
fix: close base64 encoder in DelegatedState.EncodeAsUrlParam #136

Merged
flemzord merged 1 commit into main from fuzz/fixes-20260327
May 11, 2026

@flemzord flemzord commented Mar 27, 2026

Summary

  • Fix: DelegatedState.EncodeAsUrlParam() was not calling Close() on the base64.NewEncoder, which caused the final buffered bytes to be silently dropped. This produced truncated base64 output that could not be decoded back, breaking the encode/decode round-trip.
  • Fuzz test: Added FuzzDecodeDelegatedState which tests round-trip consistency (encode → decode → encode → decode) and discovered this bug within 3 seconds of fuzzing.

Root cause

base64.NewEncoder returns an io.WriteCloser that buffers data internally in 3-byte blocks. Close() must be called to flush any remaining 1-2 bytes with proper padding. The original code wrote JSON through the encoder but never closed it, losing trailing bytes.

Test plan

  • Fuzz test FuzzDecodeDelegatedState passes (120s, 3M+ executions, no failures)
  • Previously-failing corpus entry c71785f735fef5ee now passes
  • golangci-lint passes with 0 issues
  • All existing tests pass (go test -race ./pkg/...)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved error handling when encoding delegated authentication state to ensure encoder closure failures are detected and reported alongside encoding errors.
  • Tests

    • Added a fuzz test suite to validate encode/decode roundtrips for delegated authentication state, seeded with normal and edge-case inputs to catch decoding regressions and ensure consistent behavior.
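
The failure mode described under "Root cause", as an added Go example that is not part of this PR or the project's code. The `state` type, its field, the `encode` and `roundTrip` helpers and the choice of `base64.URLEncoding` are assumptions made for illustration; the inputs are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// state is a hypothetical stand-in for DelegatedState (field name assumed).
type state struct{ AuthRequestID string }

// encode streams JSON through a base64 encoder. With closeEncoder=false it
// reproduces the bug: the last len%3 input bytes stay in the encoder's
// internal buffer and never reach the output.
func encode(s state, closeEncoder bool) (string, error) {
	var buf bytes.Buffer
	enc := base64.NewEncoder(base64.URLEncoding, &buf) // encoding is an assumption
	if err := json.NewEncoder(enc).Encode(s); err != nil {
		return "", err
	}
	if closeEncoder {
		if err := enc.Close(); err != nil { // flushes the partial block with padding
			return "", err
		}
	}
	return buf.String(), nil
}

// roundTrip reports whether the encoded parameter decodes back to s.
func roundTrip(s state, closeEncoder bool) bool {
	param, err := encode(s, closeEncoder)
	if err != nil {
		return false
	}
	var got state
	r := base64.NewDecoder(base64.URLEncoding, bytes.NewBufferString(param))
	if err := json.NewDecoder(r).Decode(&got); err != nil {
		return false
	}
	return got == s
}

func main() {
	// json.Encoder appends '\n', so these give 22, 23 and 24 input bytes.
	for _, id := range []string{"a", "ab", "abc"} {
		s := state{AuthRequestID: id}
		fmt.Printf("id=%q closed=%v unclosed=%v\n", id, roundTrip(s, true), roundTrip(s, false))
	}
}
```

In this sketch only the 23-byte payload fails without `Close()`: one leftover byte is just the trailing newline, two leftover bytes take the closing `}` with them, and a length divisible by 3 leaves nothing buffered. That length dependence is why a fixed-input unit test can pass while a fuzzer finds the break.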

coderabbitai Bot commented Mar 27, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between d1bf0a3 and abd5877.

📒 Files selected for processing (3)
  • pkg/delegatedauth/state.go
  • pkg/delegatedauth/state_fuzz_test.go
  • pkg/delegatedauth/testdata/fuzz/FuzzDecodeDelegatedState/c71785f735fef5ee

Walkthrough

EncodeAsUrlParam() now creates a local base64 encoder, uses json.NewEncoder(encoder).Encode(s), and explicitly calls and checks encoder.Close(). A new fuzz test FuzzDecodeDelegatedState plus a fuzz corpus seed file were added to exercise DecodeDelegatedState and round-trip encode/decode behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Encoder change: pkg/delegatedauth/state.go | Refactored EncodeAsUrlParam() to assign the base64 encoder to a local variable, use json.NewEncoder(encoder).Encode(s), and explicitly call/check encoder.Close() (added panic on Close error). |
| Fuzz tests & corpus: pkg/delegatedauth/state_fuzz_test.go, pkg/delegatedauth/testdata/fuzz/FuzzDecodeDelegatedState/c71785f735fef5ee | Added FuzzDecodeDelegatedState fuzz entry that seeds multiple inputs (including valid encoded states and edge-case strings), performs decode → re-encode → decode round-trip checks, and includes a seed corpus file. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main fix in the changeset: closing the base64 encoder in DelegatedState.EncodeAsUrlParam, which is the core bug being fixed. |


@flemzord flemzord force-pushed the fuzz/fixes-20260327 branch from c482e38 to d1bf0a3 Compare March 27, 2026 15:13
@flemzord flemzord requested a review from a team May 8, 2026 11:30
…nt data loss

The base64.NewEncoder requires Close() to flush any remaining buffered
bytes with proper padding. Without it, the final 1-2 bytes of the JSON
payload could be silently dropped, producing truncated base64 that fails
to decode — breaking the encode/decode round-trip.

Found via fuzz testing with FuzzDecodeDelegatedState.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@flemzord flemzord enabled auto-merge (squash) May 8, 2026 11:31
@flemzord flemzord force-pushed the fuzz/fixes-20260327 branch from d1bf0a3 to abd5877 Compare May 8, 2026 11:31
@flemzord flemzord merged commit 3806a8b into main May 11, 2026
6 checks passed
@flemzord flemzord deleted the fuzz/fixes-20260327 branch May 11, 2026 08:09