MCP-328 Migrate HTTP authentication header to Authorization Bearer xxx #247

Merged
nquinquenel merged 2 commits into master from task/nq/MCP-328-token-auth
Mar 9, 2026

@nquinquenel
Member

No description provided.

hashicorp-vault-sonar-prod Bot commented Mar 5, 2026

MCP-328

nquinquenel force-pushed the task/nq/MCP-328-token-auth branch from 01384bf to f4abb0c, March 6, 2026 09:53
nquinquenel marked this pull request as ready for review, March 6, 2026 09:54
Contributor

vnaskos-sonar left a comment

All good, one minor comment 👍

nquinquenel force-pushed the task/nq/MCP-328-token-auth branch from f4abb0c to db92283, March 9, 2026 13:00
nquinquenel force-pushed the task/nq/MCP-328-token-auth branch from db92283 to cdb262e, March 9, 2026 13:08

sonarqubecloud Bot commented Mar 9, 2026

SonarQube reviewer guide

Review in SonarQube

Summary: Migrate HTTP authentication from custom SONARQUBE_TOKEN header to standard Authorization: Bearer <token> format, maintaining backward compatibility.

Review Focus:

  • The AuthenticationFilter.extractToken() method implements the dual-header support logic—verify the preference order (Bearer first, then legacy) and warning logging are correct
  • Token extraction is now reused in HttpServerTransportProvider.contextExtractor(), ensuring consistency across authentication points
  • CORS headers updated to allow Authorization header; verify this doesn't introduce security gaps
  • All test updates accurately reflect the new authentication flow and edge cases

Start review at: src/main/java/org/sonarsource/sonarqube/mcp/authentication/AuthenticationFilter.java. This is the core authentication component where the dual-header support logic lives. Understanding how it prioritizes Authorization: Bearer over the deprecated SONARQUBE_TOKEN header and logs warnings is essential to validating the backward-compatibility strategy and ensuring no regressions in the authentication flow.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
96.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud
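
The preference order described in the reviewer guide above (Authorization: Bearer first, then the deprecated SONARQUBE_TOKEN header with a warning), as an added Java sketch. It is not the code from this pull request: the class name, the lower-cased header map and the fall-through for a non-Bearer Authorization value are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Logger;

// Added illustration, not the project's code; names here are hypothetical.
public class TokenExtractionSketch {
  private static final Logger LOG = Logger.getLogger("auth-sketch");
  private static final String BEARER_PREFIX = "bearer ";

  // Assumes header names were lower-cased by the caller (HTTP header names are case-insensitive).
  static Optional<String> extractToken(Map<String, String> headers) {
    String authorization = headers.get("authorization");
    if (authorization != null) {
      String value = authorization.trim();
      // The auth scheme is case-insensitive, so "bearer", "Bearer" and "BEARER" all match.
      if (value.toLowerCase(Locale.ROOT).startsWith(BEARER_PREFIX)) {
        String token = value.substring(BEARER_PREFIX.length()).trim();
        if (!token.isEmpty()) {
          return Optional.of(token); // preferred path: no deprecation warning
        }
      }
      // Assumption of this sketch: a non-Bearer or empty value falls through to the legacy header.
    }
    String legacy = headers.get("sonarqube_token");
    if (legacy != null && !legacy.isBlank()) {
      // Record that the deprecated header was used, never the token value itself.
      LOG.warning("SONARQUBE_TOKEN header is deprecated; send Authorization: Bearer <token>");
      return Optional.of(legacy.trim());
    }
    return Optional.empty(); // no usable credential: the caller should reject the request
  }

  public static void main(String[] args) {
    // Constructed sample requests; the token strings are placeholders.
    System.out.println(extractToken(Map.of("authorization", "Bearer new-token", "sonarqube_token", "old-token")));
    System.out.println(extractToken(Map.of("authorization", "bearer   new-token")));
    System.out.println(extractToken(Map.of("authorization", "Basic dXNlcjpwdw==")));
    System.out.println(extractToken(Map.of("sonarqube_token", "old-token")));
    System.out.println(extractToken(Map.of("authorization", "Bearer ")));
  }
}
```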

nquinquenel merged commit 833a07e into master, Mar 9, 2026
7 checks passed
nquinquenel deleted the task/nq/MCP-328-token-auth branch, March 9, 2026 13:20