Echo · Go

Fix MiddlewareError: echo: middleware returned an error: runtime error: index out of range [0] with length 0 in Echo

This error occurs when an Echo middleware accesses a slice or array element at an index that does not exist, often from parsing headers or path segments that are empty. Fix it by adding bounds checks before accessing slice elements and returning structured error responses from middleware instead of letting panics propagate.

Reading the Stack Trace

2024/03/15 14:45:22 echo: GET /api/items -> main.ListItems | 500 | 0.504ms | 127.0.0.1 goroutine 34 [running]: runtime/debug.Stack() /usr/local/go/src/runtime/debug/stack.go:24 +0x5e runtime.gopanic({0x102840ea0, 0x14000196040}) /usr/local/go/src/runtime/panic.go:770 +0x124 main.TenantMiddleware.func1({0x1029e4f80, 0x14000226000}) /app/middleware/tenant.go:14 +0x198 github.com/labstack/echo/v4.(*Echo).ServeHTTP(0x14000128680, {0x1029e4f80, 0x140001c40e0}, 0x140002b4000) /go/pkg/mod/github.com/labstack/echo/v4@v4.11.4/echo.go:669 +0x1a0 github.com/labstack/echo/v4/middleware.RecoverWithConfig.func1.1({0x1029e4f80, 0x14000226000}) /go/pkg/mod/github.com/labstack/echo/v4@v4.11.4/middleware/recover.go:78 +0x238

Here's what each line means:

main.TenantMiddleware.func1({0x1029e4f80, 0x14000226000}) /app/middleware/tenant.go:14 +0x198: The TenantMiddleware at line 14 accesses a slice index that is out of bounds, likely from splitting an empty header value.
runtime.gopanic({0x102840ea0, 0x14000196040}): Go's runtime panics because of the out-of-bounds index access.
github.com/labstack/echo/v4/middleware.RecoverWithConfig.func1.1({0x1029e4f80, 0x14000226000}): Echo's Recover middleware catches the panic and converts it to a 500 error response.

Common Causes

1. Accessing empty slice from header split

Splitting a header value and accessing index 0 without checking the result length panics when the header is empty.

func TenantMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		parts := strings.Split(c.Request().Host, ".")
		tenant := parts[0] // panic if Host is empty
		c.Set("tenant", tenant)
		return next(c)
	}
}

2. Middleware returns raw error to client

The middleware returns Go errors directly, leaking implementation details in the HTTP response.

func AuthMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		token := c.Request().Header.Get("Authorization")
		if token == "" {
			return fmt.Errorf("missing auth token for user service at %s", serviceURL)
		}
		return next(c)
	}
}

3. Middleware order causes nil context values

A middleware reads a context value set by a downstream middleware that hasn't run yet.

e.Use(RoleMiddleware)   // reads "user" from context
e.Use(AuthMiddleware)   // sets "user" in context
// Wrong order: RoleMiddleware runs first, "user" is nil

The Fix

Check that the Host header is present and that splitting it produces enough segments before accessing index 0. Use echo.NewHTTPError to return structured error responses with appropriate HTTP status codes instead of raw Go errors.

Before (broken)

func TenantMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		parts := strings.Split(c.Request().Host, ".")
		tenant := parts[0]
		c.Set("tenant", tenant)
		return next(c)
	}
}

After (fixed)

func TenantMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		host := c.Request().Host
		if host == "" {
			return echo.NewHTTPError(http.StatusBadRequest, "missing Host header")
		}
		parts := strings.Split(host, ".")
		if len(parts) < 2 {
			return echo.NewHTTPError(http.StatusBadRequest, "invalid tenant in Host header")
		}
		tenant := parts[0]
		c.Set("tenant", tenant)
		return next(c)
	}
}

Testing the Fix

package middleware_test

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/stretchr/testify/assert"
)

func TestTenantMiddleware_ValidHost(t *testing.T) {
	e := echo.New()
	handler := TenantMiddleware(func(c echo.Context) error {
		return c.String(200, c.Get("tenant").(string))
	})

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = "acme.example.com"
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	err := handler(c)
	assert.NoError(t, err)
	assert.Equal(t, "acme", rec.Body.String())
}

func TestTenantMiddleware_EmptyHost(t *testing.T) {
	e := echo.New()
	handler := TenantMiddleware(func(c echo.Context) error {
		return c.String(200, "ok")
	})

	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = ""
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)

	err := handler(c)
	assert.Error(t, err)
	he, ok := err.(*echo.HTTPError)
	assert.True(t, ok)
	assert.Equal(t, http.StatusBadRequest, he.Code)
}

Run your tests:

go test ./middleware/... -v

Pushing Through CI/CD

git checkout -b fix/echo-middleware-error,git add middleware/tenant.go middleware/tenant_test.go,git commit -m "fix: add bounds check and error handling in tenant middleware",git push origin fix/echo-middleware-error

Your CI config should look something like this:

name: CI
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - run: go mod download
      - run: go vet ./...
      - run: go test ./... -race -coverprofile=coverage.out
      - run: go build ./...

The Full Manual Process: 18 Steps

Here's every step you just went through to fix this one bug:

Notice the error alert or see it in your monitoring tool
Open the error dashboard and read the stack trace
Identify the file and line number from the stack trace
Open your IDE and navigate to the file
Read the surrounding code to understand context
Reproduce the error locally
Identify the root cause
Write the fix
Run the test suite locally
Fix any failing tests
Write new tests covering the edge case
Run the full test suite again
Create a new git branch
Commit and push your changes
Open a pull request
Wait for code review
Merge and deploy to production
Monitor production to confirm the error is resolved

Total time: 30-60 minutes. For one bug.

Or Let bugstack Fix It in Under 2 minutes

Every step above? bugstack does it automatically.

Step 1: Install the SDK

go get github.com/bugstack/sdk

Step 2: Initialize

import "github.com/bugstack/sdk"

func init() {
  bugstack.Init(os.Getenv("BUGSTACK_API_KEY"))
}

Step 3: There is no step 3.

bugstack handles everything from here:

Captures the stack trace and request context
Pulls the relevant source files from your GitHub repo
Analyzes the error and understands the code context
Generates a minimal, verified fix
Runs your existing test suite
Pushes through your CI/CD pipeline
Deploys to production (or opens a PR for review)

Time from error to fix deployed: Under 2 minutes.

Human involvement: zero.

Try bugstack Free →

No credit card. 5-minute setup. Cancel anytime.

Deploying the Fix (Manual Path)

Run go test ./... locally to confirm the fix passes.
Open a pull request with the middleware bounds check changes.
Wait for CI checks to pass on the PR.
Have a teammate review and approve the PR.
Merge to main and verify the deployment in staging before promoting to production.

Frequently Asked Questions

How does BugStack know the fix is safe to deploy?

BugStack runs the fix through your test suite, generates tests for edge cases like empty headers and malformed hosts, and validates that middleware returns proper HTTP errors before marking it safe to deploy.

What if BugStack generates a bad fix?

BugStack never pushes directly to production. Every fix goes through a pull request with full CI checks, so your team can review it before merging.

How do I add recover middleware in Echo?

Use e.Use(middleware.Recover()) which is included by default with echo.New(). It catches panics and converts them to 500 responses.

Does middleware order matter in Echo?

Yes. Middleware runs in the order it is registered. If middleware A depends on a value set by middleware B, register B before A with e.Use().