Dan Milne fcdd2b6de7 Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.

2025-12-31 16:57:28 +11:00

..

assets

First commit

2025-10-23 16:19:56 +11:00

channels/application_cable

First crack

2025-10-23 16:45:00 +11:00

controllers

Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.

2025-12-31 16:57:28 +11:00

helpers

Add OIDC fixes, add prefered_username, add application-user claims

2025-11-25 16:29:40 +11:00

javascript

PKCE is now default enabled. You can now create public / no-secret apps OIDC apps

2025-12-31 09:22:18 +11:00

jobs

Backchannel complete - improve oidc credential display

2025-11-27 11:52:25 +11:00

mailers

Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN

2025-11-12 16:24:05 +11:00

models

Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.

2025-12-31 15:48:32 +11:00

services

Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record

2025-12-31 16:36:32 +11:00

views

Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation

2025-12-31 10:33:56 +11:00