Bug fix for domain names with empty string instead of null. Form errors and some security fixes

This commit is contained in:
Dan Milne
2025-11-09 12:22:41 +11:00
parent d9f11abbbf
commit 4df2eee4d9
6 changed files with 28 additions and 7 deletions


@@ -5,4 +5,7 @@ class ApplicationController < ActionController::Base
# Changes to the importmap will invalidate the etag for HTML responses # Changes to the importmap will invalidate the etag for HTML responses
stale_when_importmap_changes stale_when_importmap_changes
# CSRF protection
protect_from_forgery with: :exception
end end
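Review bot: Enabling `protect_from_forgery with: :exception` on the base controller applies to every controller that inherits from it, including the OidcController touched in this commit; if that controller serves the OIDC token (or introspection/revocation) endpoint via POST, non-browser clients that carry no Rails authenticity token will now fail with `ActionController::InvalidAuthenticityToken`. Such endpoints should opt out explicitly, e.g. `skip_forgery_protection only: %i[token]` in that controller, while the browser-facing authorize/consent actions keep the check. Whether such an endpoint exists is not visible in this hunk, so verify against the routes before merging. The one-line comment could also state the chosen strategy: `# CSRF protection: raise on a missing/invalid authenticity token instead of silently nulling the session`.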


@@ -408,9 +408,7 @@ class OidcController < ApplicationController
when "plain" when "plain"
code_verifier code_verifier
when "S256" when "S256"
Digest::SHA256.base64digest(code_verifier) Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
.tr("+/", "-_")
.tr("=", "")
else else
return { return {
valid: false, valid: false,
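Review bot: The S256 branch now yields the RFC 7636 transform, but nothing in this hunk constrains `code_verifier` itself; RFC 7636 §4.1 requires 43–128 characters from `[A-Za-z0-9._~-]`, so rejecting anything else before hashing, e.g. `return { valid: false, error: "invalid_grant" } unless code_verifier.to_s.match?(/\A[A-Za-z0-9._~-]{43,128}\z/)` (error key to match the surrounding hash), removes malformed input early. The `plain` branch passes the verifier through unchanged; the RFC says servers should reject `plain` unless a client is known to be unable to use S256, so consider gating it behind an explicit per-client allow flag. The comparison of the computed value against the stored challenge happens outside this hunk and is not shown; if it is a plain `==`, `ActiveSupport::SecurityUtils.secure_compare` is the usual choice. The enclosing method begins before and ends after this hunk.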


@@ -18,7 +18,10 @@ class Application < ApplicationRecord
validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" } validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
normalizes :slug, with: ->(slug) { slug.strip.downcase } normalizes :slug, with: ->(slug) { slug.strip.downcase }
normalizes :domain_pattern, with: ->(pattern) { pattern&.strip&.downcase } normalizes :domain_pattern, with: ->(pattern) {
normalized = pattern&.strip&.downcase
normalized.blank? ? nil : normalized
}
before_validation :generate_client_credentials, on: :create, if: :oidc? before_validation :generate_client_credentials, on: :create, if: :oidc?
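Review bot: The new normalizer collapses blank `domain_pattern` values to `nil` without saying why at the call site; a comment such as `# Blank patterns become nil so OIDC apps that do not use domain matching cannot collide on domain_pattern uniqueness (see FixEmptyDomainPatterns)` would spare the next reader a trip to the migration. Note that `normalizes` only runs on attribute assignment, so rows written via `update_column`, `upsert` or raw SQL can still store `''`; a database-level check constraint would close that path if the uniqueness guarantee matters. Separately, the unchanged `landing_url` validation on the first context line uses `URI::regexp`, which is unanchored, so a value like `javascript:alert(1) http://x` still matches; anchoring the pattern with `\A…\z` or parsing with `URI.parse` and checking the scheme would be stricter, which matters if `landing_url` is ever used as a redirect target. The class continues outside this hunk.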


@@ -1,5 +1,5 @@
<%# Usage: <%= render "shared/form_errors", object: @user %> %> <%# Usage: render "shared/form_errors", object: @user %>
<%# Usage: <%= render "shared/form_errors", form: form %> %> <%# Usage: render "shared/form_errors", form: form %>
<% form_object = form.respond_to?(:object) ? form.object : (object || form) %> <% form_object = form.respond_to?(:object) ? form.object : (object || form) %>
<% if form_object&.errors&.any? %> <% if form_object&.errors&.any? %>


@@ -0,0 +1,17 @@
class FixEmptyDomainPatterns < ActiveRecord::Migration[8.1]
def up
# Convert empty string domain_patterns to NULL
# This fixes a unique constraint issue where multiple OIDC apps
# had empty string domain_patterns, causing uniqueness violations
execute <<-SQL
UPDATE applications
SET domain_pattern = NULL
WHERE domain_pattern = ''
SQL
end
def down
# No need to reverse this - empty strings and NULL are functionally equivalent
# for OIDC applications where domain_pattern is not used
end
end
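Review bot: The `WHERE domain_pattern = ''` clause only catches the exact empty string; whitespace-only values, which the model's new `normalizes` block also treats as blank, are left in place and can still collide, so `WHERE domain_pattern = '' OR TRIM(domain_pattern) = ''` would make the backfill match the model's rule. The `down` comment says empty strings and NULL are "functionally equivalent", which is precisely what the uniqueness problem shows they are not; consider rewording to `# Not reversible: the original rows were invalid duplicates and NULL is the intended representation` or raising `ActiveRecord::IrreversibleMigration`. Whether the uniqueness is enforced by a DB index or a model validation is not visible here, so the index's NULL semantics should be confirmed on the target database.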

2
db/schema.rb generated

@@ -10,7 +10,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[8.1].define(version: 2025_11_08_090123) do ActiveRecord::Schema[8.1].define(version: 2025_11_09_011443) do
create_table "application_groups", force: :cascade do |t| create_table "application_groups", force: :cascade do |t|
t.integer "application_id", null: false t.integer "application_id", null: false
t.datetime "created_at", null: false t.datetime "created_at", null: false