From b8294a98b1560dde113b8c06ff857d3c87613c11 Mon Sep 17 00:00:00 2001
From: Paul Lorenz <paul.lorenz@netfoundry.io>
Date: Tue, 1 Oct 2024 09:41:52 -0400
Subject: [PATCH] Fix JWT refresh panic. Fixes #2460

---
 CHANGELOG.md                    | 11 +++++++++++
 controller/oidc_auth/storage.go |  3 +++
 2 files changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9833a0fd5..0e801f41a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@
+# Release 1.1.15
+
+## What's New
+
+* Panic fix related to controller HA
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/ziti: [v1.1.14 -> v1.1.15](https://github.com/openziti/ziti/compare/v1.1.14...v1.1.15)
+    * [Issue #2460](https://github.com/openziti/ziti/issues/2460) - Panic on JWT token refresh
+
 # Release 1.1.14
 
 ## What's New
diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go
index fc6ce23f4..b902a9ce6 100644
--- a/controller/oidc_auth/storage.go
+++ b/controller/oidc_auth/storage.go
@@ -601,6 +601,9 @@ func (s *HybridStorage) parseAccessToken(tokenStr string) (*jwt.Token, *common.A
 // TokenRequestByRefreshToken implements the op.Storage interface
 func (s *HybridStorage) TokenRequestByRefreshToken(_ context.Context, refreshToken string) (op.RefreshTokenRequest, error) {
 	_, token, err := s.parseRefreshToken(refreshToken)
+	if err != nil {
+		return nil, err
+	}
 	return &RefreshTokenRequest{*token}, err
 }