mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-07-17 07:12:34 -05:00
Login asserts the token, the HttpOnly refresh cookie, the no-store header and the credential/TOTP gates. Logout asserts the session is deleted and the cookie cleared. OIDC coverage is the registrar gate (404 when disabled, public route when enabled) — the full provider flow needs a live OIDC server, as the existing openid package tests show.