feat: add forward_auth support (#16)

Signed-off-by: Donnie Adams <donnie@obot.ai>

Author: thedadams

main.go

@@ -28,6 +28,6 @@ func main() {
 	handler := proxy.GetHandler()
 
 	// Start server
-	log.Printf("Starting OAuth proxy server on localhost:8080")
-	log.Fatal(http.ListenAndServe(":8080", handler))
+	log.Printf("Starting OAuth proxy server on localhost:" + config.Port)
+	log.Fatal(http.ListenAndServe(":"+config.Port, handler))
 }

main_test.go

@@ -121,6 +121,17 @@ func TestIntegrationFlow(t *testing.T) {
 		assert.Contains(t, w.Header().Get("WWW-Authenticate"), "Bearer")
 	})
 
+	// Test protected resource metadata with path parameter
+	t.Run("ProtectedResourceMetadataWithPath", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/.well-known/oauth-protected-resource/test/path", nil)
+		handler.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "resource")
+		assert.Contains(t, w.Body.String(), "authorization_servers")
+	})
+
 	// Test authorization endpoint redirects (basic validation)
 	t.Run("AuthorizationEndpointRedirect", func(t *testing.T) {
 		w := httptest.NewRecorder()
@@ -259,3 +270,161 @@ func TestOAuthProxyStart(t *testing.T) {
 		t.Fatal("Server did not stop within timeout")
 	}
 }
+
+func TestForwardAuthIntegrationFlow(t *testing.T) {
+	// Skip if running in short mode
+	if testing.Short() {
+		t.Skip("Skipping integration tests in short mode")
+	}
+
+	// Set required environment variables for forward auth testing
+	oldVars := map[string]string{
+		"OAUTH_CLIENT_ID":     os.Getenv("OAUTH_CLIENT_ID"),
+		"OAUTH_CLIENT_SECRET": os.Getenv("OAUTH_CLIENT_SECRET"),
+		"OAUTH_AUTHORIZE_URL": os.Getenv("OAUTH_AUTHORIZE_URL"),
+		"SCOPES_SUPPORTED":    os.Getenv("SCOPES_SUPPORTED"),
+		"MCP_SERVER_URL":      os.Getenv("MCP_SERVER_URL"),
+		"DATABASE_DSN":        os.Getenv("DATABASE_DSN"),
+		"PROXY_MODE":          os.Getenv("PROXY_MODE"),
+		"PORT":                os.Getenv("PORT"),
+	}
+
+	// Set test environment variables for forward auth mode
+	testEnvVars := map[string]string{
+		"OAUTH_CLIENT_ID":     "test_client_id",
+		"OAUTH_CLIENT_SECRET": "test_client_secret",
+		"OAUTH_AUTHORIZE_URL": "https://accounts.google.com",
+		"SCOPES_SUPPORTED":    "openid,profile,email",
+		"PROXY_MODE":          "forward_auth",
+		"PORT":                "8082", // Different port to avoid conflicts
+		"DATABASE_DSN":        os.Getenv("TEST_DATABASE_DSN"), // Use test database if available
+	}
+
+	for key, value := range testEnvVars {
+		if value != "" {
+			if err := os.Setenv(key, value); err != nil {
+				t.Logf("Failed to set %s: %v", key, err)
+			}
+		}
+	}
+
+	// Restore environment variables after test
+	defer func() {
+		for key, value := range oldVars {
+			if value != "" {
+				_ = os.Setenv(key, value)
+			} else {
+				_ = os.Unsetenv(key)
+			}
+		}
+	}()
+
+	// Create OAuth proxy in forward auth mode
+	config, err := proxy.LoadConfigFromEnv()
+	if err != nil {
+		log.Fatalf("Failed to load configuration: %v", err)
+	}
+	require.Equal(t, "forward_auth", config.Mode)
+	require.Equal(t, "8082", config.Port)
+
+	oauthProxy, err := proxy.NewOAuthProxy(config)
+	if err != nil {
+		t.Skipf("Skipping test due to database connection error: %v", err)
+	}
+	defer func() {
+		if err := oauthProxy.Close(); err != nil {
+			t.Logf("Error closing OAuth proxy: %v", err)
+		}
+	}()
+
+	// Get HTTP handler
+	handler := oauthProxy.GetHandler()
+
+	// Test health endpoint works in forward auth mode
+	t.Run("ForwardAuthHealthEndpoint", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/health", nil)
+		handler.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "ok")
+	})
+
+	// Test OAuth metadata endpoints work in forward auth mode
+	t.Run("ForwardAuthOAuthMetadata", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/.well-known/oauth-authorization-server", nil)
