fix(auth): allow custom environments via BW_API_URL; harden token parsing#17
Open
kshahbw wants to merge 2 commits into
Open
fix(auth): allow custom environments via BW_API_URL; harden token parsing#17kshahbw wants to merge 2 commits into
kshahbw wants to merge 2 commits into
Conversation
…sing resolveEnvironment rejected any environment outside prod/test/uat, which also blocked an environment routed through an explicit BW_API_URL override — regressing that workflow. Permit a non-built-in environment when BW_API_URL is set: an explicit route is not a silent fall-through to prod, so it keeps the guarantee that an unrecognized value never silently resolves to production (the reason validation was added in ddb2632 / 11a4f95). Because a custom-routed environment still hits the production-only messaging host, widen messagingProdOnlyWarning to fire for any non-prod environment, so those users are still warned that sends are real and billable. Harden the OAuth token exchange: a 2xx response whose body is not a JSON object (an HTML proxy interstitial, or a misrouted host returning XML) now produces a clear 'non-JSON response — check your environment and BW_API_URL' error instead of a cryptic 'invalid character <' JSON parse failure.
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
A BW_API_URL missing its scheme (e.g. "stage.api.bandwidth.com") reached net/http as the opaque error 'unsupported protocol scheme ""'. ValidateAPIOverride now catches a schemeless or hostless override at both auth entry points — authenticate() and auth login — with an actionable message that names the fix. An unset BW_API_URL stays valid.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three related auth-path hardenings, all grounded in the intent of the env-validation work in
ddb2632/11a4f95(kill silent fall-through to production, and turn cryptic failures into actionable ones):resolveEnvironment— restore the explicit-route escape hatch. After that change, any environment outsideprod/test/uatwas rejected outright — including environments intentionally routed through an explicitBW_API_URLoverride, which regressed that workflow. This permits a non-built-in environment only whenBW_API_URLis set. An explicit route is the opposite of a silent fall-through, so the original guarantee holds: an unrecognized value with no override still fails loudly and never silently resolves to prod.oauth.go— legible error for a non-JSON token response. A 2xx whose body isn't a JSON object (an HTML proxy interstitial, or a misrouted host returning XML) previously died with a crypticinvalid character '<' looking for beginning of valueparse error. It now returns "token endpoint returned a non-JSON response — you may be behind a proxy or pointed at the wrong host; check your environment andBW_API_URL."ValidateAPIOverride— reject a schemelessBW_API_URLup front. ABW_API_URLmissing its scheme (e.g.stage.api.bandwidth.cominstead ofhttps://stage.api.bandwidth.com) reachednet/httpas the opaqueunsupported protocol scheme "". It's now caught at both auth entry points (authenticate()andauth login) with a message that names the fix. Unset stays valid.Also included (flag for review)
messagingProdOnlyWarningnow fires for any non-prod environment, not justtest/uat. Slightly beyond the fixes above, but it's the minimum needed to keep #1 from regressing a safety property: a custom-routed environment still hits the production-only messaging host, so without this a custom-env user would send real, billable messages with no warning — exactly the hazard the original hardening closed. Happy to drop it if you'd rather handle separately.Why this came up
Two users hit auth failures that all trace back to the
BW_API_URLoverride path:parsing token response: invalid character '<'— an older binary whoseauthenticate()predatesresolveEnvironmentsilently fell through to the prod identity host and got a non-JSON gateway body (→ Snyk Vulnerability Dashboard #2 makes this legible; the newer validation prevents the silent prod routing).unsupported protocol scheme ""— aBW_API_URLset withouthttps://(→ Fix GoReleaser homebrew publish to use PR flow #3).Testing
resolveEnvironment: unit tests for fail-loud (no override) and opt-in (withBW_API_URL); verified in a real binary — unknown env fails loudly without an override, routes the token request to the custom host with one.ValidateAPIOverride: unit tests for unset/valid/schemeless; verified in a real binary that a schemeless value yields the actionable message and a scheme'd value routes to the host.messagingProdOnlyWarning: unit test asserts any non-prod env warns.oauth.go: unit test asserts a 2xx HTML body yields the friendly error, not a parse error.go build ./..., fullgo test ./...,gofmt, andgo vetall clean.🤖 Generated with Claude Code