feat(auth): Implement GitHub OAuth authentication flow for package publishing

- Added authentication service and GitHub OAuth integration.
- Introduced new authentication methods and structures in the model.
- Updated the API to handle authentication during the publishing process.
- Created handlers for starting and checking the status of the OAuth flow.
- Enhanced the publish handler to validate authentication credentials.
- Updated configuration to include GitHub OAuth settings.
- Added tests for the OAuth flow and publishing with authentication.
- Updated documentation to reflect changes in the API and authentication process.

Author: sridharavinash

.gitignore

@@ -1,2 +1,3 @@
 build/*
 data
+.env

.vscode/launch.json

@@ -0,0 +1,28 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+
+        {
+            "name": "Launch server",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/registry",
+            "envFile": "${workspaceFolder}/.env",
+        },
+        {
+            "name": "Launch publisher",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/tools/publisher/main.go",
+            "args": [
+                "-registry-url=http://localhost:8080",
+                "-mcp-file=${workspaceFolder}/tools/publisher/mcp.json",
+            ],
+        }
+    ]
+}

Makefile

@@ -79,10 +79,10 @@ lint:
 build-all: clean
 	@echo "Building for multiple platforms..."
 	@mkdir -p $(BUILD_DIR)
-	@GOOS=linux GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 $(MAIN_PATH)
-	@GOOS=darwin GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-amd64 $(MAIN_PATH)
-	@GOOS=darwin GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 $(MAIN_PATH)
-	@GOOS=windows GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe $(MAIN_PATH)
+	@GOOS=linux GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 $(MAIN_PACKAGE)
+	@GOOS=darwin GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-amd64 $(MAIN_PACKAGE)
+	@GOOS=darwin GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 $(MAIN_PACKAGE)
+	@GOOS=windows GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe $(MAIN_PACKAGE)
 	@echo "Cross-compilation complete!"
 
 # Show help

cmd/registry/main.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/modelcontextprotocol/registry/internal/api"
+	"github.com/modelcontextprotocol/registry/internal/auth"
 	"github.com/modelcontextprotocol/registry/internal/config"
 	"github.com/modelcontextprotocol/registry/internal/database"
 	"github.com/modelcontextprotocol/registry/internal/service"
@@ -70,8 +71,23 @@ func main() {
 		}()
 	}
 
+	// Initialize authentication services
+	authService := auth.NewAuthService(cfg)
+
+	if cfg.RequireAuth {
+		log.Println("Authentication is required for package publishing")
+
+		if cfg.GithubClientID == "" || cfg.GithubClientSecret == "" {
+			log.Println("Warning: GitHub OAuth credentials not configured but authentication is required")
+		} else {
+			log.Println("GitHub OAuth authentication is configured")
+		}
+	} else {
+		log.Println("Authentication is optional for package publishing")
+	}
+
 	// Initialize HTTP server
-	server := api.NewServer(cfg, registryService)
+	server := api.NewServer(cfg, registryService, authService)
 
