Merging to release-5.8: when worker node is on emergency node, do not panic when using a new jwt token (#5534)

[probelabs]

User description

when worker node is on emergency node, do not panic when using a new jwt token (#5534)

Description

When worker node is on Emergency mode, anyway return a session with a
session key set so it doesn't panic

Related Issue

TT-9970

Motivation and Context

Better experience in MDCB

How This Has Been Tested

• Create an api in dashboard with JWT protection
• Start MDCB environment
• Shut down MDCB
• Wait until worker node is on emergency node (wait some time)
• Consume api with new api-key
• request goes trought

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing
  functionality to change)
• Refactoring or add test (improvements in base code or adds test
  coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning
  why it's required
• I would like a code coverage CI quality gate exception and have
  explained why

Co-authored-by: andrei-tyk [email protected]

---

PR Type

Bug fix

---

Description

• Prevent panic in MDCB emergency mode

• Set session.KeyID for new JWT tokens

• Return safe cloned session when RPC emergency

---

Diagram Walkthrough

flowchart LR
  A["JWT auth request"] -- "RPC storage + emergency" --> B["Set session.KeyID"]
  B -- "return session.Clone(), false" --> C["No panic, continue"]
  A -- "Non-emergency" --> D["Normal key lookup flow"]

Loading

File Walkthrough

	Relevant files
Bug fix	middleware.go Set session key to avoid panic in emergency                            gateway/middleware.go In emergency mode with RPC storage, set session.KeyID to key Return session.Clone(), false to avoid nil key-induced panic No behavior change for non-emergency paths +1/-0

---

[github-actions]

🚨 Jira Linter Failed

Commit: 39f67d1
Failed at: 2025-11-19 07:54:20 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Click to view error details

failed to validate branch and PR title rules: branch name 'merge/release-5.8/df7793f79af66c893cbc8d2e41037e44ddba75d5' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

---

This comment will be automatically deleted once the linter passes.

[github-actions]

API Changes

no api changes detected

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Avoid in-place session mutation Clone the session before mutating to avoid side effects on shared session state. Mutating session.KeyID directly can affect callers or caches referencing the same struct. gateway/middleware.go [541-544] if _, ok := t.Spec.AuthManager.Store().(*RPCStorageHandler); ok && rpc.IsEmergencyMode() { - session.KeyID = key - return session.Clone(), false + cloned := session.Clone() + cloned.KeyID = key + return cloned, false } Suggestion importance[1-10]: 6 __ Why: The suggestion correctly targets the new emergency-mode block and proposes cloning before mutation to prevent unintended side effects, which is a reasonable maintainability/safety improvement. Impact is moderate since current code returns a clone but still mutates the original; the fix is straightforward and contextually accurate.	Low

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud