Compare commits
2 Commits
9b81aee490
...
71198340d0
| Author | SHA1 | Date | |
|---|---|---|---|
|
71198340d0 | ||
|
|
d597ca8810 |
65
Claude.md
Normal file
65
Claude.md
Normal file
@@ -0,0 +1,65 @@
|
||||
# Claude Code Guidelines for Clinch
|
||||
|
||||
This document provides guidelines for AI assistants (Claude, ChatGPT, etc.) working on this codebase.
|
||||
|
||||
## Project Context
|
||||
|
||||
Clinch is a lightweight identity provider (IdP) supporting:
|
||||
- **OIDC/OAuth2** - Standard OAuth flows for modern apps
|
||||
- **ForwardAuth** - Trusted-header SSO for reverse proxies (Traefik, Caddy, Nginx)
|
||||
- **WebAuthn/Passkeys** - Passwordless authentication
|
||||
- Group-based access control
|
||||
|
||||
Key characteristics:
|
||||
- Rails 8 application with SQLite database
|
||||
- Focus on simplicity and self-hosting
|
||||
- No external dependencies for core functionality
|
||||
|
||||
## Testing Guidelines
|
||||
|
||||
### Do Not Test Rails Framework Functionality
|
||||
|
||||
When writing tests, focus on testing **our application's specific behavior and logic**, not standard Rails framework functionality.
|
||||
|
||||
**Examples of what NOT to test:**
|
||||
- Session isolation between users (Rails handles this)
|
||||
- Basic ActiveRecord associations (Rails handles this)
|
||||
- Standard cookie signing/verification (Rails handles this)
|
||||
- Default controller rendering behavior (Rails handles this)
|
||||
- Infrastructure-level error handling (database connection failures, network issues, etc.)
|
||||
|
||||
**Examples of what TO test:**
|
||||
- Forward auth business logic (group-based access control, header configuration, etc.)
|
||||
- Custom authentication flows
|
||||
- Application-specific session expiration behavior
|
||||
- Domain pattern matching logic
|
||||
- Custom response header generation
|
||||
|
||||
**Why:**
|
||||
Testing Rails framework functionality adds no value and can create maintenance burden. Trust that Rails works correctly and focus tests on verifying our application's unique behavior.
|
||||
|
||||
### Integration Test Patterns
|
||||
|
||||
**Session handling:**
|
||||
- Do NOT manually manipulate cookies in integration tests
|
||||
- Use the session provided by the test framework
|
||||
- To get the actual session ID, use `Session.last.id` after sign-in, not `cookies[:session_id]` (which is signed)
|
||||
|
||||
**Application setup:**
|
||||
- Always create Application records for the domains you're testing
|
||||
- Use wildcard patterns (e.g., `*.example.com`) when testing multiple subdomains
|
||||
- Remember: `*` matches one level only (`*.example.com` matches `app.example.com` but NOT `sub.app.example.com`)
|
||||
|
||||
**Header assertions:**
|
||||
- Always normalize header names to lowercase when asserting (HTTP headers are case-insensitive)
|
||||
- Use `response.headers["x-remote-user"]` not `response.headers["X-Remote-User"]`
|
||||
|
||||
**Avoid threading in integration tests:**
|
||||
- Rails integration tests use a single cookie jar
|
||||
- Convert threaded tests to sequential requests instead
|
||||
|
||||
### Common Testing Pitfalls
|
||||
|
||||
1. **Don't test concurrent users with manual cookie manipulation** - Integration tests can't properly simulate multiple concurrent sessions
|
||||
2. **Don't expect `cookies[:session_id]` to be the actual ID** - It's a signed cookie value
|
||||
3. **Don't assume wildcard patterns match multiple levels** - `*.domain.com` only matches one level
|
||||
18
README.md
18
README.md
@@ -257,6 +257,24 @@ Configure different claims for different applications on a per-user basis:
|
||||
- Proxy redirects to Clinch login page
|
||||
- After login, redirect back to original URL
|
||||
|
||||
#### Race Condition Handling
|
||||
|
||||
After successful login, you may notice an `fa_token` query parameter appended to redirect URLs (e.g., `https://app.example.com/dashboard?fa_token=...`). This solves a timing issue:
|
||||
|
||||
**The Problem:**
|
||||
1. User signs in → session cookie is set
|
||||
2. Browser gets redirected to protected resource
|
||||
3. Browser may not have processed the `Set-Cookie` header yet
|
||||
4. Reverse proxy checks `/api/verify` → no cookie yet → auth fails ❌
|
||||
|
||||
**The Solution:**
|
||||
- A one-time token (`fa_token`) is added to the redirect URL as a query parameter
|
||||
- `/api/verify` checks for this token first, before checking cookies
|
||||
- Token is cached for 60 seconds and deleted immediately after use
|
||||
- This gives the browser's cookie handling time to catch up
|
||||
|
||||
This is transparent to end users and requires no configuration.
