go-pkgz / auth
Coverage: 85% (master: 85%)

LAST BUILD BRANCH: fix/auth-sensitive-logging
DEFAULT BRANCH: master
Repo Added 26 Dec 2018 08:17AM UTC
Files 25
LAST BUILD ON BRANCH fix/csp-consumer-note
Branches and tags in this repo:
  • fix/csp-consumer-note
  • allowed-provider-check
  • apple-reponse-mode-fix
  • aud-secrets
  • ava-factory
  • chore/go-fix
  • configurable-microsoft-tenant
  • cookie-domain
  • custom-dev-host
  • custom-dev-port
  • dependabot/go_modules/_example/github.com/go-chi/chi/v5-5.2.2
  • dependabot/go_modules/_example/golang.org/x/crypto-0.17.0
  • dependabot/go_modules/_example/golang.org/x/image-0.38.0
  • dependabot/go_modules/_example/golang.org/x/image-0.5.0
  • dependabot/go_modules/_example/golang.org/x/net-0.17.0
  • dependabot/go_modules/_example/golang.org/x/net-0.7.0
  • dependabot/go_modules/golang.org/x/crypto-0.31.0
  • dependabot/go_modules/golang.org/x/image-0.38.0
  • dependabot/go_modules/v2/github.com/golang-jwt/jwt/v5-5.2.2
  • dependabot/go_modules/v2/golang.org/x/crypto-0.31.0
  • dependabot/go_modules/v2/golang.org/x/crypto-0.45.0
  • dependabot/go_modules/v2/golang.org/x/net-0.33.0
  • dependabot/go_modules/v2/golang.org/x/net-0.36.0
  • direct-custom-id
  • docs/comment-sweep
  • dverhoturov/telegram_fix
  • email-sender
  • feat/csrf-middleware
  • feature/custom-error-handler
  • fix-anon
  • fix-content-type-header
  • fix-oauth-from-open-redirect
  • fix-oauth-sendjwtheader
  • fix-providers-names
  • fix/admin-passwd-log-leak
  • fix/apple-id-token-iss-aud
  • fix/apple-log-redact-token-response
  • fix/auth-sensitive-logging
  • fix/avatar-content-type-spoofing-xss
  • fix/dev-custom-bind-localhost
  • fix/email-sender-redact-body
  • fix/panic-save-ava-nil
  • fix/telegram-redact-bot-token-in-avatar-url
  • fix/v1-from-redirect-validator
  • fix/verify-replay
  • fix/verify-replay-typed-nil-followup
  • followups/security-review
  • go1_20
  • jwt-header
  • master
  • microsoft
  • migrate-example-to-routegroup
  • no-ava
  • official-mongo-drvier
  • paskal/HttpOnly
  • paskal/add_common_processor
  • paskal/avatar_return_proper_content_type
  • paskal/bump_ci_go_version
  • paskal/bump_dep
  • paskal/bump_go_modules
  • paskal/bump_modules
  • paskal/double_close
  • paskal/email_module
  • paskal/facelift
  • paskal/fix_actions_test
  • paskal/fix_apple_key_panic
  • paskal/fix_custom_server
  • paskal/fix_error
  • paskal/fix_golangcilint
  • paskal/fix_lint_report
  • paskal/fix_send_jwt_header
  • paskal/google_auth_doc
  • paskal/improve_telegram
  • paskal/modules_bump
  • paskal/mongodb
  • paskal/moq
  • paskal/new_errors
  • paskal/plain_text
  • paskal/switch_to_v2
  • paskal/sync_v2
  • paskal/telegram_site_id
  • paskal/tg_username
  • paskal/token_generation_instructions
  • paskal/update-dependencies
  • paskal/update-modules
  • paskal/update_modules
  • paskal/update_pkcs8
  • paskal/v2
  • paskal/v2_golangcilint
  • paskal/v2_jwt5
  • rbac
  • refs/tags/v0.10.0
  • refs/tags/v0.10.1
  • refs/tags/v0.10.2
  • refs/tags/v0.11.0
  • refs/tags/v0.12.0
  • refs/tags/v0.12.1
  • refs/tags/v1.13.0
  • refs/tags/v1.13.1
  • refs/tags/v1.14.0
  • refs/tags/v1.15.0
  • refs/tags/v1.16.0
  • refs/tags/v1.17.0
  • refs/tags/v1.18.0
  • refs/tags/v1.19.0
  • refs/tags/v1.19.1
  • refs/tags/v1.20.0
  • refs/tags/v1.21.0
  • refs/tags/v1.22.0
  • refs/tags/v1.22.1
  • refs/tags/v1.23.0
  • refs/tags/v1.24.0
  • refs/tags/v1.24.1
  • refs/tags/v1.24.2
  • refs/tags/v1.25.1
  • refs/tags/v1.25.2
  • refs/tags/v1.25.3
  • refs/tags/v1.25.4
  • refs/tags/v1.5.1
  • refs/tags/v2.0.0
  • refs/tags/v2.1.0
  • refs/tags/v2.1.1
  • refs/tags/v2.1.2
  • refs/tags/v2.1.3
  • refs/tags/v2.1.4
  • remove-bluemonday
  • samesite
  • sanitize-verifyed
  • update-dependencies-2026-04
  • update-dependencies-dec2024
  • update-deps-and-golangci-v2
  • upgrade-repeater-v2
  • v0.8.0
  • v0.8.1
  • v0.8.2
  • v0.8.3
  • v0.9.0
  • verify-avatar

