Add constants for auth strategy types (#2477)

* Add constants for auth strategy types

Replace magic strings with constants in vMCP auth system
to improve type safety and prevent typos. This makes the
code more maintainable and refactoring easier.

Strategy type constants (StrategyTypeHeaderInjection,
StrategyTypeUnauthenticated) and metadata key constants
(MetadataHeaderName, MetadataHeaderValue) are now defined
in pkg/vmcp/auth/strategies/constants.go.

Fixes #2466

* Replace remaining magic strings with constants in auth system

Address review feedback by replacing magic strings in:
- pkg/vmcp/auth/factory/outgoing.go: Use strategy type constants
- pkg/vmcp/config/validator.go: Use strategy type and metadata constants

Co-authored-by: Juan Antonio Osorio <JAORMX@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Juan Antonio Osorio <JAORMX@users.noreply.github.com>

Author: JAORMX

pkg/vmcp/auth/factory/outgoing.go

@@ -76,7 +76,7 @@ func NewOutgoingAuthRegistry(_ context.Context, cfg *config.OutgoingAuthConfig)
 // registerUnauthenticatedStrategy registers the default unauthenticated strategy.
 func registerUnauthenticatedStrategy(registry auth.OutgoingAuthRegistry) error {
 	unauthStrategy := strategies.NewUnauthenticatedStrategy()
-	if err := registry.RegisterStrategy("unauthenticated", unauthStrategy); err != nil {
+	if err := registry.RegisterStrategy(strategies.StrategyTypeUnauthenticated, unauthStrategy); err != nil {
 		return fmt.Errorf("failed to register default unauthenticated strategy: %w", err)
 	}
 	return nil
@@ -120,7 +120,7 @@ func collectStrategyTypes(cfg *config.OutgoingAuthConfig) map[string]struct{} {
 func registerStrategies(registry auth.OutgoingAuthRegistry, strategyTypes map[string]struct{}) error {
 	for strategyType := range strategyTypes {
 		// Skip "unauthenticated" - already registered
-		if strategyType == "unauthenticated" {
+		if strategyType == strategies.StrategyTypeUnauthenticated {
 			continue
 		}
 
@@ -156,9 +156,9 @@ func createStrategy(strategyType string) (auth.Strategy, error) {
 	}
 
 	switch strategyType {
-	case "header_injection":
+	case strategies.StrategyTypeHeaderInjection:
 		return strategies.NewHeaderInjectionStrategy(), nil
-	case "unauthenticated":
+	case strategies.StrategyTypeUnauthenticated:
 		return strategies.NewUnauthenticatedStrategy(), nil
 	default:
 		return nil, fmt.Errorf("unknown strategy type: %s", strategyType)

pkg/vmcp/auth/strategies/constants.go

@@ -0,0 +1,25 @@
+// Package strategies provides authentication strategy implementations for Virtual MCP Server.
+package strategies
+
+// Strategy type identifiers used to identify authentication strategies.
+const (
+	// StrategyTypeUnauthenticated identifies the unauthenticated strategy.
+	// This strategy performs no authentication and is used when a backend
+	// requires no authentication.
+	StrategyTypeUnauthenticated = "unauthenticated"
+
+	// StrategyTypeHeaderInjection identifies the header injection strategy.
+	// This strategy injects a static header value into request headers.
+	StrategyTypeHeaderInjection = "header_injection"
+)
+
+// Metadata key names used in strategy configurations.
+const (
+	// MetadataHeaderName is the key for the HTTP header name in metadata.
+	// Used by HeaderInjectionStrategy to identify which header to inject.
+	MetadataHeaderName = "header_name"
+
+	// MetadataHeaderValue is the key for the HTTP header value in metadata.
+	// Used by HeaderInjectionStrategy to identify the value to inject.
+	MetadataHeaderValue = "header_value"
+)

pkg/vmcp/auth/strategies/header_injection.go

@@ -38,7 +38,7 @@ func NewHeaderInjectionStrategy() *HeaderInjectionStrategy {
 
 // Name returns the strategy identifier.
 func (*HeaderInjectionStrategy) Name() string {
-	return "header_injection"
+	return StrategyTypeHeaderInjection
 }
 
 // Authenticate injects the header value from metadata into the request header.
@@ -56,12 +56,12 @@ func (*HeaderInjectionStrategy) Name() string {
 //   - header_name is missing or empty
 //   - header_value is missing or empty
 func (*HeaderInjectionStrategy) Authenticate(_ context.Context, req *http.Request, metadata map[string]any) error {
-	headerName, ok := metadata["header_name"].(string)
+	headerName, ok := metadata[MetadataHeaderName].(string)
 	if !ok || headerName == "" {
 		return fmt.Errorf("header_name required in metadata")
 	}
 
