feat(auth): implement runtime configuration handling for callable fields

aschlean · aschlean · commit b41fadc324a8 · 2026-01-30T13:03:17.000+01:00
diff --git a/src/golf/core/builder.py b/src/golf/core/builder.py
@@ -861,6 +861,16 @@ def _generate_server(self) -> None:
             transport=self.settings.transport,
         )
 
+        # Copy auth.py to dist if it contains callable fields (dynamic config)
+        if auth_components.get("copy_auth_file"):
+            auth_src = self.project_path / "auth.py"
+            auth_dst = self.output_dir / "auth.py"
+            if auth_src.exists():
+                shutil.copy(auth_src, auth_dst)
+                console.print("[dim]Copied auth.py for runtime configuration[/dim]")
+            else:
+                console.print("[yellow]Warning: auth.py not found but copy_auth_file was requested[/yellow]")
+
         # Create imports section
         imports = [
             "from fastmcp import FastMCP",
diff --git a/src/golf/core/builder_auth.py b/src/golf/core/builder_auth.py
@@ -10,6 +10,27 @@
 from golf.auth.providers import AuthConfig
 
 
+def _config_has_callables(config: AuthConfig) -> bool:
+    """Check if an auth config has any callable fields that can't be serialized.
+
+    Callable fields (like allowed_redirect_patterns_func) cannot be embedded
+    in generated code using repr(), so configs with callables need to use
+    runtime config loading instead.
+    """
+    # Check for OAuthProxyConfig callable fields
+    callable_fields = [
+        "allowed_redirect_patterns_func",
+        "allowed_redirect_schemes_func",
+        "redirect_uri_validator",
+    ]
+
+    for field_name in callable_fields:
+        if hasattr(config, field_name) and getattr(config, field_name) is not None:
+            return True
+
+    return False
+
+
 def generate_auth_code(
     server_name: str,
     host: str = "localhost",
@@ -47,29 +68,60 @@ def generate_auth_code(
             "Please update your auth.py file."
         )
 
-    # Generate modern auth components with embedded configuration
-    auth_imports = [
-        "import os",
-        "import sys",
-        "from golf.auth.factory import create_auth_provider",
-        "from golf.auth.providers import RemoteAuthConfig, JWTAuthConfig, StaticTokenConfig, OAuthServerConfig, OAuthProxyConfig",
-    ]
+    # Check if the auth config has callable fields (can't be embedded with repr)
+    has_callable_fields = _config_has_callables(auth_config)
 
-    # Embed the auth configuration directly in the generated code
-    # Convert the auth config to its string representation for embedding
-    auth_config_repr = repr(auth_config)
+    if has_callable_fields:
+        # For configs with callables, import and use auth module at runtime
+        # auth.py is copied to dist and imported to register the config
+        auth_imports = [
+            "import os",
+            "import sys",
+            "from golf.auth import get_auth_config",
+            "from golf.auth.factory import create_auth_provider",
+            "# Import auth module to execute configure_*() and register auth config",
+            "import auth  # noqa: F401 - executes auth.py to register config",
+        ]
 
-    setup_code_lines = [
-        "# Modern FastMCP 2.11+ authentication setup with embedded configuration",
-        f"auth_config = {auth_config_repr}",
-        "try:",
-        "    auth_provider = create_auth_provider(auth_config)",
-        "    # Authentication configured with {auth_config.provider_type} provider",
-        "except Exception as e:",
-        "    print(f'Authentication setup failed: {e}', file=sys.stderr)",
-        "    auth_provider = None",
-        "",
-    ]
+        setup_code_lines = [
+            "# Modern FastMCP 2.11+ authentication setup (runtime config with callables)",
+            "# Auth config registered by auth.py import above",
+            "auth_config = get_auth_config()",
+            "try:",
+            "    auth_provider = create_auth_provider(auth_config)",
+            f"    # Authentication configured with {auth_config.provider_type} provider",
+            "except Exception as e:",
+            "    print(f'Authentication setup failed: {{e}}', file=sys.stderr)",
+            "    auth_provider = None",
+            "",
+        ]
+    else:
+        # For configs without callables, embed the configuration directly
+        auth_imports = [
+            "import os",
+            "import sys",
+            "from golf.auth.factory import create_auth_provider",
+            "from golf.auth.providers import (",
+            "    RemoteAuthConfig, JWTAuthConfig, StaticTokenConfig,",
+            "    OAuthServerConfig, OAuthProxyConfig,",
+            ")",
+        ]
+
+        # Embed the auth configuration directly in the generated code
+        # Convert the auth config to its string representation for embedding
+        auth_config_repr = repr(auth_config)
+
+        setup_code_lines = [
+            "# Modern FastMCP 2.11+ authentication setup with embedded configuration",
+            f"auth_config = {auth_config_repr}",
+            "try:",
+            "    auth_provider = create_auth_provider(auth_config)",
+            f"    # Authentication configured with {auth_config.provider_type} provider",
+            "except Exception as e:",
+            "    print(f'Authentication setup failed: {{e}}', file=sys.stderr)",
+            "    auth_provider = None",
+            "",
+        ]
 
