Commit Graph

  • c85d25c4b9 Untrack SECURITY_REVIEW_TODO.md and gitignore it main Dan Milne 2026-06-28 23:09:17 +10:00
  • 1b0d323572 Bump version to 0.16.3 Dan Milne 2026-06-21 18:29:39 +10:00
  • d1d626c540 Rework build workflow to trigger on version bump + manual dispatch Dan Milne 2026-06-21 18:08:04 +10:00
  • 782e197d91 Fix access check form: use GET so results render v0.16.2 Dan Milne 2026-06-21 15:42:57 +10:00
  • 020759bfb3 Fix invalid require-trusted-types-for CSP directive Dan Milne 2026-06-21 15:39:35 +10:00
  • 85f50bfc96 Add GitHub Actions workflow to build and publish image to GHCR Dan Milne 2026-06-21 14:02:29 +10:00
  • b55139eb1c Fix Sentry config to use Sentry.init API Dan Milne 2026-06-21 13:57:26 +10:00
  • 8f578ed3f4 Upgrade Ruby to 4.0.5 Dan Milne 2026-06-21 13:51:28 +10:00
  • aa5736ddab Update gems and fix lint to clear CI failures Dan Milne 2026-06-21 13:51:23 +10:00
  • 49068aa344 Add tests Dan Milne 2026-06-15 08:22:19 +10:00
  • 07ea031b61 Remove hardcoded internal IP from production hosts allowlist Dan Milne 2026-06-11 23:55:02 +10:00
  • 209c5496d8 Fix asset precompile boot and bump version to 0.16.0 Dan Milne 2026-06-11 23:53:09 +10:00
  • d49e7ce4f5 Move CSP to nonces; remove unsafe-inline from script-src and style-src Dan Milne 2026-06-11 20:42:28 +10:00
  • 44892e3301 Make WebAuthn clone detection actually block, and fix false positives Dan Milne 2026-06-11 20:28:38 +10:00
  • 24266872f9 Revoke access tokens too on refresh-token reuse detection Dan Milne 2026-06-11 20:23:17 +10:00
  • cd862c7cd7 Filter code params from logs (TOTP, backup, OAuth code, PKCE) Dan Milne 2026-06-11 20:21:41 +10:00
  • 89bd5f1432 Enforce account-active status across the auth lifecycle Dan Milne 2026-06-11 19:53:50 +10:00
  • 57d7d1f691 Anchor host-authorization regex to prevent look-alike domain bypass Dan Milne 2026-06-11 19:47:35 +10:00
  • 406a79d9eb Block SSRF via backchannel_logout_uri Dan Milne 2026-06-11 08:14:45 +10:00
  • f38ac2ecc8 Prevent TOTP code replay within the drift window Dan Milne 2026-06-11 08:10:34 +10:00
  • 84ed462f40 Require CLINCH_HOST in deployed environments; drop request-host fallback Dan Milne 2026-06-11 08:04:42 +10:00
  • 96a657e349 Validate X-Forwarded-Host before using it as a post-login redirect target Dan Milne 2026-06-11 08:00:12 +10:00
  • 8a095e4939 Enforce group access on Bearer API key forward-auth at use-time Dan Milne 2026-06-11 07:54:48 +10:00
  • 703d24e4e4 Fix ForwardAuth fail-open and consent CSRF bypass Dan Milne 2026-06-11 07:52:56 +10:00
  • 2843790cef Apps index access column + summary + admin access checker Dan Milne 2026-06-07 18:38:56 +10:00
  • 0e9ec71013 Link the user show page from the admin users index Dan Milne 2026-06-07 18:26:55 +10:00
  • fe68f6e81e Use Tailwind dark: toggles for dark-mode icons Dan Milne 2026-06-07 17:19:36 +10:00
  • c5ab7dc2a5 Compact icon uploader shared between light and dark icon fields Dan Milne 2026-06-07 17:13:52 +10:00
  • bfad9c4e9d Generated monogram fallback + optional dark-mode icon per application Dan Milne 2026-06-07 17:02:53 +10:00
  • 5b41db2c6a Fix FileNotFoundError when uploading an SVG icon Dan Milne 2026-06-07 16:43:24 +10:00
  • 03dfdbd83a Default-deny access control with group flags and access enumeration Dan Milne 2026-06-07 15:53:27 +10:00
  • 6b58b685c4 Bump version to 0.12.0 Dan Milne 2026-05-28 21:18:35 +10:00
  • a399907dfd Allow assigning applications to a group from the group form Dan Milne 2026-05-28 21:17:43 +10:00
