
[Repo Assist] refactor(auth): move IsMalformedHeader from server to auth package #4144

Merged
lpcox merged 1 commit into main from
repo-assist/improve-auth-malformed-header-check-e26b91f046eb323e
Apr 19, 2026

@github-actions
Contributor

🤖 This PR was created by Repo Assist, an automated AI assistant.

Summary

Moves the RFC 7230 header-character validation logic out of internal/server/auth.go into internal/auth/header.go, where all other header-parsing utilities already live.

This addresses Issue 3 from the automated Semantic Function Clustering Analysis (#4138), which identified that isMalformedAuthHeader is conceptually misplaced — it validates raw header bytes per RFC 7230 before any auth parsing, and belongs alongside ParseAuthHeader, ExtractSessionID, ValidateAPIKey, etc.

Changes

  • internal/auth/header.go — Add exported IsMalformedHeader(header string) bool
  • internal/server/auth.go — Remove private isMalformedAuthHeader; import internal/auth; call auth.IsMalformedHeader
  • internal/auth/header_test.go — Add TestIsMalformedHeader with 12 test cases (empty string, normal key, horizontal tab, null byte, control chars 0x01/0x0A/0x0D/0x1F, DEL 0x7F, etc.)
  • internal/server/auth_test.go — Update TestIsMalformedAuthHeader to call auth.IsMalformedHeader (no logic change; existing 10 cases preserved)

Rationale

Before this change, server/auth.go contained a comment pointing maintainers at internal/auth for header logic — yet itself held a piece of header validation. After this change, all header validation lives in one package and can be used by any future callers without importing the server package.

Test Status

The environment has Go 1.24.13; the module requires Go 1.25.0 (network-restricted — toolchain download blocked). Build and test could not be run locally. CI will provide authoritative results.

The logic in IsMalformedHeader is identical to the previous isMalformedAuthHeader — only renamed and relocated. The existing 10 unit tests in server/auth_test.go continue to cover the same code paths via the new auth.IsMalformedHeader call, and 12 new cases are added directly to auth/header_test.go.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Repo Assist · 4.6M

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55

The isMalformedAuthHeader function implements RFC 7230 header validation
logic that belongs in the internal/auth package alongside other header
parsing utilities (ParseAuthHeader, ExtractSessionID, etc.).

Changes:
- Add exported auth.IsMalformedHeader to internal/auth/header.go
- Remove private isMalformedAuthHeader from internal/server/auth.go
- Update server/auth.go to call auth.IsMalformedHeader
- Update server/auth_test.go to call auth.IsMalformedHeader
- Add TestIsMalformedHeader with 12 cases to internal/auth/header_test.go

This makes all header validation logic discoverable in one place and
ensures future additions follow the same pattern.

Closes #4138 (partial: addresses Issue 3 from the analysis)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review April 19, 2026 21:48
Copilot AI review requested due to automatic review settings April 19, 2026 21:48
@lpcox lpcox merged commit 189246a into main Apr 19, 2026
3 checks passed
@lpcox lpcox deleted the repo-assist/improve-auth-malformed-header-check-e26b91f046eb323e branch April 19, 2026 21:48
Contributor

Copilot AI left a comment


Pull request overview

Refactors header-value validation by relocating RFC 7230 malformed-header character checks from the server auth middleware into the dedicated internal/auth package, consolidating header parsing/validation utilities in one place.

Changes:

  • Added auth.IsMalformedHeader(header string) bool to internal/auth/header.go.
  • Updated internal/server/auth.go to call auth.IsMalformedHeader and removed the local helper.
  • Added/updated unit tests to cover the moved functionality from both internal/auth and internal/server.

| File | Description |
| --- | --- |
| internal/auth/header.go | Introduces exported IsMalformedHeader alongside other auth/header utilities. |
| internal/server/auth.go | Switches middleware validation to auth.IsMalformedHeader and removes the duplicated helper. |
| internal/auth/header_test.go | Adds direct unit tests for IsMalformedHeader. |
| internal/server/auth_test.go | Updates the existing malformed-header test to exercise auth.IsMalformedHeader. |

Copilot's findings


  • Files reviewed: 4/4 changed files
  • Comments generated: 0
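
The kind of byte-level check this PR relocates, written out as an added example; it is not the project's code and not part of any comment above. The helper names are hypothetical, the sample values are constructed from the byte classes listed in the PR's test description, and accepting HTAB is an assumption taken from RFC 7230's field-value grammar rather than from the project's source.

```go
package main

import "fmt"

// headerByteViolation is a hypothetical helper (not the project's
// IsMalformedHeader). It reports the first byte in a header value that
// RFC 7230 section 3.2 does not permit in a field-value.
// Assumption: HTAB (0x09) is accepted because RFC 7230 allows it as
// whitespace inside field values; every other control byte and DEL is not.
func headerByteViolation(value string) (offset int, b byte, bad bool) {
	// Iterate bytes, not runes: the check applies to the raw header octets.
	for i := 0; i < len(value); i++ {
		c := value[i]
		if (c < 0x20 && c != '\t') || c == 0x7F {
			return i, c, true
		}
	}
	return -1, 0, false
}

// isMalformed is the boolean form a middleware would call before any
// scheme or credential parsing, so later code never sees CR, LF or NUL.
func isMalformed(value string) bool {
	_, _, bad := headerByteViolation(value)
	return bad
}

func main() {
	// Constructed samples covering the byte classes named in the PR.
	samples := []string{
		"",
		"Bearer my-api-key",
		"Bearer\tmy-api-key",
		"key\x00suffix",
		"key\r\nnext-line",
		"key\x1f",
		"key\x7f",
	}
	for _, s := range samples {
		if off, b, bad := headerByteViolation(s); bad {
			fmt.Printf("%-24q reject: byte 0x%02X at offset %d\n", s, b, off)
		} else {
			fmt.Printf("%-24q accept\n", s)
		}
	}
}
```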
