• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

dunglas / mercure / 29640604202
86%
master: 93%

Build:
Build:
LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 18 Jul 2026 10:20AM UTC
Jobs 1
Files 37
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

18 Jul 2026 10:17AM UTC coverage: 85.233% (+0.2%) from 85.075%
29640604202

push

github

web-flow
OAuth conformance fixes from draft-08 review (#1297)

* spec!: OAuth conformance fixes from review

Address all nine conformance and consistency reports of
https://github.com/dunglas/mercure/issues/1296:

- require full RFC 9068 conformance for every token, including
  self-issued ones: iss always present and exact-matched against the
  hub's trusted issuers, issuers populate sub, client_id, iat and jti
- remove the access_token URI query parameter (RFC 9700 forbids tokens
  in URLs); recommend fetch() with an Authorization header for browsers
  needing per-connection tokens
- reduce the RFC 6750 deviation to ignoring an ambient cookie when an
  Authorization header is present
- drop the jwks_uri protected resource metadata member (RFC 9728 defines
  it as the resource's own keys)
- switch the RAR type to the collision-resistant URI
  https://mercure.rocks/authorization-detail (RFC 9396 §2.1)
- Change Controller IESG -> IETF (RFC 9728 §8.1.1)
- clarify SameSite=Lax semantics (top-level navigations only)
- make 200 mandatory for successful publications
- fix the stale 403 reserved-namespace example (now 400)

* feat!: require iss, drop query token, URI RAR type

Align the hub with the spec changes triggered by
https://github.com/dunglas/mercure/issues/1296:

- the token iss claim is now required and must exactly match a trusted
  issuer; add WithTrustedIssuers and the trusted_issuers Caddy directive
  (authorization_servers entries remain trusted issuers too), and refuse
  to start a token-validating hub without one
- remove the access_token query parameter (RFC 9700); the legacy
  authorization parameter remains available behind the deprecated_*
  build tags only
- bearer_methods_supported now advertises only "header"
- the RAR type becomes the URI https://mercure.rocks/authorization-detail

Docs and examples updated accordingly.

* fix(ci): trust the token issuer in the compat-mode audience test and prettier-format docs

The require-iss enforcement r... (continued)

15 of 17 new or added lines in 3 files covered. (88.24%)

2730 of 3203 relevant lines covered (85.23%)

102.89 hits per line

Uncovered Changes

Lines Coverage ∆ File
2
92.86
-0.41% hub.go
Jobs
ID Job ID Ran Files Coverage
1 0 - 29640604202.1 18 Jul 2026 10:20AM UTC 37
85.23
GitHub Action Run
Source Files on build 29640604202
  • Tree
  • List 37
  • Changed 0
  • Source Changed 0
  • Coverage Changed 0
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • f774f388 on github
  • Prev Build on main (#29640602977)
  • Next Build on main (#29640602977)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc