Conversation

@mattdholloway mattdholloway commented Jan 28, 2026

Summary

This pull request updates the token extraction middleware to support configurable handling of invalid token formats, and introduces comprehensive unit tests for its behavior. The main change is the addition of a ValidateTokenFormat option in the OAuth config, which determines whether the middleware returns a 401 Unauthorized (with a WWW-Authenticate header) or a 400 Bad Request for invalid token formats. This makes the authentication flow more flexible and testable.

Why

Fixes #

What changed

MCP impact

  • No tool or API changes
  • Tool schema or behavior changed
  • New tool added

Prompts tested (tool changes only)

Security / limits

  • No security or limits impact
  • Auth / permissions considered
  • Data exposure, filtering, or token/size limits considered

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
    • I have added the new tool aliases in deprecated_tool_aliases.go
  • I am not renaming tools as part of this PR

Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.

Lint & tests

  • Linted locally with ./script/lint
  • Tested locally with ./script/test

Docs

  • Not needed
  • Updated (README / docs / examples)

@mattdholloway mattdholloway marked this pull request as ready for review January 28, 2026 15:09
@mattdholloway mattdholloway requested a review from a team as a code owner January 28, 2026 15:09
Copilot AI review requested due to automatic review settings January 28, 2026 15:09
Copilot AI left a comment

Pull request overview

This pull request adds configurable token format validation to the authentication middleware. When enabled, the middleware returns 401 Unauthorized with WWW-Authenticate headers for invalid token formats; when disabled (default), it returns 400 Bad Request, allowing downstream systems (like CAPI) to handle validation.

Changes:

  • Added ValidateTokenFormat boolean field to OAuth config to control error response behavior
  • Updated token extraction middleware to conditionally return 401 vs 400 for invalid tokens
  • Added comprehensive unit tests covering all token validation scenarios

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File                                  Description
pkg/http/oauth/oauth.go               Adds ValidateTokenFormat configuration field with clear documentation
pkg/http/middleware/token.go          Updates error handling logic to check ValidateTokenFormat and return the appropriate status code
pkg/http/middleware/token_test.go     Adds comprehensive table-driven tests for the token extraction middleware and helper functions
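The behaviour described in the PR summary and in the Copilot overview (a config flag that decides whether a malformed bearer token gets a 401 with a WWW-Authenticate challenge or a 400 left for a downstream validator), as an added Go illustration that is not the project's middleware. Only the field name ValidateTokenFormat comes from the PR; OAuthConfig, Realm, tokenShape, TokenMiddleware, probe, the token shape rule, and the choice to always challenge with 401 when the Authorization header is missing or not a Bearer scheme are assumptions made here:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// OAuthConfig carries the option the PR describes. ValidateTokenFormat is the
// field named in the PR; Realm is an assumed extra used only to build the
// WWW-Authenticate challenge.
type OAuthConfig struct {
	ValidateTokenFormat bool
	Realm               string
}

// tokenShape is a constructed, deliberately loose shape check modelled on the
// RFC 6750 b64token grammar with a minimum length. The project's real rule
// may differ.
var tokenShape = regexp.MustCompile(`^[A-Za-z0-9._~+/-]{20,}=*$`)

// bearerToken splits "Bearer <token>" per RFC 6750. ok is false when the
// header is missing or does not use the Bearer scheme.
func bearerToken(r *http.Request) (token string, ok bool) {
	h := r.Header.Get("Authorization")
	parts := strings.SplitN(h, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", false
	}
	return strings.TrimSpace(parts[1]), true
}

// challenge writes the 401 the PR describes: a WWW-Authenticate header with a
// Bearer challenge so an OAuth client knows how to re-authenticate.
func challenge(w http.ResponseWriter, cfg OAuthConfig, errCode string) {
	v := fmt.Sprintf("Bearer realm=%q", cfg.Realm)
	if errCode != "" {
		v += fmt.Sprintf(", error=%q", errCode)
	}
	w.Header().Set("WWW-Authenticate", v)
	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}

// TokenMiddleware extracts the bearer token. A missing or non-Bearer header is
// always a 401 challenge (assumption). A token that is present but malformed
// is a 401 challenge when cfg.ValidateTokenFormat is set, otherwise a 400 so a
// downstream validator can reach its own verdict (the PR's default).
func TokenMiddleware(cfg OAuthConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := bearerToken(r)
		if !ok || token == "" {
			challenge(w, cfg, "")
			return
		}
		if !tokenShape.MatchString(token) {
			if cfg.ValidateTokenFormat {
				challenge(w, cfg, "invalid_token")
				return
			}
			http.Error(w, "malformed bearer token", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given Authorization header through the
// middleware and reports the status and WWW-Authenticate header it produced.
func probe(cfg OAuthConfig, authorization string) (status int, wwwAuth string) {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	TokenMiddleware(cfg, next).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	const good = "tok_constructed_example_0123456789abcdef" // constructed, not a real credential
	strict := OAuthConfig{ValidateTokenFormat: true, Realm: "mcp"}
	lenient := OAuthConfig{Realm: "mcp"}
	for _, tc := range []struct {
		name string
		cfg  OAuthConfig
		auth string
	}{
		{"missing header", lenient, ""},
		{"basic scheme", strict, "Basic dXNlcjpwYXNz"},
		{"malformed, strict", strict, "Bearer bad token"},
		{"malformed, lenient", lenient, "Bearer bad token"},
		{"well-formed", strict, "Bearer " + good},
	} {
		s, h := probe(tc.cfg, tc.auth)
		fmt.Printf("%-20s -> %d  WWW-Authenticate=%q\n", tc.name, s, h)
	}
}
```

The split matters operationally: a 401 with a challenge tells a well-behaved OAuth client to obtain a new token, while a 400 with no challenge tells it the request itself was wrong and leaves the verdict on the token to whatever validates it downstream. Logging which branch fires makes it easy to spot clients that repeatedly send malformed credentials.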

4 participants