Bug fix for domain names with empty string instead of null. Form errors and some security fixes

app/controllers/application_controller.rb

@@ -5,4 +5,7 @@ class ApplicationController < ActionController::Base
 
   # Changes to the importmap will invalidate the etag for HTML responses
   stale_when_importmap_changes
+
+  # CSRF protection
+  protect_from_forgery with: :exception
 end

app/controllers/oidc_controller.rb

@@ -408,9 +408,7 @@ class OidcController < ApplicationController
                         when "plain"
                           code_verifier
                         when "S256"
-                          Digest::SHA256.base64digest(code_verifier)
-                            .tr("+/", "-_")
-                            .tr("=", "")
+                          Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
                         else
                           return {
                             valid: false,