feat(auth): add _build_google_auth() builder with stdio warning

Adds _build_google_auth() to server.py that reads Google OAuth settings and returns a configured GoogleProvider instance or None when unconfigured. Includes warning for stdio transport incompatibility and conditional jwt_signing_key passthrough. 4 new TDD tests in tests/test_auth_builder.py.
2026-03-23 12:39:24 -07:00 · 2026-03-16 10:36:41 -04:00
parent f69aa94826
commit 4a1ffcfd51
2 changed files with 143 additions and 0 deletions
--- a/unraid_mcp/server.py
+++ b/unraid_mcp/server.py
@@ -7,6 +7,7 @@ separate modules for configuration, core functionality, subscriptions, and tools
 import sys

 from fastmcp import FastMCP
+from fastmcp.server.auth.providers.google import GoogleProvider
 from fastmcp.server.middleware.caching import CallToolSettings, ResponseCachingMiddleware
 from fastmcp.server.middleware.error_handling import ErrorHandlingMiddleware
 from fastmcp.server.middleware.logging import LoggingMiddleware
@@ -68,6 +69,53 @@ cache_middleware = ResponseCachingMiddleware(
    get_prompt_settings={"enabled": False},
 )

+
+def _build_google_auth() -> "GoogleProvider | None":
+    """Build GoogleProvider when OAuth env vars are configured, else return None.
+
+    Returns None (no auth) when GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET are absent,
+    preserving backward compatibility for existing unprotected setups.
+    """
+    from .config.settings import (
+        GOOGLE_CLIENT_ID,
+        GOOGLE_CLIENT_SECRET,
+        UNRAID_MCP_BASE_URL,
+        UNRAID_MCP_JWT_SIGNING_KEY,
+        UNRAID_MCP_TRANSPORT,
+        is_google_auth_configured,
+    )
+
+    if not is_google_auth_configured():
+        return None
+
+    if UNRAID_MCP_TRANSPORT == "stdio":
+        logger.warning(
+            "Google OAuth is configured but UNRAID_MCP_TRANSPORT=stdio. "
+            "OAuth requires HTTP transport (streamable-http or sse). "
+            "Auth will be applied but may not work as expected."
+        )
+
+    kwargs: dict[str, str] = {
+        "client_id": GOOGLE_CLIENT_ID,
+        "client_secret": GOOGLE_CLIENT_SECRET,
+        "base_url": UNRAID_MCP_BASE_URL,
+    }
+    if UNRAID_MCP_JWT_SIGNING_KEY:
+        kwargs["jwt_signing_key"] = UNRAID_MCP_JWT_SIGNING_KEY
+    else:
+        logger.warning(
+            "UNRAID_MCP_JWT_SIGNING_KEY is not set. FastMCP will derive a key automatically, "
+            "but tokens may be invalidated on server restart. "
+            "Set UNRAID_MCP_JWT_SIGNING_KEY to a stable secret."
+        )
+
+    logger.info(
+        f"Google OAuth enabled — base_url={UNRAID_MCP_BASE_URL}, "
+        f"redirect_uri={UNRAID_MCP_BASE_URL}/auth/callback"
+    )
+    return GoogleProvider(**kwargs)
+
+
 # Initialize FastMCP instance
 mcp = FastMCP(
    name="Unraid MCP Server",