Add Icons for apps

Add OIDC fixes, add prefered_username, add application-user claims
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
2025-11-25 19:11:22 +11:00 · 2025-11-25 16:29:40 +11:00 · 2025-11-23 11:16:06 +11:00
43 changed files with 1566 additions and 131 deletions
--- a/README.md
+++ b/README.md
@@ -76,11 +76,11 @@ Clinch sits in a sweet spot between two excellent open-source identity solutions
 - **User statuses** - Active, disabled, or pending invitation
 ### Authentication Methods
 - **WebAuthn/Passkeys** - Modern passwordless authentication using FIDO2 standards
 - **Password authentication** - Secure bcrypt-based password storage
 - **Magic login links** - Passwordless login via email (15-minute expiry)
 - **TOTP 2FA** - Optional time-based one-time passwords with QR code setup
 - **Backup codes** - 10 single-use recovery codes per user
- **Configurable 2FA enforcement** - Admins can require TOTP for specific users/groups
+- **Configurable 2FA enforcement** - Admins can require TOTP for specific users
 ### SSO Protocols
@@ -96,6 +96,7 @@ Features:
 - **Refresh tokens** - Long-lived tokens (30 days default) with automatic rotation and revocation
 - **Configurable token expiry** - Set access token (5min-24hr), refresh token (1-90 days), and ID token TTL per application
 - **Token security** - BCrypt-hashed tokens, automatic cleanup of expired tokens
 - **Pairwise subject identifiers** - Each user gets a unique, stable `sub` claim per application for enhanced privacy
 Client apps (Audiobookshelf, Kavita, Grafana, etc.) redirect to Clinch for login and receive ID tokens, access tokens, and refresh tokens.
@@ -121,10 +122,54 @@ Send emails for:
 - **Session revocation** - Users and admins can revoke individual sessions
 ### Access Control
- **Group-based allowlists** - Restrict applications to specific user groups
+
- **Per-application access** - Each app defines which groups can access it
+#### Group-Based Application Access
- **Automatic enforcement** - Access checks during OIDC authorization and ForwardAuth
+Clinch uses groups to control which users can access which applications:
- **Custom claims** - Add arbitrary claims to OIDC tokens via groups and users (perfect for app-specific roles)
+
 - **Create groups** - Organize users into logical groups (readers, editors, family, developers, etc.)
 - **Assign groups to applications** - Each app defines which groups are allowed to access it
  - Example: Kavita app allows the "readers" group → only users in the "readers" group can sign in
  - If no groups are assigned to an app → all active users can access it
 - **Automatic enforcement** - Access checks happen automatically:
  - During OIDC authorization flow (before consent)
  - During ForwardAuth verification (before proxying requests)
  - Users not in allowed groups receive a "You do not have permission" error
 #### Group Claims in Tokens
 - **OIDC tokens include group membership** - ID tokens contain a `groups` claim with all user's groups
 - **Custom claims** - Add arbitrary key-value pairs to tokens via groups and users
  - Group claims apply to all members (e.g., `{"role": "viewer"}`)
  - User claims override group claims for fine-grained control
  - Perfect for app-specific authorization (e.g., admin vs. read-only roles)
 #### Custom Claims Merging
 Custom claims from groups and users are merged into OIDC ID tokens with the following precedence:
 1. **Default OIDC claims** - Standard claims (`iss`, `sub`, `aud`, `exp`, `email`, etc.)
 2. **Standard Clinch claims** - `groups` array (list of user's group names)
 3. **Group custom claims** - Merged in order; later groups override earlier ones
 4. **User custom claims** - Override all group claims
 5. **Application-specific claims** - Highest priority; override all other claims
 **Example:**
 - Group "readers" has `{"role": "viewer", "max_items": 10}`
 - Group "premium" has `{"role": "subscriber", "max_items": 100}`
 - User (in both groups) has `{"max_items": 500}`
 - **Result:** `{"role": "subscriber", "max_items": 500}` (user overrides max_items, premium overrides role)
 #### Application-Specific Claims
 Configure different claims for different applications on a per-user basis:
 - **Per-app customization** - Each application can have unique claims for each user
 - **Highest precedence** - App-specific claims override group and user global claims
 - **Use case** - Different roles in different apps (e.g., admin in Kavita, user in Audiobookshelf)
 - **Admin UI** - Configure via Admin → Users → Edit User → App-Specific Claim Overrides
 **Example:**
 - User Alice, global claims: `{"theme": "dark"}`
 - Kavita app-specific: `{"kavita_groups": ["admin"]}`
 - Audiobookshelf app-specific: `{"abs_groups": ["user"]}`
 - **Result:** Kavita receives `{"theme": "dark", "kavita_groups": ["admin"]}`, Audiobookshelf receives `{"theme": "dark", "abs_groups": ["user"]}`
 ---
--- a/2
+++ b/2
@@ -1 +1 @@
-2025.02
+2025.03
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -18,7 +18,25 @@ module Admin
    end
    def create
-      @group = Group.new(group_params)
+      create_params = group_params
      # Parse custom_claims JSON if provided
      if create_params[:custom_claims].present?
        begin
          create_params[:custom_claims] = JSON.parse(create_params[:custom_claims])
        rescue JSON::ParserError
          @group = Group.new
          @group.errors.add(:custom_claims, "must be valid JSON")
          @available_users = User.order(:email_address)
          render :new, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        create_params[:custom_claims] = {}
      end
      @group = Group.new(create_params)
      if @group.save
        # Handle user assignments
@@ -39,7 +57,24 @@ module Admin
    end
    def update
-      if @group.update(group_params)
+      update_params = group_params
      # Parse custom_claims JSON if provided
      if update_params[:custom_claims].present?
        begin
          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
        rescue JSON::ParserError
          @group.errors.add(:custom_claims, "must be valid JSON")
          @available_users = User.order(:email_address)
          render :edit, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        update_params[:custom_claims] = {}
      end
      if @group.update(update_params)
        # Handle user assignments
        if params[:group][:user_ids].present?
          user_ids = params[:group][:user_ids].reject(&:blank?)
