From d8570e4d643f62f04820e7cf82b002ebca9fa27b Mon Sep 17 00:00:00 2001
From: Shreya Keshive
Date: Fri, 3 Oct 2025 11:41:27 -0400
Subject: [PATCH] feat(vscode-ide-companion): enforce auth token validation (#10481)

---
 .../src/ide-server.test.ts | 5 ++--
 .../vscode-ide-companion/src/ide-server.ts | 29 ++++++++++---------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/packages/vscode-ide-companion/src/ide-server.test.ts b/packages/vscode-ide-companion/src/ide-server.test.ts
index 614c338063..794e7fb5c3 100644
--- a/packages/vscode-ide-companion/src/ide-server.test.ts
+++ b/packages/vscode-ide-companion/src/ide-server.test.ts
@@ -379,7 +379,7 @@ describe('IDEServer', () => {
 port = (ideServer as unknown as { port: number }).port;
 });
 
- it('should allow request without auth token for backwards compatibility', async () => {
+ it('should reject request without auth token', async () => {
 const response = await fetch(`http://localhost:${port}/mcp`, {
 method: 'POST',
 headers: { 'Content-Type': 'application/json' },
@@ -390,7 +390,7 @@ describe('IDEServer', () => {
 id: 1,
 }),
 });
- expect(response.status).not.toBe(401);
+ expect(response.status).toBe(401);
 });
 
 it('should allow request with valid auth token', async () => {
@@ -550,6 +550,7 @@ describe('IDEServer HTTP endpoints', () => {
 headers: {
 Host: `localhost:${port}`,
 'Content-Type': 'application/json',
+ Authorization: 'Bearer test-auth-token',
 },
 },
 JSON.stringify({ jsonrpc: '2.0', method: 'initialize' }),
diff --git a/packages/vscode-ide-companion/src/ide-server.ts b/packages/vscode-ide-companion/src/ide-server.ts
index e158d50250..b23f488020 100644
--- a/packages/vscode-ide-companion/src/ide-server.ts
+++ b/packages/vscode-ide-companion/src/ide-server.ts
@@ -166,19 +166,22 @@ export class IDEServer {
 
 app.use((req, res, next) => {
 const authHeader = req.headers.authorization;
- if (authHeader) {
- const parts = authHeader.split(' ');
- if (parts.length !== 2 || parts[0] !== 'Bearer') {
- this.log('Malformed Authorization header. Rejecting request.');
- res.status(401).send('Unauthorized');
- return;
- }
- const token = parts[1];
- if (token !== this.authToken) {
- this.log('Invalid auth token provided. Rejecting request.');
- res.status(401).send('Unauthorized');
- return;
- }
+ if (!authHeader) {
+ this.log('Missing Authorization header. Rejecting request.');
+ res.status(401).send('Unauthorized');
+ return;
+ }
+ const parts = authHeader.split(' ');
+ if (parts.length !== 2 || parts[0] !== 'Bearer') {
+ this.log('Malformed Authorization header. Rejecting request.');
+ res.status(401).send('Unauthorized');
+ return;
+ }
+ const token = parts[1];
+ if (token !== this.authToken) {
+ this.log('Invalid auth token provided. Rejecting request.');
+ res.status(401).send('Unauthorized');
+ return;
+ }
 next();
 });
 
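Review bot: The token check `if (token !== this.authToken) {` compares the bearer secret with `!==`, which stops at the first mismatching character and so leaks timing information about the expected value, even though the rest of the new middleware (missing header, non-Bearer scheme, wrong part count all returning 401) is sound. Replace it with a length check plus a constant-time comparison imported from `node:crypto`: `const expected = Buffer.from(this.authToken);`, `const provided = Buffer.from(token);`, `if (expected.length !== provided.length || !timingSafeEqual(expected, provided)) {`. The tests talk to the server on localhost, so the practical exposure is presumably limited, but the change is cheap and is the idiomatic way to compare secrets in Node. Separately, if `this.authToken` could ever be the empty string, a header of `Authorization: Bearer ` (trailing space) splits into two parts and would match it, so a guard that rejects while no token is configured is worth considering; whether that state is reachable is not visible in this hunk.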