buildAuthHeaders constructs HTTP headers for authenticating with the MCP server based on the configured auth type.
( ctx context.Context, logger slog.Logger, cfg database.MCPServerConfig, tokensByConfigID map[uuid.UUID]database.MCPServerUserToken, userID uuid.UUID, oidcSrc UserOIDCTokenSource, )
| 320 | // buildAuthHeaders constructs HTTP headers for authenticating |
| 321 | // with the MCP server based on the configured auth type. |
| 322 | func buildAuthHeaders( |
| 323 | ctx context.Context, |
| 324 | logger slog.Logger, |
| 325 | cfg database.MCPServerConfig, |
| 326 | tokensByConfigID map[uuid.UUID]database.MCPServerUserToken, |
| 327 | userID uuid.UUID, |
| 328 | oidcSrc UserOIDCTokenSource, |
| 329 | ) map[string]string { |
| 330 | // Using map[string]string rather than http.Header because |
| 331 | // the mcp-go transport options accept map[string]string. |
| 332 | // MCP servers typically don't require multi-valued headers. |
| 333 | headers := make(map[string]string) |
| 334 | |
| 335 | switch cfg.AuthType { |
| 336 | case "oauth2": |
| 337 | tok, ok := tokensByConfigID[cfg.ID] |
| 338 | if !ok { |
| 339 | logger.Warn(ctx, |
| 340 | "no oauth2 token found for MCP server", |
| 341 | slog.F("server_slug", cfg.Slug), |
| 342 | ) |
| 343 | break |
| 344 | } |
| 345 | if tok.Expiry.Valid && tok.Expiry.Time.Before(time.Now()) { |
| 346 | logger.Warn(ctx, |
| 347 | "oauth2 token for MCP server is expired", |
| 348 | slog.F("server_slug", cfg.Slug), |
| 349 | slog.F("expired_at", tok.Expiry.Time), |
| 350 | ) |
| 351 | } |
| 352 | if tok.AccessToken == "" { |
| 353 | logger.Warn(ctx, |
| 354 | "oauth2 token record has empty access token", |
| 355 | slog.F("server_slug", cfg.Slug), |
| 356 | ) |
| 357 | break |
| 358 | } |
| 359 | tokenType := tok.TokenType |
| 360 | if tokenType == "" { |
| 361 | tokenType = "Bearer" |
| 362 | } |
| 363 | // RFC 6750 says the scheme is case-insensitive, but |
| 364 | // some servers (e.g. Linear) reject lowercase |
| 365 | // "bearer". Normalize to the canonical form. |
| 366 | if strings.EqualFold(tokenType, "bearer") { |
| 367 | tokenType = "Bearer" |
| 368 | } |
| 369 | headers["Authorization"] = tokenType + " " + tok.AccessToken |
| 370 | case "api_key": |
| 371 | if cfg.APIKeyHeader != "" && cfg.APIKeyValue != "" { |
| 372 | headers[cfg.APIKeyHeader] = cfg.APIKeyValue |
| 373 | } |
| 374 | case "custom_headers": |
| 375 | if cfg.CustomHeaders != "" { |
| 376 | var custom map[string]string |
| 377 | if err := json.Unmarshal( |
| 378 | []byte(cfg.CustomHeaders), &custom, |
| 379 | ); err != nil { |
no test coverage detected