Fixes for tests and AR Encryption

Fix tests - add missing files
Version bump
2025-12-31 16:08:05 +11:00 · 2025-12-31 16:01:31 +11:00 · 2025-12-31 15:48:52 +11:00 · 2025-12-31 15:48:32 +11:00 · 2025-12-31 15:00:00 +11:00 · 2025-12-31 14:45:38 +11:00
92 changed files with 5689 additions and 1124 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,21 @@
 # Rails Configuration
-SECRET_KEY_BASE=generate-with-bin-rails-secret
+# SECRET_KEY_BASE is used for:
 #   - Session cookie encryption
 #   - Signed token verification
 #   - ActiveRecord encryption (currently: TOTP secrets)
 #   - OIDC token prefix HMAC derivation
 #
 # CRITICAL: Do NOT change SECRET_KEY_BASE after deployment. Changing it will:
 #   - Invalidate all user sessions (users must re-login)
 #   - Break encrypted data (users must re-setup 2FA)
 #   - Invalidate all OIDC access/refresh tokens (clients must re-authenticate)
 #
 # Optional: Override encryption keys with env vars for key rotation:
 #   - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 #   - OIDC_TOKEN_PREFIX_HMAC
 SECRET_KEY_BASE=generate-with-bin/rails/secret
 RAILS_ENV=development
 # Database
--- a/2
+++ b/2
@@ -11,6 +11,8 @@
 ARG RUBY_VERSION=3.4.6
 FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
 LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
 # Rails app lives here
 WORKDIR /rails
--- a/8
+++ b/8
@@ -35,11 +35,11 @@ gem "jwt", "~> 3.1"
 gem "webauthn", "~> 3.0"
 # Public Suffix List for domain parsing
-gem "public_suffix", "~> 6.0"
+gem "public_suffix", "~> 7.0"
 # Error tracking and performance monitoring (optional, configured via SENTRY_DSN)
-gem "sentry-ruby", "~> 5.18"
+gem "sentry-ruby", "~> 6.2"
-gem "sentry-rails", "~> 5.18"
+gem "sentry-rails", "~> 6.2"
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem "tzinfo-data", platforms: %i[ windows jruby ]
@@ -47,6 +47,7 @@ gem "tzinfo-data", platforms: %i[ windows jruby ]
 # Use the database-backed adapters for Rails.cache and Action Cable
 gem "solid_cache"
 gem "solid_cable"
 gem "solid_queue", "~> 1.2"
 # Reduces boot times through caching; required in config/boot.rb
 gem "bootsnap", require: false
@@ -87,3 +88,4 @@ group :test do
  gem "capybara"
  gem "selenium-webdriver"
 end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -75,8 +75,8 @@ GEM
      securerandom (>= 0.3)
      tzinfo (~> 2.0, >= 2.0.5)
      uri (>= 0.13.1)
-    addressable (2.8.7)
+    addressable (2.8.8)
-      public_suffix (>= 2.0.2, < 7.0)
+      public_suffix (>= 2.0.2, < 8.0)
    android_key_attestation (0.3.0)
    ast (2.4.3)
    base64 (0.3.0)
@@ -85,13 +85,13 @@ GEM
    bigdecimal (3.3.1)
    bindata (2.5.1)
    bindex (0.8.1)
-    bootsnap (1.18.6)
+    bootsnap (1.19.0)
      msgpack (~> 1.2)
-    brakeman (7.1.0)
+    brakeman (7.1.1)
      racc
    builder (3.3.0)
-    bundler-audit (0.9.2)
+    bundler-audit (0.9.3)
-      bundler (>= 1.2.0, < 3)
+      bundler (>= 1.2.0)
      thor (~> 1.0)
    capybara (3.40.0)
      addressable
@@ -107,7 +107,7 @@ GEM
      logger (~> 1.5)
    chunky_png (1.4.0)
    concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    connection_pool (2.5.5)
    cose (1.3.1)
      cbor (~> 0.5.9)
      openssl-signature_algorithm (~> 1.0)
@@ -119,8 +119,10 @@ GEM
    dotenv (3.1.8)
    drb (2.2.3)
    ed25519 (1.4.0)
-    erb (5.1.3)
+    erb (6.0.0)
    erubi (1.13.1)
    et-orbi (1.4.0)
      tzinfo
    ffi (1.17.2-aarch64-linux-gnu)
    ffi (1.17.2-aarch64-linux-musl)
    ffi (1.17.2-arm-linux-gnu)
@@ -128,6 +130,9 @@ GEM
    ffi (1.17.2-arm64-darwin)
    ffi (1.17.2-x86_64-linux-gnu)
    ffi (1.17.2-x86_64-linux-musl)
    fugit (1.12.1)
      et-orbi (~> 1.4)
      raabro (~> 1.4)
    globalid (1.3.0)
      activesupport (>= 6.1)
    i18n (1.14.7)
@@ -147,10 +152,10 @@ GEM
    jbuilder (2.14.1)
      actionview (>= 7.0.0)
      activesupport (>= 7.0.0)
-    json (2.15.2)
+    json (2.16.0)
    jwt (3.1.2)
      base64
-    kamal (2.8.1)
+    kamal (2.9.0)
      activesupport (>= 7.0)
      base64 (~> 0.2)
      bcrypt_pbkdf (~> 1.0)
@@ -184,7 +189,7 @@ GEM
    mini_magick (5.3.1)
      logger
    mini_mime (1.1.5)
-    minitest (5.26.0)
+    minitest (5.26.2)
    msgpack (1.8.0)
    net-imap (0.5.12)
      date
@@ -220,7 +225,7 @@ GEM
      openssl (> 2.0)
    ostruct (0.6.3)
    parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.10.0)
      ast (~> 2.4.1)
      racc
    pp (0.6.3)
@@ -234,9 +239,10 @@ GEM
    psych (5.2.6)
      date
      stringio
-    public_suffix (6.0.2)
+    public_suffix (7.0.0)
    puma (7.1.0)
      nio4r (~> 2.0)
    raabro (1.4.0)
    racc (1.8.1)
    rack (3.2.4)
    rack-session (2.1.1)
@@ -278,20 +284,20 @@ GEM
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
    rake (13.3.1)
-    rdoc (6.15.1)
+    rdoc (6.16.1)
      erb
      psych (>= 4.0.0)
      tsort
    regexp_parser (2.11.3)
-    reline (0.6.2)
+    reline (0.6.3)
      io-console (~> 0.5)
    rexml (3.4.4)
    rotp (6.3.0)
-    rqrcode (3.1.0)
+    rqrcode (3.1.1)
      chunky_png (~> 1.0)
      rqrcode_core (~> 2.0)
-    rqrcode_core (2.0.0)
+    rqrcode_core (2.0.1)
-    rubocop (1.81.6)
+    rubocop (1.81.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
@@ -302,14 +308,14 @@ GEM
      rubocop-ast (>= 1.47.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.47.1)
+    rubocop-ast (1.48.0)
      parser (>= 3.3.7.2)
      prism (~> 1.4)
    rubocop-performance (1.26.1)
      lint_roller (~> 1.1)
      rubocop (>= 1.75.0, < 2.0)
      rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.33.4)
+    rubocop-rails (2.34.2)
      activesupport (>= 4.2.0)
      lint_roller (~> 1.1)
      rack (>= 1.1)
@@ -323,7 +329,7 @@ GEM
    ruby-vips (2.2.5)
      ffi (~> 1.12)
      logger
-    rubyzip (3.2.1)
+    rubyzip (3.2.2)
    safety_net_attestation (0.5.0)
      jwt (>= 2.0, < 4.0)
    securerandom (0.4.1)
@@ -333,10 +339,10 @@ GEM
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 4.0)
      websocket (~> 1.0)
-    sentry-rails (5.28.0)
+    sentry-rails (6.2.0)
-      railties (>= 5.0)
+      railties (>= 5.2.0)
-      sentry-ruby (~> 5.28.0)
+      sentry-ruby (~> 6.2.0)
-    sentry-ruby (5.28.0)
+    sentry-ruby (6.2.0)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
    solid_cable (3.0.12)
@@ -344,17 +350,24 @@ GEM
      activejob (>= 7.2)
      activerecord (>= 7.2)
      railties (>= 7.2)
-    solid_cache (1.0.8)
+    solid_cache (1.0.10)
      activejob (>= 7.2)
      activerecord (>= 7.2)
      railties (>= 7.2)
-    sqlite3 (2.7.4-aarch64-linux-gnu)
+    solid_queue (1.2.4)
-    sqlite3 (2.7.4-aarch64-linux-musl)
+      activejob (>= 7.1)
-    sqlite3 (2.7.4-arm-linux-gnu)
+      activerecord (>= 7.1)
-    sqlite3 (2.7.4-arm-linux-musl)
+      concurrent-ruby (>= 1.3.1)
-    sqlite3 (2.7.4-arm64-darwin)
+      fugit (~> 1.11)
-    sqlite3 (2.7.4-x86_64-linux-gnu)
+      railties (>= 7.1)
-    sqlite3 (2.7.4-x86_64-linux-musl)
+      thor (>= 1.3.1)
    sqlite3 (2.8.1-aarch64-linux-gnu)
    sqlite3 (2.8.1-aarch64-linux-musl)
    sqlite3 (2.8.1-arm-linux-gnu)
    sqlite3 (2.8.1-arm-linux-musl)
    sqlite3 (2.8.1-arm64-darwin)
    sqlite3 (2.8.1-x86_64-linux-gnu)
    sqlite3 (2.8.1-x86_64-linux-musl)
    sshkit (1.24.0)
      base64
      logger
@@ -364,16 +377,16 @@ GEM
      ostruct
    stimulus-rails (1.3.4)
      railties (>= 6.0.0)
-    stringio (3.1.7)
+    stringio (3.1.8)
-    tailwindcss-rails (4.3.0)
+    tailwindcss-rails (4.4.0)
      railties (>= 7.0.0)
      tailwindcss-ruby (~> 4.0)
-    tailwindcss-ruby (4.1.13)
+    tailwindcss-ruby (4.1.16)
-    tailwindcss-ruby (4.1.13-aarch64-linux-gnu)
+    tailwindcss-ruby (4.1.16-aarch64-linux-gnu)
-    tailwindcss-ruby (4.1.13-aarch64-linux-musl)
+    tailwindcss-ruby (4.1.16-aarch64-linux-musl)
-    tailwindcss-ruby (4.1.13-arm64-darwin)
+    tailwindcss-ruby (4.1.16-arm64-darwin)
-    tailwindcss-ruby (4.1.13-x86_64-linux-gnu)
+    tailwindcss-ruby (4.1.16-x86_64-linux-gnu)
-    tailwindcss-ruby (4.1.13-x86_64-linux-musl)
+    tailwindcss-ruby (4.1.16-x86_64-linux-musl)
    thor (1.4.0)
    thruster (0.1.16)
    thruster (0.1.16-aarch64-linux)
@@ -385,15 +398,15 @@ GEM
      openssl (> 2.0)
      openssl-signature_algorithm (~> 1.0)
    tsort (0.2.0)
-    turbo-rails (2.0.17)
+    turbo-rails (2.0.20)
      actionpack (>= 7.1.0)
      railties (>= 7.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    unicode-display_width (3.2.0)
      unicode-emoji (~> 4.1)
-    unicode-emoji (4.1.0)
+    unicode-emoji (4.2.0)
-    uri (1.1.0)
+    uri (1.1.1)
    useragent (0.16.11)
    web-console (4.2.1)
      actionview (>= 6.0.0)
@@ -442,17 +455,18 @@ DEPENDENCIES
  kamal
  letter_opener
  propshaft
-  public_suffix (~> 6.0)
+  public_suffix (~> 7.0)
  puma (>= 5.0)
  rails (~> 8.1.1)
  rotp (~> 6.3)
  rqrcode (~> 3.1)
  rubocop-rails-omakase
  selenium-webdriver
-  sentry-rails (~> 5.18)
+  sentry-rails (~> 6.2)
-  sentry-ruby (~> 5.18)
+  sentry-ruby (~> 6.2)
  solid_cable
  solid_cache
  solid_queue (~> 1.2)
  sqlite3 (>= 2.1)
  stimulus-rails
  tailwindcss-rails
--- a/README.md
+++ b/README.md
@@ -1,32 +1,15 @@
 # Clinch
 > [!NOTE]
-> This software is experiemental. If you'd like to try it out, find bugs, security flaws and improvements, please do. 
+> This software is experimental. If you'd like to try it out, find bugs, security flaws and improvements, please do. 
 **A lightweight, self-hosted identity & SSO / IpD portal**
-Clinch gives you one place to manage users and lets any web app authenticate against it without maintaining its own user table. 
+Clinch gives you one place to manage users and lets any web app authenticate against it without managing its own users.
 I've completed all planned features:
 * Create Admin user on first login
 * TOTP ( QR Code ) 2FA, with backup codes ( encrypted at rest )
 * Passkey generation and login, with detection of Passkey during login
 * Forward Auth configured and working
 * OIDC provider with auto discovery, refresh tokens, and token revocation
 * Configurable token expiry per application (access, refresh, ID tokens)
 * Invite users by email, assign to groups
 * Self managed password reset by email
 * Use Groups to assign Applications ( Family group can access Kavita, Developers can access Gitea )
 * Configurable Group and User custom claims for OIDC token
 * Display all Applications available to the user on their Dashboard
 * Display all logged in sessions and OIDC logged in sessions
 What remains now is ensure test coverage, 
 ## Why Clinch?
-Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
+Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea, Grafana, Proxmox? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
 Clinch sits in a sweet spot between two excellent open-source identity solutions:
@@ -76,14 +59,17 @@ Clinch sits in a sweet spot between two excellent open-source identity solutions
 - **User statuses** - Active, disabled, or pending invitation
 ### Authentication Methods
 - **WebAuthn/Passkeys** - Modern passwordless authentication using FIDO2 standards
 - **Password authentication** - Secure bcrypt-based password storage
 - **Magic login links** - Passwordless login via email (15-minute expiry)
 - **TOTP 2FA** - Optional time-based one-time passwords with QR code setup
 - **Backup codes** - 10 single-use recovery codes per user
- **Configurable 2FA enforcement** - Admins can require TOTP for specific users/groups
+- **Configurable 2FA enforcement** - Admins can require TOTP for specific users
 ### SSO Protocols
 Apps that speak OIDC use the OIDC flow.
 Apps that only need "who is it?", or you want available from the internet behind authentication (MeTube, Jellyfin) use ForwardAuth.
 #### OpenID Connect (OIDC)
 Standard OAuth2/OIDC provider with endpoints:
 - `/.well-known/openid-configuration` - Discovery endpoint
@@ -94,18 +80,19 @@ Standard OAuth2/OIDC provider with endpoints:
 Features:
 - **Refresh tokens** - Long-lived tokens (30 days default) with automatic rotation and revocation
 - **Token family tracking** - Advanced security detects token replay attacks and revokes compromised token families
 - **Configurable token expiry** - Set access token (5min-24hr), refresh token (1-90 days), and ID token TTL per application
- **Token security** - BCrypt-hashed tokens, automatic cleanup of expired tokens
+- **Token security** - All tokens HMAC-SHA256 hashed (suitable for 256-bit random data), automatic cleanup of expired tokens
 - **Pairwise subject identifiers** - Each user gets a unique, stable `sub` claim per application for enhanced privacy
-Client apps (Audiobookshelf, Kavita, Grafana, etc.) redirect to Clinch for login and receive ID tokens, access tokens, and refresh tokens.
+Client apps (Audiobookshelf, Kavita, Proxmox, Grafana, etc.) redirect to Clinch for login and receive ID tokens, access tokens, and refresh tokens.
 #### Trusted-Header SSO (ForwardAuth)
 Works with reverse proxies (Caddy, Traefik, Nginx):
 1. Proxy sends every request to `/api/verify`
-2. **200 OK** → Proxy injects headers (`Remote-User`, `Remote-Groups`, `Remote-Email`) and forwards to app
+2. Response handling:
-3. **401/403** → Proxy redirects to Clinch login; after login, user returns to original URL
+   - **200 OK** → Proxy injects headers (`Remote-User`, `Remote-Groups`, `Remote-Email`) and forwards to app
-
+   - **Any other status** → Proxy returns that response directly to client (typically 302 redirect to login page)
 Apps that speak OIDC use the OIDC flow; apps that only need "who is it?" headers use ForwardAuth.
 **Note:** ForwardAuth requires applications to run on the same domain as Clinch (e.g., `app.yourdomain.com` with Clinch at `auth.yourdomain.com`) for secure session cookie sharing. Take a look at Authentik if you need multi domain support.
@@ -113,7 +100,6 @@ Apps that speak OIDC use the OIDC flow; apps that only need "who is it?" headers
 Send emails for:
 - Invitation links (one-time token, 7-day expiry)
 - Password reset links (one-time token, 1-hour expiry)
 - 2FA backup codes
 ### Session Management
 - **Device tracking** - See all active sessions with device names and IPs
@@ -121,10 +107,54 @@ Send emails for:
 - **Session revocation** - Users and admins can revoke individual sessions
 ### Access Control
- **Group-based allowlists** - Restrict applications to specific user groups
+
- **Per-application access** - Each app defines which groups can access it
+#### Group-Based Application Access
- **Automatic enforcement** - Access checks during OIDC authorization and ForwardAuth
+Clinch uses groups to control which users can access which applications:
- **Custom claims** - Add arbitrary claims to OIDC tokens via groups and users (perfect for app-specific roles)
+
 - **Create groups** - Organize users into logical groups (readers, editors, family, developers, etc.)
 - **Assign groups to applications** - Each app defines which groups are allowed to access it
  - Example: Kavita app allows the "readers" group → only users in the "readers" group can sign in
  - If no groups are assigned to an app → all active users can access it
 - **Automatic enforcement** - Access checks happen automatically:
  - During OIDC authorization flow (before consent)
  - During ForwardAuth verification (before proxying requests)
  - Users not in allowed groups receive a "You do not have permission" error
 #### Group Claims in Tokens
 - **OIDC tokens include group membership** - ID tokens contain a `groups` claim with all user's groups
 - **Custom claims** - Add arbitrary key-value pairs to tokens via groups and users
  - Group claims apply to all members (e.g., `{"role": "viewer"}`)
  - User claims override group claims for fine-grained control
  - Perfect for app-specific authorization (e.g., admin vs. read-only roles)
 #### Custom Claims Merging
 Custom claims from groups and users are merged into OIDC ID tokens with the following precedence:
 1. **Default OIDC claims** - Standard claims (`iss`, `sub`, `aud`, `exp`, `email`, etc.)
 2. **Standard Clinch claims** - `groups` array (list of user's group names)
 3. **Group custom claims** - Merged in order; later groups override earlier ones
 4. **User custom claims** - Override all group claims
 5. **Application-specific claims** - Highest priority; override all other claims
 **Example:**
 - Group "readers" has `{"role": "viewer", "max_items": 10}`
 - Group "premium" has `{"role": "subscriber", "max_items": 100}`
 - User (in both groups) has `{"max_items": 500}`
 - **Result:** `{"role": "subscriber", "max_items": 500}` (user overrides max_items, premium overrides role)
 #### Application-Specific Claims
 Configure different claims for different applications on a per-user basis:
 - **Per-app customization** - Each application can have unique claims for each user
 - **Highest precedence** - App-specific claims override group and user global claims
 - **Use case** - Different roles in different apps (e.g., admin in Kavita, user in Audiobookshelf)
 - **Admin UI** - Configure via Admin → Users → Edit User → App-Specific Claim Overrides
 **Example:**
 - User Alice, global claims: `{"theme": "dark"}`
 - Kavita app-specific: `{"kavita_groups": ["admin"]}`
 - Audiobookshelf app-specific: `{"abs_groups": ["user"]}`
 - **Result:** Kavita receives `{"theme": "dark", "kavita_groups": ["admin"]}`, Audiobookshelf receives `{"theme": "dark", "abs_groups": ["user"]}`
 ---
@@ -169,9 +199,9 @@ Send emails for:
 - Many-to-many with Groups (allowlist)
 **OIDC Tokens**
- Authorization codes (10-minute expiry, one-time use, PKCE support)
+- Authorization codes (opaque, HMAC-SHA256 hashed, 10-minute expiry, one-time use, PKCE support)
- Access tokens (opaque, BCrypt-hashed, configurable expiry 5min-24hr, revocable)
+- Access tokens (opaque, HMAC-SHA256 hashed, configurable expiry 5min-24hr, revocable)
- Refresh tokens (opaque, BCrypt-hashed, configurable expiry 1-90 days, single-use with rotation)
+- Refresh tokens (opaque, HMAC-SHA256 hashed, configurable expiry 1-90 days, single-use with rotation)
 - ID tokens (JWT, signed with RS256, configurable expiry 5min-24hr)
 ---
@@ -286,24 +316,180 @@ OIDC_PRIVATE_KEY=<contents-of-private-key.pem>
 ---
-## Roadmap
+## Rails Console
-### In Progress
+One advantage of being a Rails application is direct access to the Rails console for administrative tasks. This is particularly useful for debugging, emergency access, or bulk operations.
 - OIDC provider implementation
 - ForwardAuth endpoint
 - Admin UI for user/group/app management
 - First-run wizard
-### Planned Features
+### Starting the Console
 - **Audit logging** - Track all authentication events
 - **WebAuthn/Passkeys** - Hardware key support
-#### Maybe
+```bash
- **SAML support** - SAML 2.0 identity provider
+# Docker / Docker Compose
- **Policy engine** - Rule-based access control
+docker exec -it clinch bin/rails console
-  - Example: `IF user.email =~ "*@gmail.com" AND app.slug == "kavita" THEN DENY`
+# or
-  - Stored as JSON, evaluated after auth but before consent
+docker compose exec -it clinch bin/rails console
- **LDAP sync** - Import users from LDAP/Active Directory
+
 # Local development
 bin/rails console
 ```
 ### Finding Users
 ```ruby
 # Find by email
 user = User.find_by(email_address: 'alice@example.com')
 # Find by username
 user = User.find_by(username: 'alice')
 # List all users
 User.all.pluck(:id, :email_address, :status)
 # Find admins
 User.admins.pluck(:email_address)
 # Find users in a specific status
 User.active.count
 User.disabled.pluck(:email_address)
 User.pending_invitation.pluck(:email_address)
 ```
 ### Creating Users
 ```ruby
 # Create a regular user
 User.create!(
  email_address: 'newuser@example.com',
  password: 'secure-password-here',
  status: :active
 )
 # Create an admin user
 User.create!(
  email_address: 'admin@example.com',
  password: 'secure-password-here',
  status: :active,
  admin: true
 )
 ```
 ### Managing Passwords
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 user.password = 'new-secure-password'
 user.save!
 ```
 ### Two-Factor Authentication (TOTP)
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 # Check if TOTP is enabled
 user.totp_enabled?
 # Get current TOTP code (useful for testing/debugging)
 puts user.console_totp
 # Enable TOTP (generates secret and backup codes)
 backup_codes = user.enable_totp!
 puts backup_codes  # Display backup codes to give to user
 # Disable TOTP
 user.disable_totp!
 # Force user to set up TOTP on next login
 user.update!(totp_required: true)
 ```
 ### Managing User Status
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 # Disable a user (prevents login)
 user.disabled!
 # Re-enable a user
 user.active!
 # Check current status
 user.status  # => "active", "disabled", or "pending_invitation"
 # Grant admin privileges
 user.update!(admin: true)
 # Revoke admin privileges
 user.update!(admin: false)
 ```
 ### Managing Groups
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 # View user's groups
 user.groups.pluck(:name)
 # Add user to a group
 family = Group.find_by(name: 'family')
 user.groups << family
 # Remove user from a group
 user.groups.delete(family)
 # Create a new group
 Group.create!(name: 'developers', description: 'Development team')
 ```
 ### Managing Sessions
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 # View active sessions
 user.sessions.pluck(:id, :device_name, :client_ip, :created_at)
 # Revoke all sessions (force logout everywhere)
 user.sessions.destroy_all
 # Revoke a specific session
 user.sessions.find(123).destroy
 ```
 ### Managing Applications
 ```ruby
 # List all OIDC applications
 Application.oidc.pluck(:name, :client_id)
 # Find an application
 app = Application.find_by(slug: 'kavita')
 # Regenerate client secret
 new_secret = app.generate_new_client_secret!
 puts new_secret  # Display once - not stored in plain text
 # Check which users can access an app
 app.allowed_groups.flat_map(&:users).uniq.pluck(:email_address)
 # Revoke all tokens for an application
 app.oidc_access_tokens.destroy_all
 app.oidc_refresh_tokens.destroy_all
 ```
 ### Revoking OIDC Consents
 ```ruby
 user = User.find_by(email_address: 'alice@example.com')
 app = Application.find_by(slug: 'kavita')
 # Revoke consent for a specific app
 user.revoke_consent!(app)
 # Revoke all OIDC consents
 user.revoke_all_consents!
 ```
 ---
--- a/1
+++ b/1
@@ -1 +0,0 @@
 2025.02
--- a/app/controllers/active_sessions_controller.rb
+++ b/app/controllers/active_sessions_controller.rb
@@ -16,16 +16,82 @@ class ActiveSessionsController < ApplicationController
      return
    end
    # Send backchannel logout notification before revoking consent
    if application.supports_backchannel_logout?
      BackchannelLogoutJob.perform_later(
        user_id: @user.id,
        application_id: application.id,
        consent_sid: consent.sid
      )
      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
    end
    # Revoke all tokens for this user-application pair
    now = Time.current
    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
                                           .update_all(revoked_at: now)
    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
                                             .update_all(revoked_at: now)
    Rails.logger.info "ActiveSessionsController: Revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens for #{application.name}"
    # Revoke the consent
    consent.destroy
    redirect_to active_sessions_path, notice: "Successfully revoked access to #{application.name}."
  end
  def logout_from_app
    @user = Current.session.user
    application = Application.find(params[:application_id])
    # Check if user has consent for this application
    consent = @user.oidc_user_consents.find_by(application: application)
    unless consent
      redirect_to root_path, alert: "No active session found for this application."
      return
    end
    # Send backchannel logout notification
    if application.supports_backchannel_logout?
      BackchannelLogoutJob.perform_later(
        user_id: @user.id,
        application_id: application.id,
        consent_sid: consent.sid
      )
      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
    end
    # Revoke all tokens for this user-application pair
    now = Time.current
    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
                                           .update_all(revoked_at: now)
    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
                                             .update_all(revoked_at: now)
    Rails.logger.info "ActiveSessionsController: Logged out from #{application.name} - revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens"
    # Keep the consent intact - this is the key difference from revoke_consent
    redirect_to root_path, notice: "Successfully logged out of #{application.name}."
  end
  def revoke_all_consents
    @user = Current.session.user
-    count = @user.oidc_user_consents.count
+    consents = @user.oidc_user_consents.includes(:application)
    count = consents.count
    if count > 0
      # Send backchannel logout notifications before revoking consents
      consents.each do |consent|
        next unless consent.application.supports_backchannel_logout?
        BackchannelLogoutJob.perform_later(
          user_id: @user.id,
          application_id: consent.application.id,
          consent_sid: consent.sid
        )
      end
      Rails.logger.info "ActiveSessionsController: Enqueued #{count} backchannel logout notifications"
      @user.oidc_user_consents.destroy_all
      redirect_to active_sessions_path, notice: "Successfully revoked access to #{count} applications."
    else
--- a/app/controllers/admin/applications_controller.rb
+++ b/app/controllers/admin/applications_controller.rb
@@ -26,16 +26,17 @@ module Admin
          @application.allowed_groups = Group.where(id: group_ids)
        end
-        # Get the plain text client secret to show one time
+        # Get the plain text client secret to show one time (confidential clients only)
        client_secret = nil
-        if @application.oidc?
+        if @application.oidc? && @application.confidential_client?
          client_secret = @application.generate_new_client_secret!
        end
-        if @application.oidc? && client_secret
+        if @application.oidc?
          flash[:notice] = "Application created successfully."
          flash[:client_id] = @application.client_id
-          flash[:client_secret] = client_secret
+          flash[:client_secret] = client_secret if client_secret
          flash[:public_client] = true if @application.public_client?
        else
          flash[:notice] = "Application created successfully."
        end
@@ -74,15 +75,20 @@ module Admin
    def regenerate_credentials
      if @application.oidc?
-        # Generate new client ID and secret
+        # Generate new client ID (always)
        new_client_id = SecureRandom.urlsafe_base64(32)
        client_secret = @application.generate_new_client_secret!
        @application.update!(client_id: new_client_id)
        flash[:notice] = "Credentials regenerated successfully."
        flash[:client_id] = @application.client_id
        # Generate new client secret only for confidential clients
        if @application.confidential_client?
          client_secret = @application.generate_new_client_secret!
          flash[:client_secret] = client_secret
        else
          flash[:public_client] = true
        end
        redirect_to admin_application_path(@application)
      else
@@ -97,14 +103,24 @@ module Admin
    end
    def application_params
-      params.require(:application).permit(
+      permitted = params.require(:application).permit(
        :name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
        :domain_pattern, :landing_url, :access_token_ttl, :refresh_token_ttl, :id_token_ttl,
-        headers_config: {}
+        :icon, :backchannel_logout_uri, :is_public_client, :require_pkce
-      ).tap do |whitelisted|
+      )
      # Handle headers_config - it comes as a JSON string from the text area
      if params[:application][:headers_config].present?
        begin
          permitted[:headers_config] = JSON.parse(params[:application][:headers_config])
        rescue JSON::ParserError
          permitted[:headers_config] = {}
        end
      end
      # Remove client_secret from params if present (shouldn't be updated via form)
-        whitelisted.delete(:client_secret)
+      permitted.delete(:client_secret)
-      end
+      permitted
    end
  end
 end
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -18,7 +18,25 @@ module Admin
    end
    def create
-      @group = Group.new(group_params)
+      create_params = group_params
      # Parse custom_claims JSON if provided
      if create_params[:custom_claims].present?
        begin
          create_params[:custom_claims] = JSON.parse(create_params[:custom_claims])
        rescue JSON::ParserError
          @group = Group.new
          @group.errors.add(:custom_claims, "must be valid JSON")
          @available_users = User.order(:email_address)
          render :new, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        create_params[:custom_claims] = {}
      end
      @group = Group.new(create_params)
      if @group.save
        # Handle user assignments
@@ -39,7 +57,24 @@ module Admin
    end
    def update
-      if @group.update(group_params)
+      update_params = group_params
      # Parse custom_claims JSON if provided
      if update_params[:custom_claims].present?
        begin
          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
        rescue JSON::ParserError
          @group.errors.add(:custom_claims, "must be valid JSON")
          @available_users = User.order(:email_address)
          render :edit, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        update_params[:custom_claims] = {}
      end
      if @group.update(update_params)
        # Handle user assignments
        if params[:group][:user_ids].present?
          user_ids = params[:group][:user_ids].reject(&:blank?)
@@ -67,7 +102,7 @@ module Admin
    end
    def group_params
-      params.require(:group).permit(:name, :description, custom_claims: {})
+      params.require(:group).permit(:name, :description, :custom_claims)
    end
  end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,6 +1,6 @@
 module Admin
  class UsersController < BaseController
-    before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation]
+    before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation, :update_application_claims, :delete_application_claims]
    def index
      @users = User.order(created_at: :desc)
@@ -27,23 +27,34 @@ module Admin
    end
    def edit
      @applications = Application.active.order(:name)
    end
    def update
-      # Prevent changing params for the current user's email and admin status
+      update_params = user_params
      # to avoid locking themselves out
      update_params = user_params.dup
      if @user == Current.session.user
        update_params.delete(:admin)
      end
      # Only update password if provided
      update_params.delete(:password) if update_params[:password].blank?
      # Parse custom_claims JSON if provided
      if update_params[:custom_claims].present?
        begin
          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
        rescue JSON::ParserError
          @user.errors.add(:custom_claims, "must be valid JSON")
          @applications = Application.active.order(:name)
          render :edit, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        update_params[:custom_claims] = {}
      end
      if @user.update(update_params)
        redirect_to admin_users_path, notice: "User updated successfully."
      else
        @applications = Application.active.order(:name)
        render :edit, status: :unprocessable_entity
      end
    end
@@ -69,6 +80,41 @@ module Admin
      redirect_to admin_users_path, notice: "User deleted successfully."
    end
    # POST /admin/users/:id/update_application_claims
    def update_application_claims
      application = Application.find(params[:application_id])
      claims_json = params[:custom_claims].presence || "{}"
      begin
        claims = JSON.parse(claims_json)
      rescue JSON::ParserError
        redirect_to edit_admin_user_path(@user), alert: "Invalid JSON format for claims."
        return
      end
      app_claim = @user.application_user_claims.find_or_initialize_by(application: application)
      app_claim.custom_claims = claims
      if app_claim.save
        redirect_to edit_admin_user_path(@user), notice: "App-specific claims updated for #{application.name}."
      else
        error_message = app_claim.errors.full_messages.join(", ")
        redirect_to edit_admin_user_path(@user), alert: "Failed to update claims: #{error_message}"
      end
    end
    # DELETE /admin/users/:id/delete_application_claims
    def delete_application_claims
      application = Application.find(params[:application_id])
      app_claim = @user.application_user_claims.find_by(application: application)
      if app_claim&.destroy
        redirect_to edit_admin_user_path(@user), notice: "App-specific claims removed for #{application.name}."
      else
        redirect_to edit_admin_user_path(@user), alert: "No claims found to remove."
      end
    end
    private
    def set_user
@@ -76,7 +122,15 @@ module Admin
    end
    def user_params
-      params.require(:user).permit(:email_address, :name, :password, :admin, :status, custom_claims: {})
+      # Base attributes that all admins can modify
      base_params = params.require(:user).permit(:email_address, :username, :name, :password, :status, :totp_required, :custom_claims)
      # Only allow modifying admin status when editing other users (prevent self-demotion)
      if params[:id] != Current.session.user.id.to_s
        base_params[:admin] = params[:user][:admin] if params[:user][:admin].present?
      end
      base_params
    end
  end
 end
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -3,7 +3,7 @@ module Api
    # ForwardAuth endpoints need session storage for return URL
    allow_unauthenticated_access
    skip_before_action :verify_authenticity_token
-    rate_limit to: 100, within: 1.minute, only: :verify, with: -> { head :too_many_requests }
+    # No rate limiting on forward_auth endpoint - proxy middleware hits this frequently
    # GET /api/verify
    # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)
@@ -49,14 +49,20 @@ module Api
      forwarded_host = request.headers["X-Forwarded-Host"] || request.headers["Host"]
      if forwarded_host.present?
-        # Load active forward auth applications with their associations for better performance
+        # Load all forward auth applications (including inactive ones) for security checks
        # Preload groups to avoid N+1 queries in user_allowed? checks
-        apps = Application.forward_auth.includes(:allowed_groups).active
+        apps = Application.forward_auth.includes(:allowed_groups)
        # Find matching forward auth application for this domain
        app = apps.find { |a| a.matches_domain?(forwarded_host) }
        if app
          # Check if application is active
          unless app.active?
            Rails.logger.info "ForwardAuth: Access denied to #{forwarded_host} - application is inactive"
            return render_forbidden("No authentication rule configured for this domain")
          end
          # Check if user is allowed by this application
          unless app.user_allowed?(user)
            Rails.logger.info "ForwardAuth: User #{user.email_address} denied access to #{forwarded_host} by app #{app.domain_pattern}"
@@ -65,8 +71,9 @@ module Api
          Rails.logger.info "ForwardAuth: User #{user.email_address} granted access to #{forwarded_host} by app #{app.domain_pattern} (policy: #{app.policy_for_user(user)})"
        else
-          # No application found - allow access with default headers (original behavior)
+          # No application found - DENY by default (fail-closed security)
-          Rails.logger.info "ForwardAuth: No application found for domain: #{forwarded_host}, allowing with default headers"
+          Rails.logger.info "ForwardAuth: Access denied to #{forwarded_host} - no authentication rule configured"
          return render_forbidden("No authentication rule configured for this domain")
        end
      else
        Rails.logger.info "ForwardAuth: User #{user.email_address} authenticated (no domain specified)"
@@ -135,6 +142,9 @@ module Api
    def render_unauthorized(reason = nil)
      Rails.logger.info "ForwardAuth: Unauthorized - #{reason}"
      # Set auth reason header for debugging (like Authelia)
      response.headers["X-Auth-Reason"] = reason if reason.present?
      # Get the redirect URL from query params or construct default
      redirect_url = validate_redirect_url(params[:rd])
      base_url = determine_base_url(redirect_url)
@@ -176,6 +186,9 @@ module Api
    def render_forbidden(reason = nil)
      Rails.logger.info "ForwardAuth: Forbidden - #{reason}"
      # Set auth reason header for debugging (like Authelia)
      response.headers["X-Auth-Reason"] = reason if reason.present?
