fix: use default api when auto detection fails (#415)

dotkas · web-flow · commit 049cd1cecda5 · 2025-08-26T16:09:07.000Z
diff --git a/pkg/app/app_test.go b/pkg/app/app_test.go
@@ -121,7 +121,7 @@ func Test_CreateAppEngine_config_PAT_autoRegionDetection(t *testing.T) {
 		assert.Equal(t, fmt.Sprintf("https://%s", apiUrl), actualApiUrl)
 	})
 
-	t.Run("invalid PAT reverts to default API URL", func(t *testing.T) {
+	t.Run("invalid PAT reverts to default API URL (with wrong payload)", func(t *testing.T) {
 		patWithExtraSegments := "snyk_uat.12345678.payload.signature.extra"
 		engine := CreateAppEngine()
 		config := engine.GetConfiguration()
@@ -130,6 +130,16 @@ func Test_CreateAppEngine_config_PAT_autoRegionDetection(t *testing.T) {
 		actualApiUrl := config.GetString(configuration.API_URL)
 		assert.Equal(t, constants.SNYK_DEFAULT_API_URL, actualApiUrl)
 	})
+
+	t.Run("invalid PAT reverts to default API URL (with no hostname in claim)", func(t *testing.T) {
+		pat := createMockPAT(t, `{}`)
+		engine := CreateAppEngine()
+		config := engine.GetConfiguration()
+		config.Set(configuration.AUTHENTICATION_TOKEN, pat)
+
+		actualApiUrl := config.GetString(configuration.API_URL)
+		assert.Equal(t, constants.SNYK_DEFAULT_API_URL, actualApiUrl)
+	})
 }
 
 func Test_CreateAppEngine_config_OauthAudHasPrecedence(t *testing.T) {
diff --git a/pkg/auth/tokenauthenticator.go b/pkg/auth/tokenauthenticator.go
@@ -24,7 +24,7 @@ const (
 // Claims represents the structure of the PATs claims, it does not represent all the claims; only the ones we need
 type Claims struct {
 	// Hostname PAT is valid for
-	Hostname string `json:"h,omitempty"`
+	Hostname string `json:"h"`
 }
 
 var _ Authenticator = (*tokenAuthenticator)(nil)
@@ -101,6 +101,10 @@ func GetApiUrlFromPAT(pat string) (string, error) {
 	}
 
 	hostname := claims.Hostname
+	if len(hostname) == 0 {
+		return "", fmt.Errorf("hostname is empty")
+	}
+
 	if !strings.HasPrefix(hostname, "http") {
 		hostname = fmt.Sprintf("https://%s", hostname)
 	}
diff --git a/pkg/auth/tokenauthenticator_test.go b/pkg/auth/tokenauthenticator_test.go
@@ -90,12 +90,17 @@ func TestGetApiUrlFromPAT(t *testing.T) {
 
 	t.Run("PAT with scheme", func(t *testing.T) {
 		pat := createMockPAT(t, `{"h":"http://api.snyk.io"}`)
-		fmt.Println("pat", pat)
 		apiUrl, err := GetApiUrlFromPAT(pat)
 		assert.NoError(t, err)
 		assert.Equal(t, "http://api.snyk.io", apiUrl)
 	})
 
+	t.Run("PAT without hostname in claims", func(t *testing.T) {
+		pat := createMockPAT(t, `{}`)
+		_, err := GetApiUrlFromPAT(pat)
+		assert.Error(t, err)
+	})
+
 	t.Run("Invalid PAT", func(t *testing.T) {
 		patTooManySegments := "snyk_test.12345678.payload.signature.extra"
 		apiUrl, err := GetApiUrlFromPAT(patTooManySegments)

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ const (`
`24`	`24`	`// Claims represents the structure of the PATs claims, it does not represent all the claims; only the ones we need`
`25`	`25`	`type Claims struct {`
`26`	`26`	`// Hostname PAT is valid for`
`27`		- Hostname string `json:"h,omitempty"`
	`27`	+ Hostname string `json:"h"`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`var _ Authenticator = (*tokenAuthenticator)(nil)`
`@@ -101,6 +101,10 @@ func GetApiUrlFromPAT(pat string) (string, error) {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`hostname := claims.Hostname`
	`104`	`+ if len(hostname) == 0 {`
	`105`	`+ return "", fmt.Errorf("hostname is empty")`
	`106`	`+ }`
	`107`	`+`
`104`	`108`	`if !strings.HasPrefix(hostname, "http") {`
`105`	`109`	`hostname = fmt.Sprintf("https://%s", hostname)`
`106`	`110`	`}`