Skip to content

fix(examples): correct and harden example apps from review#31

Merged
appleboy merged 6 commits into
mainfrom
fix/examples-review-hardening
May 30, 2026
Merged

fix(examples): correct and harden example apps from review#31
appleboy merged 6 commits into
mainfrom
fix/examples-review-hardening

Conversation

@appleboy
Copy link
Copy Markdown
Member

@appleboy appleboy commented May 30, 2026

Summary

Applies the fixes from a maximum-effort /code-review pass over the entire examples/ tree: corrects several real bugs (display, endpoint resolution, error-path output), hardens two security-sensitive flows (discovery issuer validation, HTTP header limits), makes the uid claim demonstrable end-to-end, and tidies repo hygiene. No behavior changes for valid inputs on the happy path.

AI Authorship

  • No AI was used in this PR
  • AI was used. Details:
    • Tool / model: Claude Opus 4.8 via Claude Code (/code-review --fix)
    • AI-authored files: all 7 — .gitignore, go-cli/main.go, go-jwks-multi/testissuer/main.go, go-jwks/get-token.sh, go-m2m/main.go, go-oidc/main.go, go-webservice/main.go
    • Human line-by-line reviewed: none yet — pending human review

⚠️ Reviewer note: This is AI-authored code, not yet reviewed line-by-line by a human, and it touches auth/security-demonstration paths (client-secret handling, OIDC cookie lifecycle, JWT minting). Please review the files in "Read carefully" below line-by-line rather than spot-checking.

Change classification

  • Leaf node (local impact — these are standalone example apps; nothing in the SDK or production depends on them)
  • Core code
    • Caveat: although leaf in the dependency graph, these are security-demonstration examples that users copy as templates, so correctness of the auth flows still matters.

What changed (by file)

  • go-jwks/get-token.sh — verify the discovery doc's issuer matches ISSUER_URL before POSTing CLIENT_SECRET (matches the SDK's discovery client); rewrite decode_jwt to use jq @base64d | fromjson, dropping the hand-rolled base64url padding and the non-portable base64 -d dependency.
  • go-jwks-multi/testissuer/main.go — add a uid query param + <prefix>_uid claim so the uid field exposed by /api/profile and /api/admin is actually exercisable.
  • go-webservice/main.go — add ReadHeaderTimeout + MaxHeaderBytes to match sibling servers; return 500 (not 401) on the middleware-misconfiguration branch, per the SDK doc.
  • go-m2m/main.go — use the discovered userinfo endpoint instead of a hardcoded /oauth/userinfo (fixes trailing-slash double-slash and non-default paths).
  • go-cli/main.go — keep printing token/introspection details when UserInfo fails; maskToken("") returns "" instead of "****".
  • go-oidc/main.goclearCookie now mirrors setShortCookie's Path/Secure/SameSite.
  • .gitignore — ignore the go-oidc and go-jwks-multi build artifacts.

Verification

  • Unit tests — N/A (examples repo has no test suite)
  • Integration tests — N/A
  • e2e tests — none committed
  • Performed instead:
    • go build ./..., go vet ./..., gofmt -l clean across all 6 modules
    • bash -n clean on both shell scripts; no literal control bytes left
    • Runtime end-to-end: ran testissuer + the multi-issuer resource server, minted a uid=alice token → confirmed /api/profile and /api/admin return uid:"alice", and a no-uid token returns uid:""
    • Verified the get-token.sh issuer-match parse (trailing slash tolerated, mismatch rejected) and the jq @base64d decode + clean failure path
  • Manual verification for the reviewer: cd go-jwks-multi && go run ./testissuer then, with the printed env, go run .; mint curl '127.0.0.1:9001/sign?domain=oa&uid=alice' and check /api/profile.

Security check (touches external interfaces)

  • No secrets in code (scanned the diff)
  • External inputs validated — discovery issuer now checked before secret is sent
  • Permission checks tested — N/A (handled by the SDK middleware, unchanged)
  • Rate limits — N/A
  • Errors don't leak internals — decode_jwt now fails with a clean message

Risk & rollback

  • Risk: Low. Changes are confined to example apps with no production dependents. The only behavior changes on valid happy-path inputs are improvements (continue-on-UserInfo-error, discovered userinfo URL). get-token.sh now refuses a discovery doc whose issuer differs from ISSUER_URL — intended, but could surface a pre-existing misconfiguration.
  • Rollback: git revert 1d5a445 (single commit).

