Fix critical nil pointer bug and improve validation

- Fix nil pointer dereference when GetInClusterContext returns error
- Add else block to only use context when err == nil
- Move validation before InClusterConfig for consistent error messages
- Add Hostname() check to reject URLs like https://:443
- Add test case for empty hostname validation
- Improve integration test to always test validation
- Revert unintended frontend/package-lock.json changes

Addresses critical bug and review comments.

Co-authored-by: illume <9541+illume@users.noreply.github.com>

Author: Copilot

backend/cmd/headlamp.go

@@ -438,18 +438,18 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 			config.APIServerEndpoint)
 		if err != nil {
 			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
-		}
-
-		context.Source = kubeconfig.InCluster
+		} else {
+			context.Source = kubeconfig.InCluster
 
-		err = context.SetupProxy()
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
-		}
+			err = context.SetupProxy()
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
+			}
 
-		err = config.KubeConfigStore.AddContext(context)
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			err = config.KubeConfigStore.AddContext(context)
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			}
 		}
 	}
 

backend/cmd/headlamp_test.go

@@ -1735,33 +1735,25 @@ func TestHandleClusterServiceProxy(t *testing.T) {
 // TestCustomAPIServerEndpoint tests the custom API server endpoint configuration
 // with validation logic, simulating kube-oidc-proxy scenarios.
 func TestCustomAPIServerEndpoint(t *testing.T) {
-	if os.Getenv("HEADLAMP_RUN_INTEGRATION_TESTS") != strconv.FormatBool(istrue) {
-		t.Skip("skipping integration test")
-	}
-
-	// Test https validation - should reject http URLs
+	// Test https validation directly - should reject http URLs
+	// Since validation now happens before InClusterConfig, this will always test validation
 	_, err := kubeconfig.GetInClusterContext(
 		"test-cluster",
 		"", "", "", "",
 		false, "",
 		"http://insecure-proxy.example.com:443", // http scheme should be rejected
 	)
 
-	// Should always fail - either with validation error or in-cluster config error
-	if err == nil {
-		t.Fatal("Expected error with http:// URL, but got nil")
-	}
+	// Should always fail with validation error (validation happens before in-cluster check)
+	require.Error(t, err, "Expected error with http:// URL")
+	assert.Contains(t, err.Error(), "must be a full https:// URL",
+		"Error should be about https requirement")
 
-	switch {
-	case strings.Contains(err.Error(), "must be a full https:// URL"):
-		t.Logf("https validation working correctly: %v", err)
-	case strings.Contains(err.Error(), "unable to load in-cluster configuration"):
-		t.Skip("not running in cluster environment, cannot test full functionality")
-	default:
-		t.Fatalf("unexpected error: %v", err)
+	// Test with valid https URL - will fail with in-cluster error if not actually in cluster
+	if os.Getenv("HEADLAMP_RUN_INTEGRATION_TESTS") != strconv.FormatBool(istrue) {
+		t.Skip("skipping full integration test (validation already tested above)")
 	}
 
-	// Test with valid https URL (will fail with in-cluster error if not in cluster)
 	ctx, err := kubeconfig.GetInClusterContext(
 		"test-cluster",
 		"", "", "", "",

backend/pkg/kubeconfig/kubeconfig.go

@@ -1010,7 +1010,7 @@ func validateAPIServerEndpoint(endpoint string) (string, error) {
 	}
 
 	parsedURL, err := url.Parse(trimmed)
-	if err != nil || !parsedURL.IsAbs() || parsedURL.Host == "" {
+	if err != nil || !parsedURL.IsAbs() || parsedURL.Host == "" || parsedURL.Hostname() == "" {
 		return "", fmt.Errorf(
 			"invalid custom API server endpoint %q: must be an absolute URL with scheme and host",
 			trimmed,
@@ -1087,19 +1087,20 @@ func GetInClusterContext(
 	oidcCACert string,
 	customAPIServerEndpoint string,
 ) (*Context, error) {
-	clusterConfig, err := rest.InClusterConfig()
+	// Validate custom endpoint first, before attempting to load in-cluster config
+	customEndpoint, err := validateAPIServerEndpoint(customAPIServerEndpoint)
 	if err != nil {
 		return nil, err
 	}
 
-	// Use custom API server endpoint if provided, otherwise use default from in-cluster config
-	apiServerHost := clusterConfig.Host
-
-	customEndpoint, err := validateAPIServerEndpoint(customAPIServerEndpoint)
+	clusterConfig, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, err
 	}
 
+	// Use custom API server endpoint if provided, otherwise use default from in-cluster config
+	apiServerHost := clusterConfig.Host
+
 	if customEndpoint != "" {
 		apiServerHost = customEndpoint
 	}

backend/pkg/kubeconfig/kubeconfig_test.go

@@ -883,6 +883,12 @@ func TestValidateAPIServerEndpoint(t *testing.T) {
 			wantErr:     true,
 			errContains: "must not include user info (credentials)",
 		},
+		{
+			name:        "URL with empty hostname is rejected",
+			endpoint:    "https://:443",
+			wantErr:     true,
+			errContains: "must be an absolute URL with scheme and host",
+		},
 		{
 			name:        "URL with query string is rejected",
 			endpoint:    "https://proxy.example.com:443?token=secret",