Commit a4fac5c

Ali Asghar authored
config: guard against nil oauth2 credential in RoundTrip (#897)
* config: guard against nil oauth2 credential in RoundTrip

  toSecret returns (nil, nil) when no source is configured. Most callers guarded the returned SecretReader with an `!= nil` check before invoking Fetch, but oauth2RoundTripper.RoundTrip reached directly into rt.oauthCredential.Immutable() and would nil-deref panic when someone supplied an oauth2 block with no client-secret source (likely the proximate cause of prometheus/prometheus#16622).

  Return a clear error instead of panicking, and document toSecret's nil-return contract so future callers explicitly acknowledge it.

  Fixes #790

  Signed-off-by: Ali <alliasgher123@gmail.com>

* config: simplify comments per review feedback

  - toSecret: restore original one-line comment (no need to document nil-return semantics in the function comment)
  - oauth2RoundTripper.RoundTrip nil guard: replace verbose explanation with a single-line note matching reviewer's suggestion

  Signed-off-by: Ali <alliasgher123@gmail.com>

---------

Signed-off-by: Ali <alliasgher123@gmail.com>
1 parent 9e28363 commit a4fac5c

1 file changed

Lines changed: 6 additions & 0 deletions

config/http_config.go

@@ -1063,6 +1063,12 @@ func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, erro
10631063
needsInit bool
10641064
)
10651065

1066+
// This should not happen when config goes through the normal Prometheus
1067+
// validation path, but guard against a nil credential to avoid a panic.
1068+
if rt.oauthCredential == nil {
1069+
return nil, errors.New("oauth2 client secret is required")
1070+
}
1071+
10661072
rt.mtx.RLock()
10671073
secret = rt.lastSecret
10681074
needsInit = rt.lastRT.Source == nil
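
Review bot: The early return in the new guard at the top of RoundTrip (`return nil, errors.New("oauth2 client secret is required")`) leaves req.Body unclosed, while the http.RoundTripper contract says RoundTrip must always close the body, including on errors. Consider closing req.Body when it is non-nil before returning. The guard's own comment says this state should not occur after normal validation, so it is also worth rejecting a nil credential where the round tripper is constructed, so the misconfiguration fails once at setup rather than on every request. The commit touches one file with six additions and no test, so a regression test that calls RoundTrip with a nil oauthCredential and asserts on the returned error would pin the behaviour.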
