The runtime accepts session.hello.payload.auth.scheme = "none" unconditionally in src/Arcp.Runtime/Internal/SessionHandshake.fs inside authenticateAsync, returning AnonymousPrincipal without consulting ArcpServerOptions.BearerVerifier. A server that configures StaticBearerVerifier or a custom production verifier can still be entered by any client that sends AuthScheme.None, so bearer authentication is optional even when the server appears to require it. This is especially risky because ArcpClientOptions.defaults in src/Arcp.Client/ArcpClientTypes.fs sends AuthScheme.None by default.
Fix prompt: change runtime authentication so no-auth is allowed only when the server explicitly opts into anonymous sessions. Add an AllowAnonymousAuth or equivalent field to ArcpServerOptions, default it to false, pass it into SessionHandshake.handleAsync, and make the "none" branch return Unauthenticated unless that option is enabled. Update samples and local-trust stdio setup to opt in deliberately or send a bearer token, and add integration tests proving that a server with a static bearer verifier rejects AuthScheme.None and accepts a valid bearer token.
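The following F# sketch illustrates the "none" branch before and after the proposed change. It is an added example, not code from the Arcp repository: the type and member shapes (AuthScheme, Principal, AuthResult, IBearerVerifier, StaticBearerVerifier, ArcpServerOptions with the new AllowAnonymousAuth field) are assumed to match the identifiers named in the finding, and the token and subject values are constructed for the demonstration. The main function exercises the same four cases the requested integration tests should cover: a server with a static bearer verifier and no anonymous opt-in must reject scheme "none", accept the configured token, and reject a wrong one.

```fsharp
// Added example, not code from the Arcp repository. Type and member names follow
// the identifiers in the finding; their real definitions are assumed, and the
// token/subject values below are constructed for the demonstration.
open System
open System.Text
open System.Security.Cryptography
open System.Threading.Tasks

[<RequireQualifiedAccess>]
type AuthScheme =
    | None                      // wire value: session.hello.payload.auth.scheme = "none"
    | Bearer of token: string   // wire value: "bearer" plus a token

type Principal =
    | AnonymousPrincipal
    | BearerPrincipal of subject: string

type AuthResult =
    | Authenticated of Principal
    | Unauthenticated of reason: string

/// Assumed verifier contract: a token maps to a principal or to nothing.
type IBearerVerifier =
    abstract VerifyAsync: token: string -> Task<Principal option>

/// Stand-in for StaticBearerVerifier: one configured token, compared in constant time.
type StaticBearerVerifier(expected: string, subject: string) =
    interface IBearerVerifier with
        member _.VerifyAsync(token) =
            let ok =
                CryptographicOperations.FixedTimeEquals(
                    Encoding.UTF8.GetBytes(token), Encoding.UTF8.GetBytes(expected))
            Task.FromResult(if ok then Some(BearerPrincipal subject) else None)

type ArcpServerOptions =
    { BearerVerifier: IBearerVerifier option
      AllowAnonymousAuth: bool }   // proposed field; must default to false

/// Shared bearer path: only a configured verifier can mint a principal.
let private verifyBearer (opts: ArcpServerOptions) (token: string) : Task<AuthResult> =
    task {
        match opts.BearerVerifier with
        | Some verifier ->
            let! principal = verifier.VerifyAsync token
            return
                match principal with
                | Some p -> Authenticated p
                | None -> Unauthenticated "bearer token rejected"
        | None -> return Unauthenticated "no bearer verifier configured"
    }

/// Before the fix: scheme "none" yields AnonymousPrincipal without looking at options.
let authenticateVulnerable (opts: ArcpServerOptions) (scheme: AuthScheme) : Task<AuthResult> =
    match scheme with
    | AuthScheme.None -> Task.FromResult(Authenticated AnonymousPrincipal)
    | AuthScheme.Bearer token -> verifyBearer opts token

/// After the fix: scheme "none" is honoured only when the server opted in explicitly.
let authenticateFixed (opts: ArcpServerOptions) (scheme: AuthScheme) : Task<AuthResult> =
    match scheme with
    | AuthScheme.None when opts.AllowAnonymousAuth -> Task.FromResult(Authenticated AnonymousPrincipal)
    | AuthScheme.None -> Task.FromResult(Unauthenticated "anonymous sessions are not enabled")
    | AuthScheme.Bearer token -> verifyBearer opts token

[<EntryPoint>]
let main _ =
    // Constructed configuration: a server that clearly intends to require a bearer token.
    let server =
        { BearerVerifier = Some(StaticBearerVerifier("example-token", "svc-client") :> IBearerVerifier)
          AllowAnonymousAuth = false }
    let show label (r: Task<AuthResult>) = printfn "%-26s %A" label r.Result
    show "vulnerable, scheme=none:" (authenticateVulnerable server AuthScheme.None)
    show "fixed, scheme=none:" (authenticateFixed server AuthScheme.None)
    show "fixed, valid bearer:" (authenticateFixed server (AuthScheme.Bearer "example-token"))
    show "fixed, wrong bearer:" (authenticateFixed server (AuthScheme.Bearer "guess"))
    0
```

The guard on the fixed branch is the whole change: the "none" case is matched against the server option first, so a client that relies on the ArcpClientOptions default of AuthScheme.None now gets Unauthenticated unless the operator set AllowAnonymousAuth = true deliberately. Keeping the default false means existing local-trust stdio setups fail closed until they either opt in or start sending a token.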