
feat(oidc): support access token in body for user info post#769

Merged: Rycochet merged 1 commit into tinyauthapp:main from scottmckendry:oidcc-userinfo-post-body on Apr 8, 2026

Conversation

@scottmckendry scottmckendry (Member) commented Apr 7, 2026

Add support for access token in body for post request to /userinfo

Resolves a warning (soft failure) in the OIDC suite:

Before: [image]

After: [image]

Summary by CodeRabbit

  • New Features

    • Accept access tokens submitted via POST with application/x-www-form-urlencoded as an alternative to Authorization headers.
  • Bug Fixes

    • Return more specific HTTP statuses and JSON error codes for missing, malformed, or unsupported Authorization headers.
    • Reject POSTs with incorrect content types or missing/empty form tokens.
  • Tests

    • Added coverage for header validation, form token submission, and content-type handling.

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Apr 7, 2026
@codecov codecov Bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 19.91%. Comparing base (0d286d1) to head (3cc72bc).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #769      +/-   ##
==========================================
+ Coverage   19.14%   19.91%   +0.77%     
==========================================
  Files          50       50              
  Lines        3918     3941      +23     
==========================================
+ Hits          750      785      +35     
+ Misses       3095     3085      -10     
+ Partials       73       71       -2     


@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Apr 7, 2026
@scottmckendry scottmckendry force-pushed the oidcc-userinfo-post-body branch 2 times, most recently from 8b85239 to 2e383ae Compare April 7, 2026 23:31
@coderabbitai coderabbitai Bot (Contributor) commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between dd448c9 and 3cc72bc.

📒 Files selected for processing (2)
  • internal/controller/oidc_controller.go
  • internal/controller/oidc_controller_test.go

Walkthrough

Userinfo handler now conditionally parses the Authorization header, returns invalid_request for malformed or non-Bearer auth, and for POST requests accepts an application/x-www-form-urlencoded access_token fallback with content-type and presence validation.

Changes

Cohort / File(s) and Summary:
  • Authorization & Token Extraction (internal/controller/oidc_controller.go): Refactored Userinfo token extraction: only parse Authorization when present; return 401 with error: invalid_request for a malformed header or non-Bearer schemes; for POST, accept access_token from application/x-www-form-urlencoded with content-type and presence checks; otherwise return 401 invalid_request.
  • Handler Tests (internal/controller/oidc_controller_test.go): Added GET and POST test cases covering missing Authorization, malformed Authorization: Bearer (no token), unsupported auth schemes, empty Bearer token, rejecting non-form POST content-type, rejecting missing/empty access_token, and accepting access_token via form-encoded POST.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant API as OIDC Userinfo Handler
    participant Store as Token Store / DB

    Client->>API: GET/POST /api/oidc/userinfo (Authorization header?)
    alt Authorization header present
        API->>API: parse Authorization
        alt malformed or non-Bearer
            API-->>Client: 401 { "error":"invalid_request" or "invalid_grant" }
        else valid Bearer token
            API->>Store: lookup access token
            Store-->>API: token record
            API-->>Client: 200 userinfo / 401 error
        end
    else No Authorization header
        alt POST & content-type form-url-encoded
            Client->>API: form body containing access_token
            API->>Store: lookup access token
            Store-->>API: token record
            API-->>Client: 200 userinfo / 401 error
        else POST with wrong content-type or non-POST
            API-->>Client: 400 or 401 { "error":"invalid_request" }
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Rycochet

Poem

🐰 I sniffed the header, then peered at the form,
If Bearer is broken or the Content-Type's wrong,
I hop to the store, fetch the token I seek,
Sub or error I answer — precise, never weak. 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title accurately describes the main change: adding support for access tokens in the POST body for the user info endpoint, which directly resolves the OIDC compliance warning shown in the PR objectives.


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/controller/oidc_controller.go`:
  • Around line 403-404: The content-type check in the OIDC userinfo POST handler uses c.GetHeader("Content-Type"), which fails when parameters like charset are present; replace that check with Gin's c.ContentType() (e.g. change the condition currently using c.GetHeader("Content-Type") in the handler to c.ContentType() != "application/x-www-form-urlencoded") so Content-Type parameters are ignored, while keeping the existing warning log (tlog.App.Warn().Msg(...)) and behavior otherwise.


📥 Commits

Reviewing files that changed from the base of the PR and between 0d286d1 and 2e383ae.

📒 Files selected for processing (2)
  • internal/controller/oidc_controller.go
  • internal/controller/oidc_controller_test.go
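
The token lookup order from the walkthrough and the Content-Type point from the review comment above, as an added example that is not tinyauth's code: it is written against net/http rather than Gin, and the function names, the request builder and the split between 401 (credential problems) and 400 (bad POST body) are assumptions. mime.ParseMediaType plays the role the review comment assigns to c.ContentType(), so a "; charset=utf-8" parameter no longer defeats the form-encoding check.

```go
package main

import (
	"mime"
	"net/http"
	"strings"
)

// Either a token to look up (Status 200) or the status and error code to return.
type tokenResult struct {
	Token, ErrCode string
	Status         int
}

// extractUserinfoToken follows the order in the PR walkthrough: Authorization
// header when present (RFC 6750 section 2.1), else a form-encoded access_token
// on POST (RFC 6750 section 2.2). The 401/400 split is an assumption.
func extractUserinfoToken(r *http.Request) tokenResult {
	if auth := r.Header.Get("Authorization"); auth != "" {
		// "Bearer" alone, "Bearer " and non-Bearer schemes are all rejected.
		scheme, token, _ := strings.Cut(auth, " ")
		if !strings.EqualFold(scheme, "Bearer") || strings.TrimSpace(token) == "" {
			return tokenResult{Status: http.StatusUnauthorized, ErrCode: "invalid_request"}
		}
		return tokenResult{Token: strings.TrimSpace(token), Status: http.StatusOK}
	}
	if r.Method != http.MethodPost {
		return tokenResult{Status: http.StatusUnauthorized, ErrCode: "invalid_request"}
	}
	// ParseMediaType drops parameters such as "; charset=utf-8" that break a raw comparison.
	mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mediaType != "application/x-www-form-urlencoded" {
		return tokenResult{Status: http.StatusBadRequest, ErrCode: "invalid_request"}
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("access_token") == "" {
		return tokenResult{Status: http.StatusBadRequest, ErrCode: "invalid_request"}
	}
	return tokenResult{Token: r.PostForm.Get("access_token"), Status: http.StatusOK}
}

// newUserinfoRequest builds a constructed request; empty header values are omitted.
func newUserinfoRequest(method, auth, contentType, body string) *http.Request {
	r, _ := http.NewRequest(method, "http://localhost/api/oidc/userinfo", strings.NewReader(body))
	for k, v := range map[string]string{"Authorization": auth, "Content-Type": contentType} {
		if v != "" {
			r.Header.Set(k, v)
		}
	}
	return r
}
```

When both a valid header and a form token are present the header wins, matching the walkthrough's "only parse Authorization when present" ordering.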

@scottmckendry scottmckendry force-pushed the oidcc-userinfo-post-body branch from 2e383ae to dd448c9 Compare April 8, 2026 02:16
Rycochet previously approved these changes Apr 8, 2026

@Rycochet Rycochet (Collaborator) left a comment

Looks good - I'd like the test order to be tweaked slightly (including the 2 tests already touching userinfo) - "Bearer", "Bearer ", "Bearer invalid-access-token", etc - sort of in an escalating order of what they're testing - but not important (and that test file is getting somewhat long 😅)

@scottmckendry scottmckendry (Member, Author) commented

@Rycochet tests have been re-ordered to a more sensible order (IMO). Hopefully you agree 🙂

@scottmckendry scottmckendry requested a review from Rycochet April 8, 2026 08:43
@Rycochet Rycochet merged commit 646e24d into tinyauthapp:main Apr 8, 2026
4 checks passed