refactor: harden security validations and simplify OAuth handlers #139
Status: Merged
Commit message:
- Enforce minimum 32-byte JWT secret length for HS256 signing
- Reject PKCE plain method, only accept S256
- Add session remember-me max-age upper bound validation (30 days)
- Use safe type assertions in OAuth callback to prevent panics
- Replace duplicate scopesAreCovered with util.IsScopeSubset
- Extract validateStateAndNonce helper to deduplicate auth handlers
- Define OAuth error code constants to replace inline magic strings
- Remove redundant comments restating function names

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report: ❌ Patch coverage is
Commit message:
- Add AlgHS256, AlgRS256, AlgES256 constants in config package
- Replace inline "HS256"/"RS256"/"ES256" strings across config, token, bootstrap, and handlers packages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- plain method (S256 only), add session remember-me max-age upper bound (30 days), fix unsafe type assertions in OAuth callback (panic/DoS vector)
- Replace scopesAreCovered() with util.IsScopeSubset(), extract validateStateAndNonce() helper, define OAuth error code constants replacing ~20 inline magic strings, remove redundant "what" comments

Test plan
- make generate — templates compile
- make test — all tests pass (pre-existing Redis failures unrelated)
- make lint — 0 issues

🤖 Generated with Claude Code
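The checks the PR summary lists (HS256 secret length, S256-only PKCE, a remember-me upper bound, comma-ok type assertions in the callback, and a scope-subset helper) are shown below as one self-contained Go program. This is an added illustration written for this page, not the project's code: the function names, error values and the `MinHS256SecretLen`/`MaxRememberMeAge` constants are assumptions, and the sample claims map and PKCE pair in `main` are constructed here (the PKCE pair is the RFC 7636 Appendix B vector). The PKCE comparison is constant-time, which the PR text does not mention; it is a reasonable default for a challenge check.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Names below are assumptions for this example, not the project's identifiers.
const (
	AlgHS256          = "HS256"
	PKCEMethodS256    = "S256"
	MinHS256SecretLen = 32                  // bytes: at least the HMAC-SHA256 output size
	MaxRememberMeAge  = 30 * 24 * time.Hour // upper bound from the PR description
)

var (
	ErrSecretTooShort  = errors.New("jwt: HS256 secret must be at least 32 bytes")
	ErrPKCEMethod      = errors.New("pkce: only S256 is accepted")
	ErrPKCEMismatch    = errors.New("pkce: code_verifier does not match code_challenge")
	ErrRememberMeRange = errors.New("session: remember-me max-age must be >0 and <=30 days")
	ErrClaimType       = errors.New("oauth: claim missing or not a string")
)

// ValidateSigningSecret enforces the minimum key length for HS256 only;
// asymmetric algorithms carry no shared secret to length-check.
func ValidateSigningSecret(alg string, secret []byte) error {
	if alg == AlgHS256 && len(secret) < MinHS256SecretLen {
		return ErrSecretTooShort
	}
	return nil
}

// S256Challenge computes BASE64URL(SHA256(code_verifier)) without padding (RFC 7636 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE rejects the "plain" method outright and compares the recomputed
// challenge in constant time.
func VerifyPKCE(method, challenge, verifier string) error {
	if method != PKCEMethodS256 {
		return ErrPKCEMethod
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) != 1 {
		return ErrPKCEMismatch
	}
	return nil
}

// ValidateRememberMeMaxAge bounds the persistent-session lifetime.
func ValidateRememberMeMaxAge(maxAge time.Duration) error {
	if maxAge <= 0 || maxAge > MaxRememberMeAge {
		return ErrRememberMeRange
	}
	return nil
}

// StringClaim uses the comma-ok form of the type assertion, so a missing or
// non-string claim in a decoded token yields an error rather than a panic.
func StringClaim(claims map[string]any, name string) (string, error) {
	v, ok := claims[name].(string)
	if !ok || v == "" {
		return "", ErrClaimType
	}
	return v, nil
}

// IsScopeSubset reports whether every requested scope is among the granted ones.
func IsScopeSubset(requested, granted []string) bool {
	have := make(map[string]struct{}, len(granted))
	for _, s := range granted {
		have[s] = struct{}{}
	}
	for _, s := range requested {
		if _, ok := have[s]; !ok {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs for a stand-alone run.
	fmt.Println("short secret:", ValidateSigningSecret(AlgHS256, []byte("too-short")))
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	fmt.Println("plain pkce:", VerifyPKCE("plain", verifier, verifier))
	fmt.Println("s256 pkce:", VerifyPKCE(PKCEMethodS256, S256Challenge(verifier), verifier))
	fmt.Println("31 days:", ValidateRememberMeMaxAge(31*24*time.Hour))
	_, err := StringClaim(map[string]any{"sub": 42}, "sub")
	fmt.Println("numeric sub:", err)
	fmt.Println("scope subset:", IsScopeSubset([]string{"openid"}, []string{"openid", "email"}))
}
```

Each helper returns an error value rather than panicking or logging, so a handler can map them onto the OAuth error-code constants the PR introduces and return a 400 instead of crashing the worker.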