Bug fix for domain names with empty string instead of null. Form errors and some security fixes

app/controllers/application_controller.rb

@@ -5,4 +5,7 @@ class ApplicationController < ActionController::Base
 
   # Changes to the importmap will invalidate the etag for HTML responses
   stale_when_importmap_changes
+
+  # CSRF protection
+  protect_from_forgery with: :exception
 end

app/controllers/oidc_controller.rb

@@ -408,9 +408,7 @@ class OidcController < ApplicationController
                         when "plain"
                           code_verifier
                         when "S256"
-                          Digest::SHA256.base64digest(code_verifier)
-                            .tr("+/", "-_")
-                            .tr("=", "")
+                          Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
                         else
                           return {
                             valid: false,

app/models/application.rb

@@ -18,7 +18,10 @@ class Application < ApplicationRecord
   validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
 
   normalizes :slug, with: ->(slug) { slug.strip.downcase }
-  normalizes :domain_pattern, with: ->(pattern) { pattern&.strip&.downcase }
+  normalizes :domain_pattern, with: ->(pattern) {
+    normalized = pattern&.strip&.downcase
+    normalized.blank? ? nil : normalized
+  }
 
   before_validation :generate_client_credentials, on: :create, if: :oidc?
 

app/views/shared/_form_errors.html.erb

@@ -1,5 +1,5 @@
-<%# Usage: <%= render "shared/form_errors", object: @user %> %>
-<%# Usage: <%= render "shared/form_errors", form: form %> %>
+<%# Usage: render "shared/form_errors", object: @user %>
+<%# Usage: render "shared/form_errors", form: form %>
 
 <% form_object = form.respond_to?(:object) ? form.object : (object || form) %>
 <% if form_object&.errors&.any? %>