Fix discovery handler to decode base64url tokens

brianm · brianm · commit 2c99173bd84e · 2025-12-25T19:55:02.000-08:00
The broker base64url-encodes tokens for binary safety, but the discovery
handler was passing the encoded token directly to the OIDC validator.
This caused "malformed jwt" errors since the validator expected a raw JWT.

Add base64url decoding in discovery handler to match the policy handler
behavior. Update tests to use properly encoded tokens.
diff --git a/pkg/policyserver/discovery.go b/pkg/policyserver/discovery.go
@@ -1,6 +1,7 @@
 package policyserver
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"strings"
@@ -65,8 +66,15 @@ func (h *discoveryHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Decode base64url-encoded token (broker encodes tokens for binary safety)
+	decodedToken, err := base64.RawURLEncoding.DecodeString(token)
+	if err != nil {
+		h.writeError(w, http.StatusBadRequest, "Invalid token encoding")
+		return
+	}
+
 	// Validate token (we don't need the identity for discovery, just auth)
-	if _, err := h.config.Validator.ValidateAndExtractIdentity(token); err != nil {
+	if _, err := h.config.Validator.ValidateAndExtractIdentity(string(decodedToken)); err != nil {
 		h.writeError(w, http.StatusUnauthorized, err.Error())
 		return
 	}
diff --git a/pkg/policyserver/discovery_test.go b/pkg/policyserver/discovery_test.go
@@ -1,6 +1,7 @@
 package policyserver_test
 
 import (
+	"encoding/base64"
 	"errors"
 	"net/http"
 	"net/http/httptest"
@@ -17,8 +18,10 @@ func TestDiscoveryHandler_Success(t *testing.T) {
 		Hash:          "abc123",
 	})
 
+	// Token must be base64url-encoded (as broker encodes tokens)
+	encodedToken := base64.RawURLEncoding.EncodeToString([]byte("test-token"))
 	req := httptest.NewRequest(http.MethodGet, "/d/abc123", nil)
-	req.Header.Set("Authorization", "Bearer test-token")
+	req.Header.Set("Authorization", "Bearer "+encodedToken)
 	w := httptest.NewRecorder()
 
 	handler(w, req)
@@ -73,8 +76,10 @@ func TestDiscoveryHandler_InvalidToken(t *testing.T) {
 		Hash:          "abc123",
 	})
 
+	// Token must be base64url-encoded (as broker encodes tokens)
+	encodedToken := base64.RawURLEncoding.EncodeToString([]byte("invalid-token"))
 	req := httptest.NewRequest(http.MethodGet, "/d/abc123", nil)
-	req.Header.Set("Authorization", "Bearer invalid-token")
+	req.Header.Set("Authorization", "Bearer "+encodedToken)
 	w := httptest.NewRecorder()
 
 	handler(w, req)
@@ -92,8 +97,10 @@ func TestDiscoveryHandler_MethodNotAllowed(t *testing.T) {
 		Hash:          "abc123",
 	})
 
+	// Token must be base64url-encoded (as broker encodes tokens)
+	encodedToken := base64.RawURLEncoding.EncodeToString([]byte("test-token"))
 	req := httptest.NewRequest(http.MethodPost, "/d/abc123", nil)
-	req.Header.Set("Authorization", "Bearer test-token")
+	req.Header.Set("Authorization", "Bearer "+encodedToken)
 	w := httptest.NewRecorder()
 
 	handler(w, req)
@@ -149,8 +156,10 @@ func TestDiscoveryHandler_EmptyPatterns(t *testing.T) {
 		Hash:          "abc123",
 	})
 
+	// Token must be base64url-encoded (as broker encodes tokens)
+	encodedToken := base64.RawURLEncoding.EncodeToString([]byte("test-token"))
 	req := httptest.NewRequest(http.MethodGet, "/d/abc123", nil)
-	req.Header.Set("Authorization", "Bearer test-token")
+	req.Header.Set("Authorization", "Bearer "+encodedToken)
 	w := httptest.NewRecorder()
 
 	handler(w, req)
