WIP

Author: omgitsads

cmd/github-mcp-server/main.go

@@ -88,6 +88,20 @@ var (
 			return ghmcp.RunStdioServer(stdioServerConfig)
 		},
 	}
+
+	httpCmd = &cobra.Command{
+		Use:   "http",
+		Short: "Start HTTP server",
+		Long:  `Start a server that communicates via HTTP using JSON-RPC messages.`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			config := ghmcp.HTTPServerConfig{
+				Version: version,
+				Host:    viper.GetString("host"),
+			}
+
+			return ghmcp.RunHTTPServer(config)
+		},
+	}
 )
 
 func init() {
@@ -126,6 +140,7 @@ func init() {
 
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
+	rootCmd.AddCommand(httpCmd)
 }
 
 func initConfig() {

internal/ghmcp/http.go

@@ -8,12 +8,13 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"strings"
 	"syscall"
 	"time"
 
 	"github.com/github/github-mcp-server/pkg/github"
+	httpMiddleware "github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
 )
 
 type HTTPServerConfig struct {
@@ -23,9 +24,6 @@ type HTTPServerConfig struct {
 	// GitHub Host to target for API requests (e.g. github.com or github.enterprise.com)
 	Host string
 
-	// GitHub Token to authenticate with the GitHub API
-	Token string
-
 	// EnabledToolsets is a list of toolsets to enable
 	// See: https://github.com/github/github-mcp-server?tab=readme-ov-file#tool-configuration
 	EnabledToolsets []string
@@ -90,26 +88,9 @@ func RunHTTPServer(cfg HTTPServerConfig) error {
 	logger := slog.New(slogHandler)
 	logger.Info("starting server", "version", cfg.Version, "host", cfg.Host, "dynamicToolsets", cfg.DynamicToolsets, "readOnly", cfg.ReadOnly, "lockdownEnabled", cfg.LockdownMode)
 
-	// Fetch token scopes for scope-based tool filtering (PAT tokens only)
-	// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
-	// Fine-grained PATs and other token types don't support this, so we skip filtering.
-	var tokenScopes []string
-	if strings.HasPrefix(cfg.Token, "ghp_") {
-		fetchedScopes, err := github.FetchTokenScopesForHost(ctx, cfg.Token, cfg.Host)
-		if err != nil {
-			logger.Warn("failed to fetch token scopes, continuing without scope filtering", "error", err)
-		} else {
-			tokenScopes = fetchedScopes
-			logger.Info("token scopes fetched for filtering", "scopes", tokenScopes)
-		}
-	} else {
-		logger.Debug("skipping scope filtering for non-PAT token")
-	}
-
 	ghServer, err := github.NewMCPServer(github.MCPServerConfig{
 		Version:           cfg.Version,
 		Host:              cfg.Host,
-		Token:             cfg.Token,
 		EnabledToolsets:   cfg.EnabledToolsets,
 		EnabledTools:      cfg.EnabledTools,
 		EnabledFeatures:   cfg.EnabledFeatures,
@@ -120,10 +101,40 @@ func RunHTTPServer(cfg HTTPServerConfig) error {
 		LockdownMode:      cfg.LockdownMode,
 		Logger:            logger,
 		RepoAccessTTL:     cfg.RepoAccessCacheTTL,
-		TokenScopes:       tokenScopes,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to create MCP server: %w", err)
 	}
 
+	handler := mcp.NewStreamableHTTPHandler(func(r *http.Request) *mcp.Server {
+		return ghServer
+	}, &mcp.StreamableHTTPOptions{})
+
+	httpSvr := http.Server{
+		Addr:    ":8082",
+		Handler: httpMiddleware.ExtractUserToken()(handler),
+	}
+
+	go func() {
+		<-ctx.Done()
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		logger.Info("shutting down server")
+		if err := httpSvr.Shutdown(shutdownCtx); err != nil {
+			logger.Error("error during server shutdown", "error", err)
+		}
+	}()
+
+	if cfg.ExportTranslations {
+		// Once server is initialized, all translations are loaded
+		dumpTranslations()
+	}
+
+	logger.Info("HTTP server listening on :8082")
+	if err := httpSvr.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		return fmt.Errorf("HTTP server error: %w", err)
+	}
+
+	logger.Info("server stopped gracefully")
+	return nil
 }

