From 2b55b3e9e7e899f2cbcbcb7afdcb55c2db6a1754 Mon Sep 17 00:00:00 2001
From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Date: Thu, 11 Jun 2026 14:26:11 +0200
Subject: [PATCH] config: check cross-host redirect before OAuth2 token fetch

Move isCrossHostRedirect early in oauth2RoundTripper.RoundTrip so that cross-host redirects bypass token-source initialisation entirely and go straight to Base.RoundTrip. Base is read under the RLock to avoid a data race with concurrent reconfigurations.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 config/http_config.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/http_config.go b/config/http_config.go
index bc25047f..92a88a94 100644
--- a/config/http_config.go
+++ b/config/http_config.go
@@ -1067,6 +1067,18 @@ func (rt *oauth2RoundTripper) newOauth2TokenSource(req *http.Request, clientCred
 }
 
 func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+ if isCrossHostRedirect(req) {
+ // Bypass the OAuth2 transport so no token is attached. Read Base under
+ // the lock to avoid a data race with concurrent reconfigurations.
+ rt.mtx.RLock()
+ base := rt.lastRT.Base
+ rt.mtx.RUnlock()
+ if base == nil {
+ base = http.DefaultTransport
+ }
+ return base.RoundTrip(req)
+ }
+
 var (
 secret string
 needsInit bool
@@ -1110,9 +1122,6 @@ func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, erro
 rt.mtx.RLock()
 currentRT := rt.lastRT
 rt.mtx.RUnlock()
- if isCrossHostRedirect(req) {
- return currentRT.Base.RoundTrip(req)
- }
 return currentRT.RoundTrip(req)
 }
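Review bot: The `base == nil` fallback in the new early-return branch sends the redirected request through `http.DefaultTransport`, which carries none of the TLS or proxy settings configured for this client, and the comment above it does not say when Base can be nil. If the check is only defensive (the constructor is outside this hunk), say so next to it, e.g. `// Base is set by the constructor; nil is handled only defensively.`; if Base can really be nil here, returning an error would be safer than silently using default settings for a request that is leaving the original host. `rt.lastRT` is dereferenced without a matching check, which presumably relies on the same invariant and deserves the same comment. RoundTrip's body continues past this hunk and `isCrossHostRedirect` is defined elsewhere, so whether a scheme or port change on the same host counts as cross-host cannot be confirmed from here.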