	})
+
+	r.Group(func(r chi.Router) {
+		// Register OAuth protected resource metadata endpoints
+		oauthHandler.RegisterRoutes(r)
+		logger.Info("OAuth protected resource endpoints registered", "baseURL", cfg.BaseURL)
+	})
 
 	addr := fmt.Sprintf(":%d", cfg.Port)
 	httpSvr := http.Server{
@@ -144,3 +164,19 @@ func RunHTTPServer(cfg ServerConfig) error {
 	logger.Info("server stopped gracefully")
 	return nil
 }
+
+func initGlobalToolScopeMap(t translations.TranslationHelperFunc) error {
+	// Build inventory with all tools to extract scope information
+	inv, err := inventory.NewBuilder().
+		SetTools(github.AllTools(t)).
+		Build()
+
+	if err != nil {
+		return fmt.Errorf("failed to build inventory for tool scope map: %w", err)
+	}
+
+	// Initialize the global scope map
+	scopes.SetToolScopeMapFromInventory(inv)
+
+	return nil
+}
diff --git a/pkg/scopes/map.go b/pkg/scopes/map.go
@@ -0,0 +1,129 @@
+package scopes
+
+import "github.com/github/github-mcp-server/pkg/inventory"
+
+// ToolScopeMap maps tool names to their scope requirements.
+type ToolScopeMap map[string]*ToolScopeInfo
+
+// ToolScopeInfo contains scope information for a single tool.
+type ToolScopeInfo struct {
+	// RequiredScopes contains the scopes that are directly required by this tool.
+	RequiredScopes []string
+
+	// AcceptedScopes contains all scopes that satisfy the requirements (including parent scopes).
+	AcceptedScopes []string
+}
+
+// globalToolScopeMap is populated from inventory when SetToolScopeMapFromInventory is called
+var globalToolScopeMap ToolScopeMap
+
+// SetToolScopeMapFromInventory builds and stores a tool scope map from an inventory.
+// This should be called after building the inventory to make scopes available for middleware.
+func SetToolScopeMapFromInventory(inv *inventory.Inventory) {
+	globalToolScopeMap = GetToolScopeMapFromInventory(inv)
+}
+
+// SetGlobalToolScopeMap sets the global tool scope map directly.
+// This is useful for testing when you don't have a full inventory.
+func SetGlobalToolScopeMap(m ToolScopeMap) {
+	globalToolScopeMap = m
+}
+
+// GetToolScopeMap returns the global tool scope map.
+// Returns an empty map if SetToolScopeMapFromInventory hasn't been called yet.
+func GetToolScopeMap() (ToolScopeMap, error) {
+	if globalToolScopeMap == nil {
+		return make(ToolScopeMap), nil
+	}
+	return globalToolScopeMap, nil
+}
+
+// GetToolScopeInfo returns scope information for a specific tool from the global scope map.
+func GetToolScopeInfo(toolName string) (*ToolScopeInfo, error) {
+	m, err := GetToolScopeMap()
+	if err != nil {
+		return nil, err
+	}
+	return m[toolName], nil
+}
+
+// GetToolScopeMapFromInventory builds a tool scope map from an inventory.
+// This extracts scope information from ServerTool.RequiredScopes and ServerTool.AcceptedScopes.
+func GetToolScopeMapFromInventory(inv *inventory.Inventory) ToolScopeMap {
+	result := make(ToolScopeMap)
+
+	// Get all tools from the inventory (both enabled and disabled)
+	// We need all tools for scope checking purposes
+	allTools := inv.AllTools()
+	for i := range allTools {
+		tool := &allTools[i]
+		if len(tool.RequiredScopes) > 0 || len(tool.AcceptedScopes) > 0 {
+			result[tool.Tool.Name] = &ToolScopeInfo{
+				RequiredScopes: tool.RequiredScopes,
+				AcceptedScopes: tool.AcceptedScopes,
+			}
+		}
+	}
+
+	return result
+}
+
+// HasAcceptedScope checks if any of the provided user scopes satisfy the tool's requirements.
+func (t *ToolScopeInfo) HasAcceptedScope(userScopes ...string) bool {
+	if t == nil || len(t.AcceptedScopes) == 0 {
+		return true // No scopes required
+	}
+
+	userScopeSet := make(map[string]bool)
+	for _, scope := range userScopes {
+		userScopeSet[scope] = true
+	}
+
+	for _, scope := range t.AcceptedScopes {
+		if userScopeSet[scope] {
+			return true
+		}
+	}
+	return false
+}
+
+// MissingScopes returns the required scopes that are not present in the user's scopes.
+func (t *ToolScopeInfo) MissingScopes(userScopes ...string) []string {
+	if t == nil || len(t.RequiredScopes) == 0 {
+		return nil
+	}
+
+	// Create a set of user scopes for O(1) lookup
+	userScopeSet := make(map[string]bool, len(userScopes))
+	for _, s := range userScopes {
+		userScopeSet[s] = true
+	}
+
+	// Check if any accepted scope is present
+	hasAccepted := false
+	for _, scope := range t.AcceptedScopes {
+		if userScopeSet[scope] {
+			hasAccepted = true
+			break
+		}
+	}
+
+	if hasAccepted {
+		return nil // User has sufficient scopes
+	}
+
+	// Return required scopes as the minimum needed
+	missing := make([]string, len(t.RequiredScopes))
+	copy(missing, t.RequiredScopes)
+	return missing
+}
+
+// GetRequiredScopesSlice returns the required scopes as a slice of strings.
+func (t *ToolScopeInfo) GetRequiredScopesSlice() []string {
+	if t == nil {
+		return nil
+	}
+	scopes := make([]string, len(t.RequiredScopes))
+	copy(scopes, t.RequiredScopes)
+	return scopes
+}
