Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10 days for example.

Dan Milne
2026-01-05 12:03:01 +11:00
parent e631f606e7
commit 25e1043312
10 changed files with 148 additions and 32 deletions


@@ -279,7 +279,7 @@ module Api
rd: evil_url # Ensure the rd parameter is preserved in login
}
assert_response 302
assert_response 303
# Should NOT redirect to evil URL after successful authentication
refute_match evil_url, response.location, "Should not redirect to evil URL after authentication"
# Should redirect to the legitimate URL (not the evil one)
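Review bot: the changed assertion `assert_response 303` matches the commit's switch from 302 to 303 for the post-login redirect, but the test would read more clearly (and survive a later change of numeric code) as `assert_response :see_other`; the `refute_match evil_url, response.location` check that follows still relies on the preceding status assertion to guarantee `response.location` is set, so keep the two in this order.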