fix(server): BearerTokenAuthMiddleware now populates ctx.auth_info for bearer flows #579

Merged
bokelley merged 2 commits into main from claude/issue-576-bearer-auth-info
May 4, 2026
@bokelley bokelley commented May 4, 2026

Summary

  • auth_context_factory now constructs AuthInfo(kind="bearer", principal=..., credential=None) and stores it at metadata["adcp.auth_info"] when the request is authenticated, so RequestContext.auth_info is non-None for bearer flows — the same typed surface signed-request flows already populate
  • _build_ctx pops adcp.auth_info from tool_ctx.metadata after extraction so the AuthInfo object never reaches RequestContext.metadata or the context-echo/idempotency path (mirrors the existing adcp.buyer_agent pop)
  • Two new regression tests + one tightened assertion in test_auth_middleware.py

Root cause

auth_context_factory populated caller_identity and tenant_id on the ToolContext but never set metadata["adcp.auth_info"]. PlatformHandler._extract_auth_info reads that key — so for every bearer-authenticated request it silently returned None, leaving ctx.auth_info unset even though ctx.auth_principal was populated (fixed in #574).

Test plan

  • pytest tests/test_auth_middleware.py — 38/38 pass
  • pytest tests/ — 4092 pass (excluding pre-existing network flake test_real_tls_handshake_still_validates_hostname)
  • ruff check src/ — clean
  • mypy src/adcp/ — clean
  • Security review: bearer token value never stored in AuthInfo, object popped before context-echo path, credential=None suppresses synthesis
  • Code review: approved; test nit resolved (disambiguation between discovery-tool and non-discovery unauthenticated paths)

Closes #576

https://claude.ai/code/session_01R254Wmibw6fxiDDTvhuw9b


Generated by Claude Code
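
The pattern this PR describes, as an added sketch that is not the adcp project's code: the factory stores a typed AuthInfo with credential=None under metadata["adcp.auth_info"], and the context builder pops it before metadata can reach a serializing path. The class shapes, the function signatures, `echo_metadata` and the copy-before-pop step are simplified assumptions; only the names AuthInfo, ToolContext, RequestContext, auth_context_factory and the metadata key come from the description above.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

AUTH_INFO_KEY = "adcp.auth_info"  # metadata key named in the PR description


@dataclass(frozen=True)
class AuthInfo:  # simplified stand-in, not the adcp class
    kind: str
    principal: str
    credential: Optional[str] = None


@dataclass
class ToolContext:  # simplified stand-in
    caller_identity: Optional[str] = None
    tenant_id: Optional[str] = None
    metadata: dict = field(default_factory=dict)


@dataclass
class RequestContext:  # simplified stand-in
    auth_principal: Optional[str]
    auth_info: Optional[AuthInfo]
    metadata: dict


def auth_context_factory(principal, tenant_id, request_id):
    """Build the per-request ToolContext; principal is None when unauthenticated."""
    ctx = ToolContext(caller_identity=principal, tenant_id=tenant_id,
                      metadata={"request_id": request_id})
    if principal is not None:
        # Only the resolved principal is recorded; the token value is never passed in.
        ctx.metadata[AUTH_INFO_KEY] = AuthInfo(kind="bearer", principal=principal,
                                               credential=None)
    return ctx


def build_ctx(tool_ctx):
    """Extract the typed AuthInfo, then pop it so it cannot reach echoed metadata."""
    metadata = dict(tool_ctx.metadata)  # copy is an assumption of this sketch
    auth_info = metadata.pop(AUTH_INFO_KEY, None)
    if not isinstance(auth_info, AuthInfo):  # ignore anything that is not the typed object
        auth_info = None
    return RequestContext(tool_ctx.caller_identity, auth_info, metadata)


def echo_metadata(ctx):
    """Hypothetical context-echo / idempotency path that serializes metadata."""
    return json.dumps(ctx.metadata, sort_keys=True)
```

Without the pop, `echo_metadata` raises TypeError on the AuthInfo object, which is the "opaque to downstream serializers" problem the first commit message mentions.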

bokelley and others added 2 commits May 4, 2026 12:34
_build_ctx now pops metadata["adcp.auth_info"] after calling
_extract_auth_info, preventing the AuthInfo object from surviving into
RequestContext.metadata where it would be opaque to downstream
serializers. Mirrors the existing adcp.buyer_agent pop pattern.

https://claude.ai/code/session_01R254Wmibw6fxiDDTvhuw9b
bokelley force-pushed the claude/issue-576-bearer-auth-info branch from 0db54bd to 51f8d63 on May 4, 2026 16:34
bokelley merged commit 901aa53 into main on May 4, 2026
16 checks passed
bokelley deleted the claude/issue-576-bearer-auth-info branch on May 4, 2026 16:39
Development

Successfully merging this pull request may close these issues.

BearerTokenAuthMiddleware does not construct AuthInfo — ctx.auth_info.kind unusable for bearer flows
