Conversation
Member
appleboy
commented
Feb 22, 2026
- Ensure redirect URLs in authentication middleware are properly URL-encoded
- Add unit tests to verify URL encoding of redirect parameters during login, timeout, and fingerprint mismatch scenarios
Signed-off-by: appleboy <[email protected]>
Contributor
Pull request overview
This PR ensures authentication-related redirects (login, idle timeout, fingerprint mismatch) correctly URL-encode the “redirect” return URL, and adds unit tests to validate that complex querystrings survive round-tripping through the login redirect.
Changes:
- URL-encode redirect return URLs using url.QueryEscape in auth middleware redirects.
- Add unit tests covering redirect encoding for unauthenticated access, session idle timeout, and fingerprint mismatch cases.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/middleware/auth.go | Apply URL encoding to redirect query parameter in /login redirects. |
| internal/middleware/auth_test.go | Add tests asserting redirected redirect parameter preserves complex querystrings across scenarios. |
Comments suppressed due to low confidence (1)
internal/middleware/auth.go:52
RequireAuth dereferences userService unconditionally when a session is present (userService.GetUserByID(...)). Since this middleware can be called with a nil service (as in the added tests), an authenticated request would panic. Consider guarding the audit-load block with if userService != nil { ... } (or making the parameter non-optional via an interface/constructor) so the middleware is safe even when userService is nil.
```go
// Excerpt from internal/middleware/auth.go around line 52 (inside the
// RequireAuth handler); c is the *gin.Context for the current request.
if userID == nil {
	// Redirect to login with return URL; the whole original path+query is
	// escaped so its own '?', '&' and '=' cannot split the login URL's query.
	redirectURL := c.Request.URL.String()
	c.Redirect(http.StatusFound, "/login?redirect="+url.QueryEscape(redirectURL))
	c.Abort()
	return
}
c.Set("user_id", userID)
// Load user object for audit logging and other purposes
// (userService is dereferenced here without a nil check, as noted above)
user, err := userService.GetUserByID(userID.(string))
if err == nil {
	c.Set("user", user)
}
```
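The round trip the review describes (middleware escapes the return URL into the redirect parameter, the /login handler parses it back out), as an added, gin-free example that is not the project's own code. LoginRedirect mirrors the url.QueryEscape construction in the excerpt above; NaiveLoginRedirect is the unescaped concatenation it replaces, kept to show what the new tests are guarding against; SafeReturnPath is extra hardening for the consuming side that this PR does not include (the names and the sample request URL are assumptions made for the example):

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// LoginRedirect builds the Location value sent when no session is present:
// /login?redirect=<escaped original path+query>, as the middleware does.
func LoginRedirect(reqURL *url.URL) string {
	return "/login?redirect=" + url.QueryEscape(reqURL.String())
}

// NaiveLoginRedirect is the unescaped form; '&' and '=' inside the return
// URL then get parsed as parameters of the login URL itself.
func NaiveLoginRedirect(reqURL *url.URL) string {
	return "/login?redirect=" + reqURL.String()
}

// ReturnURL is the consuming side: parse the Location a browser would follow
// and pull the redirect parameter back out (Query() unescapes it).
func ReturnURL(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	return u.Query().Get("redirect"), nil
}

// RoundTrips reports whether the original request URL survives the encode
// step of build and the decode step of ReturnURL unchanged.
func RoundTrips(build func(*url.URL) string, rawRequestURL string) (bool, error) {
	reqURL, err := url.Parse(rawRequestURL)
	if err != nil {
		return false, err
	}
	got, err := ReturnURL(build(reqURL))
	if err != nil {
		return false, err
	}
	return got == reqURL.String(), nil
}

// SafeReturnPath is added hardening (not part of the PR): the /login handler
// should only honour a same-origin relative path, so scheme, host,
// protocol-relative "//host" and backslash tricks are all rejected.
func SafeReturnPath(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "" || u.Host != "" || !strings.HasPrefix(u.Path, "/") ||
		strings.HasPrefix(u.Path, "//") || strings.ContainsAny(u.Path, `\`) {
		return "", errors.New("redirect target must be a relative path")
	}
	return u.String(), nil
}

func main() {
	// Constructed request URL whose query carries '&', '=' and encoded bytes.
	const req = "/reports?q=a%20b&sort=desc&filter=x%3Dy"
	ok, _ := RoundTrips(LoginRedirect, req)
	bad, _ := RoundTrips(NaiveLoginRedirect, req)
	fmt.Println("escaped round-trips:", ok, "| unescaped round-trips:", bad)
	_, err := SafeReturnPath("//evil.example/x")
	fmt.Println("protocol-relative target rejected:", err != nil)
}
```

The unescaped form does not merely lose precision: Query() hands back only "/reports?q=a b" for redirect and treats sort and filter as parameters of /login, which is exactly the truncation the new unit tests assert cannot happen.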
- Add createTestUserService helper to set up a test UserService with an in-memory store, preventing nil pointer issues in tests
- Update TestRequireAuth_RedirectURLEncoded to use a real test UserService, ensuring middleware stability if code paths change
- Add additional imports necessary for the new helper function
Signed-off-by: appleboy <[email protected]>