[Repo Assist] refactor(server): extract session ID header extraction into helper #7151

Merged: lpcox merged 2 commits into main from repo-assist/refactor-session-id-helper-7137-40c771877d950de7 on Jun 7, 2026

github-actions bot commented Jun 7, 2026

🤖 This PR was created by Repo Assist, an automated AI assistant.

Summary

Addresses the security-sensitive duplication identified in issue #7137. An identical 3-line block that extracts the session ID from X-Agent-ID and Authorization headers was duplicated in two places within internal/server:

  • session.go:124–126 — inside extractAndValidateSession()
  • middleware.go:194–196 — inside WithSDKLogging()

If the header names change (e.g., a new X-Session-ID header is added) or the extraction logic shifts, a missed update could cause session tracking divergence — the middleware's logging could show a different session ID than the one actually used for authentication.

Changes

internal/server/session.go — add package-private helper:

// extractSessionIDFromRequest extracts the session ID from the X-Agent-ID and
// Authorization headers of an HTTP request. Returns "" if neither header is present.
func extractSessionIDFromRequest(r *http.Request) string {
    return auth.ExtractSessionIDFromHeaders(
        r.Header.Get("X-Agent-ID"),
        r.Header.Get("Authorization"),
    )
}

The extractAndValidateSession function is updated to call this helper instead of repeating the 3-line extraction block.

internal/server/middleware.go: WithSDKLogging updated to call extractSessionIDFromRequest(r) instead of the inline 3-line block.

No imports were added or removed (both packages already imported auth).

Test Status

Build and tests could not be run — proxy.golang.org is blocked in this environment (pre-existing infrastructure limitation). The changes are syntactically verified by inspection:

  • The helper is placed before its first caller in session.go
  • Both call sites are updated identically
  • The auth import remains in both files (still used elsewhere)

Closes #7137

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • proxy.golang.org
  • releaseassets.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"
    - "releaseassets.githubusercontent.com"

See Network Configuration for more information.

Generated by Repo Assist · sonnet46 8M ·
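
The divergence this PR description warns about, as an added example that is not code from the PR or the project: one request is passed through a logging middleware and an auth path, once with a stale duplicated extractor and once with the shared helper. `sessionIDFromHeaders` is a hypothetical stand-in for `auth.ExtractSessionIDFromHeaders` with an assumed precedence, and `staleInlineCopy`, `withLogging` and `LoggedVsAuth` are constructed names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical stand-in for auth.ExtractSessionIDFromHeaders; precedence is assumed.
func sessionIDFromHeaders(agentID, authorization string) string {
	if agentID != "" {
		return agentID
	}
	return strings.TrimPrefix(authorization, "Bearer ")
}

// extractSessionID is the single shared helper, shaped like the one in the PR.
func extractSessionID(r *http.Request) string {
	return sessionIDFromHeaders(r.Header.Get("X-Agent-ID"), r.Header.Get("Authorization"))
}

// staleInlineCopy models a duplicated block that missed an update (constructed drift).
func staleInlineCopy(r *http.Request) string {
	return sessionIDFromHeaders("", r.Header.Get("Authorization"))
}

// withLogging records the session ID the logging layer sees, then calls next.
func withLogging(extract func(*http.Request) string, logged *string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*logged = extract(r)
		next.ServeHTTP(w, r)
	})
}

// LoggedVsAuth returns the ID the logger recorded and the ID the auth path used.
func LoggedVsAuth(logExtract func(*http.Request) string, agentID, authz string) (logged, authed string) {
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	req.Header.Set("X-Agent-ID", agentID)
	req.Header.Set("Authorization", authz)
	withLogging(logExtract, &logged, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		authed = extractSessionID(r)
	})).ServeHTTP(httptest.NewRecorder(), req)
	return logged, authed
}

func main() {
	fmt.Println(LoggedVsAuth(staleInlineCopy, "agent-7", "Bearer tok-123"))  // constructed input: IDs differ
	fmt.Println(LoggedVsAuth(extractSessionID, "agent-7", "Bearer tok-123")) // IDs match
}
```

A table-driven test that asserts `logged == authed` for every header combination turns this into a regression check for the single-helper invariant.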


Deduplicate the identical 3-line session ID extraction block that
appeared in both extractAndValidateSession (session.go) and
WithSDKLogging (middleware.go).

Add extractSessionIDFromRequest(r *http.Request) string as a
package-private helper in session.go that wraps the call to
auth.ExtractSessionIDFromHeaders. Both callers are updated to use
the new helper.

This closes issue #7137 (security-sensitive duplication). Keeping the
extraction logic in one place means any future header-name change
(e.g., adding X-Session-ID) only needs to be made once.

Closes #7137

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox marked this pull request as ready for review June 7, 2026 16:52
Copilot AI review requested due to automatic review settings June 7, 2026 16:52

Copilot AI left a comment

Pull request overview

Refactors internal/server to centralize extraction of the session ID from request headers, reducing the risk of security-sensitive logic drifting between authentication and logging paths.

Changes:

  • Added a package-private extractSessionIDFromRequest(*http.Request) string helper in internal/server/session.go.
  • Updated session validation (extractAndValidateSession) and SDK request logging (WithSDKLogging) to use the helper.
| File | Description |
| --- | --- |
| internal/server/session.go | Introduces extractSessionIDFromRequest and uses it in session extraction/validation. |
| internal/server/middleware.go | Uses extractSessionIDFromRequest for consistent session ID extraction in SDK logging middleware. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread internal/server/session.go Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
lpcox merged commit 906ea8b into main Jun 7, 2026
16 checks passed
lpcox deleted the repo-assist/refactor-session-id-helper-7137-40c771877d950de7 branch June 7, 2026 17:06
Development

Successfully merging this pull request may close these issues.

[duplicate-code] Duplicate Code Pattern: Session ID Extraction from Request Headers (2 locations, security-sensitive)
