Dan Milne
43958f50ce
Add @tailwindcss/forms plugin and improve application form UX
...
Install @tailwindcss/forms to fix missing padding on form inputs across
the app. Move the Application Type selector earlier in the new application
form (after slug, before description) so it gates type-specific fields
sooner. On the edit page, replace the confusing disabled dropdown with a
read-only badge since the type can't be changed after creation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-22 00:36:37 +11:00
Dan Milne
d8d8000b92
Add tests for forward auth cache gaps: invalidation, rate limiting, and debounce
...
- Test ApplicationGroup cache busting on add and remove
- Test first failure persists in rate limit cache (increment fallback)
- Test bearer token failures count toward rate limit
- Test rd parameter rejected for deactivated applications
- Test last_activity_at updates after debounce window expires
- Test successful requests don't reset failure counter
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-21 23:59:18 +11:00
Dan Milne
6844c5fab3
Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps
...
- Remove duplicated app_allows_user_cached?/headers_for_user_cached methods; call model methods directly
- Fix sliding-window rate limit bug by using increment instead of write (avoids TTL reset)
- Use cached app lookup in validate_redirect_url instead of hitting DB on every unauthorized request
- Add cache busting to ApplicationGroup so group assignment changes invalidate the cache
- Eager-load user groups (includes(user: :groups)) to eliminate N+1 queries
- Replace pluck(:name) with map(&:name) to use already-loaded associations
- Remove hardcoded fallback domain, dead methods, and unnecessary comments
- Fix test indentation and make group-order assertions deterministic
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-21 23:54:19 +11:00
Dan Milne
5505f99287
Add rate limiting and in-memory caching for forward auth endpoint
...
Rate limit failed attempts (50/min per IP) with 429 + Retry-After.
Cache forward auth applications in a dedicated MemoryStore (8MB LRU)
to avoid loading all apps from SQLite on every request. Debounce
last_activity_at writes to at most once per minute per session.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-07 11:15:54 +11:00
Dan Milne
1b691ad341
Bump Rails from 8.1.1 to 8.1.2
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-07 11:11:13 +11:00
Dan Milne
f65df76d99
Show user-friendly error when passkey authentication fails
...
Add error target to login page so WebAuthn errors are visible instead
of only appearing in the console. Use a helpful fallback message that
suggests a browser extension may be interfering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 23:11:43 +11:00
Dan Milne
c5898bd9a4
Add passkey option on TOTP page and auto-trigger passkey for TOTP users
...
When a user has both passkeys and TOTP configured, auto-trigger the
passkey flow on login to save them from the password→TOTP path. Also
add a "Use Passkey Instead" button on the TOTP verification page as
an escape hatch for users who end up there.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 23:09:01 +11:00
Dan Milne
9dbde8ea31
Fix README: don't claim OIDC certification, just conformance
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 22:39:10 +11:00
Dan Milne
191a7b5fb3
Update README: add API keys docs, VoidAuth, highlight conformance
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
- Document API keys / bearer tokens for forward auth
- Add VoidAuth to alternatives list
- Move OIDC conformance certification and test counts to top
- Update Ruby requirement to 4.0+, test count to 450
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 22:36:12 +11:00
Dan Milne
7a9348c1f1
Add voidauth to the list of alternatives
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-03-05 22:30:08 +11:00
Dan Milne
225d8ae5ca
Update the README
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-03-05 22:27:24 +11:00
Dan Milne
65c19fa732
Upgrade to Ruby 4.0.1, bump version to 0.9.0
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Replace CGI.parse (removed in Ruby 4.0) with Rack::Utils.parse_query
in application controller, sessions controller, and OIDC tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:52:11 +11:00
Dan Milne
fd8785a43d
Add API keys / bearer tokens for forward auth
...
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
Enables server-to-server authentication for forward auth applications
(e.g., video players accessing WebDAV) where browser cookies aren't
available. API keys use clk_ prefixed tokens stored as HMAC hashes.
Bearer token auth is checked before cookie auth in /api/verify.
