fix(security): prevent Windows command injection and improve RFC 7009 compliance

- Use rundll32 instead of cmd /c start to prevent shell metacharacter injection in URLs on Windows
- Replace panic with fmt.Fprintf + os.Exit(1) for consistent error handling in loadConfig
- Write token save warning to stderr instead of stdout in refreshAccessToken
- Add token_type_hint parameter to revocation requests per RFC 7009

Author: appleboy

auth.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 
 	retry "github.com/appleboy/go-httpretry"
 	"github.com/go-authgate/cli/tui"
@@ -94,7 +95,7 @@ func refreshAccessToken(
 	}
 
 	if err := cfg.Store.Save(cfg.ClientID, *storage); err != nil {
-		fmt.Printf("Warning: Failed to save refreshed tokens: %v\n", err)
+		fmt.Fprintf(os.Stderr, "Warning: Failed to save refreshed tokens: %v\n", err)
 	}
 	return storage, nil
 }

browser.go

@@ -17,7 +17,7 @@ func openBrowser(ctx context.Context, url string) error {
 	case "darwin":
 		cmd = exec.CommandContext(ctx, "open", url)
 	case "windows":
-		cmd = exec.CommandContext(ctx, "cmd", "/c", "start", url)
+		cmd = exec.CommandContext(ctx, "rundll32", "url.dll,FileProtocolHandler", url)
 	default:
 		cmd = exec.CommandContext(ctx, "xdg-open", url)
 	}

config.go

@@ -236,7 +236,8 @@ func loadConfig() *AppConfig {
 	var err error
 	cfg.RetryClient, err = retry.NewBackgroundClient(retry.WithHTTPClient(baseHTTPClient))
 	if err != nil {
-		panic(fmt.Sprintf("failed to create retry client: %v", err))
+		fmt.Fprintf(os.Stderr, "Error: failed to create HTTP client: %v\n", err)
+		os.Exit(1)
 	}
 
 	// Resolve timeout configuration.

token_cmd.go

@@ -172,7 +172,14 @@ func revokeTokenOnServer(
 
 	if tok.RefreshToken != "" {
 		wg.Go(func() {
-			if err := doRevoke(ctx, cfg, revokeURL, tok.RefreshToken, timeout); err != nil {
+			if err := doRevoke(
+				ctx,
+				cfg,
+				revokeURL,
+				tok.RefreshToken,
+				"refresh_token",
+				timeout,
+			); err != nil {
 				mu.Lock()
 				refreshErr = err
 				mu.Unlock()
@@ -182,7 +189,14 @@ func revokeTokenOnServer(
 
 	if tok.AccessToken != "" {
 		wg.Go(func() {
-			if err := doRevoke(ctx, cfg, revokeURL, tok.AccessToken, timeout); err != nil {
+			if err := doRevoke(
+				ctx,
+				cfg,
+				revokeURL,
+				tok.AccessToken,
+				"access_token",
+				timeout,
+			); err != nil {
 				mu.Lock()
 				accessErr = err
 				mu.Unlock()
@@ -213,14 +227,16 @@ func doRevoke(
 	cfg *AppConfig,
 	revokeURL string,
 	token string,
+	tokenTypeHint string,
 	timeout time.Duration,
 ) error {
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
 	data := url.Values{
-		"token":     {token},
-		"client_id": {cfg.ClientID},
+		"token":           {token},
+		"token_type_hint": {tokenTypeHint},
+		"client_id":       {cfg.ClientID},
 	}
 	if !cfg.IsPublicClient() {
 		data.Set("client_secret", cfg.ClientSecret)