User authentication and session management for web applications

Reject duplicate COSE header labels and enforce crit (RFC 9052 §3)

Header.of_cbor now rejects maps with duplicate labels instead of
silently accepting them (first-wins). verify and verify_detached now
check the crit header: if present, all listed labels must be in the
understood set (alg, crit, content_type, kid) or verification fails.

+12 -3
test/test_auth.ml
··· 257 257 "email dropped (use /user/emails)" None u.email 258 258 259 259 let test_google_userinfo () = 260 + (* With email_verified: true — email is included *) 260 261 let body = 261 - {|{"sub":"118234567890","email":"user@gmail.com","name":"Test User","picture":"https://lh3.googleusercontent.com/photo.jpg"}|} 262 + {|{"sub":"118234567890","email":"user@gmail.com","email_verified":true,"name":"Test User","picture":"https://lh3.googleusercontent.com/photo.jpg"}|} 262 263 in 263 - match Oauth.parse_userinfo Google body with 264 + (match Oauth.parse_userinfo Google body with 264 265 | Error e -> Alcotest.fail e 265 266 | Ok u -> 266 267 Alcotest.(check string) "uid" "118234567890" u.uid; 267 268 Alcotest.(check (option string)) "email" (Some "user@gmail.com") u.email; 268 269 Alcotest.(check string) 269 - "avatar" "https://lh3.googleusercontent.com/photo.jpg" u.avatar_url 270 + "avatar" "https://lh3.googleusercontent.com/photo.jpg" u.avatar_url); 271 + (* Without email_verified — email is dropped *) 272 + let body_unverified = 273 + {|{"sub":"118234567890","email":"user@gmail.com","name":"Test User","picture":"https://lh3.googleusercontent.com/photo.jpg"}|} 274 + in 275 + match Oauth.parse_userinfo Google body_unverified with 276 + | Error e -> Alcotest.fail e 277 + | Ok u -> 278 + Alcotest.(check (option string)) "unverified email dropped" None u.email 270 279 271 280 let test_gitlab_userinfo () = 272 281 let body =
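Review bot: the new negative case only covers the path where `email_verified` is absent from the userinfo body; a body with `"email_verified":false` (the standard OIDC claim value for an unverified address) is not exercised, so an implementation that treats the mere presence of the key as "verified" would still pass this test. Add a third body with `"email_verified":false` and assert `None u.email` the same way as `body_unverified`. The check name on the positive case could also be made as descriptive as the new one, e.g. `"verified email kept"` instead of `"email"`. Separately, the commit title and message describe COSE header handling (`Header.of_cbor`, the `crit` check), while this hunk only changes the Google userinfo test in test_auth.ml; either the message should describe the `email_verified` behaviour this test pins down, or this hunk belongs in a separate commit.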