Two years ago, a company paid me $10,000 for this fix to the http4s-pac4j library:

-   override def getRequestContent: String =
+   override lazy val getRequestContent: String =
      bodyExtractor(request.bodyText.compile.to(Collector.string))

The change is a single keyword: lazy. Without it, the request body was consumed eagerly — before the SAML handler had a chance to read it. The body of an HTTP stream can only be read once, so by the time pac4j tried to parse the SAML response, it was already gone. Authentication silently failed.

Making the value lazy defers evaluation until the first access, which happens to be exactly when the SAML parser needs it. One word, correct behavior.

The bug was invisible in testing because most HTTP clients in test environments buffer the body automatically. It only surfaced in production under http4s’s streaming model.