golf-mcp 0.1.20__py3-none-any.whl → 0.2.1__py3-none-any.whl

golf/__init__.py

@@ -1 +1,9 @@
-__version__ = "0.1.20"
+__version__ = "0.2.1"
+
+# Import endpoints with fallback for dev mode
+try:
+    # In built wheels, this exists (generated from _endpoints.py.in)
+    from . import _endpoints
+except ImportError:
+    # In editable/dev installs, fall back to env-based values
+    from . import _endpoints_fallback as _endpoints

golf/_endpoints.py

@@ -0,0 +1,6 @@
+# Auto-generated at build time by setup.py:build_py
+# This template contains placeholders that are replaced during build
+
+# Platform endpoints
+PLATFORM_API_URL = "https://platform.golf.dev"
+OTEL_ENDPOINT = "https://telemetry.golf.dev"

golf/_endpoints_fallback.py

@@ -0,0 +1,10 @@
+"""Fallback endpoints for development/editable installs."""
+
+import os
+
+# These are used when the generated _endpoints.py doesn't exist (dev mode)
+# or when environment variables override the built-in values
+
+PLATFORM_API_URL = os.getenv("GOLF_PLATFORM_API_URL", "http://localhost:8000/api/resources")
+
+OTEL_ENDPOINT = os.getenv("GOLF_OTEL_ENDPOINT", "http://localhost:4318/v1/traces")

golf/auth/__init__.py

@@ -1,122 +1,274 @@
-"""Authentication module for GolfMCP servers.
+"""Modern authentication for Golf MCP servers using FastMCP 2.11+ providers.
 
-This module provides a simple API for configuring OAuth authentication
-for GolfMCP servers. Users can configure authentication in their pre_build.py
-file without needing to understand the complexities of the MCP SDK.
+This module provides authentication configuration and utilities for Golf servers,
+leveraging FastMCP's built-in authentication system with JWT verification,
+OAuth providers, and token management.
 """
 
-from typing import List, Optional, Tuple
+from typing import Any
 
-from mcp.server.auth.settings import AuthSettings, ClientRegistrationOptions
+# Modern auth provider configurations and factory functions
+from .providers import (
+    AuthConfig,
+    JWTAuthConfig,
+    StaticTokenConfig,
+    OAuthServerConfig,
+    RemoteAuthConfig,
+    OAuthProxyConfig,
+)
+from .factory import (
+    create_auth_provider,
+    create_simple_jwt_provider,
+    create_dev_token_provider,
+)
+from .registry import (
+    BaseProviderPlugin,
+    AuthProviderFactory,
+    get_provider_registry,
+    register_provider_factory,
+    register_provider_plugin,
+)
 
+# Re-export for backward compatibility
 from .api_key import configure_api_key, get_api_key_config, is_api_key_configured
 from .helpers import (
     debug_api_key_context,
     extract_token_from_header,
-    get_access_token,
     get_api_key,
     get_provider_token,
     set_api_key,
 )
-from .oauth import GolfOAuthProvider, create_callback_handler
-from .provider import ProviderConfig
-
-
-class AuthConfig:
-    """Configuration for OAuth authentication in GolfMCP."""
-
-    def __init__(
-        self,
-        provider_config: ProviderConfig,
-        required_scopes: list[str],
-        callback_path: str = "/auth/callback",
-        login_path: str = "/login",
-        error_path: str = "/auth-error",
-    ) -> None:
-        """Initialize authentication configuration.
-
-        Args:
-            provider_config: Configuration for the OAuth provider
-            required_scopes: Scopes required for all authenticated requests
-            callback_path: Path for the OAuth callback
-            login_path: Path for the login redirect
-            error_path: Path for displaying authentication errors
-        """
-        self.provider_config = provider_config
-        self.required_scopes = required_scopes
-        self.callback_path = callback_path
-        self.login_path = login_path
-        self.error_path = error_path
-
-        # Create the OAuth provider
-        self.provider = GolfOAuthProvider(provider_config)
-
-        # Create auth settings for FastMCP
-        self.auth_settings = AuthSettings(
-            issuer_url=provider_config.issuer_url or "http://localhost:3000",
-            client_registration_options=ClientRegistrationOptions(
-                enabled=True,
-                valid_scopes=provider_config.scopes,
-                default_scopes=provider_config.scopes,
-            ),
-            required_scopes=required_scopes or provider_config.scopes,
-        )
 
+# Public API
+__all__ = [
+    # Main configuration functions
+    "configure_auth",
+    "configure_jwt_auth",
+    "configure_dev_auth",
+    "configure_oauth_proxy",
+    "get_auth_config",
+    # Provider configurations
+    "AuthConfig",
+    "JWTAuthConfig",
+    "StaticTokenConfig",
+    "OAuthServerConfig",
+    "RemoteAuthConfig",
+    "OAuthProxyConfig",
+    # Factory functions
+    "create_auth_provider",
+    "create_simple_jwt_provider",
+    "create_dev_token_provider",
+    # Provider registry and plugins
+    "BaseProviderPlugin",
+    "AuthProviderFactory",
+    "get_provider_registry",
+    "register_provider_factory",
+    "register_provider_plugin",
+    # API key functions (backward compatibility)
+    "configure_api_key",
+    "get_api_key_config",
+    "is_api_key_configured",
+    # Helper functions
+    "debug_api_key_context",
+    "extract_token_from_header",
+    "get_api_key",
+    "get_provider_token",
+    "set_api_key",
+]
 
