Guards against the v1.2.4 bug (fixed in c32acd5) where Authenticate
held a.mux via defer for its full duration, then called
loadAndVerifyToken which also tries to acquire a.mux — deadlock on
every token auth request.
TestAuthenticateTokenNoDeadlock exercises both the bare-token
("", token) and named-username ("api", token) forms with a 1s
timeout, so a regression fails fast rather than hanging the suite.
Distinguishes the two validator constructors by signature:
- NewIDTokenValidator(iss, aud, azp []string) — allowlist semantics
- NewAccessTokenValidator(iss, aud []string, requiredScopes ...string) — requirement semantics
Variadic scopes read naturally at the call site:
NewAccessTokenValidator(issuers, audiences, "openid", "profile")
Three-state semantics preserved:
no args → scope not checked
[]string{}... → scope must be present (any value)
"openid", ... → scope must contain all listed values
Also removes the old gracePeriod parameter from both constructors
(was 0 at all call sites; set GracePeriod on the struct directly
if a non-default value is needed).
Adds TestCov_NewAccessTokenValidator_Scopes covering all three cases.
Default matrix (conservative, CGO_ENABLED=0):
goos: darwin freebsd js linux netbsd openbsd wasip1 windows
goarch: amd64 arm arm64 mips64le mipsle ppc64le riscv64 wasm
goarm: 6 7 (always included when arm is in goarch)
--almost-all widens to esoteric goos (aix dragonfly illumos plan9
solaris), adds 386/loong64/mips/mips64/ppc64/s390x to goarch, and
emits goamd64: v1 v2 v3 v4.
--ios generates an active iOS build entry (CGO_ENABLED=1, arm64)
instead of the default commented stub.
--android-ndk generates an active Android NDK build entry
(CGO_ENABLED=1, arm64) instead of the default commented stub.
Both --ios and --android-ndk are available on init and release.
The existing -A flag (include hidden dirs) is unchanged.
When a module has more than one binary, the shared build options (env,
ldflags, goos) are defined once via a YAML anchor on the first build and
merged into the rest with <<: *build_defaults. Single-binary modules use
plain fields with no anchor overhead.
- id: gsheet2csv - id: gsheet2csv
binary: gsheet2csv binary: gsheet2csv
env: → <<: &build_defaults
- CGO_ENABLED=0 env:
goos: - CGO_ENABLED=0
- aix goos:
- ... - aix
- id: gsheet2env - ...
binary: gsheet2env - id: gsheet2env
env: binary: gsheet2env
- CGO_ENABLED=0 <<: *build_defaults
goos: ...
The commented-out ios stubs follow the same pattern using a separate
build_defaults_ios anchor so they remain consistent when uncommented.
Also extracts defaultGoos to a package-level var to avoid repetition.
