marcus/mcp-sonarqube-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): forward SONARQUBE_TOKEN to upstream as Bearer header

Browse Source 
The upstream MCP container requires a SonarQube user token in the
Authorization header. Without one, every call returns 401.

- proxy: read SONARQUBE_TOKEN via sonarqube_token() at session-open
  time; raise TokenMissingError when unset/blank. upstream_session()
  attaches the token as "Authorization: Bearer <token>" via
  streamablehttp_client(headers=...).
- cli: fail fast in serve and check with a clear stderr message and
  exit 1 when the token is missing, before any network attempt. All
  exception text written to stderr passes through _redact() so an
  accidentally-leaked token from a third-party exception is replaced
  with [REDACTED] before display.
- The token is never stored on any object, never logged, and the
  TokenMissingError message contains no token material (it only
  describes how to generate one in SonarQube).
- Tests: header forwarding via mocked streamablehttp_client, missing-
  token exit code, redaction in CLI error paths, whitespace stripping
  on the token. Total: 25 tests.
- Docs: README/CLAUDE updated with the new env-var, Claude Desktop
  config snippet, and the security guarantees. CHANGELOG added.

Bumps version to 0.2.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Marcus van Elst
2026-05-06 20:42:51 +02:00
parent a6fd188c14
commit d76c16d9a7
10 changed files with 307 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+42
View File
@@ -0,0 +1,42 @@
# Changelog
All notable changes to this project are documented here. The format follows
[Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project
adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.2.0] — 2026-05-06
### Added
- **`SONARQUBE_TOKEN` (required).** The upstream MCP server expects a SonarQube
user token in the `Authorization` header. The proxy now reads the token from
the environment and forwards it as `Bearer <token>` on every connection.
- `TokenMissingError` raised by `proxy.sonarqube_token()` when the variable is
unset or blank.
- Early fail-fast token check in `serve` and `check` — exits with code 1 and a
clear stderr message pointing to *My Account → Security* in SonarQube.
- Defensive token redaction: any stderr output that includes exception text
has occurrences of the live token replaced with `[REDACTED]` before display.
- Test coverage for header forwarding, missing-token exit, and token
non-leakage in error paths.
### Changed
- `upstream_session()` now opens the streamable-HTTP client with the
`Authorization` header attached.
- README and CLAUDE.md updated with the new env-var, the Claude Desktop config
snippet now includes `SONARQUBE_TOKEN`, and the security guarantees are
documented.
## [0.1.0] — 2026-05-06
### Added
- Initial transparent stdio MCP proxy implementation. Forwards `tools/list` and
`tools/call` 1:1 to an upstream streamable-HTTP MCP server.
- Schema preservation: `Tool` objects (`inputSchema`, `outputSchema`,
`annotations`, `title`, `_meta`) and `CallToolResult` (`isError`,
`structuredContent`, content blocks) are passed through unchanged.
- Click-based CLI with `serve` (stdio) and `check` (probe-and-list) commands.
- pytest suite (14 tests) covering env resolution, schema passthrough,
forwarding, registration, end-to-end dispatch, and CLI error paths.