feat(server): make WWW-Authenticate header value configurable

wolfeidau · wolfeidau · commit d3ca549162af · 2026-03-23T13:16:40.000+11:00
NewHTTPUnauthorizedHandler now accepts the WWW-Authenticate header
value as a parameter rather than hardcoding 'Bearer realm="buildkite"',
allowing callers to set any valid challenge scheme.
diff --git a/internal/commands/http.go b/internal/commands/http.go
@@ -59,6 +59,7 @@ func (c *HTTPCmd) Run(ctx context.Context, globals *Globals) error {
 		mcp.NewStreamableHTTPHandler(factory, &mcp.StreamableHTTPOptions{
 			Stateless: true,
 		}),
+		`Bearer realm="buildkite"`,
 	)
 	mux.Handle("/mcp", handler)
 
diff --git a/pkg/server/unauthorized.go b/pkg/server/unauthorized.go
@@ -19,7 +19,10 @@ func signalUnauthorized(ctx context.Context) {
 // NewHTTPUnauthorizedHandler wraps an HTTP handler to return HTTP 401 when the
 // Buildkite API returns a 401, instead of a 200 with a JSON-RPC error body.
 // Works for both JSON and SSE transport modes in stateless operation.
-func NewHTTPUnauthorizedHandler(handler http.Handler) http.Handler {
+//
+// wwwAuthenticate is the value of the WWW-Authenticate header sent on 401
+// responses (e.g. `Bearer realm="buildkite"`).
+func NewHTTPUnauthorizedHandler(handler http.Handler, wwwAuthenticate string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		flag := &atomic.Bool{}
 		ctx := context.WithValue(r.Context(), unauthorizedContextKey{}, flag)
@@ -34,7 +37,7 @@ func NewHTTPUnauthorizedHandler(handler http.Handler) http.Handler {
 			for k := range h {
 				delete(h, k)
 			}
-			h.Set("WWW-Authenticate", `Bearer realm="buildkite"`)
+			h.Set("WWW-Authenticate", wwwAuthenticate)
 			w.WriteHeader(http.StatusUnauthorized)
 		}
 	})
diff --git a/pkg/server/unauthorized_test.go b/pkg/server/unauthorized_test.go
@@ -16,7 +16,7 @@ func TestNewHTTPUnauthorizedHandler_NormalRequest(t *testing.T) {
 		_, _ = w.Write([]byte(`{"result":"ok"}`))
 	})
 
-	handler := NewHTTPUnauthorizedHandler(inner)
+	handler := NewHTTPUnauthorizedHandler(inner, `Bearer realm="buildkite"`)
 	rec := httptest.NewRecorder()
 	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
 
@@ -37,7 +37,7 @@ func TestNewHTTPUnauthorizedHandler_UnauthorizedSignal(t *testing.T) {
 		_, _ = w.Write([]byte(`{"error":"unauthorized"}`))
 	})
 
-	handler := NewHTTPUnauthorizedHandler(inner)
+	handler := NewHTTPUnauthorizedHandler(inner, `Bearer realm="buildkite"`)
 	rec := httptest.NewRecorder()
 	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
 

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ func (c HTTPCmd) Run(ctx context.Context, globals Globals) error {`
`59`	`59`	`mcp.NewStreamableHTTPHandler(factory, &mcp.StreamableHTTPOptions{`
`60`	`60`	`Stateless: true,`
`61`	`61`	`}),`
	`62`	+ `Bearer realm="buildkite"`,
`62`	`63`	`)`
`63`	`64`	`mux.Handle("/mcp", handler)`
`64`	`65`