test(token-runtime): align auth tests with current http behavior

platform-token-runtime/internal/auth/middleware/token_auth_middleware_test.go

@@ -59,7 +59,7 @@ func TestQueryKeyRejectMiddleware(t *testing.T) {
 	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
 		nextCalled = true
 	})
-	handler := QueryKeyRejectMiddleware(next, auditor, fixedNow)
+	handler := QueryKeyRejectMiddleware(next, auditor, fixedNow, nil)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/supply/accounts?api_key=secret", nil)
 	rec := httptest.NewRecorder()
 

platform-token-runtime/internal/httpapi/token_api_test.go

@@ -203,10 +203,13 @@ func TestTokenAPIAuditEventsQuery(t *testing.T) {
 		t.Fatalf("issue failed: code=%d body=%s", issueRec.Code, issueRec.Body.String())
 	}
 	issueResp := decodeMap(t, issueRec.Body.Bytes())
-	tokenID := issueResp["data"].(map[string]any)["token_id"].(string)
+	issueData := issueResp["data"].(map[string]any)
+	tokenID := issueData["token_id"].(string)
+	accessToken := issueData["access_token"].(string)
 
 	queryReq := httptest.NewRequest(http.MethodGet, "/api/v1/platform/tokens/audit-events?token_id="+tokenID+"&limit=5", nil)
 	queryReq.Header.Set("X-Request-Id", "req-audit-query-2")
+	queryReq.Header.Set("Authorization", "Bearer "+accessToken)
 	queryRec := httptest.NewRecorder()
 	mux.ServeHTTP(queryRec, queryReq)
 	if queryRec.Code != http.StatusOK {
@@ -236,8 +239,20 @@ func TestTokenAPIAuditEventsReady(t *testing.T) {
 	mux := http.NewServeMux()
 	api.Register(mux)
 
+	record, err := runtime.Issue(context.Background(), service.IssueTokenInput{
+		SubjectID: "2011",
+		Role:      "owner",
+		Scope:     []string{"supply:*"},
+		TTL:       5 * time.Minute,
+		RequestID: "req-audit-ready-issue",
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/platform/tokens/audit-events?limit=3", nil)
 	req.Header.Set("X-Request-Id", "req-audit-ready")
+	req.Header.Set("Authorization", "Bearer "+record.AccessToken)
 	rec := httptest.NewRecorder()
 	mux.ServeHTTP(rec, req)
 
@@ -254,8 +269,20 @@ func TestTokenAPIAuditEventsWithoutQuerierReturnsEmptyList(t *testing.T) {
 	mux := http.NewServeMux()
 	api.Register(mux)
 
+	record, err := runtime.Issue(context.Background(), service.IssueTokenInput{
+		SubjectID: "2012",
+		Role:      "owner",
+		Scope:     []string{"supply:*"},
+		TTL:       5 * time.Minute,
+		RequestID: "req-audit-query-3-issue",
+	})
+	if err != nil {
+		t.Fatalf("issue token failed: %v", err)
+	}
+
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/platform/tokens/audit-events?limit=3", nil)
 	req.Header.Set("X-Request-Id", "req-audit-query-3")
+	req.Header.Set("Authorization", "Bearer "+record.AccessToken)
 	rec := httptest.NewRecorder()
 	mux.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
@@ -269,6 +296,24 @@ func TestTokenAPIAuditEventsWithoutQuerierReturnsEmptyList(t *testing.T) {
 	}
 }
 
+func TestTokenAPIAuditEventsRequireAuthorization(t *testing.T) {
+	t.Parallel()
+
+	runtime := service.NewInMemoryTokenRuntime(nil)
+	api := NewTokenAPI(runtime, service.NewMemoryAuditStore(), time.Now)
+	mux := http.NewServeMux()
+	api.Register(mux)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/platform/tokens/audit-events?limit=3", nil)
+	req.Header.Set("X-Request-Id", "req-audit-auth-required")
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("expected unauthorized audit query without bearer token: code=%d body=%s", rec.Code, rec.Body.String())
+	}
+}
+
 func mustJSON(t *testing.T, payload any) *bytes.Reader {
 	t.Helper()
 	buf, err := json.Marshal(payload)