ї
    "Ў<i~0  Ц                  С  ≈ d Z ddlmZ ddlZddlmZ ddlmZmZm	Z	 ddl
mZmZ ddlmZ ddlmZ dd	lmZ dd
lmZ ddlmZ ddlmZ ddlmZmZ  eeі  ╚        Z G d└ deі  ╚        Z G d└ deі  ╚        Z G d└ deі  ╚        Z dS )aT  GitHub OAuth provider for FastMCP.

This module provides a complete GitHub OAuth integration that's ready to use
with just a client ID and client secret. It handles all the complexity of
GitHub's OAuth flow, token validation, and user management.

Example:
    ```python
    from fastmcp import FastMCP
    from fastmcp.server.auth.providers.github import GitHubProvider

    # Simple GitHub OAuth protection
    auth = GitHubProvider(
        client_id="your-github-client-id",
        client_secret="your-github-client-secret"
    )

    mcp = FastMCP("My Protected Server", auth=auth)
    ```
И    )зannotationsN)зAsyncKeyValue)з
AnyHttpUrlз	SecretStrзfield_validator)зBaseSettingsзSettingsConfigDict)зTokenVerifier)зAccessToken)з
OAuthProxy)зENV_FILE╘зparse_scopes)з
get_logger)зNotSetзNotSetTc                  СЙ   ≈ e Zd ZU dZ eded╛і  ╚        ZdZded<   dZ	ded	<   dZ
d
ed<   dZd
ed<   dZded<   dZded<   dZded<   dZded<   dZded<    edd╛і  ╚        ed└ і   ╚         і   ╚         ZdS )зGitHubProviderSettingsz#Settings for GitHub OAuth provider.зFASTMCP_SERVER_AUTH_GITHUB_зignore)з
env_prefixзenv_fileзextraNz
str | Noneз	client_idzSecretStr | Noneзclient_secretzAnyHttpUrl | str | Noneзbase_urlз
issuer_urlзredirect_pathЗlist[str] | Noneзrequired_scopesz
int | Noneзtimeout_secondsзallowed_client_redirect_urisзjwt_signing_keyзbefore)зmodec                С    ≈ t          |і  ╚        S )Nr   )зclsзvs     З÷/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/fastmcp/server/auth/providers/github.pyз_parse_scopesz$GitHubProviderSettings._parse_scopes;   s   ─ У ≤A┴▄пС    )з__name__з
__module__з__qualname__з__doc__r	   r   зmodel_configr   з__annotations__r   r   r   r   r    r!   r"   r#   r   зclassmethodr*   ╘ r+   r)   r   r   (   s  ─ ─ ─ ─ ─ ─ ь-п-Ю%п%ь0ььПЯ Т ─LП !─Iп п п я ь&*─Mп*п*п*я*ь(,─Hп,п,п,я,ь*.─Jп.п.п.я.ь $─Mп$п$п$я$ь(,─Oп,п,п,я,ь"&─Oп&п&п&я&ь59п п9п9п9я9ь"&─Oп&п&п&я&Ю─_п&╗Xп6я6т6ьПП Я └[Я 7т6ПП П r+   r   c                  С4   ┤ ≈ e Zd ZdZddd°d┬ fd	└Zdd└Z┬ xZS )зGitHubTokenVerifierzЇToken verifier for GitHub OAuth tokens.

    GitHub OAuth tokens are opaque (not JWTs), so we verify them
    by calling GitHub's API to check if they're valid and get user info.
    NИ
   ╘r    r!   r    r   r!   зintc               СZ   ∙≈ t          і   ╚         ═                    |╛і  ╚         || _        dS )z╧Initialize the GitHub token verifier.

