From 4f51877ef95b4db01304cb9df5ba3a38919e55ff Mon Sep 17 00:00:00 2001
From: Brecci
Date: Tue, 17 Mar 2026 12:13:58 -0300
Subject: [PATCH] fix(auth/middleware): return 401 instead of 500 for malformed tokens

checkAuthorization returned HTTP 500 when JWT parsing failed (malformed/invalid token). The Authorize caller also hardcoded 500, ignoring the returned status code. Now returns 401 Unauthorized for parse failures and the caller respects the returned status code.

X-Lerian-Ref: 0x1
---
 auth/middleware/middleware.go | 6 +++---
 auth/middleware/middleware_test.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/auth/middleware/middleware.go b/auth/middleware/middleware.go
index 8fd225c..3d5acee 100644
--- a/auth/middleware/middleware.go
+++ b/auth/middleware/middleware.go
@@ -200,7 +200,7 @@ func (auth *AuthClient) Authorize(sub, resource, action string) fiber.Handler {
 span.End()
- return c.Status(http.StatusInternalServerError).SendString("Internal Server Error")
+ return c.Status(statusCode).SendString(http.StatusText(statusCode))
 } else if authorized {
 span.End()
@@ -232,7 +232,7 @@ func (auth *AuthClient) checkAuthorization(ctx context.Context, sub, resource, a
 opentelemetry.HandleSpanError(span, "Failed to parse token", err)
- return false, http.StatusInternalServerError, err
+ return false, http.StatusUnauthorized, err
 }
 claims, ok := token.Claims.(jwt.MapClaims)
@@ -243,7 +243,7 @@ func (auth *AuthClient) checkAuthorization(ctx context.Context, sub, resource, a
 opentelemetry.HandleSpanError(span, "Failed to parse claims", err)
- return false, http.StatusInternalServerError, err
+ return false, http.StatusUnauthorized, err
 }
 userType, _ := claims["type"].(string)
diff --git a/auth/middleware/middleware_test.go b/auth/middleware/middleware_test.go
index d0a72f7..3600cc7 100644
--- a/auth/middleware/middleware_test.go
+++ b/auth/middleware/middleware_test.go
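Review bot: The new `c.Status(statusCode).SendString(http.StatusText(statusCode))` sends an empty body, and a status a client cannot interpret, whenever checkAuthorization returns a code that http.StatusText does not know — it returns "" for 0 and for any unlisted value — so any return path in checkAuthorization outside this patch that still yields a zero or non-HTTP code would now surface as a malformed response instead of the previous fixed 500. A small guard in the caller keeps the fix robust: `if http.StatusText(statusCode) == "" { statusCode = http.StatusInternalServerError }` placed just before the return. Keeping the body to the generic status phrase rather than err.Error() is the right choice here; the parse-failure reason belongs in the span, not in the 401 sent to the client. Authorize's body starts and ends outside the hunk.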
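Review bot: Mapping every token-parse error to `http.StatusUnauthorized` at the changed return in checkAuthorization also covers failures that originate on the server side of the parse — if the key function used by the parse call (above the hunk, not visible) fetches or rotates keys, a fetch error would now reach the caller as 401 rather than a 5xx, hiding an outage behind what looks like a bad client token. If that is the case, distinguish the two before returning, e.g. `if errors.Is(err, <key-lookup sentinel from the parser>) { return false, http.StatusInternalServerError, err }`, and keep 401 for malformed, expired or badly signed tokens. The same mapping is applied at the claims hunk (line 243), where a claims value that is not jwt.MapClaims is a parser-configuration problem rather than a client fault, so 500 may remain the more accurate code there. checkAuthorization continues outside both hunks.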
@@ -305,7 +305,7 @@ func TestCheckAuthorization_InvalidToken(t *testing.T) {
 require.Error(t, err)
 assert.False(t, authorized)
- assert.Equal(t, http.StatusInternalServerError, statusCode)
+ assert.Equal(t, http.StatusUnauthorized, statusCode)
 }
 func TestCheckAuthorization_EmptyTypeClaim_TreatedAsNonNormalUser(t *testing.T) {
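Review bot: The updated assertion pins the parse-failure code in checkAuthorization, but nothing in the diff exercises the caller-side change in Authorize (line 200), which is what makes the 401 reachable from an HTTP client; a handler-level test that sends a malformed bearer token through the Fiber app and asserts `http.StatusUnauthorized` on the response status would cover it. The claims-assertion path changed at line 243 likewise has no assertion updated here, assuming no other test already covers it. TestCheckAuthorization_InvalidToken's setup lies outside the hunk.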