mcp-server: api key converter rejects blank header names

Signed-off-by: Daniel Garnier-Moiroux <[email protected]>

Author: Kehrlann

mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/apikey/web/ApiKeyAuthenticationConverter.java

@@ -35,23 +35,23 @@
  */
 public class ApiKeyAuthenticationConverter implements AuthenticationConverter {
 
-	private final String apiKeyHeader;
+	private final String apiKeyHeaderName;
 
-	public ApiKeyAuthenticationConverter(String apiKeyHeader) {
-		Assert.notNull(apiKeyHeader, "apiKeyHeader cannot be null");
-		this.apiKeyHeader = apiKeyHeader;
+	public ApiKeyAuthenticationConverter(String apiKeyHeaderName) {
+		Assert.hasText(apiKeyHeaderName, "apiKeyHeaderName cannot be blank");
+		this.apiKeyHeaderName = apiKeyHeaderName;
 	}
 
 	@Override
 	@Nullable
 	public Authentication convert(HttpServletRequest request) {
-		var apiKeyValues = Collections.list(request.getHeaders(this.apiKeyHeader));
+		var apiKeyValues = Collections.list(request.getHeaders(this.apiKeyHeaderName));
 		if (apiKeyValues.isEmpty()) {
 			return null;
 		}
 		if (apiKeyValues.size() > 1) {
 			throw new BadCredentialsException(
-					"%s must have a single value, found %s".formatted(this.apiKeyHeader, apiKeyValues.size()));
+					"%s must have a single value, found %s".formatted(this.apiKeyHeaderName, apiKeyValues.size()));
 		}
 		String apiKey = apiKeyValues.get(0);
 

mcp-server-security/src/test/java/org/springaicommunity/mcp/security/server/apikey/web/ApiKeyAuthenticationConverterTests.java

@@ -62,4 +62,10 @@ void convertWhenMultipleApiKeysThrows() {
 			.hasMessage("x-custom-header must have a single value, found 2");
 	}
 
+	@Test
+	void constructorWhenHeaderBlankThenThrows() {
+		assertThatThrownBy(() -> new ApiKeyAuthenticationConverter("")).isInstanceOf(IllegalArgumentException.class)
+			.hasMessage("apiKeyHeaderName cannot be blank");
+	}
+
 }