fix(services): add timeouts and encode error handling

haasonsaas · haasonsaas · commit 4c67c93e2c09 · 2025-10-18T16:38:02.000-07:00
diff --git a/services/authz/server/server.go b/services/authz/server/server.go
@@ -163,8 +163,12 @@ func New(cfg Config) (*Server, error) {
 		}
 
 		s.httpSrv = &http.Server{
-			Addr:    cfg.HTTPAddr,
-			Handler: r,
+			Addr:              cfg.HTTPAddr,
+			Handler:           r,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			WriteTimeout:      30 * time.Second,
+			IdleTimeout:       60 * time.Second,
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{cert},
 				ClientAuth:   tls.NoClientCert,
@@ -175,7 +179,14 @@ func New(cfg Config) (*Server, error) {
 		s.useTLS = true
 		s.rootCAPEM = rootCAPEM
 	} else {
-		s.httpSrv = &http.Server{Addr: cfg.HTTPAddr, Handler: r}
+		s.httpSrv = &http.Server{
+			Addr:              cfg.HTTPAddr,
+			Handler:           r,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			WriteTimeout:      30 * time.Second,
+			IdleTimeout:       60 * time.Second,
+		}
 		var err error
 		s.rootCAPEM, err = ca.CertificatePEM()
 		if err != nil {
@@ -185,7 +196,13 @@ func New(cfg Config) (*Server, error) {
 
 	// Set up Tailscale HTTP server if Tailscale is configured
 	if tailscaleListener != nil {
-		s.tsHTTP = &http.Server{Handler: r}
+		s.tsHTTP = &http.Server{
+			Handler:           r,
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       30 * time.Second,
+			WriteTimeout:      30 * time.Second,
+			IdleTimeout:       60 * time.Second,
+		}
 		s.tsListener = tailscaleListener
 		log.Printf("Tailscale HTTP server configured on %s", tailscaleListener.Addr().String())
 	}
@@ -248,7 +265,9 @@ func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(health)
+	if err := json.NewEncoder(w).Encode(health); err != nil {
+		log.Printf("failed to encode health response: %v", err)
+	}
 }
 
 type verifyRequest struct {
@@ -285,7 +304,9 @@ func (s *Server) verifyHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	json.NewEncoder(w).Encode(verifyResponse{Decision: decision})
+	if err := json.NewEncoder(w).Encode(verifyResponse{Decision: decision}); err != nil {
+		log.Printf("failed to encode verify response: %v", err)
+	}
 }
 
 func (s *Server) envoyAuthHandler(w http.ResponseWriter, r *http.Request) {
@@ -364,7 +385,9 @@ func (s *Server) envoyAuthHandler(w http.ResponseWriter, r *http.Request) {
 			"device_id":  deviceID,
 			"session_id": middleware.GetReqID(r.Context()),
 		}
-		json.NewEncoder(w).Encode(response)
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			log.Printf("failed to encode envoy auth response: %v", err)
+		}
 	default:
 		http.Error(w, "forbidden", http.StatusForbidden)
 	}
@@ -587,7 +610,9 @@ func (s *Server) deviceCertHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	json.NewEncoder(w).Encode(map[string]any{"certificate": string(certPEM)})
+	if err := json.NewEncoder(w).Encode(map[string]any{"certificate": string(certPEM)}); err != nil {
+		log.Printf("failed to encode device cert response: %v", err)
+	}
 }
 
 func (s *Server) caHandler(w http.ResponseWriter, r *http.Request) {
@@ -597,7 +622,9 @@ func (s *Server) caHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	w.Header().Set("Content-Type", "application/x-pem-file")
 	w.WriteHeader(http.StatusOK)
-	w.Write(s.rootCAPEM)
+	if _, err := w.Write(s.rootCAPEM); err != nil {
+		log.Printf("failed to write CA response: %v", err)
+	}
 }
 
 func decodePEMBlock(p string) ([]byte, error) {
@@ -751,7 +778,9 @@ func (s *Server) tailscaleStatusHandler(w http.ResponseWriter, r *http.Request)
 	status := s.getTailscaleInfo()
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(status)
+	if err := json.NewEncoder(w).Encode(status); err != nil {
+		log.Printf("failed to encode tailscale status: %v", err)
+	}
 }
 
