Add support for a base path (#30)

Closes #23

Author: dgellow

integration/base_path_test.go

@@ -0,0 +1,79 @@
+package integration
+
+import (
+"net/http"
+"testing"
+
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+
+func TestBasePathRouting(t *testing.T) {
+waitForDB(t)
+
+startMCPFront(t, "config/config.base-path-test.json")
+waitForMCPFront(t)
+
+initialContainers := getMCPContainers()
+t.Cleanup(func() {
+cleanupContainers(t, initialContainers)
+})
+
+t.Run("health at root", func(t *testing.T) {
+resp, err := http.Get("http://localhost:8080/health")
+require.NoError(t, err)
+defer resp.Body.Close()
+
+assert.Equal(t, http.StatusOK, resp.StatusCode)
+})
+
+t.Run("health not under base path", func(t *testing.T) {
+resp, err := http.Get("http://localhost:8080/mcp-api/health")
+require.NoError(t, err)
+defer resp.Body.Close()
+
+assert.Equal(t, http.StatusNotFound, resp.StatusCode)
+})
+
+t.Run("MCP server at base path", func(t *testing.T) {
+req, err := http.NewRequest("GET", "http://localhost:8080/mcp-api/postgres/sse", nil)
+require.NoError(t, err)
+req.Header.Set("Authorization", "Bearer test-token")
+req.Header.Set("Accept", "text/event-stream")
+
+client := &http.Client{}
+resp, err := client.Do(req)
+require.NoError(t, err)
+defer resp.Body.Close()
+
+assert.Equal(t, http.StatusOK, resp.StatusCode)
+assert.Equal(t, "text/event-stream", resp.Header.Get("Content-Type"))
+})
+
+t.Run("MCP server not at root", func(t *testing.T) {
+req, err := http.NewRequest("GET", "http://localhost:8080/postgres/sse", nil)
+require.NoError(t, err)
+req.Header.Set("Authorization", "Bearer test-token")
+req.Header.Set("Accept", "text/event-stream")
+
+client := &http.Client{}
+resp, err := client.Do(req)
+require.NoError(t, err)
+defer resp.Body.Close()
+
+assert.Equal(t, http.StatusNotFound, resp.StatusCode)
+})
+
+t.Run("full MCP connection", func(t *testing.T) {
+client := NewMCPSSEClient("http://localhost:8080/mcp-api")
+client.SetAuthToken("test-token")
+
+err := client.ConnectToServer("postgres")
+require.NoError(t, err)
+defer client.Close()
+
+result, err := client.SendMCPRequest("tools/list", map[string]any{})
+require.NoError(t, err)
+assert.NotNil(t, result)
+})
+}

integration/config/config.base-path-test.json

@@ -0,0 +1,28 @@
+{
+ "version": "v0.0.1-DEV_EDITION_EXPECT_CHANGES",
+ "proxy": {
+ "baseURL": "http://localhost:8080/mcp-api",
+ "addr": ":8080",
+ "name": "mcp-front-base-path-test"
+ },
+ "mcpServers": {
+ "postgres": {
+ "transportType": "stdio",
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--network",
+ "host",
+ "mcp/postgres",
+ "postgresql://testuser:testpass@localhost:15432/testdb"
+ ],
+ "serviceAuths": [
+ {
+ "type": "bearer",
+ "tokens": ["test-token"]
+ }
+ ]
+ }
+ }
+}

internal/config/load.go

@@ -3,6 +3,7 @@ package config
 import (
 "encoding/json"
 "fmt"
+"net/url"
 "os"
 "strings"
 
@@ -40,6 +41,11 @@ func Load(path string) (Config, error) {
 return Config{}, fmt.Errorf("parsing config: %w", err)
 }
 
+// Extract base path from baseURL
+if err := extractBasePath(&config); err != nil {
+return Config{}, fmt.Errorf("extracting base path: %w", err)
+}
+
 if err := ValidateConfig(&config); err != nil {
 return Config{}, fmt.Errorf("config validation failed: %w", err)
 }
@@ -208,3 +214,31 @@ func validateMCPServer(name string, server *MCPClientConfig) error {
 