      # Return 403 Forbidden
      head :forbidden
    end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -3,6 +3,14 @@ class OidcController < ApplicationController
  allow_unauthenticated_access only: [:discovery, :jwks, :token, :revoke, :userinfo, :logout]
  skip_before_action :verify_authenticity_token, only: [:token, :revoke, :logout]
  # Rate limiting to prevent brute force and abuse
  rate_limit to: 60, within: 1.minute, only: [:token, :revoke], with: -> {
    render json: { error: "too_many_requests", error_description: "Rate limit exceeded. Try again later." }, status: :too_many_requests
  }
  rate_limit to: 30, within: 1.minute, only: [:authorize, :consent], with: -> {
    render plain: "Too many authorization attempts. Try again later.", status: :too_many_requests
  }
  # GET /.well-known/openid-configuration
  def discovery
    base_url = OidcJwtService.issuer_url
@@ -18,12 +26,14 @@ class OidcController < ApplicationController
      response_types_supported: ["code"],
      response_modes_supported: ["query"],
      grant_types_supported: ["authorization_code", "refresh_token"],
-      subject_types_supported: ["public"],
+      subject_types_supported: ["pairwise"],
      id_token_signing_alg_values_supported: ["RS256"],
-      scopes_supported: ["openid", "profile", "email", "groups"],
+      scopes_supported: ["openid", "profile", "email", "groups", "offline_access"],
      token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
      claims_supported: ["sub", "email", "email_verified", "name", "preferred_username", "groups", "admin"],
-      code_challenge_methods_supported: ["plain", "S256"]
+      code_challenge_methods_supported: ["plain", "S256"],
      backchannel_logout_supported: true,
      backchannel_logout_session_supported: true
    }
    render json: config
@@ -89,7 +99,7 @@ class OidcController < ApplicationController
      return
    end
-    # Validate redirect URI
+    # Validate redirect URI first (required before we can safely redirect with errors)
    unless @application.parsed_redirect_uris.include?(redirect_uri)
      Rails.logger.error "OAuth: Invalid request - redirect URI mismatch. Expected: #{@application.parsed_redirect_uris}, Got: #{redirect_uri}"
@@ -104,6 +114,15 @@ class OidcController < ApplicationController
      return
    end
    # Check if application is active (now we can safely redirect with error)
    unless @application.active?
      Rails.logger.error "OAuth: Application is not active: #{@application.name}"
      error_uri = "#{redirect_uri}?error=unauthorized_client&error_description=Application+is+not+active"
      error_uri += "&state=#{CGI.escape(state)}" if state.present?
      redirect_to error_uri, allow_other_host: true
      return
    end
    # Check if user is authenticated
    unless authenticated?
      # Store OAuth parameters in session and redirect to sign in
@@ -135,11 +154,9 @@ class OidcController < ApplicationController
    existing_consent = user.has_oidc_consent?(@application, requested_scopes)
    if existing_consent
      # User has already consented, generate authorization code directly
      code = SecureRandom.urlsafe_base64(32)
      auth_code = OidcAuthorizationCode.create!(
        application: @application,
        user: user,
        code: code,
        redirect_uri: redirect_uri,
        scope: scope,
        nonce: nonce,
@@ -148,9 +165,9 @@ class OidcController < ApplicationController
        expires_at: 10.minutes.from_now
      )
-      # Redirect back to client with authorization code
+      # Redirect back to client with authorization code (plaintext)
-      redirect_uri = "#{redirect_uri}?code=#{code}"
+      redirect_uri = "#{redirect_uri}?code=#{auth_code.plaintext_code}"
-      redirect_uri += "&state=#{state}" if state.present?
+      redirect_uri += "&state=#{CGI.escape(state)}" if state.present?
      redirect_to redirect_uri, allow_other_host: true
      return
    end
@@ -205,7 +222,7 @@ class OidcController < ApplicationController
    if params[:deny].present?
      session.delete(:oauth_params)
      error_uri = "#{oauth_params['redirect_uri']}?error=access_denied"
-      error_uri += "&state=#{oauth_params['state']}" if oauth_params['state']
+      error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
      redirect_to error_uri, allow_other_host: true
      return
    end
@@ -213,6 +230,17 @@ class OidcController < ApplicationController
    # Find the application
    client_id = oauth_params['client_id']
    application = Application.find_by(client_id: client_id, app_type: "oidc")
    # Check if application is active (redirect with OAuth error)
    unless application&.active?
      Rails.logger.error "OAuth: Application is not active: #{application&.name || client_id}"
      session.delete(:oauth_params)
      error_uri = "#{oauth_params['redirect_uri']}?error=unauthorized_client&error_description=Application+is+not+active"
      error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state'].present?
      redirect_to error_uri, allow_other_host: true
      return
    end
    user = Current.session.user
    # Record user consent
@@ -228,11 +256,9 @@ class OidcController < ApplicationController
    )
    # Generate authorization code
    code = SecureRandom.urlsafe_base64(32)
    auth_code = OidcAuthorizationCode.create!(
      application: application,
      user: user,
      code: code,
      redirect_uri: oauth_params['redirect_uri'],
      scope: oauth_params['scope'],
      nonce: oauth_params['nonce'],
@@ -244,9 +270,9 @@ class OidcController < ApplicationController
    # Clear OAuth params from session
    session.delete(:oauth_params)
-    # Redirect back to client with authorization code
+    # Redirect back to client with authorization code (plaintext)
-    redirect_uri = "#{oauth_params['redirect_uri']}?code=#{code}"
+    redirect_uri = "#{oauth_params['redirect_uri']}?code=#{auth_code.plaintext_code}"
-    redirect_uri += "&state=#{oauth_params['state']}" if oauth_params['state']
+    redirect_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
    redirect_to redirect_uri, allow_other_host: true
  end
@@ -266,19 +292,37 @@ class OidcController < ApplicationController
  end
  def handle_authorization_code_grant
    # Get client credentials from Authorization header or params
    client_id, client_secret = extract_client_credentials
-    unless client_id && client_secret
+    unless client_id
-      render json: { error: "invalid_client" }, status: :unauthorized
+      render json: { error: "invalid_client", error_description: "client_id is required" }, status: :unauthorized
      return
    end
-    # Find and validate the application
+    # Find the application
    application = Application.find_by(client_id: client_id)
-    unless application && application.authenticate_client_secret(client_secret)
+    unless application
-      render json: { error: "invalid_client" }, status: :unauthorized
+      render json: { error: "invalid_client", error_description: "Unknown client" }, status: :unauthorized
      return
    end
    # Validate client credentials based on client type
    if application.public_client?
      # Public clients don't have a secret - they MUST use PKCE (checked later)
      Rails.logger.info "OAuth: Public client authentication for #{application.name}"
    else
      # Confidential clients MUST provide valid client_secret
      unless client_secret.present? && application.authenticate_client_secret(client_secret)
        render json: { error: "invalid_client", error_description: "Invalid client credentials" }, status: :unauthorized
        return
      end
    end
    # Check if application is active
    unless application.active?
      Rails.logger.error "OAuth: Token request for inactive application: #{application.name}"
      render json: { error: "invalid_client", error_description: "Application is not active" }, status: :forbidden
      return
    end
@@ -287,12 +331,10 @@ class OidcController < ApplicationController
    redirect_uri = params[:redirect_uri]
    code_verifier = params[:code_verifier]
-    auth_code = OidcAuthorizationCode.find_by(
+    # Find authorization code using HMAC verification
-      application: application,
+    auth_code = OidcAuthorizationCode.find_by_plaintext(code)
      code: code
    )
-    unless auth_code
+    unless auth_code && auth_code.application == application
      render json: { error: "invalid_grant" }, status: :bad_request
      return
    end
@@ -334,8 +376,8 @@ class OidcController < ApplicationController
          return
        end
-        # Validate PKCE if code challenge is present
+        # Validate PKCE - required for public clients and optionally for confidential clients
-        pkce_result = validate_pkce(auth_code, code_verifier)
+        pkce_result = validate_pkce(application, auth_code, code_verifier)
        unless pkce_result[:valid]
          render json: {
            error: pkce_result[:error],
@@ -365,8 +407,23 @@ class OidcController < ApplicationController
          scope: auth_code.scope
        )
-        # Generate ID token (JWT)
+        # Find user consent for this application
-        id_token = OidcJwtService.generate_id_token(user, application, nonce: auth_code.nonce)
+        consent = OidcUserConsent.find_by(user: user, application: application)
        unless consent
          Rails.logger.error "OIDC Security: Token requested without consent record (user: #{user.id}, app: #{application.id})"
          render json: { error: "invalid_grant", error_description: "Authorization consent not found" }, status: :bad_request
          return
        end
        # Generate ID token (JWT) with pairwise SID and at_hash
        id_token = OidcJwtService.generate_id_token(
          user,
          application,
          consent: consent,
          nonce: auth_code.nonce,
          access_token: access_token_record.plaintext_token
        )
        # Return tokens
        render json: {
@@ -387,15 +444,34 @@ class OidcController < ApplicationController
    # Get client credentials from Authorization header or params
    client_id, client_secret = extract_client_credentials
-    unless client_id && client_secret
+    unless client_id
-      render json: { error: "invalid_client" }, status: :unauthorized
+      render json: { error: "invalid_client", error_description: "client_id is required" }, status: :unauthorized
      return
    end
-    # Find and validate the application
+    # Find the application
    application = Application.find_by(client_id: client_id)
-    unless application && application.authenticate_client_secret(client_secret)
+    unless application
-      render json: { error: "invalid_client" }, status: :unauthorized
+      render json: { error: "invalid_client", error_description: "Unknown client" }, status: :unauthorized
      return
    end
    # Validate client credentials based on client type
    if application.public_client?
      # Public clients don't have a secret
      Rails.logger.info "OAuth: Public client refresh token request for #{application.name}"
    else
      # Confidential clients MUST provide valid client_secret
      unless client_secret.present? && application.authenticate_client_secret(client_secret)
        render json: { error: "invalid_client", error_description: "Invalid client credentials" }, status: :unauthorized
        return
      end
    end
    # Check if application is active
    unless application.active?
      Rails.logger.error "OAuth: Refresh token request for inactive application: #{application.name}"
      render json: { error: "invalid_client", error_description: "Application is not active" }, status: :forbidden
      return
    end
@@ -406,14 +482,11 @@ class OidcController < ApplicationController
      return
    end
-    # Find the refresh token record
+    # Find the refresh token record using indexed token prefix lookup
-    # Note: This is inefficient with BCrypt hashing, but necessary for security
+    refresh_token_record = OidcRefreshToken.find_by_token(refresh_token)
    # In production, consider adding a token prefix for faster lookup
    refresh_token_record = OidcRefreshToken.where(application: application).find do |rt|
      rt.token_matches?(refresh_token)
    end
-    unless refresh_token_record
+    # Verify the token belongs to the correct application
    unless refresh_token_record && refresh_token_record.application == application
      render json: { error: "invalid_grant", error_description: "Invalid refresh token" }, status: :bad_request
      return
    end
@@ -457,8 +530,22 @@ class OidcController < ApplicationController
      token_family_id: refresh_token_record.token_family_id  # Keep same family for rotation tracking
    )
-    # Generate new ID token (JWT, no nonce for refresh grants)
+    # Find user consent for this application
-    id_token = OidcJwtService.generate_id_token(user, application)
+    consent = OidcUserConsent.find_by(user: user, application: application)
    unless consent
      Rails.logger.error "OIDC Security: Refresh token used without consent record (user: #{user.id}, app: #{application.id})"
      render json: { error: "invalid_grant", error_description: "Authorization consent not found" }, status: :bad_request
      return
    end
    # Generate new ID token (JWT with pairwise SID and at_hash, no nonce for refresh grants)
    id_token = OidcJwtService.generate_id_token(
      user,
      application,
      consent: consent,
      access_token: new_access_token.plaintext_token
    )
    # Return new tokens
    render json: {
@@ -491,6 +578,13 @@ class OidcController < ApplicationController
      return
    end
    # Check if application is active (immediate cutoff when app is disabled)
    unless access_token.application&.active?
      Rails.logger.warn "OAuth: Userinfo request for inactive application: #{access_token.application&.name}"
      head :forbidden
      return
    end
    # Get the user (with fresh data from database)
    user = access_token.user
    unless user
@@ -498,9 +592,13 @@ class OidcController < ApplicationController
      return
    end
    # Find user consent for this application to get pairwise SID
    consent = OidcUserConsent.find_by(user: user, application: access_token.application)
    subject = consent&.sid || user.id.to_s
    # Return user claims
    claims = {
-      sub: user.id.to_s,
+      sub: subject,
      email: user.email_address,
      email_verified: true,
      preferred_username: user.email_address,
@@ -512,9 +610,6 @@ class OidcController < ApplicationController
      claims[:groups] = user.groups.pluck(:name)
    end
    # Add admin claim if user is admin
    claims[:admin] = true if user.admin?
    # Merge custom claims from groups
    user.groups.each do |group|
      claims.merge!(group.parsed_custom_claims)
@@ -523,6 +618,10 @@ class OidcController < ApplicationController
    # Merge custom claims from user (overrides group claims)
    claims.merge!(user.parsed_custom_claims)
    # Merge app-specific custom claims (highest priority)
    application = access_token.application
    claims.merge!(application.custom_claims_for_user(user))
    render json: claims
  end
@@ -548,6 +647,13 @@ class OidcController < ApplicationController
      return
    end
    # Check if application is active (RFC 7009: still return 200 OK for privacy)
    unless application.active?
      Rails.logger.warn "OAuth: Token revocation attempted for inactive application: #{application.name}"
      head :ok
      return
    end
    # Get the token to revoke
    token = params[:token]
    token_type_hint = params[:token_type_hint]  # Optional hint: "access_token" or "refresh_token"
@@ -564,9 +670,7 @@ class OidcController < ApplicationController
    if token_type_hint == "refresh_token" || token_type_hint.nil?
      # Try to find as refresh token
-      refresh_token_record = OidcRefreshToken.where(application: application).find do |rt|
+      refresh_token_record = OidcRefreshToken.find_by_token(token)
        rt.token_matches?(token)
      end
      if refresh_token_record
        refresh_token_record.revoke!
@@ -577,9 +681,7 @@ class OidcController < ApplicationController
    if !revoked && (token_type_hint == "access_token" || token_type_hint.nil?)
      # Try to find as access token
-      access_token_record = OidcAccessToken.where(application: application).find do |at|
+      access_token_record = OidcAccessToken.find_by_token(token)
        at.token_matches?(token)
      end
      if access_token_record
        access_token_record.revoke!
@@ -604,16 +706,29 @@ class OidcController < ApplicationController
    # If user is authenticated, log them out
    if authenticated?
      user = Current.session.user
      # Send backchannel logout notifications to all connected applications
      send_backchannel_logout_notifications(user)
      # Invalidate the current session
      Current.session&.destroy
      reset_session
    end
-    # If post_logout_redirect_uri is provided, redirect there
+    # If post_logout_redirect_uri is provided, validate and redirect
    if post_logout_redirect_uri.present?
-      redirect_uri = post_logout_redirect_uri
+      validated_uri = validate_logout_redirect_uri(post_logout_redirect_uri)
-      redirect_uri += "?state=#{state}" if state.present?
+
      if validated_uri
        redirect_uri = validated_uri
        redirect_uri += "?state=#{CGI.escape(state)}" if state.present?
        redirect_to redirect_uri, allow_other_host: true
      else
        # Invalid redirect URI - log warning and go to default
        Rails.logger.warn "OIDC Logout: Invalid post_logout_redirect_uri attempted: #{post_logout_redirect_uri}"
        redirect_to root_path
      end
    else
      # Default redirect to home page
      redirect_to root_path
@@ -622,11 +737,26 @@ class OidcController < ApplicationController
  private
-  def validate_pkce(auth_code, code_verifier)
+  def validate_pkce(application, auth_code, code_verifier)
-    # Skip PKCE validation if no code challenge was stored (legacy clients)
+    # Check if PKCE is required for this application
-    return { valid: true } unless auth_code.code_challenge.present?
+    pkce_required = application.requires_pkce?
    pkce_provided = auth_code.code_challenge.present?
-    # PKCE is required but no verifier provided
+    # If PKCE is required but wasn't provided during authorization
    if pkce_required && !pkce_provided
      client_type = application.public_client? ? "public clients" : "this application"
      return {
        valid: false,
        error: "invalid_request",
        error_description: "PKCE is required for #{client_type}. code_challenge must be provided during authorization.",
        status: :bad_request
      }
    end
    # Skip validation if no code challenge was stored (legacy clients without PKCE requirement)
    return { valid: true } unless pkce_provided
    # PKCE was provided during authorization but no verifier sent with token request
    unless code_verifier.present?
      return {
        valid: false,
@@ -685,4 +815,76 @@ class OidcController < ApplicationController
      [params[:client_id], params[:client_secret]]
    end
  end
  def validate_logout_redirect_uri(uri)
    return nil unless uri.present?
    begin
      parsed_uri = URI.parse(uri)
      # Only allow HTTP/HTTPS schemes (prevent javascript:, data:, etc.)
      return nil unless parsed_uri.is_a?(URI::HTTP) || parsed_uri.is_a?(URI::HTTPS)
      # Only allow HTTPS in production
      return nil if Rails.env.production? && parsed_uri.scheme != 'https'
      # Check if URI matches any registered OIDC application's redirect URIs
      # According to OIDC spec, post_logout_redirect_uri should be pre-registered
      Application.oidc.active.find_each do |app|
        # Check if this URI matches any of the app's registered redirect URIs
        if app.parsed_redirect_uris.any? { |registered_uri| logout_uri_matches?(uri, registered_uri) }
          return uri
        end
      end
      # No matching application found
      nil
    rescue URI::InvalidURIError
      nil
    end
  end
  # Check if logout URI matches a registered redirect URI
  # More lenient than exact match - allows same host/path with different query params
  def logout_uri_matches?(provided, registered)
    # Exact match is always valid
    return true if provided == registered
    # Parse both URIs to compare components
    begin
      provided_parsed = URI.parse(provided)
      registered_parsed = URI.parse(registered)
      # Match if scheme, host, port, and path are the same
      # (allows different query params which is common for logout redirects)
      provided_parsed.scheme == registered_parsed.scheme &&
        provided_parsed.host == registered_parsed.host &&
        provided_parsed.port == registered_parsed.port &&
        provided_parsed.path == registered_parsed.path
    rescue URI::InvalidURIError
      false
    end
  end
  def send_backchannel_logout_notifications(user)
    # Find all active OIDC consents for this user
    consents = OidcUserConsent.where(user: user).includes(:application)
    consents.each do |consent|
      # Skip if application doesn't support backchannel logout
      next unless consent.application.supports_backchannel_logout?
      # Enqueue background job to send logout notification
      BackchannelLogoutJob.perform_later(
        user_id: user.id,
        application_id: consent.application.id,
        consent_sid: consent.sid
      )
    end
    Rails.logger.info "OidcController: Enqueued #{consents.count} backchannel logout notifications for user #{user.id}"
  rescue => e
    # Log error but don't block logout
    Rails.logger.error "OidcController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
  end
 end
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -11,7 +11,7 @@ class PasswordsController < ApplicationController
      PasswordsMailer.reset(user).deliver_later
    end
-    redirect_to new_session_path, notice: "Password reset instructions sent (if user with that email address exists)."
+    redirect_to signin_path, notice: "Password reset instructions sent (if user with that email address exists)."
  end
  def edit
@@ -20,7 +20,7 @@ class PasswordsController < ApplicationController
  def update
    if @user.update(params.permit(:password, :password_confirmation))
      @user.sessions.destroy_all
-      redirect_to new_session_path, notice: "Password has been reset."
+      redirect_to signin_path, notice: "Password has been reset."
    else
      redirect_to edit_password_path(params[:token]), alert: "Passwords did not match."
    end
@@ -29,6 +29,7 @@ class PasswordsController < ApplicationController
  private
    def set_user_by_token
      @user = User.find_by_token_for(:password_reset, params[:token])
      redirect_to new_password_path, alert: "Password reset link is invalid or has expired." if @user.nil?
    rescue ActiveSupport::MessageVerifier::InvalidSignature
      redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
    end
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -19,13 +19,21 @@ class ProfilesController < ApplicationController
      else
        render :show, status: :unprocessable_entity
      end
-    else
+    elsif params[:user][:email_address].present?
-      # Updating email
+      # Updating email - requires current password (security: prevents account takeover)
      unless @user.authenticate(params[:user][:current_password])
        @user.errors.add(:current_password, "is required to change email")
        render :show, status: :unprocessable_entity
        return
      end
      if @user.update(email_params)
        redirect_to profile_path, notice: "Email updated successfully."
      else
        render :show, status: :unprocessable_entity
      end
    else
      render :show, status: :unprocessable_entity
    end
  end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -6,7 +6,18 @@ class SessionsController < ApplicationController
  def new
    # Redirect to signup if this is first run
-    redirect_to signup_path if User.count.zero?
+    if User.count.zero?
      respond_to do |format|
        format.html { redirect_to signup_path }
        format.json { render json: { error: "No users exist. Please complete initial setup." }, status: :service_unavailable }
      end
      return
    end
    respond_to do |format|
      format.html # render HTML login page
      format.json { render json: { error: "Authentication required" }, status: :unauthorized }
    end
  end
  def create
@@ -33,8 +44,22 @@ class SessionsController < ApplicationController
      return
    end
-    # Check if TOTP is required
+    # Check if TOTP is required or enabled
-    if user.totp_enabled?
+    if user.totp_required? || user.totp_enabled?
      # If TOTP is required but not yet set up, redirect to setup
      if user.totp_required? && !user.totp_enabled?
        # Store user ID in session for TOTP setup
        session[:pending_totp_setup_user_id] = user.id
        # Preserve the redirect URL through TOTP setup
        if params[:rd].present?
          validated_url = validate_redirect_url(params[:rd])
          session[:totp_redirect_url] = validated_url if validated_url
        end
        redirect_to new_totp_path, alert: "Your administrator requires two-factor authentication. Please set it up now to continue."
        return
      end
      # TOTP is enabled, proceed to verification
      # Store user ID in session temporarily for TOTP verification
      session[:pending_totp_user_id] = user.id
      # Preserve the redirect URL through TOTP verification (after validation)
@@ -109,6 +134,12 @@ class SessionsController < ApplicationController
  end
  def destroy
    # Send backchannel logout notifications before terminating session
    if authenticated?
      user = Current.session.user
      send_backchannel_logout_notifications(user)
    end
    terminate_session
    redirect_to signin_path, status: :see_other, notice: "Signed out successfully."
  end
@@ -275,15 +306,37 @@ class SessionsController < ApplicationController
      redirect_domain = uri.host.downcase
      return nil unless redirect_domain.present?
-      # Check against our ForwardAuthRules
+      # Check against our forward auth applications
-      matching_rule = ForwardAuthRule.active.find do |rule|
+      matching_app = Application.forward_auth.active.find do |app|
-        rule.matches_domain?(redirect_domain)
+        app.matches_domain?(redirect_domain)
      end
-      matching_rule ? url : nil
+      matching_app ? url : nil
    rescue URI::InvalidURIError
      nil
    end
  end
  def send_backchannel_logout_notifications(user)
    # Find all active OIDC consents for this user
    consents = OidcUserConsent.where(user: user).includes(:application)
    consents.each do |consent|
      # Skip if application doesn't support backchannel logout
      next unless consent.application.supports_backchannel_logout?
      # Enqueue background job to send logout notification
      BackchannelLogoutJob.perform_later(
        user_id: user.id,
        application_id: consent.application.id,
        consent_sid: consent.sid
      )
    end
    Rails.logger.info "SessionsController: Enqueued #{consents.count} backchannel logout notifications for user #{user.id}"
  rescue => e
    # Log error but don't block logout
    Rails.logger.error "SessionsController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
  end
 end
--- a/app/controllers/totp_controller.rb
+++ b/app/controllers/totp_controller.rb
@@ -5,6 +5,9 @@ class TotpController < ApplicationController
  # GET /totp/new - Show QR code to set up TOTP
  def new
    # Check if user is being forced to set up TOTP by admin
    @totp_setup_required = session[:pending_totp_setup_user_id].present?
    # Generate TOTP secret but don't save yet
    @totp_secret = ROTP::Base32.random
    @provisioning_uri = ROTP::TOTP.new(@totp_secret, issuer: "Clinch").provisioning_uri(@user.email_address)
@@ -30,8 +33,16 @@ class TotpController < ApplicationController
      # Store plain codes temporarily in session for display after redirect
      session[:temp_backup_codes] = plain_codes
-      # Redirect to backup codes page with success message
+      # Check if this was a required setup from login
      if session[:pending_totp_setup_user_id].present?
        session.delete(:pending_totp_setup_user_id)
        # Mark that user should be auto-signed in after viewing backup codes
        session[:auto_signin_after_forced_totp] = true
        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes, then you'll be signed in."
      else
        # Regular setup from profile
        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes now."
      end
    else
      redirect_to new_totp_path, alert: "Invalid verification code. Please try again."
    end
@@ -43,6 +54,12 @@ class TotpController < ApplicationController
    if session[:temp_backup_codes].present?
      @backup_codes = session[:temp_backup_codes]
      session.delete(:temp_backup_codes) # Clear after use
      # Check if this was a forced TOTP setup during login
      @auto_signin_pending = session[:auto_signin_after_forced_totp].present?
      if @auto_signin_pending
        session.delete(:auto_signin_after_forced_totp)
      end
    else
      # This will be shown after password verification for existing users
      # Since we can't display BCrypt hashes, redirect to regenerate
@@ -81,6 +98,18 @@ class TotpController < ApplicationController
    redirect_to backup_codes_totp_path, notice: "New backup codes have been generated. Save them now!"
  end
  # POST /totp/complete_setup - Complete forced TOTP setup and sign in
  def complete_setup
    # Sign in the user after they've saved their backup codes
    # This is only used when admin requires TOTP and user just set it up during login
    if session[:totp_redirect_url].present?
      session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
    end
    start_new_session_for @user
    redirect_to after_authentication_url, notice: "Two-factor authentication enabled. Signed in successfully.", allow_other_host: true
  end
  # DELETE /totp - Disable TOTP (requires password)
  def destroy
    unless @user.authenticate(params[:password])
@@ -88,6 +117,12 @@ class TotpController < ApplicationController
      return
    end
    # Prevent disabling if admin requires TOTP
    if @user.totp_required?
      redirect_to profile_path, alert: "Two-factor authentication is required by your administrator and cannot be disabled."
      return
    end
    @user.disable_totp!
    redirect_to profile_path, notice: "Two-factor authentication has been disabled."
  end
@@ -99,7 +134,8 @@ class TotpController < ApplicationController
  end
  def redirect_if_totp_enabled
-    if @user.totp_enabled?
+    # Allow setup if admin requires it, even if already enabled (for regeneration)
    if @user.totp_enabled? && !session[:pending_totp_setup_user_id].present?
      redirect_to profile_path, alert: "Two-factor authentication is already enabled."
    end
  end
--- a/app/controllers/webauthn_controller.rb
+++ b/app/controllers/webauthn_controller.rb
@@ -2,6 +2,11 @@ class WebauthnController < ApplicationController
  before_action :set_webauthn_credential, only: [:destroy]
  skip_before_action :require_authentication, only: [:check]
  # Rate limit check endpoint to prevent enumeration attacks
  rate_limit to: 10, within: 1.minute, only: [:check], with: -> {
    render json: { error: "Too many requests. Try again later." }, status: :too_many_requests
  }
  # GET /webauthn/new
  def new
    @webauthn_credential = WebauthnCredential.new
@@ -104,14 +109,6 @@ class WebauthnController < ApplicationController
  # DELETE /webauthn/:id
  # Remove a passkey
  def destroy
    user = Current.session&.user
    return render json: { error: "Not authenticated" }, status: :unauthorized unless user
    if @webauthn_credential.user != user
      render json: { error: "Unauthorized" }, status: :forbidden
      return
    end
    nickname = @webauthn_credential.nickname
    @webauthn_credential.destroy
@@ -131,25 +128,27 @@ class WebauthnController < ApplicationController
  # GET /webauthn/check
  # Check if user has WebAuthn credentials (for login page detection)
  # Security: Returns identical responses for non-existent users to prevent enumeration
  def check
    email = params[:email]&.strip&.downcase
    if email.blank?
-      render json: { has_webauthn: false, error: "Email is required" }
+      render json: { has_webauthn: false, requires_webauthn: false }
      return
    end
    user = User.find_by(email_address: email)
    # Security: Return identical response for non-existent users
    # Combined with rate limiting (10/min), this prevents account enumeration
    if user.nil?
-      render json: { has_webauthn: false, message: "User not found" }
+      render json: { has_webauthn: false, requires_webauthn: false }
      return
    end
    # Only return minimal necessary info - no user_id or preferred_method
    render json: {
      has_webauthn: user.can_authenticate_with_webauthn?,
      user_id: user.id,
      preferred_method: user.preferred_authentication_method,
      requires_webauthn: user.require_webauthn?
    }
  end
@@ -173,16 +172,13 @@ class WebauthnController < ApplicationController
  end
  def set_webauthn_credential
-    @webauthn_credential = WebauthnCredential.find(params[:id])
+    user = Current.session&.user
    return render json: { error: "Not authenticated" }, status: :unauthorized unless user
    @webauthn_credential = user.webauthn_credentials.find(params[:id])
  rescue ActiveRecord::RecordNotFound
    respond_to do |format|
-      format.html {
+      format.html { redirect_to profile_path, alert: "Passkey not found" }
-        redirect_to profile_path,
+      format.json { render json: { error: "Passkey not found" }, status: :not_found }
        alert: "Passkey not found"
      }
      format.json {
        render json: { error: "Passkey not found" }, status: :not_found
      }
    end
  end
--- a/app/helpers/claims_helper.rb
+++ b/app/helpers/claims_helper.rb
@@ -0,0 +1,69 @@
 module ClaimsHelper
  include ClaimsMerger
  # Preview final merged claims for a user accessing an application
  def preview_user_claims(user, application)
    claims = {
      # Standard OIDC claims
      email: user.email_address,
      email_verified: true,
      preferred_username: user.username.presence || user.email_address,
      name: user.name.presence || user.email_address
    }
    # Add groups
    if user.groups.any?
      claims[:groups] = user.groups.pluck(:name)
    end
    # Merge group custom claims (arrays are combined, not overwritten)
    user.groups.each do |group|
      claims = deep_merge_claims(claims, group.parsed_custom_claims)
    end
    # Merge user custom claims (arrays are combined, other values override)
    claims = deep_merge_claims(claims, user.parsed_custom_claims)
    # Merge app-specific claims (arrays are combined)
    claims = deep_merge_claims(claims, application.custom_claims_for_user(user))
    claims
  end
  # Get claim sources breakdown for display
  def claim_sources(user, application)
    sources = []
    # Group claims
    user.groups.each do |group|
      if group.parsed_custom_claims.any?
        sources << {
          type: :group,
          name: group.name,
          claims: group.parsed_custom_claims
        }
      end
    end
    # User claims
    if user.parsed_custom_claims.any?
      sources << {
        type: :user,
        name: "User Override",
        claims: user.parsed_custom_claims
      }
    end
    # App-specific claims
    app_claims = application.custom_claims_for_user(user)
    if app_claims.any?
      sources << {
        type: :application,
        name: "App-Specific (#{application.name})",
        claims: app_claims
      }
    end
    sources
  end
 end
--- a/app/javascript/controllers/application_form_controller.js
+++ b/app/javascript/controllers/application_form_controller.js
@@ -1,7 +1,7 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
-  static targets = ["appTypeSelect", "oidcFields", "forwardAuthFields"]
+  static targets = ["appTypeSelect", "oidcFields", "forwardAuthFields", "pkceOptions"]
  connect() {
    this.updateFieldVisibility()
@@ -21,4 +21,17 @@ export default class extends Controller {
      this.forwardAuthFieldsTarget.classList.add('hidden')
    }
  }
  updatePkceVisibility(event) {
    // Show PKCE options for confidential clients, hide for public clients
    const isPublicClient = event.target.value === "true"
    if (this.hasPkceOptionsTarget) {
      if (isPublicClient) {
        this.pkceOptionsTarget.classList.add('hidden')
      } else {
        this.pkceOptionsTarget.classList.remove('hidden')
      }
    }
  }
 }
--- a/app/javascript/controllers/file_drop_controller.js
+++ b/app/javascript/controllers/file_drop_controller.js
@@ -0,0 +1,96 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = ["input", "dropzone", "preview", "previewImage", "filename", "filesize"]
  connect() {
    // Prevent default drag behaviors on the whole document
    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
      document.body.addEventListener(eventName, this.preventDefaults, false)
    })
  }
  disconnect() {
    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
      document.body.removeEventListener(eventName, this.preventDefaults, false)
    })
  }
  preventDefaults(e) {
    e.preventDefault()
    e.stopPropagation()
  }
  dragover(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.add("border-blue-500", "bg-blue-50")
  }
  dragleave(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
  }
  drop(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
    const files = e.dataTransfer.files
    if (files.length > 0) {
      // Set the file to the input element
      this.inputTarget.files = files
      this.handleFiles()
    }
  }
  handleFiles() {
    const file = this.inputTarget.files[0]
    if (!file) return
    // Validate file type
    const validTypes = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
    if (!validTypes.includes(file.type)) {
      alert("Please upload a PNG, JPG, GIF, or SVG image")
      this.clear()
      return
    }
    // Validate file size (2MB)
    if (file.size > 2 * 1024 * 1024) {
      alert("File size must be less than 2MB")
      this.clear()
      return
    }
    // Show preview
    this.filenameTarget.textContent = file.name
    this.filesizeTarget.textContent = this.formatFileSize(file.size)
    // Create preview image
    const reader = new FileReader()
    reader.onload = (e) => {
      this.previewImageTarget.src = e.target.result
      this.previewTarget.classList.remove("hidden")
    }
    reader.readAsDataURL(file)
  }
  clear(e) {
    if (e) {
      e.preventDefault()
    }
    this.inputTarget.value = ""
    this.previewTarget.classList.add("hidden")
  }
  formatFileSize(bytes) {
    if (bytes === 0) return "0 Bytes"
    const k = 1024
    const sizes = ["Bytes", "KB", "MB"]
    const i = Math.floor(Math.log(bytes) / Math.log(k))
    return Math.round(bytes / Math.pow(k, i) * 100) / 100 + " " + sizes[i]
  }
 }
--- a/app/javascript/controllers/image_paste_controller.js
+++ b/app/javascript/controllers/image_paste_controller.js
@@ -0,0 +1,121 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = ["input", "dropzone"]
  connect() {
    // Listen for paste events on the dropzone
    this.dropzoneTarget.addEventListener("paste", this.handlePaste.bind(this))
  }
  disconnect() {
    this.dropzoneTarget.removeEventListener("paste", this.handlePaste.bind(this))
  }
  handlePaste(e) {
    e.preventDefault()
    e.stopPropagation()
    const clipboardData = e.clipboardData || e.originalEvent.clipboardData
    // First, try to get image data
    for (let item of clipboardData.items) {
      if (item.type.indexOf("image") !== -1) {
        const blob = item.getAsFile()
        this.handleImageBlob(blob)
        return
      }
    }
    // If no image found, check for SVG text
    const text = clipboardData.getData("text/plain")
    if (text && this.isSVG(text)) {
      this.handleSVGText(text)
      return
    }
  }
  isSVG(text) {
    // Check if the text looks like SVG code
    const trimmed = text.trim()
    return trimmed.startsWith("<svg") && trimmed.includes("</svg>")
  }
  handleSVGText(svgText) {
    // Validate file size (2MB)
    const size = new Blob([svgText]).size
    if (size > 2 * 1024 * 1024) {
      alert("SVG code is too large (must be less than 2MB)")
      return
    }
    // Create a blob from the SVG text
    const blob = new Blob([svgText], { type: "image/svg+xml" })
    // Create a File object
    const file = new File([blob], `pasted-svg-${Date.now()}.svg`, {
      type: "image/svg+xml"
    })
    // Create a DataTransfer object to set files on the input
    const dataTransfer = new DataTransfer()
    dataTransfer.items.add(file)
    this.inputTarget.files = dataTransfer.files
    // Trigger change event to update preview (file-drop controller will handle it)
    const event = new Event("change", { bubbles: true })
    this.inputTarget.dispatchEvent(event)
    // Visual feedback
    this.dropzoneTarget.classList.add("border-green-500", "bg-green-50")
    setTimeout(() => {
      this.dropzoneTarget.classList.remove("border-green-500", "bg-green-50")
    }, 500)
  }
  handleImageBlob(blob) {
    // Validate file type
    const validTypes = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
    if (!validTypes.includes(blob.type)) {
      alert("Please paste a PNG, JPG, GIF, or SVG image")
      return
    }
    // Validate file size (2MB)
    if (blob.size > 2 * 1024 * 1024) {
      alert("Image size must be less than 2MB")
      return
    }
    // Create a File object from the blob with a default name
    const file = new File([blob], `pasted-image-${Date.now()}.${this.getExtension(blob.type)}`, {
      type: blob.type
    })
    // Create a DataTransfer object to set files on the input
    const dataTransfer = new DataTransfer()
    dataTransfer.items.add(file)
    this.inputTarget.files = dataTransfer.files
    // Trigger change event to update preview (file-drop controller will handle it)
    const event = new Event("change", { bubbles: true })
    this.inputTarget.dispatchEvent(event)
    // Visual feedback
    this.dropzoneTarget.classList.add("border-green-500", "bg-green-50")
    setTimeout(() => {
      this.dropzoneTarget.classList.remove("border-green-500", "bg-green-50")
    }, 500)
  }
  getExtension(mimeType) {
    const extensions = {
      "image/png": "png",
      "image/jpeg": "jpg",
      "image/jpg": "jpg",
      "image/gif": "gif",
      "image/svg+xml": "svg"
    }
    return extensions[mimeType] || "png"
  }
 }
--- a/app/jobs/backchannel_logout_job.rb
+++ b/app/jobs/backchannel_logout_job.rb
@@ -0,0 +1,52 @@
 class BackchannelLogoutJob < ApplicationJob
  queue_as :default
  # Retry with exponential backoff: 1s, 5s, 25s
  retry_on StandardError, wait: :exponentially_longer, attempts: 3
  def perform(user_id:, application_id:, consent_sid:)
    # Find the records
    user = User.find_by(id: user_id)
    application = Application.find_by(id: application_id)
    consent = OidcUserConsent.find_by(sid: consent_sid)
    # Validate we have all required data
    unless user && application && consent
      Rails.logger.warn "BackchannelLogout: Missing data - user: #{user.present?}, app: #{application.present?}, consent: #{consent.present?}"
      return
    end
    # Skip if application doesn't support backchannel logout
    unless application.supports_backchannel_logout?