|
||||
|
||||
---
|
||||
|
||||
## Setup & Installation
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
require "test_helper"
|
||||
|
||||
# Note: This file tests API endpoints directly (post/get/assert_response)
|
||||
# so it should use IntegrationTest, not SystemTestCase
|
||||
class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
# Advanced integration tests for Forward Auth API
|
||||
class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
|
||||
setup do
|
||||
@user = users(:one)
|
||||
@admin_user = users(:two)
|
||||
@@ -24,7 +23,7 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
assert_response 302
|
||||
location = response.location
|
||||
assert_match %r{/signin}, location
|
||||
assert_match %r{rd=https://app.example.com/dashboard}, location
|
||||
assert_match %r{rd=https%3A%2F%2Fapp\.example\.com%2Fdashboard}, location
|
||||
|
||||
# Step 2: Extract return URL from session
|
||||
assert_equal "https://app.example.com/dashboard", session[:return_to_after_authenticating]
|
||||
@@ -33,7 +32,10 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
|
||||
assert_response 302
|
||||
assert_redirected_to "https://app.example.com/dashboard"
|
||||
redirect_uri = URI.parse(response.location)
|
||||
assert_equal "https", redirect_uri.scheme
|
||||
assert_equal "app.example.com", redirect_uri.host
|
||||
assert_equal "/dashboard", redirect_uri.path
|
||||
|
||||
# Step 4: Authenticated request to protected resource
|
||||
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
|
||||
@@ -146,40 +148,17 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
end
|
||||
|
||||
# Security System Tests
|
||||
test "session security and isolation" do
|
||||
# User A signs in
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
user_a_session = cookies[:session_id]
|
||||
|
||||
# User B signs in
|
||||
delete "/session"
|
||||
post "/signin", params: {email_address: @admin_user.email_address, password: "password"}
|
||||
user_b_session = cookies[:session_id]
|
||||
|
||||
# User A should still be able to access resources
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "test.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{user_a_session}"
|
||||
}
|
||||
assert_response 200
|
||||
assert_equal @user.email_address, response.headers["x-remote-user"]
|
||||
|
||||
# User B should be able to access resources
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "test.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{user_b_session}"
|
||||
}
|
||||
assert_response 200
|
||||
assert_equal @admin_user.email_address, response.headers["x-remote-user"]
|
||||
|
||||
# Sessions should be independent
|
||||
assert_not_equal user_a_session, user_b_session
|
||||
end
|
||||
|
||||
test "session expiration and cleanup" do
|
||||
# Create test application
|
||||
Application.create!(
|
||||
name: "Test", slug: "test-system-test", app_type: "forward_auth",
|
||||
domain_pattern: "test.example.com",
|
||||
active: true
|
||||
)
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
session_id = cookies[:session_id]
|
||||
session_id = Session.last.id
|
||||
|
||||
# Should work initially
|
||||
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
|
||||
@@ -199,42 +178,42 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
end
|
||||
|
||||
test "concurrent access with rate limiting considerations" do
|
||||
# Create wildcard application
|
||||
Application.create!(
|
||||
name: "Wildcard", slug: "wildcard-test", app_type: "forward_auth",
|
||||
domain_pattern: "*.example.com",
|
||||
active: true
|
||||
)
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
session_cookie = cookies[:session_id]
|
||||
