Commit Graph

  • 444ae6291c Add missing files, fix formatting main Dan Milne 2026-01-05 23:34:11 +11:00
  • 233fb723d5 More accurate language around passing the OpenID Conformance tests Dan Milne 2026-01-05 23:32:34 +11:00
  • cc6d4fcc65 Add test files, update checklist Dan Milne 2026-01-05 23:28:55 +11:00
  • 5268f10eb3 Don't allow claim escalation Dan Milne 2026-01-05 16:40:11 +11:00
  • 5c5662eaab Expose 'username' via forward auth headers Dan Milne 2026-01-05 15:12:24 +11:00
  • 27d77ebf47 Expose 'username' via forward auth headers Dan Milne 2026-01-05 15:12:02 +11:00
  • ba08158c85 Bug fix for background jobs Dan Milne 2026-01-05 14:43:06 +11:00
  • a6480b0860 Version Bump Dan Milne 2026-01-05 13:08:22 +11:00
  • 75cc223329 303 is the correct response Dan Milne 2026-01-05 13:05:24 +11:00
  • 46ae65f4d2 Move the 'remove_query_param' to the application controller Dan Milne 2026-01-05 13:03:03 +11:00
  • 95d0d844e9 Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login after being forced to log out. Add missing migrations Dan Milne 2026-01-05 13:01:32 +11:00
  • 524a7719c3 Merge branch 'main' into feature/claims Dan Milne 2026-01-05 12:11:53 +11:00
  • 8110d547dd Fix bug with session deletion when logout forced and we have a redirect to follow Dan Milne 2026-01-05 12:11:52 +11:00
  • 25e1043312 Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10 days for example. Dan Milne 2026-01-05 12:03:01 +11:00
  • 074a734c0c Accidentally added skip-consent to this branch Dan Milne 2026-01-05 12:01:04 +11:00
  • 4a48012a82 Add claims support Dan Milne 2026-01-05 12:00:29 +11:00
  • e631f606e7 Better error messages 0.8.6 Dan Milne 2026-01-03 12:29:27 +11:00
  • f4a697ae9b More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers Dan Milne 2026-01-03 12:28:43 +11:00
  • 16e34ffaf0 Updates for oidc conformance Dan Milne 2026-01-03 10:11:10 +11:00
  • 0bb84f08d6 OpenID conformance test: we get a warning for not having a value for every claim. But we can explicitly list supported claims. Nothing we can do about a warning in the compliance. 2026.01 Dan Milne 2026-01-02 16:35:12 +11:00
  • 182682024d OpenID Conformance: Include all required scopes when profile is requested, even if they're empty Dan Milne 2026-01-02 15:47:40 +11:00
  • b517ebe809 OpenID conformance test: Allow posting the access token in the body for userinfo endpoint Dan Milne 2026-01-02 15:41:07 +11:00
  • dd8bd15a76 CSRF issue with API endpoint Dan Milne 2026-01-02 15:29:34 +11:00
  • f67a73821c OpenID Conformance: user info endpoint should support get and post requests, not just get Dan Milne 2026-01-02 15:26:39 +11:00
  • b09ddf6db5 OpenID Conformance: We need to return to the redirect_uri in the case of errors. Dan Milne 2026-01-02 15:12:55 +11:00
  • abbb11a41d Return only scopes requested, add tests ( OpenID conformance test ) Dan Milne 2026-01-02 14:55:06 +11:00
  • b2030df8c2 Return only scopes requested ( OpenID conformance test ). Update README Dan Milne 2026-01-02 14:05:54 +11:00
  • 07cddf5823 Version bump Dan Milne 2026-01-02 12:57:28 +11:00
  • 46aa983189 Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key Dan Milne 2026-01-02 12:56:03 +11:00
  • d0d79ee1da Try ignore capybara's test tripping trivy Dan Milne 2026-01-02 12:52:24 +11:00
  • 2f6a2c7406 Update ruby 3.4.6 -> 3.4.7. Update gems. Add trivy scanning and ignore unfixable Debian CVEs. Ignore a test fixture key for Capybara Dan Milne 2026-01-02 12:48:40 +11:00
  • 5137a25626 Add remaining rate limits. Add docker compose production example. Update beta-checklist. Dan Milne 2026-01-02 12:14:13 +11:00
  • fed7c3cedb Some beta-checklist updates Dan Milne 2026-01-02 11:53:41 +11:00
  • e288fcad7c Remove old docs Dan Milne 2026-01-01 21:04:26 +11:00
  • c1c6e0112e Add backup / restore documentation Dan Milne 2026-01-01 15:40:49 +11:00
  • 7f834fb7fa Version bump Dan Milne 2026-01-01 15:27:19 +11:00
  • ae99d3d9cf Fix webauthn bug. Fix tests. Update docs Dan Milne 2026-01-01 15:24:56 +11:00
  • 1afcd041f9 Update README, fix a test Dan Milne 2026-01-01 15:17:28 +11:00
  • 71198340d0 fix tests and add a Claude.md file Dan Milne 2026-01-01 15:11:46 +11:00
  • d597ca8810 Fix tests Dan Milne 2026-01-01 14:52:24 +11:00
  • 9b81aee490 Fix linting error Dan Milne 2026-01-01 13:45:10 +11:00
  • 265518ab25 Move integration tests into right directory Dan Milne 2026-01-01 13:43:13 +11:00
  • adb789bbea Fix StandardRB Dan Milne 2026-01-01 13:35:37 +11:00
  • 93a0edb0a2 StandardRB fixes Dan Milne 2026-01-01 13:29:44 +11:00
  • 7d3af2bcec SRB fixes Dan Milne 2026-01-01 13:19:17 +11:00
  • c03034c49f Add files to support brakeman and standardrb. Fix some SRB warnings Dan Milne 2026-01-01 13:18:30 +11:00
  • 9234904e47 Add security-todo and beta-checklists, and some security rake tasks Dan Milne 2026-01-01 13:06:54 +11:00
  • e36a9a781a Add new claims to the discovery endpoint Dan Milne 2025-12-31 17:27:28 +11:00
  • d036e25fef Add auth_time, acr and azp support for OIDC claims Dan Milne 2025-12-31 17:07:54 +11:00
  • fcdd2b6de7 Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens. Dan Milne 2025-12-31 16:57:28 +11:00
  • 3939ea773f We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ). Dan Milne 2025-12-31 16:45:45 +11:00
  • 4b4afe277e Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record Dan Milne 2025-12-31 16:36:32 +11:00
  • 364e6e21dd Fixes for tests and AR Encryption Dan Milne 2025-12-31 16:08:05 +11:00
  • 9d352ab8ec Fix tests - add missing files Dan Milne 2025-12-31 16:01:31 +11:00
  • d1d4ac745f Version bump Dan Milne 2025-12-31 15:48:52 +11:00
  • 3db466f5a2 Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data. Dan Milne 2025-12-31 15:48:32 +11:00
  • 7c6ae7ab7e Store only HMAC'd Auth codes, rather than plain text auth codes. Dan Milne 2025-12-31 15:00:00 +11:00
  • ed7ceedef5 Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids. Dan Milne 2025-12-31 14:45:38 +11:00
  • 40815d3576 Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens Dan Milne 2025-12-31 14:32:34 +11:00
  • a17c08c890 Improve the README Dan Milne 2025-12-31 14:31:53 +11:00
  • 4f31fadc6c Improve the README and remove incorrect claims. Dan Milne 2025-12-31 12:17:15 +11:00
  • 29c0981a59 Improve readme and tests Dan Milne 2025-12-31 11:56:09 +11:00
  • 9d402fcd92 Clean up and secure web_authn controller Dan Milne 2025-12-31 11:44:11 +11:00
  • 9530c8284f Version bump Dan Milne 2025-12-31 10:35:27 +11:00
  • bb5aa2e6d6 Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation Dan Milne 2025-12-31 10:33:56 +11:00
  • cc7beba9de PKCE is now default enabled. You can now create public / no-secret apps OIDC apps Dan Milne 2025-12-31 09:22:18 +11:00
  • 00eca6d8b2 Default deny forward_auth requests Dan Milne 2025-12-30 16:04:01 +11:00
  • 32235f9647 version bump Dan Milne 2025-12-30 11:58:31 +11:00
  • 71d59e7367 Remove plain text token from everywhere Dan Milne 2025-12-30 11:58:11 +11:00
  • 99c3ac905f Add a token prefix column, generate the token_prefix and the token_digest, removing the plaintext token from use. Dan Milne 2025-12-30 09:45:16 +11:00
  • 0761c424c1 Fix tests. Remove tests which test rails functionality Dan Milne 2025-12-30 00:18:19 +11:00
  • 2a32d75895 Fix tests - don't test standard rails features Dan Milne 2025-12-29 19:45:01 +11:00
  • 4c1df53fd5 Fix more tests Dan Milne 2025-12-29 19:22:08 +11:00
  • acab15ce30 Fix more tests Dan Milne 2025-12-29 18:48:41 +11:00
  • 0361bfe470 Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests Dan Milne 2025-12-29 15:37:12 +11:00
  • 5b9d15584a Add more rate limiting, and more restrictive headers Dan Milne 2025-12-29 13:29:14 +11:00
  • 898fd69a5d Add permissions initializer and missing image paste controller Dan Milne 2025-12-29 13:27:30 +11:00
  • 9cf01f7c7a Bump version 2025.03 Dan Milne 2025-12-28 14:43:26 +11:00
  • ab362aabac Remove the rate limit for the forward auth system Dan Milne 2025-12-28 14:40:53 +11:00
  • 283feea175 Update dependencies, bump version Dan Milne 2025-11-30 23:13:25 +11:00
  • 7af8624bf8 Handle empty backchannel logout urls Dan Milne 2025-11-27 19:19:34 +11:00
  • f8543f98cc Add a subdirectory for active storage Dan Milne 2025-11-27 19:12:09 +11:00
  • 6be23c2c37 Add backchannel logout, per application logout. Dan Milne 2025-11-27 16:38:27 +11:00
  • eb2d7379bf Backchannel complete - improve oidc credential display Dan Milne 2025-11-27 11:52:25 +11:00
  • 67d86e5835 Add Icons for apps 0.5.0 Dan Milne 2025-11-25 19:11:22 +11:00
  • d6029556d3 Add OIDC fixes, add prefered_username, add application-user claims Dan Milne 2025-11-25 16:29:40 +11:00
  • 7796c38c08 Add pairwise SID with a UUIDv4, a significant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user Dan Milne 2025-11-23 11:16:06 +11:00
  • e882a4d6d1 More complete oidc feature/enhance-jwt Dan Milne 2025-11-18 20:03:03 +11:00
  • ab0085e9c9 More complete oidc Dan Milne 2025-11-18 20:02:45 +11:00
  • 1ee3302319 Improvements derived from rodauth-oauth Dan Milne 2025-11-12 22:17:55 +11:00
  • 67f28faaca Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN Dan Milne 2025-11-12 16:24:05 +11:00
  • 33ad956508 Add test Dan Milne 2025-11-12 15:50:04 +11:00
  • 11ec753c68 Bump up the forward auth token ttl, fix leaking of error data Dan Milne 2025-11-09 12:27:53 +11:00
  • 4df2eee4d9 Bug fix for domain names with empty string instead of null. Form errors and some security fixes Dan Milne 2025-11-09 12:22:41 +11:00
  • d9f11abbbf Fixes for OIDC and HTML Dan Milne 2025-11-09 12:04:26 +11:00
  • c92e69fa4a Add PKCE Dan Milne 2025-11-09 11:54:45 +11:00
  • 038801f34b Add pkce Dan Milne 2025-11-09 10:21:29 +11:00
  • 8e0b2c28eb CSP fixes 2025.02 Dan Milne 2025-11-08 20:01:07 +11:00
  • f02665f690 Consolidate all the error messages - add some stimulus controller. Dan Milne 2025-11-07 16:58:28 +11:00
  • 631b2b53bb Fix CSP reporting endpoint. Fix the SER for CSP Dan Milne 2025-11-04 23:22:15 +11:00
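The token storage scheme described by the commits of 2025-12-30 and 2025-12-31 (a token_prefix column plus an HMAC digest, the plaintext token never persisted, lookup through a find_by_token method, and HMAC rather than bcrypt because the token is already 256 bits of random data) is sketched below as an added Ruby example. This is not the project's code: the in-memory TokenStore, the column names token_prefix / token_digest, the 8-character prefix length and the TOKEN_HMAC_SECRET constant are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"

# Added example (not the project's code). An opaque 256-bit random token is
# handed to the client exactly once; the store keeps only a short lookup
# prefix and an HMAC-SHA256 digest of it. TOKEN_HMAC_SECRET, PREFIX_LENGTH
# and the column names are assumptions.
TOKEN_HMAC_SECRET = SecureRandom.bytes(32) # real app: load from config, not per boot

module TokenDigest
  PREFIX_LENGTH = 8

  # base64url without padding, via pack so no extra gem is needed
  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  # 32 random bytes -> 43-character token
  def self.generate
    b64url(SecureRandom.bytes(32))
  end

  # HMAC, not bcrypt: the input already has 256 bits of entropy, so a
  # dictionary attack on a leaked digest is infeasible and a slow KDF buys
  # nothing except CPU time on every authenticated request.
  def self.digest(token, secret = TOKEN_HMAC_SECRET)
    OpenSSL::HMAC.hexdigest("SHA256", secret, token)
  end

  # The prefix is the first characters of the plaintext token. It is an
  # index key, not a secret: 8 chars reveal 48 bits of a 256-bit token.
  def self.prefix(token)
    token[0, PREFIX_LENGTH]
  end
end

class TokenStore
  Record = Struct.new(:token_prefix, :token_digest, :expires_at, :revoked)

  def initialize
    @rows = []
  end

  # Issue a token: persist prefix + digest, return the plaintext exactly once.
  def issue(ttl_seconds:, now: Time.now)
    token = TokenDigest.generate
    @rows << Record.new(TokenDigest.prefix(token), TokenDigest.digest(token),
                        now + ttl_seconds, false)
    token
  end

  # Narrow by prefix (an indexed equality lookup in SQL), then compare the
  # digest in constant time and enforce expiry/revocation on the match.
  def find_by_token(token, now: Time.now)
    return nil unless token.is_a?(String) && token.length > TokenDigest::PREFIX_LENGTH
    candidate = TokenDigest.digest(token)
    @rows.select { |r| r.token_prefix == TokenDigest.prefix(token) }.find do |r|
      OpenSSL.fixed_length_secure_compare(r.token_digest, candidate) &&
        !r.revoked && r.expires_at > now
    end
  end

  def revoke(token)
    rec = find_by_token(token)
    return false unless rec
    rec.revoked = true
    true
  end

  # Check that the plaintext never ended up in any stored column.
  def stored_plaintext?(token)
    @rows.any? { |r| r.token_prefix == token || r.token_digest == token }
  end
end
```

Because the digest is keyed, a database dump alone is not enough to forge or recognise tokens; the HMAC secret lives outside the database (the commit of 2025-12-31 10:33 mentions making it configurable), and rotating it invalidates every stored digest at once.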
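Two of the hashing steps the commits name, PKCE (2025-11-09, made default on 2025-12-31) and the at_hash claim in the ID token (2025-12-31 14:45), are shown together in the added Ruby example below. It is not the project's code: the S256-only policy, the signing-alg-to-hash table and the module names are assumptions. The PKCE test uses the verifier/challenge pair from RFC 7636 Appendix B.

```ruby
require "openssl"
require "securerandom"

# Added example (not the project's code): PKCE S256 verification as done at
# the token endpoint, and the at_hash / c_hash claims placed in an ID token.
# Enforcing S256 only and the HASH_FOR_ALG table are assumptions.
module B64Url
  def self.encode(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end
end

module Pkce
  # RFC 7636: 43..128 characters from the unreserved set.
  VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/

  # Client side: the verifier stays with the client; only the challenge is
  # sent on the authorization request.
  def self.generate_verifier
    B64Url.encode(SecureRandom.bytes(32))
  end

  # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
  def self.challenge(verifier)
    B64Url.encode(OpenSSL::Digest.new("SHA256").digest(verifier))
  end

  # Server side, at the token endpoint: recompute the challenge from the
  # verifier the client presents and compare it with the one stored against
  # the authorization code. "plain" is refused, so an intercepted challenge
  # cannot be replayed as a verifier by a public client's attacker.
  def self.verify(stored_challenge:, method:, verifier:)
    return false unless verifier.is_a?(String) && verifier.match?(VERIFIER_RE)
    return false unless method == "S256" && stored_challenge.is_a?(String)
    expected = challenge(verifier)
    expected.bytesize == stored_challenge.bytesize &&
      OpenSSL.fixed_length_secure_compare(expected, stored_challenge)
  end
end

module IdTokenHash
  # OIDC Core: at_hash is the left-most half of the hash of the access token,
  # using the hash function of the ID token's JWS alg, base64url-encoded
  # without padding. c_hash applies the same recipe to the authorization code.
  HASH_FOR_ALG = {
    "RS256" => "SHA256", "ES256" => "SHA256", "PS256" => "SHA256",
    "RS384" => "SHA384", "ES384" => "SHA384",
    "RS512" => "SHA512", "ES512" => "SHA512"
  }.freeze

  def self.left_half_hash(value, alg)
    digest = OpenSSL::Digest.new(HASH_FOR_ALG.fetch(alg)).digest(value)
    B64Url.encode(digest[0, digest.bytesize / 2])
  end

  def self.at_hash(access_token, alg: "RS256")
    left_half_hash(access_token, alg)
  end

  def self.c_hash(code, alg: "RS256")
    left_half_hash(code, alg)
  end

  # Relying-party side: recompute from the token actually received and
  # compare in constant time, so a swapped access token is detected.
  def self.valid?(claim, value, alg: "RS256")
    expected = left_half_hash(value, alg)
    claim.is_a?(String) && claim.bytesize == expected.bytesize &&
      OpenSSL.fixed_length_secure_compare(claim, expected)
  end
end
```

HASH_FOR_ALG.fetch raises on an alg outside the table, which is the right failure for a token signed with an algorithm the server never advertised in its discovery document.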