Improve some front end views. More descriptive error condition reporting. Updates to CLINCH_HOST for better WEBAUTHN

config/environments/production.rb

@@ -80,14 +80,28 @@ Rails.application.configure do
   # Only use :id for inspections in production.
   config.active_record.attributes_for_inspect = [ :id ]
 
+  # Helper method to extract domain from CLINCH_HOST (removes protocol if present)
+  def self.extract_domain(host)
+    return host if host.blank?
+    # Remove protocol (http:// or https://) if present
+    host.gsub(/^https?:\/\//, '')
+  end
+
+  # Helper method to ensure URL has https:// protocol
+  def self.ensure_https(url)
+    return url if url.blank?
+    # Add https:// if no protocol is present
+    url.match?(/^https?:\/\//) ? url : "https://#{url}"
+  end
+
   # Enable DNS rebinding protection and other `Host` header attacks.
   # Configure allowed hosts based on deployment scenario
   allowed_hosts = [
-    ENV.fetch('CLINCH_HOST', 'auth.example.com'),  # External domain (auth service itself)
+    extract_domain(ENV.fetch('CLINCH_HOST', 'auth.example.com')),  # External domain (auth service itself)
   ]
 
   # Use PublicSuffix to extract registrable domain and allow all subdomains
-  host_domain = ENV.fetch('CLINCH_HOST', 'auth.example.com')
+  host_domain = extract_domain(ENV.fetch('CLINCH_HOST', 'auth.example.com'))
   if host_domain.present?
     begin
       # Use PublicSuffix to properly extract the domain

config/initializers/content_security_policy.rb

@@ -39,6 +39,7 @@ Rails.application.configure do
     policy.base_uri :self
 
     # Form actions: Allow self for all form submissions
+    # Note: OAuth redirects will be handled dynamically in the consent page
     policy.form_action :self
 
     # Manifest sources: Allow self for PWA manifest
@@ -53,9 +54,12 @@ Rails.application.configure do
     # Additional security headers for WebAuthn
     # Required for WebAuthn to work properly
     policy.require_trusted_types_for :none
+
+    # CSP reporting using report_uri (supported method)
     policy.report_uri  "/api/csp-violation-report"
   end
 
+  
   # Start with CSP in report-only mode for testing
   # Set to false after verifying everything works in production
   config.content_security_policy_report_only = Rails.env.development?

config/initializers/csp_local_logger.rb

@@ -23,6 +23,12 @@ Rails.application.config.after_initialize do
     def self.emit(event)
       csp_data = event[:payload] || {}
 
+      # Skip logging if there's no meaningful violation data
+      return if csp_data.empty? ||
+                (csp_data[:violated_directive].nil? &&
+                 csp_data[:blocked_uri].nil? &&
+                 csp_data[:document_uri].nil?)
+
       # Build a structured log message
       violated_directive = csp_data[:violated_directive] || "unknown"
       blocked_uri = csp_data[:blocked_uri] || "unknown"

config/initializers/webauthn.rb

@@ -1,14 +1,31 @@
 # WebAuthn configuration for Clinch Identity Provider
 WebAuthn.configure do |config|
   # Relying Party name (displayed in authenticator prompts)
-  # For development, use http://localhost to match passkey in Passwords app
+  # CLINCH_HOST should include protocol (https://) for WebAuthn
   origin_host = ENV.fetch("CLINCH_HOST", "http://localhost")
   config.allowed_origins = [origin_host]
 
-  # Relying Party ID (must match origin domain)
-  # Extract domain from origin for RP ID
-  origin_uri = URI.parse(origin_host)
-  config.rp_id = ENV.fetch("CLINCH_RP_ID", "localhost")
+  # Relying Party ID (must match origin domain without protocol)
+  # Extract domain from origin for RP ID if CLINCH_RP_ID not set
+  if ENV["CLINCH_RP_ID"].present?
+    config.rp_id = ENV["CLINCH_RP_ID"]
+  else
+    # Extract registrable domain from CLINCH_HOST using PublicSuffix
+    origin_uri = URI.parse(origin_host)
+    if origin_uri.host
+      begin
+        # Use PublicSuffix to get the registrable domain (e.g., "aapamilne.com" from "auth.aapamilne.com")
+        domain = PublicSuffix.parse(origin_uri.host)
+        config.rp_id = domain.domain || origin_uri.host
+      rescue PublicSuffix::DomainInvalid => e
+        Rails.logger.warn "WebAuthn: Failed to parse domain '#{origin_uri.host}': #{e.message}, using host as fallback"
+        config.rp_id = origin_uri.host
+      end
+    else
+      Rails.logger.error "WebAuthn: Could not extract host from CLINCH_HOST '#{origin_host}'"
+      config.rp_id = "localhost"
+    end
+  end
 
   # For development, we also allow localhost with common ports and without port
   if Rails.env.development?