     # FastMCP constructor arguments - FastMCP 2.11+ uses auth parameter
     fastmcp_args = {"auth": "auth_provider"}
@@ -79,6 +131,7 @@ def generate_auth_code(
         "setup_code": setup_code_lines,
         "fastmcp_args": fastmcp_args,
         "has_auth": True,
+        "copy_auth_file": has_callable_fields,  # Copy auth.py to dist for runtime loading
     }
 
 
diff --git a/tests/auth/test_providers.py b/tests/auth/test_providers.py
@@ -12,6 +12,7 @@
     _create_remote_provider,
     _create_oauth_proxy_provider,
 )
+from golf.core.builder_auth import _config_has_callables
 
 
 class TestJWTProviderCreation:
@@ -615,3 +616,64 @@ def sync_db_lookup_wrapper(uri: str) -> bool:
 
         # Validator should now accept the new URI
         assert config.redirect_uri_validator("https://new-uri.example.com/callback") is True
+
+
+class TestConfigHasCallables:
+    """Test the _config_has_callables helper function for builder_auth."""
+
+    def _create_base_config(self, **kwargs) -> OAuthProxyConfig:
+        """Create a base OAuth proxy config with required fields for testing."""
+        token_verifier = StaticTokenConfig(tokens={"test-token": {"client_id": "test", "scopes": ["read"]}})
+        defaults = {
+            "authorization_endpoint": "https://auth.example.com/authorize",
+            "token_endpoint": "https://auth.example.com/token",
+            "client_id": "test-client",
+            "client_secret": "test-secret",
+            "base_url": "https://proxy.example.com",
+            "token_verifier_config": token_verifier,
+        }
+        defaults.update(kwargs)
+        return OAuthProxyConfig(**defaults)
+
+    def test_config_without_callables_returns_false(self) -> None:
+        """Test that config without callable fields returns False."""
+        config = self._create_base_config(
+            allowed_redirect_patterns=["https://example.com/*"],
+            allowed_redirect_schemes=["https"],
+        )
+        assert _config_has_callables(config) is False
+
+    def test_config_with_patterns_func_returns_true(self) -> None:
+        """Test that config with allowed_redirect_patterns_func returns True."""
+        config = self._create_base_config(
+            allowed_redirect_patterns_func=lambda: ["https://example.com/*"],
+        )
+        assert _config_has_callables(config) is True
+
+    def test_config_with_schemes_func_returns_true(self) -> None:
+        """Test that config with allowed_redirect_schemes_func returns True."""
+        config = self._create_base_config(
+            allowed_redirect_schemes_func=lambda: ["myapp"],
+        )
+        assert _config_has_callables(config) is True
+
+    def test_config_with_validator_returns_true(self) -> None:
+        """Test that config with redirect_uri_validator returns True."""
+        config = self._create_base_config(
+            redirect_uri_validator=lambda uri: True,
+        )
+        assert _config_has_callables(config) is True
+
+    def test_jwt_config_returns_false(self) -> None:
+        """Test that JWT config (no callable fields) returns False."""
+        config = JWTAuthConfig(
+            jwks_uri="https://auth.example.com/.well-known/jwks.json",
+            issuer="https://auth.example.com",
+            audience="my-api",
+        )
+        assert _config_has_callables(config) is False
+
+    def test_static_token_config_returns_false(self) -> None:
+        """Test that StaticTokenConfig (no callable fields) returns False."""
+        config = StaticTokenConfig(tokens={"test-token": {"client_id": "test", "scopes": ["read"]}})
+        assert _config_has_callables(config) is False
