dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Remember that we concented.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2025-10-24 17:01:03 +11:00
parent d6c24e50df
commit 0af3dbefed
8 changed files with 136 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/models/application.rb
View File

@@ -5,6 +5,7 @@ class Application < ApplicationRecord
has_many :allowed_groups, through: :application_groups, source: :group
has_many :oidc_authorization_codes, dependent: :destroy
has_many :oidc_access_tokens, dependent: :destroy
has_many :oidc_user_consents, dependent: :destroy
has_many :application_roles, dependent: :destroy
has_many :user_role_assignments, through: :application_roles

34
app/models/oidc_user_consent.rb Normal file
View File

@@ -0,0 +1,34 @@
class OidcUserConsent < ApplicationRecord
belongs_to :user
belongs_to :application
validates :user, :application, :scopes_granted, :granted_at, presence: true
validates :user_id, uniqueness: { scope: :application_id }
before_validation :set_granted_at, on: :create
# Parse scopes_granted into an array
def scopes
scopes_granted.split(' ')
end
# Set scopes from an array
def scopes=(scope_array)
self.scopes_granted = Array(scope_array).uniq.join(' ')
end
# Check if this consent covers the requested scopes
def covers_scopes?(requested_scopes)
requested = Array(requested_scopes).map(&:to_s)
granted = scopes
# All requested scopes must be included in granted scopes
(requested - granted).empty?
end
private
def set_granted_at
self.granted_at ||= Time.current
end
end

7
app/models/user.rb
View File

@@ -5,6 +5,7 @@ class User < ApplicationRecord
has_many :groups, through: :user_groups
has_many :user_role_assignments, dependent: :destroy
has_many :application_roles, through: :user_role_assignments
has_many :oidc_user_consents, dependent: :destroy
# Token generation for passwordless flows
generates_token_for :invitation, expires_in: 7.days
@@ -73,6 +74,12 @@ class User < ApplicationRecord
JSON.parse(backup_codes)
end
def has_oidc_consent?(application, requested_scopes)
oidc_user_consents
.where(application: application)
.find { |consent| consent.covers_scopes?(requested_scopes) }
end
private
def generate_backup_codes