Prevent forwardedHeaders from overriding MCP auth headers (#2893)

* fix: prevent forwarded headers from overriding MCP auth

* feedback

* tests

* remove casting

---------

Co-authored-by: miles-kt-inkeep <miles.kamingthanassi@inkeep.com>
Co-authored-by: miles-kt-inkeep <135626743+miles-kt-inkeep@users.noreply.github.com>

Author: robert-inkeep

agents-api/src/__tests__/run/agents/AgentMcpManager.test.ts

@@ -73,7 +73,9 @@ function createMcpTool(overrides: Record<string, any> = {}): any {
   };
 }
 
-function createManager(options: { credentialStuffer?: any } = {}): AgentMcpManager {
+function createManager(
+  options: { credentialStuffer?: any; forwardedHeaders?: Record<string, string> } = {}
+): AgentMcpManager {
   const config = {
     id: 'sub-agent-1',
     agentId: 'parent-agent-1',
@@ -82,7 +84,7 @@ function createManager(options: { credentialStuffer?: any } = {}): AgentMcpManag
     name: 'Test Sub-Agent',
     userId: undefined,
     contextConfigId: undefined,
-    forwardedHeaders: undefined,
+    forwardedHeaders: options.forwardedHeaders,
   } as any;
 
   const executionContext = {
@@ -205,6 +207,64 @@ describe('AgentMcpManager', () => {
         undefined
       );
     });
+
+    test('does not allow forwarded headers to override trusted Slack auth headers', async () => {
+      const { isSlackWorkAppTool } = await import('@inkeep/agents-core');
+      vi.mocked(isSlackWorkAppTool).mockReturnValue(true);
+
+      const trustedSlackTool = createMcpTool({
+        config: {
+          type: 'mcp',
+          mcp: {
+            server: { url: 'https://api.inkeep.example/work-apps/slack/mcp' },
+          },
+        },
+      });
+
+      await createManager({
+        forwardedHeaders: {
+          Authorization: 'Bearer attacker-token',
+          'x-inkeep-tenant-id': 'attacker-tenant',
+          'x-inkeep-project-id': 'attacker-project',
+          'x-inkeep-tool-id': 'attacker-tool',
+          'x-custom-forwarded': 'allowed',
+        },
+      }).getToolSet(trustedSlackTool);
+
+      const headers = vi.mocked(McpClient).mock.calls[0]?.[0]?.server?.headers;
+      expect(headers?.Authorization).toBe('Bearer test-slack-key');
+      expect(headers?.['x-inkeep-tenant-id']).toBe('tenant-1');
+      expect(headers?.['x-inkeep-project-id']).toBe('project-1');
+      expect(headers?.['x-inkeep-tool-id']).toBe('test-tool-id');
+      expect(headers?.['x-custom-forwarded']).toBe('allowed');
+    });
+
+    test('blocks case-insensitive header override attempts on Slack headers', async () => {
+      const { isSlackWorkAppTool } = await import('@inkeep/agents-core');
+      vi.mocked(isSlackWorkAppTool).mockReturnValue(true);
+
+      const trustedSlackTool = createMcpTool({
+        config: {
+          type: 'mcp',
+          mcp: {
+            server: { url: 'https://api.inkeep.example/work-apps/slack/mcp' },
+          },
+        },
+      });
+
+      await createManager({
+        forwardedHeaders: {
+          authorization: 'Bearer attacker-token',
+          'X-INKEEP-TENANT-ID': 'attacker-tenant',
+          'X-Inkeep-Project-Id': 'attacker-project',
+        },
+      }).getToolSet(trustedSlackTool);
+
+      const headers = vi.mocked(McpClient).mock.calls[0]?.[0]?.server?.headers;
+      expect(headers?.Authorization).toBe('Bearer test-slack-key');
+      expect(headers?.['x-inkeep-tenant-id']).toBe('tenant-1');
+      expect(headers?.['x-inkeep-project-id']).toBe('project-1');
+    });
   });
 
