
fix(auth/middleware): return 401 instead of 500 for malformed tokens#79

Merged
qnen merged 1 commit into develop from fix/invalid-token-500-to-401
Mar 17, 2026

Conversation

Contributor

@qnen qnen commented Mar 17, 2026

checkAuthorization returned HTTP 500 when JWT parsing failed (malformed/invalid token). The Authorize caller also hardcoded 500, ignoring the returned status code.

Now returns 401 Unauthorized for parse failures and the caller respects the returned status code.

X-Lerian-Ref: 0x1

Pull Request Checklist

Pull Request Type

  • Feature
  • Fix
  • Refactor
  • Pipeline
  • Tests
  • Documentation
  • Helm

Checklist

Please check each item after it's completed.

  • I have tested these changes locally.
  • I have updated the documentation accordingly.
  • I have added necessary comments to the code, especially in complex areas.
  • I have ensured that my changes adhere to the project's coding standards.
  • I have checked for any potential security issues.
  • I have ensured that all tests pass.
  • I have updated the version appropriately (if applicable).
  • I have confirmed this code is ready for review.

Additional Notes

Obs: Please always remember to target your PR at the develop branch instead of main.

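The before/after behaviour the description refers to, as an added Go example that is not the project's code: checkAuthorization, authorizeBefore, authorizeAfter and statusFor are hypothetical names, and the JWT parse step is a stand-in that only checks for three dot-separated segments.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// checkAuthorization returns the status the caller should send: a token that
// fails to parse is a client problem, so it maps to 401, never 500.
func checkAuthorization(r *http.Request) (int, error) {
	raw := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	// Stand-in for the JWT library's parse step (hypothetical): only a
	// three-segment "header.payload.signature" string counts as well-formed.
	if len(strings.Split(raw, ".")) != 3 {
		return http.StatusUnauthorized, errors.New("token is malformed")
	}
	return http.StatusOK, nil
}

// authorizeBefore reproduces the bug: the returned code is discarded, so
// every failure, client-caused or not, becomes a 500.
func authorizeBefore(w http.ResponseWriter, r *http.Request) {
	if _, err := checkAuthorization(r); err != nil {
		http.Error(w, http.StatusText(500), http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// authorizeAfter is the fixed caller: it sends the returned code and its text.
func authorizeAfter(w http.ResponseWriter, r *http.Request) {
	if code, err := checkAuthorization(r); err != nil {
		http.Error(w, http.StatusText(code), code)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor drives a handler with a constructed request and returns the status.
func statusFor(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Masking a malformed token as a 500 also pollutes server-error alerting with client mistakes; the 401 keeps monitoring honest about where the fault lies.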
@qnen qnen self-assigned this Mar 17, 2026

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 7175a5b and 4f51877.

📒 Files selected for processing (2)
  • auth/middleware/middleware.go
  • auth/middleware/middleware_test.go

Walkthrough

The authorization middleware now returns more appropriate HTTP status codes for authentication failures. When token parsing or claims extraction fails, the response now returns 401 Unauthorized instead of 500 Internal Server Error. The Authorize function uses the statusCode returned from checkAuthorization instead of defaulting to 500. Error responses include HTTP status text corresponding to the actual statusCode. Test expectations updated to verify 401 is returned for invalid token scenarios.

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description explains the problem and solution clearly, and includes the required checklist template with Fix type selected; however, most checklist items remain unchecked, leaving verification incomplete. Resolution: complete the checklist items to verify that testing, code standards, security review, and other requirements have been satisfied before merging.

✅ Passed checks (1 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: returning 401 instead of 500 for malformed tokens in the auth middleware.



@gandalf-at-lerian gandalf-at-lerian left a comment


Straightforward and correct. Malformed/invalid tokens are a client problem, not a server problem — 401 is the right response. The Authorize handler now actually uses the returned statusCode instead of hardcoding 500, which was a silent bug. Test updated to match. LGTM ✅

@qnen qnen merged commit cd1e64e into develop Mar 17, 2026
3 checks passed
@qnen qnen deleted the fix/invalid-token-500-to-401 branch March 17, 2026 15:23
@lerian-studio-midaz-push-bot

🎉 This PR is included in version 2.5.0-beta.8 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
