From 0417aff3b109a59ac31de0b813cf8d26df945273 Mon Sep 17 00:00:00 2001
From: Zac Gaetano <zgaetano@wilddragon.net>
Date: Sun, 3 May 2026 04:59:08 +0000
Subject: [PATCH] test(whep-client): add -token flag for JWT-gated /api/v3/whep
 endpoints

The M2 WHEP route lives under /api/v3 and inherits Core's JWT auth.
The M1 test client was written for the unauth'd PoC port; without
this flag it's useless against the real Core build.

- Subscribe() and postOffer() take a token string; empty means no
  Authorization header (M1 behavior preserved).
- main.go gains a -token flag.
- main_test.go pass empty token (existing tests run against an
  in-process unauth'd handler).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 test/whep-client/main.go      | 12 ++++++++----
 test/whep-client/main_test.go |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/test/whep-client/main.go b/test/whep-client/main.go
index 8098aac..fae3902 100644
--- a/test/whep-client/main.go
+++ b/test/whep-client/main.go
@@ -23,6 +23,7 @@ import (
 func main() {
 	var (
 		whepURL = flag.String("url", "http://127.0.0.1:8787/whep/test", "WHEP endpoint URL")
+		token   = flag.String("token", "", "Authorization: Bearer <token>; empty means no auth header")
 		timeout = flag.Duration("timeout", 10*time.Second, "overall subscribe+receive timeout")
 	)
 	flag.Parse()
@@ -30,7 +31,7 @@ func main() {
 	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
 	defer cancel()
 
-	if err := Subscribe(ctx, *whepURL); err != nil {
+	if err := Subscribe(ctx, *whepURL, *token); err != nil {
 		log.Fatalf("subscribe failed: %v", err)
 	}
 	fmt.Println("OK: received video and audio RTP")
@@ -40,7 +41,7 @@ func main() {
 // Subscribe performs a full WHEP subscribe against whepURL and returns
 // nil when both a video and an audio RTP packet have been observed
 // before ctx expires. It is exported so tests can exercise it.
-func Subscribe(ctx context.Context, whepURL string) error {
+func Subscribe(ctx context.Context, whepURL, token string) error {
 	me := &webrtc.MediaEngine{}
 	if err := me.RegisterDefaultCodecs(); err != nil {
 		return fmt.Errorf("register codecs: %w", err)
@@ -105,7 +106,7 @@ func Subscribe(ctx context.Context, whepURL string) error {
 		return fmt.Errorf("ice gather: %w", ctx.Err())
 	}
 
-	answerSDP, err := postOffer(ctx, whepURL, pc.LocalDescription().SDP)
+	answerSDP, err := postOffer(ctx, whepURL, token, pc.LocalDescription().SDP)
 	if err != nil {
 		return err
 	}
@@ -130,13 +131,16 @@ func Subscribe(ctx context.Context, whepURL string) error {
 	return nil
 }
 
-func postOffer(ctx context.Context, url, sdp string) (string, error) {
+func postOffer(ctx context.Context, url, token, sdp string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url,
 		bytes.NewReader([]byte(sdp)))
 	if err != nil {
 		return "", fmt.Errorf("new request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/sdp")
+	if token != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
diff --git a/test/whep-client/main_test.go b/test/whep-client/main_test.go
index f1bca0b..5ef70b3 100644
--- a/test/whep-client/main_test.go
+++ b/test/whep-client/main_test.go
@@ -104,7 +104,7 @@ func TestSubscribe_EndToEnd(t *testing.T) {
 	defer cancel()
 
 	whepURL := strings.TrimRight(ts.URL, "/") + "/whep/stream-e2e"
-	if err := Subscribe(ctx, whepURL); err != nil {
+	if err := Subscribe(ctx, whepURL, ""); err != nil {
 		t.Fatalf("Subscribe: %v", err)
 	}
 }