Dan Milne
|
07cddf5823
|
Version bump
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-02 12:57:28 +11:00 |
|
Dan Milne
|
46aa983189
|
Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-02 12:56:03 +11:00 |
|
Dan Milne
|
d0d79ee1da
|
Try ignore capybara's test tripping trivy
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-02 12:52:24 +11:00 |
|
Dan Milne
|
2f6a2c7406
|
Update ruby 3.4.6 -> 3.4.7. Update gems. Add trivy scanning and ignore unfixable Debian CVEs. Ignore a test fixture key for Capybara
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-02 12:48:40 +11:00 |
|
Dan Milne
|
5137a25626
|
Add remainging rate limits. Add docker compose production example. Update beta-checklist.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-02 12:14:13 +11:00 |
|
Dan Milne
|
fed7c3cedb
|
Some beta-checklist updates
|
2026-01-02 11:53:41 +11:00 |
|
Dan Milne
|
e288fcad7c
|
Remove old docs
|
2026-01-01 21:04:26 +11:00 |
|
Dan Milne
|
c1c6e0112e
|
ADd backup / restore documentation
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 15:40:49 +11:00 |
|
Dan Milne
|
7f834fb7fa
|
Version bump
|
2026-01-01 15:27:19 +11:00 |
|
Dan Milne
|
ae99d3d9cf
|
Fix webauthn bug. Fix tests. Update docs
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 15:24:56 +11:00 |
|
Dan Milne
|
1afcd041f9
|
Update README, fix a test
|
2026-01-01 15:17:28 +11:00 |
|
Dan Milne
|
71198340d0
|
fix tests and add a Claude.md file
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 15:11:46 +11:00 |
|
Dan Milne
|
d597ca8810
|
Fix tests
|
2026-01-01 14:52:24 +11:00 |
|
Dan Milne
|
9b81aee490
|
Fix linting error
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 13:45:10 +11:00 |
|
Dan Milne
|
265518ab25
|
Move integration tests into right directory
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 13:43:13 +11:00 |
|
Dan Milne
|
adb789bbea
|
Fix StandardRB
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 13:35:37 +11:00 |
|
Dan Milne
|
93a0edb0a2
|
StandardRB fixes
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 13:29:44 +11:00 |
|
Dan Milne
|
7d3af2bcec
|
SRB fixes
|
2026-01-01 13:19:17 +11:00 |
|
Dan Milne
|
c03034c49f
|
Add files to support brakeman and standardrb. Fix some SRB warnings
|
2026-01-01 13:18:30 +11:00 |
|
Dan Milne
|
9234904e47
|
Add security-todo and beta-checklists, and some security rake tasks
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2026-01-01 13:06:54 +11:00 |
|
Dan Milne
|
e36a9a781a
|
Add new claims to the discovery endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 17:27:28 +11:00 |
|
Dan Milne
|
d036e25fef
|
Add auth_time, acr and azp support for OIDC claims
|
2025-12-31 17:07:54 +11:00 |
|
Dan Milne
|
fcdd2b6de7
|
Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.
|
2025-12-31 16:57:28 +11:00 |
|
Dan Milne
|
3939ea773f
|
We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ).
|
2025-12-31 16:45:45 +11:00 |
|
Dan Milne
|
4b4afe277e
|
Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record
|
2025-12-31 16:36:32 +11:00 |
|
Dan Milne
|
364e6e21dd
|
Fixes for tests and AR Encryption
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 16:08:05 +11:00 |
|
Dan Milne
|
9d352ab8ec
|
Fix tests - add missing files
|
2025-12-31 16:01:31 +11:00 |
|
Dan Milne
|
d1d4ac745f
|
Version bump
|
2025-12-31 15:48:52 +11:00 |
|
Dan Milne
|
3db466f5a2
|
Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 15:48:32 +11:00 |
|
Dan Milne
|
7c6ae7ab7e
|
Store only HMAC'd Auth codes, rather than plain text auth codes.
|
2025-12-31 15:00:00 +11:00 |
|
Dan Milne
|
ed7ceedef5
|
Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 14:45:38 +11:00 |
|
Dan Milne
|
40815d3576
|
Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens
|
2025-12-31 14:32:34 +11:00 |
|
Dan Milne
|
a17c08c890
|
Improve the README
|
2025-12-31 14:31:53 +11:00 |
|
Dan Milne
|
4f31fadc6c
|
Improve the README and remove incorrect claims.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 12:17:15 +11:00 |
|
Dan Milne
|
29c0981a59
|
Improve readme and tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 11:56:09 +11:00 |
|
Dan Milne
|
9d402fcd92
|
Clean up and secure web_authn controller
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 11:44:11 +11:00 |
|
Dan Milne
|
9530c8284f
|
Version bump
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-31 10:35:27 +11:00 |
|
Dan Milne
|
bb5aa2e6d6
|
Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation
|
2025-12-31 10:33:56 +11:00 |
|
Dan Milne
|
cc7beba9de
|
PKCE is now default enabled. You can now create public / no-secret apps OIDC apps
|
2025-12-31 09:22:18 +11:00 |
|
Dan Milne
|
00eca6d8b2
|
Default deny forward_auth requests
|
2025-12-30 16:04:01 +11:00 |
|
Dan Milne
|
32235f9647
|
version bump
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-30 11:58:31 +11:00 |
|
Dan Milne
|
71d59e7367
|
Remove plain text token from everywhere
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-30 11:58:11 +11:00 |
|
Dan Milne
|
99c3ac905f
|
Add a token prefix column, generate the token_prefix and the token_digest, removing the plaintext token from use.
|
2025-12-30 09:45:16 +11:00 |
|
Dan Milne
|
0761c424c1
|
Fix tests. Remove tests which test rails functionality
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-30 00:18:19 +11:00 |
|
Dan Milne
|
2a32d75895
|
Fix tests - don't test standard rails features
|
2025-12-29 19:45:01 +11:00 |
|
Dan Milne
|
4c1df53fd5
|
Fix more tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-29 19:22:08 +11:00 |
|
Dan Milne
|
acab15ce30
|
Fix more tests
|
2025-12-29 18:48:41 +11:00 |
|
Dan Milne
|
0361bfe470
|
Fix forward_auth bugs - including disabled apps still working. Fix forward_auth tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-29 15:37:12 +11:00 |
|
Dan Milne
|
5b9d15584a
|
Add more rate limiting, and more restrictive headers
|
2025-12-29 13:29:14 +11:00 |
|
Dan Milne
|
898fd69a5d
|
Add permissions initializer and missing image paste controller
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
|
2025-12-29 13:27:30 +11:00 |
|