 	// Start server in a goroutine so it doesn't block signal handling
 	go func() {

internal/api/handlers/v0/auth.go

@@ -0,0 +1,117 @@
+// Package v0 contains API handlers for version 0 of the API
+package v0
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/modelcontextprotocol/registry/internal/auth"
+	"github.com/modelcontextprotocol/registry/internal/model"
+)
+
+// StartAuthHandler handles requests to start an authentication flow
+func StartAuthHandler(authService auth.Service) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Only allow POST method
+		if r.Method != http.MethodPost {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		// Read the request body
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, "Error reading request body", http.StatusBadRequest)
+			return
+		}
+		defer r.Body.Close()
+
+		// Parse request body into AuthRequest struct
+		var authReq struct {
+			Method  string `json:"method"`
+			RepoRef string `json:"repo_ref"`
+		}
+		err = json.Unmarshal(body, &authReq)
+		if err != nil {
+			http.Error(w, "Invalid request payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		// Validate required fields
+		if authReq.Method == "" {
+			http.Error(w, "Auth method is required", http.StatusBadRequest)
+			return
+		}
+
+		// Convert string method to enum type
+		var method model.AuthMethod
+		switch authReq.Method {
+		case "github":
+			method = model.AuthMethodGitHub
+		default:
+			http.Error(w, "Unsupported authentication method", http.StatusBadRequest)
+			return
+		}
+
+		// Start auth flow
+		flowInfo, statusToken, err := authService.StartAuthFlow(r.Context(), method, authReq.RepoRef)
+		if err != nil {
+			http.Error(w, "Failed to start auth flow: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		// Return successful response
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"flow_info":    flowInfo,
+			"status_token": statusToken,
+			"expires_in":   300, // 5 minutes
+		})
+	}
+}
+
+// CheckAuthStatusHandler handles requests to check the status of an authentication flow
+func CheckAuthStatusHandler(authService auth.Service) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Only allow GET method
+		if r.Method != http.MethodGet {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		// Get status token from query parameter
+		statusToken := r.URL.Query().Get("token")
+		if statusToken == "" {
+			http.Error(w, "Status token is required", http.StatusBadRequest)
+			return
+		}
+
+		// Check auth status
+		token, err := authService.CheckAuthStatus(r.Context(), statusToken)
+		if err != nil {
+			if err.Error() == "pending" {
+				// Auth is still pending
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				json.NewEncoder(w).Encode(map[string]interface{}{
+					"status": "pending",
+				})
+				return
+			}
+
+			// Other error
+			http.Error(w, "Failed to check auth status: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		// Authentication completed successfully
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"status": "complete",
+			"token":  token,
+		})
+	}
+}

internal/api/handlers/v0/publish.go

@@ -6,12 +6,24 @@ import (
 	"io"
 	"net/http"
 
+	"github.com/modelcontextprotocol/registry/internal/auth"
 	"github.com/modelcontextprotocol/registry/internal/model"
 	"github.com/modelcontextprotocol/registry/internal/service"
 )
 
+// httpError represents an HTTP error with a message and status code
+type httpError struct {
+	msg    string
+	status int
+}
+
+// Error returns the error message
+func (e *httpError) Error() string {
+	return e.msg
+}
+
 // PublishHandler handles requests to publish new server details to the registry
-func PublishHandler(registry service.RegistryService) http.HandlerFunc {
+func PublishHandler(registry service.RegistryService, authService auth.Service) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Only allow POST method
 		if r.Method != http.MethodPost {
@@ -27,26 +39,48 @@ func PublishHandler(registry service.RegistryService) http.HandlerFunc {
 		}
 		defer r.Body.Close()
 
-		// Parse request body into ServerDetail struct
-		var serverDetail model.ServerDetail
-		err = json.Unmarshal(body, &serverDetail)
+		// Parse request body into PublishRequest struct
+		var publishReq model.PublishRequest
+		err = json.Unmarshal(body, &publishReq)
 		if err != nil {
-			http.Error(w, "Invalid request payload", http.StatusBadRequest)
+			http.Error(w, "Invalid request payload: "+err.Error(), http.StatusBadRequest)
 			return
 		}
 
+		// Get server details from the request
+		serverDetail := publishReq.ServerDetail
+
 		// Validate required fields
 		if serverDetail.Name == "" {
 			http.Error(w, "Name is required", http.StatusBadRequest)
 			return
 		}
 
-		// version is required
+		// Version is required
 		if serverDetail.VersionDetail.Version == "" {
 			http.Error(w, "Version is required", http.StatusBadRequest)
 			return
 		}
 
+		// Validate authentication credentials
+		if authService != nil {
+			publishReq.Authentication.RepoRef = serverDetail.Name
+			valid, err := authService.ValidateAuth(r.Context(), publishReq.Authentication)
+			if err != nil {
+				if err == auth.ErrAuthRequired {
+					http.Error(w, "Authentication is required for publishing", http.StatusUnauthorized)
+					return
+				}
+				http.Error(w, "Authentication failed: "+err.Error(), http.StatusUnauthorized)
+				return
+			}
+
+			if !valid {
+				http.Error(w, "Invalid authentication credentials", http.StatusUnauthorized)
+				return
+			}
+		}
+
 		// Call the publish method on the registry service
 		err = registry.Publish(&serverDetail)
 		if err != nil {

internal/api/router/router.go

@@ -4,16 +4,17 @@ package router
 import (
 	"net/http"
 
+	"github.com/modelcontextprotocol/registry/internal/auth"
 	"github.com/modelcontextprotocol/registry/internal/config"
 	"github.com/modelcontextprotocol/registry/internal/service"
 )
 
