[Bug] OIDC nil deref when visiting invalid/old callback urls #903

Closed
opened 2025-12-29 02:25:36 +01:00 by adam · 0 comments
Owner

Originally created by @ToxicMushroom on GitHub (Jan 8, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Nil deref when visiting invalid/old callback URLs

Expected Behavior

No nil deref, just an access denied error page; could mention: possibly expired link/session expired.

Steps To Reproduce

  1. Log in and keep the callback URL
  2. Restart the headscale server
  3. Visit the callback URL again

Environment

- OS: Debian 12
- Headscale version: ghcr.io/juanfont/headscale:0.24.0-beta.2-debug
- Tailscale version: 1.78.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

headscale     | 2025/01/08 12:37:09 http: panic serving 172.18.0.16:56944: runtime error: invalid memory address or nil pointer dereference
headscale     | goroutine 306 [running]:
headscale     | net/http.(*conn).serve.func1()
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:1947 +0xbe
headscale     | panic({0x1e5d320?, 0x3654b60?})
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/runtime/panic.go:785 +0x132
headscale     | github.com/juanfont/headscale/hscontrol.(*AuthProviderOIDC).OIDCCallbackHandler(0xc0005d6ae0, {0x2541680, 0xc0006c1ce0}, 0xc0003f6640)
headscale     | 	/home/runner/work/headscale/headscale/hscontrol/oidc.go:299 +0x566
headscale     | net/http.HandlerFunc.ServeHTTP(0xb1b9e8?, {0x2541680?, 0xc0006c1ce0?}, 0xc0006c1c80?)
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:2220 +0x29
headscale     | github.com/juanfont/headscale/hscontrol.prometheusMiddleware.func1({0x2541520, 0xc0005de1c0}, 0xc0003f6640)
headscale     | 	/home/runner/work/headscale/headscale/hscontrol/metrics.go:89 +0x293
headscale     | net/http.HandlerFunc.ServeHTTP(0xc0003f6500?, {0x2541520?, 0xc0005de1c0?}, 0x4c04e9?)
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:2220 +0x29
headscale     | github.com/gorilla/mux.(*Router).ServeHTTP(0xc000176d80, {0x2541520, 0xc0005de1c0}, 0xc0003f6280)
headscale     | 	/home/runner/go/pkg/mod/github.com/gorilla/mux@v1.8.1/mux.go:212 +0x1e2
headscale     | net/http.serverHandler.ServeHTTP({0xc0006c0960?}, {0x2541520?, 0xc0005de1c0?}, 0x6?)
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:3210 +0x8e
headscale     | net/http.(*conn).serve(0xc000698000, {0x2545798, 0xc0000a9d10})
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:2092 +0x5d0
headscale     | created by net/http.(*Server).Serve in goroutine 77
headscale     | 	/nix/store/zhq8dnjbhwspzdglyq28j74axvqyk86q-go-1.23.3/share/go/src/net/http/server.go:3360 +0x485
adam added the bug, OIDC labels 2025-12-29 02:25:36 +01:00
adam closed this issue 2025-12-29 02:25:36 +01:00
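
The failure mode in this report, as an added Go example that is not headscale's code: it assumes the callback handler looks up per-login data by the OIDC `state` parameter in an in-memory store that is empty after a restart. The `server`, `pendingLogin` and `visit` names and the sample URL are hypothetical; the handler checks the lookup result and answers 403 for a stale or replayed callback instead of dereferencing nil.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// pendingLogin is hypothetical data kept between the redirect to the
// identity provider and the callback.
type pendingLogin struct{ Nonce string }

// server holds pending logins in memory, keyed by the OIDC state parameter.
// The map starts empty after every restart, so old callback URLs miss.
type server struct{ pending sync.Map }

// callback checks the lookup result before using it: an unknown, expired or
// already consumed state gets 403 instead of reaching a nil pointer.
func (s *server) callback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if q.Get("state") == "" || q.Get("code") == "" {
		http.Error(w, "missing state or code", http.StatusBadRequest)
		return
	}
	v, _ := s.pending.LoadAndDelete(q.Get("state")) // state is single use
	p, ok := v.(*pendingLogin)
	if !ok || p == nil {
		http.Error(w, "access denied: login link expired or already used", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "login continues, nonce %s\n", p.Nonce)
}

// visit sends one GET to the callback handler and returns the HTTP status.
func visit(s *server, url string) int {
	rec := httptest.NewRecorder()
	s.callback(rec, httptest.NewRequest(http.MethodGet, url, nil))
	return rec.Code
}

func main() {
	const url = "/oidc/callback?state=abc&code=xyz" // constructed sample URL
	running := &server{}
	running.pending.Store("abc", &pendingLogin{Nonce: "n1"})
	fmt.Println("first visit:", visit(running, url))
	fmt.Println("same URL again:", visit(running, url))
	fmt.Println("after restart:", visit(&server{}, url)) // fresh, empty store
}
```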
Reference: starred/headscale#903