v1.2.1

Latest

@heskew heskew released this 11 Feb 01:39
· 10 commits to main since this release
742b72f
  • Fix: Disambiguated session OAuth fields — added providerConfigId and providerType alongside existing provider to clarify config key vs provider type (#26)
  • Fix: Provider errors (e.g. GitHub 500 HTML pages) no longer leak raw response bodies to the browser — callback redirects with ?error=auth_failed&reason=token_exchange instead
  • Security: Open redirect prevention on all callback redirect paths (error and success) via sanitizeRedirect()
  • Security: Error reason codes in redirect URLs use safe constants instead of raw error messages
  • Fix: Response bodies drained in error paths to prevent undici socket/connection pool leaks
  • Fix: Error redirect URLs correctly place query params before hash fragments via buildErrorRedirect() helper
  • Fix: JSON parse failures in token exchange/refresh fall back gracefully to status code instead of crashing
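
A sketch of how the redirect-related items above fit together, added here as an illustration and not taken from the project's code. The bodies of sanitizeRedirect() and buildErrorRedirect() are hypothetical, as are the reason codes other than token_exchange and the placeholder base origin.

```javascript
// Added example: hypothetical implementations, not the project's code.
// Reason codes other than token_exchange are assumed for illustration.
const SAFE_REASONS = new Set(['token_exchange', 'token_refresh', 'unknown']);
const BASE = 'http://placeholder.invalid'; // only used to resolve relative paths

// Return a same-origin relative path, or the fallback for anything else.
function sanitizeRedirect(target, fallback = '/') {
  if (typeof target !== 'string' || target === '') return fallback;
  // Control characters and backslashes can be normalised by browsers into
  // "//host", so reject them before parsing.
  if (/[\u0000-\u001f\u007f\\]/.test(target)) return fallback;
  // A single leading slash only: rejects "https://host" and "//host".
  if (!target.startsWith('/') || target.startsWith('//')) return fallback;
  let url;
  try {
    url = new URL(target, BASE);
  } catch {
    return fallback;
  }
  // Second layer: the parsed URL must still resolve against our base origin.
  if (url.origin !== BASE) return fallback;
  return url.pathname + url.search + url.hash;
}

// Build the error redirect with query params placed before any hash fragment.
function buildErrorRedirect(target, reason) {
  const url = new URL(sanitizeRedirect(target), BASE);
  // Only fixed constants reach the URL, never a provider's error text.
  const code = SAFE_REASONS.has(reason) ? reason : 'unknown';
  url.searchParams.set('error', 'auth_failed');
  url.searchParams.set('reason', code);
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs.
const samples = [
  ['/app?tab=1#settings', 'token_exchange'],
  ['https://evil.example/x', '<html>500 Internal Server Error</html>'],
  ['//evil.example/x', 'token_exchange'],
  ['/\\evil.example', 'token_refresh'],
];
for (const [target, reason] of samples) {
  console.log(JSON.stringify(target), '->', buildErrorRedirect(target, reason));
}
```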