From a38d907f64c40ebd0174c35f39b587a884ae9f0a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 7 Jun 2026 13:21:40 +0000 Subject: [PATCH 1/2] refactor(server): extract session ID header extraction into helper Deduplicate the identical 3-line session ID extraction block that appeared in both extractAndValidateSession (session.go) and WithSDKLogging (middleware.go). Add extractSessionIDFromRequest(r *http.Request) string as a package-private helper in session.go that wraps the call to auth.ExtractSessionIDFromHeaders. Both callers are updated to use the new helper. This closes issue #7137 (security-sensitive duplication). Keeping the extraction logic in one place means any future header-name change (e.g., adding X-Session-ID) only needs to be made once. Closes #7137 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- internal/server/middleware.go | 4 +--- internal/server/session.go | 13 ++++++++++--- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/internal/server/middleware.go b/internal/server/middleware.go index ddd8c298..82a140b6 100644 --- a/internal/server/middleware.go +++ b/internal/server/middleware.go @@ -191,9 +191,7 @@ func WithSDKLogging(handler http.Handler, mode string) http.Handler { startTime := time.Now() // Extract session info for logging context - agentIDHeader := r.Header.Get("X-Agent-ID") - authHeader := r.Header.Get("Authorization") - sessionID := auth.ExtractSessionIDFromHeaders(agentIDHeader, authHeader) + sessionID := extractSessionIDFromRequest(r) mcpSessionID := r.Header.Get("Mcp-Session-Id") // Log incoming request diff --git a/internal/server/session.go b/internal/server/session.go index d199e364..20850445 100644 --- a/internal/server/session.go +++ b/internal/server/session.go 
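Review bot: The `sessionID` produced here is about to be written to the request log (the `// Log incoming request` block that follows, outside the hunk), and because `extractSessionIDFromRequest` derives it from the `Authorization` header it may be a bearer credential or the live session key rather than an opaque identifier. Logging it verbatim would place a credential in log storage; prefer a non-reversible fingerprint for the log field, e.g. `sessionIDForLog := fmt.Sprintf("%x", sha256.Sum256([]byte(sessionID)))[:12]` (with `crypto/sha256` imported), or at minimum a fixed-length prefix. Whether the value is actually secret is decided inside `auth.ExtractSessionIDFromHeaders`, which is not visible here, so confirm that before changing the log line. The enclosing `WithSDKLogging` handler starts and ends outside the hunk.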
@@ -116,14 +116,21 @@ func (us *UnifiedServer) getSessionKeys() []string { return keys } +// extractSessionIDFromRequest extracts the session ID from the X-Agent-ID and +// Authorization headers of an HTTP request. Returns "" if neither header is present. +func extractSessionIDFromRequest(r *http.Request) string { + return auth.ExtractSessionIDFromHeaders( + r.Header.Get("X-Agent-ID"), + r.Header.Get("Authorization"), + ) +} + // extractAndValidateSession extracts the session ID from request headers. // and logs connection details. Returns empty string if validation fails. func extractAndValidateSession(r *http.Request) string { logSession.Printf("Extracting session from request: remote=%s, path=%s", r.RemoteAddr, r.URL.Path) - agentIDHeader := r.Header.Get("X-Agent-ID") - authHeader := r.Header.Get("Authorization") - sessionID := auth.ExtractSessionIDFromHeaders(agentIDHeader, authHeader) + sessionID := extractSessionIDFromRequest(r) if sessionID == "" { logSession.Printf("Session extraction failed: missing or invalid X-Agent-ID/Authorization header, remote=%s", r.RemoteAddr) From 8b245371d5668683554ef27e764403f35798f568 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Sun, 7 Jun 2026 10:03:54 -0700 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- internal/server/session.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/server/session.go b/internal/server/session.go index 20850445..50fe16c1 100644 --- a/internal/server/session.go +++ b/internal/server/session.go 
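Review bot: `extractSessionIDFromRequest` passes two client-controlled headers to `auth.ExtractSessionIDFromHeaders` without documenting which one wins, and if a bare `X-Agent-ID` is honoured when `Authorization` is absent or does not match it, any caller can select an arbitrary session ID; that decision lives in the auth package, which is not visible here, so confirm it and state it on the helper, e.g. `// The result is only as trustworthy as auth.ExtractSessionIDFromHeaders makes it; callers must not treat it as authenticated unless that function verified the Authorization credential.` The commit message's goal of a single point of change for header names is only half met while `"X-Agent-ID"` and `"Authorization"` remain string literals inside the helper; `const headerAgentID = "X-Agent-ID"` declared beside it would let the CORS allow-list and client code share the same name. `extractAndValidateSession`'s body continues past the end of the hunk.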
@@ -117,7 +117,8 @@ func (us *UnifiedServer) getSessionKeys() []string { } // extractSessionIDFromRequest extracts the session ID from the X-Agent-ID and -// Authorization headers of an HTTP request. Returns "" if neither header is present. +// Authorization headers of an HTTP request. Returns "" if neither header is present +// or if the provided header value is malformed. func extractSessionIDFromRequest(r *http.Request) string { return auth.ExtractSessionIDFromHeaders( r.Header.Get("X-Agent-ID"),
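Review bot: The added clause "or if the provided header value is malformed" documents a behaviour of `auth.ExtractSessionIDFromHeaders`, not of this wrapper, so it will silently go stale if that function changes; a pointer is safer than a restatement, e.g. `// Returns "" whenever auth.ExtractSessionIDFromHeaders rejects the headers (absent or malformed); see that function for the precedence between X-Agent-ID and Authorization.` The precedence between the two headers is the security-relevant part of this contract and is still not stated anywhere in the hunk. The helper's closing brace lies just past the end of the hunk.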