From 0fcbeb36e33fe0532ed70213e8779f7222db56e3 Mon Sep 17 00:00:00 2001
From: tjacovich <tjacovich@cfa.harvard.edu>
Date: Wed, 11 Jun 2025 11:31:16 -0400
Subject: [PATCH 1/4] Add more informative 401 error.

---
 apigateway/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigateway/app.py b/apigateway/app.py
index 7ec410a..2008447 100644
--- a/apigateway/app.py
+++ b/apigateway/app.py
@@ -135,7 +135,7 @@ def no_client_error(e):
 
     @app.errorhandler(401)
     def on_401(e):
-        return jsonify({"message": "Unauthorized"}), 401
+        return jsonify({"message": "Unauthorized. If you are using the API, please confirm your Authorization header is of the form Bearer TOKEN and not Bearer:TOKEN"}), 401
 
     @app.errorhandler(405)
     def on_405(e):

From 90f5e2302764cdc1923d31c1c41afa27620ad809 Mon Sep 17 00:00:00 2001
From: tjacovich <tjacovich@cfa.harvard.edu>
Date: Thu, 12 Jun 2025 09:51:50 -0400
Subject: [PATCH 2/4] Commit first stab at testing 401.

---
 apigateway/tests/test_services.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/apigateway/tests/test_services.py b/apigateway/tests/test_services.py
index ef9d283..2fc9a78 100644
--- a/apigateway/tests/test_services.py
+++ b/apigateway/tests/test_services.py
@@ -110,6 +110,25 @@ def test_route():
 
             assert "X-api-uid" in request.headers
 
+    def test_invalid_auth_headers_set(self, app, mock_regular_user):
+        _, token = app.auth_service.bootstrap_user()
+
+        @app.route("/test_invalid_auth_headers_set")
+        def test_invalid_route():
+            pass
+
+        with app.test_request_context(
+            "/test_invalid_auth_headers_set",
+            headers={
+                "Authorization": "Bearer:" + token.access_token,
+            },
+        ):
+            # Manually call before_request functions
+            for func in app.before_request_funcs[None]:
+                func()
+
+            assert request.status_code==401
+
     def test_headers_not_set(self, app):
 
         @app.route("/test_auth_headers_not_set")

From d6bcba4ee10efbb10ef826481ba47d4d71fba094 Mon Sep 17 00:00:00 2001
From: tjacovich <tjacovich@cfa.harvard.edu>
Date: Thu, 12 Jun 2025 13:28:08 -0400
Subject: [PATCH 3/4] Relocated 401 update into GatewayProtectorView where
 error is actually being handled.

---
 apigateway/app.py   | 4 ++--
 apigateway/utils.py | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/apigateway/app.py b/apigateway/app.py
index 2008447..39fc138 100644
--- a/apigateway/app.py
+++ b/apigateway/app.py
@@ -85,7 +85,7 @@ def unauthorized():
         This overrides the default behavior or re-directing to a login view
         """
         abort(401)
-    
+        
     @app.teardown_request
     def teardown_request(exception=None):
         """This function will close active transaction, if there is one
@@ -135,7 +135,7 @@ def no_client_error(e):
 
     @app.errorhandler(401)
     def on_401(e):
-        return jsonify({"message": "Unauthorized. If you are using the API, please confirm your Authorization header is of the form Bearer TOKEN and not Bearer:TOKEN"}), 401
+        return jsonify({"message": "Unauthorized"}), 401
 
     @app.errorhandler(405)
     def on_405(e):
diff --git a/apigateway/utils.py b/apigateway/utils.py
index bf3b934..3f7946d 100644
--- a/apigateway/utils.py
+++ b/apigateway/utils.py
@@ -7,6 +7,7 @@
 
 import jsondiff as jd
 import requests
+from authlib.oauth2.rfc6749.errors import UnsupportedTokenTypeError
 from authlib.integrations.flask_oauth2 import ResourceProtector
 from flask import Request, current_app, request
 from flask.views import View
@@ -259,6 +260,10 @@ def _construct_remote_url(self) -> str:
 class GatewayResourceProtector(ResourceProtector):
     def raise_error_response(self, error):
         body = json.dumps(dict({"message": error.description}))
+        if type(error)==UnsupportedTokenTypeError:
+            current_app.logger.info("Token not recognized as a Bearer Token.")
+            body="Unauthorized. If you are using the API, please confirm your Authorization header is of the form Bearer TOKEN and not Bearer:TOKEN"
+            raise Oauth2HttpError(error.status_code, error.description, body, error.get_headers())
         raise Oauth2HttpError(error.status_code, error.description, body, error.get_headers())
 
 

From a99cdc750384b41076c5c80c93ede4f25e79bd58 Mon Sep 17 00:00:00 2001
From: tjacovich <tjacovich@cfa.harvard.edu>
Date: Thu, 12 Jun 2025 13:32:43 -0400
Subject: [PATCH 4/4] Remove test invalid authorization.

---
 apigateway/tests/test_services.py | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/apigateway/tests/test_services.py b/apigateway/tests/test_services.py
index 2fc9a78..b4225a1 100644
--- a/apigateway/tests/test_services.py
+++ b/apigateway/tests/test_services.py
@@ -110,24 +110,6 @@ def test_route():
 
             assert "X-api-uid" in request.headers
 
-    def test_invalid_auth_headers_set(self, app, mock_regular_user):
-        _, token = app.auth_service.bootstrap_user()
-
-        @app.route("/test_invalid_auth_headers_set")
-        def test_invalid_route():
-            pass
-
-        with app.test_request_context(
-            "/test_invalid_auth_headers_set",
-            headers={
-                "Authorization": "Bearer:" + token.access_token,
-            },
-        ):
-            # Manually call before_request functions
-            for func in app.before_request_funcs[None]:
-                func()
-
-            assert request.status_code==401
 
     def test_headers_not_set(self, app):