   describe('GitHub MCP API key forwarding', () => {
@@ -240,6 +300,37 @@ describe('AgentMcpManager', () => {
         undefined
       );
     });
+
+    test('does not allow forwarded headers to override trusted GitHub auth headers', async () => {
+      const { isGithubWorkAppTool } = await import('@inkeep/agents-core');
+      vi.mocked(isGithubWorkAppTool).mockReturnValue(true);
+
+      const trustedGithubTool = createMcpTool({
+        config: {
+          type: 'mcp',
+          mcp: {
+            server: { url: 'https://api.inkeep.example/work-apps/github/mcp' },
+          },
+        },
+      });
+
+      await createManager({
+        forwardedHeaders: {
+          Authorization: 'Bearer attacker-token',
+          'x-inkeep-tenant-id': 'attacker-tenant',
+          'x-inkeep-project-id': 'attacker-project',
+          'x-inkeep-tool-id': 'attacker-tool',
+          'x-custom-forwarded': 'allowed',
+        },
+      }).getToolSet(trustedGithubTool);
+
+      const headers = vi.mocked(McpClient).mock.calls[0]?.[0]?.server?.headers;
+      expect(headers?.Authorization).toBe('Bearer test-github-key');
+      expect(headers?.['x-inkeep-tenant-id']).toBe('tenant-1');
+      expect(headers?.['x-inkeep-project-id']).toBe('project-1');
+      expect(headers?.['x-inkeep-tool-id']).toBe('test-tool-id');
+      expect(headers?.['x-custom-forwarded']).toBe('allowed');
+    });
   });
 
   describe('createMcpConnection error handling', () => {

agents-api/src/__tests__/run/handlers/executionHandler-run-as-user.test.ts

@@ -200,3 +200,116 @@ describe('ExecutionHandler - x-inkeep-run-as-user-id forwarding', () => {
     expect(headers?.['x-inkeep-run-as-user-id']).toBeUndefined();
   });
 });
+
+describe('ExecutionHandler - A2A client header override protection', () => {
+  let handler: ExecutionHandler;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    handler = new ExecutionHandler();
+    mockSendMessage.mockResolvedValue({
+      result: {
+        id: 'task-123',
+        status: { state: 'completed' },
+        contextId: 'test-context',
+        artifacts: [{ parts: [{ kind: 'text', text: 'response' }] }],
+      },
+    });
+  });
+
+  async function executeWithForwardedHeaders(forwardedHeaders: Record<string, string>) {
+    await handler.execute({
+      executionContext: createExecutionContext({ type: 'user', id: 'user_abc123' }) as any,
+      conversationId: 'conv-123',
+      userMessage: 'hello',
+      initialAgentId: 'sub-1',
+      requestId: 'req-123',
+      sseHelper: createMockStreamHelper() as any,
+      forwardedHeaders,
+    });
+  }
+
+  it('does not allow forwardedHeaders to override Authorization', async () => {
+    await executeWithForwardedHeaders({
+      Authorization: 'Bearer attacker-token',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.Authorization).toBe('Bearer mock-service-token');
+  });
+
+  it('does not allow forwardedHeaders to override x-inkeep-tenant-id', async () => {
+    await executeWithForwardedHeaders({
+      'x-inkeep-tenant-id': 'attacker-tenant',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.['x-inkeep-tenant-id']).toBe('test-tenant');
+  });
+
+  it('does not allow forwardedHeaders to override x-inkeep-project-id', async () => {
+    await executeWithForwardedHeaders({
+      'x-inkeep-project-id': 'attacker-project',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.['x-inkeep-project-id']).toBe('test-project');
+  });
+
+  it('does not allow forwardedHeaders to override x-inkeep-agent-id', async () => {
+    await executeWithForwardedHeaders({
+      'x-inkeep-agent-id': 'attacker-agent',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.['x-inkeep-agent-id']).toBe('test-agent');
+  });
+
+  it('does not allow forwardedHeaders to override x-inkeep-sub-agent-id', async () => {
+    await executeWithForwardedHeaders({
+      'x-inkeep-sub-agent-id': 'attacker-sub-agent',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.['x-inkeep-sub-agent-id']).toBe('sub-1');
+  });
+
+  it('blocks case-insensitive override attempts', async () => {
+    await executeWithForwardedHeaders({
+      authorization: 'Bearer attacker-token',
+      'X-INKEEP-TENANT-ID': 'attacker-tenant',
+      'X-Inkeep-Project-Id': 'attacker-project',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.Authorization).toBe('Bearer mock-service-token');
+    expect(headers?.['x-inkeep-tenant-id']).toBe('test-tenant');
+    expect(headers?.['x-inkeep-project-id']).toBe('test-project');
+  });
+
+  it('passes through non-conflicting forwarded headers', async () => {
+    await executeWithForwardedHeaders({
+      'x-forwarded-cookie': 'session=abc123',
+      'x-inkeep-client-timezone': 'America/New_York',
+      'x-custom-header': 'allowed-value',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.['x-forwarded-cookie']).toBe('session=abc123');
+    expect(headers?.['x-inkeep-client-timezone']).toBe('America/New_York');
+    expect(headers?.['x-custom-header']).toBe('allowed-value');
+  });
+
+  it('blocks all trusted headers simultaneously while allowing legitimate ones', async () => {
+    await executeWithForwardedHeaders({
+      Authorization: 'Bearer attacker-token',
+      'x-inkeep-tenant-id': 'attacker-tenant',
+      'x-inkeep-project-id': 'attacker-project',
+      'x-inkeep-agent-id': 'attacker-agent',
+      'x-inkeep-sub-agent-id': 'attacker-sub-agent',
+      'x-inkeep-run-as-user-id': 'attacker-user',
+      'x-forwarded-cookie': 'session=legit',
+    });
+    const headers = getA2AClientHeaders();
+    expect(headers?.Authorization).toBe('Bearer mock-service-token');
+    expect(headers?.['x-inkeep-tenant-id']).toBe('test-tenant');
+    expect(headers?.['x-inkeep-project-id']).toBe('test-project');
+    expect(headers?.['x-inkeep-agent-id']).toBe('test-agent');
+    expect(headers?.['x-inkeep-sub-agent-id']).toBe('sub-1');
+    expect(headers?.['x-inkeep-run-as-user-id']).toBe('user_abc123');
+    expect(headers?.['x-forwarded-cookie']).toBe('session=legit');
+  });
+});

