chore: Add linter rule to catch missing return after http writes (#2702)

coderd/users.go

@@ -663,6 +663,7 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
 			Message: "Internal error.",
 		})
+		return
 	}
 	if !equal {
 		// This message is the same as above to remove ease in detecting whether

coderd/workspaceapps.go

@@ -80,6 +80,7 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
 			Message: "No agents exist.",
 		})
+		return
 	}
 
 	agent := agents[0]

scripts/rules.go

@@ -151,6 +151,29 @@ func HttpAPIErrorMessage(m dsl.Matcher) {
 		Report("Field \"Message\" should be a proper sentence with a capitalized first letter and ending in punctuation. $m")
 }
 
+// HttpAPIReturn will report a linter violation if the http function is not
+// returned after writing a response to the client.
+func HttpAPIReturn(m dsl.Matcher) {
+	m.Import("github.com/coder/coder/coderd/httpapi")
+
+	// Manually enumerate the httpapi function rather then a 'Where' condition
+	// as this is a bit more efficient.
+	m.Match(`
+	if $*_ {
+		httpapi.Write($*a)
+	}
+	`, `
+	if $*_ {
+		httpapi.Forbidden($*a)
+	}
+	`, `
+	if $*_ {
+		httpapi.ResourceNotFound($*a)
+	}
+	`).At(m["a"]).
+		Report("Forgot to return early after writing to the http response writer.")
+}
+
 // ProperRBACReturn ensures we always write to the response writer after a
 // call to Authorize. If we just do a return, the client will get a status code
 // 200, which is incorrect.