zhengchen.tao/gitea-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial public release
Build Docker Image / build (push) Failing after 1m40s
Details

Browse Source 
MCP (Model Context Protocol) server providing read-only access to a Gitea
instance, gated by OAuth-issued JWT bearer tokens. See README.md for setup.
This commit is contained in:
Zhengchen Tao
2026-05-17 23:52:44 +08:00
commit 71600adba9
38 changed files with 2663 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Auth/JwtBearerSetup.cs
+67
View File
@@ -0,0 +1,67 @@
using GiteaMcp.Config;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;
namespace GiteaMcp.Auth;
/// <summary>
/// JWT Bearer 验签配置,HS256 对称密钥方案。
/// ValidIssuer / ValidAudience 由配置驱动;支持 Current + Previous 双密钥(轮换窗口)。
/// </summary>
public static class JwtBearerSetup
{
public static IServiceCollection AddGiteaJwtBearer(
this IServiceCollection services,
IConfiguration configuration)
{
var jwtOpts = configuration.GetSection(JwtOptions.SectionName).Get<JwtOptions>()
?? new JwtOptions();
services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
// 关闭默认的入站 claim type 映射,否则 "sub"/"scope" 会被改写成
// ClaimTypes.NameIdentifier 之类的长 URI,下游 FindFirst("scope") 取不到。
options.MapInboundClaims = false;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwtOpts.Issuer,
ValidateAudience = true,
ValidAudience = jwtOpts.Audience,
ValidateIssuerSigningKey = true,
// ToList 物化一次,避免每次验签重建 SymmetricSecurityKey。
IssuerSigningKeys = BuildSigningKeys(jwtOpts).ToList(),
ValidateLifetime = true,
// 允许 2 分钟时钟偏差,缓解 AS 与本服务时钟漂移
ClockSkew = TimeSpan.FromMinutes(2),
};
});
return services;
}
/// <summary>
/// 构建 Current + Previous 双密钥列表,供 SDK 依次尝试验签。
/// 轮换期间两把钥匙同时有效,过期的旧 Token 会被 ValidateLifetime 自然拦截。
/// Current 未配置直接抛错,避免容器静默以"任何 token 都不通过"的状态运行。
/// </summary>
private static IEnumerable<SecurityKey> BuildSigningKeys(JwtOptions opts)
{
if (string.IsNullOrWhiteSpace(opts.SigningKey.Current))
throw new InvalidOperationException(
"Jwt:SigningKey:Current 未配置,gitea-mcp 无法启动。" +
"请通过 env Jwt__SigningKey__Current 注入与 auth server 共享的 HS256 密钥。");
yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKey.Current));
if (!string.IsNullOrWhiteSpace(opts.SigningKey.Previous))
yield return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(opts.SigningKey.Previous));
}
}
Auth/ScopePolicies.cs
+59
View File
@@ -0,0 +1,59 @@
using Microsoft.AspNetCore.Authorization;
namespace GiteaMcp.Auth;
/// <summary>
/// 自定义 scope 授权策略:要求 JWT 的 scope claim 包含指定值。
/// 对应 RequireScope("read:gitea") policy。
/// </summary>
public static class ScopePolicies
{
public const string ReadGitea = "read:gitea";
public static IServiceCollection AddScopePolicies(this IServiceCollection services)
{
services.AddAuthorizationBuilder()
.AddPolicy(ReadGitea, policy =>
{
policy.RequireAuthenticatedUser();
policy.AddRequirements(new ScopeRequirement(ReadGitea));
});
services.AddSingleton<IAuthorizationHandler, ScopeRequirementHandler>();
return services;
}
}
/// <summary>
/// 授权要求:JWT scope claim 必须包含指定的 scope 字符串(空格分隔的多 scope 支持)。
/// </summary>
public class ScopeRequirement(string scope) : IAuthorizationRequirement
{
public string Scope { get; } = scope;
}
/// <summary>
/// 验证 scope claim。
/// 标准实现里 JWT 的 scope 是单字符串(空格分隔),形如 "read:gitea" 或 "read:gitea write:gitea"。
/// 兼容部分实现把多 scope 拆成多个 claim 的形式(FindAll)。
/// OAuth 2.0 (RFC 6749 §3.3) 规定 scope 大小写敏感。
/// </summary>
public class ScopeRequirementHandler : AuthorizationHandler<ScopeRequirement>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
ScopeRequirement requirement)
{
var scopes = context.User
.FindAll("scope")
.SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
.ToHashSet(StringComparer.Ordinal);
if (scopes.Contains(requirement.Scope))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}