Add http server with github app auth

Huw-man · Huw-man · commit 13035424cce2 · 2025-07-22T15:03:43.000-07:00
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -58,6 +58,53 @@ var (
 			return ghmcp.RunStdioServer(stdioServerConfig)
 		},
 	}
+
+	httpCmd = &cobra.Command{
+		Use:   "http",
+		Short: "Start HTTP server",
+		Long:  `Start a server that communicates via HTTP using the Streamable-HTTP transport.`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			// Check if we have either a personal access token or GitHub App credentials
+			token := viper.GetString("personal_access_token")
+			appID := viper.GetString("app_id")
+			appPrivateKey := viper.GetString("app_private_key")
+			enableGitHubAppAuth := viper.GetBool("enable_github_app_auth")
+
+			if token == "" && (!enableGitHubAppAuth || appID == "" || appPrivateKey == "") {
+				return errors.New("either GITHUB_PERSONAL_ACCESS_TOKEN or GitHub App credentials (GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY) must be set")
+			}
+
+			// If you're wondering why we're not using viper.GetStringSlice("toolsets"),
+			// it's because viper doesn't handle comma-separated values correctly for env
+			// vars when using GetStringSlice.
+			// https://github.com/spf13/viper/issues/380
+			var enabledToolsets []string
+			if err := viper.UnmarshalKey("toolsets", &enabledToolsets); err != nil {
+				return fmt.Errorf("failed to unmarshal toolsets: %w", err)
+			}
+
+			httpServerConfig := ghmcp.HttpServerConfig{
+				Version:              version,
+				Host:                 viper.GetString("host"),
+				Token:                token,
+				EnabledToolsets:      enabledToolsets,
+				DynamicToolsets:      viper.GetBool("dynamic_toolsets"),
+				ReadOnly:             viper.GetBool("read-only"),
+				ExportTranslations:   viper.GetBool("export-translations"),
+				EnableCommandLogging: viper.GetBool("enable-command-logging"),
+				LogFilePath:          viper.GetString("log-file"),
+				Address:              viper.GetString("http_address"),
+				MCPPath:              viper.GetString("http_mcp_path"),
+				EnableCORS:           viper.GetBool("http_enable_cors"),
+				AppID:                appID,
+				AppPrivateKey:        appPrivateKey,
+				EnableGitHubAppAuth:  enableGitHubAppAuth,
+				InstallationIDHeader: viper.GetString("installation_id_header"),
+			}
+
+			return ghmcp.RunHTTPServer(httpServerConfig)
+		},
+	}
 )
 
 func init() {
@@ -74,17 +121,36 @@ func init() {
 	rootCmd.PersistentFlags().Bool("export-translations", false, "Save translations to a JSON file")
 	rootCmd.PersistentFlags().String("gh-host", "", "Specify the GitHub hostname (for GitHub Enterprise etc.)")
 
-	// Bind flag to viper
+	// GitHub App authentication flags
+	rootCmd.PersistentFlags().String("app-id", "", "GitHub App ID for authentication")
+	rootCmd.PersistentFlags().String("app-private-key", "", "GitHub App private key for authentication")
+	rootCmd.PersistentFlags().Bool("enable-github-app-auth", false, "Enable GitHub App authentication via custom headers")
+	rootCmd.PersistentFlags().String("installation-id-header", "X-GitHub-Installation-ID", "Custom header name to read installation ID from")
+
+	// HTTP server specific flags
+	httpCmd.Flags().String("http-address", ":8080", "HTTP server address to bind to")
+	httpCmd.Flags().String("http-mcp-path", "/mcp", "HTTP path for MCP endpoint")
+	httpCmd.Flags().Bool("http-enable-cors", false, "Enable CORS for cross-origin requests")
+
+	// Bind flags to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
 	_ = viper.BindPFlag("dynamic_toolsets", rootCmd.PersistentFlags().Lookup("dynamic-toolsets"))
 	_ = viper.BindPFlag("read-only", rootCmd.PersistentFlags().Lookup("read-only"))
 	_ = viper.BindPFlag("log-file", rootCmd.PersistentFlags().Lookup("log-file"))
 	_ = viper.BindPFlag("enable-command-logging", rootCmd.PersistentFlags().Lookup("enable-command-logging"))
 	_ = viper.BindPFlag("export-translations", rootCmd.PersistentFlags().Lookup("export-translations"))
 	_ = viper.BindPFlag("host", rootCmd.PersistentFlags().Lookup("gh-host"))
+	_ = viper.BindPFlag("app_id", rootCmd.PersistentFlags().Lookup("app-id"))
+	_ = viper.BindPFlag("app_private_key", rootCmd.PersistentFlags().Lookup("app-private-key"))
+	_ = viper.BindPFlag("enable_github_app_auth", rootCmd.PersistentFlags().Lookup("enable-github-app-auth"))
+	_ = viper.BindPFlag("installation_id_header", rootCmd.PersistentFlags().Lookup("installation-id-header"))
+	_ = viper.BindPFlag("http_address", httpCmd.Flags().Lookup("http-address"))
+	_ = viper.BindPFlag("http_mcp_path", httpCmd.Flags().Lookup("http-mcp-path"))
+	_ = viper.BindPFlag("http_enable_cors", httpCmd.Flags().Lookup("http-enable-cors"))
 
