Update documentation and example for password authentication

hrntknr · hrntknr · commit 660c0b7f2e06 · 2025-08-16T02:44:06.000Z
- Remove .env.example file as it's no longer needed
- Update README to reflect password authentication option
- Simplify docker-compose example to use PASSWORD env var
- Change logout to return text response instead of redirect
diff --git a/README.md b/README.md
@@ -11,17 +11,29 @@ docker run --rm -p 8081:8081 --net=host \
   -e EXTERNAL_URL=http://localhost:8081 \
   -e PROXY_URL=http://localhost:8080 \
   -e GLOBAL_SECRET=$(openssl rand -hex 32) \
-  -e GOOGLE_CLIENT_ID=... \
-  -e GOOGLE_CLIENT_SECRET=... \
-  -e GOOGLE_ALLOWED_USERS=... \
+  -e PASSWORD=changeme \
+  -v ./data:/data \
   ghcr.io/sigbit/mcp-auth-proxy:latest
 ```
 
+.mcp.json
+```json
+{
+  "mcpServers": {
+    "mcp": {
+      "type": "http",
+      "url": "http://localhost:8081/mcp"
+    }
+  }
+}
+```
+
+
 ## Overview
 
 MCP Auth Proxy is a secure OAuth 2.1 authentication proxy for Model Context Protocol (MCP) servers. MCP servers are expected to support not only standard OAuth 2.1 flows but also Dynamic Client support (e.g., dynamic client registration) and authentication-related .well-known metadata. On top of that, different MCP clients handle tokens differently, which makes implementation tricky.
 
-MCP Auth Proxy sits in front of your MCP services and enforces sign-in with OAuth providers (such as Google or GitHub) before users can access protected MCP resources.
+MCP Auth Proxy sits in front of your MCP services and enforces sign-in with OAuth providers (such as Google or GitHub) or password before users can access protected MCP resources.
 
 ## Note
 
@@ -38,16 +50,16 @@ For a simpler approach to publish local MCP servers over OAuth, consider [MCP Wa
 | `EXTERNAL_URL`         | No       | External URL for OAuth callbacks                 | `http://localhost:8081` |
 | `PROXY_URL`            | No       | Target MCP server URL                            | `http://localhost:8080` |
 | `GLOBAL_SECRET`        | No       | Global secret for session encryption             | `supersecret`           |
-| `GOOGLE_CLIENT_ID`     | No*      | Google OAuth client ID                           | -                       |
-| `GOOGLE_CLIENT_SECRET` | No*      | Google OAuth client secret                       | -                       |
-| `GOOGLE_ALLOWED_USERS` | No*      | Comma-separated list of allowed Google emails    | -                       |
-| `GITHUB_CLIENT_ID`     | No*      | GitHub OAuth client ID                           | -                       |
-| `GITHUB_CLIENT_SECRET` | No*      | GitHub OAuth client secret                       | -                       |
-| `GITHUB_ALLOWED_USERS` | No*      | Comma-separated list of allowed GitHub usernames | -                       |
+| `GOOGLE_CLIENT_ID`     | No       | Google OAuth client ID                           | -                       |
+| `GOOGLE_CLIENT_SECRET` | No       | Google OAuth client secret                       | -                       |
+| `GOOGLE_ALLOWED_USERS` | No       | Comma-separated list of allowed Google emails    | -                       |
+| `GITHUB_CLIENT_ID`     | No       | GitHub OAuth client ID                           | -                       |
+| `GITHUB_CLIENT_SECRET` | No       | GitHub OAuth client secret                       | -                       |
+| `GITHUB_ALLOWED_USERS` | No       | Comma-separated list of allowed GitHub usernames | -                       |
+| `PASSWORD`             | No       | Password for authentication                      | -                       |
+| `PASSWORD_HASH`        | No       | Hash of the password for authentication          | -                       |
 | `MODE`                 | No       | Set to `debug` for development mode              | `production`            |
 
-*At least one OAuth provider must be configured (Google or GitHub)
-
 ### OAuth Provider Setup
 
 #### Google OAuth Setup
diff --git a/example/.env.example b/example/.env.example
diff --git a/example/docker-compose.yaml b/example/docker-compose.yaml
@@ -4,15 +4,14 @@ services:
       context: ..
       dockerfile: Dockerfile
     restart: unless-stopped
-    env_file:
-      - .env
     ports:
       - 8081:8081
     environment:
       # If you are accessing from outside (such as Claude Web),
       # be sure to specify a domain name that can be accessed from outside for EXTERNAL_URL.
       - EXTERNAL_URL=http://localhost:8081
       - PROXY_URL=http://playwright:8931
+      - PASSWORD=changeme
     volumes:
       - ./data:/data
   playwright:
diff --git a/pkg/auth/main.go b/pkg/auth/main.go
@@ -203,7 +203,7 @@ func (a *AuthRouter) handleLogout(c *gin.Context) {
 	session := sessions.Default(c)
 	session.Clear()
 	session.Save()
-	c.Redirect(http.StatusFound, LoginEndpoint)
+	c.String(http.StatusOK, "Logged out")
 }
 
 func (a *AuthRouter) RequireAuth() gin.HandlerFunc {

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ func (a AuthRouter) handleLogout(c gin.Context) {`
`203`	`203`	`session := sessions.Default(c)`
`204`	`204`	`session.Clear()`
`205`	`205`	`session.Save()`
`206`		`- c.Redirect(http.StatusFound, LoginEndpoint)`
	`206`	`+ c.String(http.StatusOK, "Logged out")`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`func (a *AuthRouter) RequireAuth() gin.HandlerFunc {`