
Commit 80edc53

Add debug logging to auth header parser
- Add logger declaration using auth:header namespace - Add sanitized logging to ParseAuthHeader function - Add validation logging to ValidateAPIKey function - Ensures secure logging with no sensitive data exposure
1 parent a53fac8 commit 80edc53

1 file changed

Lines changed: 24 additions & 1 deletion


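--- a/internal/auth/header.go
+++ b/internal/auth/header.go
@@ -16,8 +16,12 @@ package auth
 import (
 "errors"
 "strings"
+
+"github.com/githubnext/gh-aw-mcpg/internal/logger"
 )
 
+var log = logger.New("auth:header")
+
 var (
 // ErrMissingAuthHeader is returned when the Authorization header is missing
 ErrMissingAuthHeader = errors.New("missing Authorization header")
@@ -38,33 +42,52 @@ var (
 // - agentID: The extracted agent/session identifier
 // - error: ErrMissingAuthHeader if header is empty, nil otherwise
 func ParseAuthHeader(authHeader string) (apiKey string, agentID string, error error) {
+// Sanitize header for logging (show only first 4 chars)
+sanitized := ""
+if len(authHeader) > 4 {
+sanitized = authHeader[:4] + "..."
+} else if len(authHeader) > 0 {
+sanitized = "..."
+}
+log.Printf("Parsing auth header: sanitized=%s, length=%d", sanitized, len(authHeader))
+
 if authHeader == "" {
+log.Print("Auth header missing, returning error")
 return "", "", ErrMissingAuthHeader
 }
 
 // Handle "Bearer <token>" format (backward compatibility)
 if strings.HasPrefix(authHeader, "Bearer ") {
+log.Print("Detected Bearer token format (backward compatibility)")
 token := strings.TrimPrefix(authHeader, "Bearer ")
 return token, token, nil
 }
 
 // Handle "Agent <agent-id>" format
 if strings.HasPrefix(authHeader, "Agent ") {
+log.Print("Detected Agent ID format")
 agentIDValue := strings.TrimPrefix(authHeader, "Agent ")
 return agentIDValue, agentIDValue, nil
 }
 
 // Per MCP spec 7.1: Authorization header contains API key directly
 // Use the entire header value as both API key and agent/session ID
+log.Print("Using plain API key format (MCP spec 7.1)")
 return authHeader, authHeader, nil
 }
 
 // ValidateAPIKey checks if the provided API key matches the expected key.
 // Returns true if they match, false otherwise.
 func ValidateAPIKey(provided, expected string) bool {
+log.Printf("Validating API key: expected_configured=%t", expected != "")
+
 if expected == "" {
 // No API key configured, authentication is disabled
+log.Print("No API key configured, authentication disabled")
 return true
 }
-return provided == expected
+
+matches := provided == expected
+log.Printf("API key validation result: matches=%t", matches)
+return matches
 }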
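Review bot: The `sanitized = authHeader[:4] + "..."` branch in ParseAuthHeader writes real key material to the log whenever the header uses the plain API-key format handled at the end of the function, because there the first four bytes of the header are the first four characters of the key rather than a scheme name. For a short key that is most of the secret, so the description's claim of no sensitive data exposure does not hold for that format. The later log lines already name the detected format, so the prefix adds nothing; I would drop the `sanitized` block and log only `log.Printf("Parsing auth header: present=%t, length=%d", authHeader != "", len(authHeader))`. Separately, `matches := provided == expected` in ValidateAPIKey is not a constant-time comparison; `subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1` from crypto/subtle would avoid a timing side channel, at the cost of one new import.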