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
+	rootCmd.AddCommand(httpCmd)
 }
 
 func initConfig() {
diff --git a/internal/ghmcp/http_server.go b/internal/ghmcp/http_server.go
@@ -0,0 +1,229 @@
+package ghmcp
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"strconv"
+	"syscall"
+	"time"
+
+	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/mark3labs/mcp-go/server"
+	"github.com/sirupsen/logrus"
+)
+
+type HttpServerConfig struct {
+	// Version of the server
+	Version string
+
+	// GitHub Host to target for API requests (e.g. github.com or github.enterprise.com)
+	Host string
+
+	// GitHub Token to authenticate with the GitHub API
+	Token string
+
+	// EnabledToolsets is a list of toolsets to enable
+	// See: https://github.com/github/github-mcp-server?tab=readme-ov-file#tool-configuration
+	EnabledToolsets []string
+
+	// Whether to enable dynamic toolsets
+	// See: https://github.com/github/github-mcp-server?tab=readme-ov-file#dynamic-tool-discovery
+	DynamicToolsets bool
+
+	// ReadOnly indicates if we should only register read-only tools
+	ReadOnly bool
+
+	// ExportTranslations indicates if we should export translations
+	// See: https://github.com/github/github-mcp-server?tab=readme-ov-file#i18n--overriding-descriptions
+	ExportTranslations bool
+
+	// EnableCommandLogging indicates if we should log commands
+	EnableCommandLogging bool
+
+	// Path to the log file if not stderr
+	LogFilePath string
+
+	// HTTP server configuration
+	Address string
+
+	// MCP endpoint path (defaults to "/mcp")
+	MCPPath string
+
+	// Enable CORS for cross-origin requests
+	EnableCORS bool
+
+	// GITHUB APP ID
+	AppID string
+
+	// GITHUB APP PRIVATE KEY
+	AppPrivateKey string
+
+	// Whether to enable GitHub App authentication via headers
+	EnableGitHubAppAuth bool
+
+	// Custom header name to read installation ID from (defaults to "X-GitHub-Installation-ID")
+	InstallationIDHeader string
+}
+
+const installationContextKey = "installation_id"
+
+// RunHTTPServer is not concurrent safe.
+func RunHTTPServer(cfg HttpServerConfig) error {
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	t, dumpTranslations := translations.TranslationHelper()
+
+	mcpCfg := MCPServerConfig{
+		Version:              cfg.Version,
+		Host:                 cfg.Host,
+		Token:                cfg.Token,
+		EnabledToolsets:      cfg.EnabledToolsets,
+		DynamicToolsets:      cfg.DynamicToolsets,
+		ReadOnly:             cfg.ReadOnly,
+		Translator:           t,
+		AppID:                cfg.AppID,
+		AppPrivateKey:        cfg.AppPrivateKey,
+		EnableGitHubAppAuth:  cfg.EnableGitHubAppAuth,
+		InstallationIDHeader: cfg.InstallationIDHeader,
+	}
+
+	ghServer, err := NewMCPServer(mcpCfg)
+	if err != nil {
+		return fmt.Errorf("failed to create MCP server: %w", err)
+	}
+
+	httpServer := server.NewStreamableHTTPServer(ghServer)
+
+	logrusLogger := logrus.New()
+	if cfg.LogFilePath != "" {
+		file, err := os.OpenFile(cfg.LogFilePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
+		if err != nil {
+			return fmt.Errorf("failed to open log file: %w", err)
+		}
+		logrusLogger.SetLevel(logrus.DebugLevel)
+		logrusLogger.SetOutput(file)
+	} else {
+		logrusLogger.SetLevel(logrus.InfoLevel)
+	}
+
+	if cfg.Address == "" {
+		cfg.Address = ":8080"
+	}
+	if cfg.MCPPath == "" {
+		cfg.MCPPath = "/mcp"
+	}
