Fixes for OIDC and HTML

2025-11-09 12:04:26 +11:00
parent c92e69fa4a
commit d9f11abbbf
3 changed files with 38 additions and 32 deletions
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -257,7 +257,12 @@ class OidcController < ApplicationController
    end
    # Validate PKCE if code challenge is present
-    unless validate_pkce(auth_code, code_verifier)
+    pkce_result = validate_pkce(auth_code, code_verifier)
    unless pkce_result[:valid]
      render json: {
        error: pkce_result[:error],
        error_description: pkce_result[:error_description]
      }, status: pkce_result[:status]
      return
    end
@@ -376,24 +381,26 @@ class OidcController < ApplicationController
  def validate_pkce(auth_code, code_verifier)
    # Skip PKCE validation if no code challenge was stored (legacy clients)
-    return true unless auth_code.code_challenge.present?
+    return { valid: true } unless auth_code.code_challenge.present?
    # PKCE is required but no verifier provided
    unless code_verifier.present?
-      render json: {
+      return {
        valid: false,
        error: "invalid_request",
-        error_description: "code_verifier is required when code_challenge was provided"
+        error_description: "code_verifier is required when code_challenge was provided",
-      }, status: :bad_request
+        status: :bad_request
-      return false
+      }
    end
    # Validate code verifier format (base64url-encoded, 43-128 characters)
    unless code_verifier.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
-      render json: {
+      return {
        valid: false,
        error: "invalid_request",
-        error_description: "Invalid code_verifier format. Must be 43-128 characters of base64url encoding"
+        error_description: "Invalid code_verifier format. Must be 43-128 characters of base64url encoding",
-      }, status: :bad_request
+        status: :bad_request
-      return false
+      }
    end
    # Recreate code challenge based on method
@@ -405,23 +412,25 @@ class OidcController < ApplicationController
                            .tr("+/", "-_")
                            .tr("=", "")
                        else
-                          render json: {
+                          return {
                            valid: false,
                            error: "server_error",
-                            error_description: "Unsupported code challenge method"
+                            error_description: "Unsupported code challenge method",
-                          }, status: :internal_server_error
+                            status: :internal_server_error
-                          return false
+                          }
                        end
    # Validate the code challenge
    unless auth_code.code_challenge == expected_challenge
-      render json: {
+      return {
        valid: false,
        error: "invalid_grant",
-        error_description: "Invalid code verifier"
+        error_description: "Invalid code verifier",
-      }, status: :bad_request
+        status: :bad_request
-      return false
+      }
    end
-    true
+    { valid: true }
  end
  def extract_client_credentials
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -19,4 +19,14 @@ module ApplicationHelper
      :smtp
    end
  end
  def border_class_for(type)
    case type.to_s
    when 'notice' then 'border-green-200'
    when 'alert', 'error' then 'border-red-200'
    when 'warning' then 'border-yellow-200'
    when 'info' then 'border-blue-200'
    else 'border-gray-200'
    end
  end
 end
--- a/app/views/shared/_flash.html.erb
+++ b/app/views/shared/_flash.html.erb
@@ -71,16 +71,3 @@
    </div>
  </div>
 <% end %>
 <%# Helper method for border colors %>
 <%
 def border_class_for(type)
  case type.to_s
  when 'notice' then 'border-green-200'
  when 'alert', 'error' then 'border-red-200'
  when 'warning' then 'border-yellow-200'
  when 'info' then 'border-blue-200'
  else 'border-gray-200'
  end
 end
 %>