 return nil
 }
+
+func extractBasePath(config *Config) error {
+u, err := url.Parse(config.Proxy.BaseURL)
+if err != nil {
+return fmt.Errorf("invalid baseURL: %w", err)
+}
+
+basePath := u.Path
+if basePath == "" {
+basePath = "/"
+}
+
+if !strings.HasPrefix(basePath, "/") {
+basePath = "/" + basePath
+}
+if len(basePath) > 1 && strings.HasSuffix(basePath, "/") {
+basePath = strings.TrimSuffix(basePath, "/")
+}
+
+config.Proxy.BasePath = basePath
+
+log.LogInfoWithFields("config", "Extracted base path from baseURL", map[string]any{
+"baseURL": config.Proxy.BaseURL,
+"basePath": basePath,
+})
+
+return nil
+}

internal/config/load_test.go

@@ -215,3 +215,67 @@ func TestValidateConfig_SessionConfig(t *testing.T) {
 })
 }
 }
+
+func TestExtractBasePath(t *testing.T) {
+tests := []struct {
+name string
+baseURL string
+expectedPath string
+expectError bool
+}{
+{
+name: "root_path",
+baseURL: "http://localhost:8080",
+expectedPath: "/",
+},
+{
+name: "simple_path",
+baseURL: "http://localhost:8080/api",
+expectedPath: "/api",
+},
+{
+name: "nested_path",
+baseURL: "http://localhost:8080/api/v1",
+expectedPath: "/api/v1",
+},
+{
+name: "trailing_slash_removed",
+baseURL: "http://localhost:8080/api/",
+expectedPath: "/api",
+},
+{
+name: "root_with_trailing_slash",
+baseURL: "http://localhost:8080/",
+expectedPath: "/",
+},
+{
+name: "path_with_multiple_segments",
+baseURL: "https://mcp.company.com/mcp-api/v1",
+expectedPath: "/mcp-api/v1",
+},
+{
+name: "invalid_url",
+baseURL: "://invalid",
+expectError: true,
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+cfg := Config{
+Proxy: ProxyConfig{
+BaseURL: tt.baseURL,
+},
+}
+
+err := extractBasePath(&cfg)
+
+if tt.expectError {
+assert.Error(t, err)
+} else {
+assert.NoError(t, err)
+assert.Equal(t, tt.expectedPath, cfg.Proxy.BasePath)
+}
+})
+}
+}

internal/config/types.go

@@ -221,6 +221,7 @@ type OAuthAuthConfig struct {
 // ProxyConfig represents the proxy configuration with resolved values
 type ProxyConfig struct {
 BaseURL string `json:"baseURL"`
+BasePath string `json:"-"` // Extracted from BaseURL, not in JSON
 Addr string `json:"addr"`
 Name string `json:"name"`
 Auth *OAuthAuthConfig `json:"auth,omitempty"` // Only OAuth is supported

internal/mcpfront.go

@@ -294,9 +294,17 @@ func buildHTTPHandler(
 userTokenService *server.UserTokenService,
 baseURL string,
 info mcp.Implementation,
-) (*http.ServeMux, error) {
+) (http.Handler, error) {
 // Create mux and register all routes with dependency injection
 mux := http.NewServeMux()
+basePath := cfg.Proxy.BasePath
+
+route := func(path string) string {
+if basePath == "/" {
+return path
+}
+return basePath + path
+}
 
 // Build common middleware
 corsMiddleware := server.NewCORSMiddleware(authConfig.AllowedOrigins)
@@ -307,7 +315,6 @@ func buildHTTPHandler(
 mcpRecover := server.NewRecoverMiddleware("mcp")
 oauthRecover := server.NewRecoverMiddleware("oauth")
 
-// Register health endpoint
 mux.Handle("/health", server.NewHealthHandler())
 
 // Create browser state token for SSO middleware (used by both OAuth and admin routes)
@@ -337,13 +344,13 @@ func buildHTTPHandler(
 )
 
