Bearer-token enforcement for the MCP endpoint. Which paths need the guard is
app-specific route knowledge, so this only provides the check itself — call
require_bearer/1 from your own router on whichever paths you gate:
defp mcp_guard(conn, _opts) do
if public_path?(conn), do: conn, else: OAuthMCPBridge.Guard.require_bearer(conn)
end
Summary
Functions
Require a valid Authorization: Bearer <token> header; on success, assigns
:github_login on the conn. On failure, sends a 401 with a
WWW-Authenticate header pointing at the protected-resource metadata (so
clients discover the OAuth flow) and halts the conn.
Send the 401 + WWW-Authenticate response directly (rarely needed outside require_bearer/1).
Functions
@spec require_bearer(Plug.Conn.t()) :: Plug.Conn.t()
Require a valid Authorization: Bearer <token> header; on success, assigns
:github_login on the conn. On failure, sends a 401 with a
WWW-Authenticate header pointing at the protected-resource metadata (so
clients discover the OAuth flow) and halts the conn.
@spec unauthorized(Plug.Conn.t()) :: Plug.Conn.t()
Send the 401 + WWW-Authenticate response directly (rarely needed outside require_bearer/1).