From ced6d16dae2e6f367c03b38cd3b5ddad2912f22e Mon Sep 17 00:00:00 2001 From: darian Date: Thu, 31 Oct 2024 18:17:33 +0200 Subject: [PATCH 01/12] token invalid throw 401 instead of return public incoming payment --- packages/backend/src/app.ts | 2 +- .../src/open_payments/auth/middleware.test.ts | 58 +++++++++++++++++-- .../src/open_payments/auth/middleware.ts | 25 ++++---- .../docs/integration/playground/overview.mdx | 12 ++++ 4 files changed, 81 insertions(+), 16 deletions(-) diff --git a/packages/backend/src/app.ts b/packages/backend/src/app.ts index d0cdd19f35..d4bb95d67c 100644 --- a/packages/backend/src/app.ts +++ b/packages/backend/src/app.ts @@ -577,7 +577,7 @@ export class App { createTokenIntrospectionMiddleware({ requestType: AccessType.IncomingPayment, requestAction: RequestAction.Read, - bypassError: true + canSkipAuthValidation: true }), authenticatedStatusMiddleware, getWalletAddressForSubresource, diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index 96f590fc23..3287ff8689 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts @@ -87,12 +87,12 @@ describe('Auth Middleware', (): void => { await appContainer.shutdown() }) - describe('bypassError option', (): void => { - test('calls next for HTTP errors', async (): Promise => { + describe('canSkipAuthValidation option', (): void => { + test('calls next for undefined authorization header', async (): Promise => { const middleware = createTokenIntrospectionMiddleware({ requestType: type, requestAction: action, - bypassError: true + canSkipAuthValidation: true }) ctx.request.headers.authorization = '' 
@@ -107,7 +107,7 @@ describe('Auth Middleware', (): void => { const middleware = createTokenIntrospectionMiddleware({ requestType: AccessType.OutgoingPayment, requestAction: action, - bypassError: true + canSkipAuthValidation: true }) jest.spyOn(tokenIntrospectionClient, 'introspect').mockResolvedValueOnce({ 
@@ -140,6 +140,56 @@ describe('Auth Middleware', (): void => { ) expect(next).not.toHaveBeenCalled() }) + + test('proceeds with validation when authorization header exists, even with canSkipAuthValidation true', async (): Promise => { + const middleware = createTokenIntrospectionMiddleware({ + requestType: type, + requestAction: action, + canSkipAuthValidation: true + }) + ctx.request.headers.authorization = 'GNAP valid_token' + jest.spyOn(tokenIntrospectionClient, 'introspect').mockResolvedValueOnce({ + active: true, + access: [{ type: type, actions: [action] }], + client: 'test-client' + } as TokenInfo) + + await middleware(ctx, next) + + expect(tokenIntrospectionClient.introspect).toHaveBeenCalled() + expect(ctx.client).toBe('test-client') + expect(next).toHaveBeenCalled() + }) + + test('throws error when skipAuthValidation is false and no authorization header', async (): Promise => { + const middleware = createTokenIntrospectionMiddleware({ + requestType: type, + requestAction: action, + canSkipAuthValidation: false + }) + ctx.request.headers.authorization = '' + + await expect(middleware(ctx, next)).rejects.toThrow(OpenPaymentsServerRouteError) + expect(ctx.response.get('WWW-Authenticate')).toBe( + `GNAP as_uri=${Config.authServerGrantUrl}` + ) + expect(next).not.toHaveBeenCalled() + }) + + test('throws error when canSkipAuthValidation is false and no authorization header', async (): Promise => { + const middleware = createTokenIntrospectionMiddleware({ + requestType: type, + requestAction: action, + canSkipAuthValidation: false + }) + ctx.request.headers.authorization = '' + + await expect(middleware(ctx, next)).rejects.toThrow(OpenPaymentsServerRouteError) + expect(ctx.response.get('WWW-Authenticate')).toBe( + `GNAP as_uri=${Config.authServerGrantUrl}` + ) + expect(next).not.toHaveBeenCalled() + }) }) test.each` 
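Review bot: The last two tests added in this hunk have identical bodies (`canSkipAuthValidation: false`, empty `authorization`, a thrown `OpenPaymentsServerRouteError`) and differ only in title, one of which names a `skipAuthValidation` option that does not exist. I would keep one and use the other slot for a case the hunk leaves uncovered: `canSkipAuthValidation: true` with a present but malformed header, for example `ctx.request.headers.authorization = 'Bearer abc'` (constructed value), asserting the rejection and `expect(next).not.toHaveBeenCalled()`. That pins the rule that the flag skips validation only when the header is absent, never when it is present and wrong.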
diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index 27ed023a14..dd8da187df 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -67,11 +67,11 @@ function toOpenPaymentsAccess( export function createTokenIntrospectionMiddleware({ requestType, requestAction, - bypassError = false + canSkipAuthValidation = false }: { requestType: AccessType requestAction: RequestAction - bypassError?: boolean + canSkipAuthValidation?: boolean }) { return async ( ctx: WalletAddressUrlContext, @@ -79,14 +79,20 @@ export function createTokenIntrospectionMiddleware({ ): Promise => { const config = await ctx.container.use('config') try { - const parts = ctx.request.headers.authorization?.split(' ') - if (parts?.length !== 2 || parts[0] !== 'GNAP') { + if (canSkipAuthValidation && !ctx.request.headers.authorization) { + ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) + await next() + return + } + + const authSplit = ctx.request.headers.authorization?.split(' ') + if (authSplit?.length !== 2 || authSplit[0] !== 'GNAP') { throw new OpenPaymentsServerRouteError( 401, 'Missing or invalid authorization header value' ) } - const token = parts[1] + const token = authSplit[1] const tokenIntrospectionClient = await ctx.container.use( 'tokenIntrospectionClient' ) @@ -145,19 +151,16 @@ export function createTokenIntrospectionMiddleware({ : undefined } } + + await next() } catch (err) { if (!(err instanceof OpenPaymentsServerRouteError)) { throw err } ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) - - if (!bypassError) { - throw err - } + throw err } - - await next() } } diff --git a/packages/documentation/src/content/docs/integration/playground/overview.mdx b/packages/documentation/src/content/docs/integration/playground/overview.mdx index 59c7d41c25..35a0101c2f 100644 
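Review bot: In the last middleware.ts hunk, `await next()` now sits inside the `try`, so the `catch` also sees errors thrown by every later middleware and route handler. Any `OpenPaymentsServerRouteError` raised downstream, not only an auth failure from this function, would get the `WWW-Authenticate` GNAP challenge attached, telling the client to re-authorize for an error that may have nothing to do with its token. Keeping `await next()` after the `try/catch`, where it was before this change, limits the challenge header to failures produced by the introspection path. The enclosing function starts outside this hunk.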
--- a/packages/documentation/src/content/docs/integration/playground/overview.mdx +++ b/packages/documentation/src/content/docs/integration/playground/overview.mdx @@ -178,6 +178,18 @@ You can either trigger the debugger by adding `debugger` statements in the code #### Debugging with VS Code: To debug with VS Code, add this configuration to your `.vscode/launch.json`: +```json +{ + "name": "Attach to docker (cloud-nine-backend)", + "type": "node", + "request": "attach", + "port": 9229, + "address": "localhost", + "localRoot": "${workspaceFolder}", + "remoteRoot": "/home/rafiki/", + "restart": true +}, +``` The `localRoot` variable will depend on the location of the `launch.json` file relative to Rafiki’s root directory. From e0909bf3be10bbe7531ecd2f31f261e962e68f0c Mon Sep 17 00:00:00 2001 From: darian Date: Fri, 1 Nov 2024 15:40:03 +0200 Subject: [PATCH 02/12] pull request review changes --- .../src/open_payments/auth/middleware.test.ts | 27 ++++++++++++------- .../src/open_payments/auth/middleware.ts | 15 ++++++----- .../payment/incoming_remote/service.ts | 8 ------ 3 files changed, 26 insertions(+), 24 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index 3287ff8689..adee15f414 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts 
@@ -153,38 +153,45 @@ describe('Auth Middleware', (): void => { access: [{ type: type, actions: [action] }], client: 'test-client' } as TokenInfo) - + await middleware(ctx, next) - + expect(tokenIntrospectionClient.introspect).toHaveBeenCalled() expect(ctx.client).toBe('test-client') expect(next).toHaveBeenCalled() }) - test('throws error when skipAuthValidation is false and no authorization header', async (): Promise => { + test('throws OpenPaymentsServerRouteError for invalid token with skipAuthValidation true', async (): Promise => { const middleware = createTokenIntrospectionMiddleware({ requestType: type, requestAction: action, - canSkipAuthValidation: false + canSkipAuthValidation: true }) - ctx.request.headers.authorization = '' - - await expect(middleware(ctx, next)).rejects.toThrow(OpenPaymentsServerRouteError) + ctx.request.headers.authorization = 'GNAP invalid_token' + jest + .spyOn(tokenIntrospectionClient, 'introspect') + .mockRejectedValueOnce(new Error()) + + await expect(middleware(ctx, next)).rejects.toThrow( + OpenPaymentsServerRouteError + ) expect(ctx.response.get('WWW-Authenticate')).toBe( `GNAP as_uri=${Config.authServerGrantUrl}` ) expect(next).not.toHaveBeenCalled() }) - test('throws error when canSkipAuthValidation is false and no authorization header', async (): Promise => { + test('throws OpenPaymentsServerRouteError when canSkipAuthValidation is false and no authorization header', async (): Promise => { const middleware = createTokenIntrospectionMiddleware({ requestType: type, requestAction: action, canSkipAuthValidation: false }) ctx.request.headers.authorization = '' - - await expect(middleware(ctx, next)).rejects.toThrow(OpenPaymentsServerRouteError) + + await expect(middleware(ctx, next)).rejects.toThrow( + OpenPaymentsServerRouteError + ) expect(ctx.response.get('WWW-Authenticate')).toBe( `GNAP as_uri=${Config.authServerGrantUrl}` ) 
diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index dd8da187df..0691c4a120 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -71,7 +71,7 @@ export function createTokenIntrospectionMiddleware({ }: { requestType: AccessType requestAction: RequestAction - canSkipAuthValidation?: boolean + canSkipAuthValidation?: boolean }) { return async ( ctx: WalletAddressUrlContext, @@ -80,7 +80,6 @@ export function createTokenIntrospectionMiddleware({ const config = await ctx.container.use('config') try { if (canSkipAuthValidation && !ctx.request.headers.authorization) { - ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) await next() return } @@ -151,16 +150,15 @@ export function createTokenIntrospectionMiddleware({ : undefined } } - - await next() } catch (err) { if (!(err instanceof OpenPaymentsServerRouteError)) { - throw err + ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) } - ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) throw err } + + await next() } } @@ -169,6 +167,11 @@ export const authenticatedStatusMiddleware = async ( next: () => Promise ): Promise => { ctx.authenticated = false + if (!ctx.request.headers.authorization) { + await next() + return + } + try { await throwIfSignatureInvalid(ctx) ctx.authenticated = true diff --git a/packages/backend/src/open_payments/payment/incoming_remote/service.ts b/packages/backend/src/open_payments/payment/incoming_remote/service.ts index 84920d13c3..bb11006b4a 100644 --- a/packages/backend/src/open_payments/payment/incoming_remote/service.ts +++ b/packages/backend/src/open_payments/payment/incoming_remote/service.ts 
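Review bot: The `catch` in the third hunk has its condition inverted: `if (!(err instanceof OpenPaymentsServerRouteError))` now guards the `ctx.set('WWW-Authenticate', …)` call, so the GNAP challenge is attached to unexpected errors and omitted from the 401s this middleware throws itself. The test added in the same patch ('throws OpenPaymentsServerRouteError for invalid token …') expects the header alongside a route error, so code and test appear to disagree at this commit. I would guard the `ctx.set` call with `if (err instanceof OpenPaymentsServerRouteError)` and follow it with an unconditional `throw err`.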
@@ -231,14 +231,6 @@ async function getIncomingPayment( accessToken: grant.accessToken }) - // TODO: remove after #2889 is completed - if (!incomingPayment.walletAddress) { - throw new OpenPaymentsClientError('Got invalid incoming payment', { - status: 401, - description: 'Received public incoming payment instead of private' - }) - } - return incomingPayment } catch (err) { const errorMessage = 'Could not get remote incoming payment' From c2422020ee111a16981c7e918393ea30f44ac4ac Mon Sep 17 00:00:00 2001 From: darianm <47156919+DarianM@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:48:49 +0200 Subject: [PATCH 03/12] Update packages/backend/src/open_payments/auth/middleware.ts `authorization` can still be undefined here, when the `canSkipAuthValidation` is false it won't enter the early return statement and will return 401 because of undefined authorization Co-authored-by: Max Kurapov --- packages/backend/src/open_payments/auth/middleware.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index 0691c4a120..fe86b50efc 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -84,7 +84,7 @@ export function createTokenIntrospectionMiddleware({ return } - const authSplit = ctx.request.headers.authorization?.split(' ') + const authSplit = ctx.request.headers.authorization.split(' ') if (authSplit?.length !== 2 || authSplit[0] !== 'GNAP') { throw new OpenPaymentsServerRouteError( 401, From 97afcdfa53c6afe963739e7efca1f162bd524161 Mon Sep 17 00:00:00 2001 From: darianm <47156919+DarianM@users.noreply.github.com> Date: Fri, 1 Nov 2024 15:50:52 +0200 Subject: [PATCH 04/12] redo update middleware.ts --- packages/backend/src/open_payments/auth/middleware.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
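Review bot: Removing the `!incomingPayment.walletAddress` check leaves `getIncomingPayment` with no guard of its own against receiving the public representation; it now depends on the remote resource server answering an invalid or expired token with a 401. That holds for servers running the middleware change in this series, but a peer on an older version, or a different Open Payments implementation, may presumably still return the public payload, which this function would then hand back as if it were the private one. Unless every peer is known to have the new behaviour, I would keep the check as defence in depth and only replace the TODO, e.g. `// guard against peers that still return the public incoming payment for an invalid token`. The function body continues outside the hunk.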
diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index fe86b50efc..0691c4a120 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -84,7 +84,7 @@ export function createTokenIntrospectionMiddleware({ return } - const authSplit = ctx.request.headers.authorization.split(' ') + const authSplit = ctx.request.headers.authorization?.split(' ') if (authSplit?.length !== 2 || authSplit[0] !== 'GNAP') { throw new OpenPaymentsServerRouteError( 401, From dd1b8e3767e5a1f9d48846aba3123b3ba438e893 Mon Sep 17 00:00:00 2001 From: darian Date: Fri, 1 Nov 2024 16:33:16 +0200 Subject: [PATCH 05/12] fix error check --- .../src/open_payments/auth/middleware.ts | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index 0691c4a120..1dd4af3f3e 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -67,11 +67,11 @@ function toOpenPaymentsAccess( export function createTokenIntrospectionMiddleware({ requestType, requestAction, - canSkipAuthValidation = false + bypassError = false }: { requestType: AccessType requestAction: RequestAction - canSkipAuthValidation?: boolean + bypassError?: boolean }) { return async ( ctx: WalletAddressUrlContext, 
@@ -79,19 +79,14 @@ export function createTokenIntrospectionMiddleware({ ): Promise => { const config = await ctx.container.use('config') try { - if (canSkipAuthValidation && !ctx.request.headers.authorization) { - await next() - return - } - - const authSplit = ctx.request.headers.authorization?.split(' ') - if (authSplit?.length !== 2 || authSplit[0] !== 'GNAP') { + const parts = ctx.request.headers.authorization?.split(' ') + if (parts?.length !== 2 || parts[0] !== 'GNAP') { throw new OpenPaymentsServerRouteError( 401, 'Missing or invalid authorization header value' ) } - const token = authSplit[1] + const token = parts[1] const tokenIntrospectionClient = await ctx.container.use( 'tokenIntrospectionClient' ) @@ -151,11 +146,15 @@ export function createTokenIntrospectionMiddleware({ } } } catch (err) { - if (!(err instanceof OpenPaymentsServerRouteError)) { - ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) + if (err instanceof OpenPaymentsServerRouteError) { + throw err } - throw err + ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) + + if (!bypassError) { + throw err + } } await next() @@ -167,11 +166,6 @@ export const authenticatedStatusMiddleware = async ( next: () => Promise ): Promise => { ctx.authenticated = false - if (!ctx.request.headers.authorization) { - await next() - return - } - try { await throwIfSignatureInvalid(ctx) ctx.authenticated = true From e90fb80e42e03d3d42cf9c4b441051e7eef2ac14 Mon Sep 17 00:00:00 2001 From: darian Date: Fri, 1 Nov 2024 16:55:44 +0200 Subject: [PATCH 06/12] createTokenIntrospectionMiddleware changes --- .../src/open_payments/auth/middleware.ts | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index 1dd4af3f3e..b5bccea5d0 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts 
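Review bot: The `catch` restored by this patch lets a request through on an unexpected failure: with `bypassError: true`, any error that is not an `OpenPaymentsServerRouteError` is swallowed and execution reaches `await next()`, so the route runs without a validated token. The `catch` written in 06/12 does the same for every route (only route errors are rethrown) until 07/12 moves `throw err` out of the condition. This patch also renames the option back to `bypassError` while touching only middleware.ts, so the `canSkipAuthValidation: true` callers in app.ts and the tests from 01/12 no longer match the signature at this commit. Squashing 05–07 into one commit would keep a fail-open state out of the history that a bisect or cherry-pick can land on.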
+++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -67,11 +67,11 @@ function toOpenPaymentsAccess( export function createTokenIntrospectionMiddleware({ requestType, requestAction, - bypassError = false + canSkipAuthValidation = false }: { requestType: AccessType requestAction: RequestAction - bypassError?: boolean + canSkipAuthValidation?: boolean }) { return async ( ctx: WalletAddressUrlContext, @@ -79,14 +79,19 @@ export function createTokenIntrospectionMiddleware({ ): Promise => { const config = await ctx.container.use('config') try { - const parts = ctx.request.headers.authorization?.split(' ') - if (parts?.length !== 2 || parts[0] !== 'GNAP') { + if (canSkipAuthValidation && !ctx.request.headers.authorization) { + await next() + return + } + + const authSplit = ctx.request.headers.authorization?.split(' ') + if (authSplit?.length !== 2 || authSplit[0] !== 'GNAP') { throw new OpenPaymentsServerRouteError( 401, 'Missing or invalid authorization header value' ) } - const token = parts[1] + const token = authSplit[1] const tokenIntrospectionClient = await ctx.container.use( 'tokenIntrospectionClient' ) @@ -147,12 +152,7 @@ export function createTokenIntrospectionMiddleware({ } } catch (err) { if (err instanceof OpenPaymentsServerRouteError) { - throw err - } - - ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) - - if (!bypassError) { + ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) throw err } } @@ -166,6 +166,10 @@ export const authenticatedStatusMiddleware = async ( next: () => Promise ): Promise => { ctx.authenticated = false + if (!ctx.request.headers.authorization) { + await next() + return + } try { await throwIfSignatureInvalid(ctx) ctx.authenticated = true From 92b887e9b4b4b174f730ed1b760328cd77016d43 Mon Sep 17 00:00:00 2001 
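Review bot: The early return in the second hunk (`if (canSkipAuthValidation && !ctx.request.headers.authorization)`) has no comment stating what a skipped request looks like downstream. On that path nothing from token introspection is populated (the tests read `ctx.client` and `ctx.grant` only after a successful introspection), so every route created with `canSkipAuthValidation: true` has to treat the request as anonymous and serve only the public representation. I would add above the `if`: `// No Authorization header: continue unauthenticated. ctx.client and ctx.grant stay unset; handlers must return public data only.` and a matching line in a doc comment on the option. The enclosing function starts and ends outside the hunk.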
From: darian Date: Fri, 1 Nov 2024 16:57:20 +0200 Subject: [PATCH 07/12] move throw outside condition --- packages/backend/src/open_payments/auth/middleware.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index b5bccea5d0..7886f63502 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -153,8 +153,9 @@ export function createTokenIntrospectionMiddleware({ } catch (err) { if (err instanceof OpenPaymentsServerRouteError) { ctx.set('WWW-Authenticate', `GNAP as_uri=${config.authServerGrantUrl}`) - throw err } + + throw err } await next() From fa0d4b1a39e6803cb98936f2e452707b7ae24555 Mon Sep 17 00:00:00 2001 From: darian Date: Fri, 1 Nov 2024 20:03:42 +0200 Subject: [PATCH 08/12] remove try catch --- packages/backend/src/open_payments/auth/middleware.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.ts b/packages/backend/src/open_payments/auth/middleware.ts index 7886f63502..1efa7fccc0 100644 --- a/packages/backend/src/open_payments/auth/middleware.ts +++ b/packages/backend/src/open_payments/auth/middleware.ts @@ -171,14 +171,9 @@ export const authenticatedStatusMiddleware = async ( await next() return } - try { - await throwIfSignatureInvalid(ctx) - ctx.authenticated = true - } catch (err) { - if (!(err instanceof OpenPaymentsServerRouteError)) { - throw err - } - } + + await throwIfSignatureInvalid(ctx) + ctx.authenticated = true await next() } From 150a26e2b342fbc5cdbc8c1abc5838abaf6b3559 Mon Sep 17 00:00:00 2001 From: darianm Date: Mon, 4 Nov 2024 13:02:22 +0200 Subject: [PATCH 09/12] fix tests --- .../src/open_payments/auth/middleware.test.ts | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) 
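Review bot: `authenticatedStatusMiddleware` changes meaning in 08/12 without a doc comment: with the `try/catch` gone, a request that carries an Authorization header and fails `throwIfSignatureInvalid` is now rejected instead of continuing with `ctx.authenticated = false`. Since handlers presumably use `ctx.authenticated` to choose between the public and private representation, I would document the contract on the function, e.g. `/** Sets ctx.authenticated. No Authorization header: false, request continues. Header present: the HTTP signature must verify or the error propagates. */`. The presence test `!ctx.request.headers.authorization` added in 06/12 duplicates the one in `createTokenIntrospectionMiddleware`; a small shared helper would keep the two from drifting apart. The function begins outside this hunk.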
diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index adee15f414..db4feb408d 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts @@ -97,9 +97,7 @@ describe('Auth Middleware', (): void => { ctx.request.headers.authorization = '' await expect(middleware(ctx, next)).resolves.toBeUndefined() - expect(ctx.response.get('WWW-Authenticate')).toBe( - `GNAP as_uri=${Config.authServerGrantUrl}` - ) + expect(ctx.response.get('WWW-Authenticate')).toBe('') expect(next).toHaveBeenCalled() }) @@ -555,12 +553,25 @@ describe('authenticatedStatusMiddleware', (): void => { await appContainer.shutdown() }) - test('sets ctx.authenticated to false if http signature is invalid', async (): Promise => { + test('sets ctx.authenticated to false if http signature is invalid and missing auth header', async (): Promise => { const ctx = createContext({ headers: { 'signature-input': '' } }) expect(authenticatedStatusMiddleware(ctx, next)).resolves.toBeUndefined() + expect(next).toHaveBeenCalled() + expect(ctx.authenticated).toBe(false) + }) + + test('sets ctx.authenticated to false if http signature is invalid and existing auth header', async (): Promise => { + const ctx = createContext({ + headers: { 'signature-input': '', authorization: 'GNAP token' } + }) + + expect(authenticatedStatusMiddleware(ctx, next)).rejects.toMatchObject({ + status: 401, + message: 'Signature validation error: missing keyId in signature input' + }) expect(next).not.toHaveBeenCalled() expect(ctx.authenticated).toBe(false) }) From 64518b2d82d95004082d48058a1fb7396e5b4568 Mon Sep 17 00:00:00 2001 From: darian Date: Mon, 4 Nov 2024 15:00:59 +0200 Subject: [PATCH 10/12] change test description --- packages/backend/src/open_payments/auth/middleware.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
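Review bot: In the second hunk, the new test 'sets ctx.authenticated to false if http signature is invalid and existing auth header' calls `expect(authenticatedStatusMiddleware(ctx, next)).rejects.toMatchObject(…)` without `await`, and the `.resolves.toBeUndefined()` call in the test above it has the same form. The assertion promise is not awaited, so the following `expect(next).not.toHaveBeenCalled()` and `expect(ctx.authenticated).toBe(false)` can run before the middleware settles, and a mismatch in the 401 expectation may not fail the test. Prefix both calls with `await`, as the `createTokenIntrospectionMiddleware` tests in this file already do with `await expect(middleware(ctx, next)).rejects.toThrow(…)`.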
diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index db4feb408d..9a2fa5a4e5 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts @@ -97,7 +97,7 @@ describe('Auth Middleware', (): void => { ctx.request.headers.authorization = '' await expect(middleware(ctx, next)).resolves.toBeUndefined() - expect(ctx.response.get('WWW-Authenticate')).toBe('') + expect(ctx.response.get('WWW-Authenticate')).toBeUndefined() expect(next).toHaveBeenCalled() }) @@ -553,7 +553,7 @@ describe('authenticatedStatusMiddleware', (): void => { await appContainer.shutdown() }) - test('sets ctx.authenticated to false if http signature is invalid and missing auth header', async (): Promise => { + test('sets ctx.authenticated to false if missing auth header', async (): Promise => { const ctx = createContext({ headers: { 'signature-input': '' } }) From 940879549c952c6f3ffc943a6c0fdd858b26c8d1 Mon Sep 17 00:00:00 2001 From: darianm Date: Mon, 4 Nov 2024 15:37:48 +0200 Subject: [PATCH 11/12] fix test: change toBeUndefined to toBeFalsy --- .../backend/src/open_payments/auth/middleware.test.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index 9a2fa5a4e5..95174aae2c 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts 
@@ -94,10 +94,10 @@ describe('Auth Middleware', (): void => { requestAction: action, canSkipAuthValidation: true }) - ctx.request.headers.authorization = '' + ctx.request.headers.authorization = undefined await expect(middleware(ctx, next)).resolves.toBeUndefined() - expect(ctx.response.get('WWW-Authenticate')).toBeUndefined() + expect(ctx.response.get('WWW-Authenticate')).toBeFalsy() expect(next).toHaveBeenCalled() }) @@ -506,9 +506,9 @@ describe('Auth Middleware', (): void => { expect(ctx.grant).toEqual( ctxGrant ? { - id: tokenInfo.grant, - limits: ctxLimits ? parseLimits(limits) : undefined - } + id: tokenInfo.grant, + limits: ctxLimits ? parseLimits(limits) : undefined + } : undefined ) } From 040b13276843f6a38cbe812814d996456e56c843 Mon Sep 17 00:00:00 2001 From: darianm Date: Mon, 4 Nov 2024 15:45:56 +0200 Subject: [PATCH 12/12] prettier formating --- packages/backend/src/open_payments/auth/middleware.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/backend/src/open_payments/auth/middleware.test.ts b/packages/backend/src/open_payments/auth/middleware.test.ts index 95174aae2c..26b06dc9da 100644 --- a/packages/backend/src/open_payments/auth/middleware.test.ts +++ b/packages/backend/src/open_payments/auth/middleware.test.ts @@ -506,9 +506,9 @@ describe('Auth Middleware', (): void => { expect(ctx.grant).toEqual( ctxGrant ? { - id: tokenInfo.grant, - limits: ctxLimits ? parseLimits(limits) : undefined - } + id: tokenInfo.grant, + limits: ctxLimits ? parseLimits(limits) : undefined + } : undefined ) }