feat(api): advertise OAuth resource metadata on 401 responses

[rafaeelaudibert]

Problem

Agents (MCP-style clients, in particular) that hit our API with no
credentials need a way to bootstrap OAuth discovery from a stock 401
response. RFC 9728 standardizes this: the server returns
WWW-Authenticate: Bearer resource_metadata="<URL>", and the client
fetches the protected-resource metadata document from that URL.

Today our DRF 401s carry no WWW-Authenticate header, so agents have
to be configured out-of-band to know where the discovery document
lives.

Changes

• posthog/exceptions.py — new exception_handler that wraps
  exceptions_hog.exception_handler. When the wrapped response is a
  401, we append:
  Bearer resource_metadata="<absolute URL>/.well-known/oauth-protected-resource".
  The absolute URL is built from the incoming request (scheme + host)
  so it works correctly for both us.posthog.com and self-hosted
  deployments. If no request is present in the context we fall back to
  a relative URL.
• posthog/settings/web.py — point DRF's EXCEPTION_HANDLER at the
  new wrapper (was exceptions_hog.exception_handler).
• posthog/test/test_exceptions.py — new file with six parameterless
  cases.

Non-DRF 401 paths (e.g. raw JsonResponse(401) from
session_auth_required in posthog/auth.py) are intentionally out of
scope; happy to fold them into a shared helper in a follow-up if
reviewers want consistent coverage across the whole app.

How did you test this code?

This PR was authored by an agent. I did not perform any manual
testing.

Automated tests in posthog/test/test_exceptions.py cover:

Case	Expected
NotAuthenticated over HTTPS	401 + hint with https:// URL
AuthenticationFailed over HTTPS	401 + hint with https:// URL
PermissionDenied	403, no WWW-Authenticate
ValidationError	400, no WWW-Authenticate
NotAuthenticated over HTTP	401 + hint with http:// URL
NotAuthenticated without request in context	401 + hint with relative URL

Validated against the real drf-exceptions-hog==0.4.0 in a temp venv
during development (the cloud env doesn't have hogli/flox/uv
available). Ruff check and format both clean.

Publish to changelog?

no

Docs update

n/a — no user-facing surface area change.

🤖 Agent context

Authored by Claude (Claude Code, Opus 4.7). The user asked us to
advertise the OAuth protected-resource metadata document via
WWW-Authenticate on any 401 from our API. Decision points:

• Wrap vs. fork exceptions_hog. Wrapping is one tiny function
  and preserves all the existing error-body formatting and
  exception_reporting hook. Forking would have meant copying
  ~hundreds of lines of code for no gain.
• Where to put the wrapper. posthog/exceptions.py already hosts
  the exception_reporting callback and the manual
  generate_exception_response helper, so it's the obvious neighbor.
• Absolute vs. relative URL. RFC 9728 says the resource_metadata
  value SHOULD be a URI. request.build_absolute_uri() gives us the
  correct scheme + host without hardcoding SITE_URL, which matters
  for self-hosted users.
• Scope. Only DRF-mediated 401s carry the hint. The non-DRF paths
  (legacy session_auth_required, a couple of raw 401s elsewhere)
  would need their own change and are not in this PR — flagged in the
  commit body so a reviewer can opt into expanding scope.

[stamphog]

This PR modifies the global DRF exception handler (auth-adjacent code) to add a WWW-Authenticate header on all 401 responses, which changes the API contract for authentication flows. Needs a human reviewer to confirm the OAuth resource metadata endpoint exists, the header value is correct per RFC 9728, and there are no unintended side effects on existing auth integrations.

[greptile-apps]

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
posthog/test/test_exceptions.py:8-64
**Prefer parameterised tests**

The six test methods share almost identical setup and assertion logic; the custom instructions explicitly prefer parameterised tests. The two HTTPS cases (`test_not_authenticated_includes_resource_metadata_hint` and `test_authentication_failed_includes_resource_metadata_hint`) are especially close — they differ only in the exception type. The scheme and presence/absence of the header could also be collapsed. Consider grouping with `@pytest.mark.parametrize` or `subTest`.

### Issue 2 of 2
posthog/exceptions.py:137
Dead `else` branch — `ExceptionContext` is a `TypedDict`, which is a plain `dict` at runtime, so `isinstance(context, dict)` is always `True` and the `getattr` fallback is unreachable. Removing it keeps the code clean and satisfies the "no superfluous parts" simplicity rule.

```suggestion
        request = context.get("request")
```

_{Reviews (1): Last reviewed commit: "feat(api): advertise OAuth resource meta..." | Re-trigger Greptile}

[veria-ai]

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10

[github-actions]

🎭 Playwright didn't run on this PR — your changes touch code that could affect E2E behavior, but Playwright is opt-in via label now to keep CI cost down.

Add the run-playwright label if you want an E2E sweep before merging — CI will pick it up automatically.

Most PRs don't need this. Real regressions still get caught on master and fix-forward.

[github-actions]

ClickHouse migration SQL per cloud environment

No ClickHouse migrations changed in this PR.

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-05-27 18:08 UTC	Run
prod-us	✅ Deployed	2026-05-27 18:26 UTC	Run
prod-eu	✅ Deployed	2026-05-27 18:31 UTC	Run