o i~0@sdZddlmZddlZddlmZddlmZmZm Z ddl m Z m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZmZeeZGddde ZGdddeZGdddeZ dS)aTGitHub OAuth provider for FastMCP. This module provides a complete GitHub OAuth integration that's ready to use with just a client ID and client secret. It handles all the complexity of GitHub's OAuth flow, token validation, and user management. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider # Simple GitHub OAuth protection auth = GitHubProvider( client_id="your-github-client-id", client_secret="your-github-client-secret" ) mcp = FastMCP("My Protected Server", auth=auth) ``` ) annotationsN) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TokenVerifier) AccessToken) OAuthProxy)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@seZdZUdZededdZdZded<dZ ded <dZ d ed <dZ d ed <dZ ded <dZ ded<dZded<dZded<dZded<edddeddZdS)GitHubProviderSettingsz#Settings for GitHub OAuth provider.FASTMCP_SERVER_AUTH_GITHUB_ignore) env_prefixenv_fileextraNz str | None client_idzSecretStr | None client_secretzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesz int | Nonetimeout_secondsallowed_client_redirect_urisjwt_signing_keybefore)modecCst|S)Nr )clsvr&j/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/github.py _parse_scopes;sz$GitHubProviderSettings._parse_scopes)__name__ __module__ __qualname____doc__rr model_configr__annotations__rrrrrrr r!r classmethodr(r&r&r&r'r(s&           rcs4eZdZdZddddfd d ZdddZZS)GitHubTokenVerifierzToken verifier for GitHub OAuth tokens. GitHub OAuth tokens are opaque (not JWTs), so we verify them by calling GitHub's API to check if they're valid and get user info. N rrrrrintcstj|d||_dS)zInitialize the GitHub token verifier. Args: required_scopes: Required OAuth scopes (e.g., ['user:email']) timeout_seconds: HTTP request timeout )rN)super__init__r)selfrr __class__r&r'r5Hs zGitHubTokenVerifier.__init__tokenstrreturnAccessToken | Nonec sztj|jd4IdH}|jdd|ddddIdH}|jd kr>td |j|jdd  WdIdHWdS|}|jd d|ddddIdH}|j d d }dd| dD}|sidg}|j rt |}t |j } | |stdt|t|  WdIdHWdSt|t|dd|dt|d|d|d|d|d|ddWdIdHWS1IdHswYWdStjy} z td| WYd} ~ dSd} ~ wty} z td| WYd} ~ dSd} ~ ww)z0Verify GitHub OAuth token by calling GitHub API.)timeoutNzhttps://api.github.com/userzBearer zapplication/vnd.github.v3+jsonzFastMCP-GitHub-OAuth) AuthorizationAcceptz User-Agent)headersz)GitHub token verification failed: %d - %sz!https://api.github.com/user/reposzx-oauth-scopescSsg|] }|r|qSr&)strip).0scoper&r&r' |s z4GitHubTokenVerifier.verify_token..,userz6GitHub token missing required scopes. Has %d, needs %didunknownloginnameemail avatar_url)subrKrLrMrNgithub_user_data)r9rscopes expires_atclaimsz!Failed to verify GitHub token: %sz#GitHub token verification error: %s)httpx AsyncClientrget status_codeloggerdebugtextjsonr@splitrsetissubsetlenr r: RequestError Exception) r6r9clientresponse user_datascopes_responseoauth_scopes_header token_scopestoken_scopes_setrequired_scopes_seter&r&r' verify_tokenWs      9 4H  z GitHubTokenVerifier.verify_token)rrrr3)r9r:r;r<)r)r*r+r,r5rk __classcell__r&r&r7r'r0As  r0c s<eZdZdZeeeeeeeededd dfddZZS)GitHubProvideraComplete GitHub OAuth provider for FastMCP. This provider makes it trivial to add GitHub OAuth protection to any FastMCP server. Just provide your GitHub OAuth app credentials and a base URL, and you're ready to go. Features: - Transparent OAuth proxy to GitHub - Automatic token validation via GitHub API - User information extraction - Minimal configuration required Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider auth = GitHubProvider( client_id="Ov23li...", client_secret="abc123...", base_url="https://my-server.com" ) mcp = FastMCP("My App", auth=auth) ``` NT) rrrrrrrr client_storager!require_authorization_consentr str | NotSetTrrAnyHttpUrl | str | NotSetTrrrlist[str] | NotSetTr int | NotSetTr rnAsyncKeyValue | Noner!str | bytes | NotSetTroboolc stdd||||||||| d D} | jstd| js$td| jp(d} | jp.dg}| j}t || d}| jr@| j nd }t j d d | j||| j | j| jpT| j || | j| d td | j|dS)a|Initialize GitHub OAuth provider. Args: client_id: GitHub OAuth app client ID (e.g., "Ov23li...") client_secret: GitHub OAuth app client secret base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in GitHub OAuth app (defaults to "/auth/callback") required_scopes: Required GitHub scopes (defaults to ["user"]) timeout_seconds: HTTP request timeout for GitHub API calls allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to GitHub. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. cSsi|] \}}|tur||qSr&)r)rDkr%r&r&r' s   z+GitHubProvider.__init__..) rrrrrrrr r!zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRETr1rHr2rBz(https://github.com/login/oauth/authorizez+https://github.com/login/oauth/access_token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierrrrr rnr!roz?Initialized GitHub OAuth provider for client %s with scopes: %sN)rmodel_validateitemsr ValueErrorrrrr r0get_secret_valuer4r5rrrr!rXrY)r6rrrrrrrr rnr!rosettingstimeout_seconds_finalrequired_scopes_final"allowed_client_redirect_uris_finalr}client_secret_strr7r&r'r5sh(   zGitHubProvider.__init__)rrprrprrqrrqrrprrrrrsr rrrnrtr!rurorv)r)r*r+r,rr5rlr&r&r7r'rmsrm)!r, __future__rrTkey_value.aio.protocolsrpydanticrrrpydantic_settingsrrfastmcp.server.authr fastmcp.server.auth.authr fastmcp.server.auth.oauth_proxyr fastmcp.settingsr fastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr)rXrr0rmr&r&r&r's"        i