Add OAuth 2.1 resource-server package (#70)

* Add OAuth 2.1 resource-server package

pkg/oauth implements the resource-server side of OAuth for the MCP
server, validated against the authorization server by RFC 7662 token
introspection (the MCP server has no direct access to token storage):

- Config loaded from OAUTH_* env vars, validated at startup, with the
  resource URI held in RFC 3986 canonical form so audience comparison
  is immune to equivalent spellings.
- RFC 9728 protected-resource metadata document, served at both the
  path-insertion well-known URI (RFC 9728 section 3.1) and the root
  form.
- RFC 6750 bearer middleware: introspected OAuth tokens are checked
  against this server's audience; non-OAuth bearers pass through to the
  Render API unchanged so existing API-key users are unaffected.
  Introspection outages fail closed as 503, not invalid_token, so
  clients don't discard valid tokens during a blip.
- Introspection client with a bounded in-process cache (sha256 keys,
  TTL capped by token expiry, negative caching) and collapsing of
  concurrent lookups for the same token.

Nothing is wired into the server yet; that lands separately behind
OAUTH_ENABLED.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Reject query and fragment components in OAuth config URLs

A query on either URL would corrupt derived URLs built by concatenation
(the introspection endpoint, the RFC 9728 path-insertion metadata URL —
which previously dropped the query while audience matching preserved
it), and RFC 8707 forbids fragments in resource indicators. Neither
component identifies anything for these values, so fail at startup
instead of carrying them inconsistently.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Accept bare API keys through the OAuth middleware and harden config edges

Round-2 self-review fixes:

- Clients may send API keys without the Bearer scheme — the existing
  header parsing accepts that, so enabling OAuth must not 401 them.
  Credential extraction moves to a shared authn.BearerToken helper
  (strip the scheme case-insensitively when present, else use the raw
  value) so the middleware and the server's context func can never
  disagree about what the credential is. Bare credentials flow through
  the same introspection path: bare API keys pass through exactly as
  before, and a bare OAuth token still gets the full audience check.
- Boolean env vars now reject unrecognized values instead of silently
  treating them as false: OAUTH_ENABLED=on previously disabled OAuth
  and skipped all startup validation; a typo'd OAUTH_API_KEY_PASSTHROUGH
  silently enabled strict mode.
- The query/fragment guard checks the raw string, catching a bare
  trailing "?" or "#" (url.Parse reports those as no query/fragment)
  that would corrupt the concatenated introspection URL.
- Audience values are canonicalized once at decode, so the per-request
  audience check is plain string equality; the middleware canonicalizes
  its configured resource at construction so hand-built Configs can't
  silently break matching, and precomputes the challenge string.
- Client disconnects while waiting on introspection are no longer
  logged as introspection failures (they'd pollute the outage signal).
- The introspection 401 error distinguishes "no service token
  configured" from "service token rejected".
- Drop the unused IssuedAt field; consolidate duplicate test fixtures.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Use BearerToken in ContextWithAPITokenFromHeader

The helper's contract is that every Authorization parser goes through
it; adopt it at the one existing parse site in the same PR that
introduces it. Behavior change is limited to case-variant schemes
("bearer x"), which RFC 7235 says must be accepted and which previously
failed downstream with the prefix left in place.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Address PR review: split cache file, nearest-expiry eviction, table tests

- Move tokenCache into its own file (tokencache.go) so introspect.go is
  just the introspection client; tests move alongside it.
- Eviction now drops the entries closest to expiry (not arbitrary
  map-iteration order) down to three-quarters capacity, so it sheds the
  entries with the least useful life left and the policy is described
  accurately.
- Collapse the formulaic FromEnv validation-error subtests into a
  table (TestFromEnv_Errors); behavior coverage is unchanged.
- Note in wellknown.go that the metadata body is marshaled once at
  startup, not per request.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Address review: table-driven middleware/metadata tests, trim comments

