Fix webauthn bug. Fix tests. Update docs

README.md

@@ -11,6 +11,8 @@ Clinch gives you one place to manage users and lets any web app authenticate aga
 
 Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea, Grafana, Proxmox? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
 
+Clinch runs as a single Docker container, using SQLite as the database, the job queue (Solid Queue) and the shared cache (Solid Cache). The webserver, Puma, runs the job queue in-process, avoiding the need for another container.
+
 Clinch sits in a sweet spot between two excellent open-source identity solutions:
 
 **[Authelia](https://www.authelia.com)** is a fantastic choice for those who prefer external user management through LDAP and enjoy comprehensive YAML-based configuration. It's lightweight, secure, and works beautifully with reverse proxies.

app/models/webauthn_credential.rb

@@ -1,6 +1,9 @@
 class WebauthnCredential < ApplicationRecord
   belongs_to :user
 
+  # Set default authenticator_type if not provided
+  after_initialize :set_default_authenticator_type, if: :new_record?
+
   # Validations
   validates :external_id, presence: true, uniqueness: true
   validates :public_key, presence: true
@@ -77,6 +80,10 @@ class WebauthnCredential < ApplicationRecord
 
   private
 
+  def set_default_authenticator_type
+    self.authenticator_type ||= "cross-platform"
+  end
+
   def time_ago_in_words(time)
     seconds = Time.current - time
     minutes = seconds / 60

docs/beta-checklist.md

@@ -136,7 +136,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 - [ ] Document required vs. optional configuration
 - [ ] Provide sensible defaults
 - [ ] Validate production SMTP configuration
-- [ ] Ensure OIDC private key generation process is documented
+- [x] Ensure OIDC private key generation process is documented
 
 ### Database
 - [x] Migrations are idempotent
@@ -187,7 +187,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 ## Known Limitations & Risks
 
 ### Documented Risks
-- [ ] Document that ForwardAuth requires same-domain setup
+- [x] Document that ForwardAuth requires same-domain setup
 - [ ] Document HTTPS requirement for production
 - [ ] Document backup code security (single-use, store securely)
 - [ ] Document admin password security requirements

test/integration/forward_auth_advanced_test.rb

@@ -271,7 +271,7 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
       else
         # Should have no auth headers
         auth_headers = response.headers.select { |k, v| k.match?(/^(x-remote-|x-webauth-|x-admin-)/i) }
-        assert_empty auth_headers, "Should have no headers for #{app[:domain]}, got: #{auth_headers.keys.join(', ')}"
+        assert_empty auth_headers, "Should have no headers for #{app[:domain]}, got: #{auth_headers.keys.join(", ")}"
       end
     end
   end
@@ -348,5 +348,4 @@ class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
     rps = request_count / total_time
     assert rps > 10, "Requests per second #{rps} is too low"
   end
-
 end

test/integration/webauthn_security_test.rb

@@ -128,7 +128,10 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
       nickname: "Test Key"
     )
 
-    # Sign in with WebAuthn
+    # Sign in first
+    post signin_path, params: {email_address: user.email_address, password: "password123"}
+
+    # Get WebAuthn challenge
     post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
     assert_response :success
 
@@ -224,8 +227,8 @@ class WebauthnSecurityTest < ActionDispatch::IntegrationTest
     )
 
     credential.reload
-    assert_equal "192.168.1.100", credential.last_ip_address
+    assert_equal "192.168.1.100", credential.last_used_ip
-    assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.last_user_agent
+    assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.user_agent
 
     user.destroy
   end