Add RestoreHijackPrevention and RestoreSession interface stub#4405
Add RestoreHijackPrevention and RestoreSession interface stub#4405
Conversation
yrobla
requested review from
JAORMX,
amirejaz,
jerm-dro and
jhrozek
as code owners
There was a problem hiding this comment.
Pull request overview
Adds scaffolding to restore vMCP session hijack-prevention state from Redis-persisted metadata, enabling cross-pod token validation as part of the horizontal scaling effort (Fixes #4216).
Changes:
- Added
RestoreHijackPrevention()to reconstruct the hijack-prevention decorator from persisted token hash/salt + HMAC secret. - Extended
MultiSessionFactorywithRestoreSession()(stubbed in the default factory) and forwarded it through the decorating factory; updated mocks/test factories accordingly. - Added unit tests validating restore behavior, including cross-replica secret mismatch.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/vmcp/session/internal/security/security.go | Adds RestoreHijackPrevention() helper for reconstructing token-binding decorator from persisted metadata. |
| pkg/vmcp/session/internal/security/restore_test.go | Adds unit coverage for restore behavior (nil session, malformed salt, anonymous/auth round-trip, secret mismatch). |
| pkg/vmcp/session/factory.go | Adds RestoreSession() to MultiSessionFactory, documents replica HMAC requirements, and stubs default implementation. |
| pkg/vmcp/session/decorating_factory.go | Adds RestoreSession() forwarding on the decorating factory. |
| pkg/vmcp/session/mocks/mock_factory.go | Regenerates GoMock for the interface addition. |
| pkg/vmcp/server/testfactory_test.go | Updates minimal test factory to satisfy the new interface. |
| pkg/vmcp/server/telemetry_integration_test.go | Updates backend-aware test factory to satisfy the new interface. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4405 +/- ##
==========================================
+ Coverage 68.87% 68.96% +0.08%
==========================================
Files 505 505
Lines 52420 52410 -10
==========================================
+ Hits 36106 36142 +36
+ Misses 13521 13481 -40
+ Partials 2793 2787 -6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-actions
bot
added
size/S
github-actions
bot
added
size/M
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jerm-dro
left a comment
jerm-dro
left a comment
There was a problem hiding this comment.
The RestoreHijackPrevention function and the RestoreSession interface definition both look good — solid tests, clean implementation, and the contract aligns with where we need to go.
Holding off on approval for now because the RestoreSession stub will need to become a real implementation as part of the #4402 rework (see feedback there on SessionDataStorage + reconstruction-on-demand). The direction here is right, but approving before the underlying storage architecture settles would be premature. Happy to re-review once #4402 and #4404 land.
github-actions
bot
added
size/L
…4216) Add the infrastructure needed to reconstruct hijack-prevention state from Redis-persisted metadata, enabling cross-pod token validation in horizontal scaling scenarios. - security.go: Add RestoreHijackPrevention(), the restore counterpart to PreventSessionHijacking(). Rebuilds a hijackPreventionDecorator from persisted tokenHash + tokenSaltHex + hmacSecret without re-hashing a live token. Returns errors for nil session, missing salt on authenticated sessions, and invalid hex salt. - factory.go: Add RestoreSession() to the MultiSessionFactory interface with full doc comment (backend ID parsing, session hint lookup, routing-table rebuild, hijack-prevention re-application). Add a stub implementation on defaultMultiSessionFactory (returns "not yet implemented"); full reconnection logic is deferred. Document the cross-replica HMAC secret consistency requirement on defaultHMACSecret. - decorating_factory.go: Forward RestoreSession() to the base factory; decorators are not re-applied during restore. - mocks/mock_factory.go: Regenerate mock to include RestoreSession(). - restore_test.go: Unit tests covering nil session, missing salt, invalid hex, anonymous session round-trip, authenticated store→restore→validate round-trip, and cross-replica secret mismatch. Closes #4216.
github-actions
bot
added
size/M
github-actions
bot
added
size/M
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
github-actions
bot
added
size/M
Summary
Add the infrastructure needed to reconstruct hijack-prevention state from Redis-persisted metadata, enabling cross-pod token validation in horizontal scaling scenarios.
security.go: Add RestoreHijackPrevention(), the restore counterpart to PreventSessionHijacking(). Rebuilds a hijackPreventionDecorator from persisted tokenHash + tokenSaltHex + hmacSecret without re-hashing a live token. Returns errors for nil session, missing salt on authenticated sessions, and invalid hex salt.
factory.go: Add RestoreSession() to the MultiSessionFactory interface with full doc comment (backend ID parsing, session hint lookup, routing-table rebuild, hijack-prevention re-application). Add a stub implementation on defaultMultiSessionFactory (returns "not yet implemented"); full reconnection logic is deferred. Document the cross-replica HMAC secret consistency requirement on defaultHMACSecret.
decorating_factory.go: Forward RestoreSession() to the base factory; decorators are not re-applied during restore.
mocks/mock_factory.go: Regenerate mock to include RestoreSession().
restore_test.go: Unit tests covering nil session, missing salt, invalid hex, anonymous session round-trip, authenticated store→restore→validate round-trip, and cross-replica secret mismatch.
Fixes #4216
Type of change
Test plan
task test)task test-e2e)task lint-fix)Changes
Does this introduce a user-facing change?
Special notes for reviewers