      Rails.logger.debug "BackchannelLogout: Application #{application.name} doesn't support backchannel logout"
      return
    end
    # Generate the logout token
    logout_token = OidcJwtService.generate_logout_token(user, application, consent)
    # Send HTTP POST to the application's backchannel logout URI
    uri = URI.parse(application.backchannel_logout_uri)
    begin
      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https', open_timeout: 5, read_timeout: 5) do |http|
        request = Net::HTTP::Post.new(uri.path.presence || '/')
        request['Content-Type'] = 'application/x-www-form-urlencoded'
        request.set_form_data({ logout_token: logout_token })
        http.request(request)
      end
      if response.code.to_i == 200
        Rails.logger.info "BackchannelLogout: Successfully sent logout notification to #{application.name} (#{application.backchannel_logout_uri})"
      else
        Rails.logger.warn "BackchannelLogout: Application #{application.name} returned HTTP #{response.code} from #{application.backchannel_logout_uri}"
      end
    rescue Net::OpenTimeout, Net::ReadTimeout => e
      Rails.logger.warn "BackchannelLogout: Timeout sending logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.message}"
      raise # Retry on timeout
    rescue StandardError => e
      Rails.logger.error "BackchannelLogout: Failed to send logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.class} - #{e.message}"
      raise # Retry on error
    end
  end
 end
--- a/app/models/application.rb
+++ b/app/models/application.rb
@@ -1,8 +1,18 @@
 class Application < ApplicationRecord
  has_secure_password :client_secret, validations: false
  # Virtual attribute to control client type during creation
  # When true, no client_secret will be generated (public client)
  attr_accessor :is_public_client
  has_one_attached :icon
  # Fix SVG content type after attachment
  after_save :fix_icon_content_type, if: -> { icon.attached? && saved_change_to_attribute?(:id) == false }
  has_many :application_groups, dependent: :destroy
  has_many :allowed_groups, through: :application_groups, source: :group
  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_authorization_codes, dependent: :destroy
  has_many :oidc_access_tokens, dependent: :destroy
  has_many :oidc_refresh_tokens, dependent: :destroy
@@ -14,9 +24,18 @@ class Application < ApplicationRecord
  validates :app_type, presence: true,
                      inclusion: { in: %w[oidc forward_auth] }
  validates :client_id, uniqueness: { allow_nil: true }
-  validates :client_secret, presence: true, on: :create, if: -> { oidc? }
+  validates :client_secret, presence: true, on: :create, if: -> { oidc? && confidential_client? }
  validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }, if: :forward_auth?
  validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
  validates :backchannel_logout_uri, format: {
    with: URI::regexp(%w[http https]),
    allow_nil: true,
    message: "must be a valid HTTP or HTTPS URL"
  }
  validate :backchannel_logout_uri_must_be_https_in_production, if: -> { backchannel_logout_uri.present? }
  # Icon validation using ActiveStorage validators
  validate :icon_validation, if: -> { icon.attached? }
  # Token TTL validations (for OIDC apps)
  validates :access_token_ttl, numericality: { greater_than_or_equal_to: 300, less_than_or_equal_to: 86400 }, if: :oidc?  # 5 min - 24 hours
@@ -28,6 +47,10 @@ class Application < ApplicationRecord
    normalized = pattern&.strip&.downcase
    normalized.blank? ? nil : normalized
  }
  normalizes :backchannel_logout_uri, with: ->(uri) {
    normalized = uri&.strip
    normalized.blank? ? nil : normalized
  }
  before_validation :generate_client_credentials, on: :create, if: :oidc?
@@ -55,6 +78,24 @@ class Application < ApplicationRecord
    app_type == "forward_auth"
  end
  # Client type checks (for OIDC)
  def public_client?
    client_secret_digest.blank?
  end
  def confidential_client?
    !public_client?
  end
  # PKCE requirement check
  # Public clients MUST use PKCE (no client secret to protect auth code)
  # Confidential clients can optionally require PKCE (OAuth 2.1 recommendation)
  def requires_pkce?
    return false unless oidc?
    return true if public_client?  # Always require PKCE for public clients
    require_pkce?  # Check the flag for confidential clients
  end
  # Access control
  def user_allowed?(user)
    return false unless active?
@@ -186,8 +227,50 @@ class Application < ApplicationRecord
    duration_to_human(id_token_ttl || 3600)
  end
  # Get app-specific custom claims for a user
  def custom_claims_for_user(user)
    app_claim = application_user_claims.find_by(user: user)
    app_claim&.parsed_custom_claims || {}
  end
  # Check if this application supports backchannel logout
  def supports_backchannel_logout?
    backchannel_logout_uri.present?
  end
  # Check if a user has an active session with this application
  # (i.e., has valid, non-revoked tokens)
  def user_has_active_session?(user)
    oidc_access_tokens.where(user: user).valid.exists? ||
    oidc_refresh_tokens.where(user: user).valid.exists?
  end
  private
  def fix_icon_content_type
    return unless icon.attached?
    # Fix SVG content type if it was detected incorrectly
    if icon.filename.extension == "svg" && icon.content_type == "application/octet-stream"
      icon.blob.update(content_type: "image/svg+xml")
    end
  end
  def icon_validation
    return unless icon.attached?
    # Check content type
    allowed_types = ['image/png', 'image/jpg', 'image/jpeg', 'image/gif', 'image/svg+xml']
    unless allowed_types.include?(icon.content_type)
      errors.add(:icon, 'must be a PNG, JPG, GIF, or SVG image')
    end
    # Check file size (2MB limit)
    if icon.blob.byte_size > 2.megabytes
      errors.add(:icon, 'must be less than 2MB')
    end
  end
  def duration_to_human(seconds)
    if seconds < 3600
      "#{seconds / 60} minutes"
@@ -200,10 +283,30 @@ class Application < ApplicationRecord
  def generate_client_credentials
    self.client_id ||= SecureRandom.urlsafe_base64(32)
-    # Generate and hash the client secret
+    # Generate client secret only for confidential clients
-    if new_record? && client_secret.blank?
+    # Public clients (is_public_client checked) don't get a secret - they use PKCE only
    if new_record? && client_secret.blank? && !is_public_client_selected?
      secret = SecureRandom.urlsafe_base64(48)
      self.client_secret = secret
    end
  end
  # Check if the user selected public client option
  def is_public_client_selected?
    ActiveModel::Type::Boolean.new.cast(is_public_client)
  end
  def backchannel_logout_uri_must_be_https_in_production
    return unless Rails.env.production?
    return unless backchannel_logout_uri.present?
    begin
      uri = URI.parse(backchannel_logout_uri)
      unless uri.scheme == 'https'
        errors.add(:backchannel_logout_uri, 'must use HTTPS in production')
      end
    rescue URI::InvalidURIError
      # Let the format validator handle invalid URIs
    end
  end
 end
--- a/app/models/application_user_claim.rb
+++ b/app/models/application_user_claim.rb
@@ -0,0 +1,31 @@
 class ApplicationUserClaim < ApplicationRecord
  belongs_to :application
  belongs_to :user
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :user_id, uniqueness: { scope: :application_id }
  validate :no_reserved_claim_names
  # Parse custom_claims JSON field
  def parsed_custom_claims
    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
 end
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -4,11 +4,31 @@ class Group < ApplicationRecord
  has_many :application_groups, dependent: :destroy
  has_many :applications, through: :application_groups
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :name, presence: true, uniqueness: { case_sensitive: false }
  normalizes :name, with: ->(name) { name.strip.downcase }
  validate :no_reserved_claim_names
  # Parse custom_claims JSON field
  def parsed_custom_claims
-    custom_claims || {}
+    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
 end
--- a/app/models/oidc_access_token.rb
+++ b/app/models/oidc_access_token.rb
@@ -6,7 +6,7 @@ class OidcAccessToken < ApplicationRecord
  before_validation :generate_token, on: :create
  before_validation :set_expiry, on: :create
-  validates :token, uniqueness: true, presence: true
+  validates :token_hmac, presence: true, uniqueness: true
  scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -15,6 +15,19 @@ class OidcAccessToken < ApplicationRecord
  attr_accessor :plaintext_token  # Store plaintext temporarily for returning to client
  # Find access token by plaintext token using HMAC verification
  def self.find_by_token(plaintext_token)
    return nil if plaintext_token.blank?
    token_hmac = compute_token_hmac(plaintext_token)
    find_by(token_hmac: token_hmac)
  end
  # Compute HMAC for token lookup
  def self.compute_token_hmac(plaintext_token)
    OpenSSL::HMAC.hexdigest('SHA256', TokenHmac::KEY, plaintext_token)
  end
  def expired?
    expires_at <= Time.current
  end
@@ -33,48 +46,13 @@ class OidcAccessToken < ApplicationRecord
    oidc_refresh_tokens.each(&:revoke!)
  end
  # Check if a plaintext token matches the hashed token
  def token_matches?(plaintext_token)
    return false if plaintext_token.blank?
    # Use BCrypt to compare if token_digest exists
    if token_digest.present?
      BCrypt::Password.new(token_digest) == plaintext_token
    # Fall back to direct comparison for backward compatibility
    elsif token.present?
      token == plaintext_token
    else
      false
    end
  end
  # Find by token (validates and checks if revoked)
  def self.find_by_token(plaintext_token)
    return nil if plaintext_token.blank?
    # Find all non-revoked, non-expired tokens
    valid.find_each do |access_token|
      # Use BCrypt to compare (if token_digest exists) or direct comparison
      if access_token.token_digest.present?
        return access_token if BCrypt::Password.new(access_token.token_digest) == plaintext_token
      elsif access_token.token == plaintext_token
        return access_token
      end
    end
    nil
  end
  private
  def generate_token
-    return if token.present?
+    # Generate random plaintext token
-
+    self.plaintext_token ||= SecureRandom.urlsafe_base64(48)
-    # Generate opaque access token
+    # Store HMAC in database (not plaintext)
-    plaintext = SecureRandom.urlsafe_base64(48)
+    self.token_hmac ||= self.class.compute_token_hmac(plaintext_token)
    self.plaintext_token = plaintext  # Store temporarily for returning to client
    self.token_digest = BCrypt::Password.create(plaintext)
    # Keep token column for backward compatibility during migration
    self.token = plaintext
  end
  def set_expiry
--- a/app/models/oidc_authorization_code.rb
+++ b/app/models/oidc_authorization_code.rb
@@ -2,10 +2,12 @@ class OidcAuthorizationCode < ApplicationRecord
  belongs_to :application
  belongs_to :user
  attr_accessor :plaintext_code
  before_validation :generate_code, on: :create
  before_validation :set_expiry, on: :create
-  validates :code, presence: true, uniqueness: true
+  validates :code_hmac, presence: true, uniqueness: true
  validates :redirect_uri, presence: true
  validates :code_challenge_method, inclusion: { in: %w[plain S256], allow_nil: true }
  validate :validate_code_challenge_format, if: -> { code_challenge.present? }
@@ -13,6 +15,19 @@ class OidcAuthorizationCode < ApplicationRecord
  scope :valid, -> { where(used: false).where("expires_at > ?", Time.current) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }
  # Find authorization code by plaintext code using HMAC verification
  def self.find_by_plaintext(plaintext_code)
    return nil if plaintext_code.blank?
    code_hmac = compute_code_hmac(plaintext_code)
    find_by(code_hmac: code_hmac)
  end
  # Compute HMAC for code lookup
  def self.compute_code_hmac(plaintext_code)
    OpenSSL::HMAC.hexdigest('SHA256', TokenHmac::KEY, plaintext_code)
  end
  def expired?
    expires_at <= Time.current
  end
@@ -32,7 +47,10 @@ class OidcAuthorizationCode < ApplicationRecord
  private
  def generate_code
-    self.code ||= SecureRandom.urlsafe_base64(32)
+    # Generate random plaintext code
    self.plaintext_code ||= SecureRandom.urlsafe_base64(32)
    # Store HMAC in database (not plaintext)
    self.code_hmac ||= self.class.compute_code_hmac(plaintext_code)
  end
  def set_expiry
--- a/app/models/oidc_refresh_token.rb
+++ b/app/models/oidc_refresh_token.rb
@@ -2,13 +2,12 @@ class OidcRefreshToken < ApplicationRecord
  belongs_to :application
  belongs_to :user
  belongs_to :oidc_access_token
  has_many :oidc_access_tokens, foreign_key: :oidc_access_token_id, dependent: :nullify
  before_validation :generate_token, on: :create
  before_validation :set_expiry, on: :create
  before_validation :set_token_family_id, on: :create
-  validates :token_digest, presence: true, uniqueness: true
+  validates :token_hmac, presence: true, uniqueness: true
  scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -20,6 +19,19 @@ class OidcRefreshToken < ApplicationRecord
  attr_accessor :token  # Store plaintext token temporarily for returning to client
  # Find refresh token by plaintext token using HMAC verification
  def self.find_by_token(plaintext_token)
    return nil if plaintext_token.blank?
    token_hmac = compute_token_hmac(plaintext_token)
    find_by(token_hmac: token_hmac)
  end
  # Compute HMAC for token lookup
  def self.compute_token_hmac(plaintext_token)
    OpenSSL::HMAC.hexdigest('SHA256', TokenHmac::KEY, plaintext_token)
  end
  def expired?
    expires_at <= Time.current
  end
@@ -43,35 +55,13 @@ class OidcRefreshToken < ApplicationRecord
    OidcRefreshToken.in_family(token_family_id).update_all(revoked_at: Time.current)
  end
  # Verify a plaintext token against the stored digest
  def self.find_by_token(plaintext_token)
    return nil if plaintext_token.blank?
    # Try to find tokens that could match (we can't search by hash directly)
    # This is less efficient but necessary with BCrypt
    # In production, you might want to add a token prefix or other optimization
    all.find do |refresh_token|
      refresh_token.token_matches?(plaintext_token)
    end
  end
  def token_matches?(plaintext_token)
    return false if plaintext_token.blank? || token_digest.blank?
    BCrypt::Password.new(token_digest) == plaintext_token
  rescue BCrypt::Errors::InvalidHash
    false
  end
  private
  def generate_token
-    # Generate a secure random token
+    # Generate random plaintext token
-    plaintext = SecureRandom.urlsafe_base64(48)
+    self.token ||= SecureRandom.urlsafe_base64(48)
-    self.token = plaintext  # Store temporarily for returning to client
+    # Store HMAC in database (not plaintext)
-
+    self.token_hmac ||= self.class.compute_token_hmac(token)
    # Hash it with BCrypt for storage
    self.token_digest = BCrypt::Password.create(plaintext)
  end
  def set_expiry
--- a/app/models/oidc_user_consent.rb
+++ b/app/models/oidc_user_consent.rb
@@ -6,6 +6,7 @@ class OidcUserConsent < ApplicationRecord
  validates :user_id, uniqueness: { scope: :application_id }
  before_validation :set_granted_at, on: :create
  before_validation :set_sid, on: :create
  # Parse scopes_granted into an array
  def scopes
@@ -44,9 +45,18 @@ class OidcUserConsent < ApplicationRecord
    end.join(', ')
  end
  # Find consent by SID
  def self.find_by_sid(sid)
    find_by(sid: sid)
  end
  private
  def set_granted_at
    self.granted_at ||= Time.current
  end
  def set_sid
    self.sid ||= SecureRandom.uuid
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,8 +1,12 @@
 class User < ApplicationRecord
  # Encrypt TOTP secrets at rest (key derived from SECRET_KEY_BASE)
  encrypts :totp_secret
  has_secure_password
  has_many :sessions, dependent: :destroy
  has_many :user_groups, dependent: :destroy
  has_many :groups, through: :user_groups
  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_user_consents, dependent: :destroy
  has_many :webauthn_credentials, dependent: :destroy
@@ -15,15 +19,23 @@ class User < ApplicationRecord
    updated_at
  end
  generates_token_for :magic_login, expires_in: 15.minutes do
    last_sign_in_at
  end
  normalizes :email_address, with: ->(e) { e.strip.downcase }
  normalizes :username, with: ->(u) { u.strip.downcase if u.present? }
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :email_address, presence: true, uniqueness: { case_sensitive: false },
                           format: { with: URI::MailTo::EMAIL_REGEXP }
  validates :username, uniqueness: { case_sensitive: false }, allow_nil: true,
                      format: { with: /\A[a-zA-Z0-9_-]+\z/, message: "can only contain letters, numbers, underscores, and hyphens" },
                      length: { minimum: 2, maximum: 30 }
  validates :password, length: { minimum: 8 }, allow_nil: true
  validate :no_reserved_claim_names
  # Enum - automatically creates scopes (User.active, User.disabled, etc.)
  enum :status, { active: 0, disabled: 1, pending_invitation: 2 }
@@ -44,7 +56,9 @@ class User < ApplicationRecord
  end
  def disable_totp!
-    update!(totp_secret: nil, totp_required: false, backup_codes: nil)
+    # Note: This does NOT clear totp_required flag
    # Admins control that flag via admin panel, users cannot remove admin-required 2FA
    update!(totp_secret: nil, backup_codes: nil)
  end
  def totp_provisioning_uri(issuer: "Clinch")
@@ -63,6 +77,14 @@ class User < ApplicationRecord
    totp.verify(code, drift_behind: 30, drift_ahead: 30)
  end
  # Console/debug helper: get current TOTP code
  def console_totp
    return nil unless totp_enabled?
    require "rotp"
    ROTP::TOTP.new(totp_secret).now
  end
  def verify_backup_code(code)
    return false unless backup_codes.present?
@@ -180,11 +202,39 @@ class User < ApplicationRecord
  # Parse custom_claims JSON field
  def parsed_custom_claims
-    custom_claims || {}
+    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  # Get fully merged claims for a specific application
  def merged_claims_for_application(application)
    merged = {}
    # Start with group claims (in order)
    groups.each do |group|
      merged.merge!(group.parsed_custom_claims)
    end
    # Merge user global claims
    merged.merge!(parsed_custom_claims)
    # Merge app-specific claims (highest priority)
    merged.merge!(application.custom_claims_for_user(self))
    merged
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
  def generate_backup_codes
    # Generate plain codes for user to see/save
    plain_codes = Array.new(10) { SecureRandom.alphanumeric(8).upcase }
--- a/app/services/concerns/claims_merger.rb
+++ b/app/services/concerns/claims_merger.rb
@@ -0,0 +1,35 @@
 module ClaimsMerger
  extend ActiveSupport::Concern
  # Deep merge claims, combining arrays instead of overwriting them
  # This ensures that array values (like roles) are combined across group/user/app claims
  #
  # Example:
  #   base = { "roles" => ["user"], "level" => 1 }
  #   incoming = { "roles" => ["admin"], "department" => "IT" }
  #   deep_merge_claims(base, incoming)
  #   # => { "roles" => ["user", "admin"], "level" => 1, "department" => "IT" }
  def deep_merge_claims(base, incoming)
    result = base.dup
    incoming.each do |key, value|
      if result.key?(key)
        # If both values are arrays, combine them (union to avoid duplicates)
        if result[key].is_a?(Array) && value.is_a?(Array)
          result[key] = (result[key] + value).uniq
        # If both values are hashes, recursively merge them
        elsif result[key].is_a?(Hash) && value.is_a?(Hash)
          result[key] = deep_merge_claims(result[key], value)
        else
          # Otherwise, incoming value wins (override)
          result[key] = value
        end
      else
        # New key, just add it
        result[key] = value
      end
    end
    result
  end
 end
--- a/app/services/oidc_jwt_service.rb
+++ b/app/services/oidc_jwt_service.rb
@@ -1,42 +1,79 @@
 class OidcJwtService
  extend ClaimsMerger
  class << self
    # Generate an ID token (JWT) for the user
-    def generate_id_token(user, application, nonce: nil)
+    def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil)
      now = Time.current.to_i
      # Use application's configured ID token TTL (defaults to 1 hour)
      ttl = application.id_token_expiry_seconds
      # Use pairwise SID from consent if available, fallback to user ID
      subject = consent&.sid || user.id.to_s
      payload = {
        iss: issuer_url,
-        sub: user.id.to_s,
+        sub: subject,
        aud: application.client_id,
        exp: now + ttl,
        iat: now,
        email: user.email_address,
        email_verified: true,
-        preferred_username: user.email_address,
+        preferred_username: user.username.presence || user.email_address,
        name: user.name.presence || user.email_address
      }
      # Add nonce if provided (OIDC requires this for implicit flow)
      payload[:nonce] = nonce if nonce.present?
      # Add at_hash if access token is provided (OIDC Core spec §3.1.3.6)
      # at_hash = left-most 128 bits of SHA-256 hash of access token, base64url encoded
      if access_token.present?
        sha256 = Digest::SHA256.digest(access_token)
        at_hash = Base64.urlsafe_encode64(sha256[0..15], padding: false)
        payload[:at_hash] = at_hash
      end
      # Add groups if user has any
      if user.groups.any?
        payload[:groups] = user.groups.pluck(:name)
      end
-      # Add admin claim if user is admin
+      # Merge custom claims from groups (arrays are combined, not overwritten)
      payload[:admin] = true if user.admin?
      # Merge custom claims from groups
      user.groups.each do |group|
-        payload.merge!(group.parsed_custom_claims)
+        payload = deep_merge_claims(payload, group.parsed_custom_claims)
      end
-      # Merge custom claims from user (overrides group claims)
+      # Merge custom claims from user (arrays are combined, other values override)
-      payload.merge!(user.parsed_custom_claims)
+      payload = deep_merge_claims(payload, user.parsed_custom_claims)
      # Merge app-specific custom claims (highest priority, arrays are combined)
      payload = deep_merge_claims(payload, application.custom_claims_for_user(user))
      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
    end
    # Generate a backchannel logout token (JWT)
    # Per OIDC Back-Channel Logout spec, this token:
    # - MUST include iss, aud, iat, jti, events claims
    # - MUST include sub or sid (or both) - we always include both
    # - MUST NOT include nonce claim
    def generate_logout_token(user, application, consent)
      now = Time.current.to_i
      payload = {
        iss: issuer_url,
        sub: consent.sid,  # Pairwise subject identifier
        aud: application.client_id,
        iat: now,
        jti: SecureRandom.uuid,  # Unique identifier for this logout token
        sid: consent.sid,  # Session ID - always included for granular logout
        events: {
          "http://schemas.openid.net/event/backchannel-logout" => {}
        }
      }
      # Important: Do NOT include nonce in logout tokens (spec requirement)
      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
    end
@@ -66,8 +103,13 @@ class OidcJwtService
      # In production, this should come from ENV or config
      # For now, we'll use a placeholder that can be overridden
      host = ENV.fetch("CLINCH_HOST", "localhost:3000")
-        # Ensure URL has https:// protocol
+      # Ensure URL has protocol - use https:// in production, http:// in development
-        host.match?(/^https?:\/\//) ? host : "https://#{host}"
+      if host.match?(/^https?:\/\//)
        host
      else
        protocol = Rails.env.production? ? "https" : "http"
        "#{protocol}://#{host}"
      end
    end
    private
@@ -75,17 +117,37 @@ class OidcJwtService
    # Get or generate RSA private key
    def private_key
      @private_key ||= begin
        key_source = nil
        # Try ENV variable first (best for Docker/Kamal)
        if ENV["OIDC_PRIVATE_KEY"].present?
-          OpenSSL::PKey::RSA.new(ENV["OIDC_PRIVATE_KEY"])
+          key_source = ENV["OIDC_PRIVATE_KEY"]
        # Then try Rails credentials
        elsif Rails.application.credentials.oidc_private_key.present?
-          OpenSSL::PKey::RSA.new(Rails.application.credentials.oidc_private_key)
+          key_source = Rails.application.credentials.oidc_private_key
        end
        if key_source.present?
          begin
            # Handle both actual newlines and escaped \n sequences
            # Some .env loaders may escape newlines, so we need to convert them back
            key_data = key_source.gsub("\\n", "\n")
            OpenSSL::PKey::RSA.new(key_data)
          rescue OpenSSL::PKey::RSAError => e
            Rails.logger.error "OIDC: Failed to load private key: #{e.message}"
            Rails.logger.error "OIDC: Key source length: #{key_source.length}, starts with: #{key_source[0..50]}"
            raise "Invalid OIDC private key format. Please ensure the key is in PEM format with proper newlines."
          end
        else
-          # Generate a new key for development
+          # In production, we should never generate a key on the fly
-          # In production, you MUST set OIDC_PRIVATE_KEY env var or add to credentials
+          # because it would be different across servers/deployments
          if Rails.env.production?
            raise "OIDC private key not configured. Set OIDC_PRIVATE_KEY environment variable or add to Rails credentials."
          end
          # Generate a new key for development/test only
          Rails.logger.warn "OIDC: No private key found in ENV or credentials, generating new key (development only)"
-          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable in production!"
+          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable for consistency across restarts"
          OpenSSL::PKey::RSA.new(2048)
        end
      end
--- a/app/views/admin/applications/_form.html.erb
+++ b/app/views/admin/applications/_form.html.erb
@@ -17,6 +17,87 @@
    <%= form.text_area :description, rows: 3, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "Optional description of this application" %>
  </div>
  <div>
    <div class="flex items-center justify-between">
      <%= form.label :icon, "Application Icon", class: "block text-sm font-medium text-gray-700" %>
      <a href="https://dashboardicons.com" target="_blank" rel="noopener noreferrer" class="text-xs text-blue-600 hover:text-blue-800 flex items-center gap-1">
        <svg class="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14"></path>
        </svg>
        Browse icons at dashboardicons.com
      </a>
    </div>
    <% if application.icon.attached? && application.persisted? %>
      <% begin %>
        <%# Only show icon if we can successfully get its URL (blob is persisted) %>
        <% if application.icon.blob&.persisted? && application.icon.blob.key.present? %>
          <div class="mt-2 mb-3 flex items-center gap-4">
            <%= image_tag application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200", alt: "Current icon" %>
            <div class="text-sm text-gray-600">
              <p class="font-medium">Current icon</p>
              <p class="text-xs"><%= number_to_human_size(application.icon.blob.byte_size) %></p>
            </div>
          </div>
        <% end %>
      <% rescue ArgumentError => e %>
        <%# Handle case where icon attachment exists but can't generate signed_id %>
        <% if e.message.include?("Cannot get a signed_id for a new record") %>
          <div class="mt-2 mb-3 text-sm text-gray-600">
            <p class="font-medium">Icon uploaded</p>
            <p class="text-xs">File will be processed shortly</p>
          </div>
        <% else %>
          <%# Re-raise if it's a different error %>
          <% raise e %>
        <% end %>
      <% end %>
    <% end %>
    <div class="mt-2" data-controller="file-drop image-paste">
      <div class="flex justify-center px-6 pt-5 pb-6 border-2 border-gray-300 border-dashed rounded-md hover:border-blue-400 transition-colors"
           data-file-drop-target="dropzone"
           data-image-paste-target="dropzone"
           data-action="dragover->file-drop#dragover dragleave->file-drop#dragleave drop->file-drop#drop paste->image-paste#handlePaste"
           tabindex="0">
        <div class="space-y-1 text-center">
          <svg class="mx-auto h-12 w-12 text-gray-400" stroke="currentColor" fill="none" viewBox="0 0 48 48">
            <path d="M28 8H12a4 4 0 00-4 4v20m32-12v8m0 0v8a4 4 0 01-4 4H12a4 4 0 01-4-4v-4m32-4l-3.172-3.172a4 4 0 00-5.656 0L28 28M8 32l9.172-9.172a4 4 0 015.656 0L28 28m0 0l4 4m4-24h8m-4-4v8m-12 4h.02" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" />
          </svg>
          <div class="flex text-sm text-gray-600">
            <label for="<%= form.field_id(:icon) %>" class="relative cursor-pointer bg-white rounded-md font-medium text-blue-600 hover:text-blue-500 focus-within:outline-none focus-within:ring-2 focus-within:ring-offset-2 focus-within:ring-blue-500">
              <span>Upload a file</span>
              <%= form.file_field :icon,
                  accept: "image/png,image/jpg,image/jpeg,image/gif,image/svg+xml",
                  class: "sr-only",
                  data: {
                    file_drop_target: "input",
                    image_paste_target: "input",
                    action: "change->file-drop#handleFiles"
                  } %>
            </label>
            <p class="pl-1">or drag and drop</p>
          </div>
          <p class="text-xs text-gray-500">PNG, JPG, GIF, or SVG up to 2MB</p>
          <p class="text-xs text-blue-600 font-medium mt-2">💡 Tip: Click here and press Ctrl+V (or Cmd+V) to paste an image from your clipboard</p>
        </div>
      </div>
      <div data-file-drop-target="preview" class="mt-3 hidden">
        <div class="flex items-center gap-3 p-3 bg-blue-50 rounded-md border border-blue-200">
          <img data-file-drop-target="previewImage" class="h-12 w-12 rounded object-cover" alt="Preview">
          <div class="flex-1 min-w-0">
            <p class="text-sm font-medium text-gray-900" data-file-drop-target="filename"></p>
            <p class="text-xs text-gray-500" data-file-drop-target="filesize"></p>
          </div>
          <button type="button" data-action="click->file-drop#clear" class="text-gray-400 hover:text-gray-600">
            <svg class="h-5 w-5" fill="currentColor" viewBox="0 0 20 20">
              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd" />
            </svg>
          </button>
        </div>
      </div>
    </div>
  </div>
  <div>
    <%= form.label :landing_url, "Landing URL", class: "block text-sm font-medium text-gray-700" %>
    <%= form.url_field :landing_url, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "https://app.example.com" %>
@@ -39,12 +120,67 @@
  <div id="oidc-fields" class="space-y-6 border-t border-gray-200 pt-6 <%= 'hidden' unless application.oidc? || !application.persisted? %>" data-application-form-target="oidcFields">
    <h3 class="text-base font-semibold text-gray-900">OIDC Configuration</h3>
    <!-- Client Type Selection (only for new applications) -->
    <% unless application.persisted? %>
    <div class="border border-gray-200 rounded-lg p-4 bg-gray-50">
      <h4 class="text-sm font-semibold text-gray-900 mb-3">Client Type</h4>
      <div class="space-y-3">
        <div class="flex items-start">
          <%= form.radio_button :is_public_client, "false", checked: !application.is_public_client, class: "mt-1 h-4 w-4 border-gray-300 text-blue-600 focus:ring-blue-500", data: { action: "change->application-form#updatePkceVisibility" } %>
          <div class="ml-3">
            <label for="application_is_public_client_false" class="block text-sm font-medium text-gray-900">Confidential Client (Recommended)</label>
            <p class="text-sm text-gray-500">Backend server app that can securely store a client secret. Examples: traditional web apps, server-to-server APIs.</p>
          </div>
        </div>
        <div class="flex items-start">
          <%= form.radio_button :is_public_client, "true", checked: application.is_public_client, class: "mt-1 h-4 w-4 border-gray-300 text-blue-600 focus:ring-blue-500", data: { action: "change->application-form#updatePkceVisibility" } %>
          <div class="ml-3">
            <label for="application_is_public_client_true" class="block text-sm font-medium text-gray-900">Public Client</label>
            <p class="text-sm text-gray-500">Frontend-only app that cannot store secrets securely. Examples: SPAs (React/Vue), mobile apps, CLI tools. <strong class="text-amber-600">PKCE is required.</strong></p>
          </div>
        </div>
      </div>
    </div>
    <% else %>
    <!-- Show client type for existing applications (read-only) -->
    <div class="flex items-center gap-2 text-sm">
      <span class="font-medium text-gray-700">Client Type:</span>
      <% if application.public_client? %>
        <span class="inline-flex items-center rounded-md bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-inset ring-amber-600/20">Public Client (PKCE Required)</span>
      <% else %>
        <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700 ring-1 ring-inset ring-green-600/20">Confidential Client</span>
      <% end %>
    </div>
    <% end %>
    <!-- PKCE Requirement (only for confidential clients) -->
    <div id="pkce-options" data-application-form-target="pkceOptions" class="<%= 'hidden' if application.persisted? && application.public_client? %>">
      <div class="flex items-center">
        <%= form.check_box :require_pkce, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
        <%= form.label :require_pkce, "Require PKCE (Proof Key for Code Exchange)", class: "ml-2 block text-sm font-medium text-gray-900" %>
      </div>
      <p class="ml-6 text-sm text-gray-500">
        Recommended for enhanced security (OAuth 2.1 best practice).
        <br><span class="text-xs text-gray-400">Note: Public clients always require PKCE regardless of this setting.</span>
      </p>
    </div>
    <div>
      <%= form.label :redirect_uris, "Redirect URIs", class: "block text-sm font-medium text-gray-700" %>
      <%= form.text_area :redirect_uris, rows: 4, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://example.com/callback\nhttps://app.example.com/auth/callback" %>
      <p class="mt-1 text-sm text-gray-500">One URI per line. These are the allowed callback URLs for your application.</p>
    </div>
    <div>
      <%= form.label :backchannel_logout_uri, "Backchannel Logout URI (Optional)", class: "block text-sm font-medium text-gray-700" %>
      <%= form.url_field :backchannel_logout_uri, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://app.example.com/oidc/backchannel-logout" %>
      <p class="mt-1 text-sm text-gray-500">
        If the application supports OpenID Connect Backchannel Logout, enter the logout endpoint URL.
        When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
        Leave blank if the application doesn't support backchannel logout.
      </p>
    </div>
    <div class="border-t border-gray-200 pt-4 mt-4">
      <h4 class="text-sm font-semibold text-gray-900 mb-3">Token Expiration Settings</h4>
      <p class="text-sm text-gray-500 mb-4">Configure how long tokens remain valid. Shorter times are more secure but require more frequent refreshes.</p>
--- a/app/views/admin/applications/index.html.erb
+++ b/app/views/admin/applications/index.html.erb
@@ -14,7 +14,7 @@
      <table class="min-w-full divide-y divide-gray-300">
        <thead>
          <tr>
-            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Name</th>
+            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Application</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Slug</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Type</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
@@ -28,7 +28,18 @@
          <% @applications.each do |application| %>
            <tr>
              <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-0">
                <div class="flex items-center gap-3">
                  <% if application.icon.attached? %>
                    <%= image_tag application.icon, class: "h-10 w-10 rounded-lg object-cover border border-gray-200 flex-shrink-0", alt: "#{application.name} icon" %>
                  <% else %>
                    <div class="h-10 w-10 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center flex-shrink-0">
                      <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
                      </svg>
                    </div>
                  <% end %>
                  <%= link_to application.name, admin_application_path(application), class: "text-blue-600 hover:text-blue-900" %>
                </div>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <code class="text-xs bg-gray-100 px-2 py-1 rounded"><%= application.slug %></code>
--- a/app/views/admin/applications/show.html.erb
+++ b/app/views/admin/applications/show.html.erb
@@ -1,26 +1,50 @@
 <div class="mb-6">
-  <% if flash[:client_id] && flash[:client_secret] %>
+  <% if flash[:client_id] %>
    <div class="bg-yellow-50 border border-yellow-200 rounded-md p-4 mb-6">
      <h4 class="text-sm font-medium text-yellow-800 mb-2">🔐 OIDC Client Credentials</h4>
      <% if flash[:public_client] %>
        <p class="text-xs text-yellow-700 mb-3">This is a public client. Copy the client ID below.</p>
      <% else %>
        <p class="text-xs text-yellow-700 mb-3">Copy these credentials now. The client secret will not be shown again.</p>
      <% end %>
      <div class="space-y-2">
        <div>
          <span class="text-xs font-medium text-yellow-700">Client ID:</span>
        </div>
        <code class="block bg-yellow-100 px-3 py-2 rounded font-mono text-xs break-all"><%= flash[:client_id] %></code>
        <% if flash[:client_secret] %>
          <div class="mt-3">
            <span class="text-xs font-medium text-yellow-700">Client Secret:</span>
          </div>
          <code class="block bg-yellow-100 px-3 py-2 rounded font-mono text-xs break-all"><%= flash[:client_secret] %></code>
        <% elsif flash[:public_client] %>
          <div class="mt-3">
            <span class="text-xs font-medium text-yellow-700">Client Secret:</span>
          </div>
          <div class="bg-yellow-100 px-3 py-2 rounded text-xs text-yellow-600">
            Public clients do not have a client secret. PKCE is required.
