Address comments

Author: joelverhagen

internal/api/handlers/v0/auth/common.go

@@ -14,13 +14,16 @@ import (
 	"github.com/modelcontextprotocol/registry/internal/config"
 )
 
-// CoreTokenExchangeInput represents the common input structure for token exchange
-type CoreTokenExchangeInput struct {
+// SignatureTokenExchangeInput represents the common input structure for token exchange
+type SignatureTokenExchangeInput struct {
 	Domain          string `json:"domain" doc:"Domain name" example:"example.com" required:"true"`
 	Timestamp       string `json:"timestamp" doc:"RFC3339 timestamp" example:"2023-01-01T00:00:00Z" required:"true"`
 	SignedTimestamp string `json:"signed_timestamp" doc:"Hex-encoded Ed25519 signature of timestamp" example:"abcdef1234567890" required:"true"`
 }
 
+// KeyFetcher defines a function type for fetching keys from external sources
+type KeyFetcher func(ctx context.Context, domain string) ([]string, error)
+
 // CoreAuthHandler represents the common handler structure
 type CoreAuthHandler struct {
 	config     *config.Config
@@ -90,9 +93,6 @@ func BuildPermissions(domain string, includeSubdomains bool) []auth.Permission {
 	}
 
 	if includeSubdomains {
-		// DNS implies a hierarchy where subdomains are treated as part of the parent domain,
-		// therefore we grant permissions for all subdomains (e.g., com.example.*)
-		// This is in line with other DNS-based authentication methods e.g. ACME DNS-01 challenges
 		permissions = append(permissions, auth.Permission{
 			Action:          auth.PermissionActionPublish,
 			ResourcePattern: fmt.Sprintf("%s.*", reverseDomain),
@@ -120,6 +120,51 @@ func (h *CoreAuthHandler) CreateJWTClaimsAndToken(ctx context.Context, authMetho
 	return tokenResponse, nil
 }
 
+// ExchangeToken is a shared method for token exchange that takes a key fetcher function,
+// subdomain inclusion flag, and auth method
+func (h *CoreAuthHandler) ExchangeToken(
+	ctx context.Context,
+	domain, timestamp, signedTimestamp string,
+	keyFetcher KeyFetcher,
+	includeSubdomains bool,
+	authMethod auth.Method) (*auth.TokenResponse, error) {
+	_, err := ValidateDomainAndTimestamp(domain, timestamp)
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := DecodeAndValidateSignature(signedTimestamp)
+	if err != nil {
+		return nil, err
+	}
+
+	keyStrings, err := keyFetcher(ctx, domain)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch keys: %w", err)
+	}
+
+	publicKeys := ParseMCPKeysFromStrings(keyStrings)
+	if len(publicKeys) == 0 {
+		switch authMethod {
+		case auth.MethodHTTP:
+			return nil, fmt.Errorf("failed to parse public key")
+		case auth.MethodDNS:
+			return nil, fmt.Errorf("no valid MCP public keys found in DNS TXT records")
+		default:
+			return nil, fmt.Errorf("no valid MCP public keys found using %s authentication", authMethod)
+		}
+	}
+
+	messageBytes := []byte(timestamp)
+	if !VerifySignatureWithKeys(publicKeys, messageBytes, signature) {
+		return nil, fmt.Errorf("signature verification failed")
+	}
+
+	permissions := BuildPermissions(domain, includeSubdomains)
+
+	return h.CreateJWTClaimsAndToken(ctx, authMethod, domain, permissions)
+}
+
 func ParseMCPKeysFromStrings(inputs []string) []ed25519.PublicKey {
 	var publicKeys []ed25519.PublicKey
 	mcpPattern := regexp.MustCompile(`v=MCPv1;\s*k=ed25519;\s*p=([A-Za-z0-9+/=]+)`)

internal/api/handlers/v0/auth/dns.go

@@ -14,7 +14,7 @@ import (
 
 // DNSTokenExchangeInput represents the input for DNS-based authentication
 type DNSTokenExchangeInput struct {
-	Body CoreTokenExchangeInput
+	Body SignatureTokenExchangeInput
 }
 
 // DNSResolver defines the interface for DNS resolution
@@ -75,35 +75,18 @@ func RegisterDNSEndpoint(api huma.API, cfg *config.Config) {
 
