From 2389aa28a8b1a9cf22e97f19bb0ae933a059c934 Mon Sep 17 00:00:00 2001 From: Sheng Kun Chang Date: Sat, 13 Jun 2026 19:51:15 +0800 Subject: [PATCH] refactor(auth): extract rejectNotProxied to remove duplicated 403 body Both failure paths in requireProxy (unreadable token source and token mismatch) wrote the same httputil.JSON 403/not_proxied response inline. Extract rejectNotProxied() so the response body is defined once; the distinct log.Printf calls before each site are preserved for per-path diagnostics. No behavior change. go test ./auth/... ./internal/core/... green. --- auth/middleware.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/auth/middleware.go b/auth/middleware.go index c387c2c..5d4d466 100644 --- a/auth/middleware.go +++ b/auth/middleware.go @@ -288,20 +288,14 @@ func requireProxy(inLambda bool) func(http.Handler) http.Handler { // reject rather than silently pass every request through. if expected == "" { log.Printf("mirrorstack: proxy guard rejected (token source configured but unreadable) from %s %s", r.RemoteAddr, r.URL.Path) - httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ - Error: "request did not come through the platform proxy", - Code: CodeNotProxied, - }) + rejectNotProxied(w) return } token := r.Header.Get(header) if !constantTimeEqual(token, expected) { log.Printf("mirrorstack: proxy guard rejected (token mismatch, header_present=%v) from %s %s", token != "", r.RemoteAddr, r.URL.Path) - httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ - Error: "request did not come through the platform proxy", - Code: CodeNotProxied, - }) + rejectNotProxied(w) return } next.ServeHTTP(w, r) @@ -309,6 +303,17 @@ func requireProxy(inLambda bool) func(http.Handler) http.Handler { } } +// rejectNotProxied writes the standard 403 not_proxied response. Both failure +// paths in requireProxy (unreadable token source and token mismatch) produce +// the same JSON body; the log call before each site carries the distinct +// diagnostic. +func rejectNotProxied(w http.ResponseWriter) { + httputil.JSON(w, http.StatusForbidden, httputil.ErrorResponse{ + Error: "request did not come through the platform proxy", + Code: CodeNotProxied, + }) +} + // secretReader returns the current secret, which header carries it, and // whether a secret SOURCE is configured at all. The file-backed variant // re-reads on every call so a refreshed token (CLI reconnect) is picked up