diff --git a/auth/middleware.go b/auth/middleware.go index c387c2c..5d4d466 100644 --- a/auth/middleware.go +++ b/auth/middleware.go @@ -288,20 +288,14 @@ func requireProxy(inLambda bool) func(http.Handler) http.Handler { // reject rather than silently pass every request through. if expected == "" { log.Printf("mirrorstack: proxy guard rejected (token source configured but unreadable) from %s %s", r.RemoteAddr, r.URL.Path) - httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ - Error: "request did not come through the platform proxy", - Code: CodeNotProxied, - }) + rejectNotProxied(w) return } token := r.Header.Get(header) if !constantTimeEqual(token, expected) { log.Printf("mirrorstack: proxy guard rejected (token mismatch, header_present=%v) from %s %s", token != "", r.RemoteAddr, r.URL.Path) - httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ - Error: "request did not come through the platform proxy", - Code: CodeNotProxied, - }) + rejectNotProxied(w) return } next.ServeHTTP(w, r) @@ -309,6 +303,17 @@ func requireProxy(inLambda bool) func(http.Handler) http.Handler { } } +// rejectNotProxied writes the standard 403 not_proxied response. Both failure +// paths in requireProxy (unreadable token source and token mismatch) produce +// the same JSON body; the log call before each site carries the distinct +// diagnostic. +func rejectNotProxied(w http.ResponseWriter) { + httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ + Error: "request did not come through the platform proxy", + Code: CodeNotProxied, + }) +} + // secretReader returns the current secret, which header carries it, and // whether a secret SOURCE is configured at all. The file-backed variant // re-reads on every call so a refreshed token (CLI reconnect) is picked up