OAuthMCPBridge.Guard (oauth_mcp_bridge v0.1.0-dev.0)

Copy Markdown View Source

Bearer-token enforcement for the MCP endpoint. Which paths need the guard is app-specific route knowledge, so this only provides the check itself — call require_bearer/1 from your own router on whichever paths you gate:

defp mcp_guard(conn, _opts) do
  if public_path?(conn), do: conn, else: OAuthMCPBridge.Guard.require_bearer(conn)
end

Summary

Functions

Require a valid Authorization: Bearer <token> header; on success, assigns :github_login on the conn. On failure, sends a 401 with a WWW-Authenticate header pointing at the protected-resource metadata (so clients discover the OAuth flow) and halts the conn.

Send the 401 + WWW-Authenticate response directly (rarely needed outside require_bearer/1).

Functions

require_bearer(conn)

@spec require_bearer(Plug.Conn.t()) :: Plug.Conn.t()

Require a valid Authorization: Bearer <token> header; on success, assigns :github_login on the conn. On failure, sends a 401 with a WWW-Authenticate header pointing at the protected-resource metadata (so clients discover the OAuth flow) and halts the conn.

unauthorized(conn)

@spec unauthorized(Plug.Conn.t()) :: Plug.Conn.t()

Send the 401 + WWW-Authenticate response directly (rarely needed outside require_bearer/1).