Skip to content

fix: prevent HTTP/2 hpack panic with shared HTTP client #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jeffersonrodrigues92 merged 1 commit into from
Mar 26, 2026
Merged

fix: prevent HTTP/2 hpack panic with shared HTTP client #85

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions auth/middleware/middleware.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,19 @@ const (
pluginName string = "plugin-auth"
)

// sharedHTTPClient is a package-level HTTP client with a custom transport
// that prevents HTTP/2 hpack panics under concurrent access. HTTP clients
// are safe for concurrent use and should be reused across requests.
var sharedHTTPClient = &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
ForceAttemptHTTP2: false,
MaxIdleConns: 100,
MaxIdleConnsPerHost: 10,
IdleConnTimeout: 90 * time.Second,
},
}
Comment on lines +52 to +63
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider adding missing transport settings for robustness.

The fix correctly addresses the HTTP/2 panic by using a shared client with ForceAttemptHTTP2: false. However, the custom transport omits several settings from Go's DefaultTransport that could cause issues:

  1. Missing Proxy: http.ProxyFromEnvironment – HTTP/HTTPS proxy environment variables won't be respected, which may break deployments behind corporate proxies.
  2. Missing TLSHandshakeTimeout – TLS handshakes could stall; the client-level timeout is a coarse fallback.
  3. Missing ExpectContinueTimeout – Affects POST requests with Expect: 100-continue.
♻️ Proposed enhancement to match DefaultTransport behavior 
 var sharedHTTPClient = &http.Client{
 	Timeout: 30 * time.Second,
 	Transport: &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
 		ForceAttemptHTTP2:   false,
 		MaxIdleConns:        100,
 		MaxIdleConnsPerHost: 10,
 		IdleConnTimeout:     90 * time.Second,
+		TLSHandshakeTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
 	},
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// sharedHTTPClient is a package-level HTTP client with a custom transport
// that prevents HTTP/2 hpack panics under concurrent access. HTTP clients
// are safe for concurrent use and should be reused across requests.
var sharedHTTPClient = &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
ForceAttemptHTTP2: false,
MaxIdleConns: 100,
MaxIdleConnsPerHost: 10,
IdleConnTimeout: 90 * time.Second,
},
}
// sharedHTTPClient is a package-level HTTP client with a custom transport
// that prevents HTTP/2 hpack panics under concurrent access. HTTP clients
// are safe for concurrent use and should be reused across requests.
var sharedHTTPClient = &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
ForceAttemptHTTP2: false,
MaxIdleConns: 100,
MaxIdleConnsPerHost: 10,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@auth/middleware/middleware.go` around lines 52 - 63, The custom transport for
sharedHTTPClient omits important DefaultTransport fields; update the Transport
in sharedHTTPClient to set Proxy: http.ProxyFromEnvironment and add
TLSHandshakeTimeout (e.g., 10*time.Second) and ExpectContinueTimeout (e.g.,
1*time.Second) alongside the existing
ForceAttemptHTTP2/MaxIdleConns/MaxIdleConnsPerHost/IdleConnTimeout so the client
respects system proxies and uses robust TLS/expect-continue timeouts.


// unmarshalErrorResponse unmarshals a JSON response body into commons.Response,
// tolerating a numeric "code" field (the auth service may return code as a number).
func unmarshalErrorResponse(body []byte) (commons.Response, error) {
Expand Down Expand Up @@ -157,7 +170,7 @@ func NewAuthClient(address string, enabled bool, logger *log.Logger) *AuthClient
}
}

client := &http.Client{}
client := sharedHTTPClient
healthURL := fmt.Sprintf("%s/health", address)

failedToConnectMsg := fmt.Sprintf("Failed to connect to %s: %%v\n", pluginName)
Expand Down Expand Up @@ -257,7 +270,7 @@ func (auth *AuthClient) checkAuthorization(ctx context.Context, sub, resource, a
attribute.String("app.request.request_id", reqID),
)

client := &http.Client{}
client := sharedHTTPClient

token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{})
if err != nil {
Expand Down Expand Up @@ -400,7 +413,7 @@ func (auth *AuthClient) GetApplicationToken(ctx context.Context, clientID, clien
return "", nil
}

client := &http.Client{}
client := sharedHTTPClient

requestBody := map[string]string{
"grantType": "client_credentials",
Expand Down
Loading