@@ -67,7 +102,7 @@ module Admin
    end
    def group_params
-      params.require(:group).permit(:name, :description, custom_claims: {})
+      params.require(:group).permit(:name, :description, :custom_claims)
    end
  end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,6 +1,6 @@
 module Admin
  class UsersController < BaseController
-    before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation]
+    before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation, :update_application_claims, :delete_application_claims]
    def index
      @users = User.order(created_at: :desc)
@@ -27,23 +27,34 @@ module Admin
    end
    def edit
      @applications = Application.active.order(:name)
    end
    def update
-      # Prevent changing params for the current user's email and admin status
+      update_params = user_params
      # to avoid locking themselves out
      update_params = user_params.dup
      if @user == Current.session.user
        update_params.delete(:admin)
      end
      # Only update password if provided
      update_params.delete(:password) if update_params[:password].blank?
      # Parse custom_claims JSON if provided
      if update_params[:custom_claims].present?
        begin
          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
        rescue JSON::ParserError
          @user.errors.add(:custom_claims, "must be valid JSON")
          @applications = Application.active.order(:name)
          render :edit, status: :unprocessable_entity
          return
        end
      else
        # If empty or blank, set to empty hash (NOT NULL constraint)
        update_params[:custom_claims] = {}
      end
      if @user.update(update_params)
        redirect_to admin_users_path, notice: "User updated successfully."
      else
        @applications = Application.active.order(:name)
        render :edit, status: :unprocessable_entity
      end
    end
@@ -69,6 +80,41 @@ module Admin
      redirect_to admin_users_path, notice: "User deleted successfully."
    end
    # POST /admin/users/:id/update_application_claims
    def update_application_claims
      application = Application.find(params[:application_id])
      claims_json = params[:custom_claims].presence || "{}"
      begin
        claims = JSON.parse(claims_json)
      rescue JSON::ParserError
        redirect_to edit_admin_user_path(@user), alert: "Invalid JSON format for claims."
        return
      end
      app_claim = @user.application_user_claims.find_or_initialize_by(application: application)
      app_claim.custom_claims = claims
      if app_claim.save
        redirect_to edit_admin_user_path(@user), notice: "App-specific claims updated for #{application.name}."
      else
        error_message = app_claim.errors.full_messages.join(", ")
        redirect_to edit_admin_user_path(@user), alert: "Failed to update claims: #{error_message}"
      end
    end
    # DELETE /admin/users/:id/delete_application_claims
    def delete_application_claims
      application = Application.find(params[:application_id])
      app_claim = @user.application_user_claims.find_by(application: application)
      if app_claim&.destroy
        redirect_to edit_admin_user_path(@user), notice: "App-specific claims removed for #{application.name}."
      else
        redirect_to edit_admin_user_path(@user), alert: "No claims found to remove."
      end
    end
    private
    def set_user
@@ -76,7 +122,15 @@ module Admin
    end
    def user_params
-      params.require(:user).permit(:email_address, :name, :password, :admin, :status, custom_claims: {})
+      # Base attributes that all admins can modify
      base_params = params.require(:user).permit(:email_address, :username, :name, :password, :status, :totp_required, :custom_claims)
      # Only allow modifying admin status when editing other users (prevent self-demotion)
      if params[:id] != Current.session.user.id.to_s
        base_params[:admin] = params[:user][:admin] if params[:user][:admin].present?
      end
      base_params
    end
  end
 end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -365,8 +365,17 @@ class OidcController < ApplicationController
          scope: auth_code.scope
        )
-        # Generate ID token (JWT)
+        # Find user consent for this application
-        id_token = OidcJwtService.generate_id_token(user, application, nonce: auth_code.nonce)
+        consent = OidcUserConsent.find_by(user: user, application: application)
        unless consent
          Rails.logger.error "OIDC Security: Token requested without consent record (user: #{user.id}, app: #{application.id})"
          render json: { error: "invalid_grant", error_description: "Authorization consent not found" }, status: :bad_request
          return
        end
        # Generate ID token (JWT) with pairwise SID
        id_token = OidcJwtService.generate_id_token(user, application, consent: consent, nonce: auth_code.nonce)
        # Return tokens
        render json: {
@@ -457,8 +466,17 @@ class OidcController < ApplicationController
      token_family_id: refresh_token_record.token_family_id  # Keep same family for rotation tracking
    )
-    # Generate new ID token (JWT, no nonce for refresh grants)
+    # Find user consent for this application
-    id_token = OidcJwtService.generate_id_token(user, application)
+    consent = OidcUserConsent.find_by(user: user, application: application)
    unless consent
      Rails.logger.error "OIDC Security: Refresh token used without consent record (user: #{user.id}, app: #{application.id})"
      render json: { error: "invalid_grant", error_description: "Authorization consent not found" }, status: :bad_request
      return
    end
    # Generate new ID token (JWT with pairwise SID, no nonce for refresh grants)
    id_token = OidcJwtService.generate_id_token(user, application, consent: consent)
    # Return new tokens
    render json: {
@@ -498,9 +516,13 @@ class OidcController < ApplicationController
      return
    end
    # Find user consent for this application to get pairwise SID
    consent = OidcUserConsent.find_by(user: user, application: access_token.application)
    subject = consent&.sid || user.id.to_s
    # Return user claims
    claims = {
-      sub: user.id.to_s,
+      sub: subject,
      email: user.email_address,
      email_verified: true,
      preferred_username: user.email_address,
@@ -512,9 +534,6 @@ class OidcController < ApplicationController
      claims[:groups] = user.groups.pluck(:name)
    end
    # Add admin claim if user is admin
    claims[:admin] = true if user.admin?
    # Merge custom claims from groups
    user.groups.each do |group|
      claims.merge!(group.parsed_custom_claims)
@@ -523,6 +542,10 @@ class OidcController < ApplicationController
    # Merge custom claims from user (overrides group claims)
    claims.merge!(user.parsed_custom_claims)
    # Merge app-specific custom claims (highest priority)
    application = access_token.application
    claims.merge!(application.custom_claims_for_user(user))
    render json: claims
  end
@@ -609,11 +632,19 @@ class OidcController < ApplicationController
      reset_session
    end
-    # If post_logout_redirect_uri is provided, redirect there
+    # If post_logout_redirect_uri is provided, validate and redirect
    if post_logout_redirect_uri.present?
-      redirect_uri = post_logout_redirect_uri
+      validated_uri = validate_logout_redirect_uri(post_logout_redirect_uri)
-      redirect_uri += "?state=#{state}" if state.present?
