Guards against the v1.2.4 bug (fixed in c32acd5) where Authenticate
held a.mux via defer for its full duration, then called
loadAndVerifyToken which also tries to acquire a.mux — deadlock on
every token auth request.
TestAuthenticateTokenNoDeadlock exercises both the bare-token
("", token) and named-username ("api", token) forms with a 1s
timeout, so a regression fails fast rather than hanging the suite.
Distinguishes the two validator constructors by signature:
- NewIDTokenValidator(iss, aud, azp []string) — allowlist semantics
- NewAccessTokenValidator(iss, aud []string, requiredScopes ...string) — requirement semantics
Variadic scopes read naturally at the call site:
NewAccessTokenValidator(issuers, audiences, "openid", "profile")
Three-state semantics preserved:
no args → scope not checked
[]string{}... → scope must be present (any value)
"openid", ... → scope must contain all listed values
Also removes the old gracePeriod parameter from both constructors
(was 0 at all call sites; set GracePeriod on the struct directly
if a non-default value is needed).
Adds TestCov_NewAccessTokenValidator_Scopes covering all three cases.
Default matrix (conservative, CGO_ENABLED=0):
goos: darwin freebsd js linux netbsd openbsd wasip1 windows
goarch: amd64 arm arm64 mips64le mipsle ppc64le riscv64 wasm
goarm: 6 7 (always included when arm is in goarch)
--almost-all widens to esoteric goos (aix dragonfly illumos plan9
solaris), adds 386/loong64/mips/mips64/ppc64/s390x to goarch, and
emits goamd64: v1 v2 v3 v4.
--ios generates an active iOS build entry (CGO_ENABLED=1, arm64)
instead of the default commented stub.
--android-ndk generates an active Android NDK build entry
(CGO_ENABLED=1, arm64) instead of the default commented stub.
Both --ios and --android-ndk are available on init and release.
The existing -A flag (include hidden dirs) is unchanged.
