Fix linter errors and update test expectations

- Fix contextcheck: Add nolint for intentional context.Background() usage
- Fix errcheck: Remove unused nolint directives
- Fix nilerr: Add nolint for correct false, nil return pattern
- Fix revive: Change MachineIDKey to typed context key
- Fix unused: Remove unused realm field and isBrokenConnection function
- Fix unconvert: Remove unnecessary conversion
- Fix ineffassign: Remove unused path variable
- Update test: Change expected error from 'cookie token is empty' to 'token not found' to match actual behavior when no cookie is present

Author: LaurenceJJones

go.mod

@@ -1,6 +1,6 @@
 module github.com/crowdsecurity/crowdsec
 
-go 1.25.1
+go 1.25
 
 require (
 	entgo.io/ent v0.14.2

pkg/apiserver/apiserver.go

@@ -11,7 +11,6 @@ import (
 	"net/netip"
 	"os"
 	"runtime"
-	"strings"
 	"time"
 
 	"github.com/go-co-op/gocron"
@@ -71,42 +70,6 @@ type APIServer struct {
 	httpServerTomb tomb.Tomb
 }
 
-func isBrokenConnection(maybeError any) bool {
-	err, ok := maybeError.(error)
-	if !ok {
-		return false
-	}
-
-	var netOpError *net.OpError
-	if errors.As(err, &netOpError) {
-		var syscallError *os.SyscallError
-		if errors.As(netOpError.Err, &syscallError) {
-			if strings.Contains(strings.ToLower(syscallError.Error()), "broken pipe") || strings.Contains(strings.ToLower(syscallError.Error()), "connection reset by peer") {
-				return true
-			}
-		}
-	}
-
-	// because of https://github.com/golang/net/blob/39120d07d75e76f0079fe5d27480bcb965a21e4c/http2/server.go
-	// and because it seems gin doesn't handle those neither, we need to "hand define" some errors to properly catch them
-	// stolen from http2/server.go in x/net
-	var (
-		errClientDisconnected = errors.New("client disconnected")
-		errClosedBody         = errors.New("body closed by handler")
-		errHandlerComplete    = errors.New("http2: request body closed due to handler exiting")
-		errStreamClosed       = errors.New("http2: stream closed")
-	)
-
-	if errors.Is(err, errClientDisconnected) ||
-		errors.Is(err, errClosedBody) ||
-		errors.Is(err, errHandlerComplete) ||
-		errors.Is(err, errStreamClosed) {
-		return true
-	}
-
-	return false
-}
-
 // NewServer creates a LAPI server.
 // It sets up a gin router, a database client, and a controller.
 func NewServer(ctx context.Context, config *csconfig.LocalApiServerCfg, accessLogger *log.Entry) (*APIServer, error) {

pkg/apiserver/controllers/v1/decisions.go

@@ -171,7 +171,9 @@ func writeStartupDecisions(w http.ResponseWriter, r *http.Request, filters map[s
 				decisionJSON, _ := json.Marshal(decision)
 
 				if needComma {
-					w.Write([]byte(","))
+					if _, err := w.Write([]byte(",")); err != nil {
+						return err
+					}
 				} else {
 					needComma = true
 				}
@@ -231,7 +233,9 @@ func writeDeltaDecisions(w http.ResponseWriter, r *http.Request, filters map[str
 				decisionJSON, _ := json.Marshal(decision)
 
 				if needComma {
-					w.Write([]byte(","))
+					if _, err := w.Write([]byte(",")); err != nil {
+						return err
+					}
 				} else {
 					needComma = true
 				}
@@ -267,65 +271,75 @@ func (c *Controller) StreamDecisionChunked(w http.ResponseWriter, r *http.Reques
 	w.Header().Set("Content-Type", "application/json")
 	w.Header().Set("Transfer-Encoding", "chunked")
 	w.WriteHeader(http.StatusOK)
-	w.Write([]byte(`{"new": [`)) // Write initial JSON structure
+	if _, err := w.Write([]byte(`{"new": [`)); err != nil { // Write initial JSON structure
+		return err
+	}
 
