[TT-16013] fix bug gateway panics when validating jwt claims - fix visor comments4

NurayAhmadova · NurayAhmadova · commit c628a8af9e4b · 2025-11-10T17:14:06.000+04:00
diff --git a/apidef/oas/oas.go b/apidef/oas/oas.go
@@ -35,7 +35,8 @@ const (
 // OAS holds the upstream OAS definition as well as adds functionality like custom JSON marshalling.
 type OAS struct {
 	openapi3.T
-	mu sync.RWMutex
+	mu    sync.RWMutex
+	secMu sync.RWMutex
 }
 
 // MarshalJSON implements json.Marshaller.
@@ -137,29 +138,38 @@ func (s *OAS) GetTykStreamingExtension() *XTykStreaming {
 		return nil
 	}
 
-	// Convert outside the lock (no shared state modified)
-	var xTykStreaming XTykStreaming
+	var x XTykStreaming
 
-	if rawTykStreaming, ok := ext.(json.RawMessage); ok {
-		if err := json.Unmarshal(rawTykStreaming, &xTykStreaming); err != nil {
+	if raw, ok := ext.(json.RawMessage); ok {
+		if err := json.Unmarshal(raw, &x); err != nil {
 			return nil
 		}
-		return &xTykStreaming
+		s.secMu.Lock()
+		if s.Extensions != nil {
+			s.Extensions[ExtensionTykStreaming] = &x
+		}
+		s.secMu.Unlock()
+		return &x
 	}
 
-	if mapTykAPIGateway, ok := ext.(map[string]interface{}); ok {
-		dbByte, err := json.Marshal(mapTykAPIGateway)
+	if m, ok := ext.(map[string]interface{}); ok {
+		dbByte, err := json.Marshal(m)
 		if err != nil {
 			return nil
 		}
-		if err := json.Unmarshal(dbByte, &xTykStreaming); err != nil {
+		if err := json.Unmarshal(dbByte, &x); err != nil {
 			return nil
 		}
-		return &xTykStreaming
+		s.secMu.Lock()
+		if s.Extensions != nil {
+			s.Extensions[ExtensionTykStreaming] = &x
+		}
+		s.secMu.Unlock()
+		return &x
 	}
 
-	if xTyk, ok := ext.(*XTykStreaming); ok {
-		return xTyk
+	if typed, ok := ext.(*XTykStreaming); ok {
+		return typed
 	}
 
 	return nil
@@ -196,29 +206,38 @@ func (s *OAS) GetTykExtension() *XTykAPIGateway {
 		return nil
 	}
 
-	// Convert outside the lock (no shared state modified)
-	var xTykAPIGateway XTykAPIGateway
+	var x XTykAPIGateway
 
-	if rawTykAPIGateway, ok := ext.(json.RawMessage); ok {
-		if err := json.Unmarshal(rawTykAPIGateway, &xTykAPIGateway); err != nil {
+	if raw, ok := ext.(json.RawMessage); ok {
+		if err := json.Unmarshal(raw, &x); err != nil {
 			return nil
 		}
-		return &xTykAPIGateway
+		s.secMu.Lock()
+		if s.Extensions != nil {
+			s.Extensions[ExtensionTykAPIGateway] = &x
+		}
+		s.secMu.Unlock()
+		return &x
 	}
 
-	if mapTykAPIGateway, ok := ext.(map[string]interface{}); ok {
-		dbByte, err := json.Marshal(mapTykAPIGateway)
+	if m, ok := ext.(map[string]interface{}); ok {
+		dbByte, err := json.Marshal(m)
 		if err != nil {
 			return nil
 		}
-		if err := json.Unmarshal(dbByte, &xTykAPIGateway); err != nil {
+		if err := json.Unmarshal(dbByte, &x); err != nil {
 			return nil
 		}
-		return &xTykAPIGateway
+		s.secMu.Lock()
+		if s.Extensions != nil {
+			s.Extensions[ExtensionTykAPIGateway] = &x
+		}
+		s.secMu.Unlock()
+		return &x
 	}
 
-	if xTyk, ok := ext.(*XTykAPIGateway); ok {
-		return xTyk
+	if typed, ok := ext.(*XTykAPIGateway); ok {
+		return typed
 	}
 
 	return nil
@@ -252,20 +271,30 @@ func (s *OAS) getTykTokenAuth(name string) (token *Token) {
 		return nil
 	}
 
-	s.mu.RLock()
+	s.secMu.RLock()
 	securityScheme := tykAuth.SecuritySchemes[name]
-	s.mu.RUnlock()
-
 	if securityScheme == nil {
+		s.secMu.RUnlock()
 		return nil
 	}
-
-	token = &Token{}
-	if tokenVal, ok := securityScheme.(*Token); ok {
-		return tokenVal
+	if v, ok := securityScheme.(*Token); ok {
+		s.secMu.RUnlock()
+		return v
 	}
+	s.secMu.RUnlock()
 
