gabriel / musehub public
fix patch fix/msign-raw-path-slash-encoding #1 / 1
AI Agent gabriel · 1 day ago · Jun 6, 2026 · Diff

fix: use raw ASGI path for MSign canonical message

MSign verification in _verify_msign used request.url.path which Uvicorn populates from scope["path"] — the *decoded* URL path. For branch names containing slashes (feat/*, task/*) the client percent-encodes them as feat%2F* in the DELETE URL, but the server decoded that back to feat/*, so the canonical messages diverged and signature verification failed with 401.

Fix: use scope["raw_path"] (the encoded bytes as received off the wire) for the path component of the canonical message, falling back to request.url.path when raw_path is absent (non-Uvicorn ASGI servers).

Adds 8 regression tests in test_request_signing_raw_path.py covering the encoded-slash case, the fallback case, query strings, and nested paths.

sha256:c748a46461e554a9560edea4edf4c3dffd2a7f81a1948ebdba60f5ec940c6e25 sha
sha256:b5c50ce14e3205ef4b679961fdd3786eea6a5ab6227586df445c1d7112b7132a parent
+13 ~1 symbols
sha256:abdf18e142cd4a5f54cdc186a0e6850c05fb7d945d1a93a779bf4be112092c48 snapshot
+13
symbols added
~1
symbol modified
0
dead code introduced
Semantic Changes 14 symbols
+ .vscode/
+ alembic/
+ alembic/versions/
+ deploy/
+ deploy/load-tests/
+ docs/
+ docs/guides/
+ docs/legal/
+ docs/reference/
+ docs/roadmaps/
+ musehub/
+ musehub/api/
+ musehub/api/routes/
+ musehub/api/routes/api/
+ musehub/api/routes/musehub/
+ musehub/auth/
+ musehub/core/
+ musehub/crypto/
+ musehub/db/
+ musehub/debug/
+ musehub/graph/
+ musehub/maintenance/
+ musehub/mcp/
+ musehub/mcp/tools/
+ musehub/mcp/write_tools/
+ musehub/middleware/
+ musehub/models/
+ musehub/muse_cli/
+ musehub/proposals/
+ musehub/protocol/
+ musehub/security/
+ musehub/services/
+ musehub/storage/
+ musehub/templates/
+ musehub/templates/mcp/
+ musehub/templates/musehub/
+ musehub/templates/musehub/fragments/
+ musehub/templates/musehub/macros/
+ musehub/templates/musehub/pages/
+ musehub/templates/musehub/partials/
+ musehub/templates/musehub/static/
+ musehub/templates/musehub/static/vendor/
+ musehub/types/
+ scripts/
+ src/
+ src/scss/
+ src/scss/components/
+ src/scss/pages/
+ src/scss/patterns/
+ src/scss/theme/
+ src/ts/
+ src/ts/pages/
+ tests/
+ tests/unit/
+ tools/
+ workflows/
~ tests/test_request_signing_raw_path.py .py 13 symbols added
+ TestMSignRawPathExtraction class class TestMSignRawPathExtraction L42–105
+ test_decoded_form_absent_from_result method method test_decoded_form_absent_from_result L61–68
+ test_encoded_slash_preserved_for_feat_branch method method test_encoded_slash_preserved_for_feat_branch L44–51
+ test_encoded_slash_preserved_for_task_branch method method test_encoded_slash_preserved_for_task_branch L53–59
+ test_fallback_to_url_path_when_raw_path_absent method method test_fallback_to_url_path_when_raw_path_absent L78–84
+ test_fallback_to_url_path_when_raw_path_empty method method test_fallback_to_url_path_when_raw_path_empty L86–89
+ test_multiple_encoded_segments method method test_multiple_encoded_segments L99–105
+ test_query_string_appended_with_encoded_path method method test_query_string_appended_with_encoded_path L91–97
+ test_simple_path_without_encoding_unchanged method method test_simple_path_without_encoding_unchanged L70–76
+ _extract_path function function _extract_path L29–35
+ _mock_request function function _mock_request L21–26
+ MagicMock import import MagicMock L14–14
+ annotations import import annotations L12–12
~ musehub/auth/request_signing.py .py 1 symbol modified
~ _verify_msign
← Older Oldest on fix/msign-raw-path-slash-encoding
All commits
Newer → Latest on fix/msign-raw-path-slash-encoding

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:c748a46461e554a9560edea4edf4c3dffd2a7f81a1948ebdba60f5ec940c6e25 --body "your comment"