|
||||
# Simulate multiple concurrent requests from different IPs
|
||||
threads = []
|
||||
# Make multiple sequential requests (threads don't work in integration tests)
|
||||
results = []
|
||||
|
||||
10.times do |i|
|
||||
threads << Thread.new do
|
||||
start_time = Time.current
|
||||
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "app#{i}.example.com",
|
||||
"X-Forwarded-For" => "192.168.1.#{100 + i}",
|
||||
"Cookie" => "_clinch_session_id=#{session_cookie}"
|
||||
"X-Forwarded-For" => "192.168.1.#{100 + i}"
|
||||
}
|
||||
|
||||
end_time = Time.current
|
||||
|
||||
results << {
|
||||
thread_id: i,
|
||||
request_id: i,
|
||||
status: response.status,
|
||||
user: response.headers["x-remote-user"],
|
||||
duration: end_time - start_time
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
threads.each(&:join)
|
||||
|
||||
# All requests should succeed
|
||||
results.each do |result|
|
||||
assert_equal 200, result[:status], "Thread #{result[:thread_id]} failed"
|
||||
assert_equal @user.email_address, result[:user], "Thread #{result[:thread_id]} has wrong user"
|
||||
assert result[:duration] < 1.0, "Thread #{result[:thread_id]} was too slow"
|
||||
assert_equal 200, result[:status], "Request #{result[:request_id]} failed"
|
||||
assert_equal @user.email_address, result[:user], "Request #{result[:request_id]} has wrong user"
|
||||
assert result[:duration] < 1.0, "Request #{result[:request_id]} was too slow"
|
||||
end
|
||||
end
|
||||
|
||||
@@ -285,22 +264,23 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
|
||||
# Verify headers are correct
|
||||
if app[:headers_config][:user].present?
|
||||
assert_equal app[:headers_config][:user],
|
||||
response.headers.keys.find { |k| k.include?("USER") },
|
||||
"Wrong user header for #{app[:domain]}"
|
||||
assert_equal @user.email_address, response.headers[app[:headers_config][:user]]
|
||||
assert response.headers.key?(app[:headers_config][:user]),
|
||||
"Missing header #{app[:headers_config][:user]} for #{app[:domain]}"
|
||||
assert_equal @user.email_address, response.headers[app[:headers_config][:user]],
|
||||
"Wrong user value in #{app[:headers_config][:user]} for #{app[:domain]}"
|
||||
else
|
||||
# Should have no auth headers
|
||||
auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
|
||||
assert_empty auth_headers, "Should have no headers for #{app[:domain]}"
|
||||
auth_headers = response.headers.select { |k, v| k.match?(/^(x-remote-|x-webauth-|x-admin-)/i) }
|
||||
assert_empty auth_headers, "Should have no headers for #{app[:domain]}, got: #{auth_headers.keys.join(', ')}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
test "domain pattern edge cases" do
|
||||
# Test various domain patterns
|
||||
# Note: * matches one level only (no dots), so *.example.com matches app.example.com but not sub.app.example.com
|
||||
patterns = [
|
||||
{pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "sub.app.example.com"]},
|
||||
{pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "grafana.example.com"]},
|
||||
{pattern: "api.*.com", domains: ["api.example.com", "api.test.com"]},
|
||||
{pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"]}
|
||||
]
|
||||
@@ -329,12 +309,11 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
|
||||
# Performance System Tests
|
||||
test "system performance under load" do
|
||||
# Create test application
|
||||
Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "loadtest.example.com", active: true)
|
||||
# Create test application with wildcard pattern
|
||||
Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "*.loadtest.example.com", active: true)
|
||||
|
||||
