Add skip-consent, correctly use 303 rather than 302, actually rename the per-app 'logout' to 'require re-auth'. Add helper methods for token lifetime, allowing e.g. 10d for 10 days.

This commit is contained in:
Dan Milne
2026-01-05 12:03:01 +11:00
parent e631f606e7
commit 25e1043312
10 changed files with 148 additions and 32 deletions


@@ -86,8 +86,17 @@ class SessionsController < ApplicationController
end
# Sign in successful (password only)
# Preserve the return_to_after_authenticating value across session boundary
# (e.g., when max_age flow destroys the session and creates a temporary one)
preserved_return_url = session[:return_to_after_authenticating]
start_new_session_for user, acr: "1"
# Restore the return URL if it was lost during session recreation
if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
session[:return_to_after_authenticating] = preserved_return_url
end
# Use status: :see_other to ensure browser makes a GET request
# This prevents Turbo from converting it to a TURBO_STREAM request
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other
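Review bot: The preserve/restore dance around `start_new_session_for` (read `session[:return_to_after_authenticating]`, start the session, write it back when blank) is pasted three times in this file — here and again in the two TOTP/backup-code hunks below — which is exactly the kind of duplication that lets the paths drift apart. Extracting it into one private helper that takes `user` and `acr:` keeps the session-boundary rule in a single place and makes the intent (carrying the return URL across the max_age session recreation) documentable once. The helper below is a suggested shape; the enclosing action starts before this hunk, so where `private` lands is for the author to place. Since the restored value is later passed to `redirect_to ... allow_other_host: true`, it is worth confirming in `after_authentication_url` that the preserved URL is still validated against the allowed redirect targets rather than trusted because it came from the previous session.
```ruby
# Starts a new session for +user+ and carries the pending return URL across
# the session boundary (the max_age flow destroys the session and creates a
# temporary one, which would otherwise drop it).
def start_new_session_preserving_return_url(user, acr:)
  preserved_return_url = session[:return_to_after_authenticating]
  start_new_session_for user, acr: acr
  return unless preserved_return_url.present? && session[:return_to_after_authenticating].blank?

  session[:return_to_after_authenticating] = preserved_return_url
end
# … unchanged: callers replace the inline block with
# start_new_session_preserving_return_url(user, acr: "1") …
```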
@@ -125,7 +134,12 @@ class SessionsController < ApplicationController
if session[:totp_redirect_url].present?
session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
end
# Preserve return URL across session boundary for max_age flow
preserved_return_url = session[:return_to_after_authenticating]
start_new_session_for user, acr: "2"
if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
session[:return_to_after_authenticating] = preserved_return_url
end
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
return
end
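Review bot: The `redirect_to` after the TOTP sign-in still uses the default 302, even though the password path in this same commit switched to `status: :see_other` precisely so Turbo issues a plain GET instead of a TURBO_STREAM request; the same omission is in the backup-code path below (`redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true`). The fix is the one-line change `redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other` here and the matching addition of `status: :see_other` on the backup-code redirect. Without it the "correctly use 303" intent of the commit only covers one of the three sign-in completions, and the two MFA paths will keep showing the Turbo behaviour the comment in the first hunk describes. The enclosing action starts before this hunk.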
@@ -137,7 +151,12 @@ class SessionsController < ApplicationController
if session[:totp_redirect_url].present?
session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
end
# Preserve return URL across session boundary for max_age flow
preserved_return_url = session[:return_to_after_authenticating]
start_new_session_for user, acr: "2"
if preserved_return_url.present? && session[:return_to_after_authenticating].blank?
session[:return_to_after_authenticating] = preserved_return_url
end
redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
return
end