 // ExchangeToken exchanges DNS signature for a Registry JWT token
 func (h *DNSAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error) {
-	_, err := ValidateDomainAndTimestamp(domain, timestamp)
-	if err != nil {
-		return nil, err
-	}
-
-	signature, err := DecodeAndValidateSignature(signedTimestamp)
-	if err != nil {
-		return nil, err
-	}
-
-	// Lookup DNS TXT records
-	txtRecords, err := h.resolver.LookupTXT(ctx, domain)
-	if err != nil {
-		return nil, fmt.Errorf("failed to lookup DNS TXT records: %w", err)
-	}
-
-	publicKeys := ParseMCPKeysFromStrings(txtRecords)
-
-	if len(publicKeys) == 0 {
-		return nil, fmt.Errorf("no valid MCP public keys found in DNS TXT records")
-	}
-
-	messageBytes := []byte(timestamp)
-	if !VerifySignatureWithKeys(publicKeys, messageBytes, signature) {
-		return nil, fmt.Errorf("signature verification failed")
+	keyFetcher := func(ctx context.Context, domain string) ([]string, error) {
+		// Lookup DNS TXT records
+		// DNS implies a hierarchy where subdomains are treated as part of the parent domain,
+		// therefore we grant permissions for all subdomains (e.g., com.example.*)
+		// This is in line with other DNS-based authentication methods e.g. ACME DNS-01 challenges
+		txtRecords, err := h.resolver.LookupTXT(ctx, domain)
+		if err != nil {
+			return nil, fmt.Errorf("failed to lookup DNS TXT records: %w", err)
+		}
+		return txtRecords, nil
 	}
 
-	// Build permissions for domain (DNS includes subdomains)
-	permissions := BuildPermissions(domain, true)
-
-	return h.CreateJWTClaimsAndToken(ctx, auth.MethodDNS, domain, permissions)
+	allowSubdomains := true
+	return h.CoreAuthHandler.ExchangeToken(ctx, domain, timestamp, signedTimestamp, keyFetcher, allowSubdomains, auth.MethodDNS)
 }

internal/api/handlers/v0/auth/http.go

@@ -19,7 +19,7 @@ const MaxKeyResponseSize = 4096
 
 // HTTPTokenExchangeInput represents the input for HTTP-based authentication
 type HTTPTokenExchangeInput struct {
-	Body CoreTokenExchangeInput
+	Body SignatureTokenExchangeInput
 }
 
 // HTTPKeyFetcher defines the interface for fetching HTTP keys
@@ -133,34 +133,14 @@ func RegisterHTTPEndpoint(api huma.API, cfg *config.Config) {
 
 // ExchangeToken exchanges HTTP signature for a Registry JWT token
 func (h *HTTPAuthHandler) ExchangeToken(ctx context.Context, domain, timestamp, signedTimestamp string) (*auth.TokenResponse, error) {
-	_, err := ValidateDomainAndTimestamp(domain, timestamp)
-	if err != nil {
-		return nil, err
-	}
-
-	signature, err := DecodeAndValidateSignature(signedTimestamp)
-	if err != nil {
-		return nil, err
-	}
-
-	// Fetch the key from well known HTTP endpoint
-	keyResponse, err := h.fetcher.FetchKey(ctx, domain)
-	if err != nil {
-		return nil, fmt.Errorf("failed to fetch public key: %w", err)
-	}
-
-	publicKeys := ParseMCPKeysFromStrings([]string{keyResponse})
-	if len(publicKeys) == 0 {
-		return nil, fmt.Errorf("failed to parse public key")
-	}
-
-	messageBytes := []byte(timestamp)
-	if !VerifySignatureWithKeys(publicKeys, messageBytes, signature) {
-		return nil, fmt.Errorf("signature verification failed")
+	keyFetcher := func(ctx context.Context, domain string) ([]string, error) {
+		keyResponse, err := h.fetcher.FetchKey(ctx, domain)
+		if err != nil {
+			return nil, fmt.Errorf("failed to fetch public key: %w", err)
+		}
+		return []string{keyResponse}, nil
 	}
 
-	// Build permissions for domain (HTTP does not include subdomains)
-	permissions := BuildPermissions(domain, false)
-
-	return h.CreateJWTClaimsAndToken(ctx, auth.MethodHTTP, domain, permissions)
+	allowSubdomains := false
+	return h.CoreAuthHandler.ExchangeToken(ctx, domain, timestamp, signedTimestamp, keyFetcher, allowSubdomains, auth.MethodHTTP)
 }