fix: return JSON response for unmatched routes instead of plain text (#2457)

cemalkilic · web-flow · commit 7337e21c288c · 2026-04-02T16:01:44.000+02:00
## What kind of change does this PR introduce?

Fix

## Summary

Routes behind feature flags (e.g. OAuthServer, CustomOAuth) return chi's
default plain text "404 page not found" when disabled. Register custom
NotFound and MethodNotAllowed handlers on the router so all unmatched
routes return structured JSON errors consistent with the rest of the
API.

Fixes inconsistent `content-type: text/plain` responses when
feature-gated routes (OAuthServer, CustomOAuth) are disabled

## Test plan
- [x] Hit a disabled route (e.g. `/oauth/clients/register` with
`OAuthServer.Enabled=false`) and verify JSON 404 response with
`error_code: "route_not_found"`
diff --git a/internal/api/api.go b/internal/api/api.go
@@ -200,9 +200,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	// Both OIDC Discovery and OAuth Authorization Server Metadata use the same unified handler
 	// OIDC Discovery is an extension of RFC 8414, so one response satisfies both specs
 	r.Get("/.well-known/openid-configuration", api.WellKnownOpenID)
-	if globalConfig.OAuthServer.Enabled {
-		r.Get("/.well-known/oauth-authorization-server", api.WellKnownOpenID)
-	}
+	r.With(api.requireOAuthServerEnabled).Get("/.well-known/oauth-authorization-server", api.WellKnownOpenID)
 
 	r.Route("/callback", func(r *router) {
 		r.Use(api.isValidExternalHost)
@@ -285,13 +283,12 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				r.Delete("/{identity_id}", api.DeleteIdentity)
 			})
 
-			// OAuth grant management endpoints (only if OAuth server is enabled)
-			if globalConfig.OAuthServer.Enabled {
-				r.Route("/oauth/grants", func(r *router) {
-					r.Get("/", api.oauthServer.UserListOAuthGrants)
-					r.Delete("/", api.oauthServer.UserRevokeOAuthGrant)
-				})
-			}
+			// OAuth grant management endpoints
+			r.Route("/oauth/grants", func(r *router) {
+				r.Use(api.requireOAuthServerEnabled)
+				r.Get("/", api.oauthServer.UserListOAuthGrants)
+				r.Delete("/", api.oauthServer.UserRevokeOAuthGrant)
+			})
 		})
 
 		r.With(api.requireAuthentication).Route("/factors", func(r *router) {
@@ -397,60 +394,57 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			})
 
 			// Admin only oauth client management endpoints
-			if globalConfig.OAuthServer.Enabled {
-				r.Route("/oauth", func(r *router) {
-					r.Route("/clients", func(r *router) {
-						// Manual client registration
-						r.Post("/", api.oauthServer.AdminOAuthServerClientRegister)
-
-						r.Get("/", api.oauthServer.OAuthServerClientList)
-
-						r.Route("/{client_id}", func(r *router) {
-							r.Use(api.oauthServer.LoadOAuthServerClient)
-							r.Get("/", api.oauthServer.OAuthServerClientGet)
-							r.Put("/", api.oauthServer.OAuthServerClientUpdate)
-							r.Delete("/", api.oauthServer.OAuthServerClientDelete)
-							r.Post("/regenerate_secret", api.oauthServer.OAuthServerClientRegenerateSecret)
-						})
+			r.Route("/oauth", func(r *router) {
+				r.Use(api.requireOAuthServerEnabled)
+				r.Route("/clients", func(r *router) {
+					// Manual client registration
+					r.Post("/", api.oauthServer.AdminOAuthServerClientRegister)
+
+					r.Get("/", api.oauthServer.OAuthServerClientList)
+
+					r.Route("/{client_id}", func(r *router) {
+						r.Use(api.oauthServer.LoadOAuthServerClient)
+						r.Get("/", api.oauthServer.OAuthServerClientGet)
+						r.Put("/", api.oauthServer.OAuthServerClientUpdate)
+						r.Delete("/", api.oauthServer.OAuthServerClientDelete)
+						r.Post("/regenerate_secret", api.oauthServer.OAuthServerClientRegenerateSecret)
 					})
 				})
-			}
+			})
 
