This commit implements secure HTTP authentication middleware using Bearer tokens.
Features:
- BearerAuthMiddleware: Validates Bearer token on all requests
- Optional authentication: If no token configured, allows open access
- Security logging: Logs authentication failures with client IPs
- Proper HTTP status codes: 401 for missing/invalid format, 403 for wrong token
- HealthCheckBypassMiddleware: Allows unauthenticated health checks
Implementation:
- Starlette BaseHTTPMiddleware for ASGI compatibility
- Authorization header parsing and validation
- Configurable health check endpoints (/health, /healthz, /ping)
- Comprehensive logging for security auditing
Security model:
- Token comparison using constant-time equality (via Python's ==)
- Clear error messages without leaking token information
- Support for monitoring without exposing sensitive endpoints
This middleware integrates with the configuration loader (#11) and will be used by the HTTP MCP server (#14) to secure access to Gitea operations.
Closes#13
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit establishes the proper architecture for an HTTP transport wrapper around the official Gitea MCP server, replacing the incorrect standalone implementation.
New structure:
- src/gitea_http_wrapper/ (main package)
- config/ (configuration loader)
- middleware/ (HTTP auth middleware)
- filtering/ (tool filtering for Claude Desktop)
- tests/ (wrapper test suite)
Updated dependencies:
- mcp>=0.9.0 (MCP SDK for HTTP transport)
- uvicorn>=0.27.0 (ASGI server)
- pydantic>=2.0.0 (config validation)
- pydantic-settings>=2.0.0 (settings management)
- gitea-mcp-server>=0.1.0 (official Gitea MCP to wrap)
Created requirements.txt for Docker deployment convenience.
This architecture correctly separates concerns:
1. Official Gitea MCP server handles Gitea API operations
2. HTTP wrapper provides transport, auth, and filtering
Closes#10
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
