During a documentation sweep triggered by PR #498 (consolidating tokenTTL into defaultDuration), I found documentation drift across README.md and docs/handler/index.md that incorrectly attributed HTTP 503 responses to MagicLinkHandler.Sender, EmailVerificationHandler.SendEmail, and PasswordResetHandler.SendResetEmail being nil.
What the docs incorrectly claimed
Three sections in README.md and the error-status table in docs/handler/index.md all described this behaviour:
When <sender field> is nil, <handler> returns HTTP 503 before any database write.
The README also listed 503 Service Unavailable rows in the error-response tables for all three handlers, and the index listed SendEmail, Sender, and SendResetEmail as examples of fields that trigger 503 at runtime.
What the code actually does
These are required fields caught by Validate() at startup — there are no runtime nil guards in the handler methods. The 503 runtime-nil-check pattern applies only to optional fields (PasskeyHandler.WebAuthn, OIDCHandler/OAuth2Handler LinkNonces) which have explicit guards.
The individual handler docs (docs/handler/magic-links.md, docs/handler/email-verification.md, docs/handler/password-reset.md) were already accurate — none listed a 503 row — making the README inconsistent with its own detailed docs.
Changes
README.md
Remove three 503 Service Unavailable rows from error tables for MagicLinkHandler, EmailVerificationHandler, and PasswordResetHandler
Replace nil-sender-→-503 prose with "caught by Validate() at startup"
Fix SendVerification note: "beyond the 400 case" (was "beyond the 400 and 503 cases")
docs/handler/index.md
Update the 503 row to name only fields with actual runtime nil guards (WebAuthn in PasskeyHandler, LinkNonces in OIDCHandler/OAuth2Handler)
Verification
No behaviour changes. Corrected docs align with Validate() implementations and existing handler tests.
Warning
Protected Files — Push Permission Denied
This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
Protected files
README.md
The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.
Create the pull request manually
# Download the patch from the workflow run
gh run download 27235257596 -n agent -D /tmp/agent-27235257596
# Create a new branch
git checkout -b docs/fix-503-sender-claims-498-bbf0e5d20cdacd31 main
# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-27235257596/aw-docs-fix-503-sender-claims-498.patch
# Push the branch and create the pull request
git push origin docs/fix-503-sender-claims-498-bbf0e5d20cdacd31
gh pr create --title 'docs: remove inaccurate 503 claims for required sender fields' --base main --head docs/fix-503-sender-claims-498-bbf0e5d20cdacd31 --repo amalgamated-tools/goauth
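The distinction the issue draws, as an added example that is not part of the original issue and is not goauth code: a required field is rejected once by Validate() at startup, so its handler has no 503 path, while an optional field is nil-checked per request and answers 503. `DemoHandler`, its methods, the `status` helper, the request paths and the 202/200 success codes are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// DemoHandler is a hypothetical stand-in, not a goauth type.
type DemoHandler struct {
	Sender   func(to string) // required: checked once by Validate()
	WebAuthn func() error    // optional: nil-guarded on every request
}

// Validate fails fast at startup when a required field is missing.
func (h *DemoHandler) Validate() error {
	if h.Sender == nil {
		return errors.New("DemoHandler: Sender is required")
	}
	return nil
}

// SendLink has no nil guard and therefore no 503 path; it relies on
// Validate() having rejected a nil Sender before the server started.
func (h *DemoHandler) SendLink(w http.ResponseWriter, r *http.Request) {
	h.Sender(r.URL.Query().Get("to"))
	w.WriteHeader(http.StatusAccepted) // assumed success code
}

// Passkey guards its optional dependency at runtime and answers 503 when unset.
func (h *DemoHandler) Passkey(w http.ResponseWriter, r *http.Request) {
	if h.WebAuthn == nil {
		http.Error(w, "passkeys not configured", http.StatusServiceUnavailable)
		return
	}
	w.WriteHeader(http.StatusOK) // assumed success code
}

// status runs one handler method against a constructed request.
func status(fn http.HandlerFunc, target string) int {
	rec := httptest.NewRecorder()
	fn(rec, httptest.NewRequest(http.MethodPost, target, nil))
	return rec.Code
}

func main() {
	fmt.Println((&DemoHandler{}).Validate())
	h := &DemoHandler{Sender: func(string) {}}
	fmt.Println(h.Validate(), status(h.SendLink, "/link?to=a@example.test"), status(h.Passkey, "/passkey"))
}
```

A table-driven test of this shape, run against the real handlers, is one way to keep documented error-status tables from drifting away from the code.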