Move PAT Scope fetching into a middleware.

Author: omgitsads

pkg/context/token.go

@@ -23,13 +23,6 @@ func WithTokenInfo(ctx context.Context, tokenInfo *TokenInfo) context.Context {
 	return context.WithValue(ctx, tokenCtxKey, tokenInfo)
 }
 
-func SetTokenScopes(ctx context.Context, scopes []string) {
-	if tokenInfo, ok := GetTokenInfo(ctx); ok {
-		tokenInfo.Scopes = scopes
-		tokenInfo.ScopesFetched = true
-	}
-}
-
 // GetTokenInfo retrieves the authentication token from the context
 func GetTokenInfo(ctx context.Context) (*TokenInfo, bool) {
 	if tokenInfo, ok := ctx.Value(tokenCtxKey).(*TokenInfo); ok {

pkg/http/handler.go

@@ -120,6 +120,7 @@ func (h *Handler) RegisterMiddleware(r chi.Router) {
 		middleware.ExtractUserToken(h.oauthCfg),
 		middleware.WithRequestConfig,
 		middleware.WithMCPParse(),
+		middleware.WithPATScopes(h.logger, h.scopeFetcher),
 	)
 
 	if h.config.ScopeChallenge {
@@ -266,19 +267,20 @@ func PATScopeFilter(b *inventory.Builder, r *http.Request, fetcher scopes.Fetche
 		return b
 	}
 
-	// Fetch token scopes for scope-based tool filtering (PAT tokens only)
+	// Scopes should have already been fetched by the WithPATScopes middleware.
 	// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
 	// Fine-grained PATs and other token types don't support this, so we skip filtering.
 	if tokenInfo.TokenType == utils.TokenTypePersonalAccessToken {
-		scopesList, err := fetcher.FetchTokenScopes(ctx, tokenInfo.Token)
-		if err != nil {
-			return b
+		if tokenInfo.ScopesFetched {
+			return b.WithFilter(github.CreateToolScopeFilter(tokenInfo.Scopes))
+		} else {
+			scopesList, err := fetcher.FetchTokenScopes(ctx, tokenInfo.Token)
+			if err != nil {
+				return b
+			}
+
+			return b.WithFilter(github.CreateToolScopeFilter(scopesList))
 		}
-
-		// Store fetched scopes in context for downstream use
-		ghcontext.SetTokenScopes(ctx, scopesList)
-
-		return b.WithFilter(github.CreateToolScopeFilter(scopesList))
 	}
 
 	return b

pkg/http/middleware/pat_scope.go

@@ -0,0 +1,48 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/scopes"
+	"github.com/github/github-mcp-server/pkg/utils"
+)
+
+// WithScopeChallenge creates a new middleware that determines if an OAuth request contains sufficient scopes to
+// complete the request and returns a scope challenge if not.
+func WithPATScopes(logger *slog.Logger, scopeFetcher scopes.FetcherInterface) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			tokenInfo, ok := ghcontext.GetTokenInfo(ctx)
+			if !ok || tokenInfo == nil {
+				logger.Warn("no token info found in context")
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Fetch token scopes for scope-based tool filtering (PAT tokens only)
+			// Only classic PATs (ghp_ prefix) return OAuth scopes via X-OAuth-Scopes header.
+			// Fine-grained PATs and other token types don't support this, so we skip filtering.
+			if tokenInfo.TokenType == utils.TokenTypePersonalAccessToken {
+				scopesList, err := scopeFetcher.FetchTokenScopes(ctx, tokenInfo.Token)
+				if err != nil {
+					logger.Warn("failed to fetch PAT scopes", "error", err)
+					next.ServeHTTP(w, r)
+					return
+				}
+
+				tokenInfo.Scopes = scopesList
+				tokenInfo.ScopesFetched = true
+
+				// Store fetched scopes in context for downstream use
+				ctx := ghcontext.WithTokenInfo(ctx, tokenInfo)
+
+				next.ServeHTTP(w, r.WithContext(ctx))
+			}
+		}
+		return http.HandlerFunc(fn)
+	}
+}