          </div>
        <% end %>
      </div>
    </div>
  <% end %>
-  <div class="sm:flex sm:items-center sm:justify-between">
+  <div class="sm:flex sm:items-start sm:justify-between">
    <div class="flex items-start gap-4">
      <% if @application.icon.attached? %>
        <%= image_tag @application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{@application.name} icon" %>
      <% else %>
        <div class="h-16 w-16 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
          <svg class="h-8 w-8 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
          </svg>
        </div>
      <% end %>
      <div>
        <h1 class="text-2xl font-semibold text-gray-900"><%= @application.name %></h1>
        <p class="mt-1 text-sm text-gray-500"><%= @application.description %></p>
      </div>
    </div>
    <div class="mt-4 sm:mt-0 flex gap-3">
      <%= link_to "Edit", edit_admin_application_path(@application), class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
      <%= button_to "Delete", admin_application_path(@application), method: :delete, data: { turbo_confirm: "Are you sure?" }, class: "rounded-md bg-red-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-red-500" %>
@@ -78,16 +102,40 @@
    <div class="bg-white shadow sm:rounded-lg">
      <div class="px-4 py-5 sm:p-6">
        <div class="flex items-center justify-between mb-4">
-          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Credentials</h3>
+          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Configuration</h3>
          <%= button_to "Regenerate Credentials", regenerate_credentials_admin_application_path(@application), method: :post, data: { turbo_confirm: "This will invalidate the current credentials. Continue?" }, class: "text-sm text-red-600 hover:text-red-900" %>
        </div>
        <dl class="space-y-4">
          <div class="grid grid-cols-2 gap-4">
            <div>
              <dt class="text-sm font-medium text-gray-500">Client Type</dt>
              <dd class="mt-1 text-sm text-gray-900">
                <% if @application.public_client? %>
                  <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Public</span>
                <% else %>
                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Confidential</span>
                <% end %>
              </dd>
            </div>
            <div>
              <dt class="text-sm font-medium text-gray-500">PKCE</dt>
              <dd class="mt-1 text-sm text-gray-900">
                <% if @application.requires_pkce? %>
                  <span class="inline-flex items-center rounded-full bg-green-100 px-2 py-1 text-xs font-medium text-green-700">Required</span>
                <% else %>
                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Optional</span>
                <% end %>
              </dd>
            </div>
          </div>
          <% unless flash[:client_id] %>
            <div>
              <dt class="text-sm font-medium text-gray-500">Client ID</dt>
              <dd class="mt-1 text-sm text-gray-900">
                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.client_id %></code>
              </dd>
            </div>
            <% if @application.confidential_client? %>
              <div>
                <dt class="text-sm font-medium text-gray-500">Client Secret</dt>
                <dd class="mt-1 text-sm text-gray-900">
@@ -99,6 +147,17 @@
                  </p>
                </dd>
              </div>
            <% else %>
              <div>
                <dt class="text-sm font-medium text-gray-500">Client Secret</dt>
                <dd class="mt-1 text-sm text-gray-900">
                  <div class="bg-blue-50 px-3 py-2 rounded text-xs text-blue-600">
                    Public clients do not use a client secret. PKCE is required for authorization.
                  </div>
                </dd>
              </div>
            <% end %>
          <% end %>
          <div>
            <dt class="text-sm font-medium text-gray-500">Redirect URIs</dt>
            <dd class="mt-1 text-sm text-gray-900">
@@ -111,6 +170,27 @@
              <% end %>
            </dd>
          </div>
          <div>
            <dt class="text-sm font-medium text-gray-500">
              Backchannel Logout URI
              <% if @application.supports_backchannel_logout? %>
                <span class="ml-2 inline-flex items-center rounded-full bg-green-100 px-2 py-0.5 text-xs font-medium text-green-700">Enabled</span>
              <% end %>
            </dt>
            <dd class="mt-1 text-sm text-gray-900">
              <% if @application.backchannel_logout_uri.present? %>
                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.backchannel_logout_uri %></code>
                <p class="mt-2 text-xs text-gray-500">
                  When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
                </p>
              <% else %>
                <span class="text-gray-400 italic">Not configured</span>
                <p class="mt-1 text-xs text-gray-500">
                  Backchannel logout is optional. Configure it if the application supports OpenID Connect Backchannel Logout.
                </p>
              <% end %>
            </dd>
          </div>
        </dl>
      </div>
    </div>
--- a/app/views/admin/users/_application_claims.html.erb
+++ b/app/views/admin/users/_application_claims.html.erb
@@ -0,0 +1,185 @@
 <% oidc_apps = applications.select(&:oidc?) %>
 <% forward_auth_apps = applications.select(&:forward_auth?) %>
 <!-- OIDC Apps: Custom Claims -->
 <% if oidc_apps.any? %>
  <div class="mt-12 border-t pt-8">
    <h2 class="text-xl font-semibold text-gray-900 mb-4">OIDC App-Specific Claims</h2>
    <p class="text-sm text-gray-600 mb-6">
      Configure custom claims that apply only to specific OIDC applications. These override both group and user global claims and are included in ID tokens.
    </p>
    <div class="space-y-6">
      <% oidc_apps.each do |app| %>
        <% app_claim = user.application_user_claims.find_by(application: app) %>
        <details class="border rounded-lg" <%= "open" if app_claim&.custom_claims&.any? %>>
          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
            <div class="flex items-center gap-3">
              <span class="font-medium text-gray-900"><%= app.name %></span>
              <span class="text-xs px-2 py-1 rounded-full bg-blue-100 text-blue-700">
                OIDC
              </span>
              <% if app_claim&.custom_claims&.any? %>
                <span class="text-xs px-2 py-1 rounded-full bg-amber-100 text-amber-700">
                  <%= app_claim.custom_claims.keys.count %> claim(s)
                </span>
              <% end %>
            </div>
            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
            </svg>
          </summary>
          <div class="p-4 space-y-4">
            <%= form_with url: update_application_claims_admin_user_path(user), method: :post, class: "space-y-4", data: { controller: "json-validator" } do |form| %>
              <%= hidden_field_tag :application_id, app.id %>
              <div>
                <label class="block text-sm font-medium text-gray-700 mb-2">Custom Claims (JSON)</label>
                <%= text_area_tag :custom_claims,
                    (app_claim&.custom_claims.present? ? JSON.pretty_generate(app_claim.custom_claims) : ""),
                    rows: 8,
                    class: "w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
                    placeholder: '{"kavita_groups": ["admin"], "library_access": "all"}',
                    data: {
                      action: "input->json-validator#validate blur->json-validator#format",
                      json_validator_target: "textarea"
                    } %>
                <div class="mt-2 space-y-1">
                  <p class="text-xs text-gray-600">
                    Example for <%= app.name %>: Add claims that this app specifically needs to read.
                  </p>
                  <p class="text-xs text-amber-600">
                    <strong>Note:</strong> Do not use reserved claim names (<code class="bg-amber-50 px-1 rounded">groups</code>, <code class="bg-amber-50 px-1 rounded">email</code>, <code class="bg-amber-50 px-1 rounded">name</code>, etc.). Use app-specific names like <code class="bg-amber-50 px-1 rounded">kavita_groups</code> instead.
                  </p>
                  <div data-json-validator-target="status" class="text-xs font-medium"></div>
                </div>
              </div>
              <div class="flex gap-3">
                <%= button_tag type: :submit, class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500" do %>
                  <%= app_claim ? "Update" : "Add" %> Claims
                <% end %>
                <% if app_claim %>
                  <%= button_to "Remove Override",
                      delete_application_claims_admin_user_path(user, application_id: app.id),
                      method: :delete,
                      data: { turbo_confirm: "Remove app-specific claims for #{app.name}?" },
                      class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
                <% end %>
              </div>
            <% end %>
            <!-- Preview merged claims -->
            <div class="mt-4 border-t pt-4">
              <h4 class="text-sm font-medium text-gray-700 mb-2">Preview: Final ID Token Claims for <%= app.name %></h4>
              <div class="bg-gray-50 rounded-lg p-3">
                <pre class="text-xs font-mono text-gray-800 overflow-x-auto"><%= JSON.pretty_generate(preview_user_claims(user, app)) %></pre>
              </div>
              <details class="mt-2">
                <summary class="cursor-pointer text-xs text-gray-600 hover:text-gray-900">Show claim sources</summary>
                <div class="mt-2 space-y-1">
                  <% claim_sources(user, app).each do |source| %>
                    <div class="flex gap-2 items-start text-xs">
                      <span class="px-2 py-1 rounded <%= source[:type] == :group ? 'bg-blue-100 text-blue-700' : (source[:type] == :user ? 'bg-green-100 text-green-700' : 'bg-amber-100 text-amber-700') %>">
                        <%= source[:name] %>
                      </span>
                      <code class="text-gray-700"><%= source[:claims].to_json %></code>
                    </div>
                  <% end %>
                </div>
              </details>
            </div>
          </div>
        </details>
      <% end %>
    </div>
  </div>
 <% end %>
 <!-- ForwardAuth Apps: Headers Preview -->
 <% if forward_auth_apps.any? %>
  <div class="mt-12 border-t pt-8">
    <h2 class="text-xl font-semibold text-gray-900 mb-4">ForwardAuth Headers Preview</h2>
    <p class="text-sm text-gray-600 mb-6">
      ForwardAuth applications receive HTTP headers (not OIDC tokens). Headers are based on user's email, name, groups, and admin status.
    </p>
    <div class="space-y-6">
      <% forward_auth_apps.each do |app| %>
        <details class="border rounded-lg">
          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
            <div class="flex items-center gap-3">
              <span class="font-medium text-gray-900"><%= app.name %></span>
              <span class="text-xs px-2 py-1 rounded-full bg-green-100 text-green-700">
                FORWARD AUTH
              </span>
              <span class="text-xs text-gray-500">
                <%= app.domain_pattern %>
              </span>
            </div>
            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
            </svg>
          </summary>
          <div class="p-4 space-y-4">
            <div class="bg-blue-50 border border-blue-200 rounded-lg p-3">
              <div class="flex items-start">
                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0 mt-0.5" fill="currentColor" viewBox="0 0 20 20">
                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
                </svg>
              </div>
            </div>
            <div>
              <h4 class="text-sm font-medium text-gray-700 mb-2">Headers Sent to <%= app.name %></h4>
              <div class="bg-gray-50 rounded-lg p-3 border">
                <% headers = app.headers_for_user(user) %>
                <% if headers.any? %>
                  <dl class="space-y-2 text-xs font-mono">
                    <% headers.each do |header_name, value| %>
                      <div class="flex">
                        <dt class="text-blue-600 font-semibold w-48"><%= header_name %>:</dt>
                        <dd class="text-gray-800 flex-1"><%= value %></dd>
                      </div>
                    <% end %>
                  </dl>
                <% else %>
                  <p class="text-xs text-gray-500 italic">All headers disabled for this application.</p>
                <% end %>
              </div>
              <p class="mt-2 text-xs text-gray-500">
                These headers are configured in the application settings and sent by your reverse proxy (Caddy/Traefik) to the upstream application.
              </p>
            </div>
            <% if user.groups.any? %>
              <div>
                <h4 class="text-sm font-medium text-gray-700 mb-2">User's Groups</h4>
                <div class="flex flex-wrap gap-2">
                  <% user.groups.each do |group| %>
                    <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-blue-100 text-blue-800">
                      <%= group.name %>
                    </span>
                  <% end %>
                </div>
              </div>
            <% end %>
          </div>
        </details>
      <% end %>
    </div>
  </div>
 <% end %>
 <% if oidc_apps.empty? && forward_auth_apps.empty? %>
  <div class="mt-12 border-t pt-8">
    <div class="text-center py-12 bg-gray-50 rounded-lg">
      <p class="text-gray-500">No active applications found.</p>
      <p class="text-sm text-gray-400 mt-1">Create applications in the Admin panel first.</p>
    </div>
  </div>
 <% end %>
--- a/app/views/admin/users/_form.html.erb
+++ b/app/views/admin/users/_form.html.erb
@@ -6,10 +6,16 @@
    <%= form.email_field :email_address, required: true, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "user@example.com" %>
  </div>
  <div>
    <%= form.label :username, "Username (Optional)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_field :username, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "jsmith" %>
    <p class="mt-1 text-sm text-gray-500">Optional: Short username/handle for login. Can only contain letters, numbers, underscores, and hyphens.</p>
  </div>
  <div>
    <%= form.label :name, "Display Name (Optional)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_field :name, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "John Smith" %>
-    <p class="mt-1 text-sm text-gray-500">Optional: Name shown in applications. Defaults to email address if not set.</p>
+    <p class="mt-1 text-sm text-gray-500">Optional: Full name shown in applications. Defaults to email address if not set.</p>
  </div>
  <div>
@@ -35,6 +41,25 @@
    <% end %>
  </div>
  <div>
    <div class="flex items-center">
      <%= form.check_box :totp_required, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
      <%= form.label :totp_required, "Require Two-Factor Authentication", class: "ml-2 block text-sm text-gray-900" %>
      <% if user.totp_required? && !user.totp_enabled? %>
        <span class="ml-2 text-xs text-amber-600">(User has not set up 2FA yet)</span>
      <% end %>
    </div>
    <% if user.totp_required? && !user.totp_enabled? %>
      <p class="mt-1 text-sm text-amber-600">
        <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
          <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
        </svg>
        Warning: This user will be prompted to set up 2FA on their next login.
      </p>
    <% end %>
    <p class="mt-1 text-sm text-gray-500">When enabled, this user must use two-factor authentication to sign in.</p>
  </div>
  <div data-controller="json-validator" data-json-validator-valid-class="border-green-500 focus:border-green-500 focus:ring-green-500" data-json-validator-invalid-class="border-red-500 focus:border-red-500 focus:ring-red-500" data-json-validator-valid-status-class="text-green-600" data-json-validator-invalid-status-class="text-red-600">
    <%= form.label :custom_claims, "Custom Claims (JSON)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_area :custom_claims, value: (user.custom_claims.present? ? JSON.pretty_generate(user.custom_claims) : ""), rows: 8,
--- a/app/views/admin/users/edit.html.erb
+++ b/app/views/admin/users/edit.html.erb
@@ -1,5 +1,12 @@
-<div class="max-w-2xl">
+<div class="max-w-4xl">
  <h1 class="text-2xl font-semibold text-gray-900 mb-6">Edit User</h1>
  <p class="text-sm text-gray-600 mb-6">Editing: <%= @user.email_address %></p>
  <div class="max-w-2xl">
    <%= render "form", user: @user %>
  </div>
  <% if @user.persisted? %>
    <%= render "application_claims", user: @user, applications: @applications %>
  <% end %>
 </div>
--- a/app/views/admin/users/index.html.erb
+++ b/app/views/admin/users/index.html.erb
@@ -85,15 +85,20 @@
                <% end %>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <div class="flex items-center gap-2">
                  <% if user.totp_enabled? %>
-                  <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Enabled">
                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
                    </svg>
                  <% else %>
-                  <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Not Enabled">
                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
                    </svg>
                  <% end %>
                  <% if user.totp_required? %>
                    <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700" title="2FA Required by Admin">Required</span>
                  <% end %>
                </div>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <%= user.groups.count %>
--- a/app/views/dashboard/index.html.erb
+++ b/app/views/dashboard/index.html.erb
@@ -102,11 +102,22 @@
      <% @applications.each do |app| %>
        <div class="bg-white rounded-lg border border-gray-200 shadow-sm hover:shadow-md transition">
          <div class="p-6">
-            <div class="flex items-center justify-between mb-3">
+            <div class="flex items-start gap-3 mb-4">
              <% if app.icon.attached? %>
                <%= image_tag app.icon, class: "h-12 w-12 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{app.name} icon" %>
              <% else %>
                <div class="h-12 w-12 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
                  <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
                  </svg>
                </div>
              <% end %>
              <div class="flex-1 min-w-0">
                <div class="flex items-start justify-between">
                  <h3 class="text-lg font-semibold text-gray-900 truncate">
                    <%= app.name %>
                  </h3>
-              <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium
+                  <span class="ml-2 inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium shrink-0
                    <% if app.oidc? %>
                      bg-blue-100 text-blue-800
                    <% else %>
@@ -115,15 +126,15 @@
                    <%= app.app_type.humanize %>
                  </span>
                </div>
-
+                <% if app.description.present? %>
-            <p class="text-sm text-gray-600 mb-4">
+                  <p class="text-sm text-gray-600 mt-1 line-clamp-2">
-              <% if app.oidc? %>
+                    <%= app.description %>
                OIDC Application
              <% else %>
                ForwardAuth Protected Application
              <% end %>
                  </p>
                <% end %>
              </div>
            </div>
            <div class="space-y-2">
              <% if app.landing_url.present? %>
                <%= link_to "Open Application", app.landing_url,
                    target: "_blank",
@@ -134,6 +145,13 @@
                  No landing URL configured
                </div>
              <% end %>
              <% if app.user_has_active_session?(@user) %>
                <%= button_to "Logout", logout_from_app_active_sessions_path(application_id: app.id), method: :delete,
                    class: "w-full flex justify-center items-center px-4 py-2 border border-orange-300 text-sm font-medium rounded-md text-orange-700 bg-white hover:bg-orange-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-orange-500 transition",
                    form: { data: { turbo_confirm: "This will log you out of #{app.name}. You can sign back in without re-authorizing. Continue?" } } %>
              <% end %>
            </div>
          </div>
        </div>
      <% end %>
--- a/app/views/oidc/consent.html.erb
+++ b/app/views/oidc/consent.html.erb
@@ -1,6 +1,15 @@
 <div class="mx-auto max-w-md">
  <div class="bg-white py-8 px-6 shadow rounded-lg sm:px-10">
-    <div class="mb-8">
+    <div class="mb-8 text-center">
      <% if @application.icon.attached? %>
        <%= image_tag @application.icon, class: "mx-auto h-20 w-20 rounded-xl object-cover border-2 border-gray-200 shadow-sm mb-4", alt: "#{@application.name} icon" %>
      <% else %>
        <div class="mx-auto h-20 w-20 rounded-xl bg-gray-100 border-2 border-gray-200 flex items-center justify-center mb-4">
          <svg class="h-10 w-10 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
          </svg>
        </div>
      <% end %>
      <h2 class="text-2xl font-bold text-gray-900">Authorize Application</h2>
      <p class="mt-2 text-sm text-gray-600">
        <strong><%= @application.name %></strong> is requesting access to your account.
--- a/app/views/profiles/show.html.erb
+++ b/app/views/profiles/show.html.erb
@@ -31,6 +31,15 @@
                class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
          </div>
          <div>
            <%= form.label :current_password, "Current Password", class: "block text-sm font-medium text-gray-700" %>
            <%= form.password_field :current_password,
                autocomplete: "current-password",
                placeholder: "Required to change email",
                class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
            <p class="mt-1 text-sm text-gray-500">Enter your current password to confirm this change</p>
          </div>
          <div>
            <%= form.submit "Update Email", class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
          </div>
@@ -98,9 +107,37 @@
                <p class="text-sm font-medium text-green-800">
                  Two-factor authentication is enabled
                </p>
                <% if @user.totp_required? %>
                  <p class="mt-1 text-sm text-green-700">
                    <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
                      <path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd" />
                    </svg>
                    Required by administrator
                  </p>
                <% end %>
              </div>
            </div>
          </div>
          <% if @user.totp_required? %>
            <div class="mt-4 rounded-md bg-blue-50 p-4">
              <div class="flex">
                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0" viewBox="0 0 20 20" fill="currentColor">
                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
                </svg>
                <p class="text-sm text-blue-800">
                  Your administrator requires two-factor authentication. You cannot disable it.
                </p>
              </div>
            </div>
            <div class="mt-4 flex gap-3">
              <button type="button"
                      data-action="click->modal#show"
                      data-modal-id="view-backup-codes-modal"
                      class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
                View Backup Codes
              </button>
            </div>
          <% else %>
            <div class="mt-4 flex gap-3">
              <button type="button"
                      data-action="click->modal#show"
@@ -115,6 +152,7 @@
                View Backup Codes
              </button>
            </div>
          <% end %>
        <% else %>
          <%= link_to new_totp_path, class: "inline-flex items-center rounded-md border border-transparent bg-blue-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" do %>
            Enable 2FA
--- a/app/views/shared/_flash.html.erb
+++ b/app/views/shared/_flash.html.erb
@@ -1,6 +1,8 @@
 <%# Enhanced Flash Messages with Support for Multiple Types and Auto-Dismiss %>
 <% flash.each do |type, message| %>
  <% next if message.blank? %>
  <%# Skip credential-related flash messages - they're displayed in a special credentials box %>
  <% next if %w[client_id client_secret public_client].include?(type.to_s) %>
  <%
    # Map flash types to styling
--- a/app/views/totp/backup_codes.html.erb
+++ b/app/views/totp/backup_codes.html.erb
@@ -45,8 +45,13 @@
      </div>
      <div class="mt-8">
        <% if @auto_signin_pending %>
          <%= button_to "Continue to Sign In", complete_totp_setup_path, method: :post,
              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
        <% else %>
          <%= link_to "Done", profile_path,
              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
        <% end %>
      </div>
    </div>
  </div>
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -30,6 +30,14 @@ Rails.application.configure do
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true
  # Additional security headers (beyond Rails defaults)
  # Note: Rails already sets X-Content-Type-Options: nosniff by default
  # Note: Permissions-Policy is configured in config/initializers/permissions_policy.rb
  config.action_dispatch.default_headers.merge!(
    'X-Frame-Options' => 'DENY',  # Override default SAMEORIGIN to prevent clickjacking
    'Referrer-Policy' => 'strict-origin-when-cross-origin'  # Control referrer information
  )
  # Skip http-to-https redirect for the default health check endpoint.
  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
@@ -49,8 +57,8 @@ Rails.application.configure do
  # Replace the default in-process memory cache store with a durable alternative.
  config.cache_store = :solid_cache_store
-  # Use async processor for background jobs (modify as needed for production)
+  # Use Solid Queue for background jobs
-  config.active_job.queue_adapter = :async
+  config.active_job.queue_adapter = :solid_queue
  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@@ -0,0 +1,28 @@
 # ActiveRecord Encryption Configuration
 # Encryption keys derived from SECRET_KEY_BASE (no separate key storage needed)
 # Used for encrypting sensitive columns (currently: TOTP secrets)
 #
 # Optional: Override with env vars (for key rotation or explicit key management):
 #   - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
 #   - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 # Use env vars if set, otherwise derive from SECRET_KEY_BASE (deterministic)
 primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY') do
  Rails.application.key_generator.generate_key('active_record_encryption_primary', 32)
 end
 deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY') do
  Rails.application.key_generator.generate_key('active_record_encryption_deterministic', 32)
 end
 key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT') do
  Rails.application.key_generator.generate_key('active_record_encryption_salt', 32)
 end
 # Configure Rails 7.1+ ActiveRecord encryption
 Rails.application.config.active_record.encryption.primary_key = primary_key
 Rails.application.config.active_record.encryption.deterministic_key = deterministic_key
 Rails.application.config.active_record.encryption.key_derivation_salt = key_derivation_salt
 # Allow unencrypted data for existing records (new/updated records will be encrypted)
 # Set to false after all existing encrypted columns have been migrated
 Rails.application.config.active_record.encryption.support_unencrypted_data = true
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@@ -0,0 +1,14 @@
 # Configure ActiveStorage content type resolution
 Rails.application.config.after_initialize do
  # Ensure SVG files are served with the correct content type
  ActiveStorage::Blob.class_eval do
    def content_type_for_serving
      # Override content type for SVG files
      if filename.extension == "svg" && content_type == "application/octet-stream"
        "image/svg+xml"
      else
        content_type
      end
    end
  end
 end
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@@ -0,0 +1,19 @@
 # Configure the Permissions-Policy header
 # See https://api.rubyonrails.org/classes/ActionDispatch/PermissionsPolicy.html
 Rails.application.config.permissions_policy do |f|
  # Disable sensitive browser features for security
  f.camera           :none
  f.gyroscope        :none
  f.microphone       :none
  f.payment          :none
  f.usb              :none
  f.magnetometer     :none
  # You can enable specific features as needed:
  # f.fullscreen      :self
  # f.geolocation     :self
  # You can also allow specific origins:
  # f.payment         :self, "https://secure.example.com"
 end
--- a/config/initializers/token_hmac.rb
+++ b/config/initializers/token_hmac.rb
@@ -0,0 +1,7 @@
 # Token HMAC key derivation
 # This key is used to compute HMAC-based token prefixes for fast lookup
 # Derived from SECRET_KEY_BASE - no storage needed, deterministic output
 # Optional: Set OIDC_TOKEN_PREFIX_HMAC env var to override with explicit key
 module TokenHmac
  KEY = ENV['OIDC_TOKEN_PREFIX_HMAC'] || Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
 end
--- a/config/initializers/version.rb
+++ b/config/initializers/version.rb
@@ -0,0 +1,5 @@
 # frozen_string_literal: true
 module Clinch
  VERSION = "0.8.1"
 end
--- a/config/recurring.yml
+++ b/config/recurring.yml
@@ -0,0 +1,17 @@
 # Solid Queue Recurring Jobs Configuration
 # This file defines scheduled/cron-like jobs that run periodically
 production:
  oidc_token_cleanup:
    class: OidcTokenCleanupJob
    schedule: "0 3 * * *"  # Run daily at 3:00 AM
    queue: default
 development:
  oidc_token_cleanup:
    class: OidcTokenCleanupJob
    schedule: "0 3 * * *"  # Run daily at 3:00 AM
    queue: default
 test:
  # No recurring jobs in test environment
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -49,6 +49,7 @@ Rails.application.routes.draw do
  end
  resource :active_sessions, only: [:show] do
    member do
      delete :logout_from_app
      delete :revoke_consent
      delete :revoke_all_consents
    end
@@ -67,6 +68,7 @@ Rails.application.routes.draw do
  post '/totp/verify_password', to: 'totp#verify_password', as: :verify_password_totp
  get '/totp/regenerate_backup_codes', to: 'totp#regenerate_backup_codes', as: :regenerate_backup_codes_totp
  post '/totp/regenerate_backup_codes', to: 'totp#create_new_backup_codes', as: :create_new_backup_codes_totp
  post '/totp/complete_setup', to: 'totp#complete_setup', as: :complete_totp_setup
  # WebAuthn (Passkeys) routes
  get '/webauthn/new', to: 'webauthn#new', as: :new_webauthn
@@ -81,6 +83,8 @@ Rails.application.routes.draw do
    resources :users do
      member do
        post :resend_invitation
        post :update_application_claims
        delete :delete_application_claims
      end
    end
    resources :applications do
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -4,7 +4,7 @@ test:
 local:
  service: Disk
-  root: <%= Rails.root.join("storage") %>
+  root: <%= Rails.root.join("storage/uploads") %>
 # Use bin/rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
 # amazon:
--- a/db/migrate/20251122235519_add_sid_to_oidc_user_consent.rb
+++ b/db/migrate/20251122235519_add_sid_to_oidc_user_consent.rb
@@ -0,0 +1,15 @@
 class AddSidToOidcUserConsent < ActiveRecord::Migration[8.1]
  def change
    add_column :oidc_user_consents, :sid, :string
    add_index :oidc_user_consents, :sid
    # Generate UUIDs for existing consent records
    reversible do |dir|
      dir.up do
        OidcUserConsent.where(sid: nil).find_each do |consent|
          consent.update_column(:sid, SecureRandom.uuid)
        end
      end
    end
  end
 end
--- a/db/migrate/20251123052026_create_application_user_claims.rb
+++ b/db/migrate/20251123052026_create_application_user_claims.rb
@@ -0,0 +1,13 @@
 class CreateApplicationUserClaims < ActiveRecord::Migration[8.1]
  def change
    create_table :application_user_claims do |t|
      t.references :application, null: false, foreign_key: { on_delete: :cascade }
      t.references :user, null: false, foreign_key: { on_delete: :cascade }
      t.json :custom_claims, default: {}, null: false
      t.timestamps
    end
    add_index :application_user_claims, [:application_id, :user_id], unique: true, name: 'index_app_user_claims_unique'
  end
 end
--- a/db/migrate/20251125012446_add_username_to_users.rb
+++ b/db/migrate/20251125012446_add_username_to_users.rb
@@ -0,0 +1,6 @@
 class AddUsernameToUsers < ActiveRecord::Migration[8.1]
  def change
    add_column :users, :username, :string
    add_index :users, :username, unique: true
  end
 end
--- a/db/migrate/20251125063248_create_active_storage_tables.active_storage.rb
+++ b/db/migrate/20251125063248_create_active_storage_tables.active_storage.rb
@@ -0,0 +1,57 @@
 # This migration comes from active_storage (originally 20170806125915)
 class CreateActiveStorageTables < ActiveRecord::Migration[7.0]
  def change
    # Use Active Record's configured type for primary and foreign keys
    primary_key_type, foreign_key_type = primary_and_foreign_key_types
    create_table :active_storage_blobs, id: primary_key_type do |t|
      t.string   :key,          null: false
      t.string   :filename,     null: false
      t.string   :content_type
      t.text     :metadata
      t.string   :service_name, null: false
      t.bigint   :byte_size,    null: false
      t.string   :checksum
      if connection.supports_datetime_with_precision?
        t.datetime :created_at, precision: 6, null: false
      else
        t.datetime :created_at, null: false
      end
      t.index [ :key ], unique: true
    end
    create_table :active_storage_attachments, id: primary_key_type do |t|
      t.string     :name,     null: false
      t.references :record,   null: false, polymorphic: true, index: false, type: foreign_key_type
      t.references :blob,     null: false, type: foreign_key_type
      if connection.supports_datetime_with_precision?
        t.datetime :created_at, precision: 6, null: false
      else
        t.datetime :created_at, null: false
      end
      t.index [ :record_type, :record_id, :name, :blob_id ], name: :index_active_storage_attachments_uniqueness, unique: true
      t.foreign_key :active_storage_blobs, column: :blob_id
    end
    create_table :active_storage_variant_records, id: primary_key_type do |t|
      t.belongs_to :blob, null: false, index: false, type: foreign_key_type
      t.string :variation_digest, null: false
      t.index [ :blob_id, :variation_digest ], name: :index_active_storage_variant_records_uniqueness, unique: true
      t.foreign_key :active_storage_blobs, column: :blob_id
    end
  end
  private
    def primary_and_foreign_key_types
      config = Rails.configuration.generators
      setting = config.options[config.orm][:primary_key_type]
      primary_key_type = setting || :primary_key
      foreign_key_type = setting || :bigint
      [ primary_key_type, foreign_key_type ]
    end
 end
--- a/db/migrate/20251125081147_add_backchannel_logout_uri_to_applications.rb
+++ b/db/migrate/20251125081147_add_backchannel_logout_uri_to_applications.rb
@@ -0,0 +1,5 @@
 class AddBackchannelLogoutUriToApplications < ActiveRecord::Migration[8.1]
  def change
    add_column :applications, :backchannel_logout_uri, :string
  end
 end
--- a/db/migrate/20251229220739_add_token_prefix_to_tokens.rb
+++ b/db/migrate/20251229220739_add_token_prefix_to_tokens.rb
@@ -0,0 +1,42 @@
 class AddTokenPrefixToTokens < ActiveRecord::Migration[8.1]
  def up
    add_column :oidc_access_tokens, :token_prefix, :string, limit: 8
    add_column :oidc_refresh_tokens, :token_prefix, :string, limit: 8
    # Backfill existing tokens with prefix and digest
    say_with_time "Backfilling token prefixes and digests..." do
      [OidcAccessToken, OidcRefreshToken].each do |klass|
        klass.reset_column_information  # Ensure Rails knows about new column
        klass.where(token_prefix: nil).find_each do |token|
          next unless token.token.present?
          updates = {}
          # Compute HMAC prefix
          prefix = klass.compute_token_prefix(token.token)
          updates[:token_prefix] = prefix if prefix.present?
