Bump up the forward auth token ttl, fix leaking of error data

This commit is contained in:
Dan Milne
2025-11-09 12:27:53 +11:00
parent 4df2eee4d9
commit 11ec753c68
2 changed files with 7 additions and 7 deletions


@@ -120,11 +120,11 @@ module Authentication
# Generate a secure random token # Generate a secure random token
token = SecureRandom.urlsafe_base64(32) token = SecureRandom.urlsafe_base64(32)
# Store it with an expiry of 30 seconds # Store it with an expiry of 60 seconds
Rails.cache.write( Rails.cache.write(
"forward_auth_token:#{token}", "forward_auth_token:#{token}",
session_obj.id, session_obj.id,
expires_in: 30.seconds expires_in: 60.seconds
) )
# Set the token as a query parameter on the redirect URL # Set the token as a query parameter on the redirect URL
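Review bot: Doubling `expires_in: 60.seconds` also doubles the window in which a captured token can be redeemed, and the comment on the last line of the hunk says the token travels as a query parameter on the redirect URL, so it can end up in access logs, proxy logs and Referer headers. The hunk does not show the redemption side; if that code does not `Rails.cache.delete` the `forward_auth_token:` entry on first use, making it single-use would bound the exposure independently of the TTL and is worth confirming. The comment and the literal were updated together, which is good, but the reason 30 seconds was insufficient is not recorded anywhere; a short note such as `# 60s: <reason the previous 30s window was too short>` would save the next reviewer from guessing. The enclosing method starts and ends outside the hunk.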


@@ -46,20 +46,20 @@ class OidcController < ApplicationController
# Validate required parameters # Validate required parameters
unless client_id.present? && redirect_uri.present? && response_type == "code" unless client_id.present? && redirect_uri.present? && response_type == "code"
render plain: "Invalid request: missing required parameters", status: :bad_request render plain: "Invalid request", status: :bad_request
return return
end end
# Validate PKCE parameters if present # Validate PKCE parameters if present
if code_challenge.present? if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method) unless %w[plain S256].include?(code_challenge_method)
render plain: "Invalid code_challenge_method. Supported: plain, S256", status: :bad_request render plain: "Invalid request", status: :bad_request
return return
end end
# Validate code challenge format (base64url-encoded, 43-128 characters) # Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/) unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
render plain: "Invalid code_challenge format. Must be 43-128 characters of base64url encoding", status: :bad_request render plain: "Invalid request", status: :bad_request
return return
end end
end end
@@ -67,13 +67,13 @@ class OidcController < ApplicationController
# Find the application # Find the application
@application = Application.find_by(client_id: client_id, app_type: "oidc") @application = Application.find_by(client_id: client_id, app_type: "oidc")
unless @application unless @application
render plain: "Invalid client_id", status: :bad_request render plain: "Invalid request", status: :bad_request
return return
end end
# Validate redirect URI # Validate redirect URI
unless @application.parsed_redirect_uris.include?(redirect_uri) unless @application.parsed_redirect_uris.include?(redirect_uri)
render plain: "Invalid redirect_uri", status: :bad_request render plain: "Invalid request", status: :bad_request
return return
end end
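Review bot: Collapsing all five rejections to the bare `Invalid request` removes the detail from the client but records it nowhere, so in production a `redirect_uri` mismatch (last rejection of the second hunk) becomes indistinguishable from a missing parameter or an unknown `client_id`, which makes misconfigured integrations hard to diagnose; the same applies to the three rejections in the first hunk. A small private helper that logs a fixed reason and renders the generic message keeps the response opaque while giving operators the distinction, and it also removes the five copies of the same `render` line. The reason passed to it should be a fixed literal, never the raw parameter value, so that untrusted input is not written into logs. The authorize action begins before the first hunk and continues past the second.
```ruby
    unless @application
      render_invalid_request("unknown client_id")
      return
    end
    # … unchanged: remaining rejection sites call render_invalid_request the same way …

  private

  # Reject the authorization request with a fixed, non-revealing client
  # message while recording the concrete reason for operators.
  # `reason` must be a literal, never a request parameter.
  def render_invalid_request(reason)
    Rails.logger.warn("oidc authorize rejected: #{reason}")
    render plain: "Invalid request", status: :bad_request
  end
```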