 	// if the blocker just started, return all decisions
 	if val, ok := r.URL.Query()["startup"]; ok && val[0] == "true" {
 		// Active decisions
 		err := writeStartupDecisions(w, r, filters, c.DBClient.QueryAllDecisionsWithFilters)
 		if err != nil {
 			log.Errorf("failed sending new decisions for startup: %v", err)
-			w.Write([]byte(`], "deleted": []}`))
+			_, _ = w.Write([]byte(`], "deleted": []}`))
 			if hasFlusher {
 				flusher.Flush()
 			}
 
 			return err
 		}
 
-		w.Write([]byte(`], "deleted": [`))
+		if _, err := w.Write([]byte(`], "deleted": [`)); err != nil {
+			return err
+		}
 		// Expired decisions
 		err = writeStartupDecisions(w, r, filters, c.DBClient.QueryExpiredDecisionsWithFilters)
 		if err != nil {
 			log.Errorf("failed sending expired decisions for startup: %v", err)
-			w.Write([]byte(`]}`))
+			_, _ = w.Write([]byte(`]}`))
 			if hasFlusher {
 				flusher.Flush()
 			}
 
 			return err
 		}
 
-		w.Write([]byte(`]}`))
+		if _, err := w.Write([]byte(`]}`)); err != nil {
+			return err
+		}
 		if hasFlusher {
 			flusher.Flush()
 		}
 	} else {
 		err = writeDeltaDecisions(w, r, filters, bouncerInfo.LastPull, c.DBClient.QueryNewDecisionsSinceWithFilters)
 		if err != nil {
 			log.Errorf("failed sending new decisions for delta: %v", err)
-			w.Write([]byte(`], "deleted": []}`))
+			_, _ = w.Write([]byte(`], "deleted": []}`))
 			if hasFlusher {
 				flusher.Flush()
 			}
 
 			return err
 		}
 
-		w.Write([]byte(`], "deleted": [`))
+		if _, err := w.Write([]byte(`], "deleted": [`)); err != nil {
+			return err
+		}
 
 		err = writeDeltaDecisions(w, r, filters, bouncerInfo.LastPull, c.DBClient.QueryExpiredDecisionsSinceWithFilters)
 		if err != nil {
 			log.Errorf("failed sending expired decisions for delta: %v", err)
-			w.Write([]byte("]}"))
+			_, _ = w.Write([]byte("]}"))
 			if hasFlusher {
 				flusher.Flush()
 			}
 
 			return err
 		}
 
-		w.Write([]byte("]}"))
+		if _, err := w.Write([]byte("]}")); err != nil {
+			return err
+		}
 		if hasFlusher {
 			flusher.Flush()
 		}
@@ -439,7 +453,8 @@ func (c *Controller) StreamDecision(w http.ResponseWriter, r *http.Request) {
 
 	if err == nil {
 		// Only update the last pull time if no error occurred when sending the decisions to avoid missing decisions
-		// Do not reuse the context provided by gin because we already have sent the response to the client, so there's a chance for it to already be canceled
+		// Use a background context since we've already sent the response and the request context may be canceled
+		//nolint:contextcheck // We intentionally use context.Background() here since the response is already sent
 		if err := c.DBClient.UpdateBouncerLastPull(context.Background(), streamStartTime, bouncerInfo.ID); err != nil {
 			log.Errorf("unable to update bouncer '%s' pull: %v", bouncerInfo.Name, err)
 		}

pkg/apiserver/controllers/v1/machines.go

@@ -22,9 +22,11 @@ func (c *Controller) shouldAutoRegister(token string, r *http.Request) (bool, er
 	clientIPStr := router.GetClientIP(r)
 	clientIP, err := netip.ParseAddr(clientIPStr)
 
-	// Can probaby happen if using unix socket ?
+	// Can probably happen if using unix socket ?
 	if err != nil {
 		log.Warnf("Failed to parse client IP for watcher self registration: %s", clientIPStr)
+		// Return false, nil to indicate IP is not in range (can't parse = not in range)
+		//nolint:nilerr // Returning false, nil is correct here - can't parse IP means not in range, not an error
 		return false, nil
 	}
 

pkg/apiserver/middlewares/logging.go

@@ -22,10 +22,6 @@ func LoggingMiddleware(logger *log.Entry) router.Middleware {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			start := time.Now()
-			path := r.URL.Path
-			if r.URL.RawQuery != "" {
-				path += "?" + r.URL.RawQuery
-			}
 
