From e8da108edc96b2d30c7fd0de428af4e0115b697f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Mon, 18 Mar 2024 10:10:06 +0100
Subject: [PATCH] use mutex when lazy initializing the OIDC provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 ocis-pkg/middleware/oidc.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ocis-pkg/middleware/oidc.go b/ocis-pkg/middleware/oidc.go
index d66c2213e..4c8c53346 100644
--- a/ocis-pkg/middleware/oidc.go
+++ b/ocis-pkg/middleware/oidc.go
@@ -44,7 +44,7 @@ func OidcAuth(opts ...Option) func(http.Handler) http.Handler {
 )
 }
 var provider OIDCProvider
- getProviderOnce := sync.Once{}
+ initializeProviderLock := sync.Mutex{}
 
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -52,13 +52,22 @@ func OidcAuth(opts ...Option) func(http.Handler) http.Handler {
 authHeader := r.Header.Get("Authorization")
 switch {
 case strings.HasPrefix(authHeader, "Bearer "):
- getProviderOnce.Do(func() {
+ if provider == nil {
+ // lazy initialize provider
+ initializeProviderLock.Lock()
 var err error
- provider, err = providerFunc()
+ // ensure no other request initialized the provider
+ if provider == nil {
+ provider, err = providerFunc()
+ }
+ initializeProviderLock.Unlock()
 if err != nil {
+ opt.Logger.Error().Err(err).Msg("could not initialize OIDC provider")
+ w.WriteHeader(http.StatusInternalServerError)
 return
 }
- })
+ opt.Logger.Debug().Msg("initialized OIDC provider")
+ }
 
 oauth2Token := &oauth2.Token{
 AccessToken: strings.TrimPrefix(authHeader, "Bearer "),
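Review bot: The outer `if provider == nil` in the `Bearer` case reads `provider` without holding `initializeProviderLock` while another request may be assigning it under the lock, which is a data race on an interface value in the authentication path (the race detector will report it). Dropping the outer check so that every bearer request runs `initializeProviderLock.Lock()`, the inner `if provider == nil { provider, err = providerFunc() }` and `Unlock()` removes the race; an uncontended mutex is cheap, and `sync.RWMutex` is an option if the fast path matters. The `initialized OIDC provider` debug line should move inside the inner check, since a request that lost the race logs it without having initialized anything. A failed `providerFunc()` is now retried on every bearer request while the lock is held, so confirm the call is bounded by a timeout (its body is outside this hunk), otherwise requests queue on the mutex while the issuer is unreachable. The handler continues past the end of the hunk.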