Description
In crates/zeph-a2a/src/server/router.rs, AuthConfig stores token: Option<String> — the raw bearer token — and hashes it per-request in auth_middleware:
let h_expected = blake3::hash(expected.as_bytes());
crates/zeph-gateway/src/router.rs correctly pre-hashes the expected token at startup:
struct AuthConfig {
token_hash: Option<blake3::Hash>,
}
// ...
token_hash: auth_token.map(|t| blake3::hash(t.as_bytes())),This means the a2a server:
- Performs an extra BLAKE3 hash per authenticated request (minor CPU overhead).
- Keeps the raw token string in memory inside
AuthConfig, which is cloned for every request via Axum's Clone requirement. Pre-hashing removes the token string from in-memory clones.
This divergence was introduced when the two routers were developed independently (see also #4387).
Expected Behavior
zeph-a2a AuthConfig pre-hashes the token at startup, consistent with zeph-gateway.
Environment
- Crate:
zeph-a2a
- File:
crates/zeph-a2a/src/server/router.rs lines 41-43, 124-138
Description
In
crates/zeph-a2a/src/server/router.rs,AuthConfigstorestoken: Option<String>— the raw bearer token — and hashes it per-request inauth_middleware:crates/zeph-gateway/src/router.rscorrectly pre-hashes the expected token at startup:This means the a2a server:
AuthConfig, which is cloned for every request via Axum'sClonerequirement. Pre-hashing removes the token string from in-memory clones.This divergence was introduced when the two routers were developed independently (see also #4387).
Expected Behavior
zeph-a2aAuthConfigpre-hashes the token at startup, consistent withzeph-gateway.Environment
zeph-a2acrates/zeph-a2a/src/server/router.rslines 41-43, 124-138