+
-      redirect_to redirect_uri, allow_other_host: true
+      if validated_uri
        redirect_uri = validated_uri
        redirect_uri += "?state=#{state}" if state.present?
        redirect_to redirect_uri, allow_other_host: true
      else
        # Invalid redirect URI - log warning and go to default
        Rails.logger.warn "OIDC Logout: Invalid post_logout_redirect_uri attempted: #{post_logout_redirect_uri}"
        redirect_to root_path
      end
    else
      # Default redirect to home page
      redirect_to root_path
@@ -685,4 +716,54 @@ class OidcController < ApplicationController
      [params[:client_id], params[:client_secret]]
    end
  end
  def validate_logout_redirect_uri(uri)
    return nil unless uri.present?
    begin
      parsed_uri = URI.parse(uri)
      # Only allow HTTP/HTTPS schemes (prevent javascript:, data:, etc.)
      return nil unless parsed_uri.is_a?(URI::HTTP) || parsed_uri.is_a?(URI::HTTPS)
      # Only allow HTTPS in production
      return nil if Rails.env.production? && parsed_uri.scheme != 'https'
      # Check if URI matches any registered OIDC application's redirect URIs
      # According to OIDC spec, post_logout_redirect_uri should be pre-registered
      Application.oidc.active.find_each do |app|
        # Check if this URI matches any of the app's registered redirect URIs
        if app.parsed_redirect_uris.any? { |registered_uri| logout_uri_matches?(uri, registered_uri) }
          return uri
        end
      end
      # No matching application found
      nil
    rescue URI::InvalidURIError
      nil
    end
  end
  # Check if logout URI matches a registered redirect URI
  # More lenient than exact match - allows same host/path with different query params
  def logout_uri_matches?(provided, registered)
    # Exact match is always valid
    return true if provided == registered
    # Parse both URIs to compare components
    begin
      provided_parsed = URI.parse(provided)
      registered_parsed = URI.parse(registered)
      # Match if scheme, host, port, and path are the same
      # (allows different query params which is common for logout redirects)
      provided_parsed.scheme == registered_parsed.scheme &&
        provided_parsed.host == registered_parsed.host &&
        provided_parsed.port == registered_parsed.port &&
        provided_parsed.path == registered_parsed.path
    rescue URI::InvalidURIError
      false
    end
  end
 end
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -11,7 +11,7 @@ class PasswordsController < ApplicationController
      PasswordsMailer.reset(user).deliver_later
    end
-    redirect_to new_session_path, notice: "Password reset instructions sent (if user with that email address exists)."
+    redirect_to signin_path, notice: "Password reset instructions sent (if user with that email address exists)."
  end
  def edit
@@ -20,7 +20,7 @@ class PasswordsController < ApplicationController
  def update
    if @user.update(params.permit(:password, :password_confirmation))
      @user.sessions.destroy_all
-      redirect_to new_session_path, notice: "Password has been reset."
+      redirect_to signin_path, notice: "Password has been reset."
    else
      redirect_to edit_password_path(params[:token]), alert: "Passwords did not match."
    end
@@ -29,6 +29,7 @@ class PasswordsController < ApplicationController
  private
    def set_user_by_token
      @user = User.find_by_token_for(:password_reset, params[:token])
      redirect_to new_password_path, alert: "Password reset link is invalid or has expired." if @user.nil?
    rescue ActiveSupport::MessageVerifier::InvalidSignature
      redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
    end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -6,7 +6,18 @@ class SessionsController < ApplicationController
  def new
    # Redirect to signup if this is first run
-    redirect_to signup_path if User.count.zero?
+    if User.count.zero?
      respond_to do |format|
        format.html { redirect_to signup_path }
        format.json { render json: { error: "No users exist. Please complete initial setup." }, status: :service_unavailable }
      end
      return
    end
    respond_to do |format|
      format.html # render HTML login page
      format.json { render json: { error: "Authentication required" }, status: :unauthorized }
    end
  end
  def create
@@ -33,8 +44,22 @@ class SessionsController < ApplicationController
      return
    end
-    # Check if TOTP is required
+    # Check if TOTP is required or enabled
-    if user.totp_enabled?
+    if user.totp_required? || user.totp_enabled?
      # If TOTP is required but not yet set up, redirect to setup
      if user.totp_required? && !user.totp_enabled?
        # Store user ID in session for TOTP setup
        session[:pending_totp_setup_user_id] = user.id
        # Preserve the redirect URL through TOTP setup
        if params[:rd].present?
          validated_url = validate_redirect_url(params[:rd])
          session[:totp_redirect_url] = validated_url if validated_url
        end
        redirect_to new_totp_path, alert: "Your administrator requires two-factor authentication. Please set it up now to continue."
        return
      end
      # TOTP is enabled, proceed to verification
      # Store user ID in session temporarily for TOTP verification
      session[:pending_totp_user_id] = user.id
      # Preserve the redirect URL through TOTP verification (after validation)
@@ -275,12 +300,12 @@ class SessionsController < ApplicationController
      redirect_domain = uri.host.downcase
      return nil unless redirect_domain.present?
-      # Check against our ForwardAuthRules
+      # Check against our forward auth applications
-      matching_rule = ForwardAuthRule.active.find do |rule|
+      matching_app = Application.forward_auth.active.find do |app|
-        rule.matches_domain?(redirect_domain)
+        app.matches_domain?(redirect_domain)
      end
-      matching_rule ? url : nil
+      matching_app ? url : nil
    rescue URI::InvalidURIError
      nil
--- a/app/controllers/totp_controller.rb
+++ b/app/controllers/totp_controller.rb
@@ -5,6 +5,9 @@ class TotpController < ApplicationController
  # GET /totp/new - Show QR code to set up TOTP
  def new
    # Check if user is being forced to set up TOTP by admin
    @totp_setup_required = session[:pending_totp_setup_user_id].present?
    # Generate TOTP secret but don't save yet
    @totp_secret = ROTP::Base32.random
    @provisioning_uri = ROTP::TOTP.new(@totp_secret, issuer: "Clinch").provisioning_uri(@user.email_address)
@@ -30,8 +33,16 @@ class TotpController < ApplicationController
      # Store plain codes temporarily in session for display after redirect
      session[:temp_backup_codes] = plain_codes
-      # Redirect to backup codes page with success message
+      # Check if this was a required setup from login
-      redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes now."