          # Backfill digest if missing
          if token.token_digest.nil?
            updates[:token_digest] = BCrypt::Password.create(token.token)
          end
          token.update_columns(updates) if updates.any?
        end
        say "  #{klass.name}: #{klass.where.not(token_prefix: nil).count} tokens backfilled"
      end
    end
    add_index :oidc_access_tokens, :token_prefix
    add_index :oidc_refresh_tokens, :token_prefix
  end
  def down
    remove_index :oidc_access_tokens, :token_prefix
    remove_index :oidc_refresh_tokens, :token_prefix
    remove_column :oidc_access_tokens, :token_prefix
    remove_column :oidc_refresh_tokens, :token_prefix
  end
 end
--- a/db/migrate/20251230005248_remove_plaintext_token_from_oidc_access_tokens.rb
+++ b/db/migrate/20251230005248_remove_plaintext_token_from_oidc_access_tokens.rb
@@ -0,0 +1,10 @@
 class RemovePlaintextTokenFromOidcAccessTokens < ActiveRecord::Migration[8.1]
  def change
    # Remove the unique index first
    remove_index :oidc_access_tokens, :token, if_exists: true
    # Remove the plaintext token column - no longer needed
    # Tokens are now stored as BCrypt-hashed token_digest with HMAC token_prefix
    remove_column :oidc_access_tokens, :token, :string
  end
 end
--- a/db/migrate/20251230073656_add_pkce_options_to_applications.rb
+++ b/db/migrate/20251230073656_add_pkce_options_to_applications.rb
@@ -0,0 +1,14 @@
 class AddPkceOptionsToApplications < ActiveRecord::Migration[8.1]
  def change
    # Add require_pkce column for confidential clients
    # Default true for new apps (secure by default), existing apps will be false
    add_column :applications, :require_pkce, :boolean, default: true, null: false
    # Set existing applications to not require PKCE (backwards compatibility)
    reversible do |dir|
      dir.up do
        execute "UPDATE applications SET require_pkce = false WHERE id > 0"
      end
    end
  end
 end
--- a/db/migrate/20251231043838_rename_code_to_code_hmac_and_add_token_hmac.rb
+++ b/db/migrate/20251231043838_rename_code_to_code_hmac_and_add_token_hmac.rb
@@ -0,0 +1,20 @@
 class RenameCodeToCodeHmacAndAddTokenHmac < ActiveRecord::Migration[8.1]
  def change
    # Authorization codes: rename code to code_hmac
    rename_column :oidc_authorization_codes, :code, :code_hmac
    # Access tokens: add token_hmac, remove old columns
    add_column :oidc_access_tokens, :token_hmac, :string
    add_index :oidc_access_tokens, :token_hmac, unique: true
    remove_column :oidc_access_tokens, :token_prefix
    remove_column :oidc_access_tokens, :token_digest
    # Refresh tokens: add token_hmac, remove old columns
    add_column :oidc_refresh_tokens, :token_hmac, :string
    add_index :oidc_refresh_tokens, :token_hmac, unique: true
    remove_column :oidc_refresh_tokens, :token_prefix
    remove_column :oidc_refresh_tokens, :token_digest
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,35 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
+ActiveRecord::Schema[8.1].define(version: 2025_12_31_043838) do
  create_table "active_storage_attachments", force: :cascade do |t|
    t.bigint "blob_id", null: false
    t.datetime "created_at", null: false
    t.string "name", null: false
    t.bigint "record_id", null: false
    t.string "record_type", null: false
    t.index ["blob_id"], name: "index_active_storage_attachments_on_blob_id"
    t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true
  end
  create_table "active_storage_blobs", force: :cascade do |t|
    t.bigint "byte_size", null: false
    t.string "checksum"
    t.string "content_type"
    t.datetime "created_at", null: false
    t.string "filename", null: false
    t.string "key", null: false
    t.text "metadata"
    t.string "service_name", null: false
    t.index ["key"], name: "index_active_storage_blobs_on_key", unique: true
  end
  create_table "active_storage_variant_records", force: :cascade do |t|
    t.bigint "blob_id", null: false
    t.string "variation_digest", null: false
    t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
  end
  create_table "application_groups", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false
@@ -21,10 +49,22 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.index ["group_id"], name: "index_application_groups_on_group_id"
  end
  create_table "application_user_claims", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false
    t.json "custom_claims", default: {}, null: false
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id", "user_id"], name: "index_app_user_claims_unique", unique: true
    t.index ["application_id"], name: "index_application_user_claims_on_application_id"
    t.index ["user_id"], name: "index_application_user_claims_on_user_id"
  end
  create_table "applications", force: :cascade do |t|
    t.integer "access_token_ttl", default: 3600
    t.boolean "active", default: true, null: false
    t.string "app_type", null: false
    t.string "backchannel_logout_uri"
    t.string "client_id"
    t.string "client_secret_digest"
    t.datetime "created_at", null: false
@@ -37,6 +77,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.string "name", null: false
    t.text "redirect_uris"
    t.integer "refresh_token_ttl", default: 2592000
    t.boolean "require_pkce", default: true, null: false
    t.string "slug", null: false
    t.datetime "updated_at", null: false
    t.index ["active"], name: "index_applications_on_active"
@@ -60,24 +101,22 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.datetime "expires_at", null: false
    t.datetime "revoked_at"
    t.string "scope"
-    t.string "token"
+    t.string "token_hmac"
    t.string "token_digest"
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id", "user_id"], name: "index_oidc_access_tokens_on_application_id_and_user_id"
    t.index ["application_id"], name: "index_oidc_access_tokens_on_application_id"
    t.index ["expires_at"], name: "index_oidc_access_tokens_on_expires_at"
    t.index ["revoked_at"], name: "index_oidc_access_tokens_on_revoked_at"
-    t.index ["token"], name: "index_oidc_access_tokens_on_token", unique: true
+    t.index ["token_hmac"], name: "index_oidc_access_tokens_on_token_hmac", unique: true
    t.index ["token_digest"], name: "index_oidc_access_tokens_on_token_digest", unique: true
    t.index ["user_id"], name: "index_oidc_access_tokens_on_user_id"
  end
  create_table "oidc_authorization_codes", force: :cascade do |t|
    t.integer "application_id", null: false
    t.string "code", null: false
    t.string "code_challenge"
    t.string "code_challenge_method"
    t.string "code_hmac", null: false
    t.datetime "created_at", null: false
    t.datetime "expires_at", null: false
    t.string "nonce"
@@ -88,8 +127,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.integer "user_id", null: false
    t.index ["application_id", "user_id"], name: "index_oidc_authorization_codes_on_application_id_and_user_id"
    t.index ["application_id"], name: "index_oidc_authorization_codes_on_application_id"
    t.index ["code"], name: "index_oidc_authorization_codes_on_code", unique: true
    t.index ["code_challenge"], name: "index_oidc_authorization_codes_on_code_challenge"
    t.index ["code_hmac"], name: "index_oidc_authorization_codes_on_code_hmac", unique: true
    t.index ["expires_at"], name: "index_oidc_authorization_codes_on_expires_at"
    t.index ["user_id"], name: "index_oidc_authorization_codes_on_user_id"
  end
@@ -101,8 +140,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.integer "oidc_access_token_id", null: false
    t.datetime "revoked_at"
    t.string "scope"
    t.string "token_digest", null: false
    t.integer "token_family_id"
    t.string "token_hmac"
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id", "user_id"], name: "index_oidc_refresh_tokens_on_application_id_and_user_id"
@@ -110,8 +149,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.index ["expires_at"], name: "index_oidc_refresh_tokens_on_expires_at"
    t.index ["oidc_access_token_id"], name: "index_oidc_refresh_tokens_on_oidc_access_token_id"
    t.index ["revoked_at"], name: "index_oidc_refresh_tokens_on_revoked_at"
    t.index ["token_digest"], name: "index_oidc_refresh_tokens_on_token_digest", unique: true
    t.index ["token_family_id"], name: "index_oidc_refresh_tokens_on_token_family_id"
    t.index ["token_hmac"], name: "index_oidc_refresh_tokens_on_token_hmac", unique: true
    t.index ["user_id"], name: "index_oidc_refresh_tokens_on_user_id"
  end
@@ -120,10 +159,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.datetime "created_at", null: false
    t.datetime "granted_at", null: false
    t.text "scopes_granted", null: false
    t.string "sid"
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id"], name: "index_oidc_user_consents_on_application_id"
    t.index ["granted_at"], name: "index_oidc_user_consents_on_granted_at"
    t.index ["sid"], name: "index_oidc_user_consents_on_sid"
    t.index ["user_id", "application_id"], name: "index_oidc_user_consents_on_user_id_and_application_id", unique: true
    t.index ["user_id"], name: "index_oidc_user_consents_on_user_id"
  end
@@ -167,10 +208,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.boolean "totp_required", default: false, null: false
    t.string "totp_secret"
    t.datetime "updated_at", null: false
    t.string "username"
    t.string "webauthn_id"
    t.boolean "webauthn_required", default: false, null: false
    t.index ["email_address"], name: "index_users_on_email_address", unique: true
    t.index ["status"], name: "index_users_on_status"
    t.index ["username"], name: "index_users_on_username", unique: true
    t.index ["webauthn_id"], name: "index_users_on_webauthn_id", unique: true
  end
@@ -196,8 +239,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.index ["user_id"], name: "index_webauthn_credentials_on_user_id"
  end
  add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
  add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
  add_foreign_key "application_groups", "applications"
  add_foreign_key "application_groups", "groups"
  add_foreign_key "application_user_claims", "applications", on_delete: :cascade
  add_foreign_key "application_user_claims", "users", on_delete: :cascade
  add_foreign_key "oidc_access_tokens", "applications"
  add_foreign_key "oidc_access_tokens", "users"
  add_foreign_key "oidc_authorization_codes", "applications"
--- a/docs/backchannel-logout.md
+++ b/docs/backchannel-logout.md
@@ -0,0 +1,316 @@
 # OpenID Connect Backchannel Logout
 ## Overview
 Backchannel logout is an OpenID Connect feature that enables Clinch to notify applications when a user logs out, ensuring sessions are terminated across all connected applications immediately.
 ## How It Works
 When a user logs out from Clinch (or any connected application), Clinch sends server-to-server HTTP POST requests to all applications that have configured a backchannel logout endpoint. This happens automatically in the background.
 ### Logout Triggers
 Backchannel logout notifications are sent when:
 1. **User clicks "Sign Out" in Clinch** - All connected OIDC applications are notified, then the Clinch session is terminated
 2. **User logs out via OIDC `/logout` endpoint** (RP-Initiated Logout) - All connected applications are notified, then the Clinch session is terminated
 3. **User clicks "Logout" on an app (Dashboard)** - Backchannel logout is sent to that app, all access/refresh tokens are revoked, but OAuth consent is preserved (user can sign back in without re-authorizing)
 4. **User clicks "Revoke Access" for a specific app (Active Sessions page)** - Backchannel logout is sent to that app to terminate its session, all access/refresh tokens are revoked, then the OAuth consent is permanently destroyed (user must re-authorize the app to use it again)
 5. **User clicks "Revoke All App Access"** - All connected applications receive backchannel logout notifications, all tokens are revoked, then all OAuth consents are permanently destroyed
 ### The Logout Flow
 ```
 User logs out → Clinch finds all connected apps
                ↓
        For each app with backchannel_logout_uri:
                ↓
        Generate signed JWT logout token
                ↓
        HTTP POST to app's logout endpoint
                ↓
        App validates JWT and terminates session
                ↓
        Clinch revokes access and refresh tokens
 ```
 ### Logout vs Revoke Access
 Clinch provides two distinct actions for managing application access:
 | Action | Location | What Happens | When to Use |
 |--------|----------|--------------|-------------|
 | **Logout** | Dashboard | • Sends backchannel logout to app<br>• Revokes all access tokens<br>• Revokes all refresh tokens<br>• **Keeps OAuth consent intact** | You want to end your session with an app but still trust it. Next login will skip the authorization screen. |
 | **Revoke Access** | Active Sessions page | • Sends backchannel logout to app<br>• Revokes all access tokens<br>• Revokes all refresh tokens<br>• **Destroys OAuth consent** | You want to completely de-authorize an app. Next login will require you to re-authorize the app. |
 **Key Difference**: "Logout" preserves the authorization relationship while terminating the active session. "Revoke Access" completely removes the app's authorization to access your account.
 **Example Use Cases**:
 - **Logout**: "I left my Jellyfin session open at a friend's house. I want to kill that session but I still use Jellyfin."
 - **Revoke Access**: "I no longer trust this app and want to remove its authorization completely."
 **Technical Details**:
 - Both actions revoke access tokens (opaque, database-backed, validated on each use)
 - Both actions revoke refresh tokens (prevents obtaining new access tokens)
 - ID tokens remain valid until expiry (stateless JWTs), but apps should honor backchannel logout
 - Backchannel logout ensures the app clears its local session immediately
 ## Configuring Applications
 ### In Clinch Admin UI
 1. Navigate to **Admin → Applications**
 2. Edit or create an OIDC application
 3. In the "Backchannel Logout URI" field, enter the application's logout endpoint
   - Example: `https://kavita.local/oidc/backchannel-logout`
   - Must be HTTPS in production
   - Leave blank if the application doesn't support backchannel logout
 ### Checking Support
 The OIDC discovery endpoint advertises backchannel logout support:
 ```bash
 curl https://clinch.local/.well-known/openid-configuration | jq
 ```
 Look for:
 ```json
 {
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true
 }
 ```
 ## Implementing a Backchannel Logout Endpoint (for RPs)
 If you're developing an application that integrates with Clinch, here's how to implement backchannel logout support:
 ### 1. Create the Endpoint
 The endpoint must:
 - Accept HTTP POST requests
 - Parse the `logout_token` parameter from the form body
 - Validate the JWT signature
 - Terminate the user's session
 - Return 200 OK quickly (within 5 seconds)
 ### 2. Example Implementation (Ruby/Rails)
 ```ruby
 # config/routes.rb
 post '/oidc/backchannel-logout', to: 'oidc_backchannel_logout#logout'
 # app/controllers/oidc_backchannel_logout_controller.rb
 class OidcBackchannelLogoutController < ApplicationController
  skip_before_action :verify_authenticity_token  # Server-to-server call
  skip_before_action :authenticate_user!         # No user session yet
  def logout
    logout_token = params[:logout_token]
    unless logout_token.present?
      head :bad_request
      return
    end
    begin
      # Decode and verify the JWT
      # Get Clinch's public key from JWKS endpoint
      jwks = fetch_clinch_jwks
      decoded = JWT.decode(
        logout_token,
        nil,  # Will be verified using JWKS
        true,
        {
          algorithms: ['RS256'],
          jwks: jwks,
          verify_aud: true,
          aud: YOUR_CLIENT_ID,
          verify_iss: true,
          iss: 'https://clinch.local'  # Your Clinch URL
        }
      )
      claims = decoded.first
      # Validate required claims
      unless claims['events']&.key?('http://schemas.openid.net/event/backchannel-logout')
        head :bad_request
        return
      end
      # Get session ID from the token
      sid = claims['sid']
      sub = claims['sub']
      # Terminate sessions
      if sid.present?
        # Terminate specific session by SID (recommended)
        Session.where(oidc_sid: sid).destroy_all
      elsif sub.present?
        # Terminate all sessions for this user
        user = User.find_by(oidc_sub: sub)
        user&.sessions&.destroy_all
      end
      Rails.logger.info "Backchannel logout: Terminated session for sid=#{sid}, sub=#{sub}"
      head :ok
    rescue JWT::DecodeError => e
      Rails.logger.error "Backchannel logout: Invalid JWT - #{e.message}"
      head :bad_request
    rescue => e
      Rails.logger.error "Backchannel logout: Error - #{e.class}: #{e.message}"
      head :internal_server_error
    end
  end
  private
  def fetch_clinch_jwks
    # Cache this in production!
    response = HTTParty.get('https://clinch.local/.well-known/jwks.json')
    JSON.parse(response.body, symbolize_names: true)
  end
 end
 ```
 ### 3. Required JWT Claims Validation
 The logout token will contain:
 | Claim | Description | Required |
 |-------|-------------|----------|
 | `iss` | Issuer (Clinch URL) | Yes |
 | `aud` | Your application's client_id | Yes |
 | `iat` | Issued at timestamp | Yes |
 | `jti` | Unique token ID | Yes |
 | `sub` | Pairwise subject identifier (user's SID) | Yes |
 | `sid` | Session ID (same as sub) | Yes |
 | `events` | Must contain `http://schemas.openid.net/event/backchannel-logout` | Yes |
 | `nonce` | Must NOT be present (spec requirement) | No |
 ### 4. Session Tracking Requirements
 To support backchannel logout, your application must:
 1. **Store the `sid` claim from ID tokens**:
   ```ruby
   # When user logs in via OIDC
   id_token = decode_id_token(params[:id_token])
   session[:oidc_sid] = id_token['sid']  # Store this!
   ```
 2. **Associate sessions with SID**:
   ```ruby
   # Create session with SID tracking
   Session.create!(
     user: current_user,
     oidc_sid: id_token['sid'],
     ...
   )
   ```
 3. **Terminate sessions by SID**:
   ```ruby
   # When backchannel logout is received
   Session.where(oidc_sid: sid).destroy_all
   ```
 ### 5. Testing Your Endpoint
 Test with curl:
 ```bash
 # Get a valid logout token (you'll need to capture this from Clinch logs)
 LOGOUT_TOKEN="eyJhbGc..."
 curl -X POST https://your-app.local/oidc/backchannel-logout \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "logout_token=$LOGOUT_TOKEN"
 ```
 Expected response: `200 OK` (empty body)
 ## Monitoring and Troubleshooting
 ### Checking Logs
 Clinch logs all backchannel logout attempts:
 ```bash
 # In development
 tail -f log/development.log | grep BackchannelLogout
 # Example log output:
 # BackchannelLogout: Successfully sent logout notification to Kavita (https://kavita.local/oidc/backchannel-logout)
 # BackchannelLogout: Application Jellyfin doesn't support backchannel logout
 # BackchannelLogout: Timeout sending logout to HomeAssistant (https://ha.local/logout): Connection timeout
 ```
 ### Common Issues
 **1. HTTP Timeout**
 - Symptom: `Timeout sending logout to...` in logs
 - Solution: Ensure the RP's backchannel logout endpoint responds within 5 seconds
 - Note: Clinch will retry 3 times with exponential backoff
 **2. HTTP Errors (Non-200 Status)**
 - Symptom: `Application X returned HTTP 400/500...` in logs
 - Solution: Check the RP's logs for JWT validation errors
 - Common causes:
  - Wrong JWKS (public key mismatch)
  - Incorrect `aud` (client_id) validation
  - Missing required claims validation
 **3. Network Unreachable**
 - Symptom: `Failed to send logout to...` with connection errors
 - Solution: Ensure the RP's logout endpoint is accessible from Clinch server
 - Check: Firewalls, DNS, SSL certificates
 **4. Sessions Not Terminating**
 - Symptom: User still logged into RP after logging out of Clinch
 - Solution: Verify the RP is storing and checking `sid` correctly
 - Debug: Add logging to the RP's backchannel logout handler
 ### Verification Checklist
 For RPs (Application Developers):
 - [ ] Endpoint accepts POST requests
 - [ ] Endpoint validates JWT signature using Clinch's JWKS
 - [ ] Endpoint validates all required claims
 - [ ] Endpoint terminates sessions by SID
 - [ ] Endpoint returns 200 OK quickly (< 5 seconds)
 - [ ] Sessions store the `sid` claim from ID tokens
 - [ ] Backchannel logout URI is configured in Clinch admin
 For Administrators:
 - [ ] Application has `backchannel_logout_uri` configured
 - [ ] URI uses HTTPS (in production)
 - [ ] URI is reachable from Clinch server
 - [ ] Check logs for successful logout notifications
 ## Security Considerations
 1. **JWT Signature Verification**: Always verify the logout token signature using Clinch's public key
 2. **Audience Validation**: Ensure the `aud` claim matches your client_id
 3. **Issuer Validation**: Ensure the `iss` claim matches your Clinch URL
 4. **No Authentication Required**: The endpoint should not require user authentication (it's server-to-server)
 5. **HTTPS Only**: Always use HTTPS in production (Clinch enforces this)
 6. **Fire-and-Forget**: RPs should log failures but not block on errors
 ## Comparison with Other Logout Methods
 | Method | Communication | When Sessions Terminate | Reliability |
 |--------|--------------|------------------------|-------------|
 | **Backchannel Logout** | Server-to-server POST | Immediately | High (retries on failure) |
 | **Front-Channel Logout** | Browser iframes | When browser loads iframes | Low (blocked by privacy settings) |
 | **RP-Initiated Logout** | User redirects to Clinch | Only affects Clinch session | N/A (just triggers other methods) |
 | **Token Expiry** | None | When access token expires | Guaranteed but delayed |
 ## References
 - [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html)
 - [RFC 7009: OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)
 - [Clinch OIDC Discovery](/.well-known/openid-configuration)
--- a/test/controllers/api/forward_auth_controller_test.rb
+++ b/test/controllers/api/forward_auth_controller_test.rb
@@ -5,10 +5,10 @@ module Api
    setup do
      @user = users(:bob)
      @admin_user = users(:alice)
-      @inactive_user = users(:bob)  # We'll create an inactive user in setup if needed
+      @inactive_user = User.create!(email_address: "inactive@example.com", password: "password", status: :disabled)
      @group = groups(:admin_group)
-      @rule = ForwardAuthRule.create!(domain_pattern: "test.example.com", active: true)
+      @rule = Application.create!(name: "Test App", slug: "test-app", app_type: "forward_auth", domain_pattern: "test.example.com", active: true)
-      @inactive_rule = ForwardAuthRule.create!(domain_pattern: "inactive.example.com", active: false)
+      @inactive_rule = Application.create!(name: "Inactive App", slug: "inactive-app", app_type: "forward_auth", domain_pattern: "inactive.example.com", active: false)
    end
    # Authentication Tests
@@ -17,31 +17,7 @@ module Api
      assert_response 302
      assert_match %r{/signin}, response.location
-      assert_equal "No session cookie", response.headers["X-Auth-Reason"]
+      assert_equal "No session cookie", response.headers["x-auth-reason"]
    end
    test "should redirect when session cookie is invalid" do
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com",
        "Cookie" => "_clinch_session_id=invalid_session_id"
      }
      assert_response 302
      assert_match %r{/signin}, response.location
      assert_equal "Invalid session", response.headers["X-Auth-Reason"]
    end
    test "should redirect when session is expired" do
      expired_session = @user.sessions.create!(created_at: 1.year.ago)
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com",
        "Cookie" => "_clinch_session_id=#{expired_session.id}"
      }
      assert_response 302
      assert_match %r{/signin}, response.location
      assert_equal "Session expired", response.headers["X-Auth-Reason"]
    end
    test "should redirect when user is inactive" do
@@ -50,7 +26,7 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 302
-      assert_equal "User account is not active", response.headers["X-Auth-Reason"]
+      assert_equal "User account is not active", response.headers["x-auth-reason"]
    end
    test "should return 200 when user is authenticated" do
@@ -70,14 +46,13 @@ module Api
      assert_response 200
    end
-    test "should return 200 with default headers when no rule matches" do
+    test "should return 403 when no rule matches (fail-closed security)" do
      sign_in_as(@user)
      get "/api/verify", headers: { "X-Forwarded-Host" => "unknown.example.com" }
-      assert_response 200
+      assert_response 403
-      assert_equal @user.email_address, response.headers["X-Remote-User"]
+      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
      assert_equal @user.email_address, response.headers["X-Remote-Email"]
    end
    test "should return 403 when rule exists but is inactive" do
@@ -86,7 +61,7 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "inactive.example.com" }
      assert_response 403
-      assert_equal "No authentication rule configured for this domain", response.headers["X-Auth-Reason"]
+      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    test "should return 403 when rule exists but user not in allowed groups" do
@@ -96,7 +71,7 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 403
-      assert_match %r{permission to access this domain}, response.headers["X-Auth-Reason"]
+      assert_match %r{permission to access this domain}, response.headers["x-auth-reason"]
    end
    test "should return 200 when user is in allowed groups" do
@@ -111,7 +86,7 @@ module Api
    # Domain Pattern Tests
    test "should match wildcard domains correctly" do
-      wildcard_rule = ForwardAuthRule.create!(domain_pattern: "*.example.com", active: true)
+      wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
      sign_in_as(@user)
      get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
@@ -121,18 +96,20 @@ module Api
      assert_response 200
      get "/api/verify", headers: { "X-Forwarded-Host" => "other.com" }
-      assert_response 200  # Falls back to default behavior
+      assert_response 403  # No rule configured - fail-closed
      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    test "should match exact domains correctly" do
-      exact_rule = ForwardAuthRule.create!(domain_pattern: "api.example.com", active: true)
+      exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
      sign_in_as(@user)
      get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
      assert_response 200
      get "/api/verify", headers: { "X-Forwarded-Host" => "app.api.example.com" }
-      assert_response 200  # Falls back to default behavior
+      assert_response 403  # No rule configured - fail-closed
      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    # Header Configuration Tests
@@ -142,14 +119,17 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
-      assert_equal "X-Remote-User", response.headers.keys.find { |k| k.include?("User") }
+      assert_equal @user.email_address, response.headers["x-remote-user"]
-      assert_equal "X-Remote-Email", response.headers.keys.find { |k| k.include?("Email") }
+      assert_equal @user.email_address, response.headers["x-remote-email"]
-      assert_equal "X-Remote-Name", response.headers.keys.find { |k| k.include?("Name") }
+      assert response.headers["x-remote-name"].present?
-      assert_equal @user.email_address, response.headers["X-Remote-User"]
+      assert_equal (@user.admin? ? "true" : "false"), response.headers["x-remote-admin"]
    end
    test "should return custom headers when configured" do
-      custom_rule = ForwardAuthRule.create!(
+      custom_rule = Application.create!(
        name: "Custom App",
        slug: "custom-app",
        app_type: "forward_auth",
        domain_pattern: "custom.example.com",
        active: true,
        headers_config: {
@@ -163,13 +143,18 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "custom.example.com" }
      assert_response 200
-      assert_equal "X-WEBAUTH-USER", response.headers.keys.find { |k| k.include?("USER") }
+      assert_equal @user.email_address, response.headers["x-webauth-user"]
-      assert_equal "X-WEBAUTH-EMAIL", response.headers.keys.find { |k| k.include?("EMAIL") }
+      assert_equal @user.email_address, response.headers["x-webauth-email"]
-      assert_equal @user.email_address, response.headers["X-WEBAUTH-USER"]
+      # Default headers should NOT be present
      assert_nil response.headers["x-remote-user"]
      assert_nil response.headers["x-remote-email"]
    end
    test "should return no headers when all headers disabled" do
-      no_headers_rule = ForwardAuthRule.create!(
+      no_headers_rule = Application.create!(
        name: "No Headers App",
        slug: "no-headers-app",
        app_type: "forward_auth",
        domain_pattern: "noheaders.example.com",
        active: true,
        headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
@@ -179,8 +164,9 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "noheaders.example.com" }
      assert_response 200
-      auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
+      # Check that auth-specific headers are not present (exclude Rails security headers)
-      assert_empty auth_headers
+      auth_headers = response.headers.select { |k, v| k.match?(/^X-Remote-/i) || k.match?(/^X-WEBAUTH/i) }
      assert_empty auth_headers, "Should not have any auth headers when all are disabled"
    end
    test "should include groups header when user has groups" do
@@ -190,16 +176,20 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
-      assert_equal @group.name, response.headers["X-Remote-Groups"]
+      groups_header = response.headers["x-remote-groups"]
      assert_includes groups_header, @group.name
      # Bob also has editor_group from fixtures
      assert_includes groups_header, "Editors"
    end
    test "should not include groups header when user has no groups" do
      @user.groups.clear  # Remove fixture groups
      sign_in_as(@user)
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
-      assert_nil response.headers["X-Remote-Groups"]
+      assert_nil response.headers["x-remote-groups"]
    end
    test "should include admin header correctly" do
@@ -208,7 +198,7 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
-      assert_equal "true", response.headers["X-Remote-Admin"]
+      assert_equal "true", response.headers["x-remote-admin"]
    end
    test "should include multiple groups when user has multiple groups" do
@@ -220,7 +210,7 @@ module Api
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
-      groups_header = response.headers["X-Remote-Groups"]
+      groups_header = response.headers["x-remote-groups"]
      assert_includes groups_header, @group.name
      assert_includes groups_header, group2.name
    end
@@ -239,29 +229,20 @@ module Api
      get "/api/verify"
-      assert_response 200
+      # User is authenticated but no domain rule matches (default test host)
-      assert_equal "User #{@user.email_address} authenticated (no domain specified)",
+      assert_response 403
-                   request.env["action_dispatch.instance"].instance_variable_get(:@logged_messages)&.last
+      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    # Security Tests
    test "should handle malformed session IDs gracefully" do
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com",
        "Cookie" => "_clinch_session_id=malformed_session_id_with_special_chars!@#$%"
      }
      assert_response 302
      assert_equal "Invalid session", response.headers["X-Auth-Reason"]
    end
    test "should handle very long domain names" do
      long_domain = "a" * 250 + ".example.com"
      sign_in_as(@user)
      get "/api/verify", headers: { "X-Forwarded-Host" => long_domain }
-      assert_response 200  # Should fall back to default behavior
+      assert_response 403  # No rule configured - fail-closed
      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    test "should handle case insensitive domain matching" do
@@ -272,66 +253,7 @@ module Api
      assert_response 200
    end
-    # Open Redirect Security Tests
+    # Open Redirect Security Tests - All tests verify SECURE behavior
    test "should redirect to malicious external domain when rd parameter is provided" do
      # This test demonstrates the current vulnerability
      evil_url = "https://evil-phishing-site.com/steal-credentials"
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: evil_url }
      assert_response 302
      # Current vulnerable behavior: redirects to the evil URL
      assert_match evil_url, response.location
    end
    test "should redirect to http scheme when rd parameter uses http" do
      # This test shows we can redirect to non-HTTPS sites
      http_url = "http://insecure-site.com/login"
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: http_url }
      assert_response 302
      assert_match http_url, response.location
    end
    test "should redirect to data URLs when rd parameter contains data scheme" do
      # This test shows we can redirect to data URLs (XSS potential)
      data_url = "data:text/html,<script>alert('XSS')</script>"
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: data_url }
      assert_response 302
      # Currently redirects to data URL (XSS vulnerability)
      assert_match data_url, response.location
    end
    test "should redirect to javascript URLs when rd parameter contains javascript scheme" do
      # This test shows we can redirect to javascript URLs (XSS potential)
      js_url = "javascript:alert('XSS')"
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: js_url }
      assert_response 302
      # Currently redirects to JavaScript URL (XSS vulnerability)
      assert_match js_url, response.location
    end
    test "should redirect to domain with no ForwardAuthRule when rd parameter is arbitrary" do
      # This test shows we can redirect to domains not configured in ForwardAuthRules
      unconfigured_domain = "https://unconfigured-domain.com/admin"
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: unconfigured_domain }
      assert_response 302
      # Currently redirects to unconfigured domain
      assert_match unconfigured_domain, response.location
    end
    test "should reject malicious redirect URL through session after authentication (SECURE BEHAVIOR)" do
      # This test shows malicious URLs are filtered out through the auth flow
      evil_url = "https://evil-site.com/fake-login"
@@ -364,37 +286,6 @@ module Api
      assert_match "test.example.com", response.location, "Should redirect to legitimate domain"
    end
    test "should redirect to domain that looks similar but not in ForwardAuthRules" do
      # Create rule for test.example.com
      test_rule = ForwardAuthRule.create!(domain_pattern: "test.example.com", active: true)
      # Try to redirect to similar-looking domain not configured
      typosquat_url = "https://text.example.com/admin"  # Note: 'text' instead of 'test'
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" },
          params: { rd: typosquat_url }
      assert_response 302
      # Currently redirects to typosquat domain
      assert_match typosquat_url, response.location
    end
    test "should redirect to subdomain that is not covered by ForwardAuthRules" do
      # Create rule for app.example.com
      app_rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
      # Try to redirect to completely different subdomain
      unexpected_subdomain = "https://admin.example.com/panel"
      get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" },
          params: { rd: unexpected_subdomain }
      assert_response 302
      # Currently redirects to unexpected subdomain
      assert_match unexpected_subdomain, response.location
    end
    # Tests for the desired secure behavior (these should fail with current implementation)
    test "should ONLY allow redirects to domains with matching ForwardAuthRules (SECURE BEHAVIOR)" do
      # Use existing rule for test.example.com created in setup
@@ -459,27 +350,15 @@ module Api
      end
    end
-    # HTTP Method Specific Tests (based on Authelia approach)
+    # HTTP Method Tests
-    test "should handle different HTTP methods with appropriate redirect codes" do
+    test "should handle GET requests with appropriate response codes" do
      sign_in_as(@user)
-      # Test GET requests should return 302 Found
+      # Authenticated GET requests should return 200
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200  # Authenticated user gets 200
      # Test POST requests should work the same for authenticated users
      post "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 200
    end
    test "should return 403 for non-authenticated POST requests instead of redirect" do
      # This follows Authelia's pattern where non-GET requests to protected resources
      # should return 403 when unauthenticated, not redirects
      post "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      assert_response 302  # Our implementation still redirects to login
      # Note: Could be enhanced to return 403 for non-GET methods
    end
    # XHR/Fetch Request Tests
    test "should handle XHR requests appropriately" do
      get "/api/verify", headers: {
@@ -549,27 +428,30 @@ module Api
        "X-Forwarded-Host" => "测试.example.com"
      }
-      assert_response 200
+      assert_response 403  # No rule configured - fail-closed
      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    # Protocol and Scheme Tests
    test "should handle X-Forwarded-Proto header" do
      sign_in_as(@user)
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com",
        "X-Forwarded-Proto" => "https"
      }
      sign_in_as(@user)
      assert_response 200
    end
    test "should handle HTTP protocol in X-Forwarded-Proto" do
      sign_in_as(@user)
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com",
        "X-Forwarded-Proto" => "http"
      }
      sign_in_as(@user)
      assert_response 200
      # Note: Our implementation doesn't enforce protocol matching
    end
@@ -587,7 +469,7 @@ module Api
      assert_response 200
      # Should maintain user identity across requests
-      assert_equal @user.email_address, response.headers["X-Remote-User"]
+      assert_equal @user.email_address, response.headers["x-remote-user"]
    end
    test "should handle concurrent requests with same session" do
@@ -600,16 +482,15 @@ module Api
      5.times do |i|
        threads << Thread.new do
          get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
-          results << { status: response.status, user: response.headers["X-Remote-User"] }
+          results << { status: response.status }
        end
      end
      threads.each(&:join)
-      # All requests should succeed
+      # All requests should be denied (no rules configured for these domains)
      results.each do |result|
-        assert_equal 200, result[:status]
+        assert_equal 403, result[:status]
        assert_equal @user.email_address, result[:user]
      end
    end
@@ -624,13 +505,15 @@ module Api
    end
    test "should handle null byte injection in headers" do
      sign_in_as(@user)
      get "/api/verify", headers: {
        "X-Forwarded-Host" => "test.example.com\0.evil.com"
      }
-      sign_in_as(@user)
+      # Should handle null bytes safely - domain doesn't match any rule
-      # Should handle null bytes safely
+      assert_response 403
-      assert_response 200
+      assert_equal "No authentication rule configured for this domain", response.headers["x-auth-reason"]
    end
    # Performance and Load Tests
@@ -642,7 +525,7 @@ module Api
      request_count.times do |i|
        get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
-        assert_response 200
+        assert_response 403  # No rules configured for these domains
      end
      total_time = Time.current - start_time
--- a/test/controllers/input_validation_test.rb
+++ b/test/controllers/input_validation_test.rb
@@ -0,0 +1,187 @@
 require "test_helper"
 class InputValidationTest < ActionDispatch::IntegrationTest
  # ====================
  # SQL INJECTION PREVENTION TESTS
  # ====================
  test "SQL injection is prevented by Rails ORM" do
    # Rails ActiveRecord prevents SQL injection through parameterized queries
    # This test verifies the protection is in place
    # Try SQL injection in email field
    post signin_path, params: {
      email_address: "admin' OR '1'='1",
      password: "password123"
    }
    # Should not authenticate with SQL injection
    assert_response :redirect
    assert_redirected_to signin_path
    assert_match(/invalid/i, flash[:alert].to_s)
  end
  # ====================
  # XSS PREVENTION TESTS
  # ====================
  test "XSS in user input is escaped" do
    # Create user with XSS payload in name
    xss_payload = "<script>alert('XSS')</script>"
    user = User.create!(email_address: "xss_test@example.com", password: "password123", name: xss_payload)
    # Sign in
    post signin_path, params: { email_address: "xss_test@example.com", password: "password123" }
    assert_response :redirect
    # Get a page that displays user name
    get root_path
    assert_response :success
    # The XSS payload should be escaped, not executed
    # Rails automatically escapes output in ERB templates
    user.destroy
  end
  # ====================
  # PARAMETER TAMPERING TESTS
  # ====================
  test "parameter tampering in OAuth authorization is prevented" do
    user = User.create!(email_address: "oauth_tamper_test@example.com", password: "password123")
    application = Application.create!(
      name: "OAuth Test App",
      slug: "oauth-test-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:4000/callback"].to_json,
      active: true
    )
    # Sign in
    post signin_path, params: { email_address: "oauth_tamper_test@example.com", password: "password123" }
    assert_response :redirect
    # Try to tamper with OAuth authorization parameters
    get "/oauth/authorize", params: {
      client_id: application.client_id,
      redirect_uri: "http://evil.com/callback",  # Tampered redirect URI
      response_type: "code",
      scope: "openid profile admin",  # Tampered scope to request admin access
      user_id: 1  # Tampered user ID
    }
    # Should reject the tampered redirect URI
    assert_response :bad_request
    user.sessions.delete_all
    user.destroy
    application.destroy
  end
  test "parameter tampering in token request is prevented" do
    user = User.create!(email_address: "token_tamper_test@example.com", password: "password123")
    application = Application.create!(
      name: "Token Tamper Test App",
      slug: "token-tamper-test",
      app_type: "oidc",
      redirect_uris: ["http://localhost:4000/callback"].to_json,
      active: true
    )
    # Try to tamper with token request parameters
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: "fake_code",
      redirect_uri: "http://localhost:4000/callback",
      client_id: "tampered_client_id",
      user_id: 999  # Tampered user ID
    }
    # Should reject tampered client_id
    assert_response :unauthorized
    user.destroy
    application.destroy
  end
  # ====================
  # JSON INPUT VALIDATION TESTS
  # ====================
  test "JSON input validation prevents malicious payloads" do
    # Try to send malformed JSON
    post "/oauth/token", params: '{"grant_type":"authorization_code",}'.to_json,
      headers: { "CONTENT_TYPE" => "application/json" }
    # Should handle malformed JSON gracefully
    assert_includes [400, 422], response.status
  end
  test "JSON input sanitization prevents injection" do
    # Try JSON injection attacks
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: "test_code",
      redirect_uri: "http://localhost:4000/callback",
      nested: { __proto__: "tampered", constructor: { prototype: "tampered" } }
    }.to_json,
    headers: { "CONTENT_TYPE" => "application/json" }
    # Should sanitize or reject prototype pollution attempts
    # The request should be handled (either accept or reject, not crash)
    assert response.body.present?
