[PR #2145] [MERGED] fix: avoid mutating global http.DefaultClient in webhook proxy #3967

Closed
opened 2026-03-22 14:57:54 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2145
Author: @kolaente
Created: 1/24/2026
Status: Merged
Merged: 1/24/2026
Merged by: @kolaente

Base: main ← Head: fix/webhook-proxy-global-client


📝 Commits (1)

  • 4764a57 fix: avoid mutating global http.DefaultClient in webhook proxy

📊 Changes

6 files changed (+7 additions, -7 deletions)

📝 pkg/models/webhooks.go (+1 -1)
📝 pkg/modules/avatar/gravatar/gravatar.go (+1 -1)
📝 pkg/modules/background/unsplash/proxy.go (+1 -1)
📝 pkg/modules/background/unsplash/unsplash.go (+2 -2)
📝 pkg/modules/migration/microsoft-todo/microsoft_todo.go (+1 -1)
📝 pkg/utils/avatar.go (+1 -1)

📄 Description

Summary

  • Fixes a bug where the webhook HTTP client was mutating http.DefaultClient (the global singleton), causing ALL HTTP requests in the application to use the webhook proxy
  • This broke OIDC authentication and other external HTTP calls when webhook proxy was configured
  • Creates new http.Client{} instances instead of mutating the global across all affected files

Root Cause

In pkg/models/webhooks.go:248, the code was doing:

```go
client = http.DefaultClient  // Assigns pointer to global singleton
client.Transport = &http.Transport{Proxy: ...}  // Mutates global!
```

This meant any code using http.DefaultClient (including the go-oidc library for OIDC authentication) would route requests through the webhook proxy.

Changes

  • pkg/models/webhooks.go - Create new http.Client{} instead of using http.DefaultClient
  • pkg/utils/avatar.go - Use own HTTP client
  • pkg/modules/avatar/gravatar/gravatar.go - Use own HTTP client
  • pkg/modules/background/unsplash/proxy.go - Use own HTTP client
  • pkg/modules/background/unsplash/unsplash.go - Use own HTTP client (2 locations)
  • pkg/modules/migration/microsoft-todo/microsoft_todo.go - Use own HTTP client

Test plan

  • Configure webhook proxy settings
  • Verify webhooks still work through the proxy
  • Verify OIDC authentication works when webhook proxy is configured
  • Verify avatar downloads, Gravatar, Unsplash backgrounds still work

Fixes #2144


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
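
The aliasing described under Root Cause can be reproduced offline. The following is an added example, not code from the Vikunja repository: the function names, the proxy URL and the identity-provider URL are constructed for illustration. It compares the pre-fix pattern with a private client and reports which proxy an unrelated user of http.DefaultClient would end up with.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// proxyFor returns the proxy URL c would use for target, or "" when c has no
// client-specific proxy (a nil Transport falls back to http.DefaultTransport).
func proxyFor(c *http.Client, target string) string {
	t, ok := c.Transport.(*http.Transport)
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if !ok || t.Proxy == nil || err != nil {
		return ""
	}
	if u, err := t.Proxy(req); err == nil && u != nil {
		return u.String()
	}
	return ""
}

// buggyWebhookClient follows the pre-fix pattern: it aliases the global client.
func buggyWebhookClient(proxy *url.URL) *http.Client {
	client := http.DefaultClient // same pointer as the process-wide singleton
	client.Transport = &http.Transport{Proxy: http.ProxyURL(proxy)}
	return client
}

// fixedWebhookClient gives the webhook sender its own client (hypothetical name).
func fixedWebhookClient(proxy *url.URL) *http.Client {
	return &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxy)}}
}

// leakedProxy builds a webhook client, then reports the proxy an unrelated
// caller of http.DefaultClient (e.g. an OIDC discovery request) would get.
// The global is restored afterwards so both variants start from the same state.
func leakedProxy(build func(*url.URL) *http.Client) string {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()
	proxy, _ := url.Parse("http://webhook-proxy.example:3128") // constructed value
	build(proxy)
	return proxyFor(http.DefaultClient, "https://idp.example/.well-known/openid-configuration")
}

func main() {
	fmt.Printf("buggy: DefaultClient proxy = %q\n", leakedProxy(buggyWebhookClient))
	fmt.Printf("fixed: DefaultClient proxy = %q\n", leakedProxy(fixedWebhookClient))
}
```

A check like leakedProxy can serve as a regression test: it fails as soon as any constructor writes to http.DefaultClient again.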

GiteaMirror added the pull-request label 2026-03-22 14:57:54 -05:00
Reference: github-starred/vikunja#3967