+      if session[:pending_totp_setup_user_id].present?
        session.delete(:pending_totp_setup_user_id)
        # Mark that user should be auto-signed in after viewing backup codes
        session[:auto_signin_after_forced_totp] = true
        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes, then you'll be signed in."
      else
        # Regular setup from profile
        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes now."
      end
    else
      redirect_to new_totp_path, alert: "Invalid verification code. Please try again."
    end
@@ -43,6 +54,12 @@ class TotpController < ApplicationController
    if session[:temp_backup_codes].present?
      @backup_codes = session[:temp_backup_codes]
      session.delete(:temp_backup_codes) # Clear after use
      # Check if this was a forced TOTP setup during login
      @auto_signin_pending = session[:auto_signin_after_forced_totp].present?
      if @auto_signin_pending
        session.delete(:auto_signin_after_forced_totp)
      end
    else
      # This will be shown after password verification for existing users
      # Since we can't display BCrypt hashes, redirect to regenerate
@@ -81,6 +98,18 @@ class TotpController < ApplicationController
    redirect_to backup_codes_totp_path, notice: "New backup codes have been generated. Save them now!"
  end
  # POST /totp/complete_setup - Complete forced TOTP setup and sign in
  def complete_setup
    # Sign in the user after they've saved their backup codes
    # This is only used when admin requires TOTP and user just set it up during login
    if session[:totp_redirect_url].present?
      session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
    end
    start_new_session_for @user
    redirect_to after_authentication_url, notice: "Two-factor authentication enabled. Signed in successfully.", allow_other_host: true
  end
  # DELETE /totp - Disable TOTP (requires password)
  def destroy
    unless @user.authenticate(params[:password])
@@ -88,6 +117,12 @@ class TotpController < ApplicationController
      return
    end
    # Prevent disabling if admin requires TOTP
    if @user.totp_required?
      redirect_to profile_path, alert: "Two-factor authentication is required by your administrator and cannot be disabled."
      return
    end
    @user.disable_totp!
    redirect_to profile_path, notice: "Two-factor authentication has been disabled."
  end
@@ -99,7 +134,8 @@ class TotpController < ApplicationController
  end
  def redirect_if_totp_enabled
-    if @user.totp_enabled?
+    # Allow setup if admin requires it, even if already enabled (for regeneration)
    if @user.totp_enabled? && !session[:pending_totp_setup_user_id].present?
      redirect_to profile_path, alert: "Two-factor authentication is already enabled."
    end
  end
--- a/app/helpers/claims_helper.rb
+++ b/app/helpers/claims_helper.rb
@@ -0,0 +1,69 @@
 module ClaimsHelper
  include ClaimsMerger
  # Preview final merged claims for a user accessing an application
  def preview_user_claims(user, application)
    claims = {
      # Standard OIDC claims
      email: user.email_address,
      email_verified: true,
      preferred_username: user.username.presence || user.email_address,
      name: user.name.presence || user.email_address
    }
    # Add groups
    if user.groups.any?
      claims[:groups] = user.groups.pluck(:name)
    end
    # Merge group custom claims (arrays are combined, not overwritten)
    user.groups.each do |group|
      claims = deep_merge_claims(claims, group.parsed_custom_claims)
    end
    # Merge user custom claims (arrays are combined, other values override)
    claims = deep_merge_claims(claims, user.parsed_custom_claims)
    # Merge app-specific claims (arrays are combined)
    claims = deep_merge_claims(claims, application.custom_claims_for_user(user))
    claims
  end
  # Get claim sources breakdown for display
  def claim_sources(user, application)
    sources = []
    # Group claims
    user.groups.each do |group|
      if group.parsed_custom_claims.any?
        sources << {
          type: :group,
          name: group.name,
          claims: group.parsed_custom_claims
        }
      end
    end
    # User claims
    if user.parsed_custom_claims.any?
      sources << {
        type: :user,
        name: "User Override",
        claims: user.parsed_custom_claims
      }
    end
    # App-specific claims
    app_claims = application.custom_claims_for_user(user)
    if app_claims.any?
      sources << {
        type: :application,
        name: "App-Specific (#{application.name})",
        claims: app_claims
      }
    end
    sources
  end
 end
--- a/app/javascript/controllers/file_drop_controller.js
+++ b/app/javascript/controllers/file_drop_controller.js
@@ -0,0 +1,96 @@
 import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
  static targets = ["input", "dropzone", "preview", "previewImage", "filename", "filesize"]
  connect() {
    // Prevent default drag behaviors on the whole document
    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
      document.body.addEventListener(eventName, this.preventDefaults, false)
    })
  }
  disconnect() {
    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
      document.body.removeEventListener(eventName, this.preventDefaults, false)
    })
  }
  preventDefaults(e) {
    e.preventDefault()
    e.stopPropagation()
  }
  dragover(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.add("border-blue-500", "bg-blue-50")
  }
  dragleave(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
  }
  drop(e) {
    e.preventDefault()
    e.stopPropagation()
    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
    const files = e.dataTransfer.files
    if (files.length > 0) {
      // Set the file to the input element
      this.inputTarget.files = files
      this.handleFiles()
    }
  }
  handleFiles() {
    const file = this.inputTarget.files[0]
    if (!file) return
    // Validate file type
    const validTypes = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
    if (!validTypes.includes(file.type)) {
