MCPcopy Index your code
hub / github.com/coder/coder / buildAuthHeaders

Function buildAuthHeaders

coderd/x/chatd/mcpclient/mcpclient.go:322–430  ·  view source on GitHub ↗

buildAuthHeaders constructs HTTP headers for authenticating with the MCP server based on the configured auth type.

(
	ctx context.Context,
	logger slog.Logger,
	cfg database.MCPServerConfig,
	tokensByConfigID map[uuid.UUID]database.MCPServerUserToken,
	userID uuid.UUID,
	oidcSrc UserOIDCTokenSource,
)

Source from the content-addressed store, hash-verified

320// buildAuthHeaders constructs HTTP headers for authenticating
321// with the MCP server based on the configured auth type.
322func buildAuthHeaders(
323 ctx context.Context,
324 logger slog.Logger,
325 cfg database.MCPServerConfig,
326 tokensByConfigID map[uuid.UUID]database.MCPServerUserToken,
327 userID uuid.UUID,
328 oidcSrc UserOIDCTokenSource,
329) map[string]string {
330 // Using map[string]string rather than http.Header because
331 // the mcp-go transport options accept map[string]string.
332 // MCP servers typically don't require multi-valued headers.
333 headers := make(map[string]string)
334
335 switch cfg.AuthType {
336 case "oauth2":
337 tok, ok := tokensByConfigID[cfg.ID]
338 if !ok {
339 logger.Warn(ctx,
340 "no oauth2 token found for MCP server",
341 slog.F("server_slug", cfg.Slug),
342 )
343 break
344 }
345 if tok.Expiry.Valid && tok.Expiry.Time.Before(time.Now()) {
346 logger.Warn(ctx,
347 "oauth2 token for MCP server is expired",
348 slog.F("server_slug", cfg.Slug),
349 slog.F("expired_at", tok.Expiry.Time),
350 )
351 }
352 if tok.AccessToken == "" {
353 logger.Warn(ctx,
354 "oauth2 token record has empty access token",
355 slog.F("server_slug", cfg.Slug),
356 )
357 break
358 }
359 tokenType := tok.TokenType
360 if tokenType == "" {
361 tokenType = "Bearer"
362 }
363 // RFC 6750 says the scheme is case-insensitive, but
364 // some servers (e.g. Linear) reject lowercase
365 // "bearer". Normalize to the canonical form.
366 if strings.EqualFold(tokenType, "bearer") {
367 tokenType = "Bearer"
368 }
369 headers["Authorization"] = tokenType + " " + tok.AccessToken
370 case "api_key":
371 if cfg.APIKeyHeader != "" && cfg.APIKeyValue != "" {
372 headers[cfg.APIKeyHeader] = cfg.APIKeyValue
373 }
374 case "custom_headers":
375 if cfg.CustomHeaders != "" {
376 var custom map[string]string
377 if err := json.Unmarshal(
378 []byte(cfg.CustomHeaders), &custom,
379 ); err != nil {

Callers 1

connectOneFunction · 0.85

Calls 3

OIDCAccessTokenMethod · 0.65
UnmarshalMethod · 0.45
ErrorMethod · 0.45

Tested by

no test coverage detected