• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

tecnickcom / gogen / 28934407441
100%

Build:
DEFAULT BRANCH: main
Ran 08 Jul 2026 10:08AM UTC
Jobs 1
Files 184
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

08 Jul 2026 10:02AM UTC coverage: 99.987% (+0.001%) from 99.986%
28934407441

push

github

nicolaasuni
feat(jwt)!: self-contained HMAC engine, verifier-based API, and security hardening

Rework the jwt package into a hardened, net/http-oriented JWT auth helper. Tokens are now signed and verified by a standard-library-only HMAC-SHA2 (HS256/HS384/HS512) implementation of the RFC 7515/7519 compact JWS, removing the github.com/golang-jwt/jwt/v5 build dependency (retained test-only for cross-validation). Restricting the surface to symmetric HMAC and verifying the signature before decoding the claims payload makes alg=none and algorithm-confusion attacks structurally impossible.

BREAKING CHANGES:
- New takes VerifyCredentialsFn func(username, password string) (bool, error) instead of UserHashFn: credential verification is fully delegated, so the package is agnostic to the password-hashing scheme (pair it with pkg/passwordhash) and no longer performs bcrypt comparison itself.
- SigningMethod is now an HS256/HS384/HS512 enum instead of an alias of the upstream interface, and Claims carries native fields instead of embedding jwt.RegisteredClaims.
- WithClaimSubject is removed; the sub claim is now set to the authenticated username.

Security hardening:
- Pin the accepted signing algorithm and require exp, enforcing it exclusively per RFC 7519 §4.1.4; validate nbf with optional clock-skew leeway; enforce iss and the full aud set when configured.
- Cap the login request body (413 on overflow) and reject unknown or trailing JSON; return generic client messages while logging details server-side; distinguish invalid credentials (401) from credential-backend failures (500).
- Bound how long a session can be kept alive by renewals via an auth_time claim preserved across renewals and a configurable maximum lifetime, so a stolen token cannot be renewed indefinitely.
- Support HMAC key rotation through previous keys accepted for verification, validate minimum key length against the method hash size, and copy caller-supplied key material so later mutation cannot affect t... (continued)

418 of 418 new or added lines in 5 files covered. (100.0%)

14897 of 14899 relevant lines covered (99.99%)

996.0 hits per line

Jobs
ID Job ID Ran Files Coverage
1 28934407441.1 08 Jul 2026 10:08AM UTC 184
99.99
GitHub Action Run
Source Files on build 28934407441
  • Tree
  • List 184
  • Changed 2
  • Source Changed 2
  • Coverage Changed 2
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28934407441
  • 88b27098 on github
  • Prev Build on main (#28904081343)
  • Next Build on main (#28938710952)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc