oauth2: Handle nil headers in Transport.RoundTrip

dims · dims · commit be53fe712c05 · 2025-06-05T18:57:32.000-04:00
Fixes an issue where setting auth headers on requests with nil Headers would cause a panic. This change ensures that Transport.RoundTrip properly handles HTTP requests with nil headers by initializing the header map before setting the authorization header. Added a test case to verify this behavior as well. The bug was introduced in 696f7b3 Signed-off-by: Davanum Srinivas <davanum@gmail.com>
diff --git a/transport.go b/transport.go
@@ -48,6 +48,9 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	}
 
 	req2 := req.Clone(req.Context())
+	if req2.Header == nil {
+		req2.Header = make(http.Header)
+	}
 	token.SetAuthHeader(req2)
 
 	// req.Body is assumed to be closed by the base RoundTripper.
diff --git a/transport_test.go b/transport_test.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 )
@@ -154,3 +155,51 @@ func TestExpiredWithExpiry(t *testing.T) {
 func newMockServer(handler func(w http.ResponseWriter, r *http.Request)) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(handler))
 }
+
+// TestTransportWithNilHeader tests that the Transport.RoundTrip method
+// correctly handles requests with nil Headers.
+func TestTransportWithNilHeader(t *testing.T) {
+	// Create a mock token source that returns a fixed token
+	tokenSource := StaticTokenSource(&Token{
+		AccessToken: "test-access-token",
+		TokenType:   "Bearer",
+	})
+
+	// Create a mock http server to verify the request
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check that the Authorization header was correctly set
+		authHeader := r.Header.Get("Authorization")
+		expectedHeader := "Bearer test-access-token"
+		if authHeader != expectedHeader {
+			t.Errorf("expected authorization header %q, got %q", expectedHeader, authHeader)
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	// Create Transport with our token source
+	transport := &Transport{
+		Source: tokenSource,
+		Base:   http.DefaultTransport,
+	}
+
+	// Create a request with nil Header
+	reqURL, _ := url.Parse(server.URL)
+	req := &http.Request{
+		Method: "GET",
+		URL:    reqURL,
+		// Header is intentionally nil
+	}
+
+	// Make the request using our Transport
+	resp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Fatalf("roundTrip failed with nil Header: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Verify response status
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,9 @@ func (t Transport) RoundTrip(req http.Request) (*http.Response, error) {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`req2 := req.Clone(req.Context())`
	`51`	`+ if req2.Header == nil {`
	`52`	`+ req2.Header = make(http.Header)`
	`53`	`+ }`
`51`	`54`	`token.SetAuthHeader(req2)`
`52`	`55`
`53`	`56`	`// req.Body is assumed to be closed by the base RoundTripper.`