+	token = &Token{}
 	toStructIfMap(securityScheme, token)
+
+	s.secMu.Lock()
+	if cur := tykAuth.SecuritySchemes[name]; cur != nil {
+		if already, ok := cur.(*Token); ok {
+			token = already
+		} else {
+			tykAuth.SecuritySchemes[name] = token
+		}
+	}
+	s.secMu.Unlock()
 	return token
 }
 
@@ -275,20 +304,30 @@ func (s *OAS) getTykJWTAuth(name string) (jwt *JWT) {
 		return nil
 	}
 
-	s.mu.RLock()
+	s.secMu.RLock()
 	securityScheme := tykAuth.SecuritySchemes[name]
-	s.mu.RUnlock()
-
 	if securityScheme == nil {
+		s.secMu.RUnlock()
 		return nil
 	}
-
-	jwt = &JWT{}
-	if jwtVal, ok := securityScheme.(*JWT); ok {
-		return jwtVal
+	if v, ok := securityScheme.(*JWT); ok {
+		s.secMu.RUnlock()
+		return v
 	}
+	s.secMu.RUnlock()
 
+	jwt = &JWT{}
 	toStructIfMap(securityScheme, jwt)
+
+	s.secMu.Lock()
+	if cur := tykAuth.SecuritySchemes[name]; cur != nil {
+		if already, ok := cur.(*JWT); ok {
+			jwt = already
+		} else {
+			tykAuth.SecuritySchemes[name] = jwt
+		}
+	}
+	s.secMu.Unlock()
 	return jwt
 }
 
@@ -300,20 +339,30 @@ func (s *OAS) getTykBasicAuth(name string) (basic *Basic) {
 		return nil
 	}
 
-	s.mu.RLock()
+	s.secMu.RLock()
 	securityScheme := tykAuth.SecuritySchemes[name]
-	s.mu.RUnlock()
-
 	if securityScheme == nil {
+		s.secMu.RUnlock()
 		return nil
 	}
-
-	basic = &Basic{}
-	if basicVal, ok := securityScheme.(*Basic); ok {
-		return basicVal
+	if v, ok := securityScheme.(*Basic); ok {
+		s.secMu.RUnlock()
+		return v
 	}
+	s.secMu.RUnlock()
 
+	basic = &Basic{}
 	toStructIfMap(securityScheme, basic)
+
+	s.secMu.Lock()
+	if cur := tykAuth.SecuritySchemes[name]; cur != nil {
+		if already, ok := cur.(*Basic); ok {
+			basic = already
+		} else {
+			tykAuth.SecuritySchemes[name] = basic
+		}
+	}
+	s.secMu.Unlock()
 	return basic
 }
 
@@ -323,20 +372,30 @@ func (s *OAS) getTykOAuthAuth(name string) (oauth *OAuth) {
 		return nil
 	}
 
-	s.mu.RLock()
+	s.secMu.RLock()
 	securityScheme := tykAuth.SecuritySchemes[name]
-	s.mu.RUnlock()
-
 	if securityScheme == nil {
+		s.secMu.RUnlock()
 		return nil
 	}
-
-	oauth = &OAuth{}
-	if oauthVal, ok := securityScheme.(*OAuth); ok {
-		return oauthVal
+	if v, ok := securityScheme.(*OAuth); ok {
+		s.secMu.RUnlock()
+		return v
 	}
+	s.secMu.RUnlock()
 
+	oauth = &OAuth{}
 	toStructIfMap(securityScheme, oauth)
+
+	s.secMu.Lock()
+	if cur := tykAuth.SecuritySchemes[name]; cur != nil {
+		if already, ok := cur.(*OAuth); ok {
+			oauth = already
+		} else {
+			tykAuth.SecuritySchemes[name] = oauth
+		}
+	}
+	s.secMu.Unlock()
 	return oauth
 }
 
@@ -346,20 +405,30 @@ func (s *OAS) getTykExternalOAuthAuth(name string) (externalOAuth *ExternalOAuth
 		return nil
 	}
 
-	s.mu.RLock()
+	s.secMu.RLock()
 	securityScheme := tykAuth.SecuritySchemes[name]
-	s.mu.RUnlock()
-
 	if securityScheme == nil {
+		s.secMu.RUnlock()
 		return nil
 	}
-
-	externalOAuth = &ExternalOAuth{}
-	if oauthVal, ok := securityScheme.(*ExternalOAuth); ok { // ✅ FIXED - check securityScheme, not externalOAuth
-		return oauthVal
+	if v, ok := securityScheme.(*ExternalOAuth); ok {
+		s.secMu.RUnlock()
+		return v
 	}
+	s.secMu.RUnlock()
 
+	externalOAuth = &ExternalOAuth{}
 	toStructIfMap(securityScheme, externalOAuth)
+
+	s.secMu.Lock()
+	if cur := tykAuth.SecuritySchemes[name]; cur != nil {
+		if already, ok := cur.(*ExternalOAuth); ok {
+			externalOAuth = already
+		} else {
+			tykAuth.SecuritySchemes[name] = externalOAuth
+		}
+	}
+	s.secMu.Unlock()
 	return externalOAuth
 }
 