-# Global state for the build process
+# Global storage for auth configuration
 _auth_config: AuthConfig | None = None
 
 
-def configure_auth(
-    provider_config=None,
-    provider=None,
+def configure_auth(config: AuthConfig) -> None:
+    """Configure authentication for the Golf server.
+
+    This function should be called in auth.py to set up authentication
+    using FastMCP's modern auth providers.
+
+    Args:
+        config: Authentication configuration (JWT, OAuth, Static, or Remote)
+                The required_scopes should be specified in the config itself.
+
+    Examples:
+        # JWT authentication with Auth0
+        from golf.auth import configure_auth, JWTAuthConfig
+
+        configure_auth(
+            JWTAuthConfig(
+                jwks_uri="https://your-domain.auth0.com/.well-known/jwks.json",
+                issuer="https://your-domain.auth0.com/",
+                audience="https://your-api.example.com",
+                required_scopes=["read:data"],
+            )
+        )
+
+        # Development with static tokens
+        from golf.auth import configure_auth, StaticTokenConfig
+
+        configure_auth(
+            StaticTokenConfig(
+                tokens={
+                    "dev-token-123": {
+                        "client_id": "dev-client",
+                        "scopes": ["read", "write"],
+                    }
+                },
+                required_scopes=["read"],
+            )
+        )
+
+        # Full OAuth server
+        from golf.auth import configure_auth, OAuthServerConfig
+
+        configure_auth(
+            OAuthServerConfig(
+                base_url="https://your-server.example.com",
+                valid_scopes=["read", "write", "admin"],
+                default_scopes=["read"],
+                required_scopes=["read"],
+            )
+        )
+    """
+    global _auth_config
+    _auth_config = config
+
+
+def configure_jwt_auth(
+    *,
+    jwks_uri: str | None = None,
+    public_key: str | None = None,
+    issuer: str | None = None,
+    audience: str | list[str] | None = None,
     required_scopes: list[str] | None = None,
-    callback_path: str = "/auth/callback",
+    **env_vars: str,
 ) -> None:
-    """Configure authentication for a GolfMCP server.
+    """Convenience function to configure JWT authentication.
 
-    This function should be called in pre_build.py to set up authentication.
+    Args:
+        jwks_uri: JWKS URI for key fetching
+        public_key: Static public key (PEM format)
+        issuer: Expected issuer claim
+        audience: Expected audience claim(s)
+        required_scopes: Required scopes for all requests
+        **env_vars: Environment variable names (public_key_env_var,
+            jwks_uri_env_var, etc.)
+    """
+    config = JWTAuthConfig(
+        jwks_uri=jwks_uri,
+        public_key=public_key,
+        issuer=issuer,
+        audience=audience,
+        required_scopes=required_scopes or [],
+        **env_vars,
+    )
+    configure_auth(config)
+
+
+def configure_dev_auth(
+    tokens: dict[str, Any] | None = None,
+    required_scopes: list[str] | None = None,
+) -> None:
+    """Convenience function to configure development authentication.
 
     Args:
-        provider_config: Configuration for the OAuth provider (new parameter name)
-        provider: Configuration for the OAuth provider (old parameter name, deprecated)
-        required_scopes: Scopes required for authentication
-        callback_path: Path for the OAuth callback
-        public_paths: List of paths that don't require authentication (deprecated, no longer used)
+        tokens: Token dictionary or None for defaults
+        required_scopes: Required scopes for all requests
     """
-    global _auth_config
+    if tokens is None:
+        tokens = {
+            "dev-token-123": {
+                "client_id": "dev-client",
+                "scopes": ["read", "write"],
+            },
+            "admin-token-456": {
+                "client_id": "admin-client",
+                "scopes": ["read", "write", "admin"],
+            },
+        }
+
+    config = StaticTokenConfig(
+        tokens=tokens,
+        required_scopes=required_scopes or [],
+    )
+    configure_auth(config)
 
-    # Handle backward compatibility with old parameter name
-    if provider_config is None and provider is not None:
-        provider_config = provider
-    elif provider_config is None and provider is None:
-        raise ValueError("Either provider_config or provider must be provided")
 
