feat: support authentication on server side#195
Conversation
Summary of ChangesHello @guglielmo-san, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the server's security posture by introducing support for basic bearer token authentication. By integrating industry-standard libraries like Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces bearer token authentication, which is a great addition. The implementation using express-openapi-validator and passport is mostly solid and includes good test coverage. However, I've identified a critical security vulnerability with a hardcoded JWT secret that must be addressed. I've also provided suggestions to improve efficiency by removing unnecessary file I/O, to enhance functionality by preserving user data from the JWT payload, and to align with common naming conventions. Overall, these are valuable changes that will be even better with these improvements.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a solid implementation for basic bearer authentication on the server side. The changes are well-structured, with a clear separation of concerns by introducing an A2AUser interface and related classes to abstract user information. The ServerCallContext is appropriately updated to carry user details, and the JSON-RPC handler is cleanly modified to build this context from the incoming request. The accompanying tests effectively validate the new functionality for both authenticated and unauthenticated scenarios. My feedback focuses on enhancing the robustness of the ProxyUser class to ensure type safety when dealing with user objects from various authentication middlewares.
guglielmo-san
changed the title
ishymko
changed the title
guglielmo-san
deleted the
implement_support_for_authentication_on_server_side
branch
This PR integrates a support for authentication on the server side. A new `User` interface is created to represent the Authenticated and UnAuthenticated user in the context, with 2 required function: 1. isAuthenticathed() 2. userName() The callback `authenticathedUserExtractor` provided to the `A2AExpressApp` is responsible for extracting the user object from the Request (if set up by the authentication middleware), and returning an instance of the `User` interface. The returned instance will be added to the ServerCallContext. If no authentication middleware or no `authenticathedUserExtractor` is provided to the Server, the user in the ServerCallContext will be of type UnAuthenticated. Fixes a2aproject#194 🦕 Release-As: 0.3.6
…ontext is created (#200) # Description This PR is a fix for the bug caused by the user being deleted when the request is containing requested extensions, as a new ServerCallContext was created without copying the `context.user`. Fixes #199 🦕 PRs #171, #195 BEGIN_COMMIT_OVERRIDE refactor: Populate the ServerCallContext user param when a new ServerCallContext is created END_COMMIT_OVERRIDE
# Description Marking as refactor, since updated type wasn't released yet. Making `userBuilder` a mandatory parameter for `JsonRpcHandlerOptions` and define a helper `UserBuilder.NoAuthentication` to make it explicit. Re #195.
…ontext is created (a2aproject#200) This PR is a fix for the bug caused by the user being deleted when the request is containing requested extensions, as a new ServerCallContext was created without copying the `context.user`. Fixes a2aproject#199 🦕 PRs a2aproject#171, a2aproject#195 BEGIN_COMMIT_OVERRIDE refactor: Populate the ServerCallContext user param when a new ServerCallContext is created END_COMMIT_OVERRIDE
# Description Marking as refactor, since updated type wasn't released yet. Making `userBuilder` a mandatory parameter for `JsonRpcHandlerOptions` and define a helper `UserBuilder.NoAuthentication` to make it explicit. Re a2aproject#195.
This PR integrates a support for authentication on the server side. A new `User` interface is created to represent the Authenticated and UnAuthenticated user in the context, with 2 required function: 1. isAuthenticathed() 2. userName() The callback `authenticathedUserExtractor` provided to the `A2AExpressApp` is responsible for extracting the user object from the Request (if set up by the authentication middleware), and returning an instance of the `User` interface. The returned instance will be added to the ServerCallContext. If no authentication middleware or no `authenticathedUserExtractor` is provided to the Server, the user in the ServerCallContext will be of type UnAuthenticated. Fixes a2aproject#194 🦕 Release-As: 0.3.6
This PR integrates a support for authentication on the server side. A new `User` interface is created to represent the Authenticated and UnAuthenticated user in the context, with 2 required function: 1. isAuthenticathed() 2. userName() The callback `authenticathedUserExtractor` provided to the `A2AExpressApp` is responsible for extracting the user object from the Request (if set up by the authentication middleware), and returning an instance of the `User` interface. The returned instance will be added to the ServerCallContext. If no authentication middleware or no `authenticathedUserExtractor` is provided to the Server, the user in the ServerCallContext will be of type UnAuthenticated. Fixes a2aproject#194 🦕 Release-As: 0.3.6
…ontext is created (a2aproject#200) This PR is a fix for the bug caused by the user being deleted when the request is containing requested extensions, as a new ServerCallContext was created without copying the `context.user`. Fixes a2aproject#199 🦕 PRs a2aproject#171, a2aproject#195 BEGIN_COMMIT_OVERRIDE refactor: Populate the ServerCallContext user param when a new ServerCallContext is created END_COMMIT_OVERRIDE
# Description This PR introduces a sample for the authentication feature. Re #195 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.3.6](v0.3.5...v0.3.6) (2025-12-10) ### Features * add support for extendedAgentCard on client side ([#234](#234)) ([3073376](3073376)) * Add support for extension headers on client side ([#227](#227)) ([8c57002](8c57002)) * implement client interceptors ([#223](#223)) ([5694c22](5694c22)) * Implement extended card support on server side ([#197](#197)) ([45014ac](45014ac)) * implement server http+json ([#142](#142)) ([f20e662](f20e662)) * introduce AgentCardResolver ([#225](#225)) ([ddaf7de](ddaf7de)) * introduce transport agnostic client ([#198](#198)) ([94a9848](94a9848)) * server side support for extensions ([5ef7396](5ef7396)) * support authentication on server side ([#195](#195)) ([9872d93](9872d93)) ### Bug Fixes * handle errors occurred in non-blocking sendMessage ([#187](#187)) ([e55c0f4](e55c0f4)) ### Miscellaneous Chores * set version to 0.3.6 ([#191](#191)) ([3f8cea0](3f8cea0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: Ivan Shymko <ishymko@google.com>
2 participants
Description
This PR integrates a support for authentication on the server side.
A new
Userinterface is created to represent the Authenticated and UnAuthenticated user in the context, with 2 required function:The callback
authenticathedUserExtractorprovided to theA2AExpressAppis responsible for extracting the user object from the Request (if set up by the authentication middleware), and returning an instance of theUserinterface. The returned instance will be added to the ServerCallContext.If no authentication middleware or no
authenticathedUserExtractoris provided to the Server, the user in the ServerCallContext will be of type UnAuthenticated.Fixes #194 🦕
Release-As: 0.3.6