backend: OIDC: Return error on state generation failure #5643

Open
harrshita123 wants to merge 3 commits into kubernetes-sigs:main from harrshita123:fix-5630-oidc-state-generation

@harrshita123
Contributor

Summary

This PR fixes the OIDC login path so Headlamp returns a normal error when OAuth state generation fails instead of panicking the backend handler.

Related Issue

Fixes #5630

Changes

  • Added a small helper to generate the OIDC state value and return an error on failure
  • Updated the OIDC login handler in backend/cmd/headlamp.go to log and return 500 Internal Server Error if state generation fails
  • Added a regression test for successful and failing state generation paths in backend/cmd/headlamp_test.go

Steps to Test

  1. Run the backend command package tests.
  2. Verify the new TestGenerateOidcState regression test passes.
  3. Confirm the OIDC login path no longer uses panic(err) for state generation failure.

Screenshots

Not applicable.

Notes for the Reviewer

This change is intentionally small and isolated to the OIDC login path. It replaces the panic path with explicit error handling and keeps the rest of the login flow unchanged.

@k8s-ci-robot k8s-ci-robot requested review from skoeva and sniok May 14, 2026 13:35
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 14, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harrshita123
Once this PR has been reviewed and has the lgtm label, please assign joaquimrocha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 14, 2026
@harrshita123 harrshita123 force-pushed the fix-5630-oidc-state-generation branch from 0c97387 to 1adca74 Compare May 14, 2026 15:08
@illume illume requested a review from Copilot May 14, 2026 15:11
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the backend OIDC login flow to avoid panicking when OAuth state generation fails, instead returning a controlled 500 Internal Server Error and logging the underlying failure. It also introduces a small helper to make state generation testable.

Changes:

  • Added generateOidcState() and a test seam (randRead) to return (state, error) instead of panicking on entropy read failures.
  • Updated the /oidc handler to log and return HTTP 500 when state generation fails.
  • Added a regression test covering success/failure paths for state generation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
backend/cmd/headlamp.go | Replaces panic-based state generation with an error-returning helper and graceful HTTP 500 handling in the OIDC login route.
backend/cmd/headlamp_test.go | Adds a regression test for generateOidcState() using an overridable randomness function.

Comment thread backend/cmd/headlamp_test.go
@illume illume requested a review from Copilot May 15, 2026 06:23
Contributor

@illume illume left a comment

Thanks for this PR.

The PR has a merge-main commit; please rebase against main to keep the history clean.

Why this matters

Merge commits from main make the PR history harder to review. Please rebase your branch on top of the latest main instead, then update the PR with the rebased commits.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

backend/cmd/headlamp.go:1129

  • generateOidcState ignores the byte count returned by randRead. Since Read is allowed to return n < len(b) with err == nil, this can produce a state value with partially zero-filled bytes. Treat short reads as an error (e.g., check n != len(b) and return io.ErrUnexpectedEOF) and add a test for the partial-read case.
func generateOidcState() (string, error) {
	b := make([]byte, 32)

	if _, err := randRead(b); err != nil {
		return "", err
	}

Comment thread backend/cmd/headlamp.go
Cluster string // cluster context name this is associated with
}

var randRead = rand.Read
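Review bot: `var randRead = rand.Read` makes the entropy source behind the OAuth state a mutable package-level variable, so any code in the package can reassign it, not only the test, and tests that override it cannot safely run in parallel. Consider passing the source into the helper as an `io.Reader` argument, or at least add a comment stating that the variable exists only as a test seam. The visible lines also do not show which `rand` package is imported; it needs to be `crypto/rand`, since `math/rand` exposes a `Read` with the same signature.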
Comment on lines +1353 to +1358
func TestGenerateOidcState(t *testing.T) {
originalRandRead := randRead

t.Cleanup(func() {
randRead = originalRandRead
})
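Review bot: the setup at the top of `TestGenerateOidcState` swaps the package-level `randRead` and restores it in `t.Cleanup`, which is only safe while no test in this package calls `t.Parallel()`; a short comment saying so would prevent a later flaky or misleading run. The visible lines show the setup only, so please make sure the cases include a stub that returns `n < len(b)` with a nil error, the partial-read case raised in the suppressed comment on `generateOidcState`.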
@illume illume requested a review from Copilot May 15, 2026 12:40
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
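
The pattern discussed in this thread (return an error instead of panicking, answer with HTTP 500, and treat a short read as a failure), as an added Go example that is not part of the PR or Headlamp's code. `generateState`, `loginHandler`, `loginStatus`, the base64url encoding and the `idp.example` URL are assumptions; only the 32-byte buffer and the `/oidc` route come from the page.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// generateState is a hypothetical helper, not Headlamp's generateOidcState.
// io.ReadFull turns a short read into io.ErrUnexpectedEOF, so a partially
// filled (zero-padded) buffer is never encoded as a state value.
func generateState(src io.Reader) (string, error) {
	b := make([]byte, 32)
	if _, err := io.ReadFull(src, b); err != nil {
		return "", fmt.Errorf("generate OIDC state: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil // encoding is an assumption
}

// loginHandler logs the failure server-side and answers with a generic 500
// instead of panicking; the redirect target is a placeholder URL.
func loginHandler(src io.Reader) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		state, err := generateState(src)
		if err != nil {
			log.Printf("oidc: state generation failed: %v", err)
			http.Error(w, "internal server error", http.StatusInternalServerError)
			return
		}
		http.Redirect(w, r, "https://idp.example/authorize?state="+state, http.StatusFound)
	}
}

// loginStatus drives the handler once and returns the HTTP status code.
func loginStatus(src io.Reader) int {
	rec := httptest.NewRecorder()
	loginHandler(src)(rec, httptest.NewRequest(http.MethodGet, "/oidc", nil))
	return rec.Code
}

func main() {
	fmt.Println(loginStatus(rand.Reader))                    // 302
	fmt.Println(loginStatus(strings.NewReader("too short"))) // 500
}
```

Taking the entropy source as an `io.Reader` parameter lets tests inject a failing or short reader without a mutable package-level variable.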

Successfully merging this pull request may close these issues.

backend: OIDC login should not panic if state generation fails