Skip to content

refactor(server): deduplicate session ID extraction into a shared helper#7158

Merged
lpcox merged 2 commits into
mainfrom
copilot/duplicate-code-session-id-extraction
Jun 7, 2026
Merged

refactor(server): deduplicate session ID extraction into a shared helper#7158
lpcox merged 2 commits into
mainfrom
copilot/duplicate-code-session-id-extraction

Conversation

Copilot AI commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

The three-line pattern for extracting a session ID from X-Agent-ID/Authorization headers was copy-pasted in two places in the same package. Because this is security-sensitive (session tracking divergence between logging and validation is a real risk), the duplication is worth eliminating.

Changes

  • internal/server/session.go — adds a package-private helper: 
    func extractSessionIDFromRequest(r *http.Request) string {
    return auth.ExtractSessionIDFromHeaders(
        r.Header.Get("X-Agent-ID"),
        r.Header.Get("Authorization"),
    )
}
  • session.go (extractAndValidateSession) and middleware.go (WithSDKLogging) — each inline 3-line block replaced with a single call to the new helper.

No behaviour change; header precedence logic remains in auth.ExtractSessionIDFromHeaders.

Copilot AI linked an issue Jun 7, 2026 that may be closed by this pull request
[duplicate-code] Duplicate Code Pattern: Session ID Extraction from Request Headers (2 locations, security-sensitive) #7137
Closed
6 tasks
Copilot AI changed the title [WIP] Fix duplicate code for session ID extraction from headers refactor(server): deduplicate session ID extraction into a shared helper Jun 7, 2026
Copilot finished work on behalf of lpcox June 7, 2026 17:01
Copilot AI requested a review from lpcox June 7, 2026 17:01
@lpcox lpcox marked this pull request as ready for review June 7, 2026 17:04
Copilot AI review requested due to automatic review settings June 7, 2026 17:04
Copilot AI reviewed Jun 7, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the internal/server package to eliminate duplicated session ID extraction logic by introducing a single shared helper that reads X-Agent-ID / Authorization from an *http.Request and delegates precedence/validation to auth.ExtractSessionIDFromHeaders.

Changes:

  • Added a package-private extractSessionIDFromRequest(*http.Request) string helper in internal/server/session.go.
  • Updated extractAndValidateSession to use the new helper instead of an inline 3-line header extraction block.
  • Updated WithSDKLogging middleware to use the same helper for consistent session ID extraction in logging.
Show a summary per file
File Description
internal/server/session.go Adds extractSessionIDFromRequest and uses it from extractAndValidateSession to centralize header-based session ID extraction.
internal/server/middleware.go Switches WithSDKLogging to call extractSessionIDFromRequest to keep logging/session extraction consistent with validation.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@lpcox lpcox merged commit f474697 into main Jun 7, 2026
29 checks passed
@lpcox lpcox deleted the copilot/duplicate-code-session-id-extraction branch June 7, 2026 17:16
@github-actions github-actions Bot mentioned this pull request Jun 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@lpcox lpcox Awaiting requested review from lpcox

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[duplicate-code] Duplicate Code Pattern: Session ID Extraction from Request Headers (2 locations, security-sensitive)

3 participants

@lpcox