feat(test): add rate limit testing support to OAuth test server

Add rate limit injection capabilities to the OAuth test server for testing
autoDetectResource() retry behavior with 429 responses.

## Changes
- Add MCPRateLimitCount, MCPRateLimitRetryAfter, MCPRateLimitUseResetAt to ErrorMode
- Add rate limit check to oauthMiddleware (before auth check)
- Add /.well-known/oauth-protected-resource endpoint (RFC 9728)
- Add ProtectedResourceMetadata type
- Add MCPURL and ProtectedResourceMetadataURL to ServerResult
- Add ResetRateLimitCounter() helper for tests
- Add tests for rate limiting and protected resource metadata

## Usage
```go
server := oauthserver.Start(t, oauthserver.Options{
    ErrorMode: oauthserver.ErrorMode{
        MCPRateLimitCount:      2,  // Return 429 twice
        MCPRateLimitRetryAfter: 5,  // With Retry-After: 5
    },
})
```

Author: technicalpickles

tests/oauthserver/discovery.go

@@ -66,3 +66,31 @@ func (s *OAuthTestServer) handleDiscovery(w http.ResponseWriter, r *http.Request
 		return
 	}
 }
+
+// buildProtectedResourceMetadata constructs RFC 9728 Protected Resource Metadata.
+func (s *OAuthTestServer) buildProtectedResourceMetadata() *ProtectedResourceMetadata {
+	return &ProtectedResourceMetadata{
+		Resource:              s.issuerURL + "/mcp",
+		AuthorizationServers:  []string{s.issuerURL},
+		ScopesSupported:       s.options.SupportedScopes,
+		BearerMethodsSupported: []string{"header"},
+	}
+}
+
+// handleProtectedResourceMetadata handles GET /.well-known/oauth-protected-resource requests.
+// This implements RFC 9728 Protected Resource Metadata for resource auto-detection.
+func (s *OAuthTestServer) handleProtectedResourceMetadata(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	metadata := s.buildProtectedResourceMetadata()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Cache-Control", "public, max-age=3600")
+	if err := json.NewEncoder(w).Encode(metadata); err != nil {
+		http.Error(w, "Failed to encode metadata", http.StatusInternalServerError)
+		return
+	}
+}

tests/oauthserver/mcp.go

@@ -55,6 +55,19 @@ func (s *OAuthTestServer) createMCPServer() *mcpserver.MCPServer {
 // oauthMiddleware wraps the MCP handler with OAuth authentication
 func (s *OAuthTestServer) oauthMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check for rate limit injection BEFORE auth check
+		if s.options.ErrorMode.MCPRateLimitCount > 0 {
+			s.mu.Lock()
+			s.mcpRateLimitHits++
+			hits := s.mcpRateLimitHits
+			s.mu.Unlock()
+
+			if hits <= s.options.ErrorMode.MCPRateLimitCount {
+				s.sendMCPRateLimited(w)
+				return
+			}
+		}
+
 		// Check for Bearer token authentication
 		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
@@ -109,3 +122,21 @@ func (s *OAuthTestServer) sendMCPUnauthorized(w http.ResponseWriter) {
 	w.WriteHeader(http.StatusUnauthorized)
 	w.Write([]byte(`{"error": "unauthorized", "error_description": "Bearer token required"}`))
 }
+
+// sendMCPRateLimited sends a 429 response for rate limit testing
+func (s *OAuthTestServer) sendMCPRateLimited(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "application/json")
+
+	if s.options.ErrorMode.MCPRateLimitRetryAfter > 0 && !s.options.ErrorMode.MCPRateLimitUseResetAt {
+		w.Header().Set("Retry-After", fmt.Sprintf("%d", s.options.ErrorMode.MCPRateLimitRetryAfter))
+	}
+
+	w.WriteHeader(http.StatusTooManyRequests)
+
+	if s.options.ErrorMode.MCPRateLimitUseResetAt {
+		resetAt := time.Now().Add(time.Duration(s.options.ErrorMode.MCPRateLimitRetryAfter) * time.Second).Unix()
+		w.Write([]byte(fmt.Sprintf(`{"error": "rate_limited", "reset_at": %d}`, resetAt)))
+	} else {
+		w.Write([]byte(`{"error": "rate_limited", "error_description": "Too many requests"}`))
+	}
+}

tests/oauthserver/options.go

@@ -42,6 +42,11 @@ type ErrorMode struct {
 	// Device code errors
 	DeviceSlowPoll bool // Return `slow_down` on device polling
 	DeviceExpired  bool // Return `expired_token` on device polling
+
+	// MCP endpoint rate limiting (for resource auto-detection testing)
+	MCPRateLimitCount      int  // Return 429 this many times before real response
+	MCPRateLimitRetryAfter int  // Retry-After header value (seconds, 0 = omit header)
+	MCPRateLimitUseResetAt bool // Use JSON body with reset_at instead of Retry-After header
 }
 
 // Options configures the OAuth test server behavior.