Reviewer guide

  • Read carefully (auth/security, AI-authored, not yet human-reviewed):
    • go-jwks/get-token.sh — issuer-match check and the jq-based JWT decode rewrite
    • go-oidc/main.go — cookie clearing across the OIDC callback flow
    • go-jwks-multi/testissuer/main.go — JWT claim minting
  • Spot-check OK (mechanical / display): go-cli/main.go, go-m2m/main.go, go-webservice/main.go, .gitignore

🤖 Generated with Claude Code

@appleboy @claude
fix(examples): correct and harden example apps from review
1d5a445 
- Validate the discovery issuer matches the configured URL before sending the client secret
- Let the test issuer mint the uid claim so the profile and admin endpoints can expose it
- Keep printing token and introspection details when the UserInfo lookup fails
- Add a header read timeout and header size limit to the web service server
- Use the discovered userinfo endpoint instead of a hardcoded path
- Return 500 instead of 401 when token info is missing from the request context
- Decode JWT segments with jq instead of a hand-rolled base64url helper
- Return an empty string when masking an empty token
- Align cleared cookie attributes with the ones used when setting them
- Ignore the go-oidc and go-jwks-multi build artifacts

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 30, 2026 01:14
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens and corrects several standalone AuthGate example apps, mainly around auth-flow correctness, safer defaults, and clearer example behavior without changing valid happy-path behavior.

Changes:

  • Adds HTTP/server and OIDC cookie hardening, plus more accurate middleware error handling.
  • Uses discovered endpoints and validates discovery issuer metadata before sending secrets.
  • Improves JWT/demo claim coverage and CLI output behavior.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.gitignore Ignores additional Go example build artifacts.
go-cli/main.go Keeps printing token details when UserInfo fails and avoids masking empty tokens.
go-jwks/get-token.sh Validates discovery issuer and simplifies JWT decoding through jq.
go-jwks-multi/testissuer/main.go Adds support for minting the uid private claim.
go-m2m/main.go Uses the discovered userinfo endpoint instead of constructing a hardcoded path.
go-oidc/main.go Clears OIDC flow cookies with matching cookie attributes.
go-webservice/main.go Adds header timeout/size limits and reports missing middleware context as a server error.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@appleboy @claude
refactor(go-oidc): share cookie attributes between set and clear
6ec5fb3 
- Build the short-lived auth cookies and their deletions through one authCookie helper so Path, Secure, and SameSite cannot drift apart
- Name the 10-minute cookie lifetime as a constant

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@appleboy appleboy requested a review from Copilot May 30, 2026 01:23
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comment thread go-jwks/get-token.sh Outdated
@appleboy @claude
fix(go-jwks): decode JWT base64url segments correctly
d0ecfc1 
- Map the JWT base64url alphabet to standard base64 and restore padding before jq @base64d, which only accepts the standard alphabet
- Without this, valid tokens whose header or payload contains - or _ failed to decode

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@appleboy appleboy requested a review from Copilot May 30, 2026 01:30
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Comment thread go-m2m/main.go
Comment thread go-jwks-multi/testissuer/main.go
@appleboy @claude
docs(examples): sync READMEs with code changes
5718e2f 
- Describe the go-m2m userinfo call as hitting the discovered userinfo_endpoint rather than a hardcoded path
- Document the new uid query parameter in the testissuer /sign table

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@appleboy appleboy requested a review from Copilot May 30, 2026 01:38
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 3 comments.

Comment thread go-jwks/get-token.sh
Comment thread go-jwks-multi/testissuer/README.md Outdated
Comment thread go-jwks/get-token.sh
@appleboy @claude
docs(examples): correct get-token and testissuer README details
99dfe03 
- Drop the stale base64 prerequisite for get-token.sh --decode, which now decodes in jq
- Clarify the testissuer uid param is a display-only claim, since no AccessRule gates UID

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@appleboy appleboy requested a review from Copilot May 30, 2026 01:45
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated no new comments.

@appleboy @claude
style(examples): reformat README tables
ebea13f 
- Re-align markdown table columns in the example READMEs
- Tag the m2m example output block as txt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@appleboy appleboy merged commit 05341d4 into main May 30, 2026
4 checks passed
@appleboy appleboy deleted the fix/examples-review-hardening branch May 30, 2026 02:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@appleboy