 // Register OAuth endpoints
-mux.Handle("/.well-known/oauth-authorization-server", server.ChainMiddleware(http.HandlerFunc(authHandlers.WellKnownHandler), oauthMiddleware...))
-mux.Handle("/.well-known/oauth-protected-resource", server.ChainMiddleware(http.HandlerFunc(authHandlers.ProtectedResourceMetadataHandler), oauthMiddleware...))
-mux.Handle("/authorize", server.ChainMiddleware(http.HandlerFunc(authHandlers.AuthorizeHandler), oauthMiddleware...))
-mux.Handle("/oauth/callback", server.ChainMiddleware(http.HandlerFunc(authHandlers.GoogleCallbackHandler), oauthMiddleware...))
-mux.Handle("/token", server.ChainMiddleware(http.HandlerFunc(authHandlers.TokenHandler), oauthMiddleware...))
-mux.Handle("/register", server.ChainMiddleware(http.HandlerFunc(authHandlers.RegisterHandler), oauthMiddleware...))
-mux.Handle("/clients/{client_id}", server.ChainMiddleware(http.HandlerFunc(authHandlers.ClientMetadataHandler), oauthMiddleware...))
+mux.Handle(route("/.well-known/oauth-authorization-server"), server.ChainMiddleware(http.HandlerFunc(authHandlers.WellKnownHandler), oauthMiddleware...))
+mux.Handle(route("/.well-known/oauth-protected-resource"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ProtectedResourceMetadataHandler), oauthMiddleware...))
+mux.Handle(route("/authorize"), server.ChainMiddleware(http.HandlerFunc(authHandlers.AuthorizeHandler), oauthMiddleware...))
+mux.Handle(route("/oauth/callback"), server.ChainMiddleware(http.HandlerFunc(authHandlers.GoogleCallbackHandler), oauthMiddleware...))
+mux.Handle(route("/token"), server.ChainMiddleware(http.HandlerFunc(authHandlers.TokenHandler), oauthMiddleware...))
+mux.Handle(route("/register"), server.ChainMiddleware(http.HandlerFunc(authHandlers.RegisterHandler), oauthMiddleware...))
+mux.Handle(route("/clients/{client_id}"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ClientMetadataHandler), oauthMiddleware...))
 
 // Register protected token endpoints
 tokenMiddleware := []server.MiddlewareFunc{
@@ -357,19 +364,19 @@ func buildHTTPHandler(
 tokenHandlers := server.NewTokenHandlers(storage, cfg.MCPServers, true, serviceOAuthClient)
 
 // Token management UI endpoints
-mux.Handle("/my/tokens", server.ChainMiddleware(http.HandlerFunc(tokenHandlers.ListTokensHandler), tokenMiddleware...))
-mux.Handle("/my/tokens/set", server.ChainMiddleware(http.HandlerFunc(tokenHandlers.SetTokenHandler), tokenMiddleware...))
-mux.Handle("/my/tokens/delete", server.ChainMiddleware(http.HandlerFunc(tokenHandlers.DeleteTokenHandler), tokenMiddleware...))
+mux.Handle(route("/my/tokens"), server.ChainMiddleware(http.HandlerFunc(tokenHandlers.ListTokensHandler), tokenMiddleware...))
+mux.Handle(route("/my/tokens/set"), server.ChainMiddleware(http.HandlerFunc(tokenHandlers.SetTokenHandler), tokenMiddleware...))
+mux.Handle(route("/my/tokens/delete"), server.ChainMiddleware(http.HandlerFunc(tokenHandlers.DeleteTokenHandler), tokenMiddleware...))
 
 // OAuth interstitial page and completion endpoint
-mux.Handle("/oauth/services", server.ChainMiddleware(http.HandlerFunc(authHandlers.ServiceSelectionHandler), tokenMiddleware...))
-mux.Handle("/oauth/complete", server.ChainMiddleware(http.HandlerFunc(authHandlers.CompleteOAuthHandler), tokenMiddleware...))
+mux.Handle(route("/oauth/services"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ServiceSelectionHandler), tokenMiddleware...))
+mux.Handle(route("/oauth/complete"), server.ChainMiddleware(http.HandlerFunc(authHandlers.CompleteOAuthHandler), tokenMiddleware...))
 
 // Register service OAuth endpoints
 serviceAuthHandlers := server.NewServiceAuthHandlers(serviceOAuthClient, cfg.MCPServers, storage)
-mux.HandleFunc("/oauth/callback/", serviceAuthHandlers.CallbackHandler)
-mux.Handle("/oauth/connect", server.ChainMiddleware(http.HandlerFunc(serviceAuthHandlers.ConnectHandler), tokenMiddleware...))
-mux.Handle("/oauth/disconnect", server.ChainMiddleware(http.HandlerFunc(serviceAuthHandlers.DisconnectHandler), tokenMiddleware...))
+mux.HandleFunc(route("/oauth/callback/{service}"), serviceAuthHandlers.CallbackHandler)
+mux.Handle(route("/oauth/connect"), server.ChainMiddleware(http.HandlerFunc(serviceAuthHandlers.ConnectHandler), tokenMiddleware...))
+mux.Handle(route("/oauth/disconnect"), server.ChainMiddleware(http.HandlerFunc(serviceAuthHandlers.DisconnectHandler), tokenMiddleware...))
 }
 
