Fix nil pointer panic in local auth mode #1

Open
opened 2026-03-16 21:05:27 +00:00 by austin · 0 comments
Owner

Description

`server.go:55` calls `s.auth.Middleware()` unconditionally. When running in local auth mode, `s.auth` is nil, so this panics on any authenticated API request.

What needs to happen

Define an `Authenticator` interface with `Middleware(http.Handler) http.Handler` and `ValidateSession(token string) (*Claims, error)` methods. Both `Auth` (OIDC) and `Local` should implement it. The `Server` struct stores the interface, not concrete types.

The session logic (`CreateSessionToken`, `validateSession` in `internal/auth/oidc.go`) is already auth-mode-agnostic — it just does base64 JSON, nothing OIDC-specific. Extract it to a shared location that both auth modes can use.

Key files

  • `internal/api/server.go` — the panic site (line 55) and route setup
  • `internal/auth/oidc.go` — session functions and `Middleware` method
  • `internal/auth/local.go` — needs `Middleware` and session validation added
austin added this to the Fix Foundation milestone 2026-03-16 21:05:27 +00:00
austin self-assigned this 2026-03-16 21:05:27 +00:00
austin added this to the Vektor - CLI project 2026-03-16 21:05:27 +00:00
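
The refactor the issue asks for, sketched as an added example (not code from the vektor repository): `Auth` and `Local` both satisfy `Authenticator` by embedding shared session logic, and a missing authenticator becomes an error at route setup instead of a nil dereference on each request. The `Claims` field, the `X-Session` header, the `sessions` type and the `Routes` method are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
)

type Claims struct{ Subject string } // field is an assumption; the issue names only the type
type Authenticator interface {
	Middleware(http.Handler) http.Handler
	ValidateSession(token string) (*Claims, error)
}
type sessions struct{} // shared base64-JSON session logic; no signature or MAC added here

func (sessions) ValidateSession(token string) (*Claims, error) {
	c := &Claims{}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || json.Unmarshal(raw, c) != nil || c.Subject == "" {
		return nil, errors.New("invalid session")
	}
	return c, nil
}

func (s sessions) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := s.ValidateSession(r.Header.Get("X-Session")); err != nil { // assumed header name
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

type Auth struct{ sessions }             // OIDC mode (provider login omitted)
type Local struct{ sessions }            // local mode
type Server struct{ auth Authenticator } // the interface, not a concrete *Auth

func (s *Server) Routes(api http.Handler) (http.Handler, error) { // hypothetical name
	if s.auth == nil {
		return nil, errors.New("no authenticator configured")
	}
	return s.auth.Middleware(api), nil
}

func main() {
	_, err := (&Server{}).Routes(http.NotFoundHandler()) // nothing wired up
	println("route setup:", err.Error())
}
```

A nil `*Auth` assigned to the `auth` field produces a non-nil interface value, so the `s.auth == nil` check does not catch it; construct the implementation for the selected mode rather than assigning a pointer that may be nil.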
Reference
austin/vektor#1