stacklok / toolhive / 22755245212

64%

Build Type

push

github

Committed by web-flow

Commit Message

Implement HMAC-SHA256 token binding for session security (#3964)

* Add session token binding to vMCP server

Bind MCP sessions to the bearer token used at creation time to
prevent session hijacking via stolen session IDs.

At session creation, SHA256(bearerToken) is stored in session
metadata. Each subsequent request recomputes the hash of the
presented token and compares it against the stored value. On
mismatch, the session is immediately terminated and HTTP 401 is
returned to the client.

Anonymous sessions (no token at creation) store an empty-string
sentinel and reject any follow-up request that suddenly presents
a token. Sessions predating this change (no hash in metadata)
pass through for backward compatibility.

The feature is active whenever SessionManagementV2 is enabled and
covers both the V1 and V2 session paths.

Closes: #3867

* Move token binding from middleware to session-level validation

Refactor session security to validate caller identity at the session
method level rather than via HTTP middleware, making the security
contract explicit in the API.

* move algorithm to the one matching the rfc

* changes from review

---------

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Run Details

193 of 270 new or added lines in 8 files covered. (71.48%)

4 existing lines in 2 files now uncovered.

47067 of 73686 relevant lines covered (63.88%)

74.47 hits per line