@@ -16,8 +16,12 @@ package auth
1616import (
1717 "errors"
1818 "strings"
19+
20+ "github.com/githubnext/gh-aw-mcpg/internal/logger"
1921)
2022
23+ var log = logger .New ("auth:header" )
24+
2125var (
2226 // ErrMissingAuthHeader is returned when the Authorization header is missing
2327 ErrMissingAuthHeader = errors .New ("missing Authorization header" )
@@ -38,33 +42,52 @@ var (
3842// - agentID: The extracted agent/session identifier
3943// - error: ErrMissingAuthHeader if header is empty, nil otherwise
4044func ParseAuthHeader (authHeader string ) (apiKey string , agentID string , error error ) {
45+ // Sanitize header for logging (show only first 4 chars)
46+ sanitized := ""
47+ if len (authHeader ) > 4 {
48+ sanitized = authHeader [:4 ] + "..."
49+ } else if len (authHeader ) > 0 {
50+ sanitized = "..."
51+ }
52+ log .Printf ("Parsing auth header: sanitized=%s, length=%d" , sanitized , len (authHeader ))
53+
4154 if authHeader == "" {
55+ log .Print ("Auth header missing, returning error" )
4256 return "" , "" , ErrMissingAuthHeader
4357 }
4458
4559 // Handle "Bearer <token>" format (backward compatibility)
4660 if strings .HasPrefix (authHeader , "Bearer " ) {
61+ log .Print ("Detected Bearer token format (backward compatibility)" )
4762 token := strings .TrimPrefix (authHeader , "Bearer " )
4863 return token , token , nil
4964 }
5065
5166 // Handle "Agent <agent-id>" format
5267 if strings .HasPrefix (authHeader , "Agent " ) {
68+ log .Print ("Detected Agent ID format" )
5369 agentIDValue := strings .TrimPrefix (authHeader , "Agent " )
5470 return agentIDValue , agentIDValue , nil
5571 }
5672
5773 // Per MCP spec 7.1: Authorization header contains API key directly
5874 // Use the entire header value as both API key and agent/session ID
75+ log .Print ("Using plain API key format (MCP spec 7.1)" )
5976 return authHeader , authHeader , nil
6077}
6178
6279// ValidateAPIKey checks if the provided API key matches the expected key.
6380// Returns true if they match, false otherwise.
6481func ValidateAPIKey (provided , expected string ) bool {
82+ log .Printf ("Validating API key: expected_configured=%t" , expected != "" )
83+
6584 if expected == "" {
6685 // No API key configured, authentication is disabled
86+ log .Print ("No API key configured, authentication disabled" )
6787 return true
6888 }
69- return provided == expected
89+
90+ matches := provided == expected
91+ log .Printf ("API key validation result: matches=%t" , matches )
92+ return matches
7093}
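Review bot: The `sanitized` value logged at the top of ParseAuthHeader is the first four characters of the raw header, and in the plain API key branch (MCP spec 7.1) those characters are key material, so the log line discloses part of the secret together with its exact length. The branch logs further down already record which format was detected, so the entry log can carry presence only: `log.Printf("Parsing auth header: present=%t", authHeader != "")`, with the `sanitized` block removed. In ValidateAPIKey the new `matches := provided == expected` keeps a comparison that is not constant-time; `matches := subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1` (with `crypto/subtle` imported) avoids a timing signal on the key. Where this logger writes and whether it is enabled outside debugging is not visible here, so the severity of the first point depends on that.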