17 Commits

Author	SHA1	Message	Date
Dan Milne	b55139eb1c	Fix Sentry config to use Sentry.init API ... The Sentry setup used a config.sentry.* accessor that sentry-rails has never provided, so booting with SENTRY_DSN set raised NoMethodError during environment load (e.g. db:prepare). The code only ran once a DSN was configured, which is why it surfaced in production now. Rewrites config/initializers/sentry.rb to call Sentry.init, the actual sentry-ruby API, and removes the duplicate broken block from production.rb. Verified production boots with SENTRY_DSN set (Sentry.initialized? == true) and that the no-DSN path still early-returns. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 13:57:26 +10:00
Dan Milne	07ea031b61	Remove hardcoded internal IP from production hosts allowlist ... 192.168.2.246 was redundant with the 192.168.0.0/16 regex already in the CLINCH_ALLOW_INTERNAL_IPS block, and baked a specific lab IP into the repo. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-11 23:55:02 +10:00
Dan Milne	57d7d1f691	Anchor host-authorization regex to prevent look-alike domain bypass ... The DNS-rebinding allowlist used /.*#{registrable_domain}/, which is unanchored: for example.com it also matched evil-example.com, notexample.com, example.computer, and example.com.attacker.com. Any of those hosts would pass Rails' HostAuthorization middleware. Anchor the pattern as /\A(.+\.)?DOMAIN\z/i so it matches only the registrable domain and its subdomains (now also case-insensitively). Verified against a real production boot. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 19:47:35 +10:00
Dan Milne	444ae6291c	Add missing files, fix formatting	2026-01-05 23:34:11 +11:00
Dan Milne	ba08158c85	Bug fix for background jobs	2026-01-05 14:43:06 +11:00
Dan Milne	93a0edb0a2	StandardRB fixes	2026-01-01 13:29:44 +11:00
Dan Milne	40815d3576	Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens	2025-12-31 14:32:34 +11:00
Dan Milne	5b9d15584a	Add more rate limiting, and more restrictive headers	2025-12-29 13:29:14 +11:00
Dan Milne	67f28faaca	Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN	2025-11-12 16:24:05 +11:00
Dan Milne	c92e69fa4a	Add PCKE	2025-11-09 11:54:45 +11:00
Dan Milne	2b15aa2c40	Add sentry, set csp reporting API	2025-11-04 22:58:32 +11:00
Dan Milne	bfcc5cdc84	More nuanced domain fetching for host validation	2025-10-29 16:31:56 +11:00
Dan Milne	ddcb297c74	Add comprhensive csp polices and reporting endpoint. Add environment support require for protecting against rebinding attacks on ip addresses	2025-10-29 15:37:53 +11:00
Dan Milne	b5b1d94d47	Fix the CLINCH_HOST issue.	2025-10-26 21:59:27 +11:00
Dan Milne	d98f777e7d	Refactor email delivery and background jobs system ... - Switch from SolidQueue to async job processor for simpler background job handling - Remove SolidQueue gem and related configuration files - Add letter_opener gem for development email preview - Fix invitation email template issues (invitation_login_token method and route helper) - Configure SMTP settings via environment variables in application.rb - Add email delivery configuration banner on admin users page - Improve admin users page with inline action buttons and SMTP configuration warnings - Update development and production environments to use async processor - Add helper methods to detect SMTP configuration and filter out localhost settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-26 16:30:02 +11:00
Dan Milne	256cbe3a48	User registation working. Sidebar built. Dashboard built. TOTP enable works - TOTP login works	2025-10-23 18:07:27 +11:00
Dan Milne	1ff0a95392	First commit	2025-10-23 16:19:56 +11:00