Skip to content

auth: add integration tests for security best practices conformance #457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

auth: add integration tests for security best practices conformance #457

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 103 additions & 0 deletions auth/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"context"
"errors"
"net/http"
"net/http/httptest"
"testing"
"time"
)
Expand Down Expand Up @@ -76,3 +77,105 @@ func TestVerify(t *testing.T) {
})
}
}

// Integration tests for Security Best Practices conformance.
// 2.2 Token Passthrough.
// https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices.
// Table-driven middleware tests covering invalid tokens, scope enforcement, and OK path.
func TestBearerMiddleware(t *testing.T) {
const resourceMetadata = "https://auth.example/meta"
verifier := func(_ context.Context, tok string, _ *http.Request) (*TokenInfo, error) {
switch tok {
case "valid":
return &TokenInfo{Expiration: time.Now().Add(time.Hour)}, nil
default:
return nil, ErrInvalidToken
}
}

tests := []struct {
name string
token string
scopes []string
wantCode int
wantCalled bool
}{
{name: "invalid-aud", token: "bad-aud", wantCode: http.StatusUnauthorized, wantCalled: false},
{name: "unknown-issuer", token: "unknown-issuer", wantCode: http.StatusUnauthorized, wantCalled: false},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is invalid-aud and unknown-issuer the same test case?

{name: "missing-scope", token: "valid", scopes: []string{"s1"}, wantCode: http.StatusForbidden, wantCalled: false},
{name: "ok", token: "valid", wantCode: http.StatusOK, wantCalled: true},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
called := false
h := RequireBearerToken(verifier, &RequireBearerTokenOptions{
ResourceMetadataURL: resourceMetadata,
Scopes: tt.scopes,
})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called = true
w.WriteHeader(http.StatusOK)
}))

req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
req.Header.Set("Authorization", "Bearer "+tt.token)
rw := httptest.NewRecorder()

h.ServeHTTP(rw, req)

if rw.Code != tt.wantCode {
t.Fatalf("got status %d, want %d", rw.Code, tt.wantCode)
}
if called != tt.wantCalled {
t.Fatalf("handler called=%v, want %v", called, tt.wantCalled)
}
if tt.wantCode == http.StatusUnauthorized || tt.wantCode == http.StatusForbidden {
want := "Bearer resource_metadata=" + resourceMetadata
if rw.Header().Get("WWW-Authenticate") != want {
t.Fatalf("unexpected WWW-Authenticate header: %q", rw.Header().Get("WWW-Authenticate"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

print got and want and store w.Header().Get("WWW-Authenticate") as got

}
}
})
}
}

func TestHTTPMiddleware_NoTokenPassthrough(t *testing.T) {
// Downstream fake API that records the incoming Authorization header.
var gotAuth string
downstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotAuth = r.Header.Get("Authorization")
w.WriteHeader(http.StatusOK)
}))
defer downstream.Close()

// Verifier accepts the incoming client token.
verifier := func(_ context.Context, token string, _ *http.Request) (*TokenInfo, error) {
if token != "client-token" {
return nil, ErrInvalidToken
}
return &TokenInfo{Expiration: time.Now().Add(time.Hour)}, nil
}

wrapped := RequireBearerToken(verifier, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Simulate proxy-like behavior: perform a downstream request without
// forwarding the client's Authorization header.
resp, err := http.Get(downstream.URL)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not saying anything is wrong with the PR, just pointing out that the SDK doesn't (and maybe shouldn't try to) prevent the pattern that I've seen when people forward tokens downstream which would roughly be:

		req, err := http.NewRequest(http.MethodGet, downstream.URL, nil)
		if err != nil {
			t.Fatalf("failed to create downstream request: %v", err)
		}
		// Read and forward the Authorization header from the incoming request
		if auth := r.Header.Get("Authorization"); auth != "" {
			req.Header.Set("Authorization", auth)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			t.Fatalf("downstream request failed: %v", err)
		}
		resp.Body.Close()

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(sorry clicked submit too soon)

what I meant to say is that it's fine to test that the SDK doesn't do the wrong thing on its own, but the SDK can't prevent the user from doing the wrong thing if they wish to.

if err != nil {
t.Fatalf("downstream request failed: %v", err)
}
resp.Body.Close()
w.WriteHeader(http.StatusOK)
}))

req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
req.Header.Set("Authorization", "Bearer client-token")
rw := httptest.NewRecorder()
wrapped.ServeHTTP(rw, req)

if rw.Code != http.StatusOK {
t.Fatalf("got status %d, want %d", rw.Code, http.StatusOK)
}
if gotAuth != "" {
t.Fatalf("downstream Authorization header should be empty; got %q", gotAuth)
}
}