dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix more tests

Browse Source
This commit is contained in:
Dan Milne
2025-12-29 18:48:41 +11:00
parent 0361bfe470
commit acab15ce30
6 changed files with 359 additions and 266 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
app/controllers/oidc_controller.rb
View File

@@ -99,7 +99,7 @@ class OidcController < ApplicationController
return
end
# Validate redirect URI
# Validate redirect URI first (required before we can safely redirect with errors)
unless @application.parsed_redirect_uris.include?(redirect_uri)
Rails.logger.error "OAuth: Invalid request - redirect URI mismatch. Expected: #{@application.parsed_redirect_uris}, Got: #{redirect_uri}"
@@ -114,6 +114,15 @@ class OidcController < ApplicationController
return
end
# Check if application is active (now we can safely redirect with error)
unless @application.active?
Rails.logger.error "OAuth: Application is not active: #{@application.name}"
error_uri = "#{redirect_uri}?error=unauthorized_client&error_description=Application+is+not+active"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Check if user is authenticated
unless authenticated?
# Store OAuth parameters in session and redirect to sign in
@@ -223,6 +232,17 @@ class OidcController < ApplicationController
# Find the application
client_id = oauth_params['client_id']
application = Application.find_by(client_id: client_id, app_type: "oidc")
# Check if application is active (redirect with OAuth error)
unless application&.active?
Rails.logger.error "OAuth: Application is not active: #{application&.name || client_id}"
session.delete(:oauth_params)
error_uri = "#{oauth_params['redirect_uri']}?error=unauthorized_client&error_description=Application+is+not+active"
error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state'].present?
redirect_to error_uri, allow_other_host: true
return
end
user = Current.session.user
# Record user consent
@@ -292,6 +312,13 @@ class OidcController < ApplicationController
return
end
# Check if application is active
unless application.active?
Rails.logger.error "OAuth: Token request for inactive application: #{application.name}"
render json: { error: "invalid_client", error_description: "Application is not active" }, status: :forbidden
return
end
# Get the authorization code
code = params[:code]
redirect_uri = params[:redirect_uri]
@@ -418,6 +445,13 @@ class OidcController < ApplicationController
return
end
# Check if application is active
unless application.active?
Rails.logger.error "OAuth: Refresh token request for inactive application: #{application.name}"
render json: { error: "invalid_client", error_description: "Application is not active" }, status: :forbidden
return
end
# Get the refresh token
refresh_token = params[:refresh_token]
unless refresh_token.present?
@@ -519,6 +553,13 @@ class OidcController < ApplicationController
return
end
# Check if application is active (immediate cutoff when app is disabled)
unless access_token.application&.active?
Rails.logger.warn "OAuth: Userinfo request for inactive application: #{access_token.application&.name}"
head :forbidden
return
end
# Get the user (with fresh data from database)
user = access_token.user
unless user
@@ -581,6 +622,13 @@ class OidcController < ApplicationController
return
end
# Check if application is active (RFC 7009: still return 200 OK for privacy)
unless application.active?
Rails.logger.warn "OAuth: Token revocation attempted for inactive application: #{application.name}"
head :ok
return
end
# Get the token to revoke
token = params[:token]
token_type_hint = params[:token_type_hint] # Optional hint: "access_token" or "refresh_token"