Ki~0dZddlmZddlZddlmZddlmZmZm Z ddl m Z m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZmZeeZGdde ZGddeZGddeZ y)aTGitHub OAuth provider for FastMCP. This module provides a complete GitHub OAuth integration that's ready to use with just a client ID and client secret. It handles all the complexity of GitHub's OAuth flow, token validation, and user management. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider # Simple GitHub OAuth protection auth = GitHubProvider( client_id="your-github-client-id", client_secret="your-github-client-secret" ) mcp = FastMCP("My Protected Server", auth=auth) ``` ) annotationsN) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TokenVerifier) AccessToken) OAuthProxy)ENV_FILE parse_scopes) get_logger)NotSetNotSetTceZdZUdZededZdZded<dZ ded <dZ d ed <dZ d ed <dZ ded <dZ ded<dZded<dZded<dZded<eddedZy)GitHubProviderSettingsz#Settings for GitHub OAuth provider.FASTMCP_SERVER_AUTH_GITHUB_ignore) env_prefixenv_fileextraNz str | None client_idzSecretStr | None client_secretzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesz int | Nonetimeout_secondsallowed_client_redirect_urisjwt_signing_keybefore)modect|S)Nr)clsvs p/home/jay/workspace/scripts/.codegraph-venv/lib/python3.12/site-packages/fastmcp/server/auth/providers/github.py _parse_scopesz$GitHubProviderSettings._parse_scopes;sA)__name__ __module__ __qualname____doc__r r model_configr__annotations__rrrrr r!r"r#r classmethodr*r+r)rr(s-%0L !Iz &*M#*(,H%,*.J'. $M:$(,O%,"&OZ&59 "29"&OZ&&X67r+rc:eZdZdZddd dfdZddZxZS) GitHubTokenVerifierzToken verifier for GitHub OAuth tokens. GitHub OAuth tokens are opaque (not JWTs), so we verify them by calling GitHub's API to check if they're valid and get user info. N r r!c4t||||_y)zInitialize the GitHub token verifier. Args: required_scopes: Required OAuth scopes (e.g., ['user:email']) timeout_seconds: HTTP request timeout )r N)super__init__r!)selfr r! __class__s r)r:zGitHubTokenVerifier.__init__Hs 9.r+cnK tj|j4d{}|jdd|dddd{}|jd k7r@t j d |j|jdd  dddd{y|j}|jd d|dddd{}|jjd d }|jdDcgc]"}|jr|j$}}|sdg}|jrlt|} t|j} | j| s;t j dt| t|  dddd{yt!|t#|jdd|dt#|d|jd|jd|jd|jd|dcdddd{S7777lcc}w77#1d{7swYyxYw#tj$$r } t j d| Yd} ~ yd} ~ wt&$r } t j d| Yd} ~ yd} ~ wwxYww)z0Verify GitHub OAuth token by calling GitHub API.)timeoutNzhttps://api.github.com/userzBearer zapplication/vnd.github.v3+jsonzFastMCP-GitHub-OAuth) AuthorizationAcceptz User-Agent)headersz)GitHub token verification failed: %d - %sz!https://api.github.com/user/reposzx-oauth-scopes,userz6GitHub token missing required scopes. Has %d, needs %didunknownloginnameemail avatar_url)subrHrIrJrKgithub_user_data)tokenrscopes expires_atclaimsz!Failed to verify GitHub token: %sz#GitHub token verification error: %s)httpx AsyncClientr!get status_codeloggerdebugtextjsonrAsplitstripr setissubsetlenr str RequestError Exception) r;rNclientresponse user_datascopes_responseoauth_scopes_headerscope token_scopestoken_scopes_setrequired_scopes_setes r) verify_tokenz GitHubTokenVerifier.verify_tokenWsN ((1E1EFF F &!'1+25'):"B&<","''3.LLC ,, ds+  #F F F &%MMO )/ 7+25'):"B&<)3)#'6&=&=&A&ABRTV&W#"5!:!:3!? {{}KKM   $$*8L'''*<'8$*-d.B.B*C'.778HI T 01 34 $mF F F r#!)--i"@A'#"9T?3!*w!7 ) f 5!*w!7&/mmL&A,5  sF F F F .# EF F F F F P!!  LL B sJ5$IH.II H1 AI IH4IJ5-I H7 3I?'H:&A.I IH? I$J5%A7I I(I)I-J5.I1I4I7I:I?III I IIJ5IJ2+JJ5 J2J-(J5-J22J5)r rr!int)rNr_returnzAccessToken | None)r,r-r.r/r:rl __classcell__r<s@r)r5r5As/-1! /* / /Pr+r5c heZdZdZeeeeeeeededd dfdZxZS)GitHubProvideraComplete GitHub OAuth provider for FastMCP. This provider makes it trivial to add GitHub OAuth protection to any FastMCP server. Just provide your GitHub OAuth app credentials and a base URL, and you're ready to go. Features: - Transparent OAuth proxy to GitHub - Automatic token validation via GitHub API - User information extraction - Minimal configuration required Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider auth = GitHubProvider( client_id="Ov23li...", client_secret="abc123...", base_url="https://my-server.com" ) mcp = FastMCP("My App", auth=auth) ``` NT) rrrrrr r!r"client_storager#require_authorization_consentc tj||||||||| d jD cic]\} } | tur| | c} } }|js t d|j s t d|jxsd}|jxsdg}|j}t||}|j r|j jnd}t|5dd |j|||j|j|j xs |j|| |j"| t$j'd |j|y cc} } w) a|Initialize GitHub OAuth provider. Args: client_id: GitHub OAuth app client ID (e.g., "Ov23li...") client_secret: GitHub OAuth app client secret base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in GitHub OAuth app (defaults to "/auth/callback") required_scopes: Required GitHub scopes (defaults to ["user"]) timeout_seconds: HTTP request timeout for GitHub API calls allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to GitHub. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. ) rrrrrr r!r"r#zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRETr6rEr7rCz(https://github.com/login/oauth/authorizez+https://github.com/login/oauth/access_token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierrrrr"rsr#rtz?Initialized GitHub OAuth provider for client %s with scopes: %sN)rmodel_validateitemsrr ValueErrorrr!r r"r5get_secret_valuer9r:rrrr#rVrW)r;rrrrrr r!r"rsr#rtkr(settingstimeout_seconds_finalrequired_scopes_final"allowed_client_redirect_uris_finalrzclient_secret_strr<s r)r:zGitHubProvider.__init__sP*88"+%2 (",%2'6'64P'6 %' AqF?1  &!!c %%k  !) 8 8 >B ( 8 8 DVH-5-R-R*-11 :B9O9OH " " 3 3 5UW  ,V$Q'11#4)&&"00**!  )K)$44*G   M    ! { sE )r str | NotSetTrrrAnyHttpUrl | str | NotSetTrrrrr list[str] | NotSetTr!z int | NotSetTr"rrszAsyncKeyValue | Noner#zstr | bytes | NotSetTrtbool)r,r-r.r/rr:rorps@r)rrrrs<$*'-/517'-/5)/rsf*# 1;;>-06%/03 H \2f-fRF ZF r+