 // New creates a new router with all API versions registered
-func New(cfg *config.Config, registry service.RegistryService) *http.ServeMux {
+func New(cfg *config.Config, registry service.RegistryService, authService auth.Service) *http.ServeMux {
 	mux := http.NewServeMux()
 
 	// Register routes for all API versions
-	RegisterV0Routes(mux, cfg, registry)
+	RegisterV0Routes(mux, cfg, registry, authService)
 
 	return mux
 }

internal/api/router/v0.go

@@ -5,18 +5,19 @@ import (
 	"net/http"
 
 	v0 "github.com/modelcontextprotocol/registry/internal/api/handlers/v0"
+	"github.com/modelcontextprotocol/registry/internal/auth"
 	"github.com/modelcontextprotocol/registry/internal/config"
 	"github.com/modelcontextprotocol/registry/internal/service"
 )
 
 // RegisterV0Routes registers all v0 API routes to the provided router
-func RegisterV0Routes(mux *http.ServeMux, cfg *config.Config, registry service.RegistryService) {
+func RegisterV0Routes(mux *http.ServeMux, cfg *config.Config, registry service.RegistryService, authService auth.Service) {
 	// Register v0 endpoints
 	mux.HandleFunc("/v0/health", v0.HealthHandler())
 	mux.HandleFunc("/v0/servers", v0.ServersHandler(registry))
 	mux.HandleFunc("/v0/servers/{id}", v0.ServersDetailHandler(registry))
 	mux.HandleFunc("/v0/ping", v0.PingHandler(cfg))
-	mux.HandleFunc("/v0/publish", v0.PublishHandler(registry))
+	mux.HandleFunc("/v0/publish", v0.PublishHandler(registry, authService))
 
 	// Register Swagger UI routes
 	mux.HandleFunc("/v0/swagger/", v0.SwaggerHandler())

internal/api/server.go

@@ -6,27 +6,30 @@ import (
 	"net/http"
 
 	"github.com/modelcontextprotocol/registry/internal/api/router"
+	"github.com/modelcontextprotocol/registry/internal/auth"
 	"github.com/modelcontextprotocol/registry/internal/config"
 	"github.com/modelcontextprotocol/registry/internal/service"
 )
 
 // Server represents the HTTP server
 type Server struct {
-	config   *config.Config
-	registry service.RegistryService
-	router   *http.ServeMux
-	server   *http.Server
+	config      *config.Config
+	registry    service.RegistryService
+	authService auth.Service
+	router      *http.ServeMux
+	server      *http.Server
 }
 
 // NewServer creates a new HTTP server
-func NewServer(cfg *config.Config, registryService service.RegistryService) *Server {
+func NewServer(cfg *config.Config, registryService service.RegistryService, authService auth.Service) *Server {
 	// Create router with all API versions registered
-	mux := router.New(cfg, registryService)
+	mux := router.New(cfg, registryService, authService)
 
 	server := &Server{
-		config:   cfg,
-		registry: registryService,
-		router:   mux,
+		config:      cfg,
+		registry:    registryService,
+		authService: authService,
+		router:      mux,
 		server: &http.Server{
 			Addr:    cfg.ServerAddress,
 			Handler: mux,

internal/auth/auth.go

@@ -0,0 +1,28 @@
+// Package auth provides authentication mechanisms for the MCP registry
+package auth
+
+import (
+	"context"
+	"errors"
+
+	"github.com/modelcontextprotocol/registry/internal/model"
+)
+
+var (
+	// ErrAuthRequired is returned when authentication is required but not provided
+	ErrAuthRequired = errors.New("authentication required")
+	// ErrUnsupportedAuthMethod is returned when an unsupported auth method is used
+	ErrUnsupportedAuthMethod = errors.New("unsupported authentication method")
+)
+
+// Service defines the authentication service interface
+type Service interface {
+	// StartAuthFlow initiates an authentication flow and returns the flow information
+	StartAuthFlow(ctx context.Context, method model.AuthMethod, repoRef string) (map[string]string, string, error)
+
+	// CheckAuthStatus checks the status of an authentication flow using a status token
+	CheckAuthStatus(ctx context.Context, statusToken string) (string, error)
+
+	// ValidateAuth validates the authentication credentials
+	ValidateAuth(ctx context.Context, auth model.Authentication) (bool, error)
+}