
go-pkgz / auth
85%

DEFAULT BRANCH: master
Repo Added 26 Dec 2018 08:17AM UTC
Files 25
LAST BUILD ON BRANCH master

21 May 2026 03:12AM UTC coverage: 85.425% (+0.03%) from 85.395%
26203179848

push

github

umputun
docs: package-wide comment sweep (non-security)

Pre-existing comment drift in files unrelated to the recent security fix —
unrelated docstrings that misled, said the wrong thing, or were copy-paste
leftovers. Mirrored across v1 and v2.

The security-fix docstring fixes (avatar/avatar.go security comments and
auth.go withSecurityHeaders) live in PR #291 and are intentionally NOT
included here so the two PRs stay independent.

Findings:

  * avatar/gridfs.go — ID doc claimed MD5 sourced from gridfs; metadata.hash
    is the sha1 written at Put time.
  * avatar/bolt.go, avatar/gridfs.go — Put docs and BoltDB type doc claimed
    these layers "resize" the image; they only copy bytes. Resize happens
    in Proxy.resize upstream.
  * avatar/store.go — Migrate doc didn't mention that per-avatar Get/Put/Close
    errors are logged and skipped, and that the returned count is "ids
    attempted", not "ids stored".
  * provider/oauth1.go — initOauth1Handler doc and DEBUG log both said
    "oauth2".
  * provider/service.go — Service.Handler doc said "returns auth routes";
    it dispatches login/callback/logout.
  * provider/telegram.go — processUpdates claimed to return an offset (no
    return value); checkToken doc described an "address or empty string"
    return shape but the signature is (*token.User, error).
  * provider/verify.go — Sender interface doc locked the contract to "send
    emails", contradicting the broader "email, IM, or anything else" on
    VerifyHandler. AuthHandler comment was copy-pasted from direct.
  * provider/dev_provider.go — NewDev doc said "for admin user"; just makes
    the dev oauth2 provider.
  * middleware/user_updater.go — UserUpdFunc adapter doc said result "is a
    Handler"; implements UserUpdater.
  * logger/interface.go — Func adapter doc said "Logf calls f(id)"; actually
    calls f(format, args...).
  * token/jwt.go — SendJWTHeader option doc said "instead of cookie"; Set
    sends header AND cookie. Set doc referenc... (continued)

3 of 3 new or added lines in 3 files covered. (100.0%)

3042 of 3561 relevant lines covered (85.43%)

8.3 hits per line


Recent builds

| Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 26203179848 | master | docs: package-wide comment sweep (non-security) Pre-existing comment drift in files unrelated to the recent security fix — unrelated docstrings that misled, said the wrong thing, or were copy-paste leftovers. Mirrored across v1 and v2. The secur... | push | 21 May 2026 03:13AM UTC | umputun | github | 85.43 |
| 26203178078 | master | docs(auth, avatar): fix misleading and stale docstrings around the security fix Sweep over the docstrings touched (or adjacent to) PR #290's security work, prompted by Copilot's post-merge review of withSecurityHeaders and an adversarial pass fro... | push | 21 May 2026 03:13AM UTC | umputun | github | 85.43 |
| 26203179844 | master | docs: package-wide comment sweep (non-security) Pre-existing comment drift in files unrelated to the recent security fix — unrelated docstrings that misled, said the wrong thing, or were copy-paste leftovers. Mirrored across v1 and v2. The secur... | push | 21 May 2026 03:13AM UTC | umputun | github | 85.39 |
| 26203178077 | master | docs(auth, avatar): fix misleading and stale docstrings around the security fix Sweep over the docstrings touched (or adjacent to) PR #290's security work, prompted by Copilot's post-merge review of withSecurityHeaders and an adversarial pass fro... | push | 21 May 2026 03:13AM UTC | umputun | github | 85.39 |
| 26198058385 | master | fix(avatar): prevent stored XSS via content-type spoofing (#290) * fix(avatar): reject non-image content to prevent stored XSS via content-type spoofing The avatar proxy stored whatever bytes upstream returned at u.Picture and served them back w... | push | 21 May 2026 12:32AM UTC | web-flow | github | 85.39 |
| 26198058340 | master | fix(avatar): prevent stored XSS via content-type spoofing (#290) * fix(avatar): reject non-image content to prevent stored XSS via content-type spoofing The avatar proxy stored whatever bytes upstream returned at u.Picture and served them back w... | push | 21 May 2026 12:32AM UTC | web-flow | github | 85.43 |
| 25620289937 | master | fix(verify): close service-level typed-nil store + adapter-author guidance Followups to #281 (verify replay protection) raised on the post-merge review. None blocking, all small. 1. Service-level typed-nil VerifConfirmationStoreFunc guard. The ... | push | 10 May 2026 05:00AM UTC | umputun | github | 85.32 |
| 25620289928 | master | fix(verify): close service-level typed-nil store + adapter-author guidance Followups to #281 (verify replay protection) raised on the post-merge review. None blocking, all small. 1. Service-level typed-nil VerifConfirmationStoreFunc guard. The ... | push | 10 May 2026 05:00AM UTC | umputun | github | 85.29 |
| 25606477506 | master | fix(verify): one-shot consumption of email confirmation tokens The email confirmation JWT issued by VerifyHandler.sendConfirmation was only protected by its 30-minute expiry: any party who could read the confirmation link (forwarded email, mail-g... | push | 09 May 2026 04:52PM UTC | umputun | github | 85.2 |
| 25606477509 | master | fix(verify): one-shot consumption of email confirmation tokens The email confirmation JWT issued by VerifyHandler.sendConfirmation was only protected by its 30-minute expiry: any party who could read the confirmation link (forwarded email, mail-g... | push | 09 May 2026 04:52PM UTC | umputun | github | 85.23 |
See All Builds (1078)