Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN

2025-11-12 16:24:05 +11:00
parent 33ad956508
commit 67f28faaca
12 changed files with 114 additions and 24 deletions
--- a/app/controllers/api/csp_controller.rb
+++ b/app/controllers/api/csp_controller.rb
@@ -10,6 +10,13 @@ module Api
      report_data = JSON.parse(request.body.read)
      csp_report = report_data['csp-report']

+      # Validate that we have a proper CSP report
+      unless csp_report.is_a?(Hash) && csp_report.present?
+        Rails.logger.warn "Received empty or invalid CSP violation report"
+        head :bad_request
+        return
+      end
+
      # Log the violation for security monitoring
      Rails.logger.warn "CSP Violation Report:"
      Rails.logger.warn "  Blocked URI: #{csp_report['blocked-uri']}"
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -221,7 +221,9 @@ module Api

      # Try CLINCH_HOST environment variable first
      if ENV['CLINCH_HOST'].present?
-        "https://#{ENV['CLINCH_HOST']}"
+        host = ENV['CLINCH_HOST']
+        # Ensure URL has https:// protocol
+        host.match?(/^https?:\/\//) ? host : "https://#{host}"
      else
        # Fallback to the request host
        request_host = request.host || request.headers['X-Forwarded-Host']
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -134,13 +134,16 @@ module Authentication
        original_url = controller_session[:return_to_after_authenticating]
        uri = URI.parse(original_url)

-        # Add token as query parameter
-        query_params = URI.decode_www_form(uri.query || "").to_h
-        query_params['fa_token'] = token
-        uri.query = URI.encode_www_form(query_params)
+        # Skip adding fa_token for OAuth URLs (OAuth flow should not have forward auth tokens)
+        unless uri.path&.start_with?("/oauth/")
+          # Add token as query parameter
+          query_params = URI.decode_www_form(uri.query || "").to_h
+          query_params['fa_token'] = token
+          uri.query = URI.encode_www_form(query_params)

-        # Update the session with the tokenized URL
-        controller_session[:return_to_after_authenticating] = uri.to_s
+          # Update the session with the tokenized URL
+          controller_session[:return_to_after_authenticating] = uri.to_s
+        end
      end
    end
 end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -34,7 +34,7 @@ class OidcController < ApplicationController

  # GET /oauth/authorize
  def authorize
-    # Get parameters
+    # Get parameters (ignore forward auth tokens and other unknown params)
    client_id = params[:client_id]
    redirect_uri = params[:redirect_uri]
    state = params[:state]
@@ -46,7 +46,12 @@ class OidcController < ApplicationController

    # Validate required parameters
    unless client_id.present? && redirect_uri.present? && response_type == "code"
-      render plain: "Invalid request", status: :bad_request
+      error_details = []
+      error_details << "client_id is required" unless client_id.present?
+      error_details << "redirect_uri is required" unless redirect_uri.present?
+      error_details << "response_type must be 'code'" unless response_type == "code"
+
+      render plain: "Invalid request: #{error_details.join(', ')}", status: :bad_request
      return
    end

@@ -67,13 +72,33 @@ class OidcController < ApplicationController
    # Find the application
    @application = Application.find_by(client_id: client_id, app_type: "oidc")
    unless @application
-      render plain: "Invalid request", status: :bad_request
+      # Log all OIDC applications for debugging
+      all_oidc_apps = Application.where(app_type: "oidc")
+      Rails.logger.error "OAuth: Invalid request - application not found for client_id: #{client_id}"
+      Rails.logger.error "OAuth: Available OIDC applications: #{all_oidc_apps.pluck(:id, :client_id, :name)}"
+
+      error_msg = if Rails.env.development?
+        "Invalid request: Application not found for client_id '#{client_id}'. Available OIDC applications: #{all_oidc_apps.pluck(:name, :client_id).map { |name, id| "#{name} (#{id})" }.join(', ')}"
+      else
+        "Invalid request: Application not found"
+      end
+
+      render plain: error_msg, status: :bad_request
      return
    end

    # Validate redirect URI
    unless @application.parsed_redirect_uris.include?(redirect_uri)
-      render plain: "Invalid request", status: :bad_request
+      Rails.logger.error "OAuth: Invalid request - redirect URI mismatch. Expected: #{@application.parsed_redirect_uris}, Got: #{redirect_uri}"
+
+      # For development, show detailed error
+      error_msg = if Rails.env.development?
+        "Invalid request: Redirect URI mismatch. Application is configured for: #{@application.parsed_redirect_uris.join(', ')}, but received: #{redirect_uri}"
+      else
+        "Invalid request: Redirect URI not registered for this application"
+      end
+
+      render plain: error_msg, status: :bad_request
      return
    end

@@ -139,9 +164,17 @@ class OidcController < ApplicationController
      code_challenge_method: code_challenge_method
    }

-    # Render consent page
+    # Render consent page with dynamic CSP for OAuth redirect
    @redirect_uri = redirect_uri
    @scopes = requested_scopes
+
+    # Add the redirect URI to CSP form-action for this specific request
+    # This allows the OAuth redirect to work while maintaining security
+    if redirect_uri.present?
+      redirect_host = URI.parse(redirect_uri).host
+      request.content_security_policy.form_action << "https://#{redirect_host}" if redirect_host
+    end
+
    render :consent
  end

--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -1,4 +1,4 @@
 class ApplicationMailer < ActionMailer::Base
-  default from: ENV.fetch('CLINCH_EMAIL_FROM', 'clinch@example.com')
+  default from: ENV.fetch('CLINCH_FROM_EMAIL', 'clinch@example.com')
  layout "mailer"
 end
--- a/app/views/admin/applications/index.html.erb
+++ b/app/views/admin/applications/index.html.erb
@@ -37,6 +37,8 @@
                <% case application.app_type %>
                <% when "oidc" %>
                  <span class="inline-flex items-center rounded-full bg-purple-100 px-2 py-1 text-xs font-medium text-purple-700">OIDC</span>
+                <% when "forward_auth" %>
+                  <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Forward Auth</span>
                <% when "saml" %>
                  <span class="inline-flex items-center rounded-full bg-orange-100 px-2 py-1 text-xs font-medium text-orange-700">SAML</span>
                <% end %>
--- a/app/views/admin/groups/index.html.erb
+++ b/app/views/admin/groups/index.html.erb
@@ -39,9 +39,11 @@
                <%= pluralize(group.applications.count, "app") %>
              </td>
              <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
-                <%= link_to "View", admin_group_path(group), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= link_to "Edit", edit_admin_group_path(group), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= button_to "Delete", admin_group_path(group), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this group?" }, class: "text-red-600 hover:text-red-900" %>
+                <div class="flex justify-end space-x-3">
+                  <%= link_to "View", admin_group_path(group), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= link_to "Edit", edit_admin_group_path(group), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= button_to "Delete", admin_group_path(group), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this group?" }, class: "text-red-600 hover:text-red-900 whitespace-nowrap" %>
+                </div>
              </td>
            </tr>
          <% end %>
--- a/app/views/oidc/consent.html.erb
+++ b/app/views/oidc/consent.html.erb
@@ -57,7 +57,7 @@
      </div>
    </div>

-    <%= form_with url: oauth_consent_path, method: :post, class: "space-y-3", data: { turbo: false } do |form| %>
+    <%= form_with url: "/oauth/authorize/consent", method: :post, class: "space-y-3", data: { turbo: false }, local: true do |form| %>
      <%= form.submit "Authorize",
          class: "w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500" %>