      alert("Please upload a PNG, JPG, GIF, or SVG image")
      this.clear()
      return
    }
    // Validate file size (2MB)
    if (file.size > 2 * 1024 * 1024) {
      alert("File size must be less than 2MB")
      this.clear()
      return
    }
    // Show preview
    this.filenameTarget.textContent = file.name
    this.filesizeTarget.textContent = this.formatFileSize(file.size)
    // Create preview image
    const reader = new FileReader()
    reader.onload = (e) => {
      this.previewImageTarget.src = e.target.result
      this.previewTarget.classList.remove("hidden")
    }
    reader.readAsDataURL(file)
  }
  clear(e) {
    if (e) {
      e.preventDefault()
    }
    this.inputTarget.value = ""
    this.previewTarget.classList.add("hidden")
  }
  formatFileSize(bytes) {
    if (bytes === 0) return "0 Bytes"
    const k = 1024
    const sizes = ["Bytes", "KB", "MB"]
    const i = Math.floor(Math.log(bytes) / Math.log(k))
    return Math.round(bytes / Math.pow(k, i) * 100) / 100 + " " + sizes[i]
  }
 }
--- a/app/models/application.rb
+++ b/app/models/application.rb
@@ -3,6 +3,7 @@ class Application < ApplicationRecord
  has_many :application_groups, dependent: :destroy
  has_many :allowed_groups, through: :application_groups, source: :group
  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_authorization_codes, dependent: :destroy
  has_many :oidc_access_tokens, dependent: :destroy
  has_many :oidc_refresh_tokens, dependent: :destroy
@@ -186,6 +187,12 @@ class Application < ApplicationRecord
    duration_to_human(id_token_ttl || 3600)
  end
  # Get app-specific custom claims for a user
  def custom_claims_for_user(user)
    app_claim = application_user_claims.find_by(user: user)
    app_claim&.parsed_custom_claims || {}
  end
  private
  def duration_to_human(seconds)
--- a/app/models/application_user_claim.rb
+++ b/app/models/application_user_claim.rb
@@ -0,0 +1,31 @@
 class ApplicationUserClaim < ApplicationRecord
  belongs_to :application
  belongs_to :user
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :user_id, uniqueness: { scope: :application_id }
  validate :no_reserved_claim_names
  # Parse custom_claims JSON field
  def parsed_custom_claims
    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
 end
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -4,11 +4,31 @@ class Group < ApplicationRecord
  has_many :application_groups, dependent: :destroy
  has_many :applications, through: :application_groups
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :name, presence: true, uniqueness: { case_sensitive: false }
  normalizes :name, with: ->(name) { name.strip.downcase }
  validate :no_reserved_claim_names
  # Parse custom_claims JSON field
  def parsed_custom_claims
-    custom_claims || {}
+    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
 end
--- a/app/models/oidc_user_consent.rb
+++ b/app/models/oidc_user_consent.rb
@@ -6,6 +6,7 @@ class OidcUserConsent < ApplicationRecord
  validates :user_id, uniqueness: { scope: :application_id }
  before_validation :set_granted_at, on: :create
  before_validation :set_sid, on: :create
  # Parse scopes_granted into an array
  def scopes
@@ -44,9 +45,18 @@ class OidcUserConsent < ApplicationRecord
    end.join(', ')
  end
  # Find consent by SID
  def self.find_by_sid(sid)
    find_by(sid: sid)
  end
  private
  def set_granted_at
    self.granted_at ||= Time.current
  end
  def set_sid
    self.sid ||= SecureRandom.uuid
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,6 +3,7 @@ class User < ApplicationRecord
  has_many :sessions, dependent: :destroy
  has_many :user_groups, dependent: :destroy
  has_many :groups, through: :user_groups
  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_user_consents, dependent: :destroy
  has_many :webauthn_credentials, dependent: :destroy
@@ -20,10 +21,22 @@ class User < ApplicationRecord
  end
  normalizes :email_address, with: ->(e) { e.strip.downcase }
  normalizes :username, with: ->(u) { u.strip.downcase if u.present? }
  # Reserved OIDC claim names that should not be overridden
  RESERVED_CLAIMS = %w[
    iss sub aud exp iat nbf jti nonce azp
    email email_verified preferred_username name
    groups
  ].freeze
  validates :email_address, presence: true, uniqueness: { case_sensitive: false },
                           format: { with: URI::MailTo::EMAIL_REGEXP }
  validates :username, uniqueness: { case_sensitive: false }, allow_nil: true,
                      format: { with: /\A[a-zA-Z0-9_-]+\z/, message: "can only contain letters, numbers, underscores, and hyphens" },
                      length: { minimum: 2, maximum: 30 }
  validates :password, length: { minimum: 8 }, allow_nil: true
  validate :no_reserved_claim_names
  # Enum - automatically creates scopes (User.active, User.disabled, etc.)
  enum :status, { active: 0, disabled: 1, pending_invitation: 2 }
@@ -44,7 +57,9 @@ class User < ApplicationRecord
  end
  def disable_totp!
-    update!(totp_secret: nil, totp_required: false, backup_codes: nil)
+    # Note: This does NOT clear totp_required flag
    # Admins control that flag via admin panel, users cannot remove admin-required 2FA
    update!(totp_secret: nil, backup_codes: nil)
  end
  def totp_provisioning_uri(issuer: "Clinch")
@@ -180,11 +195,39 @@ class User < ApplicationRecord
  # Parse custom_claims JSON field
  def parsed_custom_claims
-    custom_claims || {}
+    return {} if custom_claims.blank?
    custom_claims.is_a?(Hash) ? custom_claims : {}
  end
  # Get fully merged claims for a specific application
  def merged_claims_for_application(application)
    merged = {}
    # Start with group claims (in order)
    groups.each do |group|
      merged.merge!(group.parsed_custom_claims)
    end
    # Merge user global claims
    merged.merge!(parsed_custom_claims)
    # Merge app-specific claims (highest priority)
    merged.merge!(application.custom_claims_for_user(self))
    merged
  end
  private
  def no_reserved_claim_names
    return if custom_claims.blank?
    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
    if reserved_used.any?
