From 8956f32e81cc24e1c4fb07b54f5060b1cffebbdf Mon Sep 17 00:00:00 2001 From: Rusty Conover Date: Sat, 13 Jun 2026 09:56:30 -0400 Subject: [PATCH] test(bearer): expect the no-credentials 401 at ATTACH, not on a later query MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The extension calls catalog_attach eagerly during ATTACH, so when a bearer-protected server returns 401 without an OAuth challenge, vgi_http_client raises the actionable "advertised no OAuth challenge" diagnostic at ATTACH time (it can only produce the clean message while the URL is in scope). The test previously expected ATTACH to succeed and the error to surface on a following SELECT, which fails against the worker — the ATTACH itself raises. Make the no-credentials case a `statement error` on the ATTACH expecting the same message. Verified against the vgi-python reference worker (full pass). Co-Authored-By: Claude Opus 4.8 --- .../integration/bearer_auth/bearer_token.test | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/test/sql/integration/bearer_auth/bearer_token.test b/test/sql/integration/bearer_auth/bearer_token.test index 3b96a7d..e38a8a8 100644 --- a/test/sql/integration/bearer_auth/bearer_token.test +++ b/test/sql/integration/bearer_auth/bearer_token.test @@ -61,19 +61,15 @@ ATTACH 'example' AS example_both (TYPE vgi, LOCATION '${VGI_TEST_WORKER}', beare Cannot specify both bearer_token and oauth_refresh_token # ============================================================================ -# ATTACH without any credentials against a bearer-protected server yields a -# clean diagnostic — not the legacy "VGI OAuth: resource metadata URL must -# use HTTPS:" message that surfaced when the default OAuthCatalogAuth tried -# to feed an empty challenge into the OAuth discovery flow. +# ATTACH without any credentials against a bearer-protected server fails fast +# with a clean diagnostic. The extension calls catalog_attach eagerly during +# ATTACH, so the 401 surfaces here — at ATTACH — not on a later query. (The +# diagnostic is the actionable "no OAuth challenge" message, not the legacy +# "VGI OAuth: resource metadata URL must use HTTPS:" that surfaced when the +# default OAuthCatalogAuth fed an empty challenge into the OAuth discovery flow.) # ============================================================================ -statement ok -ATTACH 'example' AS example_no_auth (TYPE vgi, LOCATION '${VGI_TEST_WORKER}'); - statement error -SELECT example_no_auth.double(1); +ATTACH 'example' AS example_no_auth (TYPE vgi, LOCATION '${VGI_TEST_WORKER}'); ---- The server requires authentication but advertised no OAuth challenge - -statement ok -DETACH example_no_auth;