Harden OIDC, add SVG sanitization, improve form UX and security defaults

Remove PKCE plain method support (S256 only), enforce openid scope requirement, filter to supported scopes, strip reserved claims from custom claims as defense-in-depth, sanitize SVG icons with Loofah, add global input padding, switch session cookies to SameSite=Lax, use Session.active scope, and remove unsafe-eval from CSP. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 21:06:51 +10:00
parent c7d9df48b5
commit 2235924f37
11 changed files with 94 additions and 73 deletions
--- a/test/models/pkce_authorization_code_test.rb
+++ b/test/models/pkce_authorization_code_test.rb
@@ -38,23 +38,18 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
    assert auth_code.uses_pkce?
  end

-  test "authorization code can store PKCE challenge with plain method" do
-    code_challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
-    code_challenge_method = "plain"
-
-    auth_code = OidcAuthorizationCode.create!(
-      application: @application,
-      user: @user,
-      redirect_uri: "http://localhost:4000/callback",
-      scope: "openid profile",
-      code_challenge: code_challenge,
-      code_challenge_method: code_challenge_method,
-      expires_at: 10.minutes.from_now
-    )
-
-    assert_equal code_challenge, auth_code.code_challenge
-    assert_equal code_challenge_method, auth_code.code_challenge_method
-    assert auth_code.uses_pkce?
+  test "authorization code rejects plain PKCE method" do
+    assert_raises(ActiveRecord::RecordInvalid) do
+      OidcAuthorizationCode.create!(
+        application: @application,
+        user: @user,
+        redirect_uri: "http://localhost:4000/callback",
+        scope: "openid profile",
+        code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
+        code_challenge_method: "plain",
+        expires_at: 10.minutes.from_now
+      )
+    end
  end

  test "authorization code works without PKCE (backward compatibility)" do