Skip to content

fix: correct error handling, panic recovery, and JWT concurrency in proxy handler#1068

Draft
oliverbaehler with Copilot wants to merge 4 commits into
mainfrom
copilot/fix-code-comments-review-thread
Draft

fix: correct error handling, panic recovery, and JWT concurrency in proxy handler#1068
oliverbaehler with Copilot wants to merge 4 commits into
mainfrom
copilot/fix-code-comments-review-thread

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

PR #1066 introduced several handler fixes but left auth errors mis-classified as 500s, swallowed http.ErrAbortHandler, returned plain-text panic responses, and introduced a data race on the JWT token cache.

Error handling: *req.ErrUnauthorized → 403 not 500

ResolveUserAndGroups returns *req.ErrUnauthorized for missing/invalid auth headers. Four call sites (authorizationMiddleware, registerModules handler, CheckUserInIgnoredGroupMiddleware, CheckUserInCapsuleGroupMiddleware) were routing all errors through HandleError (500). Now they mirror impersonateHandler:

var t *req.ErrUnauthorized
if errors.As(err, &t) {
    server.HandleUnauthorized(writer, err, msg)
} else {
    server.HandleError(writer, err, msg)
}

Panic recovery (recoveryMiddleware)

  • http.ErrAbortHandler was swallowed (return); must be re-panicked so net/http can abort the connection correctly.
  • Fallback 500 response was plain text via http.Error; now uses server.HandleError for a consistent Kubernetes-style JSON metav1.Status body.

JWT token cache: data race

invalidatedToken (sets.Set[string]) is captured by the middleware closure and mutated concurrently across requests. Fixed with a sync.RWMutex — reads under RLock, the invalidation write under Lock.

errors/panic.go

w.WriteHeader was hardcoding http.StatusForbidden / http.StatusInternalServerError rather than reading from the metav1.Status.Code field already set on the struct. Both handlers now use w.WriteHeader(int(status.Code)).

Copilot AI changed the title [WIP] Fix code issues based on review comments fix: correct error handling, panic recovery, and JWT concurrency in proxy handler Jul 2, 2026
Copilot AI requested a review from oliverbaehler July 2, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants