Don't use a middleware. Not sure if this is better or worse.

Author: omgitsads

pkg/github/dependencies.go

@@ -5,8 +5,8 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 
-	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/http/transport"
 	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/lockdown"
@@ -213,6 +213,7 @@ type RequestDeps struct {
 	RepoAccessCache *lockdown.RepoAccessCache
 
 	// Static dependencies
+	token             string
 	apiHosts          *utils.ApiHost
 	version           string
 	lockdownMode      bool
@@ -224,23 +225,29 @@ type RequestDeps struct {
 
 // NewRequestDeps creates a RequestDeps with the provided clients and configuration.
 func NewRequestDeps(
+	token string,
 	apiHosts *utils.ApiHost,
 	version string,
 	lockdownMode bool,
 	repoAccessOpts []lockdown.RepoAccessOption,
 	t translations.TranslationHelperFunc,
 	flags FeatureFlags,
 	contentWindowSize int,
-) *RequestDeps {
+) (*RequestDeps, error) {
+	if strings.TrimSpace(token) == "" {
+		return nil, fmt.Errorf("token must be provided")
+	}
+
 	return &RequestDeps{
+		token:             token,
 		apiHosts:          apiHosts,
 		version:           version,
 		lockdownMode:      lockdownMode,
 		RepoAccessOpts:    repoAccessOpts,
 		T:                 t,
 		Flags:             flags,
 		ContentWindowSize: contentWindowSize,
-	}
+	}, nil
 }
 
 // GetClient implements ToolDependencies.
@@ -249,11 +256,8 @@ func (d *RequestDeps) GetClient(ctx context.Context) (*gogithub.Client, error) {
 		return d.Client, nil
 	}
 
-	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
-
 	// Construct REST client
-	restClient := gogithub.NewClient(nil).WithAuthToken(token)
+	restClient := gogithub.NewClient(nil).WithAuthToken(d.token)
 	restClient.UserAgent = fmt.Sprintf("github-mcp-server/%s", d.version)
 	restClient.BaseURL = d.apiHosts.BaseRESTURL
 	restClient.UploadURL = d.apiHosts.UploadURL
@@ -266,15 +270,12 @@ func (d *RequestDeps) GetGQLClient(ctx context.Context) (*githubv4.Client, error
 		return d.GQLClient, nil
 	}
 
-	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
-
 	// Construct GraphQL client
 	// We use NewEnterpriseClient unconditionally since we already parsed the API host
 	gqlHTTPClient := &http.Client{
 		Transport: &transport.BearerAuthTransport{
 			Transport: http.DefaultTransport,
-			Token:     token,
+			Token:     d.token,
 		},
 	}
 	gqlClient := githubv4.NewEnterpriseClient(d.apiHosts.GraphqlURL.String(), gqlHTTPClient)

pkg/http/handler.go

@@ -1,11 +1,11 @@
 package http
 
 import (
+	"errors"
 	"log/slog"
 	"net/http"
 
 	"github.com/github/github-mcp-server/pkg/github"
-	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/lockdown"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
@@ -35,8 +35,20 @@ func NewHttpMcpHandler(cfg *HTTPServerConfig,
 }
 
 func (s *HttpMcpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	token, err := ExtractUserToken(r)
+	if err != nil {
+		if errors.Is(err, errMissingAuthorizationHeader) {
+			// sendAuthChallenge(w, r, cfg, obsv)
+			return
+		}
+		// For other auth errors (bad format, unsupported), return 400
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
 	// Set up repo access cache for lockdown mode
-	deps := github.NewRequestDeps(
+	deps, err := github.NewRequestDeps(
+		token,
 		&s.apiHosts,
 		s.config.Version,
 		s.config.LockdownMode,
@@ -47,6 +59,11 @@ func (s *HttpMcpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		},
 		s.config.ContentWindowSize,
 	)
+	if err != nil {
+		s.logger.Error("failed to create request dependencies", "error", err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
 
 	ghServer, err := github.NewMCPServer(&github.MCPServerConfig{
 		Version:           s.config.Version,
@@ -71,5 +88,5 @@ func (s *HttpMcpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		Stateless: true,
 	})
 
-	middleware.ExtractUserToken()(mcpHandler).ServeHTTP(w, r)
+	mcpHandler.ServeHTTP(w, r)
 }

pkg/http/middleware/token.go pkg/http/token.gopkg/http/middleware/token.go renamed to pkg/http/token.go

@@ -1,7 +1,6 @@
-package middleware
+package http
 
 import (
-	"errors"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -40,28 +39,17 @@ var supportedThirdPartyTokenPrefixes = []string{
 // were 40 characters long and only contained the characters a-f and 0-9.
 var oldPatternRegexp = regexp.MustCompile(`\A[a-f0-9]{40}\z`)
 
-func ExtractUserToken() func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			_, token, err := parseAuthorizationHeader(r)
-			if err != nil {
-				// For missing Authorization header, return 401 with WWW-Authenticate header per MCP spec
-				if errors.Is(err, errMissingAuthorizationHeader) {
-					// 	sendAuthChallenge(w, r, cfg, obsv)
-					return
-				}
-				// For other auth errors (bad format, unsupported), return 400
-				http.Error(w, err.Error(), http.StatusBadRequest)
-				return
-			}
+func ExtractUserToken(r *http.Request) (string, error) {
+	_, token, err := parseAuthorizationHeader(r)
+	if err != nil {
+		return "", err
+	}
 
-			ctx := r.Context()
-			ctx = ghcontext.WithTokenInfo(ctx, token)
-			r = r.WithContext(ctx)
+	ctx := r.Context()
+	ctx = ghcontext.WithTokenInfo(ctx, token)
+	r = r.WithContext(ctx)
 
-			next.ServeHTTP(w, r)
-		})
-	}
+	return token, nil
 }
 func parseAuthorizationHeader(req *http.Request) (authType authType, token string, _ error) {
 	authHeader := req.Header.Get(httpheaders.AuthorizationHeader)