forked from docker/cagent-action
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathbatched-verifier-security-2.json
More file actions
28 lines (28 loc) · 6.64 KB
/
batched-verifier-security-2.json
File metadata and controls
28 lines (28 loc) · 6.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{
"id": "1b195ab6-cbb9-46b6-9549-59ae89b68f65",
"title": "Batched verifier with security findings - single delegation call (run 2)",
"evals": {
"setup": "apk add --no-cache github-cli",
"relevance": [
"The agent ran 'echo $GITHUB_ACTIONS' before performing the review to detect the output mode",
"The agent output the review to the console as formatted markdown instead of posting via gh api",
"The drafter response is valid JSON containing a 'findings' array and a 'summary' field",
"At least one finding flags the missing redirect_uri validation as a security concern",
"The agent delegated all high and medium severity findings to the verifier in a single batch delegation, not multiple individual delegations",
"The verifier returned a JSON response with a 'verdicts' array containing one verdict per finding",
"The review assessment label is '🔴 CRITICAL' because there is at least one high-severity confirmed or likely finding"
]
},
"messages": [
{
"message": {
"agentName": "",
"message": {
"role": "user",
"content": "Review the following PR.\n\n## PR Information\n- **Title**: Add optional redirect URI to OAuth authorization flow\n- **Author**: jeanlaurent\n- **Branch**: custom-redirect-url → main\n- **Files Changed**: 6\n\n## PR Description\nAdds an optional redirect_uri field to GetAuthorizationURLRequest so callers can override the default OAuth callback URL. This allows apps to use custom URI schemes (e.g., myapp://auth/callback) for the OIDC login flow.\n\n### Changes\n- proto: Added optional redirect_uri field to GetAuthorizationURLRequest\n- auth/oidc: AuthorizationURL() accepts a redirectURI parameter, falls back to configured default when empty\n- auth/service: Reads redirect_uri from the request and passes it through\n- generated code: Regenerated Go and TypeScript protobuf files\n\n## Diff\n\nNote: Generated protobuf files (auth.pb.go, auth_pb.ts) are omitted — only hand-written code is shown.\n\n```diff\ndiff --git a/api/auth/v1/auth.proto b/api/auth/v1/auth.proto\nindex df6bf369..54dfc78a 100644\n--- a/api/auth/v1/auth.proto\n+++ b/api/auth/v1/auth.proto\n@@ -25,6 +25,11 @@ message GetAuthorizationURLRequest {\n // Optional state parameter for CSRF protection.\n // If not provided, the server will generate one.\n optional string state = 1;\n+\n+ // Optional redirect URI for the OAuth callback.\n+ // If not provided, the server will use the configured default redirect URI.\n+ // This allows mobile apps to use custom URI schemes (e.g., myapp://auth/callback).\n+ optional string redirect_uri = 2;\n }\n \n // GetAuthorizationURLResponse is the response message containing the authorization URL.\n@@ -53,6 +58,10 @@ message GetLogoutURLResponse {\n message ExchangeTokenRequest {\n // The authorization code received from the OIDC provider.\n string code = 1;\n+\n+ // Optional redirect URI that was used in the authorization request.\n+ // Must match the redirect_uri used in GetAuthorizationURL for the OAuth flow to succeed.