24739214132
85%
master: 85%

Ran 21 Apr 2026 06:24PM UTC

Jobs 1

Files 24

Run time 1min

Badge

Embed ▾

Committed 21 Apr 2026 05:35PM UTC coverage: 84.247%. Remained the same

Build # 24739214132

Build Type

Pull #275

github

Committed by

paskal

Commit Message

fix(provider): address review on host-allowlist hardening

Address Copilot and maintainer review comments on PR #275:

* Hostname compare is case-insensitive (strings.EqualFold), mirroring
  checkAuds in token/jwt.go. DNS hostnames are case-insensitive, so
  App.Example.Com in "from" now matches app.example.com in the
  allowlist or service URL. Covered by three new TestIsAllowedRedirect
  cases.

* Scheme check: only http/https are accepted when the policy is on.
  Hostname()=="" already filters javascript:/data:/etc. in practice,
  but an explicit check is defence-in-depth. New test cases cover
  javascript, ftp and data scheme rejection.

* Typed-nil guard: a nil AllowedHostsFunc assigned to the interface
  field produces a non-nil interface wrapping a nil func, which would
  panic in Get(). Detect the common adapter case and treat it as "no
  allowlist configured". Documented on AllowedHostsFunc godoc. New
  test case exercises the typed-nil path.

* TestOauth2LoginFromAllowsAllowlistedHost now reuses prepOauth2Test
  via its paramOpts hook instead of building a parallel mock server,
  removing the G101 gosec hit on the inline oauth2.Endpoint literals
  (flagged by umputun) and cutting ~60 lines of duplication.

Pull Request Pull Request #275: fix: validate "from" redirect target in OAuth/verify flows

Coverage Stats

2706 of 3212 relevant lines covered (84.25%)

7.27 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	24739214132.1	21 Apr 2026 06:24PM UTC	24	84.25	GitHub Action Run

go-pkgz / auth / 24739214132
85%
master: 85%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 24739214132

go-pkgz / auth / 24739214132 85% master: 85%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 24739214132

go-pkgz / auth / 24739214132
85%
master: 85%

README BADGES
x