
sec(api): renderAuthError Cache-Control: no-store + lang=en (BUG-API-257/404)#196

Merged
mastermanas805 merged 1 commit into master from bug-api-404-email-callback-no-store-lang on May 30, 2026

Conversation

@mastermanas805

Member

Summary

The OAuth / magic-link callback HTML is per-request session-bound state (the underlying token has been consumed or expired). Two compounding gaps:

  1. BUG-API-404 — no Cache-Control. Back-button, service-worker re-fetch, or intermediate proxy could replay the body, leaking the "you tried this link" UX state across sessions. Stamp `Cache-Control: no-store` (RFC 9111 §5.2.2.5).
  2. BUG-API-257 — `<html>` shipped with no `lang` attribute. WCAG 3.1.1 requires a programmatically determinable primary language; assistive tech (VoiceOver, NVDA) falls back to OS locale otherwise. Pin `lang="en"` to match the static English-only copy.

Both fix at the single `renderAuthError` sink, fanning out across ~25 OAuth / magic-link callback paths without scattering edits.

Coverage block

```
Symptom: OAuth/magic-link error HTML missing Cache-Control: no-store
(BUG-API-404) and lang attribute (BUG-API-257)
Enumeration: rg -F 'renderAuthError' internal/handlers/ (~25 sites)
All flow through a single emit point at auth.go:1113
Sites found: 1 emit function (~25 callers)
Sites touched: 1 (single sink fix — rule 18 single-source guarantee)
Coverage test: TestAuth_RenderAuthError_StatusAndContentType pins
- resp.Header.Get("Cache-Control") == "no-store"
- body contains '<html lang="en">'
so a future revert of either fails before merge.
Live verified: pending auto-deploy + curl -sI
'https://api.instanode.dev/auth/email/callback?token=invalid'
| grep -i cache-control
```

Inbox reference

  • BUG-API-257 (P3 — /auth/email/callback HTML missing lang — a11y/i18n)
  • BUG-API-404 (P3 — /auth/email/callback no Cache-Control: no-store)

Test plan

🤖 Generated with Claude Code
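As an added example (not the project's own code), a Go stand-in for a single `renderAuthError` sink with both fixes applied once, plus a check that mirrors what the coverage test pins; the handler signature, the error copy and the 400 status are assumptions:

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// renderAuthError is a hypothetical single emit point for OAuth / magic-link
// callback error pages (a stand-in, not the project's function). Because
// every caller funnels through here, both headers are set in one place.
func renderAuthError(w http.ResponseWriter, status int, msg string) {
	h := w.Header()
	// BUG-API-404: the page is per-request, session-bound state, so forbid
	// any cache (browser history, service worker, proxy) from storing it.
	h.Set("Cache-Control", "no-store")
	h.Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	// BUG-API-257: declare the page language so assistive tech does not
	// fall back to the OS locale; the copy is static English.
	fmt.Fprintf(w, `<!DOCTYPE html><html lang="en"><head><title>Sign-in error</title></head><body><p>%s</p></body></html>`,
		html.EscapeString(msg)) // escape so caller-supplied text cannot inject markup
}

// checkAuthErrorResponse renders one error through the sink and reports
// whether both regressions are absent, as the coverage test would.
func checkAuthErrorResponse() (cacheControlOK, langOK bool, status int) {
	rec := httptest.NewRecorder()
	renderAuthError(rec, http.StatusBadRequest, "This sign-in link has expired.") // constructed message
	resp := rec.Result()
	cacheControlOK = resp.Header.Get("Cache-Control") == "no-store"
	langOK = strings.Contains(rec.Body.String(), `<html lang="en">`)
	return cacheControlOK, langOK, resp.StatusCode
}

func main() {
	cc, lang, status := checkAuthErrorResponse()
	fmt.Printf("status=%d cache-control-ok=%v lang-ok=%v\n", status, cc, lang)
}
```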

@mastermanas805 mastermanas805 force-pushed the bug-api-404-email-callback-no-store-lang branch 3 times, most recently from df0da68 to cfddf22 on May 30, 2026 09:26
…I-257/404)

The OAuth / magic-link callback HTML is per-request session-bound state
(the underlying magic-link / OAuth code has been consumed or expired by
the time the error page renders). Two compounding gaps shipped:

1. BUG-API-404 — no Cache-Control. A back-button, service-worker
   re-fetch, or intermediate proxy could replay the body, leaking the
   "you tried this link" UX state across sessions. Stamp
   Cache-Control: no-store (RFC 9111 §5.2.2.5) which is the strongest
   stop-cache directive and matches the contract every other
   auth-result surface in the api already follows.

2. BUG-API-257 — <html> shipped with no `lang` attribute. WCAG 3.1.1
   ("Language of Page") requires a programmatically determinable
   primary language; assistive tech (VoiceOver, NVDA) falls back to
   the OS locale otherwise, mispronouncing English copy in non-English
   locales. Pin lang="en" to match the static English-only copy.

Both fix at the single renderAuthError sink — fanning out across every
OAuth / magic-link callback error path (~20 call sites in auth.go +
magic_link.go) without scattering c.Set / template edits.

Coverage block:
  Symptom:        OAuth/magic-link error HTML missing Cache-Control: no-store
                  (BUG-API-404) and lang attribute (BUG-API-257)
  Enumeration:    rg -F 'renderAuthError' internal/handlers/ (~25 sites)
                  All flow through a single emit point in auth.go:1113
  Sites found:    1 emit function (~25 callers)
  Sites touched:  1 (single sink fix)
  Coverage test:  TestAuth_RenderAuthError_StatusAndContentType now pins
                   - Cache-Control: no-store
                   - body contains `<html lang="en">`
                  so a future revert of either fails before merge.
  Live verified:  pending auto-deploy + curl -sI
                  'https://api.instanode.dev/auth/email/callback?token=invalid'
                  | grep -i cache-control

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mastermanas805 mastermanas805 force-pushed the bug-api-404-email-callback-no-store-lang branch from cfddf22 to 602e311 on May 30, 2026 09:42
@mastermanas805 mastermanas805 merged commit fd61fc8 into master May 30, 2026
14 checks passed
@mastermanas805 mastermanas805 deleted the bug-api-404-email-callback-no-store-lang branch May 30, 2026 10:01