Use constant-time auth checks in FastA2A proxy #1432

Closed
sena-labs wants to merge 2 commits into agent0ai:development from sena-labs:fix/1351-constant-time-fasta2a-auth

Conversation

sena-labs (Contributor) commented Apr 3, 2026

Summary:

  • switch FastA2A token checks to a shared constant-time helper for token-path, bearer, and api_key auth flows
  • add regression coverage for successful and rejected auth paths

Root cause:

  • the proxy compared attacker-controlled auth tokens with direct string equality, which duplicated logic across code paths and did not use a timing-safe comparison

Testing:

  • docker exec agent-zero-live /opt/venv-a0/bin/python -m pytest /a0/tests/test_fasta2a_server_auth.py -q → 4 passed in 0.41s
  • updated rejection coverage validated in the live container against the PR branch test file → 8 passed in 0.09s

Copilot AI review requested due to automatic review settings April 3, 2026 14:55

Copilot AI left a comment
Pull request overview

This PR hardens the FastA2A proxy’s authentication checks by centralizing token comparisons into a constant-time helper and adds targeted regression tests to ensure the new comparison path is exercised.

Changes:

  • Introduces a shared _tokens_match() helper using hmac.compare_digest() for constant-time token comparisons.
  • Updates token-in-path and header/query auth flows to use _tokens_match() instead of direct string equality.
  • Adds async tests that validate compare_digest is invoked for token-path, Bearer, and api_key query authentication.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
helpers/fasta2a_server.py | Adds constant-time token comparison helper and routes all relevant auth flows through it.
tests/test_fasta2a_server_auth.py | Adds regression tests asserting the proxy’s auth paths call hmac.compare_digest().

Comment on lines +212 to +216
@pytest.mark.asyncio
async def test_bearer_auth_uses_compare_digest(monkeypatch):
module = _load_target_module(
monkeypatch,
{"a2a_server_enabled": True, "mcp_server_token": "secret"},
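Review bot: this test (per its name and the file description above) asserts that hmac.compare_digest is invoked, which pins the suite to an implementation detail rather than to the observable outcome; a companion test that presents a wrong Bearer token and asserts the 401 would catch a regression directly and would survive a later refactor of _tokens_match. Also, the A2A test configures `"mcp_server_token": "secret"`; a one-line comment explaining why an A2A auth test sets the MCP token key would help the next reader and make a silent rename of that key easier to spot.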
Copilot AI commented Apr 3, 2026

The non-token-path auth flows are only tested for the success case. Since the PR changes the bearer / api_key checks to route through the new constant-time helper, add regression tests for rejected requests too (e.g., wrong Bearer token, wrong/missing api_key in query and in X-API-KEY header) to ensure 401 behavior can’t regress without being caught.

sena-labs (Contributor, Author) commented

Addressed the Copilot review feedback in 0221cff: the auth regression suite now covers rejected non-token-path requests for wrong Bearer credentials, wrong X-API-KEY/query api_key credentials, and the no-auth case, while preserving the existing compare_digest path assertions.
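As an added example, not code from this PR or from the agent0ai project: a self-contained Python sketch of the pattern the PR describes, a single `hmac.compare_digest`-based helper that every credential source (token in the path, `Authorization: Bearer`, `X-API-KEY` header or `api_key` query parameter) funnels into, with the rejection cases from the review feedback exercised in `demo()`. The route prefix, the `Request` shape, the function names and the secret value are constructed assumptions, not the project's real API.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional

# Hypothetical route prefix for the token-in-path flow (not the project's real route).
TOKEN_PATH_PREFIX = "/a2a/t/"


def _tokens_match(provided: Optional[str], expected: Optional[str]) -> bool:
    """Constant-time token comparison (hypothetical helper modelled on the PR description).

    Both sides are encoded to bytes: hmac.compare_digest raises TypeError for non-ASCII
    str inputs, and bytes avoid that. A missing or empty value on either side is rejected
    before any comparison so a server with no token configured never accepts "".
    """
    if not provided or not expected:
        return False
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def _naive_match(provided: Optional[str], expected: Optional[str]) -> bool:
    """The 'before' shape the PR removes: plain equality, kept here only for contrast."""
    return provided == expected


@dataclass
class Request:
    """Minimal constructed request: only the fields the auth check looks at."""
    path: str
    headers: Mapping[str, str] = field(default_factory=dict)
    query: Mapping[str, str] = field(default_factory=dict)


def _extract_presented_token(req: Request) -> Optional[str]:
    """Pull the credential from whichever flow the client used; None if none is present."""
    # 1. token-in-path: /a2a/t/<token>/...
    if req.path.startswith(TOKEN_PATH_PREFIX):
        rest = req.path[len(TOKEN_PATH_PREFIX):]
        return rest.split("/", 1)[0] or None
    headers = {k.lower(): v for k, v in req.headers.items()}
    # 2. Authorization: Bearer <token>
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    # 3. X-API-KEY header, then api_key query parameter
    return headers.get("x-api-key") or req.query.get("api_key") or None


def authenticate(req: Request, expected_token: str) -> int:
    """Return an HTTP status: 200 when the presented token matches, otherwise 401.

    Every flow goes through the same helper, so there is one comparison to get right
    instead of three separate '==' checks scattered across code paths.
    """
    return 200 if _tokens_match(_extract_presented_token(req), expected_token) else 401


def demo() -> Dict[str, int]:
    """Run the success and rejection cases the review asked for; returns name -> status."""
    secret = "s3cret-constructed-value"  # constructed sample secret
    cases = {
        "path_ok": Request(f"/a2a/t/{secret}/tasks"),
        "path_wrong": Request("/a2a/t/wrong-token/tasks"),
        "path_empty": Request("/a2a/t/"),
        "bearer_ok": Request("/a2a/tasks", headers={"Authorization": f"Bearer {secret}"}),
        "bearer_wrong": Request("/a2a/tasks", headers={"Authorization": "Bearer nope"}),
        "apikey_header_ok": Request("/a2a/tasks", headers={"X-API-KEY": secret}),
        "apikey_header_wrong": Request("/a2a/tasks", headers={"X-API-KEY": "nope"}),
        "apikey_query_ok": Request("/a2a/tasks", query={"api_key": secret}),
        "apikey_query_wrong": Request("/a2a/tasks", query={"api_key": "nope"}),
        "no_auth": Request("/a2a/tasks"),
    }
    return {name: authenticate(req, secret) for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} -> {status}")
```

Two details are worth keeping in mind when porting this: `hmac.compare_digest` returns False for inputs of different length without raising, but the length difference itself is not hidden (that is inherent to any comparison of variable-length secrets), and the empty-token guard matters because an unset server token would otherwise let an empty credential compare equal.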

@sena-labs sena-labs closed this by deleting the head repository Apr 6, 2026