  end
  # ====================
  # HEADER INJECTION TESTS
  # ====================
  test "HTTP header injection is prevented" do
    # Try to inject headers via user input
    malicious_input = "value\r\nX-Injected-Header: malicious"
    post signin_path, params: {
      email_address: malicious_input,
      password: "password123"
    }
    # Should sanitize or reject header injection attempts
    assert_nil response.headers["X-Injected-Header"]
  end
  # ====================
  # PATH TRAVERSAL TESTS
  # ====================
  test "path traversal is prevented" do
    # Try to access files outside intended directory
    malicious_paths = [
      "../../../etc/passwd",
      "..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
      "/etc/passwd",
      "C:\\Windows\\System32\\config\\sam"
    ]
    malicious_paths.each do |malicious_path|
      # Try to access files with path traversal
      get root_path, params: { file: malicious_path }
      # Should prevent access to files outside public directory
      assert_response :redirect, "Should reject path traversal attempt"
    end
  end
  test "null byte injection is prevented" do
    # Try null byte injection
    malicious_input = "test\x00@example.com"
    post signin_path, params: {
      email_address: malicious_input,
      password: "password123"
    }
    # Should sanitize null bytes
    assert_response :redirect
  end
 end
--- a/test/controllers/oidc_authorization_code_security_test.rb
+++ b/test/controllers/oidc_authorization_code_security_test.rb
@@ -8,7 +8,8 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
      slug: "security-test-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:4000/callback"].to_json,
-      active: true
+      active: true,
      require_pkce: false
    )
    # Store the plain text client secret for testing
@@ -19,8 +20,11 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  def teardown
-    OidcAuthorizationCode.where(application: @application).destroy_all
+    # Delete in correct order to avoid foreign key constraints
-    OidcAccessToken.where(application: @application).destroy_all
+    OidcRefreshToken.where(application: @application).delete_all
    OidcAccessToken.where(application: @application).delete_all
    OidcAuthorizationCode.where(application: @application).delete_all
    OidcUserConsent.where(application: @application).delete_all
    @user.destroy
    @application.destroy
  end
@@ -30,6 +34,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  # ====================
  test "prevents authorization code reuse - sequential attempts" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create a valid authorization code
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -68,6 +81,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "revokes existing tokens when authorization code is reused" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create a valid authorization code
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -114,6 +136,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects already used authorization code" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create and mark code as used
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -142,6 +173,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects expired authorization code" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create expired code
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -169,6 +209,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects authorization code with mismatched redirect_uri" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -211,13 +260,23 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects authorization code for different application" do
    # Create consent for the first application
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create another application
    other_app = Application.create!(
      name: "Other App",
      slug: "other-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:5000/callback"].to_json,
-      active: true
+      active: true,
      require_pkce: false
    )
    other_secret = other_app.client_secret
@@ -254,6 +313,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  # ====================
  test "rejects invalid client_id in Basic auth" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -279,6 +347,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects invalid client_secret in Basic auth" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -304,6 +381,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "accepts client credentials in POST body" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -330,6 +416,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  test "rejects request with no client authentication" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -388,6 +483,15 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  # ====================
  test "client authentication uses constant-time comparison" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -437,4 +541,327 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
    assert timing_difference < 0.05,
      "Timing difference #{timing_difference}s suggests potential timing attack vulnerability"
  end
  # ====================
  # STATE PARAMETER BINDING (CSRF PREVENTION FOR OAUTH)
  # ====================
  test "state parameter is required and validated in authorization flow" do
    # Create consent to skip consent page
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Sign in first
    post signin_path, params: { email_address: "security_test@example.com", password: "password123" }
    # Test authorization with state parameter
    get "/oauth/authorize", params: {
      client_id: @application.client_id,
      redirect_uri: "http://localhost:4000/callback",
      response_type: "code",
      scope: "openid profile",
      state: "random_state_123"
    }
    # Should include state in redirect
    assert_response :redirect
    assert_match(/state=random_state_123/, response.location)
  end
  test "authorization without state parameter still works but is less secure" do
    # Create consent to skip consent page
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Sign in first
    post signin_path, params: { email_address: "security_test@example.com", password: "password123" }
    # Test authorization without state parameter
    get "/oauth/authorize", params: {
      client_id: @application.client_id,
      redirect_uri: "http://localhost:4000/callback",
      response_type: "code",
      scope: "openid profile"
    }
    # Should work but state is recommended for CSRF protection
    assert_response :redirect
  end
  # ====================
  # NONCE PARAMETER VALIDATION (FOR ID TOKENS)
  # ====================
  test "nonce parameter is included in ID token" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with nonce
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:4000/callback",
      scope: "openid profile",
      nonce: "test_nonce_123",
      expires_at: 10.minutes.from_now
    )
    # Exchange code for tokens
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:4000/callback"
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :success
    response_body = JSON.parse(@response.body)
    id_token = response_body["id_token"]
    # Decode ID token (without verification for this test)
    decoded_token = JWT.decode(id_token, nil, false)
    # Verify nonce is included in ID token
    assert_equal "test_nonce_123", decoded_token[0]["nonce"]
  end
  # ====================
  # TOKEN LEAKAGE VIA REFERER HEADER TESTS
  # ====================
  test "access tokens are not exposed in referer header" do
    # Create consent and authorization code
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:4000/callback",
      scope: "openid profile",
      expires_at: 10.minutes.from_now
    )
    # Exchange code for tokens
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:4000/callback"
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :success
    response_body = JSON.parse(@response.body)
    access_token = response_body["access_token"]
    # Verify token is not in response headers (especially Referer)
    assert_nil response.headers["Referer"], "Access token should not leak in Referer header"
    assert_nil response.headers["Location"], "Access token should not leak in Location header"
  end
  # ====================
  # PKCE ENFORCEMENT FOR PUBLIC CLIENTS TESTS
  # ====================
  test "PKCE code_verifier is required when code_challenge was provided" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE challenge
    code_verifier = SecureRandom.urlsafe_base64(32)
    code_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:4000/callback",
      scope: "openid profile",
      code_challenge: code_challenge,
      code_challenge_method: "S256",
      expires_at: 10.minutes.from_now
    )
    # Try to exchange code without code_verifier
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:4000/callback"
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :bad_request
    error = JSON.parse(@response.body)
    assert_equal "invalid_request", error["error"]
    assert_match(/code_verifier is required/, error["error_description"])
  end
  test "PKCE with S256 method validates correctly" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE S256
    code_verifier = SecureRandom.urlsafe_base64(32)
    code_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:4000/callback",
      scope: "openid profile",
      code_challenge: code_challenge,
      code_challenge_method: "S256",
      expires_at: 10.minutes.from_now
    )
    # Exchange code with correct code_verifier
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:4000/callback",
      code_verifier: code_verifier
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :success
    response_body = JSON.parse(@response.body)
    assert response_body.key?("access_token")
  end
  test "PKCE rejects invalid code_verifier" do
    # Create consent
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE
    code_verifier = SecureRandom.urlsafe_base64(32)
    code_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:4000/callback",
      scope: "openid profile",
      code_challenge: code_challenge,
      code_challenge_method: "S256",
      expires_at: 10.minutes.from_now
    )
    # Try with wrong code_verifier
    post "/oauth/token", params: {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:4000/callback",
      code_verifier: "wrong_code_verifier_12345678901234567890"
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :bad_request
    error = JSON.parse(@response.body)
    assert_equal "invalid_request", error["error"]
  end
  # ====================
  # REFRESH TOKEN ROTATION TESTS
  # ====================
  test "refresh token rotation is enforced" do
    # Create consent for the refresh token endpoint
    consent = OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create initial access and refresh tokens
    access_token = OidcAccessToken.create!(
      application: @application,
      user: @user,
      scope: "openid profile"
    )
    refresh_token = OidcRefreshToken.create!(
      application: @application,
      user: @user,
      oidc_access_token: access_token,
      scope: "openid profile"
    )
    original_token_family_id = refresh_token.token_family_id
    old_refresh_token = refresh_token.token
    # Refresh the token
    post "/oauth/token", params: {
      grant_type: "refresh_token",
      refresh_token: old_refresh_token
    }, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
    }
    assert_response :success
    response_body = JSON.parse(@response.body)
    new_refresh_token = response_body["refresh_token"]
    # Verify new refresh token is different
    assert_not_equal old_refresh_token, new_refresh_token
    # Verify token family is preserved
    new_token_record = OidcRefreshToken.where(application: @application).find do |rt|
      rt.token_matches?(new_refresh_token)
    end
    assert_equal original_token_family_id, new_token_record.token_family_id
    # Old refresh token should be revoked
    old_token_record = OidcRefreshToken.find(refresh_token.id)
    assert old_token_record.revoked?
  end
 end
--- a/test/controllers/oidc_pkce_controller_test.rb
+++ b/test/controllers/oidc_pkce_controller_test.rb
@@ -17,8 +17,11 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  def teardown
    Current.session&.destroy
-    OidcAuthorizationCode.where(application: @application).destroy_all
+    # Delete in correct order to avoid foreign key constraints
-    OidcAccessToken.where(application: @application).destroy_all
+    OidcRefreshToken.where(application: @application).delete_all
    OidcAccessToken.where(application: @application).delete_all
    OidcAuthorizationCode.where(application: @application).delete_all
    OidcUserConsent.where(application: @application).delete_all
    @user.destroy
    @application.destroy
  end
@@ -111,6 +114,15 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint requires code_verifier when PKCE was used (S256)" do
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE S256
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -140,6 +152,15 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint requires code_verifier when PKCE was used (plain)" do
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE plain
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -169,6 +190,15 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint rejects invalid code_verifier (S256)" do
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code with PKCE S256
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
@@ -200,6 +230,15 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint accepts valid code_verifier (S256)" do
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Generate valid PKCE pair
    code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    code_challenge = Digest::SHA256.base64digest(code_verifier)
@@ -237,6 +276,15 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint accepts valid code_verifier (plain)" do
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    code_verifier = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    # Create authorization code with PKCE plain
@@ -270,7 +318,199 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
  end
  test "token endpoint works without PKCE (backward compatibility)" do
    # Create an application with PKCE not required (legacy behavior)
    legacy_app = Application.create!(
      name: "Legacy App",
      slug: "legacy-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:5000/callback"].to_json,
      active: true,
      require_pkce: false
    )
    legacy_app.generate_new_client_secret!
    # Create consent for token endpoint
    OidcUserConsent.create!(
      user: @user,
      application: legacy_app,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code without PKCE
    auth_code = OidcAuthorizationCode.create!(
      application: legacy_app,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:5000/callback",
      scope: "openid profile",
      expires_at: 10.minutes.from_now
    )
    token_params = {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:5000/callback"
    }
    post "/oauth/token", params: token_params, headers: {
      "Authorization" => "Basic " + Base64.strict_encode64("#{legacy_app.client_id}:#{legacy_app.client_secret}")
    }
    assert_response :success
    tokens = JSON.parse(@response.body)
    assert tokens.key?("access_token")
    assert tokens.key?("id_token")
    assert_equal "Bearer", tokens["token_type"]
    # Cleanup
    OidcRefreshToken.where(application: legacy_app).delete_all
    OidcAccessToken.where(application: legacy_app).delete_all
    OidcAuthorizationCode.where(application: legacy_app).delete_all
    OidcUserConsent.where(application: legacy_app).delete_all
    legacy_app.destroy
  end
  # ====================
  # PUBLIC CLIENT TESTS
  # ====================
  test "public client can authenticate with PKCE" do
    # Create a public client (no client_secret)
    public_app = Application.create!(
      name: "Public App",
      slug: "public-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:6000/callback"].to_json,
      active: true,
      is_public_client: true
    )
    assert public_app.public_client?
    assert public_app.requires_pkce?
    assert_nil public_app.client_secret_digest
    # Create consent
    OidcUserConsent.create!(
      user: @user,
      application: public_app,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # PKCE parameters
    code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    code_challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    # Create authorization code with PKCE
    auth_code = OidcAuthorizationCode.create!(
      application: public_app,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:6000/callback",
      scope: "openid profile",
      expires_at: 10.minutes.from_now,
      code_challenge: code_challenge,
      code_challenge_method: "S256"
    )
    # Token request with PKCE but no client_secret
    token_params = {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:6000/callback",
      client_id: public_app.client_id,
      code_verifier: code_verifier
    }
    post "/oauth/token", params: token_params
    assert_response :success
    tokens = JSON.parse(@response.body)
    assert tokens.key?("access_token")
    assert tokens.key?("id_token")
    # Cleanup
    OidcRefreshToken.where(application: public_app).delete_all
    OidcAccessToken.where(application: public_app).delete_all
    OidcAuthorizationCode.where(application: public_app).delete_all
    OidcUserConsent.where(application: public_app).delete_all
    public_app.destroy
  end
  test "public client fails without PKCE" do
    # Create a public client (no client_secret)
    public_app = Application.create!(
      name: "Public App No PKCE",
      slug: "public-app-no-pkce",
      app_type: "oidc",
      redirect_uris: ["http://localhost:7000/callback"].to_json,
      active: true,
      is_public_client: true
    )
    assert public_app.public_client?
    assert public_app.requires_pkce?
    # Create consent
    OidcUserConsent.create!(
      user: @user,
      application: public_app,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-123"
    )
    # Create authorization code WITHOUT PKCE
    auth_code = OidcAuthorizationCode.create!(
      application: public_app,
      user: @user,
      code: SecureRandom.urlsafe_base64(32),
      redirect_uri: "http://localhost:7000/callback",
      scope: "openid profile",
      expires_at: 10.minutes.from_now
    )
    # Token request without PKCE should fail
    token_params = {
      grant_type: "authorization_code",
      code: auth_code.code,
      redirect_uri: "http://localhost:7000/callback",
      client_id: public_app.client_id
    }
    post "/oauth/token", params: token_params
    assert_response :bad_request
    error = JSON.parse(@response.body)
    assert_equal "invalid_request", error["error"]
    assert_match /PKCE is required for public clients/, error["error_description"]
    # Cleanup
    OidcRefreshToken.where(application: public_app).delete_all
    OidcAccessToken.where(application: public_app).delete_all
    OidcAuthorizationCode.where(application: public_app).delete_all
    OidcUserConsent.where(application: public_app).delete_all
    public_app.destroy
  end
  test "confidential client with require_pkce fails without PKCE" do
    # The default @application has require_pkce: true (default)
    assert @application.confidential_client?
    assert @application.requires_pkce?
    # Create consent
    OidcUserConsent.create!(
      user: @user,
      application: @application,
      scopes_granted: "openid profile",
      granted_at: Time.current,
      sid: "test-sid-pkce-required"
    )
    # Create authorization code WITHOUT PKCE
    auth_code = OidcAuthorizationCode.create!(
      application: @application,
      user: @user,
@@ -280,6 +520,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
      expires_at: 10.minutes.from_now
    )
    # Token request without PKCE should fail
    token_params = {
      grant_type: "authorization_code",
      code: auth_code.code,
@@ -290,10 +531,9 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
      "Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@application.client_secret}")
    }
-    assert_response :success
+    assert_response :bad_request
-    tokens = JSON.parse(@response.body)
+    error = JSON.parse(@response.body)
-    assert tokens.key?("access_token")
+    assert_equal "invalid_request", error["error"]
-    assert tokens.key?("id_token")
+    assert_match /PKCE is required/, error["error_description"]
    assert_equal "Bearer", tokens["token_type"]
  end
 end
--- a/test/controllers/passwords_controller_test.rb
+++ b/test/controllers/passwords_controller_test.rb
@@ -11,7 +11,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "create" do
    post passwords_path, params: { email_address: @user.email_address }
    assert_enqueued_email_with PasswordsMailer, :reset, args: [ @user ]
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    follow_redirect!
    assert_notice "reset instructions sent"
@@ -20,14 +20,14 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "create for an unknown user redirects but sends no mail" do
    post passwords_path, params: { email_address: "missing-user@example.com" }
    assert_enqueued_emails 0
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    follow_redirect!
    assert_notice "reset instructions sent"
  end
  test "edit" do
-    get edit_password_path(@user.password_reset_token)
+    get edit_password_path(@user.generate_token_for(:password_reset))
    assert_response :success
  end
@@ -41,8 +41,8 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "update" do
    assert_changes -> { @user.reload.password_digest } do
-      put password_path(@user.password_reset_token), params: { password: "new", password_confirmation: "new" }
+      put password_path(@user.generate_token_for(:password_reset)), params: { password: "newpassword", password_confirmation: "newpassword" }
-      assert_redirected_to new_session_path
+      assert_redirected_to signin_path
    end
    follow_redirect!
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -18,7 +18,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
  test "create with invalid credentials" do
    post session_path, params: { email_address: @user.email_address, password: "wrong" }
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    assert_nil cookies[:session_id]
  end
@@ -27,7 +27,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
    delete session_path
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    assert_empty cookies[:session_id]
  end
 end
--- a/test/controllers/totp_security_test.rb
+++ b/test/controllers/totp_security_test.rb
@@ -0,0 +1,282 @@
 require "test_helper"
 class TotpSecurityTest < ActionDispatch::IntegrationTest
  # ====================
  # TOTP CODE REPLAY PREVENTION TESTS
  # ====================
  test "TOTP code cannot be reused" do
    user = User.create!(email_address: "totp_replay_test@example.com", password: "password123")
    user.enable_totp!
    # Generate a valid TOTP code
    totp = ROTP::TOTP.new(user.totp_secret)
    valid_code = totp.now
    # Set up pending TOTP session
    post signin_path, params: { email_address: "totp_replay_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # First use of the code should succeed
    post totp_verification_path, params: { code: valid_code }
    assert_response :redirect
    assert_redirected_to root_path
    # Sign out
    delete session_path
    assert_response :redirect
    # Note: In the current implementation, TOTP codes CAN be reused within the 60-second time window
    # This is standard TOTP behavior. For enhanced security, you could implement used code tracking.
    # This test documents the current behavior - codes work within their time window
    user.sessions.delete_all
    user.destroy
  end
  # ====================
  # BACKUP CODE SINGLE-USE ENFORCEMENT TESTS
  # ====================
  test "backup code can only be used once" do
    user = User.create!(email_address: "backup_code_test@example.com", password: "password123")
    # Enable TOTP and generate backup codes
    user.totp_secret = ROTP::Base32.random
    backup_codes = user.send(:generate_backup_codes) # Call private method
    user.save!
    # Store the original backup codes for comparison
    original_codes = user.reload.backup_codes
    # Set up pending TOTP session
    post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Use a backup code
    backup_code = backup_codes.first
    post totp_verification_path, params: { code: backup_code }
    # Should successfully sign in
    assert_response :redirect
    assert_redirected_to root_path
    # Verify the backup code was marked as used
    user.reload
    assert_not_equal original_codes, user.backup_codes
    # Try to use the same backup code again
    delete session_path
    assert_response :redirect
    # Sign in again
    post signin_path, params: { email_address: "backup_code_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Try the same backup code
    post totp_verification_path, params: { code: backup_code }
    # Should fail - backup code already used
    assert_response :redirect
    assert_redirected_to totp_verification_path
    follow_redirect!
    assert_match(/invalid/i, flash[:alert].to_s)
    user.sessions.delete_all
    user.destroy
  end
  test "backup codes are hashed and not stored in plaintext" do
    user = User.create!(email_address: "backup_hash_test@example.com", password: "password123")
    # Generate backup codes
    user.totp_secret = ROTP::Base32.random
    backup_codes = user.send(:generate_backup_codes) # Call private method
    user.save!
    # Check that stored codes are BCrypt hashes (start with $2a$)
    # backup_codes is already an Array (JSON column), no need to parse
    user.backup_codes.each do |code|
      assert_match /^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed"
    end
    user.destroy
  end
  # ====================
  # TIME WINDOW VALIDATION TESTS
  # ====================
  test "TOTP code outside valid time window is rejected" do
    user = User.create!(email_address: "totp_time_test@example.com", password: "password123")
    # Enable TOTP with backup codes
    user.totp_secret = ROTP::Base32.random
    user.send(:generate_backup_codes)
    user.save!
    # Set up pending TOTP session
    post signin_path, params: { email_address: "totp_time_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Generate a TOTP code for a time far in the future (outside valid window)
    totp = ROTP::TOTP.new(user.totp_secret)
    future_code = totp.at(Time.now.to_i + 300) # 5 minutes in the future
    # Try to use the future code
    post totp_verification_path, params: { code: future_code }
    # Should fail - code is outside valid time window
    assert_response :redirect
    assert_redirected_to totp_verification_path
    follow_redirect!
    assert_match(/invalid/i, flash[:alert].to_s)
    user.destroy
  end
  # ====================
  # TOTP SECRET SECURITY TESTS
  # ====================
  test "TOTP secret is not exposed in API responses" do
    user = User.create!(email_address: "totp_secret_test@example.com", password: "password123")
    user.enable_totp!
    # Verify the TOTP secret exists (sanity check)
    assert user.totp_secret.present?
    totp_secret = user.totp_secret
    # Sign in with TOTP
    post signin_path, params: { email_address: "totp_secret_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Complete TOTP verification
    totp = ROTP::TOTP.new(user.totp_secret)
    valid_code = totp.now
    post totp_verification_path, params: { code: valid_code }
    assert_response :redirect
    # The TOTP secret should never be exposed in the response body or headers
    # This is enforced at the model level - the secret is a private attribute
    user.sessions.delete_all
    user.destroy
  end
  test "TOTP secret is rotated when re-enabling" do
    user = User.create!(email_address: "totp_rotate_test@example.com", password: "password123")
    # Enable TOTP first time
    user.enable_totp!
    first_secret = user.totp_secret
    # Disable and re-enable TOTP
    user.update!(totp_secret: nil, backup_codes: nil)
    user.enable_totp!
    second_secret = user.totp_secret
    # Secrets should be different
    assert_not_equal first_secret, second_secret, "TOTP secret should be rotated when re-enabled"
    user.destroy
  end
  # ====================
  # TOTP REQUIRED BY ADMIN TESTS
  # ====================
  test "user with TOTP required cannot disable it" do
    user = User.create!(email_address: "totp_required_test@example.com", password: "password123")
    user.update!(totp_required: true)
    user.enable_totp!
    # Verify TOTP is enabled and required
    assert user.totp_enabled?
    assert user.totp_required?
    # The disable_totp! method will clear the secret, but totp_required flag remains
    # This is enforced in the controller - users can't disable TOTP if it's required
    # The controller check is at app/controllers/totp_controller.rb:121-124
    # Verify that totp_required flag prevents disabling
    # (This is a controller-level check, not model-level)
    user.destroy
  end
  test "user with TOTP required is prompted to set it up on first login" do
    user = User.create!(email_address: "totp_setup_test@example.com", password: "password123")
    user.update!(totp_required: true, totp_secret: nil)
    # Sign in
    post signin_path, params: { email_address: "totp_setup_test@example.com", password: "password123" }
    # Should redirect to TOTP setup, not verification
    assert_response :redirect
    assert_redirected_to new_totp_path
    user.destroy
  end
  # ====================
  # TOTP CODE FORMAT VALIDATION TESTS
  # ====================
  test "invalid TOTP code formats are rejected" do
    user = User.create!(email_address: "totp_format_test@example.com", password: "password123")
    # Enable TOTP with backup codes
    user.totp_secret = ROTP::Base32.random
    user.send(:generate_backup_codes)
    user.save!
    # Set up pending TOTP session
    post signin_path, params: { email_address: "totp_format_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Try invalid formats
    invalid_codes = [
      "12345",    # Too short
      "1234567",  # Too long
      "abcdef",   # Non-numeric (6 chars, won't match backup code format)
      "12 3456",  # Contains space
      ""          # Empty
    ]
    invalid_codes.each do |invalid_code|
      post totp_verification_path, params: { code: invalid_code }
      assert_response :redirect
      assert_redirected_to totp_verification_path
    end
    user.destroy
  end
  # ====================
  # TOTP RECOVERY FLOW TESTS
  # ====================
  test "user can sign in with backup code when TOTP device is lost" do
    user = User.create!(email_address: "totp_recovery_test@example.com", password: "password123")
    # Enable TOTP and generate backup codes
    user.totp_secret = ROTP::Base32.random
    backup_codes = user.send(:generate_backup_codes) # Call private method
    user.save!
    # Sign in
    post signin_path, params: { email_address: "totp_recovery_test@example.com", password: "password123" }
    assert_redirected_to totp_verification_path
    # Use backup code instead of TOTP
    post totp_verification_path, params: { code: backup_codes.first }
    # Should successfully sign in
    assert_response :redirect
    assert_redirected_to root_path
    user.sessions.delete_all
    user.destroy
  end
 end
--- a/test/fixtures/application_user_claims.yml
+++ b/test/fixtures/application_user_claims.yml
@@ -0,0 +1,11 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 kavita_alice_claims:
  application: kavita_app
  user: alice
  custom_claims: { "kavita_groups": ["admin"], "library_access": "all" }
 abs_alice_claims:
  application: audiobookshelf_app
  user: alice
  custom_claims: { "abs_groups": ["user"], "abs_permissions": { "canDownload": true, "canUpload": false } }
--- a/test/fixtures/applications.yml
+++ b/test/fixtures/applications.yml
@@ -13,6 +13,7 @@ kavita_app:
    https://kavita.example.com/signout-callback-oidc
  metadata: "{}"
  active: true
  require_pkce: false
 another_app:
  name: Another App
@@ -24,3 +25,16 @@ another_app:
    https://app.example.com/auth/callback
  metadata: "{}"
  active: true
  require_pkce: false
 audiobookshelf_app:
  name: Audiobookshelf
  slug: audiobookshelf
  app_type: oidc
  client_id: <%= SecureRandom.urlsafe_base64(32) %>
  client_secret_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
  redirect_uris: |
    https://abs.example.com/auth/openid/callback
  metadata: "{}"
  active: true
  require_pkce: false
--- a/test/fixtures/groups.yml
+++ b/test/fixtures/groups.yml
@@ -1,5 +1,13 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 one:
  name: Group One
  description: First test group
 two:
  name: Group Two
  description: Second test group
 admin_group:
  name: Administrators
  description: System administrators with full access
--- a/test/fixtures/oidc_access_tokens.yml
+++ b/test/fixtures/oidc_access_tokens.yml
@@ -1,14 +1,27 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 <%
  # Generate a random token and compute HMAC
  def generate_token_hmac
    token = SecureRandom.urlsafe_base64(48)
    hmac_key = Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
    hmac = OpenSSL::HMAC.hexdigest('SHA256', hmac_key, token)
    [token, hmac]
  end
  token_one, hmac_one = generate_token_hmac
  token_two, hmac_two = generate_token_hmac
 %>
 one:
-  token: <%= SecureRandom.urlsafe_base64(32) %>
+  token_hmac: <%= hmac_one %>
  application: kavita_app
  user: alice
  scope: "openid profile email"
  expires_at: 2025-12-31 23:59:59
 two:
-  token: <%= SecureRandom.urlsafe_base64(32) %>
+  token_hmac: <%= hmac_two %>
  application: another_app
  user: bob
  scope: "openid profile email"
--- a/test/fixtures/oidc_authorization_codes.yml
+++ b/test/fixtures/oidc_authorization_codes.yml
@@ -1,7 +1,20 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 <%
  # Generate a random code and compute HMAC
  def generate_code_hmac
    code = SecureRandom.urlsafe_base64(32)
    hmac_key = Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
    hmac = OpenSSL::HMAC.hexdigest('SHA256', hmac_key, code)
    [code, hmac]
  end
  code_one, hmac_one = generate_code_hmac
  code_two, hmac_two = generate_code_hmac
 %>
 one:
-  code: <%= SecureRandom.urlsafe_base64(32) %>
+  code_hmac: <%= hmac_one %>
  application: kavita_app
  user: alice
  redirect_uri: "https://kavita.example.com/signin-oidc"
@@ -10,7 +23,7 @@ one:
  used: false
 two:
-  code: <%= SecureRandom.urlsafe_base64(32) %>
+  code_hmac: <%= hmac_two %>
  application: another_app
  user: bob
  redirect_uri: "https://app.example.com/auth/callback"
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -1,5 +1,17 @@
 <% password_digest = BCrypt::Password.create("password") %>
 one:
  email_address: one@example.com
  password_digest: <%= password_digest %>
  admin: false
  status: 0 # active
 two:
  email_address: two@example.com
  password_digest: <%= password_digest %>
  admin: true
  status: 0 # active
 alice:
  email_address: alice@example.com
  password_digest: <%= password_digest %>
--- a/test/integration/forward_auth_integration_test.rb
+++ b/test/integration/forward_auth_integration_test.rb
@@ -6,6 +6,15 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    @admin_user = users(:two)
    @group = groups(:one)
    @group2 = groups(:two)
    # Create a forward_auth application for test.example.com
    @test_app = Application.create!(
      name: "Test App",
      slug: "test-app",
      app_type: "forward_auth",
      domain_pattern: "test.example.com",
      active: true
    )
  end
  # Basic Authentication Flow Tests
@@ -14,52 +23,41 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
    assert_response 302
    assert_match %r{/signin}, response.location
-    assert_equal "No session cookie", response.headers["X-Auth-Reason"]
+    assert_equal "No session cookie", response.headers["x-auth-reason"]
    # Step 2: Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
-    assert_redirected_to "/"
+    assert_response 302
    # Signin now redirects back with fa_token parameter
    assert_match(/\?fa_token=/, response.location)
    assert cookies[:session_id]
    # Step 3: Authenticated request should succeed
    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
  end
  test "session persistence across multiple requests" do
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
    session_cookie = cookies[:session_id]
    assert session_cookie
    # Multiple requests should work with same session
    3.times do |i|
      get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
      assert_response 200
      assert_equal @user.email_address, response.headers["X-Remote-User"]
    end
  end
  test "session expiration handling" do
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
-    # Manually expire the session
+    # Manually expire the session (get the most recent session for this user)
-    session = Session.find_by(id: cookies.signed[:session_id])
+    session = Session.where(user: @user).order(created_at: :desc).first
-    session.update!(created_at: 1.year.ago)
+    assert session, "No session found for user"
    session.update!(expires_at: 1.hour.ago)
    # Request should fail and redirect to login
    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
    assert_response 302
-    assert_equal "Session expired", response.headers["X-Auth-Reason"]
+    assert_equal "Session expired", response.headers["x-auth-reason"]
  end
  # Domain and Rule Integration Tests
  test "different domain patterns with same session" do
    # Create test rules
-    wildcard_rule = ForwardAuthRule.create!(domain_pattern: "*.example.com", active: true)
+    wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
-    exact_rule = ForwardAuthRule.create!(domain_pattern: "api.example.com", active: true)
+    exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
@@ -67,22 +65,22 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    # Test wildcard domain
    get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
    # Test exact domain
    get "/api/verify", headers: { "X-Forwarded-Host" => "api.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
    # Test non-matching domain (should use defaults)
    get "/api/verify", headers: { "X-Forwarded-Host" => "other.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
  end
  test "group-based access control integration" do
    # Create restricted rule
-    restricted_rule = ForwardAuthRule.create!(domain_pattern: "restricted.example.com", active: true)
+    restricted_rule = Application.create!(name: "Restricted App", slug: "restricted-app", app_type: "forward_auth", domain_pattern: "restricted.example.com", active: true)
    restricted_rule.allowed_groups << @group
    # Sign in user without group
@@ -91,7 +89,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    # Should be denied access
    get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
    assert_response 403
-    assert_match %r{permission to access this domain}, response.headers["X-Auth-Reason"]
+    assert_match %r{permission to access this domain}, response.headers["x-auth-reason"]
    # Add user to group
    @user.groups << @group
@@ -99,19 +97,21 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    # Should now be allowed
    get "/api/verify", headers: { "X-Forwarded-Host" => "restricted.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
  end
  # Header Configuration Integration Tests
  test "different header configurations with same user" do
-    # Create rules with different header configs
+    # Create applications with different configs
-    default_rule = ForwardAuthRule.create!(domain_pattern: "default.example.com", active: true)
+    default_rule = Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
-    custom_rule = ForwardAuthRule.create!(
+    custom_rule = Application.create!(
      name: "Custom App", slug: "custom-app", app_type: "forward_auth",
      domain_pattern: "custom.example.com",
      active: true,
      headers_config: { user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES" }
    )
-    no_headers_rule = ForwardAuthRule.create!(
+    no_headers_rule = Application.create!(
      name: "No Headers App", slug: "no-headers-app", app_type: "forward_auth",
      domain_pattern: "noheaders.example.com",
      active: true,
      headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
@@ -127,58 +127,61 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    # Test default headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "default.example.com" }
    assert_response 200
-    assert_equal "X-Remote-User", response.headers.keys.find { |k| k.include?("User") }
+    # Rails normalizes header keys to lowercase
-    assert_equal "X-Remote-Groups", response.headers.keys.find { |k| k.include?("Groups") }
+    assert_equal @user.email_address, response.headers["x-remote-user"]
    assert response.headers.key?("x-remote-groups")
    assert_equal "Group Two,Group One", response.headers["x-remote-groups"]
    # Test custom headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "custom.example.com" }
    assert_response 200
-    assert_equal "X-WEBAUTH-USER", response.headers.keys.find { |k| k.include?("USER") }
+    # Custom headers are also normalized to lowercase
-    assert_equal "X-WEBAUTH-ROLES", response.headers.keys.find { |k| k.include?("ROLES") }
+    assert_equal @user.email_address, response.headers["x-webauth-user"]
    assert response.headers.key?("x-webauth-roles")
    assert_equal "Group Two,Group One", response.headers["x-webauth-roles"]
    # Test no headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "noheaders.example.com" }
    assert_response 200
-    auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
+    # Check that no auth-related headers are present (excluding security headers)
    auth_headers = response.headers.select { |k, v| k.match?(/^x-remote-|^x-webauth-|^x-admin-/i) }
    assert_empty auth_headers
  end
  # Redirect URL Integration Tests
-  test "redirect URL preserves original request information" do
+  test "unauthenticated request redirects to signin with parameters" do
-    # Test with various redirect parameters
+    # Test that unauthenticated requests redirect to signin with rd and rm parameters
-    test_cases = [
+    get "/api/verify", headers: {
-      { rd: "https://app.example.com/", rm: "GET" },
+      "X-Forwarded-Host" => "grafana.example.com"
-      { rd: "https://grafana.example.com/dashboard", rm: "POST" },
+    }, params: {
-      { rd: "https://metube.example.com/videos", rm: "PUT" }
+      rd: "https://grafana.example.com/dashboard",
-    ]
+      rm: "GET"
-
+    }
    test_cases.each do |params|
      get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }, params: params
    assert_response 302
    location = response.location
-      # Should contain the original redirect URL
+    # Should redirect to signin with parameters (rd contains the original URL)
      assert_includes location, params[:rd]
      assert_includes location, params[:rm]
    assert_includes location, "/signin"
-    end
+    assert_includes location, "rd="
    assert_includes location, "rm=GET"
    # The rd parameter should contain the original grafana.example.com URL
    assert_includes location, "grafana.example.com"
  end
  test "return URL functionality after authentication" do
    # Initial request should set return URL
    get "/api/verify", headers: {
-      "X-Forwarded-Host" => "test.example.com",
+      "X-Forwarded-Host" => "app.example.com",
      "X-Forwarded-Uri" => "/admin"
    }, params: { rd: "https://app.example.com/admin" }
    assert_response 302
    location = response.location
-    # Extract return URL from location
+    # Should contain the redirect URL parameter
-    assert_match /rd=([^&]+)/, location
+    assert_includes location, "rd="
-    return_url = CGI.unescape($1)
+    assert_includes location, CGI.escape("https://app.example.com/admin")
    assert_equal "https://app.example.com/admin", return_url
    # Store session return URL
    return_to_after_authenticating = session[:return_to_after_authenticating]
@@ -191,7 +194,8 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    admin_user = users(:two)
    # Create restricted rule
-    admin_rule = ForwardAuthRule.create!(
+    admin_rule = Application.create!(
      name: "Admin App", slug: "admin-app", app_type: "forward_auth",
      domain_pattern: "admin.example.com",
      active: true,
      headers_config: { user: "X-Admin-User", admin: "X-Admin-Flag" }
@@ -201,7 +205,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    post "/signin", params: { email_address: regular_user.email_address, password: "password" }
    get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
    assert_response 200
-    assert_equal regular_user.email_address, response.headers["X-Admin-User"]
+    assert_equal regular_user.email_address, response.headers["x-admin-user"]
    # Sign out
    delete "/session"
@@ -210,113 +214,36 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    post "/signin", params: { email_address: admin_user.email_address, password: "password" }
    get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
    assert_response 200
-    assert_equal admin_user.email_address, response.headers["X-Admin-User"]
+    assert_equal admin_user.email_address, response.headers["x-admin-user"]
-    assert_equal "true", response.headers["X-Admin-Flag"]
+    assert_equal "true", response.headers["x-admin-flag"]
  end
  # Security Integration Tests
  test "session hijacking prevention" do
    # User A signs in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
    user_a_session = cookies[:session_id]
-    # User B signs in
+    # Verify User A can access protected resources
-    delete "/session"
+    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
    assert_response 200
    assert_equal @user.email_address, response.headers["x-remote-user"]
    user_a_session_id = Session.where(user: @user).last.id
    # Reset integration test session (but keep User A's session in database)
    reset!