+	if cfg.InstallationIDHeader == "" {
+		cfg.InstallationIDHeader = "X-GitHub-Installation-ID"
+	}
+
+	mux := http.NewServeMux()
+	var handler http.Handler = httpServer
+
+	// Apply middlewares in the correct order: CORS first, then auth
+	if cfg.EnableCORS {
+		handler = corsMiddleware(handler)
+	}
+	if cfg.EnableGitHubAppAuth {
+		handler = authMiddleware(handler, cfg.InstallationIDHeader, logrusLogger)
+	}
+
+	mux.Handle(cfg.MCPPath, handler)
+
+	srv := &http.Server{
+		Addr:    cfg.Address,
+		Handler: mux,
+	}
+
+	if cfg.ExportTranslations {
+		dumpTranslations()
+	}
+
+	errC := make(chan error, 1)
+	go func() {
+		logrusLogger.Infof("Starting HTTP server on %s", cfg.Address)
+		logrusLogger.Infof("MCP endpoint available at http://localhost%s%s", cfg.Address, cfg.MCPPath)
+		if cfg.EnableGitHubAppAuth {
+			logrusLogger.Infof("GitHub App authentication enabled with header: %s", cfg.InstallationIDHeader)
+		}
+		errC <- srv.ListenAndServe()
+	}()
+
+	_, _ = fmt.Fprintf(os.Stderr, "GitHub MCP Server running on HTTP at %s\n", cfg.Address)
+	_, _ = fmt.Fprintf(os.Stderr, "MCP endpoint: http://localhost%s%s\n", cfg.Address, cfg.MCPPath)
+	if cfg.EnableGitHubAppAuth {
+		_, _ = fmt.Fprintf(os.Stderr, "GitHub App authentication enabled with header: %s\n", cfg.InstallationIDHeader)
+	}
+
+	select {
+	case <-ctx.Done():
+		logrusLogger.Infof("shutting down server...")
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := srv.Shutdown(shutdownCtx); err != nil {
+			logrusLogger.Errorf("error during server shutdown: %v", err)
+		}
+	case err := <-errC:
+		if err != nil && err != http.ErrServerClosed {
+			return fmt.Errorf("error running server: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// corsMiddleware adds CORS headers to allow cross-origin requests
+func corsMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Set CORS headers
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Accept-Encoding, Accept-Language, Cache-Control, Connection, Host, Origin, Referer, User-Agent")
+
+		// Handle preflight requests
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+// authMiddleware extracts installation IDs from custom headers and adds them to the request context
+func authMiddleware(next http.Handler, headerName string, logger *logrus.Logger) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		installationIDStr := r.Header.Get(headerName)
+		if installationIDStr == "" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		installationID, err := strconv.ParseInt(installationIDStr, 10, 64)
+		if err != nil {
+			logger.Warnf("Invalid installation ID format in header %s", headerName)
+			http.Error(w, "Invalid installation ID format", http.StatusBadRequest)
+			return
+		}
+
+		if installationID <= 0 {
+			logger.Warnf("Invalid installation ID value: %d", installationID)
+			http.Error(w, "Invalid installation ID value", http.StatusBadRequest)
+			return
+		}
+
+		ctx := context.WithValue(r.Context(), installationContextKey, installationID)
+		r = r.WithContext(ctx)
+
+		if logger.GetLevel() == logrus.DebugLevel {
+			logger.Debugf("Authenticated request with installation ID %d", installationID)
+		} else {
+			logger.Debug("Request authenticated with GitHub App installation")
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/internal/ghmcp/server.go b/internal/ghmcp/server.go
