From 32a21d9a324be261d3d217b893cf92726a55d5a7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 7 Jun 2026 13:21:34 +0000 Subject: [PATCH 1/2] refactor: remove deprecated API key alias functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Agent ID rename (PR #7114) introduced four deprecated one-liner wrapper functions that forward calls to the new AgentID-named functions. These create a maintenance burden and IDE confusion (autocomplete suggests the old names). All callers have been migrated: - Remove ValidateAPIKey(): no non-test callers; remove TestValidateAPIKeyAlias - Remove GetAPIKey() on Config: no callers outside its own definition - Remove GetGatewayAPIKeyFromEnv(): no callers outside its own definition - Rename GenerateRandomAPIKey() → GenerateRandomAgentID(): update the single production caller in internal/cmd/root.go and rename all tests in internal/auth/apikey_test.go Also update the stale ValidateAPIKey() reference in the authMiddleware doc comment in internal/server/middleware.go. Closes #7136 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- internal/auth/apikey_test.go | 38 +++++++++++++++++----------------- internal/auth/header.go | 11 +++------- internal/auth/header_test.go | 5 ----- internal/cmd/root.go | 2 +- internal/config/config_core.go | 5 ----- internal/config/config_env.go | 5 ----- internal/server/middleware.go | 2 +- 7 files changed, 24 insertions(+), 44 deletions(-) diff --git a/internal/auth/apikey_test.go b/internal/auth/apikey_test.go index c17fd81d2..9e9323b2d 100644 --- a/internal/auth/apikey_test.go +++ b/internal/auth/apikey_test.go @@ -10,25 +10,25 @@ import ( "github.com/stretchr/testify/require" ) -// TestGenerateRandomAPIKey verifies that GenerateRandomAPIKey produces a +// TestGenerateRandomAgentID verifies that GenerateRandomAgentID produces a // non-empty, unique, hex-encoded string per spec §7.3. -func TestGenerateRandomAPIKey(t *testing.T) { - key, err := auth.GenerateRandomAPIKey() - require.NoError(t, err, "GenerateRandomAPIKey() should not fail") +func TestGenerateRandomAgentID(t *testing.T) { + key, err := auth.GenerateRandomAgentID() + require.NoError(t, err, "GenerateRandomAgentID() should not fail") assert.NotEmpty(t, key, "generated key should not be empty") // 32 bytes encoded as hex = 64 characters assert.Len(t, key, 64, "generated key should be 64 hex characters") // Verify keys are unique across calls - key2, err := auth.GenerateRandomAPIKey() + key2, err := auth.GenerateRandomAgentID() require.NoError(t, err) assert.NotEqual(t, key, key2, "successive calls should produce unique keys") } -// TestGenerateRandomAPIKey_IsValidHex verifies the returned key is a valid +// TestGenerateRandomAgentID_IsValidHex verifies the returned key is a valid // hex-encoded string that decodes to exactly 32 bytes. -func TestGenerateRandomAPIKey_IsValidHex(t *testing.T) { - key, err := auth.GenerateRandomAPIKey() +func TestGenerateRandomAgentID_IsValidHex(t *testing.T) { + key, err := auth.GenerateRandomAgentID() require.NoError(t, err) decoded, decodeErr := hex.DecodeString(key) @@ -36,10 +36,10 @@ func TestGenerateRandomAPIKey_IsValidHex(t *testing.T) { assert.Len(t, decoded, 32, "decoded key should be 32 bytes") } -// TestGenerateRandomAPIKey_IsLowercaseHex verifies the key uses only lowercase +// TestGenerateRandomAgentID_IsLowercaseHex verifies the key uses only lowercase // hex characters (0-9, a-f) as produced by hex.EncodeToString. -func TestGenerateRandomAPIKey_IsLowercaseHex(t *testing.T) { - key, err := auth.GenerateRandomAPIKey() +func TestGenerateRandomAgentID_IsLowercaseHex(t *testing.T) { + key, err := auth.GenerateRandomAgentID() require.NoError(t, err) matched, matchErr := regexp.MatchString(`^[0-9a-f]{64}$`, key) @@ -47,25 +47,25 @@ func TestGenerateRandomAPIKey_IsLowercaseHex(t *testing.T) { assert.True(t, matched, "key should consist of exactly 64 lowercase hex chars; got %q", key) } -// TestGenerateRandomAPIKey_Uniqueness verifies that repeated calls produce +// TestGenerateRandomAgentID_Uniqueness verifies that repeated calls produce // distinct keys, confirming that crypto/rand entropy is used. -func TestGenerateRandomAPIKey_Uniqueness(t *testing.T) { +func TestGenerateRandomAgentID_Uniqueness(t *testing.T) { const n = 20 seen := make(map[string]bool, n) for i := 0; i < n; i++ { - key, err := auth.GenerateRandomAPIKey() - require.NoError(t, err, "call %d: GenerateRandomAPIKey() should not fail", i+1) + key, err := auth.GenerateRandomAgentID() + require.NoError(t, err, "call %d: GenerateRandomAgentID() should not fail", i+1) assert.False(t, seen[key], "call %d: generated duplicate key %q", i+1, key) seen[key] = true } } -// TestGenerateRandomAPIKey_LengthConsistency verifies that every call returns +// TestGenerateRandomAgentID_LengthConsistency verifies that every call returns // a key of exactly 64 characters, regardless of call order. -func TestGenerateRandomAPIKey_LengthConsistency(t *testing.T) { +func TestGenerateRandomAgentID_LengthConsistency(t *testing.T) { for i := 0; i < 10; i++ { - key, err := auth.GenerateRandomAPIKey() - require.NoError(t, err, "call %d: GenerateRandomAPIKey() should not fail", i+1) + key, err := auth.GenerateRandomAgentID() + require.NoError(t, err, "call %d: GenerateRandomAgentID() should not