From d60b0208db48bb2ab45cc308d450c4345cb008d4 Mon Sep 17 00:00:00 2001
From: Mikkel Georgsen <msgeorgsen@gmail.com>
Date: Mon, 30 Mar 2026 11:44:39 +0000
Subject: [PATCH] fix: use internal Forgejo URL for token exchange and
 verification

Public git.georgsen.dk unreachable from LAN due to hairpin NAT.
Authorization endpoint stays public (browser redirect), but
token exchange and token verification use internal 10.5.0.14:3000.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 mcp_bridge/mcp_server.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mcp_bridge/mcp_server.py b/mcp_bridge/mcp_server.py
index 391579f..aa586ce 100644
--- a/mcp_bridge/mcp_server.py
+++ b/mcp_bridge/mcp_server.py
@@ -53,12 +53,14 @@ class ForgejoTokenVerifier(TokenVerifier):
 
 
 creds = load_credentials()
+FORGEJO_INTERNAL = "http://10.5.0.14:3000"
+
 auth = OAuthProxy(
     upstream_authorization_endpoint=f"{FORGEJO_URL}/login/oauth/authorize",
-    upstream_token_endpoint=f"{FORGEJO_URL}/login/oauth/access_token",
+    upstream_token_endpoint=f"{FORGEJO_INTERNAL}/login/oauth/access_token",
     upstream_client_id=creds["FORGEJO_OAUTH_CLIENT_ID"],
     upstream_client_secret=creds["FORGEJO_OAUTH_CLIENT_SECRET"],
-    token_verifier=ForgejoTokenVerifier(),
+    token_verifier=ForgejoTokenVerifier(forgejo_url=FORGEJO_INTERNAL),
     base_url="https://mcp.georgsen.dk",
 )