fix: invalid domain should result in HTTP 403 (forbidden), not 401 (n…

…ot authorized).

internal/server/handlers.go

@@ -26,7 +26,7 @@ func ForwardAuthHandler(domains domains.Domains, oauthHandlers map[domains.Domai
 		domain, ok := domains.Domain(r.URL)
 		if !ok {
 			logger.Warn("host doesn't match any configured domains", "host", r.URL.Host)
-			http.Error(w, "Not authorized", http.StatusUnauthorized)
+			http.Error(w, "Forbidden: "+string(domain)+" is not an allowed domain", http.StatusForbidden)
 			return
 		}
 

internal/server/metrics_test.go

@@ -32,7 +32,7 @@ func TestServer_withMetrics(t *testing.T) {
 	r.AddCookie(c)
 	w = httptest.NewRecorder()
 	s.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusUnauthorized, w.Code)
+	assert.Equal(t, http.StatusForbidden, w.Code)
 
 	r = testutils.ForwardAuthRequest(http.MethodGet, "https://example.com/foo")
 	c, _ = authenticator.CookieWithSignedToken("foo@example.com", "example.com")
@@ -47,7 +47,7 @@ func TestServer_withMetrics(t *testing.T) {
 http_requests_total{code="200",host="example.com",path="/",provider="foo",user="foo@example.com"} 1
 http_requests_total{code="307",host="example.com",path="/",provider="foo",user=""} 1
 http_requests_total{code="401",host="example.com",path="/_oauth",provider="foo",user=""} 1
-http_requests_total{code="401",host="example.org",path="/",provider="foo",user="foo@example.com"} 1
+http_requests_total{code="403",host="example.org",path="/",provider="foo",user="foo@example.com"} 1
 
 `), "http_requests_total"))
 

internal/server/server_test.go

@@ -67,7 +67,7 @@ func TestForwardAuthHandler(t *testing.T) {
 				target: "https://example.org",
 				cookie: validSession,
 			},
-			want: http.StatusUnauthorized,
+			want: http.StatusForbidden,
 		},
 		{
 			name: "valid cookie",