From fdb1d96a2c5a5c5d8e595f1e44fa532691638938 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 2 Jan 2026 22:58:15 -0800
Subject: [PATCH] refactor(s3api): use typed iamAuthPath for authorization path constants
- Define iamAuthPath as a named string type (similar to existing authType enum)
- Update constants to use explicit type: iamAuthPathJWT, iamAuthPathSTS_V4, etc.
- Update determineIAMAuthPath() to return typed iamAuthPath
- Improves type safety and prevents accidental string value misuse
---
 weed/iam/sts/session_claims_test.go | 6 +++---
 weed/s3api/auth_credentials.go | 14 +++++++++-----
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/weed/iam/sts/session_claims_test.go b/weed/iam/sts/session_claims_test.go
index 5cd87d726..d7a1769bb 100644
--- a/weed/iam/sts/session_claims_test.go
+++ b/weed/iam/sts/session_claims_test.go
@@ -177,9 +177,9 @@ func TestSTSSessionClaimsToSessionInfoCredentialExpiration(t *testing.T) {
 sessionInfo := claims.ToSessionInfo()
 assert.NotNil(t, sessionInfo.Credentials)
- // Check expiration within 1 second due to timing precision (symmetric tolerance)
- assert.WithinDuration(t, tc.expiresAt, sessionInfo.Credentials.Expiration, time.Second,
- "credential expiration should be within 1 second of session expiration")
+ // Check expiration within 1 second due to timing precision (symmetric tolerance)
+ assert.WithinDuration(t, tc.expiresAt, sessionInfo.Credentials.Expiration, time.Second,
+ "credential expiration should be within 1 second of session expiration")
 // We set tc.expiresAt to past/future values to exercise expiration handling.
 // Assert the credentials' expiration relative to now to exercise code behavior
 if tc.expectNotExpired {
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 89bd1d216..f15d2cd19 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -952,15 +952,19 @@ func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*I
 }
 // IAM authorization path type constants
+// iamAuthPath represents the type of IAM authorization path
+type iamAuthPath string
+
+// IAM authorization path constants
 const (
- iamAuthPathJWT = "jwt"
- iamAuthPathSTS_V4 = "sts_v4"
- iamAuthPathStatic_V4 = "static_v4"
- iamAuthPathNone = "none"
+ iamAuthPathJWT iamAuthPath = "jwt"
+ iamAuthPathSTS_V4 iamAuthPath = "sts_v4"
+ iamAuthPathStatic_V4 iamAuthPath = "static_v4"
+ iamAuthPathNone iamAuthPath = "none"
 )
 // determineIAMAuthPath determines the IAM authorization path based on available tokens and principals
-func determineIAMAuthPath(sessionToken, principal, principalArn string) string {
+func determineIAMAuthPath(sessionToken, principal, principalArn string) iamAuthPath {
 if sessionToken != "" && principal != "" {
 return iamAuthPathJWT
 } else if sessionToken != "" && principalArn != "" {
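Review bot: The context line `// IAM authorization path type constants` is left in place and appears to sit directly above the added `// iamAuthPath represents the type of IAM authorization path`, so the doc comment of `iamAuthPath` would open with a stale sentence that the new `// IAM authorization path constants` line already replaces; I would delete the old line. The type comment could also say what the value is for, e.g. `// iamAuthPath identifies which credential flow (JWT, STS SigV4, static SigV4 or none) authorizes a request.`, a wording inferred from the constant names that should be confirmed. Untyped string literals still convert to `iamAuthPath` implicitly, so a comparison such as `path == "jwt"` keeps compiling; the type only helps if the code that consumes the result takes `iamAuthPath` and, presumably, rejects any value it does not recognise. The body of `determineIAMAuthPath` continues past the end of the hunk, so its remaining branches are not reviewed here.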