go-pkgz / auth / build 26203178077 (coverage 85%)

Build:
  • Default branch: master
  • Ran: 21 May 2026 03:13AM UTC
  • Jobs: 1
  • Files: 25
  • Run time: 1min
21 May 2026 03:12AM UTC coverage: 85.395% (remained the same)
Build 26203178077, triggered by a push, source: github, committer: umputun
docs(auth, avatar): fix misleading and stale docstrings around the security fix

Sweep over the docstrings touched (or adjacent to) PR #290's security work,
prompted by Copilot's post-merge review of withSecurityHeaders and an
adversarial pass from Codex on the rest of the same surface. All changes are
docstring/comment-only; no code, no behavior, no test churn.

  * withSecurityHeaders CONSUMER NOTE (auth.go, v2/auth.go) — the previous
    text told consumers HTML custom handlers could fix CSP blocking by
    "moving scripts/styles to external files served from 'self'", but the
    wrapper applies default-src 'none' and sandbox, so even self-hosted
    resources are blocked. New text spells out what the wrapper actually
    does and gives a concrete relaxed-CSP example. The example list also
    drops "dev_provider's login page" — that page is served by
    DevAuthServer on its own HTTP listener, not by handlers Service.Handlers
    wraps. Replaced with "custom server login pages".

  * Proxy.Put godoc — was "stores retrieved avatar to avatar.Store. Gets
    image from user info. Returns proxied url", which omitted the identicon
    fallback that fires on empty u.Picture, fetch failure, or non-image
    upstream bytes. Doc now describes that the function silently substitutes
    an identicon in those cases and returns its proxied URL — the caller
    is not told the upstream was rejected.

  * Proxy.Handler godoc — was "returns token routes for given provider",
    a leftover from a much older shape of the code. Replaced with a
    description of what Handler actually does today: serves stored avatar
    bytes by id, sniffs against an allowlist, sets defense headers.

  * Handler's inline serve-time validation comment — said "validate the
    bytes really are an image", but Handler reads up to sniffLen bytes
    and runs them through http.DetectContentType + an allowlist. That is
    content-type sniffing, not proof of full decodability. Reworded to
... (continued)

3017 of 3533 relevant lines covered (85.39%)

8.21 hits per line

Jobs
  ID  Job ID          Ran                      Files  Coverage
  1   26203178077.1   21 May 2026 03:13AM UTC  25     85.39%
GitHub Action Run
Source Files on build 26203178077: 25 files listed, 2 files changed (source changed: 0, coverage changed: 2)
  • Commit ba35ab32 on github
  • Prev build on refs/tags/v2.1.4 (#26198178956)
  • Next build on master (#26203179844)
© 2026 Coveralls, Inc