Harden OAuth and session handling #4

Open
ragokan wants to merge 4 commits into thecodearcher:master from ragokan:fix-auth-hardening

Conversation

ragokan commented Jun 2, 2026

Summary

  • verify OpenID Connect ID tokens before mapping profile claims for Google, Apple, LinkedIn, Microsoft, Twitch, and generic providers
  • handle Microsoft shared-tenant issuer discovery safely, and only mark Microsoft email verified when email_verified or verified email arrays prove it
  • reject OAuth profiles with unverified provider emails and prevent implicit linking into local accounts whose email is still unverified
  • align non-OIDC email verification with provider proof: GitHub /user/emails, Discord verified, Facebook/Spotify unverified by default
  • harden default IP/origin handling, refresh-token reuse paths, GORM empty mutations, and unchecked crypto random reads

Verification notes

Tests

  • for d in $(find . -name go.mod -not -path './examples/*' -exec dirname {} \; | sort); do (cd "$d" && go test -race -count=1 ./...); done
  • golangci-lint run --new-from-rev upstream/master ./...
  • golangci-lint run ./... passes in changed provider modules: oauth-microsoft, oauth-generic, oauth-github, oauth-discord, oauth-facebook, oauth-spotify
  • root golangci-lint run ./... still reports existing goconst and cookie gosec baseline warnings present on upstream master
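Added example, not code from Limen or from this PR: a Go sketch of the linking policy the summary describes (reject profiles whose provider e-mail is unproven, never implicitly link into a local account whose own e-mail is unverified, derive the Microsoft/GitHub/Discord/Facebook/Spotify verified flag only from provider proof, and fail closed on a crypto random read error). The type names, the `verified_emails` key, and the `emails` entry shape are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ProviderProfile is the normalized OAuth/OIDC callback result (hypothetical type); EmailVerified must come from provider proof.
type ProviderProfile struct {
	Provider      string
	Email         string
	EmailVerified bool
}

// LocalAccount is the existing user record looked up by the provider e-mail, if any (hypothetical type).
type LocalAccount struct {
	Email         string
	EmailVerified bool
}

// LinkDecision is the outcome of the linking policy.
type LinkDecision int

const (
	Deny         LinkDecision = iota // refuse sign-in / linking
	LinkExisting                     // attach the provider identity to the local account
	CreateNew                        // no local account with that e-mail; create one
)

var (
	ErrUnverifiedProviderEmail = errors.New("provider did not prove ownership of the e-mail")
	ErrUnverifiedLocalEmail    = errors.New("local account e-mail is unverified; refusing implicit link")
)

// ProviderEmailVerified derives the verified flag from raw provider data per the PR summary; claim/field names are assumptions.
func ProviderEmailVerified(provider, email string, raw map[string]any) bool {
	switch provider {
	case "google", "apple", "linkedin", "twitch", "generic":
		v, _ := raw["email_verified"].(bool) // standard OIDC claim, read from the verified ID token
		return v
	case "microsoft":
		if v, _ := raw["email_verified"].(bool); v {
			return true
		}
		// Shared-tenant issuers may omit email_verified: accept only an explicit verified-e-mail array containing this address.
		arr, _ := raw["verified_emails"].([]string)
		for _, e := range arr {
			if strings.EqualFold(e, email) {
				return true
			}
		}
		return false
	case "github":
		// Entries from GET /user/emails, modelled here as {email, verified, primary} (constructed shape).
		entries, _ := raw["emails"].([]map[string]any)
		for _, e := range entries {
			addr, _ := e["email"].(string)
			ver, _ := e["verified"].(bool)
			if ver && strings.EqualFold(addr, email) {
				return true
			}
		}
		return false
	case "discord":
		v, _ := raw["verified"].(bool)
		return v
	default:
		return false // Facebook, Spotify and unknown providers give no proof
	}
}

// DecideLink rejects unproven provider e-mails and never implicitly links into a local account whose e-mail is unverified.
func DecideLink(p ProviderProfile, local *LocalAccount) (LinkDecision, error) {
	if p.Email == "" || !p.EmailVerified {
		return Deny, ErrUnverifiedProviderEmail
	}
	if local == nil {
		return CreateNew, nil
	}
	if !local.EmailVerified {
		// The local address was never proven; linking would hand one party the other's account.
		return Deny, ErrUnverifiedLocalEmail
	}
	return LinkExisting, nil
}

// NewOpaqueToken returns n random bytes base64url-encoded, failing closed on a random-source error or short read.
func NewOpaqueToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", fmt.Errorf("crypto random read failed: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}
```

The two checks in DecideLink are deliberately separate: the first protects the provider side (an attacker who controls an unverified address at the provider must not log in as the local owner of that address), the second protects the local side (someone who registered an address locally without confirming it must not absorb the provider user's account on first OAuth login).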

ragokan force-pushed the fix-auth-hardening branch from 4478b0f to 3633bf8 on June 2, 2026 09:46

ragokan (Author) commented Jun 2, 2026

Hey, I really like where this package is headed. I came from the Node world using Better Auth and was looking for something similar in Go, so Limen felt like the kind of lightweight auth package I wanted to use.

While trying it out, I ran into a few small OAuth/OIDC edge cases around ID-token verification, email verification, and account linking. They are not huge issues, but they matter for production auth flows, so I wanted to send a patch instead of just leaving notes.

I tried to keep the changes focused and added tests around the risky paths. Happy to adjust anything to better fit the project’s direction.

thecodearcher (Owner) commented

Hey @ragokan, thanks for opening this PR. I appreciate you taking the time to contribute to Limen.

I’ll take a proper look at it later and leave any feedback or questions directly on the PR.
