From fbb8a1fca4e6dc844ec7d208e3f33bbc4581b5d1 Mon Sep 17 00:00:00 2001
From: yusing <yusing.wys@gmail.com>
Date: Sun, 15 Feb 2026 20:04:12 +0800
Subject: [PATCH] refactor(middleware): emit OIDC blocked event at specific
 error points

---
 internal/net/gphttp/middleware/oidc.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/internal/net/gphttp/middleware/oidc.go b/internal/net/gphttp/middleware/oidc.go
index 3eb61bea..bd8c74e9 100644
--- a/internal/net/gphttp/middleware/oidc.go
+++ b/internal/net/gphttp/middleware/oidc.go
@@ -119,8 +119,10 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 		return true
 	}
 
-	if r.Method != http.MethodHead {
-		defer httpevents.Blocked(r, "OIDC", err.Error())
+	emitBlockedEvent := func() {
+		if r.Method != http.MethodHead {
+			httpevents.Blocked(r, "OIDC", err.Error())
+		}
 	}
 
 	isGet := r.Method == http.MethodGet
@@ -135,11 +137,13 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 			reqType = "WebSocket"
 		}
 		OIDC.LogWarn(r).Msgf("[OIDC] %s request blocked.\nConsider adding bypass rule for this path if needed", reqType)
+		emitBlockedEvent()
 		return false
 	case errors.Is(err, auth.ErrMissingOAuthToken):
 		amw.auth.HandleAuth(w, r)
 	default:
 		auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), "Logout", auth.OIDCLogoutPath)
+		emitBlockedEvent()
 	}
 	return false
 }