Wire OAuth resource-server support behind OAUTH_ENABLED (#71)

* Wire OAuth resource-server support behind OAUTH_ENABLED

When OAUTH_ENABLED is unset (the default) nothing changes: the
middleware is an identity function and the metadata paths serve 404.
When enabled:

- /mcp requires either an OAuth bearer token introspected against the
  authorization server with a matching audience, or a Render API key
  (passed through unchanged; OAUTH_API_KEY_PASSTHROUGH=false rejects
  API keys for strict OAuth-only deployments).
- The RFC 9728 protected-resource metadata document is served at the
  path-insertion well-known URI derived from the resource URI, plus the
  root form.

Configuration is validated at startup: OAUTH_AUTHORIZATION_SERVER_URL
and OAUTH_CANONICAL_RESOURCE_URI are required when enabled;
OAUTH_INTROSPECTION_SERVICE_TOKEN is optional.

Route assembly is extracted into newHTTPMux and covered by tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Declare OAUTH_INTROSPECTION_SERVICE_TOKEN in the blueprint

sync: false keeps the value dashboard-managed and out of the (public)
blueprint, matching OPENAI_VERIFICATION_TOKEN. Not load-bearing yet:
introspection is unauthenticated until service-token auth ships.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: 92f274e12bf8bb670e7fbf2b976e03721863d225

Author: 2 people

cmd/server.go

@@ -18,6 +18,7 @@ import (
 	"github.com/render-oss/render-mcp-server/pkg/logs"
 	"github.com/render-oss/render-mcp-server/pkg/metrics"
 	"github.com/render-oss/render-mcp-server/pkg/multicontext"
+	"github.com/render-oss/render-mcp-server/pkg/oauth"
 	"github.com/render-oss/render-mcp-server/pkg/owner"
 	"github.com/render-oss/render-mcp-server/pkg/postgres"
 	"github.com/render-oss/render-mcp-server/pkg/service"
@@ -72,21 +73,20 @@ func Serve(transport string) *server.MCPServer {
 			)),
 		)
 
-		mux := http.NewServeMux()
-		mux.Handle("/mcp", streamableServer)
-		if token := os.Getenv("OPENAI_VERIFICATION_TOKEN"); token != "" {
-			mux.HandleFunc("/.well-known/openai-apps-challenge", func(w http.ResponseWriter, r *http.Request) {
-				w.Header().Set("Content-Type", "text/plain")
-				w.Write([]byte(token))
-			})
+		// OAuth resource-server support is opt-in via OAUTH_ENABLED;
+		// pkg/oauth owns the gate. Fail at boot on misconfiguration.
+		oauthCfg, err := oauth.FromEnv()
+		if err != nil {
+			log.Fatalf("OAuth configuration: %v", err)
 		}
+		mux := newHTTPMux(streamableServer, oauthCfg, os.Getenv("OPENAI_VERIFICATION_TOKEN"))
 
 		httpServer := &http.Server{
 			Addr:        ":10000",
 			Handler:     logging.HTTPMiddleware(mux),
 			ReadTimeout: 5 * time.Second,
 		}
-		err := httpServer.ListenAndServe()
+		err = httpServer.ListenAndServe()
 		if err != nil {
 			log.Fatalf("Starting Streamable server: %v\n:", err)
 		}
@@ -102,3 +102,28 @@ func Serve(transport string) *server.MCPServer {
 