 // Setup MCP server endpoints
@@ -411,8 +418,8 @@ func buildHTTPHandler(
 baseURL,
 info,
 sessionManager,
-sseServers[serverName], // Pass the shared SSE server (nil for non-stdio)
-mcpServer, // Pass the shared MCP server (nil for non-stdio)
+sseServers[serverName],
+mcpServer,
 userTokenService.GetUserToken,
 )
 }
@@ -436,8 +443,7 @@ func buildHTTPHandler(
 // Recovery middleware should be last (outermost)
 mcpMiddlewares = append(mcpMiddlewares, mcpRecover)
 
-// Register handler - SSE server needs to handle all paths under the server name
-mux.Handle("/"+serverName+"/", server.ChainMiddleware(handler, mcpMiddlewares...))
+mux.Handle(route("/"+serverName+"/"), server.ChainMiddleware(handler, mcpMiddlewares...))
 }
 
 // Setup admin routes if admin is enabled
@@ -474,10 +480,10 @@ func buildHTTPHandler(
 adminMiddleware = append(adminMiddleware, mcpRecover)
 
 // Register admin routes
-mux.Handle("/admin", server.ChainMiddleware(http.HandlerFunc(adminHandlers.DashboardHandler), adminMiddleware...))
-mux.Handle("/admin/users", server.ChainMiddleware(http.HandlerFunc(adminHandlers.UserActionHandler), adminMiddleware...))
-mux.Handle("/admin/sessions", server.ChainMiddleware(http.HandlerFunc(adminHandlers.SessionActionHandler), adminMiddleware...))
-mux.Handle("/admin/logging", server.ChainMiddleware(http.HandlerFunc(adminHandlers.LoggingActionHandler), adminMiddleware...))
+mux.Handle(route("/admin"), server.ChainMiddleware(http.HandlerFunc(adminHandlers.DashboardHandler), adminMiddleware...))
+mux.Handle(route("/admin/users"), server.ChainMiddleware(http.HandlerFunc(adminHandlers.UserActionHandler), adminMiddleware...))
+mux.Handle(route("/admin/sessions"), server.ChainMiddleware(http.HandlerFunc(adminHandlers.SessionActionHandler), adminMiddleware...))
+mux.Handle(route("/admin/logging"), server.ChainMiddleware(http.HandlerFunc(adminHandlers.LoggingActionHandler), adminMiddleware...))
 }
 
 log.LogInfoWithFields("server", "MCP proxy server initialized", nil)

internal/oauth/resource_indicators.go

@@ -165,7 +165,21 @@ func BuildResourceURI(issuer string, serviceName string) (string, error) {
 //	ValidateAudienceForService("/linear/sse", []string{"https://mcp.company.com/postgres"}, "https://mcp.company.com")
 //	Returns: error (invalid - linear not in audience)
 func ValidateAudienceForService(requestPath string, tokenAudience []string, issuer string) error {
-path := strings.TrimPrefix(requestPath, "/")
+u, err := url.Parse(issuer)
+if err != nil {
+return fmt.Errorf("invalid issuer URL: %w", err)
+}
+
+basePath := u.Path
+if basePath == "" {
+basePath = "/"
+}
+
+path := requestPath
+if basePath != "/" {
+path = strings.TrimPrefix(path, basePath)
+}
+path = strings.TrimPrefix(path, "/")
 parts := strings.Split(path, "/")
 
 if len(parts) == 0 || parts[0] == "" {

internal/server/service_auth_handlers.go

@@ -93,13 +93,7 @@ func (h *ServiceAuthHandlers) CallbackHandler(w http.ResponseWriter, r *http.Req
 return
 }
 
-// Extract service name from path: /oauth/callback/{service}
-pathParts := strings.Split(strings.TrimPrefix(r.URL.Path, "/"), "/")
-if len(pathParts) < 3 {
-jsonwriter.WriteBadRequest(w, "Invalid callback path")
-return
-}
-serviceName := pathParts[2]
+serviceName := r.PathValue("service")
 if serviceName == "" {
 jsonwriter.WriteBadRequest(w, "Service name is required")
 return