      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
    end
  end
  def generate_backup_codes
    # Generate plain codes for user to see/save
    plain_codes = Array.new(10) { SecureRandom.alphanumeric(8).upcase }
--- a/app/services/concerns/claims_merger.rb
+++ b/app/services/concerns/claims_merger.rb
@@ -0,0 +1,35 @@
 module ClaimsMerger
  extend ActiveSupport::Concern
  # Deep merge claims, combining arrays instead of overwriting them
  # This ensures that array values (like roles) are combined across group/user/app claims
  #
  # Example:
  #   base = { "roles" => ["user"], "level" => 1 }
  #   incoming = { "roles" => ["admin"], "department" => "IT" }
  #   deep_merge_claims(base, incoming)
  #   # => { "roles" => ["user", "admin"], "level" => 1, "department" => "IT" }
  def deep_merge_claims(base, incoming)
    result = base.dup
    incoming.each do |key, value|
      if result.key?(key)
        # If both values are arrays, combine them (union to avoid duplicates)
        if result[key].is_a?(Array) && value.is_a?(Array)
          result[key] = (result[key] + value).uniq
        # If both values are hashes, recursively merge them
        elsif result[key].is_a?(Hash) && value.is_a?(Hash)
          result[key] = deep_merge_claims(result[key], value)
        else
          # Otherwise, incoming value wins (override)
          result[key] = value
        end
      else
        # New key, just add it
        result[key] = value
      end
    end
    result
  end
 end
--- a/app/services/oidc_jwt_service.rb
+++ b/app/services/oidc_jwt_service.rb
@@ -1,20 +1,25 @@
 class OidcJwtService
  extend ClaimsMerger
  class << self
    # Generate an ID token (JWT) for the user
-    def generate_id_token(user, application, nonce: nil)
+    def generate_id_token(user, application, consent: nil, nonce: nil)
      now = Time.current.to_i
      # Use application's configured ID token TTL (defaults to 1 hour)
      ttl = application.id_token_expiry_seconds
      # Use pairwise SID from consent if available, fallback to user ID
      subject = consent&.sid || user.id.to_s
      payload = {
        iss: issuer_url,
-        sub: user.id.to_s,
+        sub: subject,
        aud: application.client_id,
        exp: now + ttl,
        iat: now,
        email: user.email_address,
        email_verified: true,
-        preferred_username: user.email_address,
+        preferred_username: user.username.presence || user.email_address,
        name: user.name.presence || user.email_address
      }
@@ -26,16 +31,16 @@ class OidcJwtService
        payload[:groups] = user.groups.pluck(:name)
      end
-      # Add admin claim if user is admin
+      # Merge custom claims from groups (arrays are combined, not overwritten)
      payload[:admin] = true if user.admin?
      # Merge custom claims from groups
      user.groups.each do |group|
-        payload.merge!(group.parsed_custom_claims)
+        payload = deep_merge_claims(payload, group.parsed_custom_claims)
      end
-      # Merge custom claims from user (overrides group claims)
+      # Merge custom claims from user (arrays are combined, other values override)
-      payload.merge!(user.parsed_custom_claims)
+      payload = deep_merge_claims(payload, user.parsed_custom_claims)
      # Merge app-specific custom claims (highest priority, arrays are combined)
      payload = deep_merge_claims(payload, application.custom_claims_for_user(user))
      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
    end
@@ -66,8 +71,13 @@ class OidcJwtService
      # In production, this should come from ENV or config
      # For now, we'll use a placeholder that can be overridden
      host = ENV.fetch("CLINCH_HOST", "localhost:3000")
-        # Ensure URL has https:// protocol
+      # Ensure URL has protocol - use https:// in production, http:// in development
-        host.match?(/^https?:\/\//) ? host : "https://#{host}"
+      if host.match?(/^https?:\/\//)
        host
      else
        protocol = Rails.env.production? ? "https" : "http"
        "#{protocol}://#{host}"
      end
    end
    private
@@ -75,17 +85,37 @@ class OidcJwtService
    # Get or generate RSA private key
    def private_key
      @private_key ||= begin
        key_source = nil
        # Try ENV variable first (best for Docker/Kamal)
        if ENV["OIDC_PRIVATE_KEY"].present?
-          OpenSSL::PKey::RSA.new(ENV["OIDC_PRIVATE_KEY"])
+          key_source = ENV["OIDC_PRIVATE_KEY"]
        # Then try Rails credentials
        elsif Rails.application.credentials.oidc_private_key.present?
-          OpenSSL::PKey::RSA.new(Rails.application.credentials.oidc_private_key)
+          key_source = Rails.application.credentials.oidc_private_key
        end
        if key_source.present?
          begin
            # Handle both actual newlines and escaped \n sequences
            # Some .env loaders may escape newlines, so we need to convert them back
            key_data = key_source.gsub("\\n", "\n")
            OpenSSL::PKey::RSA.new(key_data)
          rescue OpenSSL::PKey::RSAError => e
            Rails.logger.error "OIDC: Failed to load private key: #{e.message}"
            Rails.logger.error "OIDC: Key source length: #{key_source.length}, starts with: #{key_source[0..50]}"
            raise "Invalid OIDC private key format. Please ensure the key is in PEM format with proper newlines."
          end
        else
-          # Generate a new key for development
+          # In production, we should never generate a key on the fly
-          # In production, you MUST set OIDC_PRIVATE_KEY env var or add to credentials
+          # because it would be different across servers/deployments
          if Rails.env.production?
            raise "OIDC private key not configured. Set OIDC_PRIVATE_KEY environment variable or add to Rails credentials."
          end
          # Generate a new key for development/test only
          Rails.logger.warn "OIDC: No private key found in ENV or credentials, generating new key (development only)"
-          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable in production!"
+          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable for consistency across restarts"
          OpenSSL::PKey::RSA.new(2048)
        end
      end
--- a/app/views/admin/users/_application_claims.html.erb
+++ b/app/views/admin/users/_application_claims.html.erb
@@ -0,0 +1,185 @@
 <% oidc_apps = applications.select(&:oidc?) %>
 <% forward_auth_apps = applications.select(&:forward_auth?) %>
 <!-- OIDC Apps: Custom Claims -->
 <% if oidc_apps.any? %>
  <div class="mt-12 border-t pt-8">
    <h2 class="text-xl font-semibold text-gray-900 mb-4">OIDC App-Specific Claims</h2>
    <p class="text-sm text-gray-600 mb-6">
      Configure custom claims that apply only to specific OIDC applications. These override both group and user global claims and are included in ID tokens.