tests/oauthserver/server.go

@@ -30,6 +30,9 @@ type OAuthTestServer struct {
 	refreshTokens map[string]*RefreshTokenData
 	issuedTokens  []TokenInfo
 
+	// Rate limit tracking
+	mcpRateLimitHits int
+
 	mu sync.RWMutex
 
 	// Test reference
@@ -39,13 +42,15 @@ type OAuthTestServer struct {
 // ServerResult contains everything needed to configure a test client.
 type ServerResult struct {
 	// Server URLs
-	IssuerURL                   string
-	AuthorizationEndpoint       string
-	TokenEndpoint               string
-	JWKSURL                     string
-	RegistrationEndpoint        string // Empty if DCR disabled
-	DeviceAuthorizationEndpoint string // Empty if device code disabled
-	ProtectedResourceURL        string // For WWW-Authenticate detection tests
+	IssuerURL                      string
+	AuthorizationEndpoint          string
+	TokenEndpoint                  string
+	JWKSURL                        string
+	RegistrationEndpoint           string // Empty if DCR disabled
+	DeviceAuthorizationEndpoint    string // Empty if device code disabled
+	ProtectedResourceURL           string // For WWW-Authenticate detection tests
+	MCPURL                         string // MCP endpoint URL (for resource auto-detection testing)
+	ProtectedResourceMetadataURL   string // RFC 9728 metadata URL
 
 	// Pre-registered test client (confidential)
 	ClientID     string
@@ -135,16 +140,18 @@ func StartOnPort(t *testing.T, port int, opts Options) *ServerResult {
 
 	// Build result
 	result := &ServerResult{
-		IssuerURL:             issuerURL,
-		AuthorizationEndpoint: issuerURL + "/authorize",
-		TokenEndpoint:         issuerURL + "/token",
-		JWKSURL:               issuerURL + "/jwks.json",
-		ProtectedResourceURL:  issuerURL + "/protected",
-		ClientID:              confidentialClient.ClientID,
-		ClientSecret:          confidentialClient.ClientSecret,
-		PublicClientID:        publicClient.ClientID,
-		Shutdown:              s.Shutdown,
-		Server:                s,
+		IssuerURL:                    issuerURL,
+		AuthorizationEndpoint:        issuerURL + "/authorize",
+		TokenEndpoint:                issuerURL + "/token",
+		JWKSURL:                      issuerURL + "/jwks.json",
+		ProtectedResourceURL:         issuerURL + "/protected",
+		MCPURL:                       issuerURL + "/mcp",
+		ProtectedResourceMetadataURL: issuerURL + "/.well-known/oauth-protected-resource",
+		ClientID:                     confidentialClient.ClientID,
+		ClientSecret:                 confidentialClient.ClientSecret,
+		PublicClientID:               publicClient.ClientID,
+		Shutdown:                     s.Shutdown,
+		Server:                       s,
 	}
 
 	if opts.EnableDCR {
@@ -226,16 +233,18 @@ func Start(t *testing.T, opts Options) *ServerResult {
 
 	// Build result
 	result := &ServerResult{
-		IssuerURL:             issuerURL,
-		AuthorizationEndpoint: issuerURL + "/authorize",
-		TokenEndpoint:         issuerURL + "/token",
-		JWKSURL:               issuerURL + "/jwks.json",
-		ProtectedResourceURL:  issuerURL + "/protected",
-		ClientID:              confidentialClient.ClientID,
-		ClientSecret:          confidentialClient.ClientSecret,
-		PublicClientID:        publicClient.ClientID,
-		Shutdown:              s.Shutdown,
-		Server:                s,
+		IssuerURL:                    issuerURL,
+		AuthorizationEndpoint:        issuerURL + "/authorize",
+		TokenEndpoint:                issuerURL + "/token",
+		JWKSURL:                      issuerURL + "/jwks.json",
+		ProtectedResourceURL:         issuerURL + "/protected",
+		MCPURL:                       issuerURL + "/mcp",
+		ProtectedResourceMetadataURL: issuerURL + "/.well-known/oauth-protected-resource",
+		ClientID:                     confidentialClient.ClientID,
+		ClientSecret:                 confidentialClient.ClientSecret,
+		PublicClientID:               publicClient.ClientID,
+		Shutdown:                     s.Shutdown,
+		Server:                       s,
 	}
 
 	if opts.EnableDCR {
@@ -256,6 +265,9 @@ func (s *OAuthTestServer) setupRoutes(mux *http.ServeMux) {
 		mux.HandleFunc("/.well-known/openid-configuration", s.handleDiscovery)
 	}
 
+	// Protected Resource Metadata (RFC 9728) - always available for resource auto-detection
+	mux.HandleFunc("/.well-known/oauth-protected-resource", s.handleProtectedResourceMetadata)
+
 	// JWKS endpoint
 	mux.HandleFunc("/jwks.json", s.handleJWKS)
 
@@ -446,6 +458,14 @@ func (s *OAuthTestServer) SetErrorMode(mode ErrorMode) {
 	s.options.ErrorMode = mode
 }
 