 // loggingMiddleware provides structured logging for all requests
diff --git a/services/inventory/server/server.go b/services/inventory/server/server.go
@@ -82,7 +82,14 @@ func NewServer(cfg Config) (*Server, error) {
 		})
 	})
 
-	s.http = &http.Server{Addr: cfg.Addr, Handler: r}
+	s.http = &http.Server{
+		Addr:              cfg.Addr,
+		Handler:           r,
+		ReadHeaderTimeout: 10 * time.Second,
+		ReadTimeout:       30 * time.Second,
+		WriteTimeout:      30 * time.Second,
+		IdleTimeout:       60 * time.Second,
+	}
 	return s, nil
 }
 
@@ -185,7 +192,9 @@ func (s *Server) requireClientCertMiddleware(next http.Handler) http.Handler {
 
 func (s *Server) health(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+	if err := json.NewEncoder(w).Encode(map[string]string{"status": "ok"}); err != nil {
+		log.Printf("failed to encode health response: %v", err)
+	}
 }
 
 // updateDevicePosture handles posture update requests
@@ -209,7 +218,9 @@ func (s *Server) updateDevicePosture(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "db error", http.StatusInternalServerError)
 		return
 	}
-	json.NewEncoder(w).Encode(map[string]string{"status": "updated"})
+	if err := json.NewEncoder(w).Encode(map[string]string{"status": "updated"}); err != nil {
+		log.Printf("failed to encode posture update response: %v", err)
+	}
 }
 
 type Device struct {
@@ -252,7 +263,9 @@ func (s *Server) listDevices(w http.ResponseWriter, r *http.Request) {
 		list = append(list, d)
 	}
 
-	json.NewEncoder(w).Encode(list)
+	if err := json.NewEncoder(w).Encode(list); err != nil {
+		log.Printf("failed to encode list devices response: %v", err)
+	}
 }
 
 func (s *Server) registerDevice(w http.ResponseWriter, r *http.Request) {
@@ -271,7 +284,9 @@ func (s *Server) registerDevice(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "db error", http.StatusInternalServerError)
 		return
 	}
-	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+	if err := json.NewEncoder(w).Encode(map[string]string{"status": "ok"}); err != nil {
+		log.Printf("failed to encode registration response: %v", err)
+	}
 }
 
 func (s *Server) getDevice(w http.ResponseWriter, r *http.Request) {
@@ -285,7 +300,9 @@ func (s *Server) getDevice(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "db error", http.StatusInternalServerError)
 		return
 	}
-	json.NewEncoder(w).Encode(d)
+	if err := json.NewEncoder(w).Encode(d); err != nil {
+		log.Printf("failed to encode get device response: %v", err)
+	}
 }
 
 func (s *Server) updateDevice(w http.ResponseWriter, r *http.Request) {
@@ -303,5 +320,7 @@ func (s *Server) updateDevice(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "db error", http.StatusInternalServerError)
 		return
 	}
-	json.NewEncoder(w).Encode(map[string]string{"status": "updated"})
+	if err := json.NewEncoder(w).Encode(map[string]string{"status": "updated"}); err != nil {
+		log.Printf("failed to encode update device response: %v", err)
+	}
 }
diff --git a/services/mfa/server.go b/services/mfa/server.go
@@ -90,8 +90,12 @@ func (s *Server) Start(ctx context.Context) error {
 	go s.cleanupExpiredSessions(ctx)
 
 	server := &http.Server{
-		Addr:    s.cfg.Addr,
-		Handler: r,
+		Addr:              s.cfg.Addr,
+		Handler:           r,
+		ReadHeaderTimeout: 10 * time.Second,
+		ReadTimeout:       30 * time.Second,
+		WriteTimeout:      30 * time.Second,
+		IdleTimeout:       60 * time.Second,
 	}
 
 	go func() {
@@ -150,7 +154,9 @@ func (s *Server) challengeHandler(w http.ResponseWriter, r *http.Request) {
 		"expires_at": session.ExpiresAt,
 		"code":       code, // Only for PoC testing
 	}
-	json.NewEncoder(w).Encode(response)
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		log.Error().Err(err).Msg("failed to encode MFA challenge response")
+	}
 }
 
