feat(auth): implementa OAuth 2.0 per MCP con supporto Bearer token e login GitHub

Aggiunge authorization server OAuth 2.0 completo con discovery endpoint, dynamic client registration e PKCE per integrazione MCP con Claude Code, unifica callback OAuth per browser e MCP, migliora frontend con status authentication cliccabile

Author: strawberry-code

.env.example

@@ -3,7 +3,7 @@
 
 # GitHub OAuth (required for authentication)
 # Create an OAuth App at: https://github.com/settings/developers
-# Set callback URL to: http://localhost:8080/auth/callback
+# Set callback URL to: http://localhost:8080/oauth/github-callback
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
 

.gitignore

@@ -44,5 +44,7 @@ markdown_urls.txt
 # Docker/Container
 .env
 users.yaml
+docker-compose.yml
 !docker/users.yaml.example
+!docker-compose.yml.example
 !.env.example

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Changelog
+
+Tutte le modifiche rilevanti al progetto sono documentate in questo file.
+
+Il formato segue [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+e il progetto aderisce al [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2025-12-02
+
+### Aggiunto
+- OAuth 2.0 Authorization Server per MCP (RFC 8414, RFC 7591)
+- Supporto Bearer token per autenticazione API e MCP
+- Dynamic Client Registration per client MCP
+- PKCE support (S256 e plain) per OAuth flow
+- Frontend: status light "Authenticated" cliccabile con modal login GitHub
+- Endpoint discovery `.well-known/oauth-authorization-server`
+- Docker Compose example con configurazione OAuth
+- Favicon SVG per frontend
+
+### Modificato
+- AuthMiddleware supporta sia session cookie che Bearer token
+- Callback OAuth unificato per browser e MCP (`/oauth/github-callback`)
+- Migliorata gestione errori nel middleware (JSONResponse invece di HTTPException)
+- Aggiornato .gitignore per escludere docker-compose.yml e file sensibili
+
+### Sicurezza
+- Tutte le credenziali lette da variabili d'ambiente
+- Session token firmati con itsdangerous
+- CSRF protection con state parameter OAuth
+- Whitelist utenti autorizzati via YAML

Dockerfile

@@ -39,8 +39,14 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # Install Ollama
 RUN curl -fsSL https://ollama.ai/install.sh | sh
 
-# Install Qdrant (standalone binary)
-RUN curl -L https://github.com/qdrant/qdrant/releases/download/v1.12.4/qdrant-x86_64-unknown-linux-musl.tar.gz | \
+# Install Qdrant (standalone binary - architecture aware)
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then \
+        QDRANT_ARCH="aarch64-unknown-linux-musl"; \
+    else \
+        QDRANT_ARCH="x86_64-unknown-linux-musl"; \
+    fi && \
+    curl -L "https://github.com/qdrant/qdrant/releases/download/v1.12.4/qdrant-${QDRANT_ARCH}.tar.gz" | \
     tar xz -C /usr/local/bin
 
 # Copy virtual environment from builder

Dockerfile.tika

@@ -37,14 +37,22 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     openjdk-17-jre-headless \
     && rm -rf /var/lib/apt/lists/*
 
-# Set Java environment
-ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+# Set Java environment (create symlink to avoid architecture-specific path)
+RUN ln -s /usr/lib/jvm/java-17-openjdk-* /usr/lib/jvm/java-17
+ENV JAVA_HOME=/usr/lib/jvm/java-17
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
 
 # Install Ollama
 RUN curl -fsSL https://ollama.ai/install.sh | sh
 
-# Install Qdrant (standalone binary)
-RUN curl -L https://github.com/qdrant/qdrant/releases/download/v1.12.4/qdrant-x86_64-unknown-linux-musl.tar.gz | \
+# Install Qdrant (standalone binary - architecture aware)
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then \
+        QDRANT_ARCH="aarch64-unknown-linux-musl"; \
+    else \
+        QDRANT_ARCH="x86_64-unknown-linux-musl"; \
+    fi && \
+    curl -L "https://github.com/qdrant/qdrant/releases/download/v1.12.4/qdrant-${QDRANT_ARCH}.tar.gz" | \
     tar xz -C /usr/local/bin
 
 # Copy virtual environment from builder

api/auth.py

@@ -140,7 +140,7 @@ async def login(request: Request):
     state = secrets.token_urlsafe(32)
 
     # Store state in cookie (short-lived)
-    redirect_uri = f"{BASE_URL}/auth/callback"
+    redirect_uri = f"{BASE_URL}/oauth/github-callback"
     auth_url = (
         f"{GITHUB_AUTH_URL}?"
         f"client_id={GITHUB_CLIENT_ID}&"

api/main.py

@@ -16,7 +16,7 @@
 from starlette.responses import Response
 
 from api.routes import collections, upload, search, system, mcp
-from api import auth
+from api import auth, oauth
 from api.middleware.auth_middleware import AuthMiddleware
 
