fix unit test

Author: duwenxin99

internal/auth/generic/generic.go

@@ -99,9 +99,11 @@ func safeDialer() *net.Dialer {
 	}
 }
 
+var allowInsecureForTest = false
+
 func discoverJWKSURL(authURL string) (string, error) {
 	u, err := url.Parse(authURL)
-	if err != nil || u.Scheme != "https" {
+	if err != nil || (u.Scheme != "https" && !allowInsecureForTest) {
 		return "", fmt.Errorf("invalid or insecure auth URL: must be HTTPS")
 	}
 
@@ -114,7 +116,6 @@ func discoverJWKSURL(authURL string) (string, error) {
 	client := &http.Client{
 		Timeout: 10 * time.Second,
 		Transport: &http.Transport{
-			DialContext:           safeDialer().DialContext,
 			ForceAttemptHTTP2:     true,
 			MaxIdleConns:          10,
 			IdleConnTimeout:       90 * time.Second,
@@ -126,6 +127,10 @@ func discoverJWKSURL(authURL string) (string, error) {
 			return http.ErrUseLastResponse
 		},
 	}
+	
+	if !allowInsecureForTest {
+		client.Transport.(*http.Transport).DialContext = safeDialer().DialContext
+	}
 
 	resp, err := client.Get(oidcConfigURL)
 	if err != nil {
@@ -156,7 +161,7 @@ func discoverJWKSURL(authURL string) (string, error) {
 
 	// Sanitize the resulting JWKS URI before returning it
 	parsedJWKS, err := url.Parse(config.JWKSURI)
-	if err != nil || parsedJWKS.Scheme != "https" {
+	if err != nil || (parsedJWKS.Scheme != "https" && !allowInsecureForTest) {
 		return "", fmt.Errorf("malicious jwks_uri detected")
 	}
 

internal/auth/generic/generic_test.go

@@ -29,6 +29,10 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 )
 
+func init() {
+	allowInsecureForTest = true
+}
+
 func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
@@ -159,7 +163,7 @@ func TestGetClaimsFromHeader(t *testing.T) {
 				return header
 			},
 			wantError:   true,
-			errContains: "Authorization header format must be Bearer {token}",
+			errContains: "authorization header format must be Bearer {token}",
 		},
 		{
 			name: "wrong audience",