1
64%
main: 64%

Ran 06 Mar 2026 08:32AM UTC

Files 537

Run time 12s

Badge

Embed ▾

Committed 06 Mar 2026 08:22AM UTC coverage: 63.875% (+0.03%) from 63.843%

Job # 22755245212.1

Build Type

push

github

Committed by

web-flow

Commit Message

Implement HMAC-SHA256 token binding for session security (#3964)

* Add session token binding to vMCP server

Bind MCP sessions to the bearer token used at creation time to
prevent session hijacking via stolen session IDs.

At session creation, SHA256(bearerToken) is stored in session
metadata. Each subsequent request recomputes the hash of the
presented token and compares it against the stored value. On
mismatch, the session is immediately terminated and HTTP 401 is
returned to the client.

Anonymous sessions (no token at creation) store an empty-string
sentinel and reject any follow-up request that suddenly presents
a token. Sessions predating this change (no hash in metadata)
pass through for backward compatibility.

The feature is active whenever SessionManagementV2 is enabled and
covers both the V1 and V2 session paths.

Closes: #3867

* Move token binding from middleware to session-level validation

Refactor session security to validate caller identity at the session
method level rather than via HTTP middleware, making the security
contract explicit in the API.

* move algorithm to the one matching the rfc

* changes from review

---------

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Coverage Stats

47067 of 73686 relevant lines covered (63.88%)

74.47 hits per line

stacklok / toolhive / 22755245212 / 1
64%
main: 64%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 22755245212.1

stacklok / toolhive / 22755245212 / 1 64% main: 64%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 22755245212.1

stacklok / toolhive / 22755245212 / 1
64%
main: 64%

README BADGES
x