fix: store tokens in ~/.config/mcp-publisher/ instead of cwd #1166

Merged: rdimitrov merged 2 commits into main from fix/token-storage-663 on Apr 15, 2026

@rdimitrov
Member

Summary

Fixes #663

  • Security fix: mcp-publisher login no longer writes .mcpregistry_github_token and .mcpregistry_registry_token to the current working directory. GitHub tokens are kept in memory during the login→exchange flow and cleared immediately after.
  • Token location: Unified token moved from ~/.mcp_publisher_token to ~/.config/mcp-publisher/token.json (dir 0700, file 0600), following the convention used by gh, docker, and kubectl.
  • Dead code removed: NeedsLogin() was on the Provider interface but never called — removed from interface and all 4 implementations. forceLogin field also removed.
  • Auth tests added: 11 new tests for GitHubATProvider (package previously had 0 tests).
  • Test isolation: SetupTestToken now uses t.TempDir() + t.Setenv("HOME", ...) instead of writing to real $HOME.

Breaking change

Users must re-login after upgrading (mcp-publisher login <method>). Existing tokens at ~/.mcp_publisher_token are not auto-migrated. logout cleans up both old and new locations.

Test plan

  • make check passes (lint, unit tests, integration tests)
  • mcp-publisher login none stores token at ~/.config/mcp-publisher/token.json
  • No .mcpregistry_* files created in cwd after login (with --token, MCP_GITHUB_TOKEN, or device flow)
  • mcp-publisher publish reads token from new location
  • mcp-publisher validate reads registry URL from new location
  • mcp-publisher logout cleans up new location, legacy ~/.mcp_publisher_token, and cwd .mcpregistry_* files
  • mcp-publisher logout when not logged in shows "Not logged in"
  • File permissions: dir 0700, file 0600

🤖 Generated with Claude Code

rdimitrov and others added 2 commits April 14, 2026 17:48
The mcp-publisher CLI wrote intermediate GitHub token files
(.mcpregistry_github_token, .mcpregistry_registry_token) to the current
working directory, causing users to accidentally commit live credentials
to git. At least 2 users have publicly pushed tokens due to this.

This commit:
- Eliminates intermediate token files entirely by keeping the GitHub
  token in memory during the login->exchange flow
- Moves the unified token from ~/.mcp_publisher_token to
  ~/.config/mcp-publisher/token.json (0600 perms, 0700 dir)
- Clears the GitHub token from memory immediately after exchange
- Cleans up all legacy token locations on logout (cwd, $HOME)
- Removes dead NeedsLogin() method from Provider interface
- Adds auth package tests (11 tests, previously 0)
- Isolates test token setup with t.TempDir() instead of real $HOME

Breaking change: users must re-login after upgrading. Existing tokens at
~/.mcp_publisher_token will not be auto-migrated.

Fixes #663

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…leanup

- Add login_test.go: verifies token is written to ~/.config/mcp-publisher/,
  directory has 0700 perms, file has 0600 perms, no legacy files created
- Add logout_test.go: verifies cleanup of new token, legacy token,
  both simultaneously, cwd .mcpregistry_* files, and $HOME .mcpregistry_* files
- Improve "not authenticated" error to print a hint about the token
  location change for users upgrading
- Add .mcpregistry_* cleanup to integration test teardown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@rdimitrov rdimitrov merged commit 90baa05 into main Apr 15, 2026
6 checks passed
@rdimitrov rdimitrov deleted the fix/token-storage-663 branch April 15, 2026 07:23
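
The storage rules this PR describes (directory 0700 and file 0600 under ~/.config/mcp-publisher/, plus the legacy locations that logout cleans up), as an added Go example that is not the project's code. `saveToken` and `findLegacy` are hypothetical helper names and the sample token is constructed; the example also tightens a directory or file that already exists with looser modes, which the page does not say the project does.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// saveToken (hypothetical helper) writes <home>/.config/mcp-publisher/token.json.
func saveToken(home string, data []byte) (string, error) {
	dir := filepath.Join(home, ".config", "mcp-publisher")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	if err := os.Chmod(dir, 0o700); err != nil { // MkdirAll keeps an existing dir's mode
		return "", err
	}
	tmp, err := os.CreateTemp(dir, "token-*.tmp") // CreateTemp creates the file 0600
	if err != nil {
		return "", err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly after a successful rename
	_, werr := tmp.Write(data)
	if cerr := tmp.Close(); werr != nil || cerr != nil {
		return "", errors.Join(werr, cerr)
	}
	path := filepath.Join(dir, "token.json")
	return path, os.Rename(tmp.Name(), path) // replaces an older, looser token.json
}

// findLegacy lists token files at the old locations the PR names.
func findLegacy(home, cwd string) (found []string) {
	for _, d := range []string{cwd, home} {
		entries, _ := os.ReadDir(d) // unreadable directory: nothing to report
		for _, e := range entries {
			if n := e.Name(); strings.HasPrefix(n, ".mcpregistry_") || (d == home && n == ".mcp_publisher_token") {
				found = append(found, filepath.Join(d, n))
			}
		}
	}
	return found
}

func main() {
	home, _ := os.MkdirTemp("", "home") // constructed throwaway home directory
	defer os.RemoveAll(home)
	fmt.Println(saveToken(home, []byte(`{"token":"constructed-sample"}`)))
}
```

Running `findLegacy` against a repository checkout before committing shows whether an older version of the CLI left a token file in the working tree.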

Development

Successfully merging this pull request may close these issues.

.mcpregistry_* token files should be stored in a unified folder ignored from git
