check cookie for before we fall back to the default policy

proxy/pkg/proxy/policy/selector.go

@@ -165,19 +165,33 @@ func NewMigrationSelector(cfg *config.MigrationSelectorConf, ss accounts.Account
 func NewClaimsSelector(cfg *config.ClaimsSelectorConf) Selector {
 	return func(r *http.Request) (s string, err error) {
 
+		selectorCookie := func(r *http.Request) string {
+			selectorCookie, err := r.Cookie(cfg.SelectorCookieName)
+			if err == nil {
+				// TODO check we know the routing policy?
+				return selectorCookie.Value
+			}
+			return ""
+		}
+
 		// first, try to route by selector
 		if claims := oidc.FromContext(r.Context()); claims != nil {
 			if p, ok := claims[oidc.OcisRoutingPolicy].(string); ok && p != "" {
 				// TODO check we know the routing policy?
 				return p, nil
 			}
+
+			// basic auth requests don't have a routing claim, so check for the cookie
+			if s := selectorCookie(r); s != "" {
+				return s, nil
+			}
+
 			return cfg.DefaultPolicy, nil
 		}
 
 		// use cookie if provided
-		selectorCookie, err := r.Cookie(cfg.SelectorCookieName)
-		if err == nil {
-			return selectorCookie.Value, nil
+		if s := selectorCookie(r); s != "" {
+			return s, nil
 		}
 
 		return cfg.UnauthenticatedPolicy, nil