# Sign in
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
session_cookie = cookies[:session_id]
|
||||
|
||||
# Performance test
|
||||
start_time = Time.current
|
||||
@@ -345,8 +324,7 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
request_start = Time.current
|
||||
|
||||
get "/api/verify", headers: {
|
||||
"X-Forwarded-Host" => "app#{i}.loadtest.example.com",
|
||||
"Cookie" => "_clinch_session_id=#{session_cookie}"
|
||||
"X-Forwarded-Host" => "app#{i}.loadtest.example.com"
|
||||
}
|
||||
|
||||
request_end = Time.current
|
||||
@@ -371,34 +349,4 @@ class ForwardAuthSystemTest < ActionDispatch::IntegrationTest
|
||||
assert rps > 10, "Requests per second #{rps} is too low"
|
||||
end
|
||||
|
||||
# Error Recovery System Tests
|
||||
test "graceful degradation with database issues" do
|
||||
# Sign in first
|
||||
post "/signin", params: {email_address: @user.email_address, password: "password"}
|
||||
assert_response 302
|
||||
|
||||
# Simulate database connection issue by mocking
|
||||
original_method = Session.method(:find_by)
|
||||
|
||||
# Mock database failure
|
||||
Session.define_singleton_method(:find_by) do |id|
|
||||
raise ActiveRecord::ConnectionNotEstablished, "Database connection lost"
|
||||
end
|
||||
|
||||
begin
|
||||
# Request should handle the error gracefully
|
||||
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
|
||||
|
||||
# Should return 302 (redirect to login) rather than 500 error
|
||||
assert_response 302, "Should gracefully handle database issues"
|
||||
assert_equal "Invalid session", response.headers["x-auth-reason"]
|
||||
ensure
|
||||
# Restore original method
|
||||
Session.define_singleton_method(:find_by, original_method)
|
||||
end
|
||||
|
||||
# Normal operation should still work
|
||||
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
|
||||
assert_response 200
|
||||
end
|
||||
end
|
||||
@@ -54,45 +54,39 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
|
||||
end
|
||||
|
||||
# ====================
|
||||
# USER HANDLE BINDING TESTS
|
||||
# USER HANDLE SECURITY TESTS
|
||||
# ====================
|
||||
|
||||
test "user handle is properly bound to WebAuthn credential" do
|
||||
user = User.create!(email_address: "webauthn_handle_test@example.com", password: "password123")
|
||||
test "WebAuthn challenge includes authenticated user's handle (not another user's)" do
|
||||
# Create two users
|
||||
user_a = User.create!(email_address: "usera@example.com", password: "password123")
|
||||
user_b = User.create!(email_address: "userb@example.com", password: "password123")
|
||||
|
||||
# Create a WebAuthn credential with user handle
|
||||
user_handle = SecureRandom.uuid
|
||||
credential = user.webauthn_credentials.create!(
|
||||
external_id: Base64.urlsafe_encode64("fake_credential_id"),
|
||||
public_key: Base64.urlsafe_encode64("fake_public_key"),
|
||||
sign_count: 0,
|
||||
nickname: "Test Key",
|
||||
user_handle: user_handle
|
||||
)
|
||||
# Generate handles for both users
|
||||
handle_a = user_a.webauthn_user_handle
|
||||
handle_b = user_b.webauthn_user_handle
|
||||
|
||||
# Verify user handle is associated with the credential
|
||||
assert_equal user_handle, credential.user_handle
|
||||
# Sign in as User A
|
||||
post signin_path, params: {email_address: user_a.email_address, password: "password123"}
|
||||
assert_response :redirect
|
||||
|
||||
user.destroy
|
||||
end
|
||||
# Request WebAuthn challenge (for registration)
|
||||
post webauthn_challenge_path, params: {email: user_a.email_address}
|
||||
assert_response :success
|
||||
|
||||
test "WebAuthn authentication validates user handle" do
|
||||
