Dan Milne
2235924f37
Harden OIDC, add SVG sanitization, improve form UX and security defaults
...
Remove PKCE plain method support (S256 only), enforce openid scope requirement,
filter to supported scopes, strip reserved claims from custom claims as
defense-in-depth, sanitize SVG icons with Loofah, add global input padding,
switch session cookies to SameSite=Lax, use Session.active scope, and remove
unsafe-eval from CSP.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-06 21:06:51 +10:00
Dan Milne
fd8785a43d
Add API keys / bearer tokens for forward auth
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Enables server-to-server authentication for forward auth applications
(e.g., video players accessing WebDAV) where browser cookies aren't
available. API keys use clk_ prefixed tokens stored as HMAC hashes.
Bearer token auth is checked before cookie auth in /api/verify.
Invalid tokens return 401 JSON (no redirect). Requests without
bearer tokens fall through to existing cookie flow unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:45:40 +11:00
Dan Milne
93a0edb0a2
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:29:44 +11:00
Dan Milne
bb5aa2e6d6
Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation
2025-12-31 10:33:56 +11:00
Dan Milne
cc7beba9de
PKCE is now default enabled. You can now create public / no-secret apps OIDC apps
2025-12-31 09:22:18 +11:00
Dan Milne
0761c424c1
Fix tests. Remove tests which test rails functionality
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-30 00:18:19 +11:00
Dan Milne
d6029556d3
Add OIDC fixes, add prefered_username, add application-user claims
2025-11-25 16:29:40 +11:00
Dan Milne
7796c38c08
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-23 11:16:06 +11:00
Dan Milne
fb14ce032f
Strip out more inline javascript code. Encrypt backup codes and treat the backup codes attribute as a json array
2025-11-04 18:46:11 +11:00
Dan Milne
57abc0b804
Add webauthn
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 16:20:11 +11:00
Dan Milne
ef15db77f9
Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-04 13:21:55 +11:00
Dan Milne
431e947a4c
Some more tests. Fix invitation link and password reset links. After creating their account and setting a password, the user is logged in
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-26 23:09:38 +11:00
Dan Milne
8dd3e60071
Add a list_sign_in_at field for users so magick links work
2025-10-26 22:40:54 +11:00
Dan Milne
5921cf82c2
Add invite button and routes for resending invitations
2025-10-25 13:49:10 +11:00
Dan Milne
5463723455
Increase the thing
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 20:48:58 +11:00
Dan Milne
0af3dbefed
Remember that we concented.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 17:01:03 +11:00
Dan Milne
12e0ef66ed
OIDC app creation with encrypted secrets and application roles
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-24 14:47:24 +11:00
Dan Milne
7f075391c1
Switch user status to enum
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-23 20:24:19 +11:00
Dan Milne
256cbe3a48
User registation working. Sidebar built. Dashboard built. TOTP enable works - TOTP login works
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-23 18:07:27 +11:00
Dan Milne
56f7dd7b3c
First crack
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-10-23 16:45:00 +11:00