        Args:
            required_scopes: Required OAuth scopes (e.g., ['user:email'])
            timeout_seconds: HTTP request timeout
        )r    N)зsuperз__init__r!   )зselfr    r!   з	__class__s      ─r)   r;   zGitHubTokenVerifier.__init__H   s.   Ь─ У 	┴▄вр╗пя9т9п9ь.┬тппr+   зtokenзstrзreturnЗAccessToken | Nonec              ┐  Сx  K  ≈ 	 t          j        | j        ╛і  ╚        4 ┐d{V ≈├}|═                    dd|⌡ ²ddd°╛і  ╚        ┐ d{V ≈├}|j        d	k    rBt
          ═                    d
|j        |j        dd	┘         і  ╚         	 dddі  ╚        ┐d{V ≈├ dS |═                    і   ╚         }|═                    dd|⌡ ²ddd°╛і  ╚        ┐ d{V ≈├}|j	        ═                    ddі  ╚        }d└ |═
                    dі  ╚        D і   ╚         }|sdg}| j        r┌t          |і  ╚        }t          | j        і  ╚        }	|	═                    |і  ╚        sJt
          ═                    dt          |і  ╚        t          |	і  ╚        і  ╚         	 dddі  ╚        ┐d{V ≈├ dS t          |t!          |═                    ddі  ╚        і  ╚        |dt!          |d         і  ╚        |═                    dі  ╚        |═                    dі  ╚        |═                    dі  ╚        |═                    dі  ╚        |d°╛і  ╚        cdddі  ╚        ┐d{V ≈├ S # 1 ┐d{V ≈├swxY w Y   dS # t           j        $ r&}
t
          ═                    d|
і  ╚         Y d}
~
dS d}
~
wt$          $ r&}
t
          ═                    d|
і  ╚         Y d}
~
dS d}
~
ww xY w)z0Verify GitHub OAuth token by calling GitHub API.)зtimeoutNzhttps://api.github.com/userzBearer zapplication/vnd.github.v3+jsonzFastMCP-GitHub-OAuth)зAuthorizationзAcceptz
User-Agent)зheadersИх   z)GitHub token verification failed: %d - %sz!https://api.github.com/user/reposzx-oauth-scopesз c                С^   ≈ g | ]*}|═                     і   ╚         ╞|═                     і   ╚         ▒▄+S r3   )зstrip)з.0зscopes     r)   З
<listcomp>z4GitHubTokenVerifier.verify_token.<locals>.<listcomp>|   s>   ─ П  П  П  Юь≈{▓{▒}■}П ь≈K▓K▒M■MП П  П  r+   З,зuserz6GitHub token missing required scopes. Has %d, needs %dзidзunknownзloginзnameзemailз
avatar_url)зsubrR   rS   rT   rU   зgithub_user_data)r>   r   зscopesз
expires_atзclaimsz!Failed to verify GitHub token: %sz#GitHub token verification error: %s)зhttpxзAsyncClientr!   зgetзstatus_codeзloggerзdebugзtextзjsonrF   зsplitr    зsetзissubsetзlenr   r?   зRequestErrorз	Exception)r<   r>   зclientзresponseз	user_dataзscopes_responseзoauth_scopes_headerзtoken_scopesзtoken_scopes_setзrequired_scopes_setзes              r)   зverify_tokenz GitHubTokenVerifier.verify_tokenW   s┴  Х Х ─ ПN	щт(╟т1EпFяFтFП FП FП FП FП FП FП Fх&Ю!'ї╒ь1Ю):╟5п):п):ь"Bь&<ПП П ",Я "Т "П П П П П П ░П т'╗3р.п.щ≈L▓LьCь т,ь °═d═s═dт+ЯТ П П
  П#FП FП FЯ FТ FП FП FП FП FП FП FП FП FП FП& %÷M M≥O°O░	П )/╞
╙
ь7Ю):╟5п):п):ь"Bь&<ПП П )3Я )Т )П #П #П #П #П #П #░П '6т&=в&Aр&AпBRпTVя&Wт&Wп#П П  Ю!4в!:р!:╦3я!?т!?П Я  Т  ░П $П ,ь$*═8░LП т'П 	$щ'*╗<я'8т'8п$щ*-╗dт.Bя*Cт*Cп'ь.в7р7п8HяIтIП $щ÷ ьTщп 0я1т1щп 3я4т4ЯТ П П
  $ПmFП FП FЯ FТ FП FП FП FП FП FП FП FП FП FУr #ьщ!═)ї-╒-╟╟iя"@т"@яAтAь'ь#Е"═9╗Tє?я3т3ь!*ї╒╗wя!7т!7ь )ї╒╗fя 5т 5ь!*ї╒╗wя!7т!7ь&/їm╒m╟Lя&Aт&Aь,5ПП ПЯ Т ПsFП FП FП FЯ FТ FП FП FП FП FП FП FП FП FП FП FП FП FП FП FП FП FП FП FЬЬЬП FП FП FП FП FП FЬУP т!П 	П 	П 	щ▐L┼Lп<╦aя@т@п@ь░4░4░4░4░4ЬЬЬЬщП 	П 	П 	щ▐L┼Lп>юяBтBпBь░4░4░4░4░4ЬЬЬЬП	ЬЬЬsa   └ I єAIбI бC-IфI фBIх0I и
IиI иIиI иJ9и%JйJ9йJ4й4J9)r    r   r!   r8   )r>   r?   r@   rA   )r,   r-   r.   r/   r;   rr   з__classcell__╘r=   s   @r)   r5   r5   A   su   Ь─ ─ ─ ─ ─ ПП П -1ь!П	/П /П /П /П /П /П /П /ПPП PП PП PП PП PП PП Pr+   r5   c                  С>   ┤ ≈ e Zd ZdZeeeeeeeededd°d┬ fd└Z┬ xZS )зGitHubProvideraЭ  Complete GitHub OAuth provider for FastMCP.