user = User.create!(email_address: "webauthn_handle_auth_test@example.com", password: "password123")
|
||||
# Parse the JSON response
|
||||
challenge_data = JSON.parse(response.body)
|
||||
|
||||
user_handle = SecureRandom.uuid
|
||||
user.webauthn_credentials.create!(
|
||||
external_id: Base64.urlsafe_encode64("fake_credential_id"),
|
||||
public_key: Base64.urlsafe_encode64("fake_public_key"),
|
||||
sign_count: 0,
|
||||
nickname: "Test Key",
|
||||
user_handle: user_handle
|
||||
)
|
||||
# SECURITY: Verify challenge includes User A's handle
|
||||
assert challenge_data.key?("user")
|
||||
assert_equal handle_a, challenge_data["user"]["id"], "Challenge should include authenticated user's handle"
|
||||
assert_equal user_a.email_address, challenge_data["user"]["name"]
|
||||
|
||||
# Sign in with WebAuthn
|
||||
# The implementation should verify the user handle matches
|
||||
# This test documents the expected behavior
|
||||
# SECURITY: Verify challenge does NOT include User B's handle
|
||||
assert_not_equal handle_b, challenge_data["user"]["id"], "Challenge should NOT include another user's handle"
|
||||
|
||||
user.destroy
|
||||
user_a.destroy
|
||||
user_b.destroy
|
||||
end
|
||||
|
||||
# ====================
|
||||
@@ -316,7 +310,7 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
|
||||
|
||||
test "WebAuthn can be required for authentication" do
|
||||
user = User.create!(email_address: "webauthn_required_test@example.com", password: "password123")
|
||||
user.update!(webauthn_enabled: true)
|
||||
user.update!(webauthn_required: true)
|
||||
|
||||
# Sign in with password should still work
|
||||
post signin_path, params: {email_address: "webauthn_required_test@example.com", password: "password123"}
|
||||
@@ -329,7 +323,7 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
|
||||
|
||||
test "WebAuthn can be used for passwordless authentication" do
|
||||
user = User.create!(email_address: "webauthn_passwordless_test@example.com", password: "password123")
|
||||
user.update!(webauthn_enabled: true)
|
||||
user.update!(webauthn_required: true)
|
||||
|
||||
user.webauthn_credentials.create!(
|
||||
external_id: Base64.urlsafe_encode64("passwordless_credential"),
|
||||
|
||||
@@ -319,4 +319,35 @@ class UserTest < ActiveSupport::TestCase
|
||||
|
||||
# Note: parsed_backup_codes method and legacy tests removed
|
||||
# All users now use BCrypt hashes stored in JSON column
|
||||
|
||||
# WebAuthn user handle tests
|
||||
test "generates and persists unique webauthn user handle" do
|
||||
user = User.create!(email_address: "webauthn_test@example.com", password: "password123")
|
||||
|
||||
# User should not have a webauthn_id initially
|
||||
assert_nil user.webauthn_id
|
||||
|
||||
# Getting the user handle should generate and persist it
|
||||
handle = user.webauthn_user_handle
|
||||
assert_not_nil handle
|
||||
assert_equal 86, handle.length # Base64-urlsafe-encoded 64 bytes (no padding)
|
||||
|
||||
# Reload and verify it was persisted
|
||||
user.reload
|
||||
assert_equal handle, user.webauthn_id
|
||||
|
||||
# Subsequent calls should return the same handle (stable)
|
||||
assert_equal handle, user.webauthn_user_handle
|
||||
end
|
||||
|
||||
test "webauthn user handles are unique across users" do
|
||||
user1 = User.create!(email_address: "user1@example.com", password: "password123")
|
||||
user2 = User.create!(email_address: "user2@example.com", password: "password123")
|
||||
|
||||
handle1 = user1.webauthn_user_handle
|
||||
handle2 = user2.webauthn_user_handle
|
||||
|
||||
# Each user should get a unique handle
|
||||
assert_not_equal handle1, handle2
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user