dkam/clinch
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation

Browse Source
This commit is contained in:
Dan Milne
2025-12-31 10:33:56 +11:00
parent cc7beba9de
commit bb5aa2e6d6
7 changed files with 56 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
config/initializers/token_hmac.rb
View File

@@ -1,6 +1,7 @@
# Token HMAC key derivation
# This key is used to compute HMAC-based token prefixes for fast lookup
# Derived from SECRET_KEY_BASE - no storage needed, deterministic output
# Optional: Set OIDC_TOKEN_PREFIX_HMAC env var to override with explicit key
module TokenHmac
KEY = Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
KEY = ENV['OIDC_TOKEN_PREFIX_HMAC'] || Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
end