    </p>
    <div class="space-y-6">
      <% oidc_apps.each do |app| %>
        <% app_claim = user.application_user_claims.find_by(application: app) %>
        <details class="border rounded-lg" <%= "open" if app_claim&.custom_claims&.any? %>>
          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
            <div class="flex items-center gap-3">
              <span class="font-medium text-gray-900"><%= app.name %></span>
              <span class="text-xs px-2 py-1 rounded-full bg-blue-100 text-blue-700">
                OIDC
              </span>
              <% if app_claim&.custom_claims&.any? %>
                <span class="text-xs px-2 py-1 rounded-full bg-amber-100 text-amber-700">
                  <%= app_claim.custom_claims.keys.count %> claim(s)
                </span>
              <% end %>
            </div>
            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
            </svg>
          </summary>
          <div class="p-4 space-y-4">
            <%= form_with url: update_application_claims_admin_user_path(user), method: :post, class: "space-y-4", data: { controller: "json-validator" } do |form| %>
              <%= hidden_field_tag :application_id, app.id %>
              <div>
                <label class="block text-sm font-medium text-gray-700 mb-2">Custom Claims (JSON)</label>
                <%= text_area_tag :custom_claims,
                    (app_claim&.custom_claims.present? ? JSON.pretty_generate(app_claim.custom_claims) : ""),
                    rows: 8,
                    class: "w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
                    placeholder: '{"kavita_groups": ["admin"], "library_access": "all"}',
                    data: {
                      action: "input->json-validator#validate blur->json-validator#format",
                      json_validator_target: "textarea"
                    } %>
                <div class="mt-2 space-y-1">
                  <p class="text-xs text-gray-600">
                    Example for <%= app.name %>: Add claims that this app specifically needs to read.
                  </p>
                  <p class="text-xs text-amber-600">
                    <strong>Note:</strong> Do not use reserved claim names (<code class="bg-amber-50 px-1 rounded">groups</code>, <code class="bg-amber-50 px-1 rounded">email</code>, <code class="bg-amber-50 px-1 rounded">name</code>, etc.). Use app-specific names like <code class="bg-amber-50 px-1 rounded">kavita_groups</code> instead.
                  </p>
                  <div data-json-validator-target="status" class="text-xs font-medium"></div>
                </div>
              </div>
              <div class="flex gap-3">
                <%= button_tag type: :submit, class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500" do %>
                  <%= app_claim ? "Update" : "Add" %> Claims
                <% end %>
                <% if app_claim %>
                  <%= button_to "Remove Override",
                      delete_application_claims_admin_user_path(user, application_id: app.id),
                      method: :delete,
                      data: { turbo_confirm: "Remove app-specific claims for #{app.name}?" },
                      class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
                <% end %>
              </div>
            <% end %>
            <!-- Preview merged claims -->
            <div class="mt-4 border-t pt-4">
              <h4 class="text-sm font-medium text-gray-700 mb-2">Preview: Final ID Token Claims for <%= app.name %></h4>
              <div class="bg-gray-50 rounded-lg p-3">
                <pre class="text-xs font-mono text-gray-800 overflow-x-auto"><%= JSON.pretty_generate(preview_user_claims(user, app)) %></pre>
              </div>
              <details class="mt-2">
                <summary class="cursor-pointer text-xs text-gray-600 hover:text-gray-900">Show claim sources</summary>
                <div class="mt-2 space-y-1">
                  <% claim_sources(user, app).each do |source| %>
                    <div class="flex gap-2 items-start text-xs">
                      <span class="px-2 py-1 rounded <%= source[:type] == :group ? 'bg-blue-100 text-blue-700' : (source[:type] == :user ? 'bg-green-100 text-green-700' : 'bg-amber-100 text-amber-700') %>">
                        <%= source[:name] %>
                      </span>
                      <code class="text-gray-700"><%= source[:claims].to_json %></code>
                    </div>
                  <% end %>
                </div>
              </details>
            </div>
          </div>
        </details>
      <% end %>
    </div>
  </div>
 <% end %>
 <!-- ForwardAuth Apps: Headers Preview -->
 <% if forward_auth_apps.any? %>
  <div class="mt-12 border-t pt-8">
    <h2 class="text-xl font-semibold text-gray-900 mb-4">ForwardAuth Headers Preview</h2>
    <p class="text-sm text-gray-600 mb-6">
      ForwardAuth applications receive HTTP headers (not OIDC tokens). Headers are based on user's email, name, groups, and admin status.
    </p>
    <div class="space-y-6">
      <% forward_auth_apps.each do |app| %>
        <details class="border rounded-lg">
          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
            <div class="flex items-center gap-3">
              <span class="font-medium text-gray-900"><%= app.name %></span>
              <span class="text-xs px-2 py-1 rounded-full bg-green-100 text-green-700">
                FORWARD AUTH
              </span>
              <span class="text-xs text-gray-500">
                <%= app.domain_pattern %>
              </span>
            </div>
            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
            </svg>
          </summary>
          <div class="p-4 space-y-4">
            <div class="bg-blue-50 border border-blue-200 rounded-lg p-3">
              <div class="flex items-start">
                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0 mt-0.5" fill="currentColor" viewBox="0 0 20 20">
                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
                </svg>
              </div>
            </div>
            <div>
              <h4 class="text-sm font-medium text-gray-700 mb-2">Headers Sent to <%= app.name %></h4>
              <div class="bg-gray-50 rounded-lg p-3 border">
                <% headers = app.headers_for_user(user) %>
                <% if headers.any? %>
                  <dl class="space-y-2 text-xs font-mono">
                    <% headers.each do |header_name, value| %>
                      <div class="flex">
                        <dt class="text-blue-600 font-semibold w-48"><%= header_name %>:</dt>
                        <dd class="text-gray-800 flex-1"><%= value %></dd>
                      </div>
                    <% end %>
                  </dl>
                <% else %>
                  <p class="text-xs text-gray-500 italic">All headers disabled for this application.</p>
                <% end %>
              </div>
              <p class="mt-2 text-xs text-gray-500">
                These headers are configured in the application settings and sent by your reverse proxy (Caddy/Traefik) to the upstream application.
