Comment by parliament32
6 hours ago
The learning is "they lied". After all, apart from marketing materials making a claim, where is the evidence?
6 hours ago
The learning is "they lied". After all, apart from marketing materials making a claim, where is the evidence?
Wait, we think they’re lying because an advisory was eventually found? We think that should be impossible with people involved?
Reading the necessary RFC is table stakes. Instead we got this:
>"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!"
>"haha gpus go brrr"
(Those lines remain in the readme, even now: https://github.com/cloudflare/workers-oauth-provider?tab=rea...)
To me it's likely, given the extremely rudimentary nature of that issue.
If you're asking in good faith,
> Every line was thoroughly reviewed and cross-referenced with relevant RFCs
The issue in the CVE comes from direct contradiction of the RFC. The RFC says you MUST check redirect uris (and, as anyone who's ever worked with oauth knows, all the functionality around redirect uris is a staple of how oauth works in the first place -- this isn't some obscure edge case). They didn't make a mistake, they simply did not implement this part of the spec.
When they said every line was "thoroughly reviewed" and "cross referenced", yes, they lied.
I mean, you can't review or cross reference something that isn't there... So interpreting in good faith, technically, maybe they just forgot to also check for completeness? /s