dkam/clinch
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2d5650e620b9531be1c39b6d8d325909e23c4fdb
clinch/app/controllers
History
Dan Milne 2d5650e620 Bind forward-auth fa_token to its destination host 
An observed fa_token (via Referer leaks, access logs, JS monitors)
could previously be redeemed against a different reverse-proxied app
within the 60s TTL. The token now stores the destination host at
creation and the verifier rejects mismatches without burning the cache
entry, so legitimate destinations can still redeem.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
2026-04-20 19:04:53 +10:00
..
admin
Harden OIDC, add SVG sanitization, improve form UX and security defaults
2026-04-06 21:06:51 +10:00
api
Bind forward-auth fa_token to its destination host
2026-04-20 19:04:53 +10:00
concerns
Bind forward-auth fa_token to its destination host
2026-04-20 19:04:53 +10:00
active_sessions_controller.rb
Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.
2026-01-05 12:03:01 +11:00
api_keys_controller.rb
Add API keys / bearer tokens for forward auth
2026-03-05 21:45:40 +11:00
application_controller.rb
Upgrade to Ruby 4.0.1, bump version to 0.9.0
2026-03-05 21:52:11 +11:00
dashboard_controller.rb
Fix CSP errors - migrate inline JS to stimulus controllers. Add a URL for applications so users can discover them
2025-11-04 17:06:53 +11:00
invitations_controller.rb
Add remainging rate limits. Add docker compose production example. Update beta-checklist.
2026-01-02 12:14:13 +11:00
oidc_controller.rb
Collapse auth-code replay revocation to two update_all queries
2026-04-20 18:11:54 +10:00
passwords_controller.rb
Add remainging rate limits. Add docker compose production example. Update beta-checklist.
2026-01-02 12:14:13 +11:00
profiles_controller.rb
Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation
2025-12-31 10:33:56 +11:00
sessions_controller.rb
Add remember me checkbox, center and narrow sign-in form
2026-04-11 11:22:51 +10:00
totp_controller.rb
Tighten TOTP enrollment comments to explain the threat, not the change
2026-04-20 18:58:39 +10:00
users_controller.rb
StandardRB fixes
2026-01-01 13:29:44 +11:00
webauthn_controller.rb
Add passkey option on TOTP page and auto-trigger passkey for TOTP users
2026-03-05 23:09:01 +11:00