You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The fix for #5323 added a higher-level integration test (pkg/vmcp/session/internal/backend/mcp_session_identity_refresh_test.go) that exercises the full transport chain — headerForwardRoundTripper → identityRoundTripper → authRoundTripper (UpstreamInjectStrategy) → http.DefaultTransport — and verifies that a fresh identity placed on req.Context() drives the upstream Authorization header.
That test attaches freshIdentity to the request context directly via auth.WithIdentity(...), which is the same call TokenValidator.Middleware makes at pkg/auth/token.go:1245. The iteration 2 review of #5323 explicitly allowed this higher-level alternative, but noted that it does not verify the link from TokenValidator.Middleware → loadUpstreamTokens → UpstreamTokenRefresher → fresh map on identity.UpstreamTokens.
Gap
The user-visible "forced re-auth every ~24h" symptom can recur via multiple distinct failure modes:
loadUpstreamTokens returning a stale map because UpstreamTokenRefresher is broken.
TokenValidator.Middleware failing to call WithIdentity on the refresh path.
The new test only catches (1). Modes (2) and (3) would still produce the same user-visible symptom.
Proposal
Extend mcp_session_identity_refresh_test.go (or create a sibling test in a higher-level package such as pkg/vmcp/server/...) with an end-to-end case that:
Builds a minimal TokenValidator wired to a fake UpstreamTokenRefresher whose returned tokens differ between the first and second call (simulating transparent refresh).
Constructs a signed JWT carrying a tsid claim that the validator can resolve via the fake UpstreamTokenRefresher.
Issues two requests through the validator's middleware into the backend session.
Asserts the upstream observes the rotated token on the second call.
This is the AC5 acceptance criterion as literally written on #5323. Closing this gap is non-trivial test setup (signed JWT, fake refresher, real middleware wiring), which is why the iteration 2 review allowed deferring it.
Acceptance criteria
A test exists that exercises TokenValidator.Middleware → loadUpstreamTokens → UpstreamTokenRefresher end-to-end against a vMCP backend session.
The fake UpstreamTokenRefresher rotates tokens between the two calls.
The upstream httptest.Server observes the rotated token on the second call.
Raised as a MEDIUM finding on the iteration 2 review of #5323. The reviewer noted that either filing this issue or extending the existing test is acceptable; this issue makes the gap visible rather than implicit.
Context
The fix for #5323 added a higher-level integration test (
pkg/vmcp/session/internal/backend/mcp_session_identity_refresh_test.go) that exercises the full transport chain —headerForwardRoundTripper → identityRoundTripper → authRoundTripper (UpstreamInjectStrategy) → http.DefaultTransport— and verifies that a fresh identity placed onreq.Context()drives the upstreamAuthorizationheader.That test attaches
freshIdentityto the request context directly viaauth.WithIdentity(...), which is the same callTokenValidator.Middlewaremakes atpkg/auth/token.go:1245. The iteration 2 review of #5323 explicitly allowed this higher-level alternative, but noted that it does not verify the link fromTokenValidator.Middleware→loadUpstreamTokens→UpstreamTokenRefresher→ fresh map onidentity.UpstreamTokens.Gap
The user-visible "forced re-auth every ~24h" symptom can recur via multiple distinct failure modes:
loadUpstreamTokensreturning a stale map becauseUpstreamTokenRefresheris broken.TokenValidator.Middlewarefailing to callWithIdentityon the refresh path.The new test only catches (1). Modes (2) and (3) would still produce the same user-visible symptom.
Proposal
Extend
mcp_session_identity_refresh_test.go(or create a sibling test in a higher-level package such aspkg/vmcp/server/...) with an end-to-end case that:TokenValidatorwired to a fakeUpstreamTokenRefresherwhose returned tokens differ between the first and second call (simulating transparent refresh).tsidclaim that the validator can resolve via the fakeUpstreamTokenRefresher.This is the AC5 acceptance criterion as literally written on #5323. Closing this gap is non-trivial test setup (signed JWT, fake refresher, real middleware wiring), which is why the iteration 2 review allowed deferring it.
Acceptance criteria
TokenValidator.Middleware → loadUpstreamTokens → UpstreamTokenRefresherend-to-end against a vMCP backend session.UpstreamTokenRefresherrotates tokens between the two calls.httptest.Serverobserves the rotated token on the second call.Notes
Raised as a MEDIUM finding on the iteration 2 review of #5323. The reviewer noted that either filing this issue or extending the existing test is acceptable; this issue makes the gap visible rather than implicit.
Related: #5323, #3877, #3869