Add OIDC fixes, add prefered_username, add application-user claims

2025-11-25 16:29:40 +11:00
parent 7796c38c08
commit d6029556d3
34 changed files with 1003 additions and 64 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,6 +3,7 @@ class User < ApplicationRecord
  has_many :sessions, dependent: :destroy
  has_many :user_groups, dependent: :destroy
  has_many :groups, through: :user_groups
+  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_user_consents, dependent: :destroy
  has_many :webauthn_credentials, dependent: :destroy

@@ -20,10 +21,22 @@ class User < ApplicationRecord
  end

  normalizes :email_address, with: ->(e) { e.strip.downcase }
+  normalizes :username, with: ->(u) { u.strip.downcase if u.present? }
+
+  # Reserved OIDC claim names that should not be overridden
+  RESERVED_CLAIMS = %w[
+    iss sub aud exp iat nbf jti nonce azp
+    email email_verified preferred_username name
+    groups
+  ].freeze

  validates :email_address, presence: true, uniqueness: { case_sensitive: false },
                           format: { with: URI::MailTo::EMAIL_REGEXP }
+  validates :username, uniqueness: { case_sensitive: false }, allow_nil: true,
+                      format: { with: /\A[a-zA-Z0-9_-]+\z/, message: "can only contain letters, numbers, underscores, and hyphens" },
+                      length: { minimum: 2, maximum: 30 }
  validates :password, length: { minimum: 8 }, allow_nil: true
+  validate :no_reserved_claim_names

  # Enum - automatically creates scopes (User.active, User.disabled, etc.)
  enum :status, { active: 0, disabled: 1, pending_invitation: 2 }
@@ -182,11 +195,39 @@ class User < ApplicationRecord

  # Parse custom_claims JSON field
  def parsed_custom_claims
-    custom_claims || {}
+    return {} if custom_claims.blank?
+    custom_claims.is_a?(Hash) ? custom_claims : {}
+  end
+
+  # Get fully merged claims for a specific application
+  def merged_claims_for_application(application)
+    merged = {}
+
+    # Start with group claims (in order)
+    groups.each do |group|
+      merged.merge!(group.parsed_custom_claims)
+    end
+
+    # Merge user global claims
+    merged.merge!(parsed_custom_claims)
+
+    # Merge app-specific claims (highest priority)
+    merged.merge!(application.custom_claims_for_user(self))
+
+    merged
  end

  private

+  def no_reserved_claim_names
+    return if custom_claims.blank?
+
+    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
+    if reserved_used.any?
+      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
+    end
+  end
+
  def generate_backup_codes
    # Generate plain codes for user to see/save
    plain_codes = Array.new(10) { SecureRandom.alphanumeric(8).upcase }