fix: make acp.capabilities public and update verification script

2026-04-21 20:05:50 +08:00 · 2026-04-21 20:05:50 +08:00 · fe13604703
commit fe13604703
parent c4d8c522a9
2 changed files with 61 additions and 23 deletions
--- a/internal/acp/server.go
+++ b/internal/acp/server.go
@ -1,6 +1,7 @@
 package acp

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@ -263,21 +264,30 @@ func (s *Server) HandleProviderRPC(w http.ResponseWriter, r *http.Request, provi
 		)
 		return
 	}
-	if !s.authorized(r) {
-		s.writeJSONError(
-			w,
-			nil,
-			http.StatusUnauthorized,
-			-32001,
-			"missing bearer authorization",
-		)
-		return
-	}
 	payload, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.writeJSONError(w, nil, http.StatusBadRequest, -32600, "invalid body")
 		return
 	}
+	r.Body = io.NopCloser(bytes.NewBuffer(payload))
+
+	if !s.authorized(r) {
+		var temp struct {
+			Method string `json:"method"`
+		}
+		_ = json.Unmarshal(payload, &temp)
+		method := strings.TrimSpace(temp.Method)
+		if method != "acp.capabilities" && method != "health" {
+			s.writeJSONError(
+				w,
+				nil,
+				http.StatusUnauthorized,
+				-32001,
+				"missing bearer authorization",
+			)
+			return
+		}
+	}
 	request, err := shared.DecodeRPCRequest(payload)
 	if err != nil {
 		s.writeJSONError(w, nil, http.StatusBadRequest, -32700, err.Error())
@ -403,21 +413,30 @@ func (s *Server) HandleRPC(w http.ResponseWriter, r *http.Request) {
 		)
 		return
 	}
-	if !s.authorized(r) {
-		s.writeJSONError(
-			w,
-			nil,
-			http.StatusUnauthorized,
-			-32001,
-			"missing bearer authorization",
-		)
-		return
-	}
 	payload, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.writeJSONError(w, nil, http.StatusBadRequest, -32600, "invalid body")
 		return
 	}
+	r.Body = io.NopCloser(bytes.NewBuffer(payload))
+
+	if !s.authorized(r) {
+		var temp struct {
+			Method string `json:"method"`
+		}
+		_ = json.Unmarshal(payload, &temp)
+		method := strings.TrimSpace(temp.Method)
+		if method != "acp.capabilities" && method != "health" {
+			s.writeJSONError(
+				w,
+				nil,
+				http.StatusUnauthorized,
+				-32001,
+				"missing bearer authorization",
+			)
+			return
+		}
+	}
 	request, err := shared.DecodeRPCRequest(payload)
 	if err != nil {
 		s.writeJSONError(w, nil, http.StatusBadRequest, -32700, err.Error())
--- a/scripts/github-actions/verify-public-rpc-contract.sh
+++ b/scripts/github-actions/verify-public-rpc-contract.sh
@ -59,12 +59,31 @@ unauthorized_status="$(
    --max-time "${HTTP_TIMEOUT_SECONDS}" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
-    --data '{"jsonrpc":"2.0","id":"cap-unauthorized","method":"acp.capabilities"}' \
+    --data '{"jsonrpc":"2.0","id":"cap-public","method":"acp.capabilities"}' \
    "${resolved_base_url}/acp/rpc"
 )"

-if [[ "${unauthorized_status}" != "401" ]]; then
-  echo "expected unauthorized capabilities request to return 401, got ${unauthorized_status}" >&2
+if [[ "${unauthorized_status}" != "200" ]]; then
+  echo "expected public capabilities request to return 200, got ${unauthorized_status}" >&2
+  exit 1
+fi
+
+unauthorized_session_status="$(
+  curl \
+    --silent \
+    --show-error \
+    --output /dev/null \
+    --write-out '%{http_code}' \
+    --location \
+    --max-time "${HTTP_TIMEOUT_SECONDS}" \
+    -H 'Accept: application/json' \
+    -H 'Content-Type: application/json' \
+    --data '{"jsonrpc":"2.0","id":"session-unauthorized","method":"session.start","params":{"sessionId":"test"}}' \
+    "${resolved_base_url}/acp/rpc"
+)"
+
+if [[ "${unauthorized_session_status}" != "401" ]]; then
+  echo "expected unauthorized session.start request to return 401, got ${unauthorized_session_status}" >&2
  exit 1
 fi