1 Comment
Delta Clipper Fan

Comment on the [cloudflare/workers-oauth-provider] quote: another HN comment mentioned that it had a CVE (https://nvd.nist.gov/vuln/detail/cve-2025-4143), with perhaps interesting commentary:

Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it's not that he didn't know what he was doing, it's that he knew what he was doing but flubbed it.

Possibly this is just a danger of speed, maybe overconfidence due to LLM usage?

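To make the quoted mistake concrete, here is a worked illustration of the redirect URI check an authorization endpoint has to perform. It is an added example, not code from cloudflare/workers-oauth-provider and not a reconstruction of the CVE's actual patch; the in-memory client registry, the handler shape, the placeholder code issuance and the "unchecked" variant are all constructed for the demo. The check follows RFC 6749 §3.1.2.3 and the OAuth 2.0 Security BCP: exact string comparison against the registered list, with the `redirect_uri` parameter allowed to be omitted only when exactly one URI is registered.

```javascript
// Added example: redirect_uri validation at an OAuth authorization endpoint.
// Not the project's code. Registry, handler and sample data are constructed.

// Hypothetical client registry; a real provider loads this from storage.
const CLIENTS = new Map([
  ["client-abc", { redirectUris: ["https://app.example/cb", "https://app.example/cb2"] }],
  ["client-single", { redirectUris: ["https://one.example/callback"] }],
]);

// Correct check: exact string comparison against the registered list.
// No prefix match, no host-only match, no normalisation (RFC 6749 §3.1.2.3).
// Returns { ok: true, redirectUri } or { ok: false, error }.
function resolveRedirectUri(clientId, requestedUri) {
  const client = CLIENTS.get(clientId);
  if (!client) return { ok: false, error: "unknown_client" };
  const registered = client.redirectUris;

  if (requestedUri === undefined || requestedUri === null || requestedUri === "") {
    // Omission is only acceptable when the choice is unambiguous.
    if (registered.length === 1) return { ok: true, redirectUri: registered[0] };
    return { ok: false, error: "redirect_uri_required" };
  }
  if (!registered.includes(requestedUri)) {
    return { ok: false, error: "invalid_redirect_uri" };
  }
  return { ok: true, redirectUri: requestedUri };
}

// The flawed shape the comment describes: the registry is consulted for the
// client, but whatever redirect_uri the request supplies is trusted as-is.
// This is a constructed illustration, not the library's actual pre-fix code.
function resolveRedirectUriUnchecked(clientId, requestedUri) {
  const client = CLIENTS.get(clientId);
  if (!client) return { ok: false, error: "unknown_client" };
  const uri = requestedUri !== undefined && requestedUri !== null && requestedUri !== ""
    ? requestedUri
    : client.redirectUris[0];
  return { ok: true, redirectUri: uri };
}

// Simulated authorization endpoint after the user has consented.
// A failed redirect_uri check must NOT redirect to the supplied URI: respond
// with an error page instead, otherwise the code (or the error) goes to the
// attacker-controlled location. `code` is a placeholder for real issuance.
function handleAuthorize(params, resolver, code = "demo-code") {
  const r = resolver(params.client_id, params.redirect_uri);
  if (!r.ok) return { status: 400, body: r.error };
  const url = new URL(r.redirectUri);
  url.searchParams.set("code", code);
  if (params.state) url.searchParams.set("state", params.state);
  return { status: 302, location: url.toString() };
}

// Near-miss inputs that a sloppy (prefix, host or normalised) comparison might
// accept; exact matching rejects every one of them.
const NEAR_MISSES = [
  "https://app.example/cb/../evil",
  "https://app.example/cb?next=https://attacker.example",
  "https://app.example.attacker.example/cb",
  "HTTPS://app.example/cb",
  "https://app.example/cb#",
  "https://attacker.example/steal",
];

function nearMissesRejected(clientId) {
  return NEAR_MISSES.every(
    (u) => resolveRedirectUri(clientId, u).error === "invalid_redirect_uri",
  );
}

// Side-by-side: the same attacker request against both resolvers.
function demo() {
  const attack = {
    client_id: "client-abc",
    redirect_uri: "https://attacker.example/steal",
    state: "xyz",
  };
  return {
    unchecked: handleAuthorize(attack, resolveRedirectUriUnchecked),
    checked: handleAuthorize(attack, resolveRedirectUri),
  };
}
```

The point to notice is that the difference between the two resolvers is one `includes` call; everything around it (loading the client, issuing the code, building the redirect) is identical, which is exactly why the omission is easy to make and hard to spot in review. A second thing worth checking in any provider is the error path in `handleAuthorize`: validating the URI but then redirecting the error to it undoes the check.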