-    _auth_config = AuthConfig(
-        provider_config=provider_config,
-        required_scopes=required_scopes or provider_config.scopes,
-        callback_path=callback_path,
+def configure_oauth_proxy(
+    upstream_authorization_endpoint: str,
+    upstream_token_endpoint: str,
+    upstream_client_id: str,
+    upstream_client_secret: str,
+    base_url: str,
+    token_verifier_config: JWTAuthConfig | StaticTokenConfig,
+    scopes_supported: list[str] | None = None,
+    upstream_revocation_endpoint: str | None = None,
+    redirect_path: str = "/oauth/callback",
+) -> None:
+    """Configure OAuth proxy authentication for non-DCR providers.
+    
+    This sets up an OAuth proxy that bridges MCP clients (expecting DCR) with
+    traditional OAuth providers like GitHub, Google, Okta Web Apps that use
+    fixed client credentials.
+    
+    Args:
+        upstream_authorization_endpoint: Provider's authorization URL
+        upstream_token_endpoint: Provider's token endpoint URL  
+        upstream_client_id: Your client ID registered with the provider
+        upstream_client_secret: Your client secret from the provider
+        base_url: This proxy server's public URL
+        token_verifier_config: JWT or static token config for token verification
+        scopes_supported: Scopes to advertise to MCP clients
+        upstream_revocation_endpoint: Optional token revocation endpoint
+        redirect_path: OAuth callback path (default: /oauth/callback)
+        
+    Note:
+        Requires golf-mcp-enterprise package for implementation.
+    """
+    config = OAuthProxyConfig(
+        upstream_authorization_endpoint=upstream_authorization_endpoint,
+        upstream_token_endpoint=upstream_token_endpoint,
+        upstream_client_id=upstream_client_id,
+        upstream_client_secret=upstream_client_secret,
+        upstream_revocation_endpoint=upstream_revocation_endpoint,
+        base_url=base_url,
+        redirect_path=redirect_path,
+        scopes_supported=scopes_supported or [],
+        token_verifier_config=token_verifier_config,
     )
+    configure_auth(config)
+
+
+def get_auth_config() -> AuthConfig | None:
+    """Get the current auth configuration.
+
+    Returns:
+        AuthConfig if configured, None otherwise
+    """
+    return _auth_config
 
 
-def get_auth_config() -> tuple[ProviderConfig | None, list[str]]:
-    """Get the current authentication configuration.
+def is_auth_configured() -> bool:
+    """Check if authentication is configured.
 
     Returns:
-        Tuple of (provider_config, required_scopes)
+        True if authentication is configured, False otherwise
     """
-    if _auth_config:
-        return _auth_config.provider_config, _auth_config.required_scopes
-    return None, []
+    return _auth_config is not None
+
+
+# Breaking change in Golf 0.2.x: Legacy auth system removed
+# Users must migrate to modern auth configurations
 
 
-def create_auth_provider() -> GolfOAuthProvider | None:
-    """Create an OAuth provider from the configured provider settings.
+def create_auth_provider_from_config() -> object | None:
+    """Create an auth provider from the current configuration.
 
     Returns:
-        GolfOAuthProvider instance or None if not configured
+        FastMCP AuthProvider instance or None if not configured
     """
-    if not _auth_config:
+    config = get_auth_config()
+    if not config:
         return None
 
-    return _auth_config.provider
+    return create_auth_provider(config)

golf/auth/api_key.py

@@ -11,28 +11,22 @@ from pydantic import BaseModel, Field
 class ApiKeyConfig(BaseModel):
     """Configuration for API key authentication."""
 
-    header_name: str = Field(
-        "X-API-Key", description="Name of the header containing the API key"
-    )
+    header_name: str = Field("X-API-Key", description="Name of the header containing the API key")
     header_prefix: str = Field(
         "",
         description="Optional prefix to strip from the header value (e.g., 'Bearer ')",
     )
-    required: bool = Field(
-        True, description="Whether API key is required for all requests"
-    )
+    required: bool = Field(True, description="Whether API key is required for all requests")
 
 
 # Global configuration storage
 _api_key_config: ApiKeyConfig | None = None
 
 
-def configure_api_key(
-    header_name: str = "X-API-Key", header_prefix: str = "", required: bool = True
-) -> None:
+def configure_api_key(header_name: str = "X-API-Key", header_prefix: str = "", required: bool = True) -> None:
     """Configure API key extraction from request headers.
 
-    This function should be called in pre_build.py to set up API key handling.
+    This function should be called in auth.py to set up API key handling.
 
     Args:
         header_name: Name of the header containing the API key (default: "X-API-Key")
@@ -40,7 +34,7 @@ def configure_api_key(
         required: Whether API key is required for all requests (default: True)
 
     Example:
-        # In pre_build.py
+        # In auth.py
         from golf.auth.api_key import configure_api_key
 
         # Require API key for all requests
@@ -58,9 +52,7 @@ def configure_api_key(
         )
     """
     global _api_key_config
-    _api_key_config = ApiKeyConfig(
-        header_name=header_name, header_prefix=header_prefix, required=required
-    )
+    _api_key_config = ApiKeyConfig(header_name=header_name, header_prefix=header_prefix, required=required)
 
 
 def get_api_key_config() -> ApiKeyConfig | None: