andreas/heartbeat
Public Access
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases 44 Wiki Activity

fix: remove dead helper, add state logging, add integration-style oauth tests

Browse Source 
- Remove unused `_gitea_cfg_url` module-level helper from http.py
- Add logger.warning on invalid/expired state in oauth_gitea_callback
- Add test_callback_invalid_state_rejects and test_full_oauth_flow_chain to tests/test_oauth.py (21 tests total, all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Andreas Wrede
2026-05-08 13:53:57 -04:00
parent 940d0af35e
commit b06de6fdd3
2 changed files with 64 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hbd/server/http.py
+1 -4
View File
@@ -35,10 +35,6 @@ def _render_template(html_str: str, **context) -> str:
SESSION_COOKIE = "hbd_session"
def _gitea_cfg_url(config: dict) -> str:
return config.get("oauth", {}).get("gitea", {}).get("url", "")
def _get_token(request) -> str:
"""Extract session token from Bearer header, X-Auth-Token header, or cookie."""
auth = request.headers.get("Authorization", "")
@@ -935,6 +931,7 @@ async def start(
if not code or not state:
return web.Response(status=400, text="Missing code or state")
if not oauth_mod.validate_state(state):
logger.warning("OAuth: invalid or expired state token from %s", request.remote)
raise web.HTTPFound("/login?error=1")
redirect_uri = f"{request.url.origin()}/login/oauth/gitea/callback"
try: