Skip to content

fix: Add validation to ensure added auth token getters are used by the tool #220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: anubhav-error
Choose a base branch
from
Open

fix: Add validation to ensure added auth token getters are used by the tool #220

wants to merge 7 commits into from

Conversation

anubhav756
Copy link
Contributor

Problem

Previously, the ToolboxTool.add_auth_token_getters method only validated against existing registered getters or conflicts with client headers. It did not verify if all the auth token getters provided were actually used or required by the specific tool instance they were being added to.

Solution

This PR enhances the validation in add_auth_token_getters. It now leverages the used_auth_token_getters information returned by the existing identify_required_authn_params call. This allows the method to confirm that every getter passed in is genuinely required by the tool, raising an error if any are unused.

Benefit

This ensures that only relevant auth token getters are attempted to be registered for a tool, preventing misconfigurations and human errors.

Note

This validation aligns with the existing validation logic already present in the ToolboxClient.load_tool method, promoting a consistent approach to handling auth token getter requirements across the codebase.

@anubhav756 anubhav756 self-assigned this May 5, 2025
@anubhav756 anubhav756 requested a review from a team as a code owner May 5, 2025 15:17
@anubhav756 anubhav756 mentioned this pull request May 5, 2025
Open
@anubhav756 anubhav756 marked this pull request as draft May 5, 2025 16:28
anubhav756 added 2 commits May 6, 2025 13:18
@anubhav756
feat: Introduce identifying used authz token getters
c7dbc3c 
This PR adds the feature in `identify_required_authn_params` helper to determine which of the provided auth token getters are actively used to satisfy a tool's authorization requirements (as defined by the `authRequired` key in its manifest).

This is a foundational step towards future validation in `ToolboxTool.add_auth_token_getters`, which will ensure no configured auth token getters remain unused, thereby preventing potential misconfigurations.
@anubhav756
fix: Correctly determine remaining required authz tokens
adc8bc2 
This PR fixes an issue where the system could inaccurately identify the authorization tokens still needed for tool invocation.

The `identify_required_authn_params` helper has been updated to leverage its new capability of recognizing all alternatives of required authorization tokens.

A new `ToolboxTool` member variable, `__required_authz_tokens`, now stores these alternatives. The tool invocation logic correctly uses this to check if any matching token has been provided.

This new member variable is also updated correctly by the remaining authz tokens while adding auth token getters, and validated right before tool invocation.
@anubhav756 anubhav756 force-pushed the anubhav-tool-unused-auth branch from 74ddda7 to 86f44f5 Compare May 6, 2025 11:18
anubhav756 added 5 commits May 6, 2025 17:25
@anubhav756
chore: Fix integration tests
854ef47
@anubhav756
fix: Add validation to ensure added auth token getters are used by th…
180eddc 
…e tool

Previously, the `ToolboxTool.add_auth_token_getters` method only validated against existing registered getters or conflicts with client headers. It did not verify if *all* the auth token getters provided were actually used or required by the specific tool instance they were being added to.

This PR enhances the validation in `add_auth_token_getters`. It now leverages the `used_auth_token_getters` information returned by the existing `identify_required_authn_params` call. This allows the method to confirm that every getter passed in is genuinely required by the tool, raising an error if any are unused.

This ensures that only relevant auth token getters are attempted to be registered for a tool, preventing misconfigurations and human errors.

> [!NOTE]
> This validation aligns with the existing validation logic already present in the `ToolboxClient.load_tool` method, promoting a consistent approach to handling auth token getter requirements across the codebase.
@anubhav756
docs: Improve helper comment
913d990
@anubhav756
chore: Add unit test cases
b7b0dc1
@anubhav756
chore: Delint
4405195
@anubhav756 anubhav756 force-pushed the anubhav-tool-unused-auth branch from 06847ff to 4405195 Compare May 6, 2025 11:56
@anubhav756 anubhav756 mentioned this pull request May 6, 2025
Open
@anubhav756 anubhav756 marked this pull request as ready for review May 6, 2025 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kurtisvg kurtisvg Awaiting requested review from kurtisvg

@twishabansal twishabansal Awaiting requested review from twishabansal

Assignees

@anubhav756 anubhav756

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@anubhav756