 			// Custom OAuth/OIDC provider management endpoints
-			if globalConfig.CustomOAuth.Enabled {
-				r.Route("/custom-providers", func(r *router) {
-					// supports both OAuth2 and OIDC via provider_type)
-					r.Get("/", api.adminCustomOAuthProvidersList)   // Optional ?type=oauth2 or ?type=oidc filter
-					r.Post("/", api.adminCustomOAuthProviderCreate) // provider_type in request body
-
-					r.Route("/{identifier}", func(r *router) {
-						r.Get("/", api.adminCustomOAuthProviderGet)
-						r.Put("/", api.adminCustomOAuthProviderUpdate)
-						r.Delete("/", api.adminCustomOAuthProviderDelete)
-					})
+			r.Route("/custom-providers", func(r *router) {
+				r.Use(api.requireCustomOAuthEnabled)
+				// supports both OAuth2 and OIDC via provider_type)
+				r.Get("/", api.adminCustomOAuthProvidersList)   // Optional ?type=oauth2 or ?type=oidc filter
+				r.Post("/", api.adminCustomOAuthProviderCreate) // provider_type in request body
+
+				r.Route("/{identifier}", func(r *router) {
+					r.Get("/", api.adminCustomOAuthProviderGet)
+					r.Put("/", api.adminCustomOAuthProviderUpdate)
+					r.Delete("/", api.adminCustomOAuthProviderDelete)
 				})
-			}
+			})
 		})
 
 		// OAuth Dynamic Client Registration endpoint (public, rate limited)
-		if globalConfig.OAuthServer.Enabled {
-			r.Route("/oauth", func(r *router) {
-				r.With(api.limitHandler(api.limiterOpts.OAuthClientRegister)).
-					Post("/clients/register", api.oauthServer.OAuthServerClientDynamicRegister)
-
-				// OAuth Token endpoint (public, with client authentication)
-				r.With(api.requireOAuthClientAuth).Post("/token", api.oauthServer.OAuthToken)
-
-				// OIDC UserInfo endpoint (requires user authentication via Bearer token)
-				r.With(api.requireAuthentication).Get("/userinfo", api.oauthServer.OAuthUserInfo)
-
-				// OAuth 2.1 Authorization endpoints
-				// `/authorize` to initiate OAuth2 authorization code flow where Supabase Auth is the OAuth2 provider
-				r.Get("/authorize", api.oauthServer.OAuthServerAuthorize)
-				r.With(api.requireAuthentication).Get("/authorizations/{authorization_id}", api.oauthServer.OAuthServerGetAuthorization)
-				r.With(api.requireAuthentication).Post("/authorizations/{authorization_id}/consent", api.oauthServer.OAuthServerConsent)
-			})
-		}
+		r.Route("/oauth", func(r *router) {
+			r.Use(api.requireOAuthServerEnabled)
+			r.With(api.limitHandler(api.limiterOpts.OAuthClientRegister)).
+				Post("/clients/register", api.oauthServer.OAuthServerClientDynamicRegister)
+
+			// OAuth Token endpoint (public, with client authentication)
+			r.With(api.requireOAuthClientAuth).Post("/token", api.oauthServer.OAuthToken)
+
+			// OIDC UserInfo endpoint (requires user authentication via Bearer token)
+			r.With(api.requireAuthentication).Get("/userinfo", api.oauthServer.OAuthUserInfo)
+
+			// OAuth 2.1 Authorization endpoints
+			// `/authorize` to initiate OAuth2 authorization code flow where Supabase Auth is the OAuth2 provider
+			r.Get("/authorize", api.oauthServer.OAuthServerAuthorize)
+			r.With(api.requireAuthentication).Get("/authorizations/{authorization_id}", api.oauthServer.OAuthServerGetAuthorization)
+			r.With(api.requireAuthentication).Post("/authorizations/{authorization_id}/consent", api.oauthServer.OAuthServerConsent)
+		})
 	})
 
 	corsHandler := cors.New(cors.Options{
diff --git a/internal/api/api_test.go b/internal/api/api_test.go
@@ -1,13 +1,18 @@
 package api
 
 import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/storage"
 	"github.com/supabase/auth/internal/storage/test"
+
+	"github.com/supabase/auth/internal/api/apierrors"
 )
 
 const (
@@ -77,6 +82,66 @@ func TestOAuthServerDisabledByDefault(t *testing.T) {
 	require.Nil(t, api.oauthServer)
 }
 
+func TestDisabledFeatureReturnsJSON(t *testing.T) {
+	cases := []struct {
+		name      string
+		method    string
+		path      string
+		errorCode string
+		setup     func(*conf.GlobalConfiguration)
+	}{
+		{
+			name:      "OAuthServer disabled returns JSON on /oauth/token",
+			method:    http.MethodPost,
+			path:      "http://localhost/oauth/token",
+			errorCode: apierrors.ErrorCodeFeatureDisabled,
+			setup: func(c *conf.GlobalConfiguration) {
+				c.OAuthServer.Enabled = false
+			},
+		},
+		{
+			name:      "OAuthServer disabled returns JSON on /oauth/clients/register",
+			method:    http.MethodPost,
+			path:      "http://localhost/oauth/clients/register",
+			errorCode: apierrors.ErrorCodeFeatureDisabled,
+			setup: func(c *conf.GlobalConfiguration) {
+				c.OAuthServer.Enabled = false
+			},
+		},
+		{
+			name:      "OAuthServer disabled returns JSON on /.well-known/oauth-authorization-server",
+			method:    http.MethodGet,
+			path:      "http://localhost/.well-known/oauth-authorization-server",
+			errorCode: apierrors.ErrorCodeFeatureDisabled,
+			setup: func(c *conf.GlobalConfiguration) {
+				c.OAuthServer.Enabled = false
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			api, _, err := setupAPIForTestWithCallback(func(config *conf.GlobalConfiguration, conn *storage.Connection) {
+				if config != nil {
+					tc.setup(config)
+				}
+			})
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(tc.method, tc.path, nil)
+			w := httptest.NewRecorder()
+			api.handler.ServeHTTP(w, req)
+
+			require.Equal(t, http.StatusNotFound, w.Code)
+			require.Contains(t, w.Header().Get("Content-Type"), "application/json")
+
+			var body map[string]interface{}
+			require.NoError(t, json.NewDecoder(w.Body).Decode(&body))
+			require.Equal(t, tc.errorCode, body["error_code"])
+		})
+	}
+}
+
 func TestOAuthServerCanBeEnabled(t *testing.T) {
 	api, _, err := setupAPIForTestWithCallback(func(config *conf.GlobalConfiguration, conn *storage.Connection) {
 		if config != nil {
diff --git a/internal/api/custom_oauth_admin.go b/internal/api/custom_oauth_admin.go
@@ -142,11 +142,6 @@ func (a *API) adminCustomOAuthProviderCreate(w http.ResponseWriter, r *http.Requ
 	db := a.db.WithContext(ctx)
 	config := a.config
 
-	// Check if custom OAuth is enabled
-	if !config.CustomOAuth.Enabled {
-		return apierrors.NewBadRequestError(apierrors.ErrorCodeFeatureDisabled, "Custom OAuth/OIDC providers are not enabled")
-	}
-
 	// Parse request parameters
 	params := &AdminCustomOAuthProviderParams{}
 	if err := retrieveRequestParams(r, params); err != nil {
diff --git a/internal/api/custom_oauth_admin_test.go b/internal/api/custom_oauth_admin_test.go
@@ -409,11 +409,11 @@ func (ts *CustomOAuthAdminTestSuite) TestCreateProviderFeatureDisabled() {
 	ts.Config.CustomOAuth.Enabled = false
 
 	payload := ts.createTestOAuth2Payload("test")
-	w := ts.createProvider(payload, http.StatusBadRequest)
+	w := ts.createProvider(payload, http.StatusNotFound)
 
 	var apiErr apierrors.HTTPError
 	json.NewDecoder(w.Body).Decode(&apiErr)
-	assert.Contains(ts.T(), apiErr.Message, "not enabled")
+	assert.Contains(ts.T(), apiErr.Message, "disabled")
 }
 
 func (ts *CustomOAuthAdminTestSuite) TestCreateProviderDuplicateIdentifier() {
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
@@ -371,6 +371,22 @@ func (a *API) requireManualLinkingEnabled(w http.ResponseWriter, req *http.Reque
 	return ctx, nil
 }
 
+func (a *API) requireOAuthServerEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
+	ctx := req.Context()
+	if !a.config.OAuthServer.Enabled {
+		return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeFeatureDisabled, "OAuth server is disabled")
+	}
+	return ctx, nil
+}
+
+func (a *API) requireCustomOAuthEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
+	ctx := req.Context()
+	if !a.config.CustomOAuth.Enabled {
+		return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeFeatureDisabled, "Custom OAuth providers are disabled")
+	}
+	return ctx, nil
+}
+
 func (a *API) requirePasskeyEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 	ctx := req.Context()
 	if !a.config.Passkey.Enabled {
diff --git a/internal/api/middleware_test.go b/internal/api/middleware_test.go
@@ -379,9 +379,15 @@ func (ts *MiddlewareTestSuite) TestTimeoutMiddleware() {
 	timeoutHandler := timeoutMiddleware(ts.Config.API.MaxRequestDuration)
 
 	slowHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Sleep for 1 second to simulate a slow handler which should trigger the timeout
-		time.Sleep(1 * time.Second)
-		ts.API.handler.ServeHTTP(w, r)
+		// Simulate a slow handler which should trigger the timeout.
+		// Use context-aware wait so the goroutine exits when the timeout fires,
+		// avoiding a data race with test cleanup.
+		select {
+		case <-time.After(1 * time.Second):
+			ts.API.handler.ServeHTTP(w, r)
+		case <-r.Context().Done():
+			return
+		}
 	})
 	timeoutHandler(slowHandler).ServeHTTP(w, req)
 	assert.Equal(ts.T(), http.StatusGatewayTimeout, w.Code)
