go-pkgz / auth
84%

Repo Added 26 Dec 2018 08:17AM UTC

Files 24

Badge

Embed ▾

LAST BUILD ON BRANCH master
branch: SELECT

CHANGE BRANCH
x

No branch selected

allowed-provider-check

apple-reponse-mode-fix

aud-secrets

ava-factory

configurable-microsoft-tenant

cookie-domain

custom-dev-host

custom-dev-port

dependabot/go_modules/_example/github.com/go-chi/chi/v5-5.2.2

dependabot/go_modules/_example/golang.org/x/crypto-0.17.0

dependabot/go_modules/_example/golang.org/x/image-0.38.0

dependabot/go_modules/_example/golang.org/x/image-0.5.0

dependabot/go_modules/_example/golang.org/x/net-0.17.0

dependabot/go_modules/_example/golang.org/x/net-0.7.0

dependabot/go_modules/golang.org/x/crypto-0.31.0

dependabot/go_modules/golang.org/x/image-0.38.0

dependabot/go_modules/v2/github.com/golang-jwt/jwt/v5-5.2.2

dependabot/go_modules/v2/golang.org/x/crypto-0.31.0

dependabot/go_modules/v2/golang.org/x/crypto-0.45.0

dependabot/go_modules/v2/golang.org/x/net-0.33.0

dependabot/go_modules/v2/golang.org/x/net-0.36.0

direct-custom-id

dverhoturov/telegram_fix

email-sender

feat/csrf-middleware

feature/custom-error-handler

fix-anon

fix-content-type-header

fix-oauth-from-open-redirect

fix-oauth-sendjwtheader

fix-providers-names

fix/panic-save-ava-nil

go1_20

jwt-header

master

microsoft

migrate-example-to-routegroup

no-ava

official-mongo-drvier

paskal/HttpOnly

paskal/add_common_processor

paskal/avatar_return_proper_content_type

paskal/bump_ci_go_version

paskal/bump_dep

paskal/bump_go_modules

paskal/bump_modules

paskal/double_close

paskal/email_module

paskal/facelift

paskal/fix_actions_test

paskal/fix_apple_key_panic

paskal/fix_custom_server

paskal/fix_error

paskal/fix_golangcilint

paskal/fix_lint_report

paskal/fix_send_jwt_header

paskal/google_auth_doc

paskal/improve_telegram

paskal/modules_bump

paskal/mongodb

paskal/moq

paskal/new_errors

paskal/plain_text

paskal/switch_to_v2

paskal/sync_v2

paskal/telegram_site_id

paskal/tg_username

paskal/token_generation_instructions

paskal/update-dependencies

paskal/update-modules

paskal/update_modules

paskal/update_pkcs8

paskal/v2

paskal/v2_golangcilint

paskal/v2_jwt5

rbac

refs/tags/v0.10.0

refs/tags/v0.10.1

refs/tags/v0.10.2

refs/tags/v0.11.0

refs/tags/v0.12.0

refs/tags/v0.12.1

refs/tags/v1.13.0

refs/tags/v1.13.1

refs/tags/v1.14.0

refs/tags/v1.15.0

refs/tags/v1.16.0

refs/tags/v1.17.0

refs/tags/v1.18.0

refs/tags/v1.19.0

refs/tags/v1.19.1

refs/tags/v1.20.0

refs/tags/v1.21.0

refs/tags/v1.22.0

refs/tags/v1.22.1

refs/tags/v1.23.0

refs/tags/v1.24.0

refs/tags/v1.24.1

refs/tags/v1.24.2

refs/tags/v1.25.1

refs/tags/v1.25.2

refs/tags/v1.5.1

refs/tags/v2.0.0

refs/tags/v2.1.0

refs/tags/v2.1.1

refs/tags/v2.1.2

remove-bluemonday

samesite

sanitize-verifyed

update-dependencies-2026-04

update-dependencies-dec2024

update-deps-and-golangci-v2

upgrade-repeater-v2

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.9.0

verify-avatar

Committed 06 May 2026 06:59AM UTC coverage: 84.247%. Remained the same

Build # 25421111866

Build Type

push

github

Committed by

umputun

Commit Message

docs(verify): caveat that email proves control, not stable identity

The verify provider derives the local user id from the verified address
(ProviderName + "_" + HashID(address)). The confirmation round-trip
proves current control of the address at login time, but does not
guarantee a stable+unique identity over time -- the owner of an address
can change without the address changing (employer offboarding, recycled
free-mail handles, recycled domains). Any application that keys its own
records directly on the returned id will treat the new owner of an
address as the original user.

This is inherent to email-as-identity, not a bug in this library: the
verify flow has no upstream identifier (such as an OIDC sub) to fall
back on. The right place to address it is integrator-side -- map the
verified address to a server-side immutable user id at first verify --
but the property is non-obvious and easy to miss, so this commit calls
it out where readers will look:

  - VerifyHandler doc comment in provider/verify.go (v1)
  - VerifyHandler doc comment in v2/provider/verify.go
  - new "Email-as-identity caveat" subsection under "Verified
    authentication" in the root README

Documentation only; no behaviour change.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Coverage Stats

2706 of 3212 relevant lines covered (84.25%)

7.31 hits per line

Relevant lines Covered

3212 RELEVANT LINES 2706 COVERED LINES

7.31 HITS PER LINE

Source Files on master

Recent builds

Builds	Branch	Commit	Type	Ran	Committer	Via	Coverage
25421111866	master	docs(verify): caveat that email proves control, not stable identity The verify provider derives the local user id from the verified address (ProviderName + "_" + HashID(address)). The confirmation round-trip proves current control of the address ...	push	06 May 2026 07:02AM UTC	umputun	github	84.25
25421111927	master	docs(verify): caveat that email proves control, not stable identity The verify provider derives the local user id from the verified address (ProviderName + "_" + HashID(address)). The confirmation round-trip proves current control of the address ...	push	06 May 2026 07:01AM UTC	umputun	github	84.66
24808552052	refs/tags/v2.1.2	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:48PM UTC	web-flow	github	84.66
24808551995	refs/tags/v1.25.2	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:48PM UTC	web-flow	github	84.66
24808552025	refs/tags/v2.1.2	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:48PM UTC	web-flow	github	84.25
24808551998	refs/tags/v1.25.2	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:48PM UTC	web-flow	github	84.25
24808418169	master	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:43PM UTC	web-flow	github	84.66
24808418198	master	Merge commit from fork The Patreon provider was hashing userInfo.ID (the uninitialized destination field on a freshly created token.User), not the Patreon account ID from the response. Every Patreon login therefore produced the same local user ID...	push	22 Apr 2026 11:43PM UTC	web-flow	github	84.25
24744987298	master	fix: validate "from" redirect target in OAuth/verify flows (#275) * fix: validate "from" redirect target in OAuth/verify flows The "from" query parameter accepted by oauth1/oauth2/apple/verify login handlers was stored verbatim in the handshake ...	push	21 Apr 2026 08:35PM UTC	web-flow	github	84.66
24744987265	master	fix: validate "from" redirect target in OAuth/verify flows (#275) * fix: validate "from" redirect target in OAuth/verify flows The "from" query parameter accepted by oauth1/oauth2/apple/verify login handlers was stored verbatim in the handshake ...	push	21 Apr 2026 08:34PM UTC	web-flow	github	84.25

See All Builds (916)

go-pkgz / auth
84%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH
x

Relevant lines Covered

Source Files on master

Recent builds

go-pkgz / auth 84%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH x

Relevant lines Covered

Source Files on master

Recent builds

go-pkgz / auth
84%

README BADGES
x

CHANGE BRANCH
x