 	return s
 }
+
+// newHTTPMux serves /mcp behind the OAuth middleware plus the RFC 9728 metadata
+// routes. When OAuth is disabled the middleware is identity and metadata 404s,
+// so /mcp is unchanged. openAIToken, when set, serves the OpenAI app challenge.
+func newHTTPMux(mcpHandler http.Handler, oauthCfg oauth.Config, openAIToken string) *http.ServeMux {
+	oauthMiddleware := oauth.Middleware(oauthCfg, oauth.NewIntrospector(
+		oauthCfg.AuthorizationServerURL,
+		oauthCfg.IntrospectionServiceToken,
+		oauth.DefaultIntrospectionCacheTTL,
+	))
+
+	mux := http.NewServeMux()
+	mux.Handle("/mcp", oauthMiddleware(mcpHandler))
+	metadata := oauth.HandleProtectedResourceMetadata(oauthCfg)
+	for _, path := range oauthCfg.MetadataPaths() {
+		mux.HandleFunc(path, metadata)
+	}
+	if openAIToken != "" {
+		mux.HandleFunc("/.well-known/openai-apps-challenge", func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("Content-Type", "text/plain")
+			_, _ = w.Write([]byte(openAIToken))
+		})
+	}
+	return mux
+}

cmd/server_test.go

@@ -0,0 +1,78 @@
+package cmd
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/render-oss/render-mcp-server/pkg/oauth"
+	"github.com/stretchr/testify/require"
+)
+
+// recordingHandler stands in for the MCP server and reports whether it was reached.
+func recordingHandler() (http.Handler, *bool) {
+	called := false
+	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		called = true
+		w.WriteHeader(http.StatusOK)
+	})
+	return h, &called
+}
+
+func TestNewHTTPMux_OAuthDisabledIsPassthrough(t *testing.T) {
+	mcp, called := recordingHandler()
+	mux := newHTTPMux(mcp, oauth.Config{}, "")
+
+	// /mcp reaches the MCP handler with no challenge — unchanged from pre-OAuth.
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/mcp", nil))
+	require.True(t, *called)
+	require.Equal(t, http.StatusOK, rec.Code)
+	require.Empty(t, rec.Header().Get("WWW-Authenticate"))
+
+	// Metadata is not advertised when disabled.
+	rec = httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/.well-known/oauth-protected-resource", nil))
+	require.Equal(t, http.StatusNotFound, rec.Code)
+}
+
+func TestNewHTTPMux_OAuthEnabled(t *testing.T) {
+	cfg := oauth.Config{
+		Enabled:                true,
+		AuthorizationServerURL: "https://as.example.com",
+		CanonicalResourceURI:   "https://mcp.example.com/mcp",
+		APIKeyPassthrough:      true,
+	}
+	mcp, called := recordingHandler()
+	mux := newHTTPMux(mcp, cfg, "")
+
+	// Path-aware RFC 9728 metadata is served.
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/.well-known/oauth-protected-resource/mcp", nil))
+	require.Equal(t, http.StatusOK, rec.Code)
+	require.Contains(t, rec.Body.String(), cfg.CanonicalResourceURI)
+
+	// /mcp without credentials is challenged and the MCP handler is not reached.
+	rec = httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/mcp", nil))
+	require.Equal(t, http.StatusUnauthorized, rec.Code)
+	require.Contains(t, rec.Header().Get("WWW-Authenticate"), "resource_metadata=")
+	require.False(t, *called)
+}
+
+func TestNewHTTPMux_OpenAIChallenge(t *testing.T) {
+	mcp, _ := recordingHandler()
+
+	// Served only when the token is configured.
+	mux := newHTTPMux(mcp, oauth.Config{}, "verify-token")
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/.well-known/openai-apps-challenge", nil))
+	require.Equal(t, http.StatusOK, rec.Code)
+	require.Equal(t, "verify-token", rec.Body.String())
+
+	// Absent token: the route is not registered.
+	mux = newHTTPMux(mcp, oauth.Config{}, "")
+	rec = httptest.NewRecorder()
+	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/.well-known/openai-apps-challenge", nil))
+	require.Equal(t, http.StatusNotFound, rec.Code)
+}

render.yaml

@@ -13,6 +13,8 @@ services:
   envVars:
   - key: OPENAI_VERIFICATION_TOKEN
     sync: false
+  - key: OAUTH_INTROSPECTION_SERVICE_TOKEN
+    sync: false
   - key: REDIS_URL
     fromService:
       name: mcp-kv