Test export functions for testing package access buildWWWAuthenticateHeader constructs RFC 6750 + RFC 9728 compliant WWW-Authenticate header
(accessURL *url.URL, r *http.Request, code int, response codersdk.Response)
| 838 | |
| 839 | // buildWWWAuthenticateHeader constructs RFC 6750 + RFC 9728 compliant WWW-Authenticate header |
| 840 | func buildWWWAuthenticateHeader(accessURL *url.URL, r *http.Request, code int, response codersdk.Response) string { |
| 841 | // Use the configured access URL for resource metadata |
| 842 | if accessURL == nil { |
| 843 | scheme := "https" |
| 844 | if r.TLS == nil { |
| 845 | scheme = "http" |
| 846 | } |
| 847 | |
| 848 | // Use the Host header to construct the canonical audience URI |
| 849 | accessURL = &url.URL{ |
| 850 | Scheme: scheme, |
| 851 | Host: r.Host, |
| 852 | } |
| 853 | } |
| 854 | |
| 855 | resourceMetadata := accessURL.JoinPath("/.well-known/oauth-protected-resource").String() |
| 856 | |
| 857 | switch code { |
| 858 | case http.StatusUnauthorized: |
| 859 | switch { |
| 860 | case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"): |
| 861 | return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token has expired", resource_metadata=%q`, resourceMetadata) |
| 862 | case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"): |
| 863 | return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource", resource_metadata=%q`, resourceMetadata) |
| 864 | default: |
| 865 | return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid", resource_metadata=%q`, resourceMetadata) |
| 866 | } |
| 867 | case http.StatusForbidden: |
| 868 | return fmt.Sprintf(`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token", resource_metadata=%q`, resourceMetadata) |
| 869 | default: |
| 870 | return fmt.Sprintf(`Bearer realm="coder", resource_metadata=%q`, resourceMetadata) |
| 871 | } |
| 872 | } |
| 873 | |
| 874 | // extractExpectedAudience determines the expected audience for the current request. |
| 875 | // This should match the resource parameter used during authorization. |
no test coverage detected