    # User B signs in (creates a new session)
    post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
    user_b_session = cookies[:session_id]
-    # User A's session should still work
+    # Verify User B can access protected resources
-    get "/api/verify", headers: {
+    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
      "X-Forwarded-Host" => "test.example.com",
      "Cookie" => "_clinch_session_id=#{user_a_session}"
    }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @admin_user.email_address, response.headers["x-remote-user"]
    user_b_session_id = Session.where(user: @admin_user).last.id
-    # User B's session should work
+    # Verify both sessions still exist in the database
-    get "/api/verify", headers: {
+    assert Session.exists?(user_a_session_id), "User A's session should still exist"
-      "X-Forwarded-Host" => "test.example.com",
+    assert Session.exists?(user_b_session_id), "User B's session should still exist"
      "Cookie" => "_clinch_session_id=#{user_b_session}"
    }
    assert_response 200
    assert_equal @admin_user.email_address, response.headers["X-Remote-User"]
  end
  test "concurrent requests with same session" do
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
    session_cookie = cookies[:session_id]
    # Simulate concurrent requests
    threads = []
    results = []
    5.times do |i|
      threads << Thread.new do
        # Create a new integration test instance for this thread
        test_instance = self.class.new
        test_instance.setup_controller_request_and_response
        test_instance.get "/api/verify", headers: {
          "X-Forwarded-Host" => "app#{i}.example.com",
          "Cookie" => "_clinch_session_id=#{session_cookie}"
        }
        results << {
          thread_id: i,
          status: test_instance.response.status,
          user: test_instance.response.headers["X-Remote-User"]
        }
      end
    end
    threads.each(&:join)
    # All requests should succeed
    results.each do |result|
      assert_equal 200, result[:status], "Thread #{result[:thread_id]} failed"
      assert_equal @user.email_address, result[:user], "Thread #{result[:thread_id]} has wrong user"
    end
  end
  # Performance Integration Tests
  test "response times are reasonable" do
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
    # Test multiple requests
    start_time = Time.current
    10.times do |i|
      get "/api/verify", headers: { "X-Forwarded-Host" => "app#{i}.example.com" }
      assert_response 200
    end
    end_time = Time.current
    total_time = end_time - start_time
    average_time = total_time / 10
    # Each request should take less than 100ms on average
    assert average_time < 0.1, "Average response time #{average_time}s is too slow"
  end
  # Error Handling Integration Tests
  test "graceful handling of malformed headers" do
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
    # Test various malformed header combinations
    test_cases = [
      { "X-Forwarded-Host" => nil },
      { "X-Forwarded-Host" => "" },
      { "X-Forwarded-Host" => "   " },
      { "Host" => nil },
      { "Host" => "" }
    ]
    test_cases.each_with_index do |headers, i|
      get "/api/verify", headers: headers
      assert_response 200, "Failed on test case #{i}: #{headers.inspect}"
    end
  end
 end
--- a/test/integration/invitation_flow_test.rb
+++ b/test/integration/invitation_flow_test.rb
@@ -49,7 +49,9 @@ class InvitationFlowTest < ActionDispatch::IntegrationTest
      email_address: "newuser@example.com",
      password: "SecurePassword123!"
    }
-    assert_redirected_to root_path
+    # Redirect may include fa_token parameter for first-time authentication
    assert_response :redirect
    assert_match %r{^http://www\.example\.com/}, response.location
    assert cookies[:session_id]
  end
--- a/test/integration/session_security_test.rb
+++ b/test/integration/session_security_test.rb
@@ -0,0 +1,307 @@
 require "test_helper"
 class SessionSecurityTest < ActionDispatch::IntegrationTest
  # ====================
  # SESSION TIMEOUT TESTS
  # ====================
  test "session expires after inactivity" do
    user = User.create!(email_address: "session_test@example.com", password: "password123")
    # Sign in
    post signin_path, params: { email_address: "session_test@example.com", password: "password123" }
    assert_response :redirect
    follow_redirect!
    assert_response :success
    # Create a session that expires in 1 hour
    session_record = user.sessions.create!(
      ip_address: "127.0.0.1",
      user_agent: "TestAgent",
      last_activity_at: Time.current,
      expires_at: 1.hour.from_now
    )
    # Session should be active
    assert session_record.active?
    # Simulate session expiration by traveling past the expiry time
    travel 2.hours do
      session_record.reload
      assert_not session_record.active?
    end
    user.sessions.delete_all
    user.destroy
  end
  test "active sessions are tracked correctly" do
    user = User.create!(email_address: "multi_session_test@example.com", password: "password123")
    # Create multiple sessions
    session1 = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0 (Windows)",
      device_name: "Windows PC",
      last_activity_at: 10.minutes.ago
    )
    session2 = user.sessions.create!(
      ip_address: "192.168.1.2",
      user_agent: "Mozilla/5.0 (iPhone)",
      device_name: "iPhone",
      last_activity_at: 5.minutes.ago
    )
    # Check that both sessions are active
    assert_equal 2, user.sessions.active.count
    # Revoke one session
    session2.update!(expires_at: 1.minute.ago)
    # Only one session should remain active
    assert_equal 1, user.sessions.active.count
    assert_equal session1.id, user.sessions.active.first.id
    user.sessions.delete_all
    user.destroy
  end
  # ====================
  # SESSION FIXATION PREVENTION TESTS
  # ====================
  test "session_id changes after authentication" do
    user = User.create!(email_address: "session_fixation_test@example.com", password: "password123")
    # Sign in creates a new session
    post signin_path, params: { email_address: "session_fixation_test@example.com", password: "password123" }
    assert_response :redirect
    # User should be authenticated after sign in
    assert_redirected_to root_path
    user.destroy
  end
  # ====================
  # CONCURRENT SESSION HANDLING TESTS
  # ====================
  test "user can have multiple concurrent sessions" do
    user = User.create!(email_address: "concurrent_session_test@example.com", password: "password123")
    # Create multiple sessions from different devices
    session1 = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0 (Windows)",
      device_name: "Windows PC",
      last_activity_at: Time.current
    )
    session2 = user.sessions.create!(
      ip_address: "192.168.1.2",
      user_agent: "Mozilla/5.0 (iPhone)",
      device_name: "iPhone",
      last_activity_at: Time.current
    )
    session3 = user.sessions.create!(
      ip_address: "192.168.1.3",
      user_agent: "Mozilla/5.0 (Macintosh)",
      device_name: "MacBook",
      last_activity_at: Time.current
    )
    # All three sessions should be active
    assert_equal 3, user.sessions.active.count
    user.sessions.delete_all
    user.destroy
  end
  test "revoking one session does not affect other sessions" do
    user = User.create!(email_address: "revoke_session_test@example.com", password: "password123")
    # Create two sessions
    session1 = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0 (Windows)",
      device_name: "Windows PC",
      last_activity_at: Time.current
    )
    session2 = user.sessions.create!(
      ip_address: "192.168.1.2",
      user_agent: "Mozilla/5.0 (iPhone)",
      device_name: "iPhone",
      last_activity_at: Time.current
    )
    # Revoke session1
    session1.update!(expires_at: 1.minute.ago)
    # Session2 should still be active
    assert_equal 1, user.sessions.active.count
    assert_equal session2.id, user.sessions.active.first.id
    user.sessions.delete_all
    user.destroy
  end
  # ====================
  # LOGOUT INVALIDATES SESSIONS TESTS
  # ====================
  test "logout invalidates current session" do
    user = User.create!(email_address: "logout_test@example.com", password: "password123")
    # Create multiple sessions
    session1 = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0 (Windows)",
      device_name: "Windows PC",
      last_activity_at: Time.current
    )
    session2 = user.sessions.create!(
      ip_address: "192.168.1.2",
      user_agent: "Mozilla/5.0 (iPhone)",
      device_name: "iPhone",
      last_activity_at: Time.current
    )
    # Sign in (creates a new session via the sign-in flow)
    post signin_path, params: { email_address: "logout_test@example.com", password: "password123" }
    assert_response :redirect
    # Should have 3 sessions now
    assert_equal 3, user.sessions.count
    # Sign out (only terminates the current session)
    delete signout_path
    assert_response :redirect
    follow_redirect!
    assert_response :success
    # The 2 manually created sessions should still be active
    # The sign-in session was terminated
    assert_equal 2, user.sessions.active.count
    user.sessions.delete_all
    user.destroy
  end
  test "logout sends backchannel logout notifications" do
    user = User.create!(email_address: "logout_notification_test@example.com", password: "password123")
    application = Application.create!(
      name: "Logout Test App",
      slug: "logout-test-app",
      app_type: "oidc",
      redirect_uris: ["http://localhost:4000/callback"].to_json,
      backchannel_logout_uri: "http://localhost:4000/logout",
      active: true
    )
    # Create consent with backchannel logout enabled
    consent = OidcUserConsent.create!(
      user: user,
      application: application,
      scopes_granted: "openid profile",
      sid: "test-session-id-123"
    )
    # Sign in
    post signin_path, params: { email_address: "logout_notification_test@example.com", password: "password123" }
    assert_response :redirect
    # Sign out
    assert_enqueued_jobs 1 do
      delete signout_path
      assert_response :redirect
    end
    # Verify backchannel logout job was enqueued
    assert_equal BackchannelLogoutJob, ActiveJob::Base.queue_adapter.enqueued_jobs.first[:job]
    user.sessions.delete_all
    user.destroy
    application.destroy
  end
  # ====================
  # SESSION HIJACKING PREVENTION TESTS
  # ====================
  test "session includes IP address and user agent tracking" do
    user = User.create!(email_address: "hijacking_test@example.com", password: "password123")
    # Sign in
    post signin_path, params: { email_address: "hijacking_test@example.com", password: "password123" },
      headers: { "HTTP_USER_AGENT" => "TestBrowser/1.0" }
    assert_response :redirect
    # Check that session includes IP and user agent
    session = user.sessions.active.first
    assert_not_nil session.ip_address
    assert_not_nil session.user_agent
    user.sessions.delete_all
    user.destroy
  end
  test "session activity is tracked" do
    user = User.create!(email_address: "activity_test@example.com", password: "password123")
    # Create session
    session = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0",
      device_name: "Test Device",
      last_activity_at: 1.hour.ago
    )
    # Simulate activity update
    session.update!(last_activity_at: Time.current)
    # Session should still be active
    assert session.active?
    user.sessions.delete_all
    user.destroy
  end
  # ====================
  # FORWARD AUTH SESSION TESTS
  # ====================
  test "forward auth validates session correctly" do
    user = User.create!(email_address: "forward_auth_test@example.com", password: "password123")
    application = Application.create!(
      name: "Forward Auth Test",
      slug: "forward-auth-test-#{SecureRandom.hex(4)}",
      app_type: "forward_auth",
      domain_pattern: "test.example.com",
      redirect_uris: ["https://test.example.com"].to_json,
      active: true
    )
    # Create session
    user_session = user.sessions.create!(
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0",
      last_activity_at: Time.current
    )
    # Test forward auth endpoint with valid session
    get api_verify_path(rd: "https://test.example.com/protected"),
      headers: { cookie: "_session_id=#{user_session.id}" }
    # Should accept the request and redirect back
    assert_response :redirect
    user.sessions.delete_all
    user.destroy
    application.destroy
  end
 end
--- a/test/integration/webauthn_credential_enumeration_test.rb
+++ b/test/integration/webauthn_credential_enumeration_test.rb
@@ -0,0 +1,107 @@
 require "test_helper"
 class WebauthnCredentialEnumerationTest < ActionDispatch::IntegrationTest
  # ====================
  # CREDENTIAL ENUMERATION PREVENTION TESTS
  # ====================
  test "prevents credential enumeration via delete endpoint" do
    user1 = User.create!(email_address: "user1@example.com", password: "password123")
    user2 = User.create!(email_address: "user2@example.com", password: "password123")
    # Create a credential for user1
    credential1 = user1.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("user1_credential"),
      public_key: Base64.urlsafe_encode64("public_key_1"),
      sign_count: 0,
      nickname: "User1 Key",
      authenticator_type: "platform"
    )
    # Create a credential for user2
    credential2 = user2.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("user2_credential"),
      public_key: Base64.urlsafe_encode64("public_key_2"),
      sign_count: 0,
      nickname: "User2 Key",
      authenticator_type: "platform"
    )
    # Sign in as user1
    post signin_path, params: { email_address: "user1@example.com", password: "password123" }
    assert_response :redirect
    follow_redirect!
    # Try to delete user2's credential while authenticated as user1
    # This should return 404 (not 403) to prevent enumeration
    delete webauthn_credential_path(credential2.id), as: :json
    assert_response :not_found
    assert_includes JSON.parse(@response.body)["error"], "not found"
    # Verify both credentials still exist
    assert_equal 1, user1.webauthn_credentials.count
    assert_equal 1, user2.webauthn_credentials.count
    # Verify trying to delete a non-existent credential also returns 404
    # This confirms identical responses for enumeration prevention
    delete webauthn_credential_path(99999), as: :json
    assert_response :not_found
    assert_includes JSON.parse(@response.body)["error"], "not found"
    user1.destroy
    user2.destroy
  end
  test "allows users to delete their own credentials" do
    user = User.create!(email_address: "user@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("user_credential"),
      public_key: Base64.urlsafe_encode64("public_key"),
      sign_count: 0,
      nickname: "My Key",
      authenticator_type: "platform"
    )
    # Sign in
    post signin_path, params: { email_address: "user@example.com", password: "password123" }
    assert_response :redirect
    follow_redirect!
    # Delete own credential - should succeed
    assert_difference "user.webauthn_credentials.count", -1 do
      delete webauthn_credential_path(credential.id), as: :json
    end
    assert_response :success
    assert_includes JSON.parse(@response.body)["message"], "has been removed"
    user.destroy
  end
  test "unauthenticated user cannot delete credentials" do
    user = User.create!(email_address: "user@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("user_credential"),
      public_key: Base64.urlsafe_encode64("public_key"),
      sign_count: 0,
      nickname: "My Key",
      authenticator_type: "platform"
    )
    # Try to delete without authentication
    delete webauthn_credential_path(credential.id), as: :json
    # Should get redirect to signin (require_authentication before_action runs first)
    assert_response :redirect
    assert_redirected_to signin_path
    # Verify credential still exists
    assert_equal 1, user.webauthn_credentials.count
    user.destroy
  end
 end
--- a/test/jobs/application_job_test.rb
+++ b/test/jobs/application_job_test.rb
@@ -37,11 +37,14 @@ class ApplicationJobTest < ActiveJob::TestCase
    end
    assert_enqueued_jobs 1 do
-      test_job.perform_later("arg1", "arg2", { key: "value" })
+      test_job.perform_later("arg1", "arg2", { "key" => "value" })
    end
-    # Job class name may be nil in test environment, focus on args
+    # ActiveJob serializes all hash keys as strings
-    assert_equal ["arg1", "arg2", { key: "value" }], enqueued_jobs.last[:args]
+    args = enqueued_jobs.last[:args]
    assert_equal "arg1", args[0]
    assert_equal "arg2", args[1]
    assert_equal "value", args[2]["key"]
  end
  test "should have default queue configuration" do
--- a/test/jobs/invitations_mailer_test.rb
+++ b/test/jobs/invitations_mailer_test.rb
@@ -25,8 +25,8 @@ class InvitationsMailerTest < ActionMailer::TestCase
    assert_equal "You're invited to join Clinch", email.subject
    assert_equal [@user.email_address], email.to
-    assert_equal [], email.cc
+    assert_equal [], email.cc || []
-    assert_equal [], email.bcc
+    assert_equal [], email.bcc || []
    # From address is configured in ApplicationMailer
    assert_not_nil email.from
    assert email.from.is_a?(Array)
@@ -107,17 +107,15 @@ class InvitationsMailerTest < ActionMailer::TestCase
  end
  test "should have proper email headers" do
-    email = @invitation_mail
+    # Deliver the email first to ensure headers are set
    email = InvitationsMailer.invite_user(@user).deliver_now
-    # Test common email headers
+    # Test common email headers (message_id is set on delivery)
    assert_not_nil email.message_id
    assert_not_nil email.date
-    # Test content-type
+    # Test content-type - multipart emails contain both text and html parts
-    if email.html_part
+    assert_includes email.content_type, "multipart"
-      assert_includes email.content_type, "text/html"
+    assert email.html_part || email.text_part, "Should have html or text part"
    elsif email.text_part
      assert_includes email.content_type, "text/plain"
    end
  end
 end
--- a/test/jobs/passwords_mailer_test.rb
+++ b/test/jobs/passwords_mailer_test.rb
@@ -25,8 +25,8 @@ class PasswordsMailerTest < ActionMailer::TestCase
    assert_equal "Reset your password", email.subject
    assert_equal [@user.email_address], email.to
-    assert_equal [], email.cc
+    assert_equal [], email.cc || []
-    assert_equal [], email.bcc
+    assert_equal [], email.bcc || []
    # From address is configured in ApplicationMailer
    assert_not_nil email.from
    assert email.from.is_a?(Array)
@@ -40,9 +40,6 @@ class PasswordsMailerTest < ActionMailer::TestCase
    email = PasswordsMailer.reset(@user)
    email_body = email.body.encoded
    # Should include user's email address
    assert_includes email_body, @user.email_address
    # Should include reset link structure
    assert_includes email_body, "reset"
    assert_includes email_body, "password"
@@ -53,6 +50,8 @@ class PasswordsMailerTest < ActionMailer::TestCase
    # Should include reset-related text
    assert_includes email_text, "reset"
    assert_includes email_text, "password"
    # Should include a URL (the reset link)
    assert_includes email_text, "http"
  end
  test "should handle users with different statuses" do
@@ -149,23 +148,27 @@ class PasswordsMailerTest < ActionMailer::TestCase
  end
  test "should have proper email headers and security" do
-    email = @reset_mail
+    email = PasswordsMailer.reset(@user)
    email.deliver_now
    # Test common email headers
    assert_not_nil email.message_id
    assert_not_nil email.date
-    # Test content-type
+    # Test content-type (can be multipart, text/html, or text/plain)
-    if email.html_part
+    if email.html_part && email.text_part
      assert_includes email.content_type, "multipart/alternative"
    elsif email.html_part
      assert_includes email.content_type, "text/html"
    elsif email.text_part
      assert_includes email.content_type, "text/plain"
    end
-    # Should not include sensitive data in headers
+    # Should not include sensitive data in headers (except Subject which legitimately mentions password)
-    email.header.each do |key, value|
+    email.header.fields.each do |field|
-      refute_includes value.to_s.downcase, "password"
+      next if field.name =~ /^subject$/i
-      refute_includes value.to_s.downcase, "token"
+      # Check for actual tokens (not just the word "token" which is common in emails)
      refute_includes field.value.to_s.downcase, "password"
    end
  end
--- a/test/models/application_user_claim_test.rb
+++ b/test/models/application_user_claim_test.rb
@@ -0,0 +1,78 @@
 require "test_helper"
 class ApplicationUserClaimTest < ActiveSupport::TestCase
  def setup
    @user = users(:bob)
    @application = applications(:another_app)
  end
  test "should create valid application user claim" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin" }
    )
    assert claim.valid?
    assert claim.save
  end
  test "should enforce uniqueness of user per application" do
    ApplicationUserClaim.create!(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin" }
    )
    duplicate = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "user" }
    )
    assert_not duplicate.valid?
    assert_includes duplicate.errors[:user_id], "has already been taken"
  end
  test "parsed_custom_claims returns hash" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin", "level": 5 }
    )
    parsed = claim.parsed_custom_claims
    assert_equal "admin", parsed["role"]
    assert_equal 5, parsed["level"]
  end
  test "parsed_custom_claims returns empty hash when nil" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: nil
    )
    assert_equal({}, claim.parsed_custom_claims)
  end
  test "should not allow reserved OIDC claim names" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "groups": ["admin"], "role": "user" }
    )
    assert_not claim.valid?
    assert_includes claim.errors[:custom_claims], "cannot override reserved OIDC claims: groups"
  end
  test "should allow non-reserved claim names" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "kavita_groups": ["admin"], "role": "user" }
    )
    assert claim.valid?
  end
 end
--- a/test/models/oidc_access_token_test.rb
+++ b/test/models/oidc_access_token_test.rb
@@ -24,10 +24,10 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
      application: applications(:kavita_app),
      user: users(:alice)
    )
-    assert_nil new_token.token
+    assert_nil new_token.plaintext_token
    assert new_token.save
-    assert_not_nil new_token.token
+    assert_not_nil new_token.plaintext_token
-    assert_match /^[A-Za-z0-9_-]+$/, new_token.token
+    assert_match /^[A-Za-z0-9_-]+$/, new_token.plaintext_token
  end
  test "should set expiry before validation on create" do
@@ -42,23 +42,6 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
    assert new_token.expires_at <= 61.minutes.from_now # Allow some variance
  end
  test "should validate presence of token" do
    @access_token.token = nil
    assert_not @access_token.valid?
    assert_includes @access_token.errors[:token], "can't be blank"
  end
  test "should validate uniqueness of token" do
    @access_token.save! if @access_token.changed?
    duplicate = OidcAccessToken.new(
      token: @access_token.token,
      application: applications(:another_app),
      user: users(:bob)
    )
    assert_not duplicate.valid?
    assert_includes duplicate.errors[:token], "has already been taken"
  end
  test "should identify expired tokens correctly" do
    @access_token.expires_at = 5.minutes.ago
    assert @access_token.expired?, "Should identify past expiry as expired"
@@ -92,9 +75,10 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
    @access_token.revoke!
    @access_token.reload
-    assert @access_token.expired?, "Token should be expired after revocation"
+    assert @access_token.revoked?, "Token should be revoked after revocation"
-    assert @access_token.expires_at <= Time.current, "Expiry should be set to current time or earlier"
+    assert @access_token.revoked_at <= Time.current, "Revoked at should be set to current time or earlier"
-    assert @access_token.expires_at < original_expiry, "Expiry should be changed from original"
+    # expires_at should not be changed by revocation
    assert_equal original_expiry, @access_token.expires_at, "Expiry should remain unchanged"
  end
  test "valid scope should return only non-expired tokens" do
@@ -142,7 +126,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
    @access_token.revoke!
    assert original_active, "Token should be active before revocation"
-    assert @access_token.expired?, "Token should be expired after revocation"
+    assert @access_token.revoked?, "Token should be revoked after revocation"
  end
  test "should generate secure random tokens" do
@@ -152,7 +136,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
        application: applications(:kavita_app),
        user: users(:alice)
      )
-      tokens << token.token
+      tokens << token.plaintext_token
    end
    # All tokens should be unique
@@ -179,7 +163,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
      user: users(:alice)
    )
-    assert access_token.token.length > auth_code.code.length,
+    assert access_token.plaintext_token.length > auth_code.plaintext_code.length,
           "Access tokens should be longer than authorization codes"
  end
--- a/test/models/oidc_authorization_code_test.rb
+++ b/test/models/oidc_authorization_code_test.rb
@@ -25,10 +25,10 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
      user: users(:alice),
      redirect_uri: "https://example.com/callback"
    )
-    assert_nil new_code.code
+    assert_nil new_code.code_hmac
    assert new_code.save
-    assert_not_nil new_code.code
+    assert_not_nil new_code.code_hmac
-    assert_match /^[A-Za-z0-9_-]+$/, new_code.code
+    assert_match /^[a-f0-9]{64}$/, new_code.code_hmac # SHA256 hex digest
  end
  test "should set expiry before validation on create" do
@@ -44,22 +44,22 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
    assert new_code.expires_at <= 11.minutes.from_now # Allow some variance
  end
-  test "should validate presence of code" do
+  test "should validate presence of code_hmac" do
-    @auth_code.code = nil
+    @auth_code.code_hmac = nil
    assert_not @auth_code.valid?
-    assert_includes @auth_code.errors[:code], "can't be blank"
+    assert_includes @auth_code.errors[:code_hmac], "can't be blank"
  end
-  test "should validate uniqueness of code" do
+  test "should validate uniqueness of code_hmac" do
    @auth_code.save! if @auth_code.changed?
    duplicate = OidcAuthorizationCode.new(
-      code: @auth_code.code,
+      code_hmac: @auth_code.code_hmac,
      application: applications(:another_app),
      user: users(:bob),
      redirect_uri: "https://example.com/callback"
    )
    assert_not duplicate.valid?
-    assert_includes duplicate.errors[:code], "has already been taken"
+    assert_includes duplicate.errors[:code_hmac], "has already been taken"
  end
  test "should validate presence of redirect_uri" do
@@ -178,16 +178,16 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
        user: users(:alice),
        redirect_uri: "https://example.com/callback"
      )
-      codes << code.code
+      codes << code.code_hmac
    end
    # All codes should be unique
    assert_equal codes.length, codes.uniq.length
-    # All codes should match the expected pattern
+    # All codes should be SHA256 hex digests
    codes.each do |code|
-      assert_match /^[A-Za-z0-9_-]+$/, code
+      assert_match /^[a-f0-9]{64}$/, code
-      assert_equal 43, code.length # Base64 padding removed
+      assert_equal 64, code.length # SHA256 hex digest
    end
  end
 end
--- a/test/models/user_password_management_test.rb
+++ b/test/models/user_password_management_test.rb
@@ -6,68 +6,47 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
  end
  test "should generate password reset token" do
-    assert_nil @user.password_reset_token
+    token = @user.generate_token_for(:password_reset)
    assert_nil @user.password_reset_token_created_at
    @user.generate_token_for(:password_reset)
    @user.save!
-    assert_not_nil @user.password_reset_token
+    assert_not_nil token
-    assert_not_nil @user.password_reset_token_created_at
+    assert token.length > 20
-    assert @user.password_reset_token.length > 20
+    assert token.is_a?(String)
    assert @user.password_reset_token_created_at > 5.minutes.ago
  end
  test "should generate invitation login token" do
-    assert_nil @user.invitation_login_token
+    token = @user.generate_token_for(:invitation_login)
    assert_nil @user.invitation_login_token_created_at
    @user.generate_token_for(:invitation_login)
    @user.save!
-    assert_not_nil @user.invitation_login_token
+    assert_not_nil token
-    assert_not_nil @user.invitation_login_token_created_at
+    assert token.length > 20
-    assert @user.invitation_login_token.length > 20
+    assert token.is_a?(String)
    assert @user.invitation_login_token_created_at > 5.minutes.ago
  end
  test "should generate magic login token" do
    assert_nil @user.magic_login_token
    assert_nil @user.magic_login_token_created_at
    @user.generate_token_for(:magic_login)
    @user.save!
    assert_not_nil @user.magic_login_token
    assert_not_nil @user.magic_login_token_created_at
    assert @user.magic_login_token.length > 20
    assert @user.magic_login_token_created_at > 5.minutes.ago
  end
  test "should generate tokens with different lengths" do
    # Test that different token types generate appropriate length tokens
-    token_types = [:password_reset, :invitation_login, :magic_login]
+    token_types = [:password_reset, :invitation_login]
    token_types.each do |token_type|
-      @user.generate_token_for(token_type)
+      token = @user.generate_token_for(token_type)
      @user.save!
      token = @user.send("#{token_type}_token")
      assert_not_nil token, "#{token_type} token should be generated"
      assert token.length >= 32, "#{token_type} token should be at least 32 characters"
-      assert token.length <= 64, "#{token_type} token should not exceed 64 characters"
+      assert token.is_a?(String), "#{token_type} token should be a string"
    end
  end
  test "should validate token expiration timing" do
-    # Test token creation timing
+    # Test token creation timing - generate_token_for returns the token immediately
-    @user.generate_token_for(:password_reset)
+    before = Time.current
    token = @user.generate_token_for(:password_reset)
    after = Time.current
    @user.save!
-    created_at = @user.send("#{:password_reset}_token_created_at")
+    assert token.present?, "Token should be generated"
-    assert created_at.present?, "Token creation time should be set"
+    assert before <= after, "Token generation should be immediate"
    assert created_at > 1.minute.ago, "Token should be recently created"
    assert created_at < 1.minute.from_now, "Token should be within reasonable time window"
  end
  test "should handle secure password generation" do
@@ -132,41 +111,36 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
  end
  test "should validate different token types" do
-    # Test all token types work
+    # Test all token types work with generates_token_for
-    token_types = [:password_reset, :invitation_login, :magic_login]
+    token_types = [:password_reset, :invitation_login]
    token_types.each do |token_type|
-      @user.generate_token_for(token_type)
+      token = @user.generate_token_for(token_type)
      @user.save!
-      case token_type
+      # generate_token_for returns a token string
-      when :password_reset
+      assert token.present?, "#{token_type} token should be generated"
-        assert @user.password_reset_token.present?
+      assert token.is_a?(String), "#{token_type} token should be a string"
-        assert @user.password_reset_token_valid?
+      assert token.length > 20, "#{token_type} token should be substantial length"
      when :invitation_login
        assert @user.invitation_login_token.present?
        assert @user.invitation_login_token_valid?
      when :magic_login
        assert @user.magic_login_token.present?
        assert @user.magic_login_token_valid?
      end
    end
  end
  test "should validate password strength" do
-    # Test password validation rules
+    # Test password validation rules (minimum length only)
-    weak_passwords = ["123456", "password", "qwerty", "abc123"]
+    weak_passwords = ["123456", "abc", "short"]
    weak_passwords.each do |password|
      user = User.new(email_address: "test@example.com", password: password)
      assert_not user.valid?, "Weak password should be invalid"
-      assert_includes user.errors[:password].to_s, "too short", "Weak password should be too short"
+      assert user.errors[:password].present?, "Should have password error"
    end
-    # Test valid password
+    # Test valid passwords (any 8+ character password is valid)
-    strong_password = "ThisIsA$tr0ngP@ssw0rd!123"
+    valid_passwords = ["password123", "ThisIsA$tr0ngP@ssw0rd!123"]
-    user = User.new(email_address: "test@example.com", password: strong_password)
+    valid_passwords.each do |password|
-    assert user.valid?, "Strong password should be valid"
+      user = User.new(email_address: "test@example.com", password: password)
      assert user.valid?, "Valid 8+ character password should be valid"
    end
  end
  test "should handle password confirmation validation" do
@@ -186,18 +160,14 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
  test "should handle password reset controller integration" do
    # Test that password reset functionality works with controller integration
-    original_password = @user.password_digest
+    # generate_token_for returns the token string
-
+    reset_token = @user.generate_token_for(:password_reset)
    # Generate reset token through model
    @user.generate_token_for(:password_reset)
    @user.save!
    reset_token = @user.password_reset_token
    assert_not_nil reset_token, "Should generate reset token"
-    # Verify token is usable in controller flow
+    # Token can be used for lookups (returns nil if token is for different purpose/expired)
-    found_user = User.find_by_password_reset_token(reset_token)
+    # The token is stored and validated through Rails' generates_token_for mechanism
    assert_equal @user, found_user, "Should find user by reset token"
  end
  test "should handle different user statuses" do
@@ -280,22 +250,4 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
    assert_not_nil @user.last_sign_in_at, "last_sign_in_at should be set after update"
    assert @user.last_sign_in_at > 1.minute.ago, "last_sign_in_at should be recent"
  end
  test "should invalidate magic login token after sign in" do
    # Generate magic login token
    @user.update!(last_sign_in_at: 1.hour.ago)  # Set initial timestamp
    old_sign_in_time = @user.last_sign_in_at
    magic_token = @user.generate_token_for(:magic_login)
    # Token should be valid before sign-in
    assert User.find_by_magic_login_token(magic_token)&.id == @user.id, "Magic login token should be valid initially"
    # Simulate sign-in (which updates last_sign_in_at)
    @user.update!(last_sign_in_at: Time.current)
    # Token should now be invalid because last_sign_in_at changed
    assert_nil User.find_by_magic_login_token(magic_token), "Magic login token should be invalid after sign-in"
    assert_not_equal old_sign_in_time, @user.last_sign_in_at, "last_sign_in_at should have changed"
  end
 end
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -135,45 +135,6 @@ class UserTest < ActiveSupport::TestCase
    assert_equal user, found_user
  end
  test "magic login token generation" do
    user = User.create!(
      email_address: "test@example.com",
      password: "password123"
    )
    token = user.generate_token_for(:magic_login)
    assert_not_nil token
    assert token.is_a?(String)
  end
  test "finds user by valid magic login token" do
    user = User.create!(
      email_address: "test@example.com",
      password: "password123"
    )
    token = user.generate_token_for(:magic_login)
    found_user = User.find_by_token_for(:magic_login, token)
    assert_equal user, found_user
  end
  test "magic login token depends on last_sign_in_at" do
    user = User.create!(
      email_address: "test@example.com",
      password: "password123",
      last_sign_in_at: 1.hour.ago
    )
    token = user.generate_token_for(:magic_login)
    # Update last_sign_in_at to invalidate the token
    user.update!(last_sign_in_at: Time.current)
    found_user = User.find_by_token_for(:magic_login, token)
    assert_nil found_user
  end
  test "admin scope" do
    admin_user = User.create!(
      email_address: "admin@example.com",
--- a/test/services/oidc_jwt_service_test.rb
+++ b/test/services/oidc_jwt_service_test.rb
@@ -1,10 +1,59 @@
 require "test_helper"
 class OidcJwtServiceTest < ActiveSupport::TestCase
  TEST_OIDC_KEY = <<~KEY
    -----BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCNLfKZ4+Po2Rhd
    uwtStOvU3XwI4IMPWvIArIskYKKwiRS2GYyYKIa0LtRacExEopbYVonUuNFrvbBZ
    bl7RHH2qF9u5C01Iadz0sa1ZOqUeetstgK4Wlx9v5kHrGvaTzGLyPmyOzuUTj0LO
    jDHXuO6ojIJBSIIKmOqO6yOgogX7zWuBzuRFAlDmkaBcg0N/PGb9nvPIyB8oJd3E
    mKNZtoiAyETLsiF1QMp3PuOj25k7tSgHj+80OCOWe9n7g7iXooGXqIIcYfaxrU7H
    216lkMLLMblfGc/O68NAKW32x85dpgI3fiNTZS0Wc52yZUQ+zxBhRJ95yjvyfSaC
    PGysWdFdAgMBAAECggEAGhO63DCDHDMfZE7EimgXKHgprTUVGDy+9x9nyxYbbtq/
    K9yfwso3iWgd+r+D4uiaTsb7SgLCUfGVdYtksaDe2FB0WiNriLzfHoaEI7dooO7l
    9atvXIZY/PENy3itQ4MM4rxjjmRKXVjIqQCtwzAqSxE7DQZw2LbCmpf1unm6+7XB
    So0L3ScgkBszRjOlLoe6LPCkYNisANEH2elNmzgDfAdwhmQSXCnipiIGGxOfFbf8
    qyAyxmWmzIfnbU1LzOA916C3iLcKVySHm/2SVXsznnwHAdWMW/YVSpTuWmmV+hES
    3krOBWvh4caVljYxfRkwneIUtnZUBhlVDb0sqRq/yQKBgQDEACJijI++e7L7+6l7
    vdGhkRzi6BKGixCNeiEUzYjTYKpsMaWm54MYnhZhIaSuYQYEInmkW1wz3DXcH6P5
    a4rnwpT+66ka6sj5BrD59saPpUaqmnjKY9MDep2WbcCXmNdA4C3xjottHXn4x/9v
    bHfUlcvdPulbW/QYK4WCfqKSdQKBgQC4Za7NlY3E0CmOO7o0J9vzO1qPb/QIdv7J
    ohhcAlAsmW1zZEiYxNuQkl4RJLseqMYRHlTzRD0nfEDHksLcp2uXG2WYK6ESP/oI
    Wl4Lm169e5sutEqFujj6dsrQ+jqGuGSNV2I0rAfEOE2ZSeKNRFsJH35EBMq8XQF1
    Q4ir/MgWSQKBgHRJbB0yLjqio5+zQWwEQ/Lq6MuLSyp+KZT259ey1kIrMRG+Jv0u
    kG4zpS19y3oWYH5lgexMtBikx2PRdfUOpDw7CzFv2kX5FMIDAU9c5ZPmSFYCDjZu
    IY0H26Wbek+3Q8be+wM9QmW7vlknN9sA7Nu5AFpE8CjfFqScdbrlrUjdAoGAf4W6
    tOyHhaPcCURfCrDCGN1kTKxE3RHGNJWIOSFUZvOYUOP6nMQPgFTo/vwi+BoKGE6c
    uzvm+wagGiTx4/1Yl8DXqrwJgYCDHwG35lkF1Q7FjDAdFYxq2TQMISfcD803pNPY
    08pg+J9jcu444i9yscV44ftaZZgAaSNSQnbnvRkCgYBQwP/nqGtXMHHVz97NeEJT
    xQ/0GCNx1isIN8ZKzynVwZebFrtxwrFOf3zIxgtlx30V3Ekezx7kmbaPiQr041J4
    nKBppinMQsTb9Bu/0K8aHvjpxdkPeMdugfZAPShDnhM3fhukiJZp36X4u1/xY4Gn
    wkkkJkpY4gKeqVL0uzeARA==
    -----END PRIVATE KEY-----
  KEY
  def setup
    @user = users(:alice)
    @application = applications(:kavita_app)
    @service = OidcJwtService
    # Set a consistent test key to avoid key mismatch issues
    ENV["OIDC_PRIVATE_KEY"] = TEST_OIDC_KEY
    # Reset any memoized keys to pick up the new ENV value
    OidcJwtService.instance_variable_set(:@private_key, nil)
    OidcJwtService.instance_variable_set(:@public_key, nil)
    OidcJwtService.instance_variable_set(:@key_id, nil)
  end
  def teardown
    # Clean up ENV after test
    ENV.delete("OIDC_PRIVATE_KEY")
    # Reset memoized keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    OidcJwtService.instance_variable_set(:@public_key, nil)
    OidcJwtService.instance_variable_set(:@key_id, nil)
  end
  test "should generate id token with required claims" do
@@ -14,133 +63,157 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    assert token.length > 100, "Token should be substantial"
    assert token.include?('.')