 // verifyHandler verifies an MFA code
@@ -214,7 +220,9 @@ func (s *Server) verifyHandler(w http.ResponseWriter, r *http.Request) {
 		"message": "MFA verification successful",
 		"token":   s.generateMFAToken(session), // Short-lived MFA verification token
 	}
-	json.NewEncoder(w).Encode(response)
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		log.Error().Err(err).Msg("failed to encode MFA verify response")
+	}
 }
 
 // statusHandler returns MFA session status
@@ -236,7 +244,9 @@ func (s *Server) statusHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(session)
+	if err := json.NewEncoder(w).Encode(session); err != nil {
+		log.Error().Err(err).Msg("failed to encode MFA status response")
+	}
 }
 
 // healthHandler returns service health
@@ -251,7 +261,9 @@ func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(health)
+	if err := json.NewEncoder(w).Encode(health); err != nil {
+		log.Error().Err(err).Msg("failed to encode MFA health response")
+	}
 }
 
 // generateMFACode generates a random numeric code

Original file line number	Diff line number	Diff line change
`@@ -90,8 +90,12 @@ func (s *Server) Start(ctx context.Context) error {`
`90`	`90`	`go s.cleanupExpiredSessions(ctx)`
`91`	`91`
`92`	`92`	`server := &http.Server{`
`93`		`- Addr: s.cfg.Addr,`
`94`		`- Handler: r,`
	`93`	`+ Addr: s.cfg.Addr,`
	`94`	`+ Handler: r,`
	`95`	`+ ReadHeaderTimeout: 10 * time.Second,`
	`96`	`+ ReadTimeout: 30 * time.Second,`
	`97`	`+ WriteTimeout: 30 * time.Second,`
	`98`	`+ IdleTimeout: 60 * time.Second,`
`95`	`99`	`}`
`96`	`100`
`97`	`101`	`go func() {`
`@@ -150,7 +154,9 @@ func (s Server) challengeHandler(w http.ResponseWriter, r http.Request) {`
`150`	`154`	`"expires_at": session.ExpiresAt,`
`151`	`155`	`"code": code, // Only for PoC testing`
`152`	`156`	`}`
`153`		`- json.NewEncoder(w).Encode(response)`
	`157`	`+ if err := json.NewEncoder(w).Encode(response); err != nil {`
	`158`	`+ log.Error().Err(err).Msg("failed to encode MFA challenge response")`
	`159`	`+ }`
`154`	`160`	`}`
`155`	`161`
`156`	`162`	`// verifyHandler verifies an MFA code`
`@@ -214,7 +220,9 @@ func (s Server) verifyHandler(w http.ResponseWriter, r http.Request) {`
`214`	`220`	`"message": "MFA verification successful",`
`215`	`221`	`"token": s.generateMFAToken(session), // Short-lived MFA verification token`
`216`	`222`	`}`
`217`		`- json.NewEncoder(w).Encode(response)`
	`223`	`+ if err := json.NewEncoder(w).Encode(response); err != nil {`
	`224`	`+ log.Error().Err(err).Msg("failed to encode MFA verify response")`
	`225`	`+ }`
`218`	`226`	`}`
`219`	`227`
`220`	`228`	`// statusHandler returns MFA session status`
`@@ -236,7 +244,9 @@ func (s Server) statusHandler(w http.ResponseWriter, r http.Request) {`
`236`	`244`	`}`
`237`	`245`
`238`	`246`	`w.Header().Set("Content-Type", "application/json")`
`239`		`- json.NewEncoder(w).Encode(session)`
	`247`	`+ if err := json.NewEncoder(w).Encode(session); err != nil {`
	`248`	`+ log.Error().Err(err).Msg("failed to encode MFA status response")`
	`249`	`+ }`
`240`	`250`	`}`
`241`	`251`
`242`	`252`	`// healthHandler returns service health`
`@@ -251,7 +261,9 @@ func (s Server) healthHandler(w http.ResponseWriter, r http.Request) {`
`251`	`261`	`}`
`252`	`262`
`253`	`263`	`w.Header().Set("Content-Type", "application/json")`
`254`		`- json.NewEncoder(w).Encode(health)`
	`264`	`+ if err := json.NewEncoder(w).Encode(health); err != nil {`
	`265`	`+ log.Error().Err(err).Msg("failed to encode MFA health response")`
	`266`	`+ }`
`255`	`267`	`}`
`256`	`268`
`257`	`269`	`// generateMFACode generates a random numeric code`