Fix panic when token is invalid

Joël-Franck HOSSIE · Joël-Franck HOSSIE · commit d4c5226c442c · 2025-12-16T16:23:46.000+01:00
Return from webhook handler when the token verification fails.
Otherwise we try to access the invalid token which causes a panic.
We also log the error for better troubleshooting and remove useless token marshalling
diff --git a/internal/services/webhook-tokenauthenticator.go b/internal/services/webhook-tokenauthenticator.go
@@ -34,6 +34,7 @@ func AuthenticateHandler(issuer *TokenIssuer) http.HandlerFunc {
 		token, err := issuer.VerifyToken(tokenReview.Spec.Token)
 
 		if err != nil {
+			slog.Error("error verifying token", "error", err)
 			resp := v1beta1.TokenReview{
 				Status: v1beta1.TokenReviewStatus{
 					Authenticated: false,
@@ -42,6 +43,7 @@ func AuthenticateHandler(issuer *TokenIssuer) http.HandlerFunc {
 			w.WriteHeader(http.StatusUnauthorized)
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(resp)
+			return
 		}
 
 		slog.Debug("preparing access for user", "user", token.User)
@@ -96,11 +98,6 @@ func AuthenticateHandler(issuer *TokenIssuer) http.HandlerFunc {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 
-		jwtTokenString, marshallError := json.Marshal(resp)
-		if marshallError != nil {
-			slog.Error("Error serializing json to token review", "error", marshallError.Error(), "token", jwtTokenString)
-		}
-
 		err = json.NewEncoder(w).Encode(resp)
 		if err != nil {
 			slog.Error("cannot encode resp", "error", err)
