Skip to content

feat: enhance OAuth providers with organization and workspace support #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 24, 2025
Merged

feat: enhance OAuth providers with organization and workspace support #69

merged 3 commits into from
Aug 24, 2025

Conversation

@hrntknr
Copy link
Member

@hrntknr hrntknr commented Aug 23, 2025
edited
Loading

Summary

This PR enhances the OAuth authentication system with support for organization-based and workspace-based authorization:

  • GitHub: Added support for organization and team-based access control
  • Google: Added support for Google Workspace domain restriction
  • Architecture: Consolidated authentication flow by combining user retrieval and authorization into a single method
  • Testing: Added comprehensive test coverage for all OAuth providers
  • Utilities: Added helper utilities for better error handling
  • Session: Improved session management with proper cookie settings

Type of Change

  • feat: A new feature

Related Issues

#33

Breaking Changes

BREAKING CHANGE: The Provider interface has changed. The GetUserID and Authorization methods have been consolidated into a single Authorization(ctx, token) (bool, string, error) method that returns authorization status, user identifier, and any error in one call.

@hrntknr
feat: enhance OAuth providers with organization and workspace support
efc795d 
- Add GitHub organization and team-based authorization
- Add Google Workspace domain-based authorization
- Consolidate authentication flow by combining user retrieval and authorization
- Add comprehensive test coverage for OAuth providers
- Add utilities for better error handling
- Improve session management with proper cookie settings

BREAKING CHANGE: Authorization interface changed from separate GetUserID/Authorization calls to combined Authorization method
Copilot AI review requested due to automatic review settings August 23, 2025 18:55
@codecov
Copy link

codecov bot commented Aug 23, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 63.74269% with 62 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/auth/github.go 69.23% 16 Missing and 8 partials ⚠️
main.go 0.00% 18 Missing ⚠️
pkg/mcp-proxy/main.go 0.00% 9 Missing ⚠️
pkg/auth/auth.go 54.54% 4 Missing and 1 partial ⚠️
pkg/auth/google.go 93.33% 2 Missing ⚠️
pkg/auth/oidc.go 80.00% 2 Missing ⚠️
pkg/utils/must.go 50.00% 1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@hrntknr
refactor: remove unused getProvider method from AuthRouter
dfce241 
Remove dead code that was not being used anywhere in the codebase.
@hrntknr hrntknr requested review from Copilot and removed request for Copilot August 24, 2025 04:07
Copilot AI reviewed Aug 24, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the OAuth authentication system by adding organization and workspace support for GitHub and Google providers respectively, while consolidating the Provider interface to streamline the authentication flow.

  • Adds GitHub organization/team-based access control and Google Workspace domain restrictions
  • Consolidates Provider interface by merging GetUserID and Authorization methods into a single Authorization method
  • Improves session management with proper cookie settings and simplified session keys

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
pkg/utils/must.go Adds utility function for error handling
pkg/mcp-proxy/main.go Updates provider constructors and session configuration
pkg/idp/idp_test.go Updates test to use simplified session key
pkg/auth/oidc_test.go Adds comprehensive test coverage for OIDC provider
pkg/auth/oidc.go Implements consolidated Authorization method
pkg/auth/mock.go Updates mock implementation for new interface
pkg/auth/main_test.go Adds test setup configuration
pkg/auth/interface.go Consolidates interface methods
pkg/auth/google_test.go Adds test coverage for Google provider
pkg/auth/google.go Adds workspace support and consolidated authorization
pkg/auth/github_test.go Adds test coverage for GitHub provider
pkg/auth/github.go Adds organization/team support and consolidated authorization
pkg/auth/auth_test.go Updates tests for new interface
pkg/auth/auth.go Simplifies authentication flow and session management
main.go Adds command-line flags for new organization/workspace parameters

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

pkg/utils/must.go
Comment on lines +3 to +8
func Must[T any](v T, err error) T {
if err != nil {
panic(err)
}
return v
}
Copy link

Copilot AI Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Must function lacks documentation explaining its purpose and when it should be used. Add a comment describing that this function should only be used when the error is guaranteed not to occur in normal operation, as it will panic on any error.

Copilot uses AI. Check for mistakes.
pkg/auth/github.go Outdated
Comment on lines 90 to 93
resp, err := client.Get(utils.Must(url.JoinPath(p.endpoint, "/user")))
if err != nil {
return "", err
return false, "", err
}
Copy link

Copilot AI Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using Must with url.JoinPath is inappropriate here since URL construction can fail with invalid inputs. The error should be handled properly instead of potentially panicking.

Copilot uses AI. Check for mistakes.
pkg/auth/github.go Outdated
Comment on lines 125 to 128
resp, err = client.Get(utils.Must(url.JoinPath(p.endpoint, "/user/orgs")))
if err != nil {
return false, "", err
}
Copy link

Copilot AI Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using Must with url.JoinPath is inappropriate here since URL construction can fail with invalid inputs. The error should be handled properly instead of potentially panicking.

Suggested change
resp, err = client.Get(utils.Must(url.JoinPath(p.endpoint, "/user/orgs")))
if err != nil {
return false, "", err
}
orgsURL, err := url.JoinPath(p.endpoint, "/user/orgs")
if err != nil {
return false, "", err
}
resp, err = client.Get(orgsURL)
if err != nil {
return false, "", err
}

Copilot uses AI. Check for mistakes.
pkg/auth/github.go Outdated
Comment on lines 146 to 149
resp, err = client.Get(utils.Must(url.JoinPath(p.endpoint, "/user/teams")))
if err != nil {
return false, "", err
}
Copy link

Copilot AI Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using Must with url.JoinPath is inappropriate here since URL construction can fail with invalid inputs. The error should be handled properly instead of potentially panicking.

Suggested change
resp, err = client.Get(utils.Must(url.JoinPath(p.endpoint, "/user/teams")))
if err != nil {
return false, "", err
}
teamsURL, err := url.JoinPath(p.endpoint, "/user/teams")
if err != nil {
return false, "", err
}
resp, err = client.Get(teamsURL)
if err != nil {
return false, "", err
}

Copilot uses AI. Check for mistakes.
pkg/auth/github.go Outdated
Comment on lines 130 to 138
return false, "", errors.New("failed to get user info from GitHub API: " + resp.Status)
}
defer resp.Body.Close()
var orgInfo []struct {
Login string `json:"login"`
}
if err := json.NewDecoder(resp.Body).Decode(&orgInfo); err != nil {
return false, "", err
}
Copy link

Copilot AI Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The defer resp.Body.Close() statement will only close the last response body in the loop. Previous response bodies from the organizations API call are not being closed, causing potential resource leaks.

Suggested change
return false, "", errors.New("failed to get user info from GitHub API: " + resp.Status)
}
defer resp.Body.Close()
var orgInfo []struct {
Login string `json:"login"`
}
if err := json.NewDecoder(resp.Body).Decode(&orgInfo); err != nil {
return false, "", err
}
resp.Body.Close()
return false, "", errors.New("failed to get user info from GitHub API: " + resp.Status)
}
var orgInfo []struct {
Login string `json:"login"`
}
if err := json.NewDecoder(resp.Body).Decode(&orgInfo); err != nil {
resp.Body.Close()
return false, "", err
}
resp.Body.Close()

Copilot uses AI. Check for mistakes.
@hrntknr
refactor: rename response variables in GitHub OAuth for clarity
a944f70 
Renamed resp variables to resp1, resp2, resp3 to avoid variable shadowing
and improve code readability in the GitHub OAuth authorization flow.
@hrntknr hrntknr merged commit 239f2b2 into main Aug 24, 2025
8 checks passed
@sigbit-release-bot sigbit-release-bot bot mentioned this pull request Aug 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hrntknr