pkg/auth: check HTTP status from the server

Previously the reported failure was a nondescript
strconv.ParseInt: parsing "": invalid syntax

2 files changed, 16 insertions, 1 deletions

diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index c662218ea..af8432a34 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -78,6 +78,9 @@ func (auth *Endpoint) queryTokenInfo(tokenValue string) (*jwtClaims, error) {
 		return nil, err
 	}
 	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("verification failed %v", resp.StatusCode)
+	}
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
@@ -116,7 +119,7 @@ func (auth *Endpoint) DetermineAuthSubj(now time.Time, authHeader []string) (str
 		return "", err
 	}
 	if claims.Audience != DashboardAudience {
-		err := fmt.Errorf("unexpected audience %v %v", claims.Audience, claims)
+		err := fmt.Errorf("unexpected audience %v", claims.Audience)
 		return "", err
 	}
 	if claims.Expiration.Before(now) {
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
index 7e0a5184f..d343e0f33 100644
--- a/pkg/auth/auth_test.go
+++ b/pkg/auth/auth_test.go
@@ -95,3 +95,15 @@ func TestBadHeader(t *testing.T) {
 		t.Errorf("Unexpected error %v %v", got, err)
 	}
 }
+
+func TestBadHttpStatus(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(400)
+	}))
+	defer ts.Close()
+	dut := MakeEndpoint(ts.URL)
+	got, err := dut.DetermineAuthSubj(time.Now(), []string{"Bearer x"})
+	if err == nil || !strings.HasSuffix(err.Error(), "400") || got != "" {
+		t.Errorf("Unexpected error %v %v", got, err)
+	}
+}