fix(auth): match complete WWW-Authenticate parameters #3012
Pushed a follow-up commit ( The extractor now splits Additional validation added:
Validation run locally:
1 issue found across 2 files (changes from recent commits).
| match = re.search(pattern, www_auth_header) | ||
| for param in _iter_www_auth_params(www_auth_header): | ||
| name, separator, value = param.partition("=") | ||
| if separator != "=" or name.strip() != field_name: |
P2: extract_field_from_www_auth fails to match fields in subsequent WWW-Authenticate challenges because the scheme prefix is kept in the parsed parameter name (e.g. "Bearer scope"), so valid headers with multiple challenges are misparsed.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/mcp/client/auth/utils.py, line 69:
<comment>`extract_field_from_www_auth` fails to match fields in subsequent `WWW-Authenticate` challenges because the scheme prefix is kept in the parsed parameter name (e.g. `"Bearer scope"`), so valid headers with multiple challenges are misparsed.</comment>
<file context>
@@ -26,14 +64,16 @@ def extract_field_from_www_auth(response: Response, field_name: str) -> str | No
- match = re.search(pattern, www_auth_header)
+ for param in _iter_www_auth_params(www_auth_header):
+ name, separator, value = param.partition("=")
+ if separator != "=" or name.strip() != field_name:
+ continue
</file context>
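Review bot: the comparison `name.strip() != field_name` in the new loop is an exact, case-sensitive match, but auth-param names are matched case-insensitively under RFC 9110, so a challenge that sends `Scope=` or `Resource_Metadata=` would be skipped. Consider comparing `name.strip().lower()` with `field_name.lower()` once any leading scheme token has been dropped from `name`, and add a regression test with a mixed-case parameter name.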
Pushed one more test-only follow-up ( The failing jobs had all tests passing, then failed the repo-wide 100% coverage gate because the new quote-aware splitter had untested escaped-character branches. I added a regression for an escaped quote inside a quoted auth-param value, which exercises that branch while preserving the real Validation run locally:
Pushed another test-only coverage follow-up ( Added regressions for:
Local validation now covers 33 selected auth tests:
Summary
error_scope satisfying scope scope and resource_metadata prefixed parameters
Test plan
uv run pytest tests/client/test_auth.py::TestWWWAuthenticate -q
uv run ruff check src/mcp/client/auth/utils.py tests/client/test_auth.py
uv run pyright src/mcp/client/auth/utils.py tests/client/test_auth.py
git diff --check
Related: #2902
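An added example, not the project's code: a minimal sketch of the parsing behaviour this thread discusses (quote-aware splitting, exact parameter-name matching so `error_scope` cannot satisfy `scope`, and fields in a second challenge). The names `split_params`, `unquote`, `extract_param` and the `SAMPLE` header are hypothetical, and case-insensitive name matching is an assumption beyond what the thread shows.

```python
import re
from typing import Optional


def split_params(header: str) -> list:
    """Split a WWW-Authenticate value on commas that sit outside quoted-strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in header:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\" and in_quotes:   # start of a quoted-pair
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue                     # the separator itself is dropped
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def unquote(value: str) -> str:
    """Strip surrounding double quotes and undo backslash escapes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def extract_param(header: str, field: str) -> Optional[str]:
    """Return the first auth-param whose whole name equals `field`."""
    for part in split_params(header):
        name, sep, value = part.partition("=")
        tokens = name.split()
        if not sep or not tokens:
            continue                     # bare scheme, or nothing before "="
        # The first param of each challenge arrives as "Bearer scope":
        # keep only the last token so the scheme is not part of the name.
        if tokens[-1].lower() == field.lower():
            return unquote(value)
    return None


# Constructed sample: two challenges, a decoy inside a quoted realm, a prefixed name.
SAMPLE = r'Basic realm="a, scope=\"fake\"", Bearer error_scope="x", scope="mcp:tools"'

if __name__ == "__main__":
    print(extract_param(SAMPLE, "scope"))
```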