703d24e4e4
Two HIGH-severity findings from the security review: - ForwardAuth: when no host header was present, /api/verify skipped the application lookup and group check entirely, returning 200 with identity headers (including all of the user's groups). This bypassed per-domain access control. Now fails closed with 403, and the unreachable DEFAULT_HEADERS fallback (the bypass path) is removed so headers are always scoped to a resolved, active application. - OIDC: the consent endpoint was in the verify_authenticity_token skip list, so a forged cross-site POST could silently grant OAuth scopes. Removed :consent from the skip list (the form already embeds the token). Adds regression tests for both: fail-closed with no identity headers when host is absent, and 422 on a tokenless consent POST. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
8.6 KiB
8.6 KiB