    This provider makes it trivial to add GitHub OAuth protection to any
    FastMCP server. Just provide your GitHub OAuth app credentials and
    a base URL, and you're ready to go.

    Features:
    - Transparent OAuth proxy to GitHub
    - Automatic token validation via GitHub API
    - User information extraction
    - Minimal configuration required

    Example:
        ```python
        from fastmcp import FastMCP
        from fastmcp.server.auth.providers.github import GitHubProvider

        auth = GitHubProvider(
            client_id="Ov23li...",
            client_secret="abc123...",
            base_url="https://my-server.com"
        )

        mcp = FastMCP("My App", auth=auth)
        ```
    NT)r   r   r   r   r   r    r!   r"   зclient_storager#   зrequire_authorization_consentr   Зstr | NotSetTr   r   ЗAnyHttpUrl | str | NotSetTr   r   r    Зlist[str] | NotSetTr!   Зint | NotSetTr"   rw   ЗAsyncKeyValue | Noner#   Зstr | bytes | NotSetTrx   зboolc               СV  ∙≈ t           ═                    d└ |||||||||
d°	═                    і   ╚         D і   ╚         і  ╚        }|j        st	          dі  ╚        ┌|j        st	          dі  ╚        ┌|j        pd}|j        pdg}|j        }t          ||╛і  ╚        }|j        r|j        ═
                    і   ╚         nd}t          і   ╚         ═                    d	d
|j        |||j        |j        |j        p|j        ||	|j        |╛і  ╚         t"          ═                    d|j        |і  ╚         dS )a|  Initialize GitHub OAuth provider.

