Skip to content

docs: fill documentation gaps — passkeys, OIDC, rate-limiting, email-verification, magic-links, SMTP, crypto#156

Merged
veverkap merged 2 commits into
mainfrom
docs/fill-gaps-20260428-d6a52c2d3d7d0732
Apr 28, 2026
Merged

docs: fill documentation gaps — passkeys, OIDC, rate-limiting, email-verification, magic-links, SMTP, crypto#156
veverkap merged 2 commits into
mainfrom
docs/fill-gaps-20260428-d6a52c2d3d7d0732

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Apr 28, 2026
edited by greptile-apps Bot
Loading

Summary

Automated documentation gap analysis found several places where code behaviour was not reflected in the docs. This PR fills those gaps across seven files.

Changes

docs/handler/passkeys.md

  • Challenge expiry: BeginRegistration / BeginAuthentication store a challenge that expires after 5 minutes. Added this to the registration/authentication flow description so integrators know the time budget for the client-side WebAuthn ceremony.
  • Credential counter updates: FinishAuthentication calls PasskeyStore.UpdateCredentialData to persist the updated WebAuthn signature counter after every successful login. Counter update failures are logged as warnings and do not fail authentication. The counter is the primary mechanism for detecting cloned authenticators.

docs/handler/oidc.md

  • In-memory link-nonce warning: OIDCHandler holds pending link nonces in a process-local map[string]linkNonce. In multi-instance deployments the nonce created on one pod may not exist on the pod handling the OIDC callback, silently breaking the account-linking flow. Added a !!! warning callout recommending sticky sessions or a shared store.

docs/auth/rate-limiting.md

  • In-memory visitor state warning: RateLimiter tracks per-IP token buckets in an in-memory map — enforcement does not span instances. Added a !!! warning callout advising operators to supplement with an external rate-limiter (e.g. Redis) for multi-instance deployments.

docs/handler/email-verification.md

  • Token retention on SendEmail failure: When SendEmail returns an error, SendVerification logs the failure and returns HTTP 200 — the stored token is not deleted. This contrasts with PasswordResetHandler, which does delete the reset token on email failure. Added a !!! note callout to document this behaviour and the intentional difference.

docs/handler/magic-links.md

  • Auto-provisioning display name: When a new account is auto-provisioned on magic-link verification, the email address is used as the initial display name. Mentioned this in the introduction and linked to AuthHandler.UpdateProfile so users know how to change it.

docs/smtp.md

  • Security and timeouts section: Added a new section documenting:
    • TLS 1.2 minimum version enforced for tls and starttls modes.
    • 10-second TCP dial timeout.
    • 30-second session timeout (takes the minimum of the configured value and the caller's context deadline).

docs/auth/crypto.md

  • Empty plaintext behaviour: SecretEncrypter.Encrypt("") returns ("", nil) — no ciphertext is produced. Added a comment in the code block so callers are not surprised when an empty field round-trips as an empty string.

How gaps were identified

A explore sub-agent compared every exported Go symbol in auth/ and handler/ against the corresponding Markdown documentation, then cross-checked behaviour notes in code comments against what was written in the docs.

Testing

Documentation-only change. No code was modified. Existing tests are unaffected.

Generated by Update Docs · ● 3.1M ·

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/update-docs.md@96b9d4c39aa22359c0b38265927eadb31dcf4e2a

Greptile Summary

This PR adds documentation for seven previously undocumented or under-documented behaviours across the passkeys, OIDC, rate-limiting, email-verification, magic-links, SMTP, and crypto modules. The new content is accurate: the 5-minute challenge expiry, credential-counter semantics, in-memory rate-limiter and nonce warnings, token-retention contrast between EmailVerificationHandler and PasswordResetHandler, auto-provisioned display name, and the SMTP TLS/timeout section all match the source code.

Confidence Score: 4/5

Documentation-only PR; most new content is accurate, but two previously-flagged inaccuracies (oidc.md failure mode, email-verification.md nil-sender behaviour) remain unresolved in this HEAD.

All newly-added documentation was verified against source and is accurate. Score is held at 4 rather than 5 because two factual inaccuracies noted in prior review threads (oidc.md still describes the wrong failure endpoint; email-verification.md line 16 still mis-states nil-SendEmail behaviour) have not been corrected in this HEAD despite the author's commit-message claim of a fix.

docs/handler/oidc.md and docs/handler/email-verification.md — both still contain inaccuracies tracked in prior review threads.

