From 964fdb71d1f14bcde197f4b666dd5829f55e48cb Mon Sep 17 00:00:00 2001
From: Tink bot
Date: Tue, 26 May 2026 19:52:26 +0000
Subject: [PATCH] test(veans): cover OAuth callback handler error paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The e2e suite bypasses the OAuth flow via --token, so the callback
handler's error branches had zero coverage. Eight tests appended to
oauth_test.go drive the handler directly:

- happy path: code+state arrive on the channel; response is HTML
- authz-server error path: ?error=access_denied&error_description=…
  bubbles up as a non-nil err containing the description (not the code)
- only-code fallback: when error_description is missing, the error
  message falls back to the error code
- empty code: handler captures it; waitForCallback's job to reject
- non-GET method: 405 with Allow: GET, nothing pushed to channel
  (defense against forged POST from a same-origin page)
- wrong path: 404, nothing pushed
- HTML-escaping: an error containing renders as <script> — XSS
  regression guard
- nil-err success page: 200 with 'veans is authorized'

Plus generateState shape coverage (length, charset, uniqueness) to
match the existing TestGeneratePKCE_*.

Sanity-checked the XSS test by deleting the html.EscapeString call — it fails with raw `}) + + body := rec.Body.String() + if strings.Contains(body, "
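Review bot: the `strings.Contains(body, …)` check on `rec.Body.String()` in the HTML-escaping test is, as far as the visible lines show, a negative assertion only, so it would also pass if the handler wrote an empty body or dropped the error text altogether. Pair it with a positive assertion that the escaped form of the payload is present in the body, so the test fails both when the markup comes through unescaped and when the error message is missing from the page.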