Respect an http error returned by the authentication function (#142)

tschaub · web-flow · commit 628ca60d90da · 2020-03-03T14:53:32.000-08:00
diff --git a/oapi_validate.go b/oapi_validate.go
@@ -126,6 +126,12 @@ func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router,
 				Internal: err,
 			}
 		case *openapi3filter.SecurityRequirementsError:
+			for _, err := range e.Errors {
+				httpErr, ok := err.(*echo.HTTPError)
+				if ok {
+					return httpErr
+				}
+			}
 			return &echo.HTTPError{
 				Code:     http.StatusForbidden,
 				Message:  e.Error(),
@@ -135,8 +141,8 @@ func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router,
 			// This should never happen today, but if our upstream code changes,
 			// we don't want to crash the server, so handle the unexpected error.
 			return &echo.HTTPError{
-				Code: http.StatusInternalServerError,
-				Message: fmt.Sprintf("error validating request: %s", err),
+				Code:     http.StatusInternalServerError,
+				Message:  fmt.Sprintf("error validating request: %s", err),
 				Internal: err,
 			}
 		}
diff --git a/oapi_validate_test.go b/oapi_validate_test.go
@@ -87,6 +87,15 @@ paths:
       responses:
         '204':
           description: no content
+  /protected_resource_401:
+    get:
+      operationId: getProtectedResource
+      security:
+        - BearerAuth:
+          - unauthorized
+      responses:
+        '401':
+          description: no content
 components:
   securitySchemes:
     BearerAuth:
@@ -127,6 +136,9 @@ func TestOapiRequestValidator(t *testing.T) {
 					if s == "someScope" {
 						return nil
 					}
+					if s == "unauthorized" {
+						return echo.ErrUnauthorized
+					}
 				}
 				return errors.New("forbidden")
 			},
@@ -234,4 +246,16 @@ func TestOapiRequestValidator(t *testing.T) {
 		assert.False(t, called, "Handler should not have been called")
 		called = false
 	}
+
+	e.GET("/protected_resource_401", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+	})
+	// Call a protected function without credentials
+	{
+		rec := doGet(t, e, "http://deepmap.ai/protected_resource_401")
+		assert.Equal(t, http.StatusUnauthorized, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+		called = false
+	}
 }
