From 0716b6ffa204f1a38613b1041c6932ae637ce8e8 Mon Sep 17 00:00:00 2001 From: Jefferson Rodrigues Date: Thu, 26 Mar 2026 20:26:52 -0300 Subject: [PATCH 1/2] fix: prevent HTTP/2 hpack panic with shared HTTP client Replace per-request http.Client{} (3 occurrences) with a package-level shared client using custom transport with ForceAttemptHTTP2: false. The bare http.Client{} used Go's default transport which enables HTTP/2 over HTTPS, causing hpack encoder panic under concurrent goroutine access. X-Lerian-Ref: 0x1 --- auth/middleware/middleware.go | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/auth/middleware/middleware.go b/auth/middleware/middleware.go index 758f06c..2fd47be 100644 --- a/auth/middleware/middleware.go +++ b/auth/middleware/middleware.go @@ -49,6 +49,19 @@ const ( pluginName string = "plugin-auth" ) +// sharedHTTPClient is a package-level HTTP client with a custom transport +// that prevents HTTP/2 hpack panics under concurrent access. HTTP clients +// are safe for concurrent use and should be reused across requests. +var sharedHTTPClient = &http.Client{ + Timeout: 30 * time.Second, + Transport: &http.Transport{ + ForceAttemptHTTP2: false, + MaxIdleConns: 100, + MaxIdleConnsPerHost: 10, + IdleConnTimeout: 90 * time.Second, + }, +} + // unmarshalErrorResponse unmarshals a JSON response body into commons.Response, // tolerating a numeric "code" field (the auth service may return code as a number). func unmarshalErrorResponse(body []byte) (commons.Response, error) { @@ -157,7 +170,7 @@ func NewAuthClient(address string, enabled bool, logger *log.Logger) *AuthClient } } - client := &http.Client{} + client := sharedHTTPClient healthURL := fmt.Sprintf("%s/health", address) failedToConnectMsg := fmt.Sprintf("Failed to connect to %s: %%v\n", pluginName) 
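Review bot: `ForceAttemptHTTP2: false` in the new `sharedHTTPClient` transport does not disable HTTP/2, so this hunk does not do what its doc comment and the commit message say it does. `false` is the zero value, and net/http only consults `ForceAttemptHTTP2` when a custom `TLSClientConfig`, `Dial`, `DialContext` or `DialTLS` is set; none is set here, so the package still configures HTTP/2 on this transport automatically and the hpack code path stays in use. The documented opt-out is a non-nil empty next-proto map: `TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{},` (this needs a `crypto/tls` import, which the patch does not show), and the comment on the var should then say HTTP/2 is disabled via `TLSNextProto`. If the panic came from an http2 implementation bug rather than from this code, disabling HTTP/2 is a workaround and the Go / x/net versions in use should be checked as well. The hunk also relies on `time` already being imported, which the diffstat (no import change) suggests but does not prove.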
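Review bot: `client := sharedHTTPClient` in NewAuthClient now aliases a package-level `*http.Client`, and the same aliasing happens at @@ -257 (checkAuthorization) and @@ -400 (GetApplicationToken); the bodies of all three functions continue outside the hunks, so any assignment to `client.Timeout`, `client.Transport`, `client.CheckRedirect` or `client.Jar` there would now be a data race and would silently change behaviour for every other call site. Please confirm each function only uses the client through `Do`/`Get`/`Post`, and that if NewAuthClient stores it on the returned `*AuthClient` nothing mutates it later. A short comment at the first use would make the constraint visible: `// sharedHTTPClient is shared by all call sites; never mutate its fields.`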
@@ -257,7 +270,7 @@ func (auth *AuthClient) checkAuthorization(ctx context.Context, sub, resource, a attribute.String("app.request.request_id", reqID), ) - client := &http.Client{} + client := sharedHTTPClient token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{}) if err != nil { @@ -400,7 +413,7 @@ func (auth *AuthClient) GetApplicationToken(ctx context.Context, clientID, clien return "", nil } - client := &http.Client{} + client := sharedHTTPClient requestBody := map[string]string{ "grantType": "client_credentials", From 04758980d4b7202b3d3f5657df02056871c74aac Mon Sep 17 00:00:00 2001 From: lerian-studio Date: Thu, 26 Mar 2026 23:56:59 +0000 Subject: [PATCH 2/2] chore(release): 2.6.0-beta.1 ## [2.6.0-beta.1](https://github.com/LerianStudio/lib-auth/compare/v2.5.0...v2.6.0-beta.1) (2026-03-26) ### Bug Fixes * prevent HTTP/2 hpack panic with shared HTTP client ([0716b6f](https://github.com/LerianStudio/lib-auth/commit/0716b6ffa204f1a38613b1041c6932ae637ce8e8)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 255c54a..44e0a9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## [2.6.0-beta.1](https://github.com/LerianStudio/lib-auth/compare/v2.5.0...v2.6.0-beta.1) (2026-03-26) + + +### Bug Fixes + +* prevent HTTP/2 hpack panic with shared HTTP client ([0716b6f](https://github.com/LerianStudio/lib-auth/commit/0716b6ffa204f1a38613b1041c6932ae637ce8e8)) + ## [2.5.0](https://github.com/LerianStudio/lib-auth/compare/v2.4.0...v2.5.0) (2026-03-21)