fix(handlers): add rows.Err() checks after all secrets scan loops

Regression from audit #109: rows.Err() checks were removed from List, ListGlobal, restartAllAffectedByGlobalKey, and Values between commits 3a30b073 and b25b4fb6. Without these checks, a mid-stream query error (e.g. connection loss during iteration) is silently ignored and partial results are returned as if the query succeeded. Fix: add if err := rows.Err(); err != nil { log.Printf(...) } after every for rows.Next() loop in secrets.go. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 13:38:53 +00:00 · 2026-05-14 13:38:53 +00:00 · 420c42a202
commit 420c42a202
parent cee43a6dd8
1 changed files with 18 additions and 0 deletions
--- a/workspace-server/internal/handlers/secrets.go
+++ b/workspace-server/internal/handlers/secrets.go
@ -63,6 +63,9 @@ func (h *SecretsHandler) List(c *gin.Context) {
 			"updated_at": updatedAt,
 		})
 	}
+	if err := rows.Err(); err != nil {
+		log.Printf("List secrets rows.Err: %v", err)
+	}

 	// 2. Global secrets not overridden at workspace level
 	globalRows, err := db.DB.QueryContext(ctx,
@ -91,6 +94,9 @@ func (h *SecretsHandler) List(c *gin.Context) {
 			"updated_at": updatedAt,
 		})
 	}
+	if err := globalRows.Err(); err != nil {
+		log.Printf("List secrets (global) rows.Err: %v", err)
+	}

 	c.JSON(http.StatusOK, secrets)
 }
@ -174,6 +180,9 @@ func (h *SecretsHandler) Values(c *gin.Context) {
 				out[k] = string(decrypted)
 			}
 		}
+		if err := globalRows.Err(); err != nil {
+			log.Printf("secrets.Values globalRows.Err: %v", err)
+		}
 	}

 	wsRows, wErr := db.DB.QueryContext(ctx,
@ -195,6 +204,9 @@ func (h *SecretsHandler) Values(c *gin.Context) {
 				out[k] = string(decrypted) // workspace override wins over global
 			}
 		}
+		if err := wsRows.Err(); err != nil {
+			log.Printf("secrets.Values wsRows.Err: %v", err)
+		}
 	}

 	if len(failedKeys) > 0 {
@ -324,6 +336,9 @@ func (h *SecretsHandler) ListGlobal(c *gin.Context) {
 			"scope":      "global",
 		})
 	}
+	if err := rows.Err(); err != nil {
+		log.Printf("ListGlobal rows.Err: %v", err)
+	}
 	c.JSON(http.StatusOK, secrets)
 }

@ -400,6 +415,9 @@ func (h *SecretsHandler) restartAllAffectedByGlobalKey(key string) {
 			ids = append(ids, id)
 		}
 	}
+	if err := rows.Err(); err != nil {
+		log.Printf("restartAllAffectedByGlobalKey rows.Err: %v", err)
+	}
 	if len(ids) == 0 {
 		return
 	}