+		handler.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "authorization_endpoint")
+		assert.Contains(t, w.Body.String(), "token_endpoint")
+	})
+
+	// Test protected resource metadata with path works in forward auth mode
+	t.Run("ForwardAuthProtectedResourceMetadataWithPath", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/.well-known/oauth-protected-resource/api/v1", nil)
+		handler.ServeHTTP(w, req)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "resource")
+		assert.Contains(t, w.Body.String(), "authorization_servers")
+	})
+
+	// Test that forward auth mode requires authorization for protected endpoints
+	t.Run("ForwardAuthRequiresAuth", func(t *testing.T) {
+		testPaths := []string{"/api", "/data", "/protected", "/mcp", "/test"}
+		
+		for _, path := range testPaths {
+			t.Run("Path_"+path, func(t *testing.T) {
+				w := httptest.NewRecorder()
+				req := httptest.NewRequest("GET", path, nil)
+				handler.ServeHTTP(w, req)
+
+				assert.Equal(t, http.StatusUnauthorized, w.Code)
+				assert.Contains(t, w.Header().Get("WWW-Authenticate"), "Bearer")
+			})
+		}
+	})
+
+	// Test that forward auth mode doesn't proxy to MCP server (no proxying behavior)
+	t.Run("ForwardAuthNoProxying", func(t *testing.T) {
+		// In forward auth mode, there should be no attempt to proxy to an MCP server
+		// Instead, the proxy should validate tokens and set headers for downstream services
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/api/test", nil)
+		handler.ServeHTTP(w, req)
+
+		// Should get unauthorized (no proxying attempt)
+		assert.Equal(t, http.StatusUnauthorized, w.Code)
+		assert.Contains(t, w.Header().Get("WWW-Authenticate"), "Bearer")
+		
+		// Should not have any proxy-related error messages
+		assert.NotContains(t, w.Body.String(), "proxy")
+		assert.NotContains(t, w.Body.String(), "502")
+		assert.NotContains(t, w.Body.String(), "Bad Gateway")
+	})
+
+	// Test authorization endpoint redirects work in forward auth mode
+	t.Run("ForwardAuthAuthorizationEndpointRedirect", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/authorize?response_type=code&client_id=test&redirect_uri=http://localhost:8082/callback&scope=openid", nil)
+		handler.ServeHTTP(w, req)
+
+		// Should get a redirect to the OAuth provider or an error about invalid client
+		assert.True(t, w.Code == http.StatusFound || w.Code == http.StatusBadRequest)
+	})
+
+	// Test CORS headers work in forward auth mode
+	t.Run("ForwardAuthCORSHeaders", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("OPTIONS", "/api", nil)
+		req.Header.Set("Origin", "https://example.com")
+		req.Header.Set("Access-Control-Request-Method", "GET")
+		handler.ServeHTTP(w, req)
+
+		// Should handle CORS preflight
+		assert.Contains(t, w.Header().Get("Access-Control-Allow-Origin"), "*")
+	})
+}

pkg/handlerutils/handlerutils.go

@@ -20,7 +20,6 @@ func JSON(w http.ResponseWriter, statusCode int, obj any) {
 				"error_description": "Failed to encode JSON response",
 				"error_detail":      err.Error(),
 			})
-			w.WriteHeader(http.StatusInternalServerError)
 			_, _ = w.Write(errText)
 		}
 	}
@@ -52,6 +51,10 @@ func GetClientIP(r *http.Request) string {
 // GetBaseURL returns the URL of the request without the path and
 // infers the scheme (http or https)
 func GetBaseURL(r *http.Request) string {
+	if url := r.Header.Get("X-Mcp-Oauth-Proxy-URL"); url != "" {
+		return url
+	}
+
 	scheme := "http"
 	if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
 		scheme = "https"

pkg/oauth/register/register.go

@@ -135,7 +135,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		response["client_secret_expires_at"] = 0 // Never expires
 	}
 
-	handlerutils.JSON(w, http.StatusCreated, response)
+	handlerutils.JSON(w, http.StatusOK, response)
 }
 
 func (p *Handler) validateClientMetadata(metadata map[string]any) (*types.ClientInfo, error) {