fix: Return 5xx instead of 401 for missing ALB header

RealImage · Apr 9, 2024 · 2718eff · 2718eff
1 parent 55379c4
commit 2718eff
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/asgard/heimdallr.go b/asgard/heimdallr.go
@@ -16,6 +16,8 @@ import (
 	"github.com/google/uuid"
 )
 
+const errBadAuthHeader = "missing or invalid authorization information, server is misconfigured"
+
 type keyClientCert struct{}
 
 // ClientCert returns the client certificate from the request context.
@@ -41,7 +43,7 @@ func Heimdallr(h HeaderName, ns uuid.UUID) func(http.Handler) http.Handler {
 			certHeader := r.Header.Get(h.String())
 			if certHeader == "" {
 				slog.ErrorContext(ctx, "missing authorization header")
-				http.Error(w, "missing authorization header", http.StatusUnauthorized)
+				http.Error(w, errBadAuthHeader, http.StatusServiceUnavailable)
 				return
 			}
 
@@ -52,7 +54,7 @@ func Heimdallr(h HeaderName, ns uuid.UUID) func(http.Handler) http.Handler {
 					"headerName", h.String(),
 					"headerValue", certHeader,
 				)
-				http.Error(w, "invalid authorization header", http.StatusUnauthorized)
+				http.Error(w, errBadAuthHeader, http.StatusServiceUnavailable)
 				return
 			}
 
@@ -63,14 +65,14 @@ func Heimdallr(h HeaderName, ns uuid.UUID) func(http.Handler) http.Handler {
 					"headerName", h.String(),
 					"headerValue", certPEM,
 				)
-				http.Error(w, "invalid authorization header", http.StatusUnauthorized)
+				http.Error(w, errBadAuthHeader, http.StatusServiceUnavailable)
 				return
 			}
 
 			cert, err := bifrost.ParseCertificate(block.Bytes)
 			if err != nil {
 				slog.ErrorContext(ctx, "error parsing client certificate", "error", err)
-				http.Error(w, "invalid authorization header", http.StatusUnauthorized)
+				http.Error(w, errBadAuthHeader, http.StatusServiceUnavailable)
 				return
 			}