fail", i+1) assert.Len(t, key, 64, "call %d: key should always be 64 characters", i+1) } } diff --git a/internal/auth/header.go b/internal/auth/header.go index a95f93d8a..8a5d20897 100644 --- a/internal/auth/header.go +++ b/internal/auth/header.go @@ -119,11 +119,6 @@ func ValidateAgentID(provided, expected string) bool { return matches } -// ValidateAPIKey is a deprecated alias for ValidateAgentID. -func ValidateAPIKey(provided, expected string) bool { - return ValidateAgentID(provided, expected) -} - // ExtractAgentID extracts the agent ID from an Authorization header. // This is a convenience wrapper around ParseAuthHeader that only returns the agent ID. // Returns "default" if the header is empty or cannot be parsed. @@ -206,10 +201,10 @@ func IsMalformedHeader(header string) bool { return false } -// GenerateRandomAPIKey generates a cryptographically random API key. -// Per spec §7.3, the gateway SHOULD generate a random API key on startup +// GenerateRandomAgentID generates a cryptographically random agent ID. +// Per spec §7.3, the gateway SHOULD generate a random agent ID on startup // if none is provided. Returns a 32-byte hex-encoded string (64 chars). -func GenerateRandomAPIKey() (string, error) { +func GenerateRandomAgentID() (string, error) { logAPIKey.Print("Generating random agent ID") key, err := strutil.RandomHex(32) if err != nil { diff --git a/internal/auth/header_test.go b/internal/auth/header_test.go index 65e8113f0..eb592c82b 100644 --- a/internal/auth/header_test.go +++ b/internal/auth/header_test.go @@ -323,11 +323,6 @@ func TestValidateAgentID(t *testing.T) { } } -func TestValidateAPIKeyAlias(t *testing.T) { - assert.True(t, ValidateAPIKey("same", "same")) - assert.False(t, ValidateAPIKey("a", "b")) -} - func TestExtractAgentID(t *testing.T) { assert := assert.New(t) diff --git a/internal/cmd/root.go b/internal/cmd/root.go index 9dc0da24e..d49912afd 100644 --- a/internal/cmd/root.go +++ b/internal/cmd/root.go @@ -274,7 +274,7 @@ func run(cmd *cobra.Command, args []string) error { // The generated value is set in the config so it propagates to both the HTTP // server authentication and the stdout configuration output (spec §5.4). if cfg.GetAgentID() == "" { - randomKey, err := auth.GenerateRandomAPIKey() + randomKey, err := auth.GenerateRandomAgentID() if err != nil { return fmt.Errorf("failed to generate random agent ID: %w", err) } diff --git a/internal/config/config_core.go b/internal/config/config_core.go index 2ccaf0fdb..ddfad80ba 100644 --- a/internal/config/config_core.go +++ b/internal/config/config_core.go @@ -182,11 +182,6 @@ func (c *Config) GetAgentID() string { return c.Gateway.effectiveAgentID() } -// GetAPIKey is a deprecated alias for GetAgentID. -func (c *Config) GetAPIKey() string { - return c.GetAgentID() -} - func (g *GatewayConfig) effectiveAgentID() string { if g == nil { return "" diff --git a/internal/config/config_env.go b/internal/config/config_env.go index 3d0e76cfe..55040954f 100644 --- a/internal/config/config_env.go +++ b/internal/config/config_env.go @@ -78,11 +78,6 @@ func GetGatewayAgentIDFromEnv() string { return "" } -// GetGatewayAPIKeyFromEnv is a deprecated alias for GetGatewayAgentIDFromEnv. -func GetGatewayAPIKeyFromEnv() string { - return GetGatewayAgentIDFromEnv() -} - // GetGatewayToolTimeoutFromEnv returns the MCP_GATEWAY_TOOL_TIMEOUT value, parsed as int. // Returns (0, false) when the environment variable is not set or empty. // Returns an error when the variable is set but invalid (non-integer or below minimum of 10). diff --git a/internal/server/middleware.go b/internal/server/middleware.go index ddd8c2982..2f6e5df73 100644 --- a/internal/server/middleware.go +++ b/internal/server/middleware.go @@ -87,7 +87,7 @@ func applyIfConfigured(key string, handler http.HandlerFunc, middleware func(str // // For header parsing logic, see internal/auth package which provides: // - ParseAuthHeader() for extracting API keys and agent IDs -// - ValidateAPIKey() for key validation +// - ValidateAgentID() for key validation func authMiddleware(apiKey string, next http.HandlerFunc) http.HandlerFunc { logAuth.Printf("Initialized auth middleware") return func(w http.ResponseWriter, r *http.Request) { From 02c89e1bd7d0f932fb7bf105921652357a782265 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 7 Jun 2026 17:07:30 +0000 Subject: [PATCH 2/2] docs: fix authMiddleware helper references --- internal/server/middleware.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/internal/server/middleware.go b/internal/server/middleware.go index 2f6e5df73..82c63e7c3 100644 --- a/internal/server/middleware.go +++ b/internal/server/middleware.go @@ -87,7 +87,10 @@ func applyIfConfigured(key string, handler http.HandlerFunc, middleware func(str // // For header parsing logic, see internal/auth package which provides: // - ParseAuthHeader() for extracting API keys and agent IDs -// - ValidateAgentID() for key validation +// - IsMalformedHeader() for malformed header detection +// +// This middleware validates credentials by directly comparing parsed API key +// values to the configured key. func authMiddleware(apiKey string, next http.HandlerFunc) http.HandlerFunc { logAuth.Printf("Initialized auth middleware") return func(w http.ResponseWriter, r *http.Request) {