Implement --token and MCP_GITHUB_TOKEN login support

Signed-off-by: Radoslav Dimitrov <[email protected]>

Author: rdimitrov

cmd/publisher/auth/github-at.go

@@ -50,9 +50,10 @@ type StoredRegistryToken struct {
 
 // GitHubATProvider implements the Provider interface using GitHub's device flow
 type GitHubATProvider struct {
-	clientID    string
-	forceLogin  bool
-	registryURL string
+	clientID      string
+	forceLogin    bool
+	registryURL   string
+	providedToken string // Token provided via --token flag or MCP_GITHUB_TOKEN env var
 }
 
 // ServerHealthResponse represents the response from the health endpoint
@@ -62,10 +63,16 @@ type ServerHealthResponse struct {
 }
 
 // NewGitHubATProvider creates a new GitHub OAuth provider
-func NewGitHubATProvider(forceLogin bool, registryURL string) Provider {
+func NewGitHubATProvider(forceLogin bool, registryURL, token string) Provider {
+	// Check for token from flag or environment variable
+	if token == "" {
+		token = os.Getenv("MCP_GITHUB_TOKEN")
+	}
+
 	return &GitHubATProvider{
-		forceLogin:  forceLogin,
-		registryURL: registryURL,
+		forceLogin:    forceLogin,
+		registryURL:   registryURL,
+		providedToken: token,
 	}
 }
 
@@ -100,6 +107,11 @@ func (g *GitHubATProvider) GetToken(ctx context.Context) (string, error) {
 
 // NeedsLogin checks if a new login is required
 func (g *GitHubATProvider) NeedsLogin() bool {
+	// If a token was provided via --token or MCP_GITHUB_TOKEN, no login needed
+	if g.providedToken != "" {
+		return false
+	}
+
 	if g.forceLogin {
 		return true
 	}
@@ -123,6 +135,15 @@ func (g *GitHubATProvider) NeedsLogin() bool {
 
 // Login performs the GitHub device flow authentication
 func (g *GitHubATProvider) Login(ctx context.Context) error {
+	// If a token was provided via --token or MCP_GITHUB_TOKEN, save it and skip device flow
+	if g.providedToken != "" {
+		err := saveToken(g.providedToken)
+		if err != nil {
+			return fmt.Errorf("error saving provided token: %w", err)
+		}
+		return nil
+	}
+
 	// If clientID is not set, try to retrieve it from the server's health endpoint
 	if g.clientID == "" {
 		clientID, err := getClientID(ctx, g.registryURL)

cmd/publisher/commands/init.go

@@ -26,7 +26,7 @@ func InitCommand() error {
 	description := detectDescription()
 	version := "1.0.0"
 	repoURL := detectRepoURL()
-	repoSource := "github"
+	repoSource := MethodGitHub
 	if repoURL != "" && !strings.Contains(repoURL, "github.com") {
 		if strings.Contains(repoURL, "gitlab.com") {
 			repoSource = "gitlab"

cmd/publisher/commands/login.go

@@ -15,6 +15,11 @@ import (
 const (
 	DefaultRegistryURL = "https://registry.modelcontextprotocol.io"
 	TokenFileName      = ".mcp_publisher_token" //nolint:gosec // Not a credential, just a filename
+	MethodGitHub       = "github"
+	MethodGitHubOIDC   = "github-oidc"
+	MethodDNS          = "dns"
+	MethodHTTP         = "http"
+	MethodNone         = "none"
 )
 
 type CryptoAlgorithm auth.CryptoAlgorithm
@@ -32,56 +37,82 @@ func (c *CryptoAlgorithm) Set(v string) error {
 	return fmt.Errorf("invalid algorithm: %q (allowed: ed25519, ecdsap384)", v)
 }
 
+type loginFlags struct {
+	domain          string
+	privateKey      string
+	cryptoAlgorithm CryptoAlgorithm
+	registryURL     string
+	token           string
+}
+
 func LoginCommand(args []string) error {
 	if len(args) < 1 {
 		return errors.New("authentication method required\n\nUsage: mcp-publisher login <method>\n\nMethods:\n  github        Interactive GitHub authentication\n  github-oidc   GitHub Actions OIDC authentication\n  dns           DNS-based authentication (requires --domain and --private-key)\n  http          HTTP-based authentication (requires --domain and --private-key)\n  none          Anonymous authentication (for testing)")
 	}
 
 	method := args[0]
+	flags, err := parseLoginFlags(method, args[1:])
+	if err != nil {
+		return err
+	}
+
+	authProvider, err := createAuthProvider(method, flags)
+	if err != nil {
+		return err
+	}
 
