Skip to content

Commit 62fea10

Browse files
authored
Merge pull request #254 from githubnext/copilot/sub-pr-253
2 parents 80edc53 + 0e64d20 commit 62fea10

2 files changed

Lines changed: 60 additions & 8 deletions

File tree

internal/auth/header.go

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,18 @@ var (
2929
ErrInvalidAuthHeader = errors.New("invalid Authorization header format")
3030
)
3131

32+
// sanitizeForLogging returns a sanitized version of the input string for safe logging.
33+
// It shows only the first 4 characters followed by "..." to prevent exposing sensitive data.
34+
// For strings with 4 or fewer characters, it returns only "...".
35+
func sanitizeForLogging(input string) string {
36+
if len(input) > 4 {
37+
return input[:4] + "..."
38+
} else if len(input) > 0 {
39+
return "..."
40+
}
41+
return ""
42+
}
43+
3244
// ParseAuthHeader parses the Authorization header and extracts the API key and agent ID.
3345
// Per MCP spec 7.1, the Authorization header should contain the API key directly
3446
// without any Bearer prefix or other scheme.
@@ -42,14 +54,7 @@ var (
4254
// - agentID: The extracted agent/session identifier
4355
// - error: ErrMissingAuthHeader if header is empty, nil otherwise
4456
func ParseAuthHeader(authHeader string) (apiKey string, agentID string, error error) {
45-
// Sanitize header for logging (show only first 4 chars)
46-
sanitized := ""
47-
if len(authHeader) > 4 {
48-
sanitized = authHeader[:4] + "..."
49-
} else if len(authHeader) > 0 {
50-
sanitized = "..."
51-
}
52-
log.Printf("Parsing auth header: sanitized=%s, length=%d", sanitized, len(authHeader))
57+
log.Printf("Parsing auth header: sanitized=%s, length=%d", sanitizeForLogging(authHeader), len(authHeader))
5358

5459
if authHeader == "" {
5560
log.Print("Auth header missing, returning error")

internal/auth/header_test.go

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,53 @@ import (
44
"testing"
55
)
66

7+
func TestSanitizeForLogging(t *testing.T) {
8+
tests := []struct {
9+
name string
10+
input string
11+
want string
12+
}{
13+
{
14+
name: "Empty string",
15+
input: "",
16+
want: "",
17+
},
18+
{
19+
name: "Single character",
20+
input: "a",
21+
want: "...",
22+
},
23+
{
24+
name: "Four characters",
25+
input: "abcd",
26+
want: "...",
27+
},
28+
{
29+
name: "Five characters",
30+
input: "abcde",
31+
want: "abcd...",
32+
},
33+
{
34+
name: "Long string",
35+
input: "my-secret-api-key-12345",
36+
want: "my-s...",
37+
},
38+
{
39+
name: "API key with Bearer prefix",
40+
input: "Bearer my-token-123",
41+
want: "Bear...",
42+
},
43+
}
44+
45+
for _, tt := range tests {
46+
t.Run(tt.name, func(t *testing.T) {
47+
if got := sanitizeForLogging(tt.input); got != tt.want {
48+
t.Errorf("sanitizeForLogging() = %v, want %v", got, tt.want)
49+
}
50+
})
51+
}
52+
}
53+
754
func TestParseAuthHeader(t *testing.T) {
855
tests := []struct {
956
name string

0 commit comments

Comments
 (0)