Important Files Changed
Filename Overview
docs/handler/passkeys.md Adds accurate challenge-expiry note (5 min, confirmed in passkey.go) and credential-counter update semantics (warn-on-failure, no auth failure); both match source.
docs/handler/oidc.md Adds in-memory nonce warning; the described failure mode (redirect to /?oidc_link_error=User+not+found) is still inaccurate per the source (Link() returns HTTP 401 via consumeLinkNonce) — tracked in a prior review thread.
docs/handler/email-verification.md New token-retention note is accurate; pre-existing nil-SendEmail description on line 16 still contradicts the source (HTTP 503 before any DB write) — tracked in a prior review thread.
docs/smtp.md New Security and timeouts section accurately reflects the source: TLS 1.2 minimum for tls/starttls modes, 10 s dial timeout, 30 s session deadline with context-override logic.
docs/handler/magic-links.md Display-name auto-provisioning detail is accurate (CreateUser called with email as name); AuthHandler.UpdateProfile reference is valid.
docs/auth/rate-limiting.md In-memory warning accurately describes per-instance token-bucket state in RateLimiter; recommendation for external rate-limiter (e.g. Redis) is appropriate.
docs/auth/crypto.md Empty-string short-circuit comment matches crypto.go (returns ("", nil) before any cipher ops).

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[smtp.Send called] --> B[Dial TCP\n10 s timeout]
    B -->|tls mode| C[TLS handshake\nmin TLS 1.2]
    B -->|starttls / none| D[Plain TCP conn established]
    C --> E[Set 30 s session deadline\nmin ctx deadline, now+30s]
    D --> E
    E -->|starttls| F[STARTTLS upgrade\nmin TLS 1.2]
    E -->|none| G[Plain SMTP session]
    F --> H[AUTH → MAIL FROM → RCPT TO → DATA]
    G --> H
    H --> I[QUIT]
Loading

Reviews (2): Last reviewed commit: "docs: fix nil-sender and nonce-consumpti..." | Re-trigger Greptile

@github-actions
docs: fill documentation gaps identified in gap analysis
2ee6f5d 
- passkeys.md: document 5-minute challenge expiry and credential counter
  update behaviour on FinishAuthentication (non-fatal, used for clone
  detection)
- oidc.md: warn that link-nonce state is in-memory and unsuitable for
  multi-instance deployments without sticky sessions
- rate-limiting.md: warn that per-IP visitor state is in-memory and
  enforcement does not span instances in multi-instance deployments
- email-verification.md: add note that SendVerification does NOT delete
  the verification token when SendEmail fails (contrast with
  PasswordResetHandler which does delete the token on failure)
- magic-links.md: document that auto-provisioned accounts use the email
  address as the initial display name
- smtp.md: add Security and timeouts section documenting TLS 1.2 minimum,
  10 s dial timeout, and 30 s session timeout
- crypto.md: note that SecretEncrypter.Encrypt returns ("", nil) for
  empty input — no ciphertext is produced or stored

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added automation documentation Improvements or additions to documentation labels Apr 28, 2026
@veverkap veverkap marked this pull request as ready for review April 28, 2026 18:58
@veverkap veverkap requested review from a team and Copilot April 28, 2026 18:58
greptile-apps[bot]
greptile-apps Bot reviewed Apr 28, 2026
View reviewed changes
Comment thread docs/handler/oidc.md
Comment thread docs/handler/email-verification.md Outdated
@veverkap
docs: fix nil-sender and nonce-consumption inaccuracies
6ca69b1 
email-verification.md: SendEmail=nil returns HTTP 503 before any DB
write; it does not create/store a token silently.

oidc.md: In-memory nonce is consumed by the Link handler, so a
cross-instance nonce miss fails the /oidc/link?nonce=… request with
HTTP 401, not the OIDC callback with a redirect error.
@veverkap veverkap merged commit 4bb6299 into main Apr 28, 2026
6 checks passed
@veverkap veverkap deleted the docs/fill-gaps-20260428-d6a52c2d3d7d0732 branch April 28, 2026 19:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@veverkap veverkap veverkap left review comments

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

No one assigned

Labels

automation documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@veverkap