📌 Description
internal/github/oauth.go builds the OAuth authorize URL (AuthorizeURL), joins scopes (joinScopes), and exchanges a code for a token (ExchangeCode), but has no test file. These functions sit on the login/signup critical path and are entirely uncovered.
💡 Why it matters: A malformed authorize URL or scope string silently breaks GitHub login; tests pin the exact query construction and error handling.
🧩 Requirements and context
- Test AuthorizeURL produces the expected client_id, redirect_uri, scope, and state query parameters.
- Test joinScopes joins with spaces and handles empty input.
- Test ExchangeCode against an httptest.Server for success and for a GitHub error body.
- Assert the 30s HTTP timeout path is respected (use a context deadline).
- Avoid network access; mock the token endpoint.
Non-functional requirements
- Must be secure, tested, and documented.
- Should be efficient and easy to review.
🛠️ Suggested execution
1. Fork the repo and create a branch
git checkout -b test/github-oauth
2. Implement changes
- Write/modify the relevant source: minor refactor of oauth.go to accept a base URL for testing if needed
- Write comprehensive tests: internal/github/oauth_test.go
- Add documentation: GoDoc on exported functions
- Include GoDoc comments clarifying scope handling
- Validate security assumptions: state must be present and non-empty in the URL
3. Test and commit
go test ./internal/github/...
- Cover edge cases: empty scopes, error response, malformed token body
- Include test output and security notes in the PR description.
Example commit message
test(github): cover OAuth authorize URL and code exchange
✅ Acceptance criteria
- AuthorizeURL query params asserted
- joinScopes empty/multi cases covered
- ExchangeCode success and error paths covered via httptest
🔒 Security notes
Tests confirm state is always included (CSRF defense) and that secrets are not logged during exchange.
📋 Guidelines
- Minimum 95% test coverage
- Clear documentation
- Timeframe: 96 hours
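The checks requested above could be built from helpers like the following. This is an added example, not code from the repository: the signatures of AuthorizeURL and ExchangeCode are not shown in the issue, so CheckAuthorizeURL and NewFakeTokenServer are hypothetical helpers that work on a raw URL string and a stand-in token endpoint, and the sample URL and token values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// CheckAuthorizeURL (hypothetical helper, not project code) verifies the query
// parameters the issue asks tests to pin, and rejects a missing or empty state.
func CheckAuthorizeURL(raw, clientID, redirectURI string, scopes []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	q := u.Query()
	if q.Get("state") == "" {
		return errors.New("state missing or empty (CSRF defense)")
	}
	want := map[string]string{"client_id": clientID, "redirect_uri": redirectURI, "scope": strings.Join(scopes, " ")}
	for k, v := range want {
		if got := q.Get(k); got != v {
			return fmt.Errorf("%s = %q, want %q", k, got, v)
		}
	}
	return nil
}

// NewFakeTokenServer (hypothetical) stands in for the token endpoint so tests need no
// network. GitHub reports a bad code as HTTP 200 with an "error" field in the JSON body.
func NewFakeTokenServer(validCode string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.FormValue("code") != validCode {
			fmt.Fprint(w, `{"error":"bad_verification_code"}`)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"bearer"}`)
	}))
}

func main() {
	// Constructed sample URL, not output of the project's AuthorizeURL.
	raw := "https://github.com/login/oauth/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=read%3Auser+user%3Aemail&state=n0nce"
	fmt.Println(CheckAuthorizeURL(raw, "abc", "https://app.example/cb", []string{"read:user", "user:email"}))
}
```

Because the fake server answers an invalid code with HTTP 200 and an error body, a test built on it fails if ExchangeCode only inspects the status code.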