Per review feedback (wendorf):
- Collapse the per-case TestMiddleware_* functions into one
  input→output table (the structurally different disabled-identity
  case stays separate); same for the TestHandleProtectedResourceMetadata
  status matrix, with the JSON document-shape assertions kept as a
  focused test.
- Tighten the wordier doc comments (Introspector, Introspect,
  canonicalResourceURI, evictLocked, APIKeyPassthrough) without
  dropping the rationale.
- Drop the self-evident fakeAS doc comment.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Use Lock/defer Unlock consistently in test helpers

Adopt the Lock() / defer Unlock() idiom in the two test lock sites that
released manually before a trailing non-critical call. The early unlock
saved nothing here, and the deferred form is harder to get wrong and
consistent with the rest of the package.

The singleflight in Introspect keeps its manual unlock on purpose: it
releases the lock before the introspection network call, so concurrent
lookups don't serialize behind one request.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
GitOrigin-RevId: e1e811c99d6e311cbdefa824267beceb7fc6b253

Author: 2 people

pkg/authn/authn.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"log"
 	"net/http"
+	"strings"
 
 	"github.com/render-oss/render-mcp-server/pkg/cfg"
 	"github.com/render-oss/render-mcp-server/pkg/logging"
@@ -25,6 +26,18 @@ func ContextWithAPIToken(ctx context.Context, token string) context.Context {
 	return context.WithValue(ctx, apiTokenKey, token)
 }
 
+// BearerToken extracts the credential from an Authorization header value: the
+// value with its "Bearer " prefix removed (case-insensitively, per RFC 7235)
+// when present, otherwise the value unchanged — some MCP clients send bare
+// tokens without the scheme. Every parser of the Authorization header must go
+// through this so they can't disagree about what the credential is.
+func BearerToken(headerValue string) string {
+	if len(headerValue) > 7 && strings.EqualFold(headerValue[:7], "Bearer ") {
+		return headerValue[7:]
+	}
+	return headerValue
+}
+
 func ContextWithAPITokenFromHeader(ctx context.Context, req *http.Request) context.Context {
 	token := req.Header.Get("Authorization")
 
@@ -33,13 +46,7 @@ func ContextWithAPITokenFromHeader(ctx context.Context, req *http.Request) conte
 		return ctx
 	}
 
-	// Note: we strip the "Bearer " prefix if it exists
-	// MCP Inspector attaches this prefix automatically, but it's unclear how standard this is
-	if len(token) > 7 && token[:7] == "Bearer " {
-		token = token[7:]
-	}
-
-	return ContextWithAPIToken(ctx, token)
+	return ContextWithAPIToken(ctx, BearerToken(token))
 }
 
 func ContextWithAPITokenFromConfig(ctx context.Context) context.Context {

pkg/authn/authn_test.go

@@ -0,0 +1,28 @@
+package authn_test
+
+import (
+	"testing"
+
+	"github.com/render-oss/render-mcp-server/pkg/authn"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBearerToken(t *testing.T) {
+	cases := map[string]struct {
+		in   string
+		want string
+	}{
+		"strips the Bearer prefix":       {"Bearer rnd_abc", "rnd_abc"},
+		"strips case-insensitively":      {"bearer rnd_abc", "rnd_abc"},
+		"bare token passes through":      {"rnd_abc", "rnd_abc"},
+		"other schemes pass through":     {"Basic dXNlcjpwYXNz", "Basic dXNlcjpwYXNz"},
+		"empty stays empty":              {"", ""},
+		"prefix without a token is bare": {"Bearer ", "Bearer "},
+		"prefix must end with the space": {"Bearerrnd_abc", "Bearerrnd_abc"},
+	}
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			require.Equal(t, tc.want, authn.BearerToken(tc.in))
+		})
+	}
+}

