StandardRB fixes

app/controllers/api/csp_controller.rb

@@ -8,7 +8,7 @@ module Api
     def violation_report
       # Parse CSP violation report
       report_data = JSON.parse(request.body.read)
-      csp_report = report_data['csp-report']
+      csp_report = report_data["csp-report"]
 
       # Validate that we have a proper CSP report
       unless csp_report.is_a?(Hash) && csp_report.present?
@@ -19,28 +19,28 @@ module Api
 
       # Log the violation for security monitoring
       Rails.logger.warn "CSP Violation Report:"
-      Rails.logger.warn "  Blocked URI: #{csp_report['blocked-uri']}"
-      Rails.logger.warn "  Document URI: #{csp_report['document-uri']}"
-      Rails.logger.warn "  Referrer: #{csp_report['referrer']}"
-      Rails.logger.warn "  Violated Directive: #{csp_report['violated-directive']}"
-      Rails.logger.warn "  Original Policy: #{csp_report['original-policy']}"
+      Rails.logger.warn "  Blocked URI: #{csp_report["blocked-uri"]}"
+      Rails.logger.warn "  Document URI: #{csp_report["document-uri"]}"
+      Rails.logger.warn "  Referrer: #{csp_report["referrer"]}"
+      Rails.logger.warn "  Violated Directive: #{csp_report["violated-directive"]}"
+      Rails.logger.warn "  Original Policy: #{csp_report["original-policy"]}"
       Rails.logger.warn "  User Agent: #{request.user_agent}"
       Rails.logger.warn "  IP Address: #{request.remote_ip}"
 
       # Emit structured event for CSP violation
       # This allows multiple subscribers to process the event (Sentry, local logging, etc.)
       Rails.event.notify("csp.violation", {
-        blocked_uri: csp_report['blocked-uri'],
-        document_uri: csp_report['document-uri'],
-        referrer: csp_report['referrer'],
-        violated_directive: csp_report['violated-directive'],
-        original_policy: csp_report['original-policy'],
-        disposition: csp_report['disposition'],
-        effective_directive: csp_report['effective-directive'],
-        source_file: csp_report['source-file'],
-        line_number: csp_report['line-number'],
-        column_number: csp_report['column-number'],
-        status_code: csp_report['status-code'],
+        blocked_uri: csp_report["blocked-uri"],
+        document_uri: csp_report["document-uri"],
+        referrer: csp_report["referrer"],
+        violated_directive: csp_report["violated-directive"],
+        original_policy: csp_report["original-policy"],
+        disposition: csp_report["disposition"],
+        effective_directive: csp_report["effective-directive"],
+        source_file: csp_report["source-file"],
+        line_number: csp_report["line-number"],
+        column_number: csp_report["column-number"],
+        status_code: csp_report["status-code"],
         user_agent: request.user_agent,
         ip_address: request.remote_ip,
         current_user_id: Current.user&.id,
@@ -54,4 +54,4 @@ module Api
       head :bad_request
     end
   end
-end
+end

app/controllers/api/forward_auth_controller.rb

@@ -81,22 +81,26 @@ module Api
 
       # User is authenticated and authorized
       # Return 200 with user information headers using app-specific configuration
-      headers = app ? app.headers_for_user(user) : Application::DEFAULT_HEADERS.map { |key, header_name|
-        case key
-        when :user, :email, :name
-          [header_name, user.email_address]
-        when :groups
-          user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
-        when :admin
-          [header_name, user.admin? ? "true" : "false"]
-        end
-      }.compact.to_h
+      headers = if app
+        app.headers_for_user(user)
+      else
+        Application::DEFAULT_HEADERS.map { |key, header_name|
+          case key
+          when :user, :email, :name
+            [header_name, user.email_address]
+          when :groups
+            user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
+          when :admin
+            [header_name, user.admin? ? "true" : "false"]
+          end
+        }.compact.to_h
+      end
 
       headers.each { |key, value| response.headers[key] = value }
 
       # Log what headers we're sending (helpful for debugging)
       if headers.any?
-        Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(', ')}"
+        Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(", ")}"
       else
         Rails.logger.debug "ForwardAuth: No headers sent (access only)"
       end
@@ -123,14 +127,13 @@ module Api
       # Delete the token immediately (one-time use)
       Rails.cache.delete("forward_auth_token:#{token}")
 
-            session_id
+      session_id
     end
 
     def extract_session_id
       # Extract session ID from cookie
       # Rails uses signed cookies by default
-      session_id = cookies.signed[:session_id]
-            session_id
+      cookies.signed[:session_id]
     end
 
     def extract_app_from_headers
@@ -155,7 +158,7 @@ module Api
       original_uri = request.headers["X-Forwarded-Uri"] || request.headers["X-Forwarded-Path"] || "/"
 
       # Debug logging to see what headers we're getting
-      Rails.logger.info "ForwardAuth Headers: Host=#{request.headers['Host']}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers['X-Forwarded-Uri']}, X-Forwarded-Path=#{request.headers['X-Forwarded-Path']}"
+      Rails.logger.info "ForwardAuth Headers: Host=#{request.headers["Host"]}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers["X-Forwarded-Uri"]}, X-Forwarded-Path=#{request.headers["X-Forwarded-Path"]}"
 
       original_url = if original_host
         # Use the forwarded host and URI (original behavior)
@@ -203,7 +206,7 @@ module Api
         return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
 
         # Only allow HTTPS in production
-        return nil unless Rails.env.development? || uri.scheme == 'https'
+        return nil unless Rails.env.development? || uri.scheme == "https"
 
         redirect_domain = uri.host.downcase
         return nil unless redirect_domain.present?
@@ -214,7 +217,6 @@ module Api
         end
 
         matching_app ? url : nil
-
       rescue URI::InvalidURIError
         nil
       end
@@ -233,13 +235,13 @@ module Api
       return redirect_url if redirect_url.present?
 
       # Try CLINCH_HOST environment variable first
-      if ENV['CLINCH_HOST'].present?
-        host = ENV['CLINCH_HOST']
+      if ENV["CLINCH_HOST"].present?
+        host = ENV["CLINCH_HOST"]
         # Ensure URL has https:// protocol
         host.match?(/^https?:\/\//) ? host : "https://#{host}"
       else
         # Fallback to the request host
-        request_host = request.host || request.headers['X-Forwarded-Host']
+        request_host = request.host || request.headers["X-Forwarded-Host"]
         if request_host.present?
           Rails.logger.warn "ForwardAuth: CLINCH_HOST not set, using request host: #{request_host}"
           "https://#{request_host}"