clinch

Files

Dan Milne 703d24e4e4 Fix ForwardAuth fail-open and consent CSRF bypass

Two HIGH-severity findings from the security review:

- ForwardAuth: when no host header was present, /api/verify skipped the
  application lookup and group check entirely, returning 200 with identity
  headers (including all of the user's groups). This bypassed per-domain
  access control. Now fails closed with 403, and the unreachable
  DEFAULT_HEADERS fallback (the bypass path) is removed so headers are
  always scoped to a resolved, active application.

- OIDC: the consent endpoint was in the verify_authenticity_token skip
  list, so a forged cross-site POST could silently grant OAuth scopes.
  Removed :consent from the skip list (the form already embeds the token).

Adds regression tests for both: fail-closed with no identity headers when
host is absent, and 422 on a tokenless consent POST.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-11 07:52:56 +10:00

admin

Apps index access column + summary + admin access checker

2026-06-07 18:38:56 +10:00

api

Fix ForwardAuth fail-open and consent CSRF bypass

2026-06-11 07:52:56 +10:00

concerns

Allow OAuth redirect_uri host in form-action CSP on sign-in pages

2026-05-23 11:03:32 +10:00

active_sessions_controller.rb

Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.