        Args:
            client_id: GitHub OAuth app client ID (e.g., "Ov23li...")
            client_secret: GitHub OAuth app client secret
            base_url: Public URL where OAuth endpoints will be accessible (includes any mount path)
            issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL
                to avoid 404s during discovery when mounting under a path.
            redirect_path: Redirect path configured in GitHub OAuth app (defaults to "/auth/callback")
            required_scopes: Required GitHub scopes (defaults to ["user"])
            timeout_seconds: HTTP request timeout for GitHub API calls
            allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                If None (default), all URIs are allowed. If empty list, no URIs are allowed.
            client_storage: Storage backend for OAuth state (client registrations, encrypted tokens).
                If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The
                disk store will be encrypted using a key derived from the JWT Signing Key.
            jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided,
                they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not
                provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2.
            require_authorization_consent: Whether to require user consent before authorizing clients (default True).
                When True, users see a consent screen before being redirected to GitHub.
                When False, authorization proceeds directly without user confirmation.
                SECURITY WARNING: Only disable for local development or testing environments.
        c                С,   ≈ i | ]\  }}|t           u╞||⌠▄S r3   )r   )rK   зkr(   s      r)   З
<dictcomp>z+GitHubProvider.__init__.<locals>.<dictcomp>О   s3   ─ П П П А░A░qП ²F░?░?П ░1П #░?░?r+   )	r   r   r   r   r   r    r!   r"   r#   zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRETr6   rO   r7   rH   z(https://github.com/login/oauth/authorizez+https://github.com/login/oauth/access_token)зupstream_authorization_endpointзupstream_token_endpointзupstream_client_idзupstream_client_secretзtoken_verifierr   r   r   r"   rw   r#   rx   z?Initialized GitHub OAuth provider for client %s with scopes: %sN)r   зmodel_validateзitemsr   з
ValueErrorr   r!   r    r"   r5   зget_secret_valuer:   r;   r   r   r   r#   r_   r`   )r<   r   r   r   r   r   r    r!   r"   rw   r#   rx   зsettingsзtimeout_seconds_finalзrequired_scopes_finalз"allowed_client_redirect_uris_finalr┬   зclient_secret_strr=   s                     ─r)   r;   zGitHubProvider.__init__ф   sі  Ь─ УP *в8р8ПП П "+ь%2ь (ь",ь%2ь'6ь'6ь4Pь'6П
П 
В ▓%▒'■'ПЯ Т Я
Т 
┬П& т!П 	щьcЯТ П П т%П 	щьkЯТ П П !)т 8п >╦Bпь (т 8п D╦V╦Hпь-5т-Rп*У -ь1ь1П
Я 
Т 
┬П :Bт9OпW┬Hт"в3р3я5т5п5пUWП 	У
 	┴▄врь,Vь$Qь'т1ь#4ь)ьт&ь"т0ьт*П !ьт ь)Kь)ь$т4ь*GП 	Я 	
Т 	
П 	
У  	▐┼ьMьть!Я	
Т 	
П 	
П 	
П 	
r+   )r   ry   r   ry   r   rz   r   rz   r   ry   r    r{   r!   r|   r"   r{   rw   r}   r#   r~   rx   r   )r,   r-   r.   r/   r   r;   rs   rt   s   @r)   rv   rv   ╙   s─   Ь─ ─ ─ ─ ─ ПП П< $*ь'-ь/5ь17ь'-ь/5ь)/ь<Bь/3ь17ь.2Пj
П j
П j
П j
П j
П j
П j
П j
П j
П j
П j
П j
r+   rv   )!r/   з
__future__r   r[   зkey_value.aio.protocolsr   зpydanticr   r   r   зpydantic_settingsr   r	   зfastmcp.server.authr
   зfastmcp.server.auth.authr   зfastmcp.server.auth.oauth_proxyr   зfastmcp.settingsr   зfastmcp.utilities.authr   зfastmcp.utilities.loggingr   зfastmcp.utilities.typesr   r   r,   r_   r   r5   rv   r3   r+   r)   З<module>r²      s╒  ППП П* #п "п "п "п "п "Ю ───ь 1п 1п 1п 1п 1п 1ь ;п ;п ;п ;п ;п ;п ;п ;п ;п ;ь >п >п >п >п >п >п >п >Ю -п -п -п -п -п -ь 0п 0п 0п 0п 0п 0ь 6п 6п 6п 6п 6п 6ь %п %п %п %п %п %ь /п /п /п /п /п /ь 0п 0п 0п 0п 0п 0ь 3п 3п 3п 3п 3п 3п 3п 3Ю	┬░Hя	т	─ПП П П П ≤\Я Т П П2fП fП fП fП f≤-Я fТ fП fПRF
П F
П F
П F
П F
░ZЯ F
Т F
П F
П F
П F
r+   