From 886888d6bba1677946eb2e400394753547b03311 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 2 Mar 2026 07:35:22 +0000
Subject: [PATCH] fix: nil AuthorizationSchemes skips Authorization header (not any-scheme wildcard)

Co-authored-by: coolaj86 <122831+coolaj86@users.noreply.github.com>
---
 auth/request.go | 12 ++++++------
 cmd/auth-proxy/main.go | 7 +------
 cmd/smsapid/main.go | 3 ++-
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/auth/request.go b/auth/request.go
index 05c3c44..aef2ed0 100644
--- a/auth/request.go
+++ b/auth/request.go
@@ -16,8 +16,8 @@ var ErrNoCredentials = errors.New("no credentials provided")
 // header tokens, custom token headers, and query-parameter tokens.
 type RequestAuthenticator struct {
 	// AuthorizationSchemes lists accepted schemes for "Authorization: ".
-	// nil accepts any scheme; a non-nil empty slice skips the Authorization header
-	// entirely; ["*"] also accepts any scheme; ["Bearer", "Token"] restricts to those.
+	// nil or an empty slice skips the Authorization header entirely;
+	// ["*"] accepts any scheme; ["Bearer", "Token"] restricts to those schemes.
 	AuthorizationSchemes []string
 
 	// TokenHeaders lists header names checked for bearer tokens,
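Review bot: The rewritten field comment does not say how scheme names are compared, and the matching code in Authenticate uses `slices.Contains`, i.e. an exact case-sensitive string match, so a restrictive list such as ["Bearer"] rejects `Authorization: bearer …` even though RFC 7235 defines auth-scheme as case-insensitive. Operators choosing a scheme list should be told this explicitly. Suggest appending a line to the doc comment: `// Scheme names are matched exactly (case-sensitive), so list every spelling clients may send.` If case-insensitive matching is the intended contract instead, that belongs in the code rather than the comment.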
@@ -43,14 +43,14 @@ func (ra *RequestAuthenticator) Authenticate(r *http.Request, a BasicAuthenticat
 	}
 
 	// 2. Authorization:
-	// nil AuthorizationSchemes accepts any scheme; a non-nil empty slice skips.
-	if ra.AuthorizationSchemes == nil || len(ra.AuthorizationSchemes) > 0 {
+	// AuthorizationSchemes must be non-empty to check the Authorization header;
+	// nil or empty skips it entirely.
+	if len(ra.AuthorizationSchemes) > 0 {
 		if authHeader := r.Header.Get("Authorization"); authHeader != "" {
 			parts := strings.SplitN(authHeader, " ", 2)
 			if len(parts) == 2 {
 				scheme, token := parts[0], strings.TrimSpace(parts[1])
-				if ra.AuthorizationSchemes == nil ||
-					ra.AuthorizationSchemes[0] == "*" ||
+				if ra.AuthorizationSchemes[0] == "*" ||
 					slices.Contains(ra.AuthorizationSchemes, scheme) {
 					return a.Authenticate("", token)
 				}
diff --git a/cmd/auth-proxy/main.go b/cmd/auth-proxy/main.go
index ca9df10..ac5d7df 100644
--- a/cmd/auth-proxy/main.go
+++ b/cmd/auth-proxy/main.go
@@ -593,13 +593,8 @@ func matchPattern(grant, rMethod, rHost, rPath string) bool {
 }
 
 func (cli *MainConfig) authenticate(r *http.Request) (auth.BasicPrinciple, error) {
-	// nil AuthorizationHeaderSchemes means "not configured" → skip Authorization header.
-	schemes := cli.AuthorizationHeaderSchemes
-	if schemes == nil {
-		schemes = []string{} // non-nil empty slice → skip Authorization header
-	}
 	ra := auth.RequestAuthenticator{
-		AuthorizationSchemes: schemes,
+		AuthorizationSchemes: cli.AuthorizationHeaderSchemes,
 		TokenHeaders: cli.TokenHeaderNames,
 		TokenQueryParams: cli.QueryParamNames,
 	}
diff --git a/cmd/smsapid/main.go b/cmd/smsapid/main.go
index 85eb6e0..ac9b968 100644
--- a/cmd/smsapid/main.go
+++ b/cmd/smsapid/main.go
@@ -36,7 +36,8 @@ var pingWriter jsonl.Writer
 var smsAuth *csvauth.Auth
 
 var smsRequestAuth = &auth.RequestAuthenticator{
-	TokenHeaders: []string{"API-Key", "X-API-Key"},
+	AuthorizationSchemes: []string{"*"},
+	TokenHeaders: []string{"API-Key", "X-API-Key"},
 }
 
 func main() {
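Review bot: The wildcard is only honored when it is the first element (`ra.AuthorizationSchemes[0] == "*"`), so a configuration like ["Bearer", "*"] silently degrades to Bearer-only, while the new field comment in this same file says ["*"] accepts any scheme without mentioning position. Either the comment should say the wildcard must be the first entry, or the check should be position-independent: `if slices.Contains(ra.AuthorizationSchemes, "*") || slices.Contains(ra.AuthorizationSchemes, scheme) {`. The scheme comparison is also exact and case-sensitive; if RFC 7235 case-insensitive scheme names are wanted, `slices.ContainsFunc(ra.AuthorizationSchemes, func(s string) bool { return strings.EqualFold(s, scheme) })` would do it with packages already imported here. Authenticate starts and ends outside this hunk, so step 1 and the fallthrough to TokenHeaders/TokenQueryParams are not visible.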
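Review bot: With the nil-to-empty normalization removed, the proxy no longer carries any comment saying what an unset AuthorizationHeaderSchemes means, yet it is the security-relevant default: Authorization headers are ignored entirely unless the operator configures a scheme list. Suggest keeping a one-line comment above the struct literal: `// Unset/empty AuthorizationHeaderSchemes leaves the Authorization header unchecked; ["*"] accepts any scheme.` The authenticate method begins in this hunk but its remainder (what is done with ra) is outside it.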
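Review bot: `AuthorizationSchemes: []string{"*"}` makes smsapid accept any Authorization scheme, so the credential part of a `Basic`, `Digest` or `Negotiate` header is handed to `Authenticate("", token)` as if it were an API key; the other configured sources (API-Key, X-API-Key) suggest bearer-style tokens, so `[]string{"Bearer"}` would be the tighter choice unless clients really send other schemes. If the wildcard is deliberate, it deserves a comment so the next reader does not narrow it by accident; per the removed comment in auth/request.go this appears to preserve the pre-fix behavior where a nil list accepted any scheme: `AuthorizationSchemes: []string{"*"}, // any scheme: preserves the former nil-means-any behavior`. The enclosing var block and main are otherwise outside the hunk.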