v1.6.2

@github-actions github-actions released this 30 May 14:25
· 36 commits to main since this release

pollen v1.6.2

A small correctness patch on top of v1.6.1. Two fixes, no
new surface, no behavior changes outside the bugs they
address.

The first fix closes a v1.6.0 latent bug in the
Authorization Code with PKCE flow: parseLoopback
accepted ::1 as a valid loopback host (and a unit test
even pinned that acceptance) but the matching net.Listen
call was hard-coded to 127.0.0.1. A user who set
Redirect URI: http://[::1]:8765/callback would have
parseLoopback accept it, the IdP redirect the browser to
[::1]:8765, and the IPv4-only listener never see the
callback — silent 5-minute timeout. Fixed by routing the
parsed host through net.JoinHostPort, so 127.0.0.1
binds IPv4, ::1 binds IPv6, and localhost follows
the kernel's dual-stack default. A new IPv6 end-to-end
regression test pins the fix and skips cleanly on
environments without IPv6 loopback.
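
The bind-address fix described above, as an added example that is not pollen's source: parseLoopbackRedirect and listenAddr are hypothetical names, the accepted host set is the three hosts named in this note, and the sample URIs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// parseLoopbackRedirect (hypothetical stand-in for the unexported parseLoopback)
// returns the host and port of a redirect URI, rejecting non-loopback hosts.
func parseLoopbackRedirect(raw string) (host, port string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "http" {
		return "", "", fmt.Errorf("redirect URI must use http")
	}
	host, port = u.Hostname(), u.Port() // Hostname strips the brackets from [::1]
	if port == "" {
		return "", "", fmt.Errorf("redirect URI needs an explicit port")
	}
	switch host {
	case "127.0.0.1", "::1", "localhost":
		return host, port, nil
	}
	// Any other host would put the callback listener on a non-loopback address.
	return "", "", fmt.Errorf("host %q is not loopback", host)
}

// listenAddr builds the address to hand to net.Listen("tcp", addr).
// Pre-fix equivalent: "127.0.0.1:" + port, whatever host had been accepted.
func listenAddr(redirectURI string) (string, error) {
	host, port, err := parseLoopbackRedirect(redirectURI)
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(host, port), nil // re-adds brackets for IPv6
}

func main() {
	for _, uri := range []string{ // constructed sample inputs
		"http://127.0.0.1:8765/callback",
		"http://[::1]:8765/callback",
		"http://192.0.2.10:8765/callback",
	} {
		addr, err := listenAddr(uri)
		fmt.Printf("%-34s -> %q err=%v\n", uri, addr, err)
	}
}
```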

The second fix refreshes the Ctrl+/ help overlay's Auth
section, which had been stuck on pre-v1.6.0 wording. The
type list still showed only "None / Bearer / Basic /
OAuth"; the g row read as Client-Credentials-only; and
Esc-on-action-row (the in-flight cancel for an OAuth AC
flow, added in v1.6.0) was completely undocumented. The
section now lists all five types, describes g as
covering both grants, and includes the Esc cancel as its
own row.

Also rewrites a comment in internal/oauth/authcode.go
that had been describing recovery behavior (URL printed
to stderr / shown in the status line) that the code never
implemented. The functional gap remains — there is still
no recovery path if openBrowser fails to launch — and
is reserved for a future release with the broader
URL-stashing redesign.

Fixed:

  • OAuth Authorization Code: callback server now binds to
    the host parsed from RedirectURI, fixing the
    http://[::1]:port/... case that previously timed out
  • Ctrl+/ help: Auth section refreshed to document OAuth
    AC, the dual-purpose g key, and Esc-on-action-row as
    the in-flight cancel

Notes:

  • internal/oauth.parseLoopback is unexported; its
    signature change (adds a host return value) is internal
  • v1.x SemVer-frozen surface unchanged
  • Recovery path for openBrowser failure remains a known
    gap — see scope-out notes in the source comment

See CHANGELOG.md for the full list.