From 166afadb10e17f88dee23a290baa9132b6fe733a Mon Sep 17 00:00:00 2001
From: Giannis Katsanos <giannis@clerk.dev>
Date: Thu, 22 Feb 2024 18:17:17 +0200
Subject: [PATCH] fix: Auth middleware params should not be mutated (#261)

Applying authentication options should happen inside the handler to
avoid the authorization parameters from getting mutated on each handler
execution.
---
 http/middleware.go | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/http/middleware.go b/http/middleware.go
index 876ad57..d339f9a 100644
--- a/http/middleware.go
+++ b/http/middleware.go
@@ -36,20 +36,15 @@ func RequireHeaderAuthorization(opts ...AuthorizationOption) func(http.Handler)
 // is expected to have the following format:
 // Authorization: Bearer <token>
 func WithHeaderAuthorization(opts ...AuthorizationOption) func(http.Handler) http.Handler {
-	var paramsErr error
-	params := &AuthorizationParams{}
-	for _, opt := range opts {
-		paramsErr = opt(params)
-		if paramsErr != nil {
-			break
-		}
-	}
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if paramsErr != nil {
-				w.WriteHeader(http.StatusUnauthorized)
-				return
+			params := &AuthorizationParams{}
+			for _, opt := range opts {
+				err := opt(params)
+				if err != nil {
+					w.WriteHeader(http.StatusUnauthorized)
+					return
+				}
 			}
 
 			authorization := strings.TrimSpace(r.Header.Get("Authorization"))