\n+ optional string redirect_uri = 2;\n }\n \ndiff --git a/backend/internal/platformd/auth/oidc.go b/backend/internal/platformd/auth/oidc.go\nindex 0e14ad7e..c4c96499 100644\n--- a/backend/internal/platformd/auth/oidc.go\n+++ b/backend/internal/platformd/auth/oidc.go\n@@ -65,9 +65,14 @@ func NewOIDCClient(ctx context.Context, cfg *Config) (*OIDCClient, error) {\n }\n \n // AuthorizationURL builds the authorization URL for the OIDC login flow.\n-func (c *OIDCClient) AuthorizationURL(state string) string {\n+// If redirectURI is provided, it will be used instead of the configured default.\n+func (c *OIDCClient) AuthorizationURL(state string, redirectURI string) string {\n \tcfg := c.oauth2Config\n-\tcfg.RedirectURL = c.redirectURI\n+\tif redirectURI != \"\" {\n+\t\tcfg.RedirectURL = redirectURI\n+\t} else {\n+\t\tcfg.RedirectURL = c.redirectURI\n+\t}\n \treturn cfg.AuthCodeURL(state)\n }\n \n@@ -92,10 +97,16 @@ type TokenResponse struct {\n }\n \n // ExchangeCode exchanges an authorization code for tokens.\n-func (c *OIDCClient) ExchangeCode(ctx context.Context, code string) (*TokenResponse, error) {\n+// If redirectURI is provided, it will be used instead of the configured default.\n+// The redirect URI must match the one used in the authorization request.\n+func (c *OIDCClient) ExchangeCode(ctx context.Context, code string, redirectURI string) (*TokenResponse, error) {\n \t// Set the redirect URI for this specific exchange\n \tcfg := c.oauth2Config\n-\tcfg.RedirectURL = c.redirectURI\n+\tif redirectURI != \"\" {\n+\t\tcfg.RedirectURL = redirectURI\n+\t} else {\n+\t\tcfg.RedirectURL = c.redirectURI\n+\t}\n \n \ttoken, err := cfg.Exchange(ctx, code)\n \tif err != nil {\n\ndiff --git a/backend/internal/platformd/auth/oidc_test.go b/backend/internal/platformd/auth/oidc_test.go\nindex 6fb35ca4..55e2cca9 100644\n--- a/backend/internal/platformd/auth/oidc_test.go\n+++ b/backend/internal/platformd/auth/oidc_test.go\n@@ -75,7 +75,7 @@ func TestOIDCClient_AuthorizationURL(t *testing.T) {\n \n \tstate := \"random-state-123\"\n \n-\turl := client.AuthorizationURL(state)\n+\turl := client.AuthorizationURL(state, \"\")\n \n \t// Check that URL contains expected components\n \tif url == \"\" {\n\ndiff --git a/backend/internal/platformd/auth/service.go b/backend/internal/platformd/auth/service.go\nindex c2a95279..e3e355c9 100644\n--- a/backend/internal/platformd/auth/service.go\n+++ b/backend/internal/platformd/auth/service.go\n@@ -82,8 +82,11 @@ func (s *Service) GetAuthorizationURL(\n \t\t}\n \t}\n \n-\t// Build the authorization URL using the configured redirect URI\n-\tauthURL := s.oidcClient.AuthorizationURL(state)\n+\t// Get redirect URI from request, or use configured default\n+\tredirectURI := msg.GetRedirectUri()\n+\n+\t// Build the authorization URL\n+\tauthURL := s.oidcClient.AuthorizationURL(state, redirectURI)\n \n \treturn connect.NewResponse(&authv1.GetAuthorizationURLResponse{\n \t\tAuthorizationUrl: authURL,\n@@ -138,8 +141,11 @@ func (s *Service) ExchangeToken(\n \t\treturn nil, connect.NewError(connect.CodeInvalidArgument, ErrCodeRequired)\n \t}\n \n-\t// Exchange the code for Docker tokens using the configured redirect URI\n-\ttokenResp, err := s.oidcClient.ExchangeCode(ctx, code)\n+\t// Get redirect URI from request, or use configured default\n+\tredirectURI := msg.GetRedirectUri()\n+\n+\t// Exchange the code for Docker tokens\n+\ttokenResp, err := s.oidcClient.ExchangeCode(ctx, code, redirectURI)\n \tif err != nil {\n \t\tif errors.Is(err, ErrTokenExchange) {\n \t\t\treturn nil, connect.NewError(connect.CodeInvalidArgument, err)\n```",
"created_at": "2026-02-18T14:00:00-05:00"
}
}
}
]
}