fix: nil AuthorizationSchemes skips Authorization header (not any-scheme wildcard)

Co-authored-by: coolaj86 <122831+coolaj86@users.noreply.github.com>

auth/request.go

@@ -16,8 +16,8 @@ var ErrNoCredentials = errors.New("no credentials provided")
 // header tokens, custom token headers, and query-parameter tokens.
 type RequestAuthenticator struct {
 	// AuthorizationSchemes lists accepted schemes for "Authorization: <scheme> <token>".
-	// nil accepts any scheme; a non-nil empty slice skips the Authorization header
-	// entirely; ["*"] also accepts any scheme; ["Bearer", "Token"] restricts to those.
+	// nil or an empty slice skips the Authorization header entirely;
+	// ["*"] accepts any scheme; ["Bearer", "Token"] restricts to those schemes.
 	AuthorizationSchemes []string
 
 	// TokenHeaders lists header names checked for bearer tokens,
@@ -43,14 +43,14 @@ func (ra *RequestAuthenticator) Authenticate(r *http.Request, a BasicAuthenticat
 	}
 
 	// 2. Authorization: <scheme> <token>
-	// nil AuthorizationSchemes accepts any scheme; a non-nil empty slice skips.
-	if ra.AuthorizationSchemes == nil || len(ra.AuthorizationSchemes) > 0 {
+	// AuthorizationSchemes must be non-empty to check the Authorization header;
+	// nil or empty skips it entirely.
+	if len(ra.AuthorizationSchemes) > 0 {
 		if authHeader := r.Header.Get("Authorization"); authHeader != "" {
 			parts := strings.SplitN(authHeader, " ", 2)
 			if len(parts) == 2 {
 				scheme, token := parts[0], strings.TrimSpace(parts[1])
-				if ra.AuthorizationSchemes == nil ||
-					ra.AuthorizationSchemes[0] == "*" ||
+				if ra.AuthorizationSchemes[0] == "*" ||
 					slices.Contains(ra.AuthorizationSchemes, scheme) {
 					return a.Authenticate("", token)
 				}

cmd/auth-proxy/main.go

@@ -593,13 +593,8 @@ func matchPattern(grant, rMethod, rHost, rPath string) bool {
 }
 
 func (cli *MainConfig) authenticate(r *http.Request) (auth.BasicPrinciple, error) {
-	// nil AuthorizationHeaderSchemes means "not configured" → skip Authorization header.
-	schemes := cli.AuthorizationHeaderSchemes
-	if schemes == nil {
-		schemes = []string{} // non-nil empty slice → skip Authorization header
-	}
 	ra := auth.RequestAuthenticator{
-		AuthorizationSchemes: schemes,
+		AuthorizationSchemes: cli.AuthorizationHeaderSchemes,
 		TokenHeaders:         cli.TokenHeaderNames,
 		TokenQueryParams:     cli.QueryParamNames,
 	}

cmd/smsapid/main.go

@@ -36,7 +36,8 @@ var pingWriter jsonl.Writer
 var smsAuth *csvauth.Auth
 
 var smsRequestAuth = &auth.RequestAuthenticator{
-	TokenHeaders: []string{"API-Key", "X-API-Key"},
+	AuthorizationSchemes: []string{"*"},
+	TokenHeaders:         []string{"API-Key", "X-API-Key"},
 }
 
 func main() {