-	headerValue, ok := metadata["header_value"].(string)
+	headerValue, ok := metadata[MetadataHeaderValue].(string)
 	if !ok || headerValue == "" {
 		return fmt.Errorf("header_value required in metadata")
 	}
@@ -89,12 +89,12 @@ func (*HeaderInjectionStrategy) Authenticate(_ context.Context, req *http.Reques
 // This validation is typically called during configuration parsing to fail fast
 // if the strategy is misconfigured.
 func (*HeaderInjectionStrategy) Validate(metadata map[string]any) error {
-	headerName, ok := metadata["header_name"].(string)
+	headerName, ok := metadata[MetadataHeaderName].(string)
 	if !ok || headerName == "" {
 		return fmt.Errorf("header_name required in metadata")
 	}
 
-	headerValue, ok := metadata["header_value"].(string)
+	headerValue, ok := metadata[MetadataHeaderValue].(string)
 	if !ok || headerValue == "" {
 		return fmt.Errorf("header_value required in metadata")
 	}

pkg/vmcp/auth/strategies/unauthenticated.go

@@ -38,7 +38,7 @@ func NewUnauthenticatedStrategy() *UnauthenticatedStrategy {
 
 // Name returns the strategy identifier.
 func (*UnauthenticatedStrategy) Name() string {
-	return "unauthenticated"
+	return StrategyTypeUnauthenticated
 }
 
 // Authenticate performs no authentication and returns immediately.

pkg/vmcp/config/validator.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/stacklok/toolhive/pkg/vmcp"
+	"github.com/stacklok/toolhive/pkg/vmcp/auth/strategies"
 )
 
 // DefaultValidator implements comprehensive configuration validation.
@@ -169,7 +170,7 @@ func (*DefaultValidator) validateBackendAuthStrategy(_ string, strategy *Backend
 	}
 
 	validTypes := []string{
-		"unauthenticated", "header_injection",
+		strategies.StrategyTypeUnauthenticated, strategies.StrategyTypeHeaderInjection,
 		// TODO: Add more as strategies are implemented:
 		// "pass_through", "token_exchange", "client_credentials",
 		// "service_account", "oauth_proxy",
@@ -195,13 +196,13 @@ func (*DefaultValidator) validateBackendAuthStrategy(_ string, strategy *Backend
 			return fmt.Errorf("service_account requires metadata field: credentials_env")
 		}
 
-	case "header_injection":
+	case strategies.StrategyTypeHeaderInjection:
 		// Header injection requires header name and value
-		if _, ok := strategy.Metadata["header_name"]; !ok {
-			return fmt.Errorf("header_injection requires metadata field: header_name")
+		if _, ok := strategy.Metadata[strategies.MetadataHeaderName]; !ok {
+			return fmt.Errorf("header_injection requires metadata field: %s", strategies.MetadataHeaderName)
 		}
-		if _, ok := strategy.Metadata["header_value"]; !ok {
-			return fmt.Errorf("header_injection requires metadata field: header_value")
+		if _, ok := strategy.Metadata[strategies.MetadataHeaderValue]; !ok {
+			return fmt.Errorf("header_injection requires metadata field: %s", strategies.MetadataHeaderValue)
 		}
 	}
 

pkg/vmcp/config/yaml_loader.go

@@ -8,6 +8,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	"github.com/stacklok/toolhive/pkg/vmcp"
+	"github.com/stacklok/toolhive/pkg/vmcp/auth/strategies"
 )
 
 // YAMLLoader loads configuration from a YAML file.
@@ -310,17 +311,17 @@ func (*YAMLLoader) transformBackendAuthStrategy(raw *rawBackendAuthStrategy) (*B
 	}
 
 	switch raw.Type {
-	case "header_injection":
+	case strategies.StrategyTypeHeaderInjection:
 		if raw.HeaderInjection == nil {
 			return nil, fmt.Errorf("header_injection configuration is required")
 		}
 
 		strategy.Metadata = map[string]any{
-			"header_name":  raw.HeaderInjection.HeaderName,
-			"header_value": raw.HeaderInjection.HeaderValue,
+			strategies.MetadataHeaderName:  raw.HeaderInjection.HeaderName,
+			strategies.MetadataHeaderValue: raw.HeaderInjection.HeaderValue,
 		}
 
-	case "unauthenticated":
+	case strategies.StrategyTypeUnauthenticated:
 		// No metadata required for unauthenticated strategy
 
 	case "token_exchange":