agents-api/src/__tests__/run/utils/merge-headers.test.ts

@@ -0,0 +1,75 @@
+import { describe, expect, it } from 'vitest';
+import { mergeHeadersWithoutOverrides } from '../../../domains/run/utils/merge-headers';
+
+describe('mergeHeadersWithoutOverrides', () => {
+  it('preserves all existing headers', () => {
+    const result = mergeHeadersWithoutOverrides(
+      { Authorization: 'Bearer trusted', 'x-inkeep-tenant-id': 'tenant-1' },
+      {}
+    );
+    expect(result).toEqual({
+      Authorization: 'Bearer trusted',
+      'x-inkeep-tenant-id': 'tenant-1',
+    });
+  });
+
+  it('adds non-conflicting forwarded headers', () => {
+    const result = mergeHeadersWithoutOverrides(
+      { Authorization: 'Bearer trusted' },
+      { 'x-custom': 'value' }
+    );
+    expect(result.Authorization).toBe('Bearer trusted');
+    expect(result['x-custom']).toBe('value');
+  });
+
+  it('blocks forwarded headers that conflict with existing headers (exact case)', () => {
+    const result = mergeHeadersWithoutOverrides(
+      { Authorization: 'Bearer trusted', 'x-inkeep-tenant-id': 'tenant-1' },
+      { Authorization: 'Bearer attacker', 'x-inkeep-tenant-id': 'attacker-tenant' }
+    );
+    expect(result.Authorization).toBe('Bearer trusted');
+    expect(result['x-inkeep-tenant-id']).toBe('tenant-1');
+  });
+
+  it('blocks forwarded headers with different casing (case-insensitive)', () => {
+    const result = mergeHeadersWithoutOverrides(
+      { Authorization: 'Bearer trusted', 'x-inkeep-tenant-id': 'tenant-1' },
+      { authorization: 'Bearer attacker', 'X-INKEEP-TENANT-ID': 'attacker-tenant' }
+    );
+    expect(result.Authorization).toBe('Bearer trusted');
+    expect(result['x-inkeep-tenant-id']).toBe('tenant-1');
+    expect(result.authorization).toBeUndefined();
+    expect(result['X-INKEEP-TENANT-ID']).toBeUndefined();
+  });
+
+  it('handles undefined existing headers', () => {
+    const result = mergeHeadersWithoutOverrides(undefined, { 'x-custom': 'value' });
+    expect(result).toEqual({ 'x-custom': 'value' });
+  });
+
+  it('handles empty forwarded headers', () => {
+    const result = mergeHeadersWithoutOverrides({ Authorization: 'Bearer trusted' }, {});
+    expect(result).toEqual({ Authorization: 'Bearer trusted' });
+  });
+
+  it('allows non-overlapping headers while blocking overlapping ones', () => {
+    const result = mergeHeadersWithoutOverrides(
+      {
+        Authorization: 'Bearer trusted',
+        'x-inkeep-tenant-id': 'tenant-1',
+        'x-inkeep-project-id': 'project-1',
+      },
+      {
+        Authorization: 'Bearer attacker',
+        'x-inkeep-tenant-id': 'attacker-tenant',
+        'x-custom-forwarded': 'allowed',
+        'x-another-custom': 'also-allowed',
+      }
+    );
+    expect(result.Authorization).toBe('Bearer trusted');
+    expect(result['x-inkeep-tenant-id']).toBe('tenant-1');
+    expect(result['x-inkeep-project-id']).toBe('project-1');
+    expect(result['x-custom-forwarded']).toBe('allowed');
+    expect(result['x-another-custom']).toBe('also-allowed');
+  });
+});

