Dan Milne
2d5650e620
Bind forward-auth fa_token to its destination host
...
An observed fa_token (via Referer leaks, access logs, JS monitors)
could previously be redeemed against a different reverse-proxied app
within the 60s TTL. The token now stores the destination host at
creation and the verifier rejects mismatches without burning the cache
entry, so legitimate destinations can still redeem.
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com >
2026-04-20 19:04:53 +10:00
Dan Milne
6844c5fab3
Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps
...
- Remove duplicated app_allows_user_cached?/headers_for_user_cached methods; call model methods directly
- Fix sliding-window rate limit bug by using increment instead of write (avoids TTL reset)
- Use cached app lookup in validate_redirect_url instead of hitting DB on every unauthorized request
- Add cache busting to ApplicationGroup so group assignment changes invalidate the cache
- Eager-load user groups (includes(user: :groups)) to eliminate N+1 queries
- Replace pluck(:name) with map(&:name) to use already-loaded associations
- Remove hardcoded fallback domain, dead methods, and unnecessary comments
- Fix test indentation and make group-order assertions deterministic
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-21 23:54:19 +11:00
Dan Milne
5505f99287
Add rate limiting and in-memory caching for forward auth endpoint
...
Rate limit failed attempts (50/min per IP) with 429 + Retry-After.
Cache forward auth applications in a dedicated MemoryStore (8MB LRU)
to avoid loading all apps from SQLite on every request. Debounce
last_activity_at writes to at most once per minute per session.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-07 11:15:54 +11:00
Dan Milne
fd8785a43d
Add API keys / bearer tokens for forward auth
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Enables server-to-server authentication for forward auth applications
(e.g., video players accessing WebDAV) where browser cookies aren't
available. API keys use clk_ prefixed tokens stored as HMAC hashes.
Bearer token auth is checked before cookie auth in /api/verify.
Invalid tokens return 401 JSON (no redirect). Requests without
bearer tokens fall through to existing cookie flow unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:45:40 +11:00
Dan Milne
27d77ebf47
Expose 'username' via forward auth headers
2026-01-05 15:12:02 +11:00
Dan Milne
93a0edb0a2
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:29:44 +11:00
Dan Milne
00eca6d8b2
Default deny forward_auth requests
2025-12-30 16:04:01 +11:00
Dan Milne
0361bfe470
Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-29 15:37:12 +11:00
Dan Milne
ab362aabac
Remove the rate limit for the forward auth system
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-28 14:40:53 +11:00
Dan Milne
67f28faaca
Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN
2025-11-12 16:24:05 +11:00
Dan Milne
6049429a41
Fix mobile view menu popout. Add an option SENTRY_DSN support, which uses rails event reporting
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 23:16:28 +11:00
Dan Milne
73b2ae2f02
Add some docs
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 21:13:46 +11:00
Dan Milne
ef15db77f9
Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 13:21:55 +11:00
Dan Milne
ddcb297c74
Add comprhensive csp polices and reporting endpoint. Add environment support require for protecting against rebinding attacks on ip addresses
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-29 15:37:53 +11:00
Dan Milne
6f7de94623
Rate limit the forward_auth controller
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-29 13:55:36 +11:00
Dan Milne
baa75a3456
Use the IPAddr library to detect ipv4 and ipv6 addresses
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-29 13:47:23 +11:00
Dan Milne
7074242907
Update docs. Implemented a one-time token to work around domain cookies not being immediately return by the browser. Reduce db queries on /api/verify requests.
2025-10-28 08:27:19 +11:00
Dan Milne
da6fd5b800
More logs
2025-10-28 08:27:19 +11:00
Dan Milne
88428bfd97
Add configuration foward-auth headers
2025-10-26 14:41:20 +11:00
Dan Milne
a21b21ace2
remove unneeded action
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 11:43:34 +11:00
Dan Milne
ad70841689
Pass the redirect url through the forms
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 11:36:11 +11:00
Dan Milne
ee4af20000
Updates
2025-10-23 23:55:21 +11:00
Dan Milne
7200a6735f
OK - 302 + Location
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-23 23:52:01 +11:00
Dan Milne
e3e2a565e7
Oh - we do use a 401, but with a Location header
2025-10-23 22:27:11 +11:00
Dan Milne
19cc425f94
Annnd let extract the correct headers so we can redirect
2025-10-23 22:16:28 +11:00
Dan Milne
96a9ce2258
Redirect when auth fails - I think!
2025-10-23 22:07:58 +11:00
Dan Milne
7f075391c1
Switch user status to enum
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-23 20:24:19 +11:00
