File: internal/controller/oidc_controller.go (line 149)
Project: tinyauth
Severity: BUG • Confidence: high • Slug: other-error-handling
Finding
Line 149: controller.authorizeError(c, err, "Client not found", ...). At this point err was reset to nil by the successful c.BindJSON above (line 140). The authorizeError helper then calls controller.log.App.Warn().Err(err) which logs a nil error — operators won't see the underlying cause in audit logs. This isn't a security flaw on its own but reduces forensics quality during a real client-spoofing attempt.
Recommendation
Pass a meaningful error: errors.New("client not found: " + req.ClientID) or just errors.New("invalid_client").
Revalidation
Verdict: true-positive
Verified by tracing variable state. Line 140: err = c.BindJSON(&req); if it errored, the early return at line 142 fires. So past line 144, err == nil. Line 146: client, ok := controller.oidc.GetClient(req.ClientID) — this uses := only for client, ok and does not reassign err. Line 149: controller.authorizeError(c, err, "Client not found", ...) therefore passes the nil err. authorizeError (line 482) does controller.log.App.Warn().Err(err) — zerolog rendering nil errors produces no error field, degrading audit-log forensics on client-spoofing attempts. No security flaw, but real forensics impact. Correctly classified BUG.