fix(backend): return 401 for expired tokens in ValidateProjectContext

[jeremyeder]

Summary

• Return HTTP 401 (not 500) when a ServiceAccount token expires during the SSAR check in ValidateProjectContext middleware
• Add 7 unit tests covering all ValidateProjectContext response paths (401 expired, 401 no token, 403 denied, 500 server error, 400 invalid name, 200 allowed)

Context

When runner pods have long-running sessions, their ServiceAccount tokens can expire. The K8s API returns Unauthorized on the SSAR call, but the middleware was catching all errors as a generic 500. This prevents the runner from detecting token expiration and refreshing.

Replaces #446 which was 112 commits behind main and included unrelated changes.

Note: The operator/runner-side token volume mount and reload logic from #446 still needs to be re-implemented against current main (the runner-shell component was removed). Filed as a separate concern.

Fixes #445

Test plan

• All 7 ValidateProjectContext unit tests pass
• gofmt, go vet clean
• CI passes

🤖 Generated with Claude Code

[github-actions]

Claude Code Review

Summary

This PR correctly fixes a critical authentication issue where expired ServiceAccount tokens returned HTTP 500 instead of 401. The fix properly distinguishes between token expiration (401) and other API errors (500), enabling runner pods to detect and refresh expired tokens. The implementation includes comprehensive unit tests covering all middleware response paths.

Issues by Severity

Blocker Issues

None.

Critical Issues

None.

Major Issues

1. Test isolation improvement needed (validate_project_context_test.go:23)

• Issue: Tests directly mutate package-level global handlers.BaseKubeConfig without proper cleanup guarantees
• Current pattern: Uses defer to set to nil
• Recommended pattern: Use t.Cleanup to restore original value (see k8s_clients_for_request_integration_test.go:59-61)
• Why: t.Cleanup ensures cleanup even if test panics and restores original value instead of setting to nil

2. Test documentation could be clearer (validate_project_context_test.go:172)

• Issue: Test TestValidateProjectContext_Forbidden_Returns403 has misleading name
• Current: Test name says Returns403 but assertion expects 500
• Why this is correct: K8s API returning 403 on SSAR create is an API error (not an SSAR denial), so middleware correctly returns 500
• Recommendation: Rename test to TestValidateProjectContext_K8sForbidden_Returns500 or add comment explaining why 500 is expected

Minor Issues

1. Missing test coverage for edge cases

• Missing: Test for malformed K8s API response (invalid JSON)
• Missing: Test for empty project name edge case
• Current coverage: 7 tests cover happy path, auth errors, validation errors
• Recommendation: Add 2 more tests for robustness (not blocking)

2. Test helper function could be more reusable

• Issue: fakeK8sAPI helper only accepts status code and body
• Improvement: Could accept optional headers map for testing edge cases
• Priority: Low - current implementation works fine

Positive Highlights

Excellent adherence to security standards

• Follows established error handling patterns
• Properly distinguishes auth errors (401) from server errors (500)
• Uses errors.IsUnauthorized(err) helper correctly

Comprehensive test coverage

• 7 tests cover all response paths
• Tests use clear helper functions
• Follows repository testing patterns

Minimal, focused change

• Only 5 lines changed in production code
• Avoids over-engineering
• No scope creep from original PR 446

Clear documentation

• PR description explains context
• Test names are descriptive
• Code comments explain behavior

Proper error logging

• Maintains existing log statement with context
• Does not expose internal errors to API responses

Recommendations

High Priority (before merge):

1. Update test cleanup pattern to use t.Cleanup instead of defer for safety
2. Rename TestValidateProjectContext_Forbidden_Returns403 to match actual behavior (returns 500)

Low Priority (optional):
3. Add test for malformed JSON response from K8s API
4. Add test for empty project name edge case
5. Consider adding comment in middleware.go explaining why K8s 403 on SSAR returns 500

Final Assessment

Ready to merge after addressing the two high-priority recommendations. The core fix is correct, well-tested, and follows all repository standards. This PR successfully resolves issue 445 and enables proper token refresh in runner pods.

Code Quality: A-
Security: A+
Testing: A
Architecture: A

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.