Bug fix for domain names with empty string instead of null. Form errors and some security fixes

2025-11-09 12:22:41 +11:00
parent d9f11abbbf
commit 4df2eee4d9
6 changed files with 28 additions and 7 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -5,4 +5,7 @@ class ApplicationController < ActionController::Base

  # Changes to the importmap will invalidate the etag for HTML responses
  stale_when_importmap_changes
+
+  # CSRF protection
+  protect_from_forgery with: :exception
 end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -408,9 +408,7 @@ class OidcController < ApplicationController
                        when "plain"
                          code_verifier
                        when "S256"
-                          Digest::SHA256.base64digest(code_verifier)
-                            .tr("+/", "-_")
-                            .tr("=", "")
+                          Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
                        else
                          return {
                            valid: false,
--- a/app/models/application.rb
+++ b/app/models/application.rb
@@ -18,7 +18,10 @@ class Application < ApplicationRecord
  validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }

  normalizes :slug, with: ->(slug) { slug.strip.downcase }
-  normalizes :domain_pattern, with: ->(pattern) { pattern&.strip&.downcase }
+  normalizes :domain_pattern, with: ->(pattern) {
+    normalized = pattern&.strip&.downcase
+    normalized.blank? ? nil : normalized
+  }

  before_validation :generate_client_credentials, on: :create, if: :oidc?

--- a/app/views/shared/_form_errors.html.erb
+++ b/app/views/shared/_form_errors.html.erb
@@ -1,5 +1,5 @@
-<%# Usage: <%= render "shared/form_errors", object: @user %> %>
-<%# Usage: <%= render "shared/form_errors", form: form %> %>
+<%# Usage: render "shared/form_errors", object: @user %>
+<%# Usage: render "shared/form_errors", form: form %>

 <% form_object = form.respond_to?(:object) ? form.object : (object || form) %>
 <% if form_object&.errors&.any? %>
--- a/db/migrate/20251109011443_fix_empty_domain_patterns.rb
+++ b/db/migrate/20251109011443_fix_empty_domain_patterns.rb
@@ -0,0 +1,17 @@
+class FixEmptyDomainPatterns < ActiveRecord::Migration[8.1]
+  def up
+    # Convert empty string domain_patterns to NULL
+    # This fixes a unique constraint issue where multiple OIDC apps
+    # had empty string domain_patterns, causing uniqueness violations
+    execute <<-SQL
+      UPDATE applications
+      SET domain_pattern = NULL
+      WHERE domain_pattern = ''
+    SQL
+  end
+
+  def down
+    # No need to reverse this - empty strings and NULL are functionally equivalent
+    # for OIDC applications where domain_pattern is not used
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[8.1].define(version: 2025_11_08_090123) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_09_011443) do
  create_table "application_groups", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false