MCPcopy Index your code
hub / github.com/coder/coder / buildWWWAuthenticateHeader

Function buildWWWAuthenticateHeader

coderd/httpmw/apikey.go:840–872  ·  view source on GitHub ↗

Test export functions for testing package access buildWWWAuthenticateHeader constructs RFC 6750 + RFC 9728 compliant WWW-Authenticate header

(accessURL *url.URL, r *http.Request, code int, response codersdk.Response)

Source from the content-addressed store, hash-verified

838
839// buildWWWAuthenticateHeader constructs RFC 6750 + RFC 9728 compliant WWW-Authenticate header
840func buildWWWAuthenticateHeader(accessURL *url.URL, r *http.Request, code int, response codersdk.Response) string {
841 // Use the configured access URL for resource metadata
842 if accessURL == nil {
843 scheme := "https"
844 if r.TLS == nil {
845 scheme = "http"
846 }
847
848 // Use the Host header to construct the canonical audience URI
849 accessURL = &url.URL{
850 Scheme: scheme,
851 Host: r.Host,
852 }
853 }
854
855 resourceMetadata := accessURL.JoinPath("/.well-known/oauth-protected-resource").String()
856
857 switch code {
858 case http.StatusUnauthorized:
859 switch {
860 case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
861 return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token has expired", resource_metadata=%q`, resourceMetadata)
862 case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
863 return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource", resource_metadata=%q`, resourceMetadata)
864 default:
865 return fmt.Sprintf(`Bearer realm="coder", error="invalid_token", error_description="The access token is invalid", resource_metadata=%q`, resourceMetadata)
866 }
867 case http.StatusForbidden:
868 return fmt.Sprintf(`Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token", resource_metadata=%q`, resourceMetadata)
869 default:
870 return fmt.Sprintf(`Bearer realm="coder", resource_metadata=%q`, resourceMetadata)
871 }
872}
873
874// extractExpectedAudience determines the expected audience for the current request.
875// This should match the resource parameter used during authorization.

Callers 1

ExtractAPIKeyFunction · 0.85

Calls 2

StringMethod · 0.45
ContainsMethod · 0.45

Tested by

no test coverage detected