pkg/github/dependencies.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 
+	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/lockdown"
 	"github.com/github/github-mcp-server/pkg/raw"
@@ -190,3 +191,44 @@ func NewToolFromHandler(
 	st.AcceptedScopes = scopes.ExpandScopes(requiredScopes...)
 	return st
 }
+
+type RequestDep struct {
+	// Pre-created clients
+	Client    *gogithub.Client
+	GQLClient *githubv4.Client
+	RawClient *raw.Client
+
+	// Static dependencies
+	RepoAccessCache   *lockdown.RepoAccessCache
+	T                 translations.TranslationHelperFunc
+	Flags             FeatureFlags
+	ContentWindowSize int
+}
+
+// GetClient implements ToolDependencies.
+func (d RequestDep) GetClient(ctx context.Context) (*gogithub.Client, error) {
+	token := middleware.Token(ctx)
+	return d.Client.WithAuthToken(token.Token), nil
+}
+
+// GetGQLClient implements ToolDependencies.
+func (d RequestDep) GetGQLClient(_ context.Context) (*githubv4.Client, error) {
+	return d.GQLClient, nil
+}
+
+// GetRawClient implements ToolDependencies.
+func (d RequestDep) GetRawClient(_ context.Context) (*raw.Client, error) {
+	return d.RawClient, nil
+}
+
+// GetRepoAccessCache implements ToolDependencies.
+func (d RequestDep) GetRepoAccessCache() *lockdown.RepoAccessCache { return d.RepoAccessCache }
+
+// GetT implements ToolDependencies.
+func (d RequestDep) GetT() translations.TranslationHelperFunc { return d.T }
+
+// GetFlags implements ToolDependencies.
+func (d RequestDep) GetFlags() FeatureFlags { return d.Flags }
+
+// GetContentWindowSize implements ToolDependencies.
+func (d RequestDep) GetContentWindowSize() int { return d.ContentWindowSize }

pkg/github/server.go

@@ -124,9 +124,9 @@ func createGitHubClients(cfg MCPServerConfig, apiHost apiHost) (*githubClients,
 	}, nil
 }
 
-// ResolveEnabledToolsets determines which toolsets should be enabled based on config.
+// resolveEnabledToolsets determines which toolsets should be enabled based on config.
 // Returns nil for "use defaults", empty slice for "none", or explicit list.
-func ResolveEnabledToolsets(cfg MCPServerConfig) []string {
+func resolveEnabledToolsets(cfg MCPServerConfig) []string {
 	enabledToolsets := cfg.EnabledToolsets
 
 	// In dynamic mode, remove "all" and "default" since users enable toolsets on demand
@@ -162,7 +162,7 @@ func NewMCPServer(cfg MCPServerConfig) (*mcp.Server, error) {
 		return nil, fmt.Errorf("failed to create GitHub clients: %w", err)
 	}
 
-	enabledToolsets := ResolveEnabledToolsets(cfg)
+	enabledToolsets := resolveEnabledToolsets(cfg)
 
 	// For instruction generation, we need actual toolset names (not nil).
 	// nil means "use defaults" in inventory, so expand it for instructions.

pkg/http/headers/headers.go

@@ -0,0 +1,26 @@
+package headers
+
+const (
+	// AuthorizationHeader is a standard HTTP Header.
+	AuthorizationHeader = "Authorization"
+	// ContentTypeHeader is a standard HTTP Header.
+	ContentTypeHeader = "Content-Type"
+	// AcceptHeader is a standard HTTP Header.
+	AcceptHeader = "Accept"
+	// UserAgentHeader is a standard HTTP Header.
+	UserAgentHeader = "User-Agent"
+
+	// ContentTypeJSON is the standard MIME type for JSON.
+	ContentTypeJSON = "application/json"
+	// ContentTypeEventStream is the standard MIME type for Event Streams.
+	ContentTypeEventStream = "text/event-stream"
+
+	// ForwardedForHeader is a standard HTTP Header used to forward the originating IP address of a client.
+	ForwardedForHeader = "X-Forwarded-For"
+
+	// RealIPHeader is a standard HTTP Header used to indicate the real IP address of the client.
+	RealIPHeader = "X-Real-IP"
+
+	// RequestHmacHeader is used to authenticate requests to the Raw API.
+	RequestHmacHeader = "Request-Hmac"
+)