agents-api/src/domains/run/agents/services/AgentMcpManager.ts

@@ -21,6 +21,7 @@ import runDbClient from '../../../../data/db/runDbClient';
 import { env } from '../../../../env';
 import { getLogger } from '../../../../logger';
 import { agentSessionManager } from '../../session/AgentSession';
+import { mergeHeadersWithoutOverrides } from '../../utils/merge-headers';
 import { setSpanWithError, tracer } from '../../utils/tracer';
 import type { AgentConfig } from '../Agent';
 import type { AiSdkToolDefinition } from '../agent-types';
@@ -177,10 +178,10 @@ export class AgentMcpManager {
     }
 
     if (this.config.forwardedHeaders && Object.keys(this.config.forwardedHeaders).length > 0) {
-      serverConfig.headers = {
-        ...serverConfig.headers,
-        ...this.config.forwardedHeaders,
-      };
+      serverConfig.headers = mergeHeadersWithoutOverrides(
+        serverConfig.headers,
+        this.config.forwardedHeaders
+      );
     }
 
     logger.info(

agents-api/src/domains/run/handlers/executionHandler.ts

@@ -29,6 +29,7 @@ import type { StreamHelper } from '../stream/stream-helpers.js';
 import { BufferingStreamHelper } from '../stream/stream-helpers.js';
 import { registerStreamHelper, unregisterStreamHelper } from '../stream/stream-registry.js';
 import { agentInitializingOp, completionOp, errorOp } from '../utils/agent-operations.js';
+import { mergeHeadersWithoutOverrides } from '../utils/merge-headers.js';
 import { resolveModelConfig } from '../utils/model-resolver.js';
 import { tracer } from '../utils/tracer.js';
 
@@ -306,17 +307,18 @@ export class ExecutionHandler {
 
         const appPrompt = executionContext.metadata?.appPrompt;
 
+        const trustedHeaders: Record<string, string> = {
+          Authorization: `Bearer ${authToken}`,
+          'x-inkeep-tenant-id': tenantId,
+          'x-inkeep-project-id': projectId,
+          'x-inkeep-agent-id': agentId,
+          'x-inkeep-sub-agent-id': currentAgentId,
+          ...(runAsUserId ? { 'x-inkeep-run-as-user-id': runAsUserId } : {}),
+          ...(appPrompt ? { 'x-inkeep-app-prompt': appPrompt } : {}),
+        };
+
         const a2aClient = new A2AClient(agentBaseUrl, {
-          headers: {
-            Authorization: `Bearer ${authToken}`,
-            'x-inkeep-tenant-id': tenantId,
-            'x-inkeep-project-id': projectId,
-            'x-inkeep-agent-id': agentId,
-            'x-inkeep-sub-agent-id': currentAgentId,
-            ...(runAsUserId ? { 'x-inkeep-run-as-user-id': runAsUserId } : {}),
-            ...(appPrompt ? { 'x-inkeep-app-prompt': appPrompt } : {}),
-            ...(forwardedHeaders || {}),
-          },
+          headers: mergeHeadersWithoutOverrides(trustedHeaders, forwardedHeaders || {}),
           fetchFn: getInProcessFetch(),
         });
 

agents-api/src/domains/run/utils/merge-headers.ts

@@ -0,0 +1,18 @@
+export function mergeHeadersWithoutOverrides(
+  existingHeaders: Record<string, string> | undefined,
+  forwardedHeaders: Record<string, string>
+): Record<string, string> {
+  const mergedHeaders = { ...(existingHeaders || {}) };
+  const existingHeaderNames = new Set(
+    Object.keys(mergedHeaders).map((header) => header.toLowerCase())
+  );
+
+  for (const [headerName, headerValue] of Object.entries(forwardedHeaders)) {
+    if (existingHeaderNames.has(headerName.toLowerCase())) {
+      continue;
+    }
+    mergedHeaders[headerName] = headerValue;
+  }
+
+  return mergedHeaders;
+}