  • bbfb564e1c Show Clinch, Rails and Ruby versions in sidebar footer; bump to 0.11.0 Dan Milne 2026-05-26 23:39:11 +10:00
  • 9663110938 Bump version to 0.10.2 Dan Milne 2026-05-26 18:32:25 +10:00
  • 0bca1d2bac Allow OAuth redirect_uri host in form-action CSP on sign-in pages Dan Milne 2026-05-23 11:03:32 +10:00
  • bdb10d86fb Show OIDC env vars on application show page under a toggle Dan Milne 2026-05-15 21:19:14 +10:00
  • 37e6e2cc19 Show copy-pasteable OIDC env vars after creating an app Dan Milne 2026-05-15 08:30:30 +10:00
  • 9648b64043 Bump version to 0.10.1 Dan Milne 2026-05-03 00:09:27 +10:00
  • a5eba9a5cd Update transitive gems Dan Milne 2026-05-03 00:09:20 +10:00
  • afa90303c8 Bump Rails from 8.1.2 to 8.1.3 Dan Milne 2026-05-03 00:06:22 +10:00
  • df5dbfc46c Bump Ruby from 4.0.1 to 4.0.3 Dan Milne 2026-05-03 00:06:22 +10:00
  • 2768104c1e Bump version to 0.10.0 Dan Milne 2026-05-03 00:02:40 +10:00
  • 2e427a0520 Add SvgScrubber to strip XSS payloads from uploaded app icons Dan Milne 2026-05-02 23:57:22 +10:00
  • 556656d090 Drop Remember-me cookie's Expires when the box is unchecked Dan Milne 2026-05-02 23:54:09 +10:00
  • cc93f72f0a Notify users out-of-band when security settings change Dan Milne 2026-05-02 23:52:12 +10:00
  • 09e9b32e46 Run SolidQueue supervisor inside Puma in production Dan Milne 2026-05-02 23:51:37 +10:00
  • 7d352654fd Fix broken password reset email templates Dan Milne 2026-05-02 23:40:43 +10:00
  • e39721c7e6 Fix broken invitation email text template Dan Milne 2026-05-02 23:39:29 +10:00
  • 5178cf3d81 Drop redundant MemoryStore internals peek from fa_token creation test Dan Milne 2026-04-20 20:28:28 +10:00
  • 2d5650e620 Bind forward-auth fa_token to its destination host Dan Milne 2026-04-20 19:04:53 +10:00
  • 7f0d3d3900 Tighten TOTP enrollment comments to explain the threat, not the change Dan Milne 2026-04-20 18:58:39 +10:00
  • b876e02c3a Hold TOTP enrollment secret server-side and email user on activation Dan Milne 2026-04-20 18:17:50 +10:00
  • 93d8381214 Nullify token to auth-code FK on delete so cleanup job can purge codes Dan Milne 2026-04-20 18:12:03 +10:00
  • 2068675173 Collapse auth-code replay revocation to two update_all queries Dan Milne 2026-04-20 18:11:54 +10:00
  • b7fa49953c Revoke full token chain on OIDC authorization-code replay Dan Milne 2026-04-20 17:39:08 +10:00
  • b7dd3c02e7 Extract client_id and redirect_uri validation into before_actions Dan Milne 2026-04-20 17:29:36 +10:00
  • 17a464fd15 Fix OIDC claims validation against undefined scopes variable Dan Milne 2026-04-20 17:26:46 +10:00
  • 9197524c88 Add remember me checkbox, center and narrow sign-in form Dan Milne 2026-04-11 11:22:51 +10:00
  • 2235924f37 Harden OIDC, add SVG sanitization, improve form UX and security defaults Dan Milne 2026-04-06 21:06:51 +10:00
  • c7d9df48b5 Remove auto-trigger of passkey authentication on page load Dan Milne 2026-03-22 00:38:48 +11:00
  • 3d98261a51 Add dark mode with toggle and localStorage persistence Dan Milne 2026-03-22 00:37:58 +11:00
  • 43958f50ce Add @tailwindcss/forms plugin and improve application form UX Dan Milne 2026-03-22 00:36:37 +11:00
  • d8d8000b92 Add tests for forward auth cache gaps: invalidation, rate limiting, and debounce Dan Milne 2026-03-21 23:59:18 +11:00
  • 6844c5fab3 Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps Dan Milne 2026-03-21 23:54:19 +11:00
  • 5505f99287 Add rate limiting and in-memory caching for forward auth endpoint Dan Milne 2026-03-07 11:15:54 +11:00
  • 1b691ad341 Bump Rails from 8.1.1 to 8.1.2 Dan Milne 2026-03-07 11:11:13 +11:00
