Refactor/typed backend auth strategy (#2797)

* add auth/types package with typed strategy config structs Create a new leaf package pkg/vmcp/auth/types containing: - Strategy type constants (StrategyTypeUnauthenticated, etc.) - BackendAuthStrategy struct with typed fields (HeaderInjection, TokenExchange) - HeaderInjectionConfig and TokenExchangeConfig structs The Metadata field is retained in BackendAuthStrategy for backward compatibility - all existing code continues to work unchanged. Update all files to import BackendAuthStrategy from auth/types instead of config package. This is a structural refactoring with zero behavior change, preparing for a follow-up PR that will remove the Metadata field. * remove Metadata field and use typed auth config Remove the deprecated Metadata map[string]any field from BackendAuthStrategy and migrate all code to use typed fields (HeaderInjection, TokenExchange). Key changes: - Remove Metadata field from authtypes.BackendAuthStrategy - Update Strategy interface to accept *BackendAuthStrategy instead of map - Update all strategies (header_injection, tokenexchange, unauthenticated) - Update converters to return typed BackendAuthStrategy - Change Backend/BackendTarget structs to use AuthConfig instead of AuthStrategy + AuthMetadata - Update ResolveForBackend to return *BackendAuthStrategy - Update all consumers and tests This provides type safety, better IDE support, and eliminates runtime type assertions throughout the auth subsystem.

Author: jhrozek

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -213,7 +213,13 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 assert.Equal(t, tt.expectedType, strategy.Type)
 
 if tt.hasMetadata {
-assert.NotEmpty(t, strategy.Metadata)
+// For external auth config refs, check that the strategy type is set
+// The actual typed fields (HeaderInjection/TokenExchange) are resolved at runtime
+assert.Equal(t, mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef, strategy.Type)
+} else {
+// For discovered auth, there should be no typed fields populated
+assert.Nil(t, strategy.HeaderInjection)
+assert.Nil(t, strategy.TokenExchange)
 }
 })
 }

cmd/thv-operator/pkg/vmcpconfig/converter.go

@@ -9,6 +9,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 
 mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
+authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
 vmcpconfig "github.com/stacklok/toolhive/pkg/vmcp/config"
 )
 
@@ -155,7 +156,7 @@ func (c *Converter) convertOutgoingAuth(
 ) *vmcpconfig.OutgoingAuthConfig {
 outgoing := &vmcpconfig.OutgoingAuthConfig{
 Source: vmcp.Spec.OutgoingAuth.Source,
-Backends: make(map[string]*vmcpconfig.BackendAuthStrategy),
+Backends: make(map[string]*authtypes.BackendAuthStrategy),
 }
 
 // Convert Default
@@ -174,16 +175,16 @@ func (c *Converter) convertOutgoingAuth(
 // convertBackendAuthConfig converts BackendAuthConfig from CRD to vmcp config
 func (*Converter) convertBackendAuthConfig(
 crdConfig *mcpv1alpha1.BackendAuthConfig,
-) *vmcpconfig.BackendAuthStrategy {
-strategy := &vmcpconfig.BackendAuthStrategy{
-Type: crdConfig.Type,
-Metadata: make(map[string]any),
+) *authtypes.BackendAuthStrategy {
+strategy := &authtypes.BackendAuthStrategy{
+Type: crdConfig.Type,
 }
 
-// Convert type-specific configuration to metadata
-if crdConfig.ExternalAuthConfigRef != nil {
-strategy.Metadata["externalAuthConfigRef"] = crdConfig.ExternalAuthConfigRef.Name
-}
+// Note: When Type is "external_auth_config_ref", the actual MCPExternalAuthConfig
+// resource should be resolved at runtime and its configuration (TokenExchange or
+// HeaderInjection) should be populated into the corresponding typed fields.
+// This conversion happens during server initialization when the referenced
+// MCPExternalAuthConfig can be looked up.
 
 return strategy
 }

pkg/vmcp/aggregator/discoverer.go

@@ -178,7 +178,7 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 // In discovered mode, use auth discovered from MCPServer (if any exists)
 // If no auth is discovered, fall back to config-based auth via ResolveForBackend
 // which will use backend-specific config, then Default, then no auth
-useDiscoveredAuth = backend.AuthStrategy != ""
+useDiscoveredAuth = backend.AuthConfig != nil
 case "inline", "":
 // For inline mode or empty source, always use config-based auth
 // Ignore any discovered auth from backends
@@ -191,14 +191,13 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 
 if useDiscoveredAuth {
 // Keep the auth discovered from MCPServer (already populated in backend)
-logger.Debugf("Backend %s using discovered auth strategy: %s", backendName, backend.AuthStrategy)
+logger.Debugf("Backend %s using discovered auth strategy: %s", backendName, backend.AuthConfig.Type)
 } else {
 // Use auth from config (inline mode)
-authStrategy, authMetadata := d.authConfig.ResolveForBackend(backendName)
-if authStrategy != "" {
-backend.AuthStrategy = authStrategy
-backend.AuthMetadata = authMetadata
-logger.Debugf("Backend %s configured with auth strategy from config: %s", backendName, authStrategy)
+authConfig := d.authConfig.ResolveForBackend(backendName)
+if authConfig != nil {
+backend.AuthConfig = authConfig
+logger.Debugf("Backend %s configured with auth strategy from config: %s", backendName, authConfig.Type)
 }
 }
 }