Allow `RequireHeaderAuthorization` Middleware to Support Custom HTTP Status Code and Error Message

[deveasyclick]

The RequireHeaderAuthorization middleware currently throws a 403 Forbidden status code when authorization fails. However, in many cases, a 401 Unauthorized status code is more appropriate per HTTP standards, as it indicates missing or invalid authentication credentials. Additionally, there’s no way to customize the error message to provide more context to the client.

I had to create a custom middleware to replicate the functionality of RequireHeaderAuthorization but return a 401 status code and a custom error message. This workaround is not ideal, as it duplicates code.

Proposed Solution

Add configuration options to RequireHeaderAuthorization to allow developers to specify:

• A custom HTTP status code (e.g., 401 instead of 403).
• A custom error message to be returned in the response body.

[Jibaru]

Currently, adding a new configuration option can break compatibility because it changes the signature of the RequireHeaderAuthorization middleware.

The AuthorizationFailureHandler field from AuthorizationParams could be reused in the middleware, but its purpose is not to serve as a response handler in the middleware I think. A new handler could also be added to AuthorizationParams to handle this middleware error case, but again, I think those params shouldn't be used there.

I prefer the idea of ​​introducing a new function that does what you propose, simply because it wouldn't break the current use of the existing middleware. Something like this:

func RequireHeaderAuthorization(opts ...AuthorizationOption) func(http.Handler) http.Handler {
	return RequireHeaderAuthorizationWithFailureHandler(nil, opts...)
}

func RequireHeaderAuthorizationWithFailureHandler(
	failureHandler http.Handler,
	opts ...AuthorizationOption,
) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return WithHeaderAuthorization(opts...)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			claims, ok := clerk.SessionClaimsFromContext(r.Context())
			if !ok || claims == nil {
				// use provided failure handler if set
				if failureHandler != nil {
					failureHandler.ServeHTTP(w, r)
					return
				}
				// default (same as old behavior)
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		}))
	}
}

But doing it this way doesn't seem to follow the same pattern configuration variadic fns.