pkg/http/middleware/token.go

@@ -0,0 +1,127 @@
+package middleware
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"regexp"
+	"strings"
+
+	httpheaders "github.com/github/github-mcp-server/pkg/http/headers"
+)
+
+type authType int
+
+const (
+	authTypeUnknown authType = iota
+	authTypeIDE
+	authTypeGhToken
+)
+
+var (
+	errMissingAuthorizationHeader     = errors.New("missing Authorization header")
+	errBadAuthorizationHeader         = errors.New("bad Authorization header format")
+	errUnsupportedAuthorizationHeader = errors.New("unsupported Authorization header format")
+)
+
+var supportedThirdPartyTokenPrefixes = []string{
+	"ghp_",        // Personal access token (classic)
+	"github_pat_", // Fine-grained personal access token
+	"gho_",        // OAuth access token
+	"ghu_",        // User access token for a GitHub App
+	"ghs_",        // Installation access token for a GitHub App (a.k.a. server-to-server token)
+}
+
+// oldPatternRegexp is the regular expression for the old pattern of the token.
+// Until 2021, GitHub API tokens did not have an identifiable prefix. They
+// were 40 characters long and only contained the characters a-f and 0-9.
+var oldPatternRegexp = regexp.MustCompile(`\A[a-f0-9]{40}\z`)
+
+type tokenCtxKey string
+
+var tokenContextKey tokenCtxKey = "tokenctx"
+
+type TokenData struct {
+	Token string
+}
+
+// AddToken adds the given token data to the context.
+func AddToken(ctx context.Context, data *TokenData) context.Context {
+	return context.WithValue(ctx, tokenContextKey, data)
+}
+
+// ReqData returns the request data from the context. It will panic if there is
+// no data in the context (which should never happen in production).
+func Token(ctx context.Context) *TokenData {
+	d, ok := ctx.Value(tokenContextKey).(*TokenData)
+	if !ok || d == nil {
+		// This should never happen in production, so making it a panic saves us a lot of unnecessary error handling.
+		panic(errors.New("context does not contain request context token data"))
+	}
+	return d
+}
+
+// ExtractUserToken is a middleware that extracts the user token from the request
+// and adds it to the request context. It also validates the token format.
+func ExtractUserToken() func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, token, err := parseAuthorizationHeader(r)
+			if err != nil {
+				// For missing Authorization header, return 401 with WWW-Authenticate header per MCP spec
+				if errors.Is(err, errMissingAuthorizationHeader) {
+					// sendAuthChallenge(w, r, cfg, obsv)
+					return
+				}
+				// For other auth errors (bad format, unsupported), return 400
+				http.Error(w, err.Error(), http.StatusBadRequest)
+				return
+			}
+
+			// Add token info to context
+			ctx := r.Context()
+			ctx = AddToken(ctx, &TokenData{Token: token})
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func parseAuthorizationHeader(req *http.Request) (authType authType, token string, _ error) {
+	authHeader := req.Header.Get(httpheaders.AuthorizationHeader)
+	if authHeader == "" {
+		return 0, "", errMissingAuthorizationHeader
+	}
+
+	switch {
+	// decrypt dotcom token and set it as token
+	case strings.HasPrefix(authHeader, "GitHub-Bearer "):
+		return 0, "", errUnsupportedAuthorizationHeader
+	default:
+		// support both "Bearer" and "bearer" to conform to api.github.com
+		if len(authHeader) > 7 && strings.EqualFold(authHeader[:7], "Bearer ") {
+			token = authHeader[7:]
+		} else {
+			token = authHeader
+		}
+	}
+
+	// Do a naïve check for a colon in the token - currently, only the IDE token has a colon in it.
+	// ex: tid=1;exp=25145314523;chat=1:<hmac>
+	if strings.Contains(token, ":") {
+		return authTypeIDE, token, nil
+	}
+
+	for _, prefix := range supportedThirdPartyTokenPrefixes {
+		if strings.HasPrefix(token, prefix) {
+			return authTypeGhToken, token, nil
+		}
+	}
+
+	matchesOldTokenPattern := oldPatternRegexp.MatchString(token)
+	if matchesOldTokenPattern {
+		return authTypeGhToken, token, nil
+	}
+
+	return authTypeUnknown, "", errBadAuthorizationHeader
+}