Invalid tokens return 401 JSON (no redirect). Requests without
bearer tokens fall through to existing cookie flow unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-05 21:45:40 +11:00
Dan Milne
444ae6291c
Add missing files, fix formatting
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:34:11 +11:00
Dan Milne
233fb723d5
More accurate language around passing the OpenID Conformance tests
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:32:34 +11:00
Dan Milne
cc6d4fcc65
Add test files, update checklist
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 23:28:55 +11:00
Dan Milne
5268f10eb3
Don't allow claim escalation
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 16:40:11 +11:00
Dan Milne
5c5662eaab
Expose 'username' via forward auth headers
2026-01-05 15:12:24 +11:00
Dan Milne
27d77ebf47
Expose 'username' via forward auth headers
2026-01-05 15:12:02 +11:00
Dan Milne
ba08158c85
Bug fix for background jobs
2026-01-05 14:43:06 +11:00
Dan Milne
a6480b0860
Verion Bump
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-05 13:08:22 +11:00
Dan Milne
75cc223329
303 is the correct response
2026-01-05 13:05:24 +11:00
Dan Milne
46ae65f4d2
Move the 'remove_query_param' to the application controller
2026-01-05 13:03:03 +11:00
Dan Milne
95d0d844e9
Add a method to remove parameters from urls, so we can redirect without risk of infinite redirect. Fix a bunch of redirects to login afer being foced to log out. Add missing migrations
2026-01-05 13:01:32 +11:00
Dan Milne
524a7719c3
Merge branch 'main' into feature/claims
2026-01-05 12:11:53 +11:00
Dan Milne
8110d547dd
Fix bug with session deletion when logout forced and we have a redirect to follow
2026-01-05 12:11:52 +11:00
Dan Milne
25e1043312
Add skip-consent, correctly use 303, rather than 302, actually rename per app 'logout' to 'require re-auth'. Add helper methods for token lifetime - allowing 10d for 10days for example.
2026-01-05 12:03:01 +11:00
Dan Milne
074a734c0c
Accidentally added skip-consent to this branch
2026-01-05 12:01:04 +11:00
Dan Milne
4a48012a82
Add claims support
2026-01-05 12:00:29 +11:00
Dan Milne
e631f606e7
Better error messages
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-03 12:29:27 +11:00
Dan Milne
f4a697ae9b
More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers
2026-01-03 12:28:43 +11:00
Dan Milne
16e34ffaf0
Updates for oidc conformance
2026-01-03 10:11:10 +11:00
Dan Milne
0bb84f08d6
OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d
OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809
OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:41:07 +11:00
Dan Milne
dd8bd15a76
CSRF issue with API endpoint
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:29:34 +11:00
Dan Milne
f67a73821c
OpenID Conformance: user info endpoint should support get and post requets, not just get
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5
OpenID Conformance: We need to return to the redirect_uri in the case of errors.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d
Return only scopes requested, add tests ( OpenID conformance test )
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 14:55:06 +11:00
Dan Milne
b2030df8c2
Return only scopes requested ( OpenID conformance test. Update README
2026-01-02 14:05:54 +11:00
Dan Milne
07cddf5823
Version bump
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:57:28 +11:00
Dan Milne
46aa983189
Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:56:03 +11:00
Dan Milne
d0d79ee1da
Try ignore capybara's test tripping trivy
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:52:24 +11:00
Dan Milne
2f6a2c7406
Update ruby 3.4.6 -> 3.4.7. Update gems. Add trivy scanning and ignore unfixable Debian CVEs. Ignore a test fixture key for Capybara
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / scan_container (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:48:40 +11:00
Dan Milne
5137a25626
Add remainging rate limits. Add docker compose production example. Update beta-checklist.
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-02 12:14:13 +11:00
Dan Milne
fed7c3cedb
Some beta-checklist updates
2026-01-02 11:53:41 +11:00
Dan Milne
e288fcad7c
Remove old docs
2026-01-01 21:04:26 +11:00
Dan Milne
c1c6e0112e
ADd backup / restore documentation
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 15:40:49 +11:00
Dan Milne
7f834fb7fa
Version bump
2026-01-01 15:27:19 +11:00
Dan Milne
ae99d3d9cf
Fix webauthn bug. Fix tests. Update docs
CI / scan_ruby (push) Has been cancelled
CI / scan_js (push) Has been cancelled
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / system-test (push) Has been cancelled
2026-01-01 15:24:56 +11:00