pkg/oauth/config.go

@@ -0,0 +1,188 @@
+// Package oauth implements the OAuth 2.1 resource-server pieces of the Render
+// MCP server: RFC 9728 protected-resource metadata, RFC 6750 bearer-token
+// middleware, and a cached RFC 7662 token-introspection client.
+//
+// The MCP server has no direct access to token storage — it validates bearer
+// tokens by calling the authorization server's introspection endpoint.
+package oauth
+
+import (
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+)
+
+const wellKnownPath = "/.well-known/oauth-protected-resource"
+
+// Config is the OAuth resource-server configuration, loaded from environment
+// variables by FromEnv.
+type Config struct {
+	// Enabled gates the OAuth middleware. When false the server keeps its
+	// pre-OAuth behavior — bearer tokens pass through to the Render API
+	// unchanged — so enabling OAuth is opt-in per deployment.
+	Enabled bool
+
+	// AuthorizationServerURL is the base URL of the authorization server. It
+	// is advertised in the protected-resource metadata and used to build the
+	// introspection endpoint URL.
+	AuthorizationServerURL string
+
+	// CanonicalResourceURI identifies this resource server. Tokens are
+	// accepted only when their introspected audience matches it. Held in
+	// canonical form (see canonicalResourceURI).
+	CanonicalResourceURI string
+
+	// IntrospectionServiceToken optionally authenticates this server to the
+	// introspection endpoint.
+	IntrospectionServiceToken string
+
+	// APIKeyPassthrough decides what happens to tokens the authorization
+	// server reports inactive (e.g. Render API keys, which aren't OAuth
+	// tokens). True (default) forwards them to the Render API so API-key users
+	// keep working; false rejects them (strict OAuth-only mode).
+	APIKeyPassthrough bool
+}
+
+// FromEnv builds a Config from OAUTH_* environment variables. When
+// OAUTH_ENABLED is unset (or not "true"/"1"/"yes") it returns a disabled
+// Config and ignores every other variable; when set, the URL variables are
+// required and validated so a misconfigured deployment fails at startup
+// instead of rejecting every request.
+func FromEnv() (Config, error) {
+	enabled, err := boolEnv("OAUTH_ENABLED", false)
+	if err != nil {
+		return Config{}, err
+	}
+	if !enabled {
+		return Config{}, nil
+	}
+	authServer, err := requiredURLEnv("OAUTH_AUTHORIZATION_SERVER_URL")
+	if err != nil {
+		return Config{}, err
+	}
+	resource, err := requiredURLEnv("OAUTH_CANONICAL_RESOURCE_URI")
+	if err != nil {
+		return Config{}, err
+	}
+	passthrough, err := boolEnv("OAUTH_API_KEY_PASSTHROUGH", true)
+	if err != nil {
+		return Config{}, err
+	}
+	return Config{
+		Enabled:                   true,
+		AuthorizationServerURL:    strings.TrimRight(authServer, "/"),
+		CanonicalResourceURI:      canonicalResourceURI(resource),
+		IntrospectionServiceToken: os.Getenv("OAUTH_INTROSPECTION_SERVICE_TOKEN"),
+		APIKeyPassthrough:         passthrough,
+	}, nil
+}
+
+// MetadataPaths returns the request paths that serve the protected-resource
+// metadata document: the RFC 9728 §3.1 path-insertion form derived from the
+// resource URI (resource https://host/mcp → /.well-known/oauth-protected-resource/mcp)
+// plus the root form for clients that probe it directly.
+func (c Config) MetadataPaths() []string {
+	if p := metadataPath(c.CanonicalResourceURI); p != wellKnownPath {
+		return []string{p, wellKnownPath}
+	}
+	return []string{wellKnownPath}
+}
+
+// MetadataURL returns the absolute URL of the protected-resource metadata
+// document, sent in WWW-Authenticate challenges so clients can discover the
+// authorization server.
+func (c Config) MetadataURL() string {
