24596751515
85%
master: 85%

Ran 18 Apr 2026 04:22AM UTC

Jobs 1

Files 25

Run time 1min

Badge

Embed ▾

Committed 18 Apr 2026 04:20AM UTC coverage: 84.618% (+0.4%) from 84.247%

Build # 24596751515

Build Type

Pull #275

github

Committed by

paskal

Commit Message

fix(provider): port-insensitive host check + log only host on rejection

Address Copilot review on PR #275:

* isAllowedRedirect compared u.Host (which includes port). A from URL
  like https://app.example.com:443/x against an Opts.URL of
  https://app.example.com would be rejected even though they are the
  same origin. Switch to u.Hostname() so the explicit-default-port form
  matches, and add three test cases (https:443, http:80, non-default :8080).

* The rejection log lines wrote the full from URL, leaking
  attacker-supplied paths/query strings into operator logs. Add
  redirectHostForLog helper (parses and returns just the hostname,
  sentinel on parse failure) and use it from all four sites
  (oauth1/oauth2/apple/verify). Covered by TestRedirectHostForLog.

Pull Request Pull Request #275: fix: validate "from" redirect target in OAuth/verify flows

Coverage Stats

106 of 109 new or added lines in 7 files covered. (97.25%)

2789 of 3296 relevant lines covered (84.62%)

7.68 hits per line

Uncovered Changes

Lines	Coverage	∆	File
3	89.11		v2/token/jwt.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	24596751515.1	18 Apr 2026 04:21AM UTC	25	84.62	GitHub Action Run

go-pkgz / auth / 24596751515
85%
master: 85%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 24596751515

go-pkgz / auth / 24596751515 85% master: 85%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 24596751515

go-pkgz / auth / 24596751515
85%
master: 85%

README BADGES
x