From 68cb970b424f48ea589eb12c8d5bc101584788e8 Mon Sep 17 00:00:00 2001
From: Saniya
Date: Thu, 20 Nov 2025 20:25:37 +0530
Subject: [PATCH] Restrict /.well-known auth bypass to alive endpoint

---
 pkg/gofr/http/middleware/auth.go | 3 ++-
 pkg/gofr/http/middleware/auth_test.go | 11 +++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/pkg/gofr/http/middleware/auth.go b/pkg/gofr/http/middleware/auth.go
index 0a280c5a93..b455dae7df 100644
--- a/pkg/gofr/http/middleware/auth.go
+++ b/pkg/gofr/http/middleware/auth.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	gofrHttp "gofr.dev/pkg/gofr/http"
+	"gofr.dev/pkg/gofr/service"
 )
 
 // AuthMethod represents a custom type to define the different authentication methods supported.
@@ -37,7 +38,7 @@ type AuthProvider interface {
 func AuthMiddleware(a AuthProvider) func(handler http.Handler) http.Handler {
 	return func(handler http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if isWellKnown(r.URL.Path) {
+			if r.URL.Path == service.AlivePath {
 				handler.ServeHTTP(w, r)
 				return
 			}
diff --git a/pkg/gofr/http/middleware/auth_test.go b/pkg/gofr/http/middleware/auth_test.go
index 565447a565..25e58202c4 100644
--- a/pkg/gofr/http/middleware/auth_test.go
+++ b/pkg/gofr/http/middleware/auth_test.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"testing"
 
+	"gofr.dev/pkg/gofr/service"
 	"github.com/stretchr/testify/assert"
 )
 
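Review bot: The new `if r.URL.Path == service.AlivePath {` line turns the exemption into an exact comparison against the decoded request path, which is the safer direction, but it carries no explanation of why only the liveness probe skips the provider while `/.well-known/health` (which the old prefix check let through) now needs credentials; a comment such as `// Only the liveness probe is served without authentication; health and every other path go through the provider.` records that intent and the deliberate behaviour change for probes that hit the health path unauthenticated. This appears to be the only call to `isWellKnown` in the diff, so check whether that helper is now unused and remove it if so. The enclosing handler closure continues outside the hunk.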
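Review bot: The added `"gofr.dev/pkg/gofr/service"` import sits before `"github.com/stretchr/testify/assert"` in the same group, which goimports would reorder since `github.com` sorts ahead of `gofr.dev`; either place the new line after the testify import or give the module-local import its own blank-line-separated group, as auth.go already does with its `gofr.dev` imports. The import block is otherwise unchanged.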
@@ -20,8 +21,9 @@ func TestAuthMiddleware(t *testing.T) {
 		expectedHeader any
 		expectedBody string
 	}{
-		{url: "/.well-known/health", success: true, statusCode: http.StatusOK, expectedBody: `OK`},
-		{url: "/.well-known/health", statusCode: http.StatusOK, expectedBody: `OK`},
+		{url: service.AlivePath, statusCode: http.StatusOK, expectedBody: `OK`},
+		{url: service.HealthPath, success: true, statusCode: http.StatusOK, expectedHeader: "user-header-string", expectedBody: `OK`},
+		{url: service.HealthPath, success: false, statusCode: http.StatusUnauthorized, expectedBody: errBody},
 		{url: "/", success: true, statusCode: http.StatusOK, expectedHeader: "user-header-string", expectedBody: `OK`},
 		{url: "/", success: false, statusCode: http.StatusUnauthorized, expectedBody: errBody},
 	}
@@ -44,12 +46,13 @@ func TestAuthMiddleware(t *testing.T) {
 			assert.Equal(t, tc.statusCode == http.StatusOK, mockHandler.handlerCalled)
 			assert.Equal(t, tc.expectedBody, strings.TrimSuffix(rr.Body.String(), "\n"))
 
-			if strings.HasPrefix(tc.url, "/.well-known") {
+			if tc.url == service.AlivePath {
+				assert.False(t, authProvider.extractAuthHeaderCalled)
+				assert.False(t, authProvider.getAuthMethodCalled)
 				return
 			}
 
 			assert.True(t, authProvider.extractAuthHeaderCalled)
-			assert.Equal(t, tc.statusCode == http.StatusOK, authProvider.getAuthMethodCalled)
 		})
 	}
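Review bot: The new table cases pin that `service.AlivePath` bypasses the provider and that `service.HealthPath` no longer does, but nothing pins the tightening from prefix to exact match itself: a path that merely starts with the alive path would have satisfied the old `isWellKnown` check and should now be rejected. A case such as `{url: service.AlivePath + "/extra", success: false, statusCode: http.StatusUnauthorized, expectedBody: errBody},` would catch a regression back to prefix matching and matches the shape of the existing unauthorized cases. The table literal starts before the hunk.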
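Review bot: The removed `assert.Equal(t, tc.statusCode == http.StatusOK, authProvider.getAuthMethodCalled)` leaves the authenticated branch asserting only that the header was extracted, so a middleware that extracts the header but never consults the auth method would still pass for the `/` and `service.HealthPath` cases. Unless the mock provider's behaviour changed elsewhere in this commit, restoring that line directly after `assert.True(t, authProvider.extractAuthHeaderCalled)` keeps the success path covered as tightly as the new bypass branch is with its two `assert.False` checks. The t.Run closure begins before the hunk.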