+	u, err := url.Parse(c.CanonicalResourceURI)
+	if err != nil || u.Scheme == "" || u.Host == "" {
+		return strings.TrimRight(c.CanonicalResourceURI, "/") + wellKnownPath
+	}
+	return u.Scheme + "://" + u.Host + metadataPath(c.CanonicalResourceURI)
+}
+
+// metadataPath is the RFC 9728 §3.1 well-known path for a resource URI: the
+// well-known segment inserted between the host and the resource's path.
+func metadataPath(canonicalResource string) string {
+	u, err := url.Parse(canonicalResource)
+	if err != nil || u.EscapedPath() == "" || u.EscapedPath() == "/" {
+		return wellKnownPath
+	}
+	return wellKnownPath + u.EscapedPath()
+}
+
+// canonicalResourceURI normalizes an RFC 8707 resource indicator (RFC 3986 §6)
+// so equivalent spellings compare equal: scheme/host lowercased, default ports
+// dropped, bare "/" path treated as none; path, query, and fragment are
+// otherwise preserved. It mirrors the authorization server's audience
+// normalization so matching can't be defeated by spelling on either side.
+// Unparseable values are returned unchanged (they fail matching anyway).
+func canonicalResourceURI(raw string) string {
+	u, err := url.Parse(raw)
+	if err != nil || u.Scheme == "" || u.Host == "" {
+		return raw
+	}
+	u.Scheme = strings.ToLower(u.Scheme)
+	u.Host = strings.ToLower(u.Host)
+	if (u.Scheme == "https" && u.Port() == "443") || (u.Scheme == "http" && u.Port() == "80") {
+		// Hostname() strips the brackets from IPv6 literals ("[::1]" → "::1"),
+		// so re-bracket before assigning back to Host.
+		host := u.Hostname()
+		if strings.Contains(host, ":") {
+			host = "[" + host + "]"
+		}
+		u.Host = host
+	}
+	if u.Path == "/" {
+		u.Path = ""
+	}
+	return u.String()
+}
+
+func requiredURLEnv(name string) (string, error) {
+	v := strings.TrimSpace(os.Getenv(name))
+	if v == "" {
+		return "", fmt.Errorf("%s is required when OAUTH_ENABLED is set", name)
+	}
+	u, err := url.Parse(v)
+	if err != nil {
+		return "", fmt.Errorf("%s: %w", name, err)
+	}
+	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
+		return "", fmt.Errorf("%s must be an absolute http(s) URL, got %q", name, v)
+	}
+	// A query would corrupt URLs derived by concatenation (the introspection
+	// endpoint, the RFC 9728 path-insertion metadata URL), and RFC 8707
+	// forbids fragments in resource indicators. Neither identifies anything
+	// here; reject rather than carry them inconsistently. Checked on the raw
+	// string so a bare trailing "?" or "#" (empty query/fragment, which
+	// url.Parse reports as no query/fragment) can't slip through.
+	if strings.ContainsAny(v, "?#") {
+		return "", fmt.Errorf("%s must not contain a query or fragment, got %q", name, v)
+	}
+	// These values are embedded in the WWW-Authenticate header, whose
+	// quoted-string grammar can't carry non-ASCII; require the encoded form
+	// (punycode hosts, percent-encoded paths) up front.
+	for j := 0; j < len(v); j++ {
+		if v[j] <= 0x20 || v[j] > 0x7e {
+			return "", fmt.Errorf("%s must be printable ASCII (punycode / percent-encoded), got %q", name, v)
+		}
+	}
+	return v, nil
+}
+
+// boolEnv parses a boolean environment variable, returning def when unset.
+// Unrecognized values are an error rather than silently false — for these
+// flags a typo must not flip a security posture unnoticed.
+func boolEnv(name string, def bool) (bool, error) {
+	v := strings.ToLower(strings.TrimSpace(os.Getenv(name)))
+	switch v {
+	case "":
+		return def, nil
+	case "true", "1", "yes":
+		return true, nil
+	case "false", "0", "no":
+		return false, nil
+	default:
+		return false, fmt.Errorf("%s must be true or false (also accepted: 1/0, yes/no), got %q", name, os.Getenv(name))
+	}
+}