From fbcc76f779310be2f9cbd44d8fcdcfb9303913b1 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Tue, 1 Jul 2025 20:06:20 -0500
Subject: [PATCH] fix: device code pending HTTP response

As per RFC8628 section 3.5, https://datatracker.ietf.org/doc/html/rfc8628#section-3.5 the authorization_pending response should extend RFC6749 section 5.2, https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 which specifies that the HTTP response code should be 400, Bad Request.

Signed-off-by: Doug Goldstein
---
 server/deviceflowhandlers.go | 2 +-
 server/deviceflowhandlers_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/deviceflowhandlers.go b/server/deviceflowhandlers.go
index 380e40aa..78e1ee19 100644
--- a/server/deviceflowhandlers.go
+++ b/server/deviceflowhandlers.go
@@ -249,7 +249,7 @@ func (s *Server) handleDeviceToken(w http.ResponseWriter, r *http.Request) {
 if slowDown {
 s.tokenErrHelper(w, deviceTokenSlowDown, "", http.StatusBadRequest)
 } else {
- s.tokenErrHelper(w, deviceTokenPending, "", http.StatusUnauthorized)
+ s.tokenErrHelper(w, deviceTokenPending, "", http.StatusBadRequest)
 }
 case deviceTokenComplete:
 codeChallengeFromStorage := deviceToken.PKCE.CodeChallenge
diff --git a/server/deviceflowhandlers_test.go b/server/deviceflowhandlers_test.go
index 151c7508..03a12d75 100644
--- a/server/deviceflowhandlers_test.go
+++ b/server/deviceflowhandlers_test.go
@@ -459,7 +459,7 @@ func TestDeviceTokenResponse(t *testing.T) {
 },
 testDeviceCode: "f00bar",
 expectedServerResponse: deviceTokenPending,
- expectedResponseCode: http.StatusUnauthorized,
+ expectedResponseCode: http.StatusBadRequest,
 },
 {
 testName: "Invalid Grant Type",
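Review bot: The corrected status on the `+` line is easy to regress because nothing at the call site records why a pending device code is a 400 rather than the 401 it used to return; a one-line comment above the `else` branch would pin the rationale: `// RFC 8628 §3.5: authorization_pending is an RFC 6749 §5.2 error response, so it carries 400 like slow_down.` handleDeviceToken begins and ends outside the hunk, so I cannot see whether the other RFC 8628 §3.5 error responses (expired_token, access_denied) emitted elsewhere in it still use a different status; they should agree with this change. Device clients that told "keep polling" apart from a real failure by the 401 status instead of the `error` field in the body will now see 400 for both pending and slow_down, so the status change is worth calling out in the release notes. The test hunk in deviceflowhandlers_test.go only updates the expected code for the pending case, which matches this change.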