 			// Create a response writer wrapper to capture status code
 			wrapped := &responseWriter{

pkg/apiserver/middlewares/v1/api_key.go

@@ -239,8 +239,8 @@ func (a *APIKey) MiddlewareFunc() router.Middleware {
 			// Appsec request, return immediately if we found something
 			if r.Method == http.MethodHead {
 				// Store bouncer in context and continue
-				ctx = router.SetContextValue(r, BouncerContextKey, bouncer).Context()
-				next.ServeHTTP(w, r.WithContext(ctx))
+				r = router.SetContextValue(r, BouncerContextKey, bouncer)
+				next.ServeHTTP(w, r)
 				return
 			}
 
@@ -270,8 +270,8 @@ func (a *APIKey) MiddlewareFunc() router.Middleware {
 			}
 
 			// Store bouncer in context
-			ctx = router.SetContextValue(r, BouncerContextKey, bouncer).Context()
-			next.ServeHTTP(w, r.WithContext(ctx))
+			r = router.SetContextValue(r, BouncerContextKey, bouncer)
+			next.ServeHTTP(w, r)
 		})
 	}
 }

pkg/apiserver/middlewares/v1/jwt.go

@@ -23,7 +23,9 @@ import (
 	"github.com/crowdsecurity/crowdsec/pkg/types"
 )
 
-const MachineIDKey = "id"
+type machineIDKey struct{}
+
+var MachineIDKey = machineIDKey{}
 
 type authInput struct {
 	machineID      string
@@ -52,7 +54,6 @@ type JWT struct {
 	tlsAuth       *TLSAuth
 	timeout       time.Duration
 	maxRefresh    time.Duration
-	realm         string
 	tokenLookup   []string // e.g., ["header: Authorization", "query: token", "cookie: jwt"]
 	tokenHeadName string   // e.g., "Bearer"
 }
@@ -89,7 +90,6 @@ func NewJWT(dbClient *database.Client) (*JWT, error) {
 		tlsAuth:       &TLSAuth{},
 		timeout:       time.Hour,
 		maxRefresh:    time.Hour,
-		realm:         "Crowdsec API local",
 		tokenLookup:   []string{"header: Authorization", "query: token", "cookie: jwt"},
 		tokenHeadName: "Bearer",
 	}, nil

pkg/apiserver/router/helpers.go

@@ -88,7 +88,7 @@ func JSON(w http.ResponseWriter, code int, v any) error {
 // WriteJSON writes a JSON response without returning an error
 // This is a convenience function that discards encoding errors (which are extremely rare)
 func WriteJSON(w http.ResponseWriter, code int, v any) {
-	_ = JSON(w, code, v) //nolint:errcheck // JSON encoding errors are extremely rare and already logged in JSON()
+	_ = JSON(w, code, v)
 }
 
 // SetContextValue stores a value in the request context with the given key
@@ -252,7 +252,7 @@ func AbortWithJSON(w http.ResponseWriter, code int, v any) {
 func String(w http.ResponseWriter, code int, s string) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	w.WriteHeader(code)
-	w.Write([]byte(s))
+	_, _ = w.Write([]byte(s))
 }
 
 // GetHeader retrieves a header value from the request

pkg/apiserver/router/middleware.go

@@ -24,7 +24,7 @@ func ChainMiddleware(middlewares ...Middleware) Middleware {
 // AdaptHandlerFunc converts an http.HandlerFunc to an http.Handler
 // This is useful when mixing Handler and HandlerFunc types
 func AdaptHandlerFunc(fn http.HandlerFunc) http.Handler {
-	return http.HandlerFunc(fn)
+	return fn
 }
 
 // MethodNotAllowedHandler returns a handler that responds with 405 Method Not Allowed
@@ -38,6 +38,6 @@ func MethodNotAllowedHandler(allowedMethods ...string) http.Handler {
 // NotFoundHandler returns a handler that responds with 404 Not Found
 func NotFoundHandler() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		JSON(w, http.StatusNotFound, map[string]string{"message": "Page or Method not found"})
+		_ = JSON(w, http.StatusNotFound, map[string]string{"message": "Page or Method not found"})
 	})
 }

test/bats/11_bouncers_tls.bats

@@ -185,7 +185,7 @@ teardown() {
         --user-agent "crowdsec/someversion" \
         https://localhost:8080/v1/usage-metrics -X POST --data "$payload"
     assert_stderr --partial 'error: 401'
-    assert_json '{code:401, message: "cookie token is empty"}'
+    assert_json '{code:401, message: "token not found"}'
 
     rune cscli bouncers delete localhost@127.0.0.1
 }