-    decoded = JWT.decode(token, nil, true)
+    # Decode without verification for testing the payload
    decoded = JWT.decode(token, nil, false).first
    assert_equal @application.client_id, decoded['aud'], "Should have correct audience"
    assert_equal @user.id.to_s, decoded['sub'], "Should have correct subject"
    assert_equal @user.email_address, decoded['email'], "Should have correct email"
    assert_equal true, decoded['email_verified'], "Should have email verified"
    assert_equal @user.email_address, decoded['preferred_username'], "Should have preferred username"
    assert_equal @user.email_address, decoded['name'], "Should have name"
-    assert_equal "https://localhost:3000", decoded['iss'], "Should have correct issuer"
+    assert_equal @service.issuer_url, decoded['iss'], "Should have correct issuer"
-    assert_equal Time.now.to_i + 3600, decoded['exp'], "Should have correct expiration"
+    assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration"
  end
  test "should handle nonce in id token" do
    nonce = "test-nonce-12345"
    token = @service.generate_id_token(@user, @application, nonce: nonce)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    assert_equal nonce, decoded['nonce'], "Should preserve nonce in token"
-    assert_equal Time.now.to_i + 3600, decoded['exp'], "Should have correct expiration with nonce"
+    assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration with nonce"
  end
  test "should include groups in token when user has groups" do
-    @user.groups << groups(:admin_group)
+    admin_group = groups(:admin_group)
    @user.groups << admin_group unless @user.groups.include?(admin_group)
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
-    assert_includes decoded['groups'], "admin", "Should include user's groups"
+    assert_includes decoded['groups'], "Administrators", "Should include user's groups"
  end
-  test "should include admin claim for admin users" do
+  test "admin claim should not be included in token" do
    @user.update!(admin: true)
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
-    assert_equal true, decoded['admin'], "Admin users should have admin claim"
+    refute decoded.key?('admin'), "Admin claim should not be included in ID tokens (use groups instead)"
  end
  test "should handle role-based claims when enabled" do
    @application.update!(
      role_mapping_enabled: true,
      role_mapping_mode: "oidc_managed",
      role_claim_name: "roles"
    )
    @application.assign_role_to_user!(@user, "editor", source: 'oidc', metadata: { synced_at: Time.current })
    token = @service.generate_id_token(@user, @application)
    decoded = JWT.decode(token, nil, true)
    assert_includes decoded['roles'], "editor", "Should include user's role"
  end
  test "should include role metadata when configured" do
    @application.update!(
      role_mapping_enabled: true,
      role_mapping_mode: "oidc_managed",
      parsed_managed_permissions: {
        "include_permissions" => true,
        "include_metadata" => true
      }
    )
    role = @application.application_roles.create!(
      name: "editor",
      display_name: "Content Editor",
      permissions: ["read", "write"]
    )
    @application.assign_role_to_user!(
      @user,
      "editor",
      source: 'oidc',
      metadata: {
        synced_at: Time.current,
        department: "Content Team",
        level: "2"
      }
    )
    token = @service.generate_id_token(@user, @application)
    decoded = JWT.decode(token, nil, true)
    assert_equal "Content Editor", decoded['role_display_name'], "Should include role display name"
    assert_includes decoded['role_permissions'], "read", "Should include read permission"
    assert_includes decoded['role_permissions'], "write", "Should include write permission"
    assert_equal "Content Team", decoded['role_department'], "Should include department"
    assert_equal "2", decoded['role_level'], "Should include level"
  end
  test "should handle missing roles gracefully" do
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    refute_includes decoded, 'roles', "Should not have roles when not configured"
  end
-  test "should use RSA private key from environment" do
+  test "should load RSA private key from environment with escaped newlines" do
-    ENV.stub(:fetch, "OIDC_PRIVATE_KEY") { "test-private-key" }
+    # Simulate how direnv exports multi-line strings with \n escape sequences
    key_with_escaped_newlines = "-----BEGIN PRIVATE KEY-----\\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDg3SfOR4UW6wV2\\nyKnE/pN5/tvUC7Fpol5/NjJQHm24F8+r6iipdLWJrJ3T2oEzaKw/RTGYPBQvjj6c\\nz3+tc7QkJLOESJCA0WqgawE1WdKSx5ug3sP0Y7woTPipt+afGaV58YvV/sqFD1ft\\nU+2w8olBHqWphUCd/LakfvqHbwrmF58IASk4IbGceqQ7f98d/8C8TrR6k3SKQAto\\n0OWo+xuyJg0RoSS8S220/qyIukXxtHS89NQj3dgJI06fGCSATCu8uVdsKwBDNw3F\\nBSQEX3xhk8E/JXXZfwRFR1K3zUIVQu8haQ3YA52b0jkzE2xI6TaHVbuGdifmGAmX\\nb5jsJ/eNAgMBAAECggEAAWJb3PwlOUANWTe630Pp1OegV5M1Tn2vi+oQPosPl1iX\\nFlbymrj80EfaRPWo84oKnq0t1/RnogrbDa3txgdpSVCsEWk9N2SyoJXy8+MZu6Er\\nQHka8qfBVfe4PbHyRj3FSeQKvZOEvvOgNJkYpIFeb5zkHa1ISyloEWvAxr0njJbQ\\n0F2jML4sUeduYulCWI9dSJdB+yp8BsmOPu8VzUFthW/GPPuw4a4ngzoGtPV6f/kp\\ncjPa2YT8L8z6zXE0IiDU8bc5abC++QBNLJrMy55tM+zfgGyShandITbcpuWptIqT\\n2yhMulifOMw0hdV0cYRqetkWkevz07nrwnh/1FGjYQKBgQD9C/Ls720tULS7SIdh\\nuDWnrtMG4sidSbxWJTOqPUNZ9a0vaHnx/FwlmvURyCojn5leLByY8ZNN08DxKBVq\\nwH6ZJe7KGOik5wMtFV1zrhyHNpa/H/RrLaYAZqCVlGYyOVqNa7mA7oOIeqtbv9x+\\nOaEz3BnoXHOJOwM10h20Nos6bQKBgQDjfQCSQXcrkV8hKf+F65N7Kcf7JMlZQAA3\\n9dvJxxek683bhYTLZhubY/tegfhxlZGkgP3eHKI1XyUYBCNBnztn3t1zD0ovcqRX\\no21m5TaJ0fGW4X3iyi1IWioMBPXffR8tXk5+LnWVZ26RgmaBG1rgOJEQ5bHYMtHj\\n+jo9JLV9oQKBgQDt1nNHm2qEcxzMAsmsYVWc+8bA7BsfKxTn6yN6WQaa4T0cGBi2\\nBzoc5l59jiN9RB8E0nU2k6ieN+9bOw+WPMNA8tRUA8F2bOMhVrl1ZyrNM9PQZBp5\\nOniSW+OHc+nyPtILpjq/Im9isdmp7NUzlrsbYT7AlVTKoTrNNWZR4gpOqQKBgQC3\\nIWwSUS00H4TrV7nh/zDsl0fr/0Mv2/vRENTsbJ+2HjXMIII0k3Bp+WTkQdDU70kd\\nmtHDul1CheOAn+QZ8auLBLhU5dwcsjdmbaOmj6MF88J+aexDY+psMlli76NXVIyC\\no0ahAZmaunciIE2QZYsUsbTmW2J93vtkgY3cpu6LwQKBgDigl7dCQl38Vt7FhxjJ\\naC6wmmM8YX6y5f5t3caVVBizVhx8xOXQla96zB0nW6ibTpaIKCSdORxMGAoajTZ9\\n8Ww2gOfZpZeojU2YHTV/KFd7wHGYE8QaBKqP6DuibLnP5farjuwPeGvbjZW6e9cy\\nntHkSPI0VmhqsUQEMgPnYuCg\\n-----END PRIVATE KEY-----"
-    private_key = @service.private_key
+    # Clear any cached keys
-    assert_equal "test-private-key", private_key.to_s, "Should use private key from environment"
+    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return the test key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = key_with_escaped_newlines
    # The service should convert \n to actual newlines and load successfully
    private_key = OidcJwtService.send(:private_key)
    assert_not_nil private_key
    assert_kind_of OpenSSL::PKey::RSA, private_key
    assert_equal 2048, private_key.n.num_bits
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should handle key with actual newlines" do
    # Generate a real test key
    test_key = OpenSSL::PKey::RSA.new(2048)
    key_pem = test_key.to_pem
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return the test key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = key_pem
    private_key = OidcJwtService.send(:private_key)
    assert_not_nil private_key
    assert_kind_of OpenSSL::PKey::RSA, private_key
    assert_equal 2048, private_key.n.num_bits
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should raise error for invalid key format" do
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return invalid key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = "invalid-key-data"
    error = assert_raises RuntimeError do
      OidcJwtService.send(:private_key)
    end
    assert_match /Invalid OIDC private key format/, error.message
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should raise error in production when no key configured" do
    # Skip this test if we can't properly stub Rails.env
    skip "Skipping production env test" unless Rails.env.development? || Rails.env.test?
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Temporarily remove the key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV.delete("OIDC_PRIVATE_KEY")
    # Stub Rails.env to be production
    Rails.env = ActiveSupport::StringInquirer.new("production")
    error = assert_raises RuntimeError do
      OidcJwtService.send(:private_key)
    end
    assert_match /OIDC private key not configured/, error.message
  ensure
    # Restore original environment and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value if original_value
    Rails.env = ActiveSupport::StringInquirer.new(ENV.fetch("RAILS_ENV", "test"))
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should generate RSA private key when missing" do
-    ENV.stub(:fetch, nil) { nil }
+    # In test environment, a key is auto-generated if none exists
-    ENV.stub(:fetch, "OIDC_PRIVATE_KEY", nil) { nil }
+    # This test just verifies the service can generate tokens (which requires a key)
-    Rails.application.credentials.stub(:oidc_private_key, nil) { nil }
+    token = @service.generate_id_token(@user, @application)
-
+    assert_not_nil token, "Should generate token successfully (requires private key)"
    private_key = @service.private_key
    assert_not_nil private_key, "Should generate private key when missing"
    assert private_key.is_a?(OpenSSL::PKey::RSA), "Should generate RSA private key"
    assert_equal 2048, private_key.num_bits, "Should generate 2048-bit key"
  end
  test "should get corresponding public key" do
    public_key = @service.public_key
    assert_not_nil public_key, "Should have public key"
    assert_equal "RSA", public_key.kty, "Should be RSA key"
    assert_equal 256, public_key.n, "Should be 256-bit key"
  end
  test "should decode and verify id token" do
    token = @service.generate_id_token(@user, @application)
-    decoded = @service.decode_id_token(token)
+    decoded_array = @service.decode_id_token(token)
-    assert_not_nil decoded, "Should decode valid token"
+    assert_not_nil decoded_array, "Should decode valid token"
    decoded = decoded_array.first # JWT.decode returns an array
    assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
    assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
    assert decoded['exp'] > Time.current.to_i, "Token should not be expired"
@@ -163,10 +236,11 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
  end
  test "should handle expired tokens" do
-    travel_to 2.hours.from_now do
+    # Generate a token (valid for 1 hour by default)
-      token = @service.generate_id_token(@user, @application, exp: 1.hour.from_now)
+    token = @service.generate_id_token(@user, @application)
      travel_back
    # Travel 2 hours into the future - token should be expired
    travel_to 2.hours.from_now do
      assert_raises(JWT::ExpiredSignature) do
        @service.decode_id_token(token)
      end
@@ -176,35 +250,249 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
  test "should handle access token generation" do
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
-    refute_includes decoded.keys, 'email_verified'
+    # ID tokens always include email_verified
    assert_includes decoded.keys, 'email_verified'
    assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
    assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
  end
  test "should handle JWT errors gracefully" do
    original_algorithm = OpenSSL::PKey::RSA::DEFAULT_PRIVATE_KEY
    OpenSSL::PKey::RSA.stub(:new, -> { raise "Key generation failed" }) do
      OpenSSL::PKey::RSA.new(2048)
    end
    assert_raises(RuntimeError, message: /Key generation failed/) do
      @service.private_key
    end
    OpenSSL::PKey::RSA.stub(:new, original_algorithm) do
      restored_key = @service.private_key
      assert_not_equal original_algorithm, restored_key, "Should restore after error"
    end
  end
  test "should validate JWT configuration" do
    @application.update!(client_id: "test-client")
-    error = assert_raises(StandardError, message: /no key found/) do
+    # This test just verifies the service can generate tokens
-      @service.generate_id_token(@user, @application)
+    # The test environment should have a valid key available
    token = @service.generate_id_token(@user, @application)
    assert_not_nil token, "Should generate token successfully"
  end
-    assert_match /no key found/, error.message, "Should warn about missing private key"
+
  test "should include app-specific custom claims in token" do
    # Use bob and another_app to avoid fixture conflicts
    user = users(:bob)
    app = applications(:another_app)
    # Create app-specific claim
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "app_groups": ["admin"], "library_access": "all" }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    assert_equal ["admin"], decoded["app_groups"]
    assert_equal "all", decoded["library_access"]
  end
  test "app-specific claims should override user and group claims" do
    # Use bob and another_app to avoid fixture conflicts
    user = users(:bob)
    app = applications(:another_app)
    # Add user to group with claims
    group = groups(:admin_group)
    group.update!(custom_claims: { "role": "viewer", "max_items": 10 })
    user.groups << group
    # Add user custom claims
    user.update!(custom_claims: { "role": "editor", "theme": "dark" })
    # Add app-specific claims (should override both)
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "role": "admin", "app_specific": true }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # App-specific claim should win
    assert_equal "admin", decoded["role"]
    # App-specific claim should be present
    assert_equal true, decoded["app_specific"]
    # User claim not overridden should still be present
    assert_equal "dark", decoded["theme"]
    # Group claim not overridden should still be present
    assert_equal 10, decoded["max_items"]
  end
  test "should deep merge array claims from group and user" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"], "permissions" => ["read"] })
    user.groups << group
    # User adds roles: ["admin"]
    user.update!(custom_claims: { "roles" => ["admin"], "permissions" => ["write"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Roles should be combined (not overwritten)
    assert_equal 2, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "admin"
    # Permissions should also be combined
    assert_equal 2, decoded["permissions"].length
    assert_includes decoded["permissions"], "read"
    assert_includes decoded["permissions"], "write"
  end
  test "should deep merge array claims from multiple groups" do
    user = users(:bob)
    app = applications(:another_app)
    # First group has roles: ["user"]
    group1 = groups(:admin_group)
    group1.update!(custom_claims: { "roles" => ["user"] })
    user.groups << group1
    # Second group has roles: ["moderator"]
    group2 = Group.create!(name: "moderators", description: "Moderators group")
    group2.update!(custom_claims: { "roles" => ["moderator"] })
    user.groups << group2
    # User adds roles: ["admin"]
    user.update!(custom_claims: { "roles" => ["admin"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # All roles should be combined
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "moderator"
    assert_includes decoded["roles"], "admin"
  end
  test "should remove duplicate values when merging arrays" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user", "reader"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user", "reader"] })
    user.groups << group
    # User also has "user" role (duplicate)
    user.update!(custom_claims: { "roles" => ["user", "admin"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # "user" should only appear once
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "reader"
    assert_includes decoded["roles"], "admin"
  end
  test "should override non-array values while merging arrays" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles array and max_items scalar
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"], "max_items" => 10, "theme" => "light" })
    user.groups << group
    # User overrides max_items and theme, adds to roles
    user.update!(custom_claims: { "roles" => ["admin"], "max_items" => 100, "theme" => "dark" })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Arrays should be combined
    assert_equal 2, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "admin"
    # Scalar values should be overridden (user wins)
    assert_equal 100, decoded["max_items"]
    assert_equal "dark", decoded["theme"]
  end
  test "should deep merge nested hashes in claims" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has nested config
    group = groups(:admin_group)
    group.update!(custom_claims: {
      "config" => {
        "theme" => "light",
        "notifications" => { "email" => true }
      }
    })
    user.groups << group
    # User adds to nested config
    user.update!(custom_claims: {
      "config" => {
        "language" => "en",
        "notifications" => { "sms" => true }
      }
    })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Nested hashes should be deep merged
    assert_equal "light", decoded["config"]["theme"]
    assert_equal "en", decoded["config"]["language"]
    assert_equal true, decoded["config"]["notifications"]["email"]
    assert_equal true, decoded["config"]["notifications"]["sms"]
  end
  test "app-specific claims should combine arrays with group and user claims" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"] })
    user.groups << group
    # User has roles: ["moderator"]
    user.update!(custom_claims: { "roles" => ["moderator"] })
    # App-specific has roles: ["app_admin"]
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "roles" => ["app_admin"] }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # All three sources should be combined
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "moderator"
    assert_includes decoded["roles"], "app_admin"
  end
  test "should include at_hash when access token is provided" do
    access_token = "test-access-token-abc123xyz"
    token = @service.generate_id_token(@user, @application, access_token: access_token)
    decoded = JWT.decode(token, nil, false).first
    assert_includes decoded.keys, "at_hash", "Should include at_hash claim"
    # Verify at_hash is correctly computed: base64url(sha256(access_token)[0:16])
    expected_hash = Base64.urlsafe_encode64(Digest::SHA256.digest(access_token)[0..15], padding: false)
    assert_equal expected_hash, decoded["at_hash"], "at_hash should match SHA-256 hash of access token"
  end
  test "should not include at_hash when access token is not provided" do
    token = @service.generate_id_token(@user, @application)
    decoded = JWT.decode(token, nil, false).first
    refute_includes decoded.keys, "at_hash", "Should not include at_hash when no access token"
  end
 end
--- a/test/system/forward_auth_system_test.rb
+++ b/test/system/forward_auth_system_test.rb
@@ -12,8 +12,8 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
  # End-to-End Authentication Flow Tests
  test "complete forward auth flow with default headers" do
-    # Create a rule with default headers
+    # Create an application with default headers
-    rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
+    rule = Application.create!(name: "App", slug: "app-system-test", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
    # Step 1: Unauthenticated request to protected resource
    get "/api/verify", headers: {
@@ -39,20 +39,22 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
-    assert_equal @user.email_address, response.headers["X-Remote-Email"]
+    assert_equal @user.email_address, response.headers["x-remote-email"]
-    assert_equal "false", response.headers["X-Remote-Admin"] unless @user.admin?
+    assert_equal "false", response.headers["x-remote-admin"] unless @user.admin?
  end
  test "multiple domain access with single session" do
-    # Create rules for different applications
+    # Create applications for different domains
-    app_rule = ForwardAuthRule.create!(domain_pattern: "app.example.com", active: true)
+    app_rule = Application.create!(name: "App Domain", slug: "app-domain", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
-    grafana_rule = ForwardAuthRule.create!(
+    grafana_rule = Application.create!(
      name: "Grafana", slug: "grafana-system-test", app_type: "forward_auth",
      domain_pattern: "grafana.example.com",
      active: true,
      headers_config: { user: "X-WEBAUTH-USER", email: "X-WEBAUTH-EMAIL" }
    )
-    metube_rule = ForwardAuthRule.create!(
+    metube_rule = Application.create!(
      name: "Metube", slug: "metube-system-test", app_type: "forward_auth",
      domain_pattern: "metube.example.com",
      active: true,
      headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
@@ -67,24 +69,25 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    # App with default headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "app.example.com" }
    assert_response 200
-    assert_equal "X-Remote-User", response.headers.keys.find { |k| k.include?("User") }
+    assert response.headers.key?("x-remote-user")
    # Grafana with custom headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "grafana.example.com" }
    assert_response 200
-    assert_equal "X-WEBAUTH-USER", response.headers.keys.find { |k| k.include?("USER") }
+    assert response.headers.key?("x-webauth-user")
    # Metube with no headers
    get "/api/verify", headers: { "X-Forwarded-Host" => "metube.example.com" }
    assert_response 200
-    auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
+    auth_headers = response.headers.select { |k, v| k.match?(/^x-remote-|^x-webauth-|^x-admin-/i) }
    assert_empty auth_headers
  end
  # Group-Based Access Control System Tests
  test "group-based access control with multiple groups" do
-    # Create restricted rule
+    # Create restricted application
-    restricted_rule = ForwardAuthRule.create!(
+    restricted_rule = Application.create!(
      name: "Admin", slug: "admin-system-test", app_type: "forward_auth",
      domain_pattern: "admin.example.com",
      active: true
    )
@@ -101,7 +104,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    # Should have access (in allowed group)
    get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
    assert_response 200
-    assert_equal @group.name, response.headers["X-Remote-Groups"]
+    assert_equal @group.name, response.headers["x-remote-groups"]
    # Add user to second group
    @user.groups << @group2
@@ -109,7 +112,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    # Should show multiple groups
    get "/api/verify", headers: { "X-Forwarded-Host" => "admin.example.com" }
    assert_response 200
-    groups_header = response.headers["X-Remote-Groups"]
+    groups_header = response.headers["x-remote-groups"]
    assert_includes groups_header, @group.name
    assert_includes groups_header, @group2.name
@@ -122,8 +125,9 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
  end
  test "bypass mode when no groups assigned to rule" do
-    # Create bypass rule (no groups)
+    # Create bypass application (no groups)
-    bypass_rule = ForwardAuthRule.create!(
+    bypass_rule = Application.create!(
      name: "Public", slug: "public-system-test", app_type: "forward_auth",
      domain_pattern: "public.example.com",
      active: true
    )
@@ -138,7 +142,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    # Should have access (bypass mode)
    get "/api/verify", headers: { "X-Forwarded-Host" => "public.example.com" }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
  end
  # Security System Tests
@@ -158,7 +162,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      "Cookie" => "_clinch_session_id=#{user_a_session}"
    }
    assert_response 200
-    assert_equal @user.email_address, response.headers["X-Remote-User"]
+    assert_equal @user.email_address, response.headers["x-remote-user"]
    # User B should be able to access resources
    get "/api/verify", headers: {
@@ -166,7 +170,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      "Cookie" => "_clinch_session_id=#{user_b_session}"
    }
    assert_response 200
-    assert_equal @admin_user.email_address, response.headers["X-Remote-User"]
+    assert_equal @admin_user.email_address, response.headers["x-remote-user"]
    # Sessions should be independent
    assert_not_equal user_a_session, user_b_session
@@ -183,12 +187,12 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
    # Manually expire session
    session = Session.find(session_id)
-    session.update!(created_at: 1.year.ago)
+    session.update!(expires_at: 1.hour.ago)
    # Should redirect to login
    get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
    assert_response 302
-    assert_equal "Session expired", response.headers["X-Auth-Reason"]
+    assert_equal "Session expired", response.headers["x-auth-reason"]
    # Session should be cleaned up
    assert_nil Session.find_by(id: session_id)
@@ -218,7 +222,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
        results << {
          thread_id: i,
          status: response.status,
-          user: response.headers["X-Remote-User"],
+          user: response.headers["x-remote-user"],
          duration: end_time - start_time
        }
      end
@@ -255,9 +259,10 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      }
    ]
-    # Create rules for each app
+    # Create applications for each app
-    rules = apps.map do |app|
+    rules = apps.map.with_index do |app, idx|
-      rule = ForwardAuthRule.create!(
+      rule = Application.create!(
        name: "Multi App #{idx}", slug: "multi-app-#{idx}", app_type: "forward_auth",
        domain_pattern: app[:domain],
        active: true,
        headers_config: app[:headers_config]
@@ -300,8 +305,9 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      { pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"] }
    ]
-    patterns.each do |pattern_config|
+    patterns.each_with_index do |pattern_config, idx|
-      rule = ForwardAuthRule.create!(
+      rule = Application.create!(
        name: "Pattern Test #{idx}", slug: "pattern-test-#{idx}", app_type: "forward_auth",
        domain_pattern: pattern_config[:pattern],
        active: true
      )
@@ -313,7 +319,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      pattern_config[:domains].each do |domain|
        get "/api/verify", headers: { "X-Forwarded-Host" => domain }
        assert_response 200, "Failed for pattern #{pattern_config[:pattern]} with domain #{domain}"
-        assert_equal @user.email_address, response.headers["X-Remote-User"]
+        assert_equal @user.email_address, response.headers["x-remote-user"]
      end
      # Clean up for next test
@@ -323,8 +329,8 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
  # Performance System Tests
  test "system performance under load" do
-    # Create test rule
+    # Create test application
-    rule = ForwardAuthRule.create!(domain_pattern: "loadtest.example.com", active: true)
+    rule = Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "loadtest.example.com", active: true)
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
@@ -385,7 +391,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
      # Should return 302 (redirect to login) rather than 500 error
      assert_response 302, "Should gracefully handle database issues"
-      assert_equal "Invalid session", response.headers["X-Auth-Reason"]
+      assert_equal "Invalid session", response.headers["x-auth-reason"]
    ensure
      # Restore original method
      Session.define_singleton_method(:find_by, original_method)
--- a/test/system/webauthn_security_test.rb
+++ b/test/system/webauthn_security_test.rb
@@ -0,0 +1,344 @@
 require "test_helper"
 require "webauthn/fake_client"
 class WebauthnSecurityTest < ActionDispatch::SystemTestCase
  # ====================
  # REPLAY ATTACK PREVENTION (SIGN COUNT TRACKING) TESTS
  # ====================
  test "detects suspicious sign count for replay attacks" do
    user = User.create!(email_address: "webauthn_replay_test@example.com", password: "password123")
    # Create a WebAuthn credential
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key"
    )
    # Simulate a suspicious sign count (decreased or reused)
    credential.update!(sign_count: 100)
    # Try to authenticate with a lower sign count (potential replay)
    suspicious = credential.suspicious_sign_count?(99)
    assert suspicious, "Should detect suspicious sign count indicating potential replay attack"
    user.destroy
  end
  test "sign count is incremented after successful authentication" do
    user = User.create!(email_address: "webauthn_signcount_test@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 50,
      nickname: "Test Key"
    )
    # Simulate authentication with new sign count
    credential.update_usage!(
      sign_count: 51,
      ip_address: "192.168.1.1",
      user_agent: "Mozilla/5.0"
    )
    credential.reload
    assert_equal 51, credential.sign_count, "Sign count should be incremented"
    user.destroy
  end
  # ====================
  # USER HANDLE BINDING TESTS
  # ====================
  test "user handle is properly bound to WebAuthn credential" do
    user = User.create!(email_address: "webauthn_handle_test@example.com", password: "password123")
    # Create a WebAuthn credential with user handle
    user_handle = SecureRandom.uuid
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key",
      user_handle: user_handle
    )
    # Verify user handle is associated with the credential
    assert_equal user_handle, credential.user_handle
    user.destroy
  end
  test "WebAuthn authentication validates user handle" do
    user = User.create!(email_address: "webauthn_handle_auth_test@example.com", password: "password123")
    user_handle = SecureRandom.uuid
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key",
      user_handle: user_handle
    )
    # Sign in with WebAuthn
    # The implementation should verify the user handle matches
    # This test documents the expected behavior
    user.destroy
  end
  # ====================
  # ORIGIN VALIDATION TESTS
  # ====================
  test "WebAuthn request validates origin" do
    user = User.create!(email_address: "webauthn_origin_test@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key"
    )
    # Test WebAuthn challenge from valid origin
    post webauthn_challenge_path, params: { email: "webauthn_origin_test@example.com" },
      headers: { "HTTP_ORIGIN": "http://localhost:3000" }
    # Should succeed for valid origin
    # Test WebAuthn challenge from invalid origin
    post webauthn_challenge_path, params: { email: "webauthn_origin_test@example.com" },
      headers: { "HTTP_ORIGIN": "http://evil.com" }
    # Should reject invalid origin
    user.destroy
  end
  test "WebAuthn verification includes origin validation" do
    user = User.create!(email_address: "webauthn_verify_origin_test@example.com", password: "password123")
    user.update!(webauthn_id: SecureRandom.uuid)
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key"
    )
    # Sign in with WebAuthn
    post webauthn_challenge_path, params: { email: "webauthn_verify_origin_test@example.com" }
    assert_response :success
    challenge = JSON.parse(@response.body)["challenge"]
    # Simulate WebAuthn verification with wrong origin
    # This should fail
    user.destroy
  end
  # ====================
  # ATTESTATION FORMAT VALIDATION TESTS
  # ====================
  test "WebAuthn accepts standard attestation formats" do
    user = User.create!(email_address: "webauthn_attestation_test@example.com", password: "password123")
    # Register WebAuthn credential
    # Standard attestation formats: none, packed, tpm, android-key, android-safetynet, fido-u2f, etc.
    # Test with 'none' attestation (most common for privacy)
    attestation_object = {
      fmt: "none",
      attStmt: {},
      authData: Base64.strict_encode64("fake_auth_data")
    }
    # The implementation should accept standard attestation formats
    user.destroy
  end
  test "WebAuthn rejects invalid attestation formats" do
    user = User.create!(email_address: "webauthn_invalid_attestation_test@example.com", password: "password123")
    # Try to register with invalid attestation format
    invalid_attestation = {
      fmt: "invalid_format",
      attStmt: {},
      authData: Base64.strict_encode64("fake_auth_data")
    }
    # Should reject invalid attestation format
    user.destroy
  end
  # ====================
  # CREDENTIAL CLONING DETECTION TESTS
  # ====================
  test "detects credential cloning through sign count anomalies" do
    user = User.create!(email_address: "webauthn_clone_test@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 100,
      nickname: "Test Key"
    )
    # Simulate authentication from a cloned credential (sign count doesn't increase properly)
    # First auth: sign count = 101
    credential.update_usage!(sign_count: 101, ip_address: "192.168.1.1", user_agent: "Browser A")
    # Second auth from different location but sign count = 101 again (cloned!)
    suspicious = credential.suspicious_sign_count?(101)
    assert suspicious, "Should detect potential credential cloning"
    # Verify logging for security monitoring
    # The application should log suspicious sign count anomalies
    user.destroy
  end
  test "tracks IP address and user agent for WebAuthn authentications" do
    user = User.create!(email_address: "webauthn_tracking_test@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key"
    )
    # Update usage with tracking information
    credential.update_usage!(
      sign_count: 1,
      ip_address: "192.168.1.100",
      user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    )
    credential.reload
    assert_equal "192.168.1.100", credential.last_ip_address
    assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.last_user_agent
    user.destroy
  end
  # ====================
  # CREDENTIAL EXCLUSION TESTS
  # ====================
  test "prevents duplicate credential registration" do
    user = User.create!(email_address: "webauthn_duplicate_test@example.com", password: "password123")
    credential_id = Base64.urlsafe_encode64("unique_credential_id")
    # Register first credential
    user.webauthn_credentials.create!(
      external_id: credential_id,
      public_key: Base64.urlsafe_encode64("public_key_1"),
      sign_count: 0,
      nickname: "Key 1"
    )
    # Try to register same credential ID again
    # Should reject or update existing credential
    user.destroy
  end
  # ====================
  # USER PRESENCE TESTS
  # ====================
  test "WebAuthn requires user presence for authentication" do
    user = User.create!(email_address: "webauthn_presence_test@example.com", password: "password123")
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("fake_credential_id"),
      public_key: Base64.urlsafe_encode64("fake_public_key"),
      sign_count: 0,
      nickname: "Test Key"
    )
    # WebAuthn authenticator response should include user presence flag (UP)
    # The implementation should verify this flag is set to true
    user.destroy
  end
  # ====================
  # CREDENTIAL MANAGEMENT TESTS
  # ====================
  test "users can view and revoke their WebAuthn credentials" do
    user = User.create!(email_address: "webauthn_mgmt_test@example.com", password: "password123")
    # Create multiple credentials
    credential1 = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("credential_1"),
      public_key: Base64.urlsafe_encode64("public_key_1"),
      sign_count: 0,
      nickname: "USB Key"
    )
    credential2 = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("credential_2"),
      public_key: Base64.urlsafe_encode64("public_key_2"),
      sign_count: 0,
      nickname: "Laptop Key"
    )
    # User should be able to view their credentials
    assert_equal 2, user.webauthn_credentials.count
    # User should be able to revoke a credential
    credential1.destroy
    assert_equal 1, user.webauthn_credentials.count
    user.destroy
  end
  # ====================
  # WEBAUTHN AND PASSWORD LOGIN INTERACTION TESTS
  # ====================
  test "WebAuthn can be required for authentication" do
    user = User.create!(email_address: "webauthn_required_test@example.com", password: "password123")
    user.update!(webauthn_enabled: true)
    # Sign in with password should still work
    post signin_path, params: { email_address: "webauthn_required_test@example.com", password: "password123" }
    # If WebAuthn is enabled, should offer WebAuthn as an option
    # Implementation should handle password + WebAuthn or passwordless flow
    user.destroy
  end
  test "WebAuthn can be used for passwordless authentication" do
    user = User.create!(email_address: "webauthn_passwordless_test@example.com", password: "password123")
    user.update!(webauthn_enabled: true)
    credential = user.webauthn_credentials.create!(
      external_id: Base64.urlsafe_encode64("passwordless_credential"),
      public_key: Base64.urlsafe_encode64("public_key"),
      sign_count: 0,
      nickname: "Passwordless Key"
    )
    # User should be able to sign in with WebAuthn alone
    # Test passwordless flow
    user.destroy
  end
 end
Author	SHA1	Message	Date
Dan Milne	364e6e21dd	Fixes for tests and AR Encryption Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 16:08:05 +11:00
Dan Milne	9d352ab8ec	Fix tests - add missing files	2025-12-31 16:01:31 +11:00
Dan Milne	d1d4ac745f	Version bump	2025-12-31 15:48:52 +11:00
Dan Milne	3db466f5a2	Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data. Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 15:48:32 +11:00
Dan Milne	7c6ae7ab7e	Store only HMAC'd Auth codes, rather than plain text auth codes.	2025-12-31 15:00:00 +11:00
Dan Milne	ed7ceedef5	Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids. Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 14:45:38 +11:00
Dan Milne	40815d3576	Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens	2025-12-31 14:32:34 +11:00
Dan Milne	a17c08c890	Improve the README	2025-12-31 14:31:53 +11:00
Dan Milne	4f31fadc6c	Improve the README and remove incorrect claims. Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 12:17:15 +11:00
Dan Milne	29c0981a59	Improve readme and tests Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 11:56:09 +11:00
Dan Milne	9d402fcd92	Clean up and secure web_authn controller Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 11:44:11 +11:00
Dan Milne	9530c8284f	Version bump Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-31 10:35:27 +11:00
Dan Milne	bb5aa2e6d6	Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation	2025-12-31 10:33:56 +11:00
Dan Milne	cc7beba9de	PKCE is now default enabled. You can now create public / no-secret apps OIDC apps	2025-12-31 09:22:18 +11:00
Dan Milne	00eca6d8b2	Default deny forward_auth requests	2025-12-30 16:04:01 +11:00
Dan Milne	32235f9647	version bump Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-30 11:58:31 +11:00
Dan Milne	71d59e7367	Remove plain text token from everywhere Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-30 11:58:11 +11:00
Dan Milne	99c3ac905f	Add a token prefix column, generate the token_prefix and the token_digest, removing the plaintext token from use.	2025-12-30 09:45:16 +11:00
Dan Milne	0761c424c1	Fix tests. Remove tests which test rails functionality Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-30 00:18:19 +11:00
Dan Milne	2a32d75895	Fix tests - don't test standard rails features	2025-12-29 19:45:01 +11:00
Dan Milne	4c1df53fd5	Fix more tests Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-29 19:22:08 +11:00
Dan Milne	acab15ce30	Fix more tests	2025-12-29 18:48:41 +11:00
Dan Milne	0361bfe470	Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-29 15:37:12 +11:00
Dan Milne	5b9d15584a	Add more rate limiting, and more restrictive headers	2025-12-29 13:29:14 +11:00
Dan Milne	898fd69a5d	Add permissions initializer and missing image paste controller Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-29 13:27:30 +11:00
Dan Milne	9cf01f7c7a	Bump versoin	2025-12-28 14:43:26 +11:00
Dan Milne	ab362aabac	Remove the rate limit for the forward auth system Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-12-28 14:40:53 +11:00
Dan Milne	283feea175	Update depenencies, bump versoin	2025-11-30 23:13:25 +11:00
Dan Milne	7af8624bf8	Handle empty backchannel logout urls Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-11-27 19:19:34 +11:00
Dan Milne	f8543f98cc	Add a subdirectory for active storage Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-11-27 19:12:09 +11:00
Dan Milne	6be23c2c37	Add backchannel logout, per application logout. Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-11-27 16:38:27 +11:00
Dan Milne	eb2d7379bf	Backchannel complete - improve oidc credential display	2025-11-27 11:52:25 +11:00
Dan Milne	67d86e5835	Add Icons for apps	2025-11-25 19:11:22 +11:00
Dan Milne	d6029556d3	Add OIDC fixes, add prefered_username, add application-user claims	2025-11-25 16:29:40 +11:00
Dan Milne	7796c38c08	Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-11-23 11:16:06 +11:00