
fix(a2a-server): add missing return after 501 in /tasks/metadata endpoint#24293

Open
garagon wants to merge 2 commits into google-gemini:main from garagon:fix/a2a-tasks-metadata-missing-return

Conversation

@garagon

@garagon garagon commented Mar 31, 2026

Problem

GET /tasks/metadata sends a 501 when using a non-InMemory task store (e.g., GCSTaskStore) but does not return. Execution falls through to the try block which attempts to send a second response, triggering ERR_HTTP_HEADERS_SENT and crashing the server.

packages/a2a-server/src/http/app.ts:322-329

Fix

Add return after the 501 response.

Previous attempts (#21730, #21947) were closed for administrative reasons. The bug is still present on main.

Fixes #21729

…oint

The handler sends a 501 when the task store is not InMemoryTaskStore
but does not return. Execution falls through to the try block which
sends a second response, triggering ERR_HTTP_HEADERS_SENT and crashing
the server.

Fixes google-gemini#21729
@garagon garagon requested a review from a team as a code owner March 31, 2026 01:08
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue where the server would attempt to send multiple HTTP responses when accessing the task metadata endpoint with an unsupported task store. By ensuring the function returns immediately after sending a 501 error, the server avoids subsequent code execution that leads to runtime crashes.

Highlights

  • Bug Fix: Added a missing return statement in the /tasks/metadata endpoint to prevent execution fall-through.
  • Server Stability: Prevented ERR_HTTP_HEADERS_SENT errors that occurred when using non-InMemory task stores.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds a missing return statement to the /tasks/metadata endpoint in the a2a-server package to prevent execution from continuing when an unsupported task store is used. However, a high-severity security issue was identified: the endpoint lacks authentication and authorization, potentially exposing sensitive task metadata to unauthenticated users.

error:
'Listing all task metadata is only supported when using InMemoryTaskStore.',
});
return;
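Review bot: the bare `return;` after the 501 is the right fix here (Express ignores a handler's return value, so nothing more is needed), but the same missing return has already been proposed twice (#21730, #21947) and is still on main; a regression test that calls GET /tasks/metadata against a non-InMemoryTaskStore and asserts exactly one 501 response, with no ERR_HTTP_HEADERS_SENT, would keep it from being lost again.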
Contributor


security-high

The /tasks/metadata endpoint lacks any authentication or authorization checks. While this PR correctly adds a return statement to prevent a server crash (DoS) when using a non-in-memory task store, the endpoint remains publicly accessible. Any unauthenticated user can retrieve metadata for all tasks currently in memory, which may include sensitive information such as workspace paths and agent settings for all users. It is recommended to apply authentication middleware to this route and ensure that users can only access metadata for tasks they own.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds a missing return statement to the /tasks/metadata endpoint in the a2a-server package, ensuring that execution stops after an error response is sent. A security review identified a high-severity vulnerability in this same endpoint, noting that it lacks proper authorization checks and could allow users to access sensitive metadata for tasks they do not own.

error:
'Listing all task metadata is only supported when using InMemoryTaskStore.',
});
return;
Contributor


security-high

The /tasks/metadata endpoint lacks proper authorization checks. It returns metadata for all tasks currently in the InMemoryTaskStore, which includes sensitive information such as workspacePath and other agent settings. An authenticated user can access this information for all tasks, not just their own, leading to unauthorized information disclosure.

Remediation: Implement an authorization check to ensure that the user requesting the metadata is authorized to view it. Typically, this involves filtering the tasks to only include those owned by the current user or requiring administrative privileges to list all tasks.
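The fall-through described in the PR description and the owner scoping this remediation asks for, as one added example that is not code from the gemini-cli repository: a minimal response double stands in for Express, and the store classes, the `User` shape and the `owner`/`workspacePath` field names are assumptions.

```typescript
// Added example, not gemini-cli code: a stand-in for the GET /tasks/metadata handler.
// Store, user and field names are assumptions chosen to mirror the PR discussion.
// Like Node's ServerResponse, a second send after headers are out throws ERR_HTTP_HEADERS_SENT.
class MockResponse {
  private code = 200;
  sent: { status: number; body: unknown } | null = null; // what actually went on the wire
  status(code: number): this { this.code = code; return this; }
  json(body: unknown): this {
    if (this.sent) throw Object.assign(new Error('Cannot set headers after they are sent'), { code: 'ERR_HTTP_HEADERS_SENT' });
    this.sent = { status: this.code, body }; return this;
  }
}

interface TaskMetadata { id: string; owner: string; workspacePath: string }
interface User { id: string; isAdmin: boolean }
class InMemoryTaskStore { constructor(readonly tasks: TaskMetadata[]) {} }
class GCSTaskStore { readonly bucket = 'constructed-bucket'; } // stands in for any non-in-memory store
type TaskStore = InMemoryTaskStore | GCSTaskStore;
type Handler = (store: TaskStore, user: User, res: MockResponse) => void;
const NOT_SUPPORTED = 'Listing all task metadata is only supported when using InMemoryTaskStore.';

// Before the fix: the 501 goes out, but control falls through to a second send.
const handleBuggy: Handler = (store, _user, res) => {
  if (!(store instanceof InMemoryTaskStore)) res.status(501).json({ error: NOT_SUPPORTED });
  res.status(200).json({ tasks: store instanceof InMemoryTaskStore ? store.tasks : [] });
};

// After the fix (the PR's `return;`), plus the owner scoping the review comments ask for:
// admins list every task, everyone else only the tasks they own.
const handleFixed: Handler = (store, user, res) => {
  if (!(store instanceof InMemoryTaskStore)) {
    res.status(501).json({ error: NOT_SUPPORTED });
    return;
  }
  const visible = user.isAdmin ? store.tasks : store.tasks.filter((t) => t.owner === user.id);
  res.status(200).json({ tasks: visible });
};

// Drives a handler and reports what reached the wire, the crash code (if any) and the task count.
function run(handler: Handler, store: TaskStore, user: User) {
  const res = new MockResponse();
  let crashed: string | null = null;
  try { handler(store, user, res); } catch (e) { crashed = (e as { code?: string }).code ?? 'unknown'; }
  const tasks = (res.sent?.body as { tasks?: unknown[] } | undefined)?.tasks?.length ?? 0;
  return { status: res.sent?.status ?? 0, crashed, tasks };
}

// Constructed sample data: two users' tasks in one in-memory store.
const SAMPLE_TASKS: TaskMetadata[] = [{ id: 't1', owner: 'alice', workspacePath: '/home/alice/proj' },
  { id: 't2', owner: 'bob', workspacePath: '/home/bob/proj' }];
```

Running `run(handleBuggy, new GCSTaskStore(), …)` shows the 501 reaching the wire and then the ERR_HTTP_HEADERS_SENT crash, while `handleFixed` sends the 501 once and, for an in-memory store, returns only the caller's own tasks unless the caller is an admin.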

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds a missing return statement in the createApp function within packages/a2a-server/src/http/app.ts. This ensures that execution stops after an error response is sent when the task store is not an InMemoryTaskStore, preventing subsequent code from running unexpectedly. I have no feedback to provide.

@gemini-cli gemini-cli bot added the area/core Issues related to User Interface, OS Support, Core Functionality label Mar 31, 2026
@cocosheng-g
Contributor

Please address the gemini comments.

@gemini-cli gemini-cli bot added the help wanted We will accept PRs from all issues marked as "help wanted". Thanks for your support! label Apr 8, 2026

Development

Successfully merging this pull request may close these issues.

Bug: A2A server GET /tasks/metadata missing return after 501 response — causes ERR_HTTP_HEADERS_SENT crash with GCS task store

2 participants