Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
40 Commits 1 Branch 0 Tags
71c993e4cd385853094aa180eb886cde18db2ccd
Commit Graph

16 Commits

Author SHA1 Message Date
latte
71c993e4cd Use GITEA_TOKEN as service PAT for API calls in OAuth mode
Some checks failed
docker / lint (push) Failing after 21s
Details
docker / test (push) Failing after 17s
Details
lint / lint (push) Failing after 22s
Details
test / test (push) Failing after 17s
Details
docker / docker-test (push) Has been skipped
Details
docker / docker-publish (push) Has been skipped
Details 
Gitea OIDC access_tokens only carry OIDC scopes and cannot call the
Gitea REST API. Fall back to GITEA_TOKEN (service PAT) for actual tool
execution when configured, while OIDC still handles user identity.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-04 17:06:28 +00:00
latte
bf35a0c712 Enhance OAuth metadata endpoints and update authorization server URLs in responses
Some checks failed
test / test (push) Failing after 19s
Details
docker / lint (pull_request) Failing after 21s
Details
lint / lint (pull_request) Failing after 21s
Details
lint / lint (push) Failing after 1m29s
Details
docker / test (pull_request) Failing after 16s
Details
test / test (pull_request) Failing after 18s
Details
docker / docker-test (pull_request) Has been skipped
Details
docker / docker-publish (pull_request) Has been skipped
Details
2026-03-04 16:54:36 +00:00
latte
2f9750dcce Return explicit error for tokens lacking scopes
All checks were successful
lint / lint (push) Successful in 24s
Details
test / test (push) Successful in 19s
Details
docker / lint (pull_request) Successful in 23s
Details
docker / test (pull_request) Successful in 18s
Details
lint / lint (pull_request) Successful in 24s
Details
test / test (pull_request) Successful in 20s
Details
docker / docker-test (pull_request) Successful in 39s
Details
docker / docker-publish (pull_request) Has been skipped
Details
2026-02-27 19:55:01 +01:00
latte
c79cc1ab9e Add PUBLIC_BASE_URL and refine OAuth scopes
Some checks failed
docker / lint (push) Has been cancelled
Details
docker / test (push) Has been cancelled
Details
docker / docker-build (push) Has been cancelled
Details
lint / lint (push) Has been cancelled
Details
test / test (push) Has been cancelled
Details
2026-02-25 20:49:08 +01:00
latte
59e1ea53a8 Add OAuth2/OIDC per-user Gitea authentication
Some checks failed
docker / lint (push) Has been cancelled
Details
docker / test (push) Has been cancelled
Details
docker / docker-build (push) Has been cancelled
Details
lint / lint (push) Has been cancelled
Details
test / test (push) Has been cancelled
Details 
Introduce a GiteaOAuthValidator for JWT and userinfo validation and
fallbacks, add /oauth/token proxy, and thread per-user tokens through
the
request context and automation paths. Update config and .env.example for
OAuth-first mode, add OpenAPI, extensive unit/integration tests,
GitHub/Gitea CI workflows, docs, and lint/test enforcement (>=80% cov).
 2026-02-25 16:54:01 +01:00
latte
a00b6a0ba2 update 2026-02-14 18:18:34 +01:00
latte
ecc87cbb65 quick fix 2026-02-14 17:18:30 +01:00
latte
5969892af3 feat: harden gateway with policy engine, secure tools, and governance docs 2026-02-14 16:06:43 +01:00
latte
d82fe87113 update 2026-02-11 18:16:00 +01:00
Ubuntu
dd7bbd1f9a IT WORKS 2026-01-31 16:03:17 +00:00
Ubuntu
3c71d5da0a update 2026-01-31 15:55:22 +00:00
latte
833eb21c79 quick fix 2026-01-31 14:23:51 +01:00
latte
0a2a21cc52 feat: scope query param auth to MCP endpoints 
Restrict api_key query parameter to /mcp/tools, /mcp/tool/call,
and /mcp/sse only. Updated documentation to reflect query param
usage for ChatGPT UI without header support.
 2026-01-29 21:07:37 +01:00
latte
b990c6c527 feat: allow api_key query parameter for ChatGPT UI 
ChatGPT UI lacks custom header support for MCP servers. Added
query parameter fallback (?api_key=) alongside Authorization
header to authenticate requests.

Updated tests to cover query param authentication.
 2026-01-29 21:03:05 +01:00
latte
eeaad748a6 feat: add API key authentication system for ChatGPT Business 
Implements comprehensive Bearer token authentication to ensure only
authorized ChatGPT workspaces can access the MCP server.

Core Features:
- API key validation with constant-time comparison
- Multi-key support for rotation grace periods
- Rate limiting (5 failures per IP per 5 min)
- Comprehensive audit logging of all auth attempts
- IP-based failed attempt tracking

Key Management:
- generate_api_key.py: Create secure 64-char keys
- rotate_api_key.py: Guided key rotation with backup
- check_key_age.py: Automated expiration monitoring

Infrastructure:
- Traefik labels for HTTPS and rate limiting
- Security headers (HSTS, CSP, X-Frame-Options)
- Environment-based configuration
- Docker secrets support

Documentation:
- AUTH_SETUP.md: Complete authentication setup guide
- CHATGPT_SETUP.md: ChatGPT Business integration guide
- KEY_ROTATION.md: Key rotation procedures and automation

Security:
- Read-only operations enforced
- No write access to Gitea possible
- All auth attempts logged with correlation IDs
- Failed attempts trigger IP rate limits
- Keys never logged in full (only hints)

Breaking Changes:
- AUTH_ENABLED defaults to true
- MCP_API_KEYS environment variable now required
- Minimum key length: 32 characters (64 recommended)

Migration:
1. Generate API key: make generate-key
2. Add to .env: MCP_API_KEYS=<generated-key>
3. Restart: docker-compose restart aegis-mcp
4. Configure ChatGPT with Authorization header

Closes requirements for ChatGPT Business exclusive access.
 2026-01-29 20:05:49 +01:00
latte
a9708b33e2 . 2026-01-29 19:53:36 +01:00