@ayomaska18
Contributor

Summary

  • Add AUTH_ENABLED environment variable to toggle authentication on/off
  • Implement browser OAuth flow for Swagger UI (/login, /login/callback, /logout)
  • Refactor auth code into dedicated auth.py module
  • Add Postman compatibility via monkey patches

Changes

New Features:

  • AUTH_ENABLED=true (default): Full OAuth authentication required
  • AUTH_ENABLED=false: No auth required, but Bearer tokens still work for Google tools
  • Browser login flow with PKCE for Swagger UI users
  • Cookie-based session management for REST endpoints

Files Changed:

  • src/humcp/auth.py - New auth module with GoogleProvider configuration and patches
  • src/humcp/routes.py - REST auth dependencies and login endpoints
  • src/humcp/server.py - Auth provider creation moved into create_app()
  • src/tools/google/auth.py - Context variable for passing tokens to Google tools

Authentication Flow

MCP Clients: Google OAuth → FastMCP JWT → Server verifies JWT
REST/Browser: Google OAuth → FastMCP JWT → Unwrap → Google token in cookie

Current problem

  • REST endpoints unwrap the JWT to get the Google token and store it in a cookie, but non-Google endpoints only check whether the token exists and can call the tool directly, with no authentication step. A solution would be to add token authentication every time a non-Google tool is called, as well as for Google ones, but this would add latency and cost.
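The cookie problem described above, as an added example that is not part of the PR or the humcp project: the existence-only check beside a server-signed session cookie that can be verified locally, so non-Google endpoints get a real authentication step without a per-request round trip to Google. SESSION_SECRET, SESSION_TTL, the cookie layout and the function names are assumptions.

```python
"""Added example (not code from the humcp PR): contrasting the weak
"cookie exists" check with a server-signed session cookie that the
server can verify on its own. Secret, TTL and layout are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_SECRET = b"constructed-demo-secret-rotate-in-production"  # assumption
SESSION_TTL = 3600  # seconds; assumption


def weak_check(cookies: dict) -> bool:
    """The gap the PR describes: any non-empty cookie value is accepted."""
    return bool(cookies.get("session"))


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Mint a session cookie once the OAuth callback has succeeded.
    Payload is base64url(JSON); the tag is HMAC-SHA256 over the payload,
    so later requests can be checked without re-validating the Google token."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + SESSION_TTL}
    raw = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=")
    tag = hmac.new(SESSION_SECRET, raw, hashlib.sha256).hexdigest()
    return f"{raw.decode()}.{tag}"


def verify_session(cookie: Optional[str], now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    if not cookie or "." not in cookie:
        return None
    raw, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SESSION_SECRET, raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    padded = raw + "=" * (-len(raw) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # reject expired sessions
        return None
    return claims
```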