21 May 2026 03:01AM UTC coverage: 85.425% (+0.03%) from 85.395%
Build 26202851038 · Pull #291 · via github · committer paskal

docs(auth, avatar): fix misleading and stale docstrings around the security fix

Sweep over the docstrings touched (or adjacent to) PR #290's security work,
prompted by Copilot's post-merge review of withSecurityHeaders and an
adversarial pass from Codex on the rest of the same surface. All changes are
docstring/comment-only; no code, no behavior, no test churn.

  * withSecurityHeaders CONSUMER NOTE (auth.go, v2/auth.go) — the previous
    text told consumers HTML custom handlers could fix CSP blocking by
    "moving scripts/styles to external files served from 'self'", but the
    wrapper applies default-src 'none' and sandbox, so even self-hosted
    resources are blocked. New text spells out what the wrapper actually
    does and gives a concrete relaxed-CSP example. The example list also
    drops "dev_provider's login page" — that page is served by
    DevAuthServer on its own HTTP listener, not by handlers Service.Handlers
    wraps. Replaced with "custom server login pages".

  * Proxy.Put godoc — was "stores retrieved avatar to avatar.Store. Gets
    image from user info. Returns proxied url", which omitted the identicon
    fallback that fires on empty u.Picture, fetch failure, or non-image
    upstream bytes. Doc now describes that the function silently substitutes
    an identicon in those cases and returns its proxied URL — the caller
    is not told the upstream was rejected.

  * Proxy.Handler godoc — was "returns token routes for given provider",
    a leftover from a much older shape of the code. Replaced with a
    description of what Handler actually does today: serves stored avatar
    bytes by id, sniffs against an allowlist, sets defense headers.

  * Handler's inline serve-time validation comment — said "validate the
    bytes really are an image", but Handler reads up to sniffLen bytes
    and runs them through http.DetectContentType + an allowlist. That is
    content-type sniffing, not proof of full decodability. Reworded to
... (continued)
3042 of 3561 relevant lines covered (85.43%)

8.3 hits per line

Source Files on fix/csp-consumer-note: List 25, Changed 0, Source Changed 0, Coverage Changed 0. The per-file table (Coverage ∆, File, Lines, Relevant, Covered, Missed, Hits/Line) shows no rows for this build.

Recent builds (Build · Branch · Commit · Type · Ran · Committer · Via · Coverage):

  • 26202851038 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 03:03AM UTC · paskal · github · 85.43
  • 26202851040 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 03:02AM UTC · paskal · github · 85.39
  • 26202167636 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 02:40AM UTC · paskal · github · 85.43
  • 26202167622 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 02:40AM UTC · paskal · github · 85.39
  • 26199873128 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 01:27AM UTC · paskal · github · 85.43
  • 26199873127 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 01:27AM UTC · paskal · github · 85.39
  • 26199874225 · fix/csp-consumer-note · docs(auth, avatar): fix misleading and stale docstrings around the security fix · Pull #291 · 21 May 2026 01:27AM UTC · paskal · github · 85.39
  • 26199620340 · fix/csp-consumer-note · docs(auth): fix misleading withSecurityHeaders CONSUMER NOTE · Pull #291 · 21 May 2026 01:19AM UTC · paskal · github · 85.43
  • 26199620312 · fix/csp-consumer-note · docs(auth): fix misleading withSecurityHeaders CONSUMER NOTE · Pull #291 · 21 May 2026 01:19AM UTC · paskal · github · 85.39
  • 26199623976 · fix/csp-consumer-note · docs(auth): fix misleading withSecurityHeaders CONSUMER NOTE · Pull #291 · 21 May 2026 01:19AM UTC · paskal · github · 85.39

The first seven builds carry the PR #291 commit message quoted above. The last three carry the earlier commit message, truncated on the page: "Per Copilot review on PR #290 (post-merge), the previous note suggested custom HTML handlers could fix CSP blocking by "moving scripts/styles to external files served from 'self'". That..."
See All Builds (1088)
© 2026 Coveralls, Inc