server: fix DCR tests

Signed-off-by: Benson Wong <[email protected]>

Author: mostlygeek

server/client_test.go

@@ -249,7 +249,7 @@ func TestServeDynamicClientRegistration(t *testing.T) {
 			method:       "POST",
 			body:         `{"redirect_uris": ["https://example.com/callback"]}`,
 			isFunnel:     true,
-			expectStatus: http.StatusForbidden,
+			expectStatus: http.StatusUnauthorized,
 			checkResponse: func(t *testing.T, body []byte) {
 				var errResp map[string]interface{}
 				if err := json.Unmarshal(body, &errResp); err != nil {

server/clients.go

@@ -122,7 +122,7 @@ func (s *IDPServer) storeFunnelClientsLocked() error {
 // Migrated from legacy/tsidp.go:2055-2094
 func (s *IDPServer) serveClients(w http.ResponseWriter, r *http.Request) {
 	if isFunnelRequest(r) {
-		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not allowed over funnel")
+		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not available over funnel")
 		return
 	}
 
@@ -274,7 +274,7 @@ func (s *IDPServer) serveDeleteClient(w http.ResponseWriter, r *http.Request, cl
 func (s *IDPServer) serveDynamicClientRegistration(w http.ResponseWriter, r *http.Request) {
 	// Block funnel requests - dynamic registration is only available over tailnet
 	if isFunnelRequest(r) {
-		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not allowed over funnel")
+		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not available over funnel")
 		return
 	}
 

server/ui.go

@@ -44,7 +44,7 @@ var processStart = time.Now()
 // Migrated from legacy/ui.go:61-85
 func (s *IDPServer) handleUI(w http.ResponseWriter, r *http.Request) {
 	if isFunnelRequest(r) {
-		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not allowed over funnel")
+		writeHTTPError(w, r, http.StatusUnauthorized, "access_denied", "not available over funnel")
 		return
 	}