From 69f916606be3e57dcba38ccb8c119624ae5f37bc Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Tue, 14 Apr 2026 08:09:58 -0700 Subject: [PATCH 1/2] refactor(config): extract shared validateServerAuth to deduplicate auth validation The TOML path (LoadFromFile in config_core.go) and JSON stdin path (validateStandardServerConfig in validation.go) both performed the same auth validation: reject auth on non-HTTP servers, then call validateAuthConfig. Extract a shared validateServerAuth helper that handles nil-check, type-check, and delegation in one place. - config_core.go: replaced 8-line inline loop body with 1-line call - validation.go (stdio block): replaced structured error with shared helper - validation.go (http block): replaced inline validateAuthConfig with shared helper Fixes #3561 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- internal/config/config_core.go | 14 ++++---------- internal/config/validation.go | 27 +++++++++++++++++++-------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/internal/config/config_core.go b/internal/config/config_core.go index 0c426eee..16c8ea30 100644 --- a/internal/config/config_core.go +++ b/internal/config/config_core.go @@ -346,18 +346,12 @@ func LoadFromFile(path string) (*Config, error) { } // Validate auth configs (e.g. fail-fast for missing OIDC env vars). - // This ensures parity with the JSON stdin path which calls validateAuthConfig + // This ensures parity with the JSON stdin path which calls validateServerAuth // via convertStdinServerConfig → validateServerConfigWithCustomSchemas. for name, serverCfg := range cfg.Servers { - if serverCfg.Auth != nil { - // Auth is only supported on HTTP servers, matching validateStandardServerConfig behavior. - if serverCfg.Type != "http" { - return nil, fmt.Errorf("server '%s': auth is only supported for HTTP servers (type: \"http\")", name) - } - jsonPath := fmt.Sprintf("servers.%s", name) - if err := validateAuthConfig(serverCfg.Auth, name, jsonPath); err != nil { - return nil, err - } + jsonPath := fmt.Sprintf("servers.%s", name) + if err := validateServerAuth(serverCfg.Auth, serverCfg.Type, name, jsonPath); err != nil { + return nil, err } } diff --git a/internal/config/validation.go b/internal/config/validation.go index 0ea3ce90..16fdc9f5 100644 --- a/internal/config/validation.go +++ b/internal/config/validation.go @@ -215,9 +215,8 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa } // auth is only valid on HTTP servers - if server.Auth != nil { - logValidateServerFailed(name, "auth field is not supported for stdio servers") - return rules.UnsupportedField("auth", "auth is only supported for HTTP servers (type: \"http\")", jsonPath, "Remove the 'auth' field from the stdio server configuration, or change the server type to 'http'") + if err := validateServerAuth(server.Auth, server.Type, name, jsonPath); err != nil { + return err } } @@ -232,11 +231,9 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa return rules.UnsupportedField("mounts", "mounts are only supported for stdio (containerized) servers", jsonPath, "Remove the 'mounts' field from HTTP server configuration; mounts only apply to stdio servers") } - // Validate auth field if present - if server.Auth != nil { - if err := validateAuthConfig(server.Auth, name, jsonPath); err != nil { - return err - } + // Validate auth config if present + if err := validateServerAuth(server.Auth, server.Type, name, jsonPath); err != nil { + return err } } @@ -244,6 +241,20 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa return nil } +// validateServerAuth validates the auth configuration on any server type, +// rejecting auth on non-HTTP servers and delegating to validateAuthConfig +// for HTTP servers. This is shared by both the TOML (LoadFromFile) and +// JSON stdin (validateStandardServerConfig) paths. +func validateServerAuth(auth *AuthConfig, serverType, name, jsonPath string) error { + if auth == nil { + return nil + } + if serverType != "http" { + return fmt.Errorf("server '%s': auth is only supported for HTTP servers (type: \"http\")", name) + } + return validateAuthConfig(auth, name, jsonPath) +} + // validateAuthConfig validates the auth configuration for an HTTP server. func validateAuthConfig(auth *AuthConfig, serverName, jsonPath string) error { authPath := jsonPath + ".auth" From e0ee181f182a657d81abef5e95074f7e18100ee2 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Tue, 14 Apr 2026 08:43:20 -0700 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- internal/config/validation.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/internal/config/validation.go b/internal/config/validation.go index 16fdc9f5..b0b7971a 100644 --- a/internal/config/validation.go +++ b/internal/config/validation.go @@ -250,7 +250,12 @@ func validateServerAuth(auth *AuthConfig, serverType, name, jsonPath string) err return nil } if serverType != "http" { - return fmt.Errorf("server '%s': auth is only supported for HTTP servers (type: \"http\")", name) + logValidateServerFailed(name, fmt.Sprintf("auth is set on non-HTTP server type: %s", serverType)) + return rules.UnsupportedField( + "auth", + fmt.Sprintf("server type %q", serverType), + jsonPath, + "Remove the auth configuration or change the server type to \"http\"") } return validateAuthConfig(auth, name, jsonPath) }