Dan Milne
b7fa49953c
Revoke full token chain on OIDC authorization-code replay
...
The replay handler previously used a created_at time-range filter to
target access tokens and called update_all(expires_at:), which left
revoked_at nil, skipped refresh tokens entirely, and could miss or
falsely catch tokens from concurrent flows. Add an oidc_authorization_code
FK on both token tables, carry it through refresh-token rotation, and
use the association to revoke every descendant via revoke! (which sets
revoked_at and cascades access -> refresh).
Co-Authored-By: Claude Opus 4 <noreply@anthropic.com >
2026-04-20 17:39:08 +10:00
Dan Milne
2235924f37
Harden OIDC, add SVG sanitization, improve form UX and security defaults
...
Remove PKCE plain method support (S256 only), enforce openid scope requirement,
filter to supported scopes, strip reserved claims from custom claims as
defense-in-depth, sanitize SVG icons with Loofah, add global input padding,
switch session cookies to SameSite=Lax, use Session.active scope, and remove
unsafe-eval from CSP.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-06 21:06:51 +10:00
Dan Milne
d8d8000b92
Add tests for forward auth cache gaps: invalidation, rate limiting, and debounce
...
- Test ApplicationGroup cache busting on add and remove
- Test first failure persists in rate limit cache (increment fallback)
- Test bearer token failures count toward rate limit
- Test rd parameter rejected for deactivated applications
- Test last_activity_at updates after debounce window expires
- Test successful requests don't reset failure counter
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-21 23:59:18 +11:00
Dan Milne
6844c5fab3
Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps
...
- Remove duplicated app_allows_user_cached?/headers_for_user_cached methods; call model methods directly
- Fix sliding-window rate limit bug by using increment instead of write (avoids TTL reset)
- Use cached app lookup in validate_redirect_url instead of hitting DB on every unauthorized request
- Add cache busting to ApplicationGroup so group assignment changes invalidate the cache
- Eager-load user groups (includes(user: :groups)) to eliminate N+1 queries
- Replace pluck(:name) with map(&:name) to use already-loaded associations
- Remove hardcoded fallback domain, dead methods, and unnecessary comments
- Fix test indentation and make group-order assertions deterministic
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-21 23:54:19 +11:00
Dan Milne
5505f99287
Add rate limiting and in-memory caching for forward auth endpoint
...
Rate limit failed attempts (50/min per IP) with 429 + Retry-After.
Cache forward auth applications in a dedicated MemoryStore (8MB LRU)
to avoid loading all apps from SQLite on every request. Debounce
last_activity_at writes to at most once per minute per session.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-07 11:15:54 +11:00
Dan Milne
65c19fa732
Upgrade to Ruby 4.0.1, bump version to 0.9.0
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Replace CGI.parse (removed in Ruby 4.0) with Rack::Utils.parse_query
in application controller, sessions controller, and OIDC tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:52:11 +11:00
Dan Milne
fd8785a43d
Add API keys / bearer tokens for forward auth
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Enables server-to-server authentication for forward auth applications
(e.g., video players accessing WebDAV) where browser cookies aren't
available. API keys use clk_ prefixed tokens stored as HMAC hashes.
Bearer token auth is checked before cookie auth in /api/verify.
Invalid tokens return 401 JSON (no redirect). Requests without
bearer tokens fall through to existing cookie flow unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:45:40 +11:00
Dan Milne
444ae6291c
Add missing files, fix formatting
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:34:11 +11:00
Dan Milne
cc6d4fcc65
Add test files, update checklist
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:28:55 +11:00
Dan Milne
75cc223329
303 is the correct response
2026-01-05 13:05:24 +11:00
Dan Milne
25e1043312
Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.
2026-01-05 12:03:01 +11:00
Dan Milne
0bb84f08d6
OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d
OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809
OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:41:07 +11:00
Dan Milne
f67a73821c
OpenID Conformance: user info endpoint should support get and post requets, not just get
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5
OpenID Conformance: We need to return to the redirect_uri in the case of errors.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d
Return only scopes requested, add tests ( OpenID conformance test )
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 14:55:06 +11:00
Dan Milne
ae99d3d9cf
Fix webauthn bug. Fix tests. Update docs
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 15:24:56 +11:00
Dan Milne
1afcd041f9
Update README, fix a test
2026-01-01 15:17:28 +11:00
Dan Milne
71198340d0
fix tests and add a Claude.md file
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 15:11:46 +11:00
Dan Milne
d597ca8810
Fix tests
2026-01-01 14:52:24 +11:00
Dan Milne
9b81aee490
Fix linting error
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:45:10 +11:00
Dan Milne
265518ab25
Move integration tests into right directory
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:43:13 +11:00
Dan Milne
93a0edb0a2
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:29:44 +11:00
Dan Milne
9234904e47
Add security-todo and beta-checklists, and some security rake tasks
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 13:06:54 +11:00
Dan Milne
d036e25fef
Add auth_time, acr and azp support for OIDC claims
2025-12-31 17:07:54 +11:00
Dan Milne
fcdd2b6de7
Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.
2025-12-31 16:57:28 +11:00
Dan Milne
3939ea773f
We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ).
2025-12-31 16:45:45 +11:00
Dan Milne
4b4afe277e
Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record
2025-12-31 16:36:32 +11:00
Dan Milne
364e6e21dd
Fixes for tests and AR Encryption
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 16:08:05 +11:00
Dan Milne
9d352ab8ec
Fix tests - add missing files
2025-12-31 16:01:31 +11:00
Dan Milne
ed7ceedef5
Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 14:45:38 +11:00
Dan Milne
29c0981a59
Improve readme and tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 11:56:09 +11:00
Dan Milne
9d402fcd92
Clean up and secure web_authn controller
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-31 11:44:11 +11:00
Dan Milne
cc7beba9de
PKCE is now default enabled. You can now create public / no-secret apps OIDC apps
2025-12-31 09:22:18 +11:00
Dan Milne
00eca6d8b2
Default deny forward_auth requests
2025-12-30 16:04:01 +11:00
Dan Milne
71d59e7367
Remove plain text token from everywhere
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-30 11:58:11 +11:00
Dan Milne
0761c424c1
Fix tests. Remove tests which test rails functionality
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-30 00:18:19 +11:00
Dan Milne
2a32d75895
Fix tests - don't test standard rails features
2025-12-29 19:45:01 +11:00
Dan Milne
4c1df53fd5
Fix more tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-29 19:22:08 +11:00
Dan Milne
acab15ce30
Fix more tests
2025-12-29 18:48:41 +11:00
Dan Milne
0361bfe470
Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-12-29 15:37:12 +11:00
Dan Milne
5b9d15584a
Add more rate limiting, and more restrictive headers
2025-12-29 13:29:14 +11:00
Dan Milne
d6029556d3
Add OIDC fixes, add prefered_username, add application-user claims
2025-11-25 16:29:40 +11:00
Dan Milne
7796c38c08
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-23 11:16:06 +11:00
Dan Milne
ab0085e9c9
More complete oidc
2025-11-18 20:02:45 +11:00
Dan Milne
1ee3302319
Improvements derived from rodauth-oauth
2025-11-12 22:17:55 +11:00
Dan Milne
33ad956508
Add test
2025-11-12 15:50:04 +11:00
Dan Milne
038801f34b
Add pkce
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2025-11-09 10:21:29 +11:00
Dan Milne
fb14ce032f
Strip out more inline javascript code. Encrypt backup codes and treat the backup codes attribute as a json array
2025-11-04 18:46:11 +11:00