 # Metrics
@@ -80,6 +80,7 @@ async def metrics_middleware(request: Request, call_next):
 app.add_middleware(AuthMiddleware)
 
 # Include routers
+app.include_router(oauth.router, tags=["OAuth"])  # OAuth at root for .well-known paths
 app.include_router(auth.router, prefix="/auth", tags=["Authentication"])
 app.include_router(collections.router, prefix="/api/collections", tags=["Collections"])
 app.include_router(upload.router, prefix="/api", tags=["Upload"])
@@ -157,6 +158,25 @@ async def metrics():
     app.mount("/static", StaticFiles(directory=str(FRONTEND_DIR / "static")), name="static")
 
 
+# Serve favicon
+@app.get("/favicon.ico", tags=["Frontend"], include_in_schema=False)
+@app.get("/favicon.svg", tags=["Frontend"], include_in_schema=False)
+async def serve_favicon():
+    """Serve favicon."""
+    favicon_path = FRONTEND_DIR / "static" / "favicon.svg"
+    if favicon_path.exists():
+        return FileResponse(str(favicon_path), media_type="image/svg+xml")
+    return Response(status_code=204)
+
+
+# Serve apple touch icons (return 204 No Content to suppress 404)
+@app.get("/apple-touch-icon.png", tags=["Frontend"], include_in_schema=False)
+@app.get("/apple-touch-icon-precomposed.png", tags=["Frontend"], include_in_schema=False)
+async def serve_apple_icon():
+    """Serve apple touch icon (or empty response)."""
+    return Response(status_code=204)
+
+
 # Serve frontend SPA (catch-all for client-side routing)
 @app.get("/", tags=["Frontend"])
 @app.get("/dashboard", tags=["Frontend"])

api/middleware/auth_middleware.py

@@ -2,13 +2,15 @@
 Authentication middleware for FastAPI.
 
 Protects routes based on authentication status and configuration.
+Supports both session cookies and Bearer tokens for OAuth 2.0.
 """
 
 from fastapi import Request, HTTPException
-from fastapi.responses import RedirectResponse
+from fastapi.responses import RedirectResponse, JSONResponse
 from starlette.middleware.base import BaseHTTPMiddleware
 
 from api.auth import is_auth_enabled, get_current_user
+from api.oauth import validate_bearer_token
 
 
 # Paths that don't require authentication
@@ -23,13 +25,16 @@
     "/api/redoc",
     "/api/openapi.json",
     "/static",
-    "/favicon.ico"
+    "/favicon.ico",
+    "/register",  # OAuth dynamic client registration
 }
 
 # Path prefixes that don't require authentication
 PUBLIC_PREFIXES = (
     "/static/",
     "/auth/",
+    "/.well-known/",  # OAuth discovery endpoints
+    "/oauth/",  # OAuth endpoints (authorize, token, register)
 )
 
 
@@ -73,21 +78,32 @@ async def dispatch(self, request: Request, call_next):
         if not is_auth_enabled():
             return await call_next(request)
 
-        # Check authentication
+        # Check for Bearer token first (for MCP/API clients)
+        auth_header = request.headers.get("Authorization", "")
+        if auth_header.startswith("Bearer "):
+            token = auth_header[7:]  # Remove "Bearer " prefix
+            token_data = validate_bearer_token(token)
+            if token_data:
+                # Token is valid, continue
+                request.state.user = token_data
+                return await call_next(request)
+
+        # Check session cookie (for browser users)
         user = get_current_user(request)
 
         if not user:
-            # API routes return 401
+            # API routes return 401 JSON response
             if path.startswith("/api/") or path.startswith("/mcp/"):
-                raise HTTPException(
+                return JSONResponse(
                     status_code=401,
-                    detail="Authentication required"
+                    content={"detail": "Authentication required"}
                 )
 
             # Browser routes redirect to login
             return RedirectResponse(url="/auth/login", status_code=302)
 
         # User is authenticated, continue
+        request.state.user = user
         return await call_next(request)
 
 
@@ -96,6 +112,7 @@ def require_auth(request: Request) -> dict:
     Dependency to require authentication.
 
     Use as a FastAPI dependency on routes that need auth.
+    Supports both session cookies and Bearer tokens.
 
     Args:
         request: FastAPI request
@@ -109,11 +126,24 @@ def require_auth(request: Request) -> dict:
     if not is_auth_enabled():
         return {"username": "anonymous", "authenticated": False}
 
+    # Check for Bearer token first
+    auth_header = request.headers.get("Authorization", "")
+    if auth_header.startswith("Bearer "):
+        token = auth_header[7:]
+        token_data = validate_bearer_token(token)
+        if token_data:
+            return {
+                "username": token_data.get("username"),
+                "authenticated": True,
+                "auth_type": "bearer"
+            }
+
+    # Check session cookie
     user = get_current_user(request)
     if not user:
         raise HTTPException(
             status_code=401,
             detail="Authentication required"
         )
 
-    return user
+    return {**user, "auth_type": "session"}