-	// Parse remaining flags based on method
-	loginFlags := flag.NewFlagSet("login", flag.ExitOnError)
-	var domain string
-	var privateKey string
-	var cryptoAlgorithm = CryptoAlgorithm(auth.AlgorithmEd25519)
-	var registryURL string
+	return performLogin(authProvider, method, flags.registryURL)
+}
+
+func parseLoginFlags(method string, args []string) (*loginFlags, error) {
+	flags := &loginFlags{
+		cryptoAlgorithm: CryptoAlgorithm(auth.AlgorithmEd25519), // default
+	}
+	loginFlagSet := flag.NewFlagSet("login", flag.ExitOnError)
 
-	loginFlags.StringVar(&registryURL, "registry", DefaultRegistryURL, "Registry URL")
+	loginFlagSet.StringVar(&flags.registryURL, "registry", DefaultRegistryURL, "Registry URL")
 
-	if method == "dns" || method == "http" {
-		loginFlags.StringVar(&domain, "domain", "", "Domain name")
-		loginFlags.StringVar(&privateKey, "private-key", "", "Private key (hex)")
-		loginFlags.Var(&cryptoAlgorithm, "algorithm", "Cryptographic algorithm (ed25519, ecdsap384)")
+	if method == MethodGitHub {
+		loginFlagSet.StringVar(&flags.token, "token", "", "GitHub Personal Access Token")
 	}
 
-	if err := loginFlags.Parse(args[1:]); err != nil {
-		return err
+	if method == MethodDNS || method == MethodHTTP {
+		loginFlagSet.StringVar(&flags.domain, "domain", "", "Domain name")
+		loginFlagSet.StringVar(&flags.privateKey, "private-key", "", "Private key (64-char hex)")
+		loginFlagSet.Var(&flags.cryptoAlgorithm, "algorithm", "Cryptographic algorithm (ed25519, ecdsap384)")
 	}
 
-	// Create auth provider based on method
-	var authProvider auth.Provider
+	if err := loginFlagSet.Parse(args); err != nil {
+		return nil, err
+	}
+
+	return flags, nil
+}
+
+func createAuthProvider(method string, flags *loginFlags) (auth.Provider, error) {
 	switch method {
-	case "github":
-		authProvider = auth.NewGitHubATProvider(true, registryURL)
-	case "github-oidc":
-		authProvider = auth.NewGitHubOIDCProvider(registryURL)
-	case "dns":
-		if domain == "" || privateKey == "" {
-			return errors.New("dns authentication requires --domain and --private-key")
+	case MethodGitHub:
+		return auth.NewGitHubATProvider(true, flags.registryURL, flags.token), nil
+	case MethodGitHubOIDC:
+		return auth.NewGitHubOIDCProvider(flags.registryURL), nil
+	case MethodDNS:
+		if flags.domain == "" || flags.privateKey == "" {
+			return nil, errors.New("dns authentication requires --domain and --private-key")
 		}
-		authProvider = auth.NewDNSProvider(registryURL, domain, privateKey, auth.CryptoAlgorithm(cryptoAlgorithm))
-	case "http":
-		if domain == "" || privateKey == "" {
-			return errors.New("http authentication requires --domain and --private-key")
+		return auth.NewDNSProvider(flags.registryURL, flags.domain, flags.privateKey, auth.CryptoAlgorithm(flags.cryptoAlgorithm)), nil
+	case MethodHTTP:
+		if flags.domain == "" || flags.privateKey == "" {
+			return nil, errors.New("http authentication requires --domain and --private-key")
 		}
-		authProvider = auth.NewHTTPProvider(registryURL, domain, privateKey, auth.CryptoAlgorithm(cryptoAlgorithm))
-	case "none":
-		authProvider = auth.NewNoneProvider(registryURL)
+		return auth.NewHTTPProvider(flags.registryURL, flags.domain, flags.privateKey, auth.CryptoAlgorithm(flags.cryptoAlgorithm)), nil
+	case MethodNone:
+		return auth.NewNoneProvider(flags.registryURL), nil
 	default:
-		return fmt.Errorf("unknown authentication method: %s\nFor a list of available methods, run: mcp-publisher login", method)
+		return nil, fmt.Errorf("unknown authentication method: %s\nFor a list of available methods, run: mcp-publisher login", method)
 	}
+}
 
-	// Perform login
+func performLogin(authProvider auth.Provider, method, registryURL string) error {
 	ctx := context.Background()
 	_, _ = fmt.Fprintf(os.Stdout, "Logging in with %s...\n", method)