pkg/http/middleware/pat_scope_test.go

@@ -0,0 +1,187 @@
+package middleware
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+	"github.com/github/github-mcp-server/pkg/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// mockScopeFetcher is a mock implementation of scopes.FetcherInterface
+type mockScopeFetcher struct {
+	scopes []string
+	err    error
+}
+
+func (m *mockScopeFetcher) FetchTokenScopes(_ context.Context, _ string) ([]string, error) {
+	return m.scopes, m.err
+}
+
+func TestWithPATScopes(t *testing.T) {
+	logger := slog.Default()
+
+	tests := []struct {
+		name                   string
+		tokenInfo              *ghcontext.TokenInfo
+		fetcherScopes          []string
+		fetcherErr             error
+		expectScopesFetched    bool
+		expectedScopes         []string
+		expectNextHandlerCalled bool
+	}{
+		{
+			name:                    "no token info in context calls next handler",
+			tokenInfo:               nil,
+			expectScopesFetched:     false,
+			expectedScopes:          nil,
+			expectNextHandlerCalled: true,
+		},
+		{
+			name: "non-PAT token type skips scope fetching",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				TokenType: utils.TokenTypeOAuthAccessToken,
+			},
+			expectScopesFetched:     false,
+			expectedScopes:          nil,
+			expectNextHandlerCalled: false, // middleware doesn't call next for non-PAT tokens
+		},
+		{
+			name: "fine-grained PAT skips scope fetching",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "github_pat_xxxxxxxxxxxxxxxxxxxxxxx",
+				TokenType: utils.TokenTypeFineGrainedPersonalAccessToken,
+			},
+			expectScopesFetched:     false,
+			expectedScopes:          nil,
+			expectNextHandlerCalled: false,
+		},
+		{
+			name: "classic PAT fetches and stores scopes",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				TokenType: utils.TokenTypePersonalAccessToken,
+			},
+			fetcherScopes:           []string{"repo", "user", "read:org"},
+			expectScopesFetched:     true,
+			expectedScopes:          []string{"repo", "user", "read:org"},
+			expectNextHandlerCalled: true,
+		},
+		{
+			name: "classic PAT with empty scopes",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				TokenType: utils.TokenTypePersonalAccessToken,
+			},
+			fetcherScopes:           []string{},
+			expectScopesFetched:     true,
+			expectedScopes:          []string{},
+			expectNextHandlerCalled: true,
+		},
+		{
+			name: "fetcher error calls next handler without scopes",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				TokenType: utils.TokenTypePersonalAccessToken,
+			},
+			fetcherErr:              errors.New("network error"),
+			expectScopesFetched:     false,
+			expectedScopes:          nil,
+			expectNextHandlerCalled: true,
+		},
+		{
+			name: "old-style PAT (40 hex chars) fetches scopes",
+			tokenInfo: &ghcontext.TokenInfo{
+				Token:     "0123456789abcdef0123456789abcdef01234567",
+				TokenType: utils.TokenTypePersonalAccessToken,
+			},
+			fetcherScopes:           []string{"repo"},
+			expectScopesFetched:     true,
+			expectedScopes:          []string{"repo"},
+			expectNextHandlerCalled: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var capturedTokenInfo *ghcontext.TokenInfo
+			var nextHandlerCalled bool
+
+			nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				nextHandlerCalled = true
+				capturedTokenInfo, _ = ghcontext.GetTokenInfo(r.Context())
+				w.WriteHeader(http.StatusOK)
+			})
+
+			fetcher := &mockScopeFetcher{
+				scopes: tt.fetcherScopes,
+				err:    tt.fetcherErr,
+			}
+
+			middleware := WithPATScopes(logger, fetcher)
+			handler := middleware(nextHandler)
+
+			req := httptest.NewRequest(http.MethodGet, "/test", nil)
+
+			// Set up context with token info if provided
+			if tt.tokenInfo != nil {
+				ctx := ghcontext.WithTokenInfo(req.Context(), tt.tokenInfo)
+				req = req.WithContext(ctx)
+			}
+
+			rr := httptest.NewRecorder()
+			handler.ServeHTTP(rr, req)
+
+			assert.Equal(t, tt.expectNextHandlerCalled, nextHandlerCalled, "next handler called mismatch")
+
+			if tt.expectNextHandlerCalled && tt.tokenInfo != nil {
+				require.NotNil(t, capturedTokenInfo, "expected token info in context")
+				assert.Equal(t, tt.expectScopesFetched, capturedTokenInfo.ScopesFetched)
+				assert.Equal(t, tt.expectedScopes, capturedTokenInfo.Scopes)
+			}
+		})
+	}
+}
+
+func TestWithPATScopes_PreservesExistingTokenInfo(t *testing.T) {
+	logger := slog.Default()
+
+	var capturedTokenInfo *ghcontext.TokenInfo
+
+	nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedTokenInfo, _ = ghcontext.GetTokenInfo(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	fetcher := &mockScopeFetcher{
+		scopes: []string{"repo", "user"},
+	}
+
+	originalTokenInfo := &ghcontext.TokenInfo{
+		Token:     "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+		TokenType: utils.TokenTypePersonalAccessToken,
+	}
+
+	middleware := WithPATScopes(logger, fetcher)
+	handler := middleware(nextHandler)
+
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	ctx := ghcontext.WithTokenInfo(req.Context(), originalTokenInfo)
+	req = req.WithContext(ctx)
+
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	require.NotNil(t, capturedTokenInfo)
+	assert.Equal(t, originalTokenInfo.Token, capturedTokenInfo.Token)
+	assert.Equal(t, originalTokenInfo.TokenType, capturedTokenInfo.TokenType)
+	assert.True(t, capturedTokenInfo.ScopesFetched)
+	assert.Equal(t, []string{"repo", "user"}, capturedTokenInfo.Scopes)
+}

pkg/http/middleware/scope_challenge.go

@@ -102,7 +102,10 @@ func WithScopeChallenge(oauthCfg *oauth.Config, scopeFetcher scopes.FetcherInter
 			}
 
 			// Store active scopes in context for downstream use
-			ghcontext.SetTokenScopes(ctx, activeScopes)
+			tokenInfo.Scopes = activeScopes
+			tokenInfo.ScopesFetched = true
+			ctx = ghcontext.WithTokenInfo(ctx, tokenInfo)
+			r = r.WithContext(ctx)
 
 			// Check if user has the required scopes
 			if toolScopeInfo.HasAcceptedScope(activeScopes...) {