  • f65df76d99 Show user-friendly error when passkey authentication fails Dan Milne 2026-03-05 23:11:43 +11:00
  • c5898bd9a4 Add passkey option on TOTP page and auto-trigger passkey for TOTP users Dan Milne 2026-03-05 23:09:01 +11:00
  • 9dbde8ea31 Fix README: don't claim OIDC certification, just conformance Dan Milne 2026-03-05 22:39:10 +11:00
  • 191a7b5fb3 Update README: add API keys docs, VoidAuth, highlight conformance Dan Milne 2026-03-05 22:36:12 +11:00
  • 7a9348c1f1 Add voidauth to the list of alternatives Dan Milne 2026-03-05 22:30:08 +11:00
  • 225d8ae5ca Update the README Dan Milne 2026-03-05 22:27:24 +11:00
  • 65c19fa732 Upgrade to Ruby 4.0.1, bump version to 0.9.0 v0.9.0 Dan Milne 2026-03-05 21:52:11 +11:00
  • fd8785a43d Add API keys / bearer tokens for forward auth v0.8.8 Dan Milne 2026-03-05 21:45:40 +11:00
  • 444ae6291c Add missing files, fix formatting Dan Milne 2026-01-05 23:34:11 +11:00
  • 233fb723d5 More accurate language around passing the OpenID Conformance tests Dan Milne 2026-01-05 23:32:34 +11:00
  • cc6d4fcc65 Add test files, update checklist Dan Milne 2026-01-05 23:28:55 +11:00
  • 5268f10eb3 Don't allow claim escalation Dan Milne 2026-01-05 16:40:11 +11:00
  • 5c5662eaab Expose 'username' via forward auth headers Dan Milne 2026-01-05 15:12:24 +11:00
  • 27d77ebf47 Expose 'username' via forward auth headers Dan Milne 2026-01-05 15:12:02 +11:00
  • ba08158c85 Bug fix for background jobs Dan Milne 2026-01-05 14:43:06 +11:00
  • a6480b0860 Version Bump Dan Milne 2026-01-05 13:08:22 +11:00
  • 75cc223329 303 is the correct response Dan Milne 2026-01-05 13:05:24 +11:00
  • 46ae65f4d2 Move the 'remove_query_param' to the application controller Dan Milne 2026-01-05 13:03:03 +11:00
  • 95d0d844e9 Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login after being forced to log out. Add missing migrations Dan Milne 2026-01-05 13:01:32 +11:00
  • 524a7719c3 Merge branch 'main' into feature/claims Dan Milne 2026-01-05 12:11:53 +11:00
  • 8110d547dd Fix bug with session deletion when logout forced and we have a redirect to follow Dan Milne 2026-01-05 12:11:52 +11:00
  • 25e1043312 Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example. Dan Milne 2026-01-05 12:03:01 +11:00
  • 074a734c0c Accidentally added skip-consent to this branch Dan Milne 2026-01-05 12:01:04 +11:00
  • 4a48012a82 Add claims support Dan Milne 2026-01-05 12:00:29 +11:00
  • e631f606e7 Better error messages 0.8.6 Dan Milne 2026-01-03 12:29:27 +11:00
  • f4a697ae9b More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers Dan Milne 2026-01-03 12:28:43 +11:00
  • 16e34ffaf0 Updates for oidc conformance Dan Milne 2026-01-03 10:11:10 +11:00
  • 0bb84f08d6 OpenID conformance test: we get a warning for not having a value for every claim. But we can explicitly list supported claims. Nothing we can do about a warning in the compliance. 2026.01 Dan Milne 2026-01-02 16:35:12 +11:00
  • 182682024d OpenID Conformance: Include all required scopes when profile is requested, even if they're empty Dan Milne 2026-01-02 15:47:40 +11:00
  • b517ebe809 OpenID conformance test: Allow posting the access token in the body for userinfo endpoint Dan Milne 2026-01-02 15:41:07 +11:00
  • dd8bd15a76 CSRF issue with API endpoint Dan Milne 2026-01-02 15:29:34 +11:00
  • f67a73821c OpenID Conformance: user info endpoint should support get and post requests, not just get Dan Milne 2026-01-02 15:26:39 +11:00
  • b09ddf6db5 OpenID Conformance: We need to return to the redirect_uri in the case of errors. Dan Milne 2026-01-02 15:12:55 +11:00