
SeaweedbrainCY / zero-totp / 26850636017

02 Jun 2026 10:01PM UTC coverage: 92.271% (-0.06%) from 92.327%

push

github

SeaweedbrainCY
feat(api): If the detected Origin is likely a mobile app, tokens are also returned in the body

The Origin header is used to know if the origin app is Capacitor or not. This header is spoofable, but only on a hijacked browser. An innocent user cannot have this modified without a compromised browser.
An attacker can spoof their own Origin header. In that case there is no sensitive information that isn't already transmitted in the SetCookies header.

It's more a precaution feature than a security feature.

9 of 15 new or added lines in 1 file covered. (60.0%)

52 existing lines in 1 file now uncovered.

13609 of 14749 relevant lines covered (92.27%)

0.92 hits per line

Source File

89.99
api/api/controllers.py


Source Not Available
