superfly · mjbraun · Dec 4, 2025 · Nov 25, 2025
diff --git a/authorizer.go b/authorizer.go
@@ -285,6 +285,10 @@ var _ AuthConfig = (*FlySrcAuthConfig)(nil)
 
 func (c *FlySrcAuthConfig) AuthRequest(authctx AuthContext, req *http.Request) error {
 	flysrcParser := authctx.GetFlysrcParser()
+	if flysrcParser == nil {
+		return fmt.Errorf("%w: no flysrc parser", ErrNotAuthorized)
+	}
+
 	fs, err := flysrcParser.FromRequest(req)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrNotAuthorized, err)

diff --git a/cmd/tokenizer/main.go b/cmd/tokenizer/main.go
@@ -17,6 +17,8 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/superfly/tokenizer"
 	"golang.org/x/exp/slices"
+
+	"github.com/superfly/flysrc-go"
 )
 
 // Package variables can be overridden at build time:
@@ -96,6 +98,17 @@ func runServe() {
 		opts = append(opts, tokenizer.RequireFlySrc())
 	}
 
+	if slices.Contains([]string{"1", "true"}, os.Getenv("NO_FLY_SRC")) {
+		// nothing
+	} else {
+		parser, err := flysrc.New()
+		if err != nil {
+			logrus.WithError(err).Panic("Error making flysrc parser")
+		}
+
+		opts = append(opts, tokenizer.WithFlysrcParser(parser))
+	}
+
 	tkz := tokenizer.NewTokenizer(key, opts...)
 
 	if len(os.Getenv("DEBUG")) != 0 {

diff --git a/tokenizer.go b/tokenizer.go
@@ -122,12 +122,8 @@ func NewTokenizer(openKey string, opts ...Option) *tokenizer {
 		opt(tkz)
 	}
 
-	if tkz.flysrcParser == nil {
-		parser, err := flysrc.New()
-		if err != nil {
-			logrus.WithError(err).Panic("Error making flysrc parser")
-		}
-		tkz.flysrcParser = parser
+	if tkz.RequireFlySrc && tkz.flysrcParser == nil {
+		logrus.Panic("FlySrc is required but no flysrc Parser is specified")
 	}
 
 	hostnameMap := map[string]bool{}
@@ -282,19 +278,21 @@ func (t *tokenizer) HandleRequest(req *http.Request, ctx *goproxy.ProxyCtx) (*ht
 		pud.reqLog = logrus.WithFields(reqLogFields(ctx.Req))
 	}
 
-	src, err := t.flysrcParser.FromRequest(req)
-	if err != nil {
-		if t.RequireFlySrc {
-			pud.reqLog.Warn(err.Error())
-			return nil, errorResponse(ErrBadRequest)
+	if t.flysrcParser != nil {
+		src, err := t.flysrcParser.FromRequest(req)
+		if err != nil {
+			if t.RequireFlySrc {
+				pud.reqLog.Warn(err.Error())
+				return nil, errorResponse(ErrBadRequest)
+			}
+		} else {
+			pud.reqLog = pud.reqLog.WithFields(logrus.Fields{
+				"flysrc-org":       src.Org,
+				"flysrc-app":       src.App,
+				"flysrc-instance":  src.Instance,
+				"flysrc-timestamp": src.Timestamp,
+			})
 		}
-	} else {
-		pud.reqLog = pud.reqLog.WithFields(logrus.Fields{
-			"flysrc-org":       src.Org,
-			"flysrc-app":       src.App,
-			"flysrc-instance":  src.Instance,
-			"flysrc-timestamp": src.Timestamp,
-		})
 	}
 
 	processors := append([]RequestProcessor(nil), pud.connectProcessors...)

diff --git a/tokenizer_test.go b/tokenizer_test.go
@@ -55,7 +55,11 @@ func TestTokenizer(t *testing.T) {
 
 	assert.NoError(t, err)
 
-	tkz := NewTokenizer(openKey, WithFlysrcParser(flysrcParser))
+	// we can build a server without a fly src parser
+	tkz := NewTokenizer(openKey)
+	assert.True(t, tkz != nil)
+
+	tkz = NewTokenizer(openKey, WithFlysrcParser(flysrcParser))
 	tkz.ProxyHttpServer.Verbose = true
 
 	tkzServer := httptest.NewServer(tkz)
@@ -417,6 +421,14 @@ func TestTokenizer(t *testing.T) {
 			Body: "",
 		}, doEcho(t, client, req))
 
+		// Bad, the same request fails, without panic, if flysrc parser is nil
+		parser := tkz.flysrcParser
+		tkz.flysrcParser = nil
+		resp, err = client.Do(req)
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusProxyAuthRequired, resp.StatusCode)
+		tkz.flysrcParser = parser
+
 		// Bad org
 		fs = &flysrc.FlySrc{Org: "WRONG!", App: "bar", Instance: "baz", Timestamp: time.Now().Truncate(time.Second)}
 		hdrSrc = fs.String()