+// ResetRateLimitCounter resets the MCP rate limit hit counter.
+// Call this between tests to start fresh.
+func (s *OAuthTestServer) ResetRateLimitCounter() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.mcpRateLimitHits = 0
+}
+
 // GetAuthorizationCodes returns pending authorization codes (for debugging).
 func (s *OAuthTestServer) GetAuthorizationCodes() []AuthCodeInfo {
 	s.mu.RLock()

tests/oauthserver/server_test.go

@@ -960,3 +960,109 @@ func TestDeviceCode_VerificationPage(t *testing.T) {
 	assert.Contains(t, string(body), "Device Verification")
 	assert.Contains(t, string(body), deviceResp.UserCode) // Should pre-fill the user code
 }
+
+// --- MCP Rate Limiting Tests ---
+
+func TestMCPRateLimiting(t *testing.T) {
+	t.Run("returns 429 with Retry-After header", func(t *testing.T) {
+		server := Start(t, Options{
+			ErrorMode: ErrorMode{
+				MCPRateLimitCount:      2,
+				MCPRateLimitRetryAfter: 5,
+			},
+		})
+		defer server.Shutdown()
+
+		client := &http.Client{}
+
+		// First request should return 429
+		resp1, err := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		require.NoError(t, err)
+		defer resp1.Body.Close()
+		assert.Equal(t, http.StatusTooManyRequests, resp1.StatusCode)
+		assert.Equal(t, "5", resp1.Header.Get("Retry-After"))
+
+		// Second request should also return 429
+		resp2, err := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		require.NoError(t, err)
+		defer resp2.Body.Close()
+		assert.Equal(t, http.StatusTooManyRequests, resp2.StatusCode)
+
+		// Third request should return 401 (past rate limit count)
+		resp3, err := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		require.NoError(t, err)
+		defer resp3.Body.Close()
+		assert.Equal(t, http.StatusUnauthorized, resp3.StatusCode)
+		assert.Contains(t, resp3.Header.Get("WWW-Authenticate"), "resource_metadata")
+	})
+
+	t.Run("returns 429 with reset_at in body", func(t *testing.T) {
+		server := Start(t, Options{
+			ErrorMode: ErrorMode{
+				MCPRateLimitCount:      1,
+				MCPRateLimitRetryAfter: 10,
+				MCPRateLimitUseResetAt: true,
+			},
+		})
+		defer server.Shutdown()
+
+		client := &http.Client{}
+
+		resp, err := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, http.StatusTooManyRequests, resp.StatusCode)
+		assert.Empty(t, resp.Header.Get("Retry-After"), "Should not have Retry-After header when using reset_at")
+
+		body, _ := io.ReadAll(resp.Body)
+		assert.Contains(t, string(body), "reset_at")
+	})
+
+	t.Run("ResetRateLimitCounter works", func(t *testing.T) {
+		server := Start(t, Options{
+			ErrorMode: ErrorMode{
+				MCPRateLimitCount:      1,
+				MCPRateLimitRetryAfter: 1,
+			},
+		})
+		defer server.Shutdown()
+
+		client := &http.Client{}
+
+		// First request returns 429
+		resp1, _ := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		resp1.Body.Close()
+		assert.Equal(t, http.StatusTooManyRequests, resp1.StatusCode)
+
+		// Reset counter
+		server.Server.ResetRateLimitCounter()
+
+		// Next request should return 429 again (counter reset)
+		resp2, _ := client.Post(server.MCPURL, "application/json", strings.NewReader("{}"))
+		resp2.Body.Close()
+		assert.Equal(t, http.StatusTooManyRequests, resp2.StatusCode)
+	})
+}
+
+// --- Protected Resource Metadata Tests ---
+
+func TestProtectedResourceMetadata(t *testing.T) {
+	server := Start(t, Options{})
+	defer server.Shutdown()
+
+	resp, err := http.Get(server.ProtectedResourceMetadataURL)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, "application/json", resp.Header.Get("Content-Type"))
+
+	var metadata map[string]interface{}
+	err = json.NewDecoder(resp.Body).Decode(&metadata)
+	require.NoError(t, err)
+
+	assert.Equal(t, server.MCPURL, metadata["resource"])
+	assert.Contains(t, metadata, "authorization_servers")
+	assert.Contains(t, metadata, "scopes_supported")
+}

tests/oauthserver/types.go

@@ -86,6 +86,14 @@ type TokenErrorResponse struct {
 	ErrorURI         string `json:"error_uri,omitempty"`
 }
 
+// ProtectedResourceMetadata represents OAuth 2.0 Protected Resource Metadata (RFC 9728).
+type ProtectedResourceMetadata struct {
+	Resource              string   `json:"resource"`
+	AuthorizationServers  []string `json:"authorization_servers"`
+	ScopesSupported       []string `json:"scopes_supported,omitempty"`
+	BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
+}
+
 // DiscoveryMetadata represents OAuth 2.0 Authorization Server Metadata (RFC 8414).
 type DiscoveryMetadata struct {
 	Issuer                            string   `json:"issuer"`