Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow setting the hmac secret for token prefix generation

This commit is contained in:
Dan Milne
2025-12-31 10:33:56 +11:00
parent cc7beba9de
commit bb5aa2e6d6
7 changed files with 56 additions and 12 deletions


@@ -169,7 +169,7 @@ class OidcController < ApplicationController
# Redirect back to client with authorization code
redirect_uri = "#{redirect_uri}?code=#{code}"
redirect_uri += "&state=#{state}" if state.present?
redirect_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to redirect_uri, allow_other_host: true
return
end
@@ -224,7 +224,7 @@ class OidcController < ApplicationController
if params[:deny].present?
session.delete(:oauth_params)
error_uri = "#{oauth_params['redirect_uri']}?error=access_denied"
error_uri += "&state=#{oauth_params['state']}" if oauth_params['state']
error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
redirect_to error_uri, allow_other_host: true
return
end
@@ -276,7 +276,7 @@ class OidcController < ApplicationController
# Redirect back to client with authorization code
redirect_uri = "#{oauth_params['redirect_uri']}?code=#{code}"
redirect_uri += "&state=#{oauth_params['state']}" if oauth_params['state']
redirect_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
redirect_to redirect_uri, allow_other_host: true
end
@@ -724,7 +724,7 @@ class OidcController < ApplicationController
if validated_uri
redirect_uri = validated_uri
redirect_uri += "?state=#{state}" if state.present?
redirect_uri += "?state=#{CGI.escape(state)}" if state.present?
redirect_to redirect_uri, allow_other_host: true
else
# Invalid redirect URI - log warning and go to default