Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: keep OAuth flow working on read-only container roots
docker / test (push) Successful in 29s
Details
docker / lint (push) Successful in 34s
Details
test / test (push) Successful in 32s
Details
lint / lint (push) Successful in 36s
Details
docker / docker-test (push) Successful in 8s
Details
docker / docker-publish (push) Successful in 6s
Details

Browse Source 
The DCR client registry created its storage directory eagerly in __init__,
and DCR_STORAGE_PATH defaulted to /var/lib/aegis-mcp — a path that is neither
created in the image nor mounted as a writable volume. Under the hardened
read-only docker-compose, every /oauth/authorize, /oauth/token, and /register
call hit `mkdir('/var/lib/aegis-mcp')` on a read-only filesystem, raising an
unhandled OSError and returning a bare "Internal Server Error" during login.

- oauth_flow.py: defer the storage-dir mkdir from __init__ to _persist (the
  only write path). authorize/token only read the registry, so they no longer
  require a writable filesystem and stop 500-ing.
- docker/Dockerfile: create and chown /var/lib/aegis-mcp.
- docker-compose.yml + docker/docker-compose.yml: add a persistent
  aegis-mcp-data volume mounted at /var/lib/aegis-mcp so DCR registrations
  survive restarts.
- .env.example: document DCR_STORAGE_PATH and set PUBLIC_BASE_URL to the real
  MCP host.
- README.md: spell out exact values (Gitea host, MCP host, callback URL, MCP
  URL) and add a "required writable volumes" section explaining the cause of
  the login 500.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Latte
2026-06-14 16:26:28 +02:00
parent 84bbff4acb
commit b1bc726a95
6 changed files with 82 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+11 -4
View File
@@ -16,14 +16,21 @@ OAUTH_STATE_SECRET=
OAUTH_EXPECTED_AUDIENCE=
# OIDC discovery and JWKS cache TTL
OAUTH_CACHE_TTL_SECONDS=300
# Where dynamically registered OAuth clients (RFC 7591 /register) are stored.
# This file MUST live on a writable, persistent volume. The default below is
# mounted as the `aegis-mcp-data` volume in docker-compose; if you run the
# container read-only without that volume the OAuth flow returns 500 because the
# directory is not writable. Point this at any writable path if you deploy
# differently.
DCR_STORAGE_PATH=/var/lib/aegis-mcp/dcr_clients.json
# MCP server configuration
MCP_HOST=127.0.0.1
MCP_PORT=8080
# Optional external URL used in OAuth metadata and callback URLs when running behind a
# reverse proxy. When unset, the server derives these from the incoming request.
# Example: PUBLIC_BASE_URL=https://gitea-mcp.hiddenden.cafe
PUBLIC_BASE_URL=
# Public, externally-reachable base URL of THIS MCP server (no trailing slash).
# Used to build OAuth metadata and the /oauth/callback URL behind a reverse proxy.
# This is the host you give to Claude (its MCP URL is PUBLIC_BASE_URL + /mcp).
PUBLIC_BASE_URL=https://gitea-mcp.hiddenden.cafe
ALLOW_INSECURE_BIND=false
# Logging / observability