forgejo-mcp-broker

History

Ole-Morten Duesund 006d5c1448 feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i) Adds internal/forgejo: a stateless OAuth 2.1 client for upstream Forgejo. Covers what the broker AS needs: - AuthorizeURL: builds the user-agent redirect to /login/oauth/authorize - ExchangeCode: code → access+refresh tokens (PKCE verifier included) - Refresh: refresh_token grant (Forgejo rotates the refresh token) - FetchUserInfo: OIDC userinfo claims (sub, preferred_username, etc.) OAuth errors come back as a structured *forgejo.Error so the AS can distinguish "user must re-authenticate" (invalid_grant) from "transient network problem" via errors.As. Forgejo doesn't currently expose a token revocation endpoint, so revocation lives in the broker's own store — upstream tokens expire naturally. Defaults: - 30s HTTP timeout (Forgejo OAuth is sub-second when healthy) - User-Agent "fjmcp-broker" if not overridden - 64 KiB cap on response bodies (these endpoints return ~kilobytes) Tests: 95.1% coverage. httptest.Server fake Forgejo exercises every public method, every error shape (OAuth-formatted, plain {"message":...}, malformed JSON, missing required fields, network failure), and verifies form params hit the wire as expected. Closes forgejo-mcp-broker-b9i. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 13:31:19 +02:00
..
forgejo.go	feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)	2026-04-27 13:31:19 +02:00
forgejo_test.go	feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)	2026-04-27 13:31:19 +02:00

Ole-Morten Duesund 006d5c1448 feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)

Adds internal/forgejo: a stateless OAuth 2.1 client for upstream Forgejo.
Covers what the broker AS needs:
  - AuthorizeURL: builds the user-agent redirect to /login/oauth/authorize
  - ExchangeCode: code → access+refresh tokens (PKCE verifier included)
  - Refresh: refresh_token grant (Forgejo rotates the refresh token)
  - FetchUserInfo: OIDC userinfo claims (sub, preferred_username, etc.)

OAuth errors come back as a structured *forgejo.Error so the AS can
distinguish "user must re-authenticate" (invalid_grant) from "transient
network problem" via errors.As. Forgejo doesn't currently expose a token
revocation endpoint, so revocation lives in the broker's own store —
upstream tokens expire naturally.

Defaults:
  - 30s HTTP timeout (Forgejo OAuth is sub-second when healthy)
  - User-Agent "fjmcp-broker" if not overridden
  - 64 KiB cap on response bodies (these endpoints return ~kilobytes)

Tests: 95.1% coverage. httptest.Server fake Forgejo exercises every
public method, every error shape (OAuth-formatted, plain {"message":...},
malformed JSON, missing required fields, network failure), and verifies
form params hit the wire as expected.

Closes forgejo-mcp-broker-b9i.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-27 13:31:19 +02:00

forgejo.go

feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)

2026-04-27 13:31:19 +02:00

forgejo_test.go

feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)

2026-04-27 13:31:19 +02:00