              </p>
            </div>
            <% if user.groups.any? %>
              <div>
                <h4 class="text-sm font-medium text-gray-700 mb-2">User's Groups</h4>
                <div class="flex flex-wrap gap-2">
                  <% user.groups.each do |group| %>
                    <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-blue-100 text-blue-800">
                      <%= group.name %>
                    </span>
                  <% end %>
                </div>
              </div>
            <% end %>
          </div>
        </details>
      <% end %>
    </div>
  </div>
 <% end %>
 <% if oidc_apps.empty? && forward_auth_apps.empty? %>
  <div class="mt-12 border-t pt-8">
    <div class="text-center py-12 bg-gray-50 rounded-lg">
      <p class="text-gray-500">No active applications found.</p>
      <p class="text-sm text-gray-400 mt-1">Create applications in the Admin panel first.</p>
    </div>
  </div>
 <% end %>
--- a/app/views/admin/users/_form.html.erb
+++ b/app/views/admin/users/_form.html.erb
@@ -6,10 +6,16 @@
    <%= form.email_field :email_address, required: true, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "user@example.com" %>
  </div>
  <div>
    <%= form.label :username, "Username (Optional)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_field :username, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "jsmith" %>
    <p class="mt-1 text-sm text-gray-500">Optional: Short username/handle for login. Can only contain letters, numbers, underscores, and hyphens.</p>
  </div>
  <div>
    <%= form.label :name, "Display Name (Optional)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_field :name, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "John Smith" %>
-    <p class="mt-1 text-sm text-gray-500">Optional: Name shown in applications. Defaults to email address if not set.</p>
+    <p class="mt-1 text-sm text-gray-500">Optional: Full name shown in applications. Defaults to email address if not set.</p>
  </div>
  <div>
@@ -35,6 +41,25 @@
    <% end %>
  </div>
  <div>
    <div class="flex items-center">
      <%= form.check_box :totp_required, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
      <%= form.label :totp_required, "Require Two-Factor Authentication", class: "ml-2 block text-sm text-gray-900" %>
      <% if user.totp_required? && !user.totp_enabled? %>
        <span class="ml-2 text-xs text-amber-600">(User has not set up 2FA yet)</span>
      <% end %>
    </div>
    <% if user.totp_required? && !user.totp_enabled? %>
      <p class="mt-1 text-sm text-amber-600">
        <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
          <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
        </svg>
        Warning: This user will be prompted to set up 2FA on their next login.
      </p>
    <% end %>
    <p class="mt-1 text-sm text-gray-500">When enabled, this user must use two-factor authentication to sign in.</p>
  </div>
  <div data-controller="json-validator" data-json-validator-valid-class="border-green-500 focus:border-green-500 focus:ring-green-500" data-json-validator-invalid-class="border-red-500 focus:border-red-500 focus:ring-red-500" data-json-validator-valid-status-class="text-green-600" data-json-validator-invalid-status-class="text-red-600">
    <%= form.label :custom_claims, "Custom Claims (JSON)", class: "block text-sm font-medium text-gray-700" %>
    <%= form.text_area :custom_claims, value: (user.custom_claims.present? ? JSON.pretty_generate(user.custom_claims) : ""), rows: 8,
--- a/app/views/admin/users/edit.html.erb
+++ b/app/views/admin/users/edit.html.erb
@@ -1,5 +1,12 @@
-<div class="max-w-2xl">
+<div class="max-w-4xl">
  <h1 class="text-2xl font-semibold text-gray-900 mb-6">Edit User</h1>
  <p class="text-sm text-gray-600 mb-6">Editing: <%= @user.email_address %></p>
-  <%= render "form", user: @user %>
+
  <div class="max-w-2xl">
    <%= render "form", user: @user %>
  </div>
  <% if @user.persisted? %>
    <%= render "application_claims", user: @user, applications: @applications %>
  <% end %>
 </div>
--- a/app/views/admin/users/index.html.erb
+++ b/app/views/admin/users/index.html.erb
@@ -85,15 +85,20 @@
                <% end %>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
-                <% if user.totp_enabled? %>
+                <div class="flex items-center gap-2">
-                  <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <% if user.totp_enabled? %>
-                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
+                    <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Enabled">
-                  </svg>
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
-                <% else %>
+                    </svg>
-                  <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <% else %>
-                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
+                    <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Not Enabled">
-                  </svg>
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
-                <% end %>
+                    </svg>
                  <% end %>
                  <% if user.totp_required? %>
                    <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700" title="2FA Required by Admin">Required</span>
                  <% end %>
                </div>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <%= user.groups.count %>
--- a/app/views/profiles/show.html.erb
+++ b/app/views/profiles/show.html.erb
@@ -98,23 +98,52 @@
                <p class="text-sm font-medium text-green-800">
                  Two-factor authentication is enabled
                </p>
                <% if @user.totp_required? %>
                  <p class="mt-1 text-sm text-green-700">
                    <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
                      <path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd" />
                    </svg>
                    Required by administrator
                  </p>
                <% end %>
              </div>
            </div>
          </div>
-          <div class="mt-4 flex gap-3">
+          <% if @user.totp_required? %>
-            <button type="button"
+            <div class="mt-4 rounded-md bg-blue-50 p-4">
-                    data-action="click->modal#show"
+              <div class="flex">
-                    data-modal-id="disable-2fa-modal"
+                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0" viewBox="0 0 20 20" fill="currentColor">
-                    class="inline-flex items-center rounded-md border border-red-300 bg-white px-4 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2">
+                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
-              Disable 2FA
+                </svg>
-            </button>
+                <p class="text-sm text-blue-800">
-            <button type="button"
+                  Your administrator requires two-factor authentication. You cannot disable it.
-                    data-action="click->modal#show"
+                </p>
-                    data-modal-id="view-backup-codes-modal"
+              </div>
-                    class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+            </div>
-              View Backup Codes
+            <div class="mt-4 flex gap-3">
-            </button>
+              <button type="button"
-          </div>
+                      data-action="click->modal#show"
                      data-modal-id="view-backup-codes-modal"
                      class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
                View Backup Codes
              </button>
            </div>
          <% else %>
            <div class="mt-4 flex gap-3">
              <button type="button"
                      data-action="click->modal#show"
                      data-modal-id="disable-2fa-modal"
                      class="inline-flex items-center rounded-md border border-red-300 bg-white px-4 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2">
                Disable 2FA
              </button>
              <button type="button"
                      data-action="click->modal#show"
                      data-modal-id="view-backup-codes-modal"
                      class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
                View Backup Codes
              </button>
            </div>
          <% end %>
        <% else %>
          <%= link_to new_totp_path, class: "inline-flex items-center rounded-md border border-transparent bg-blue-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" do %>
            Enable 2FA
--- a/app/views/totp/backup_codes.html.erb
+++ b/app/views/totp/backup_codes.html.erb
@@ -45,8 +45,13 @@
      </div>
      <div class="mt-8">
-        <%= link_to "Done", profile_path,
+        <% if @auto_signin_pending %>
-            class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+          <%= button_to "Continue to Sign In", complete_totp_setup_path, method: :post,
              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
        <% else %>
          <%= link_to "Done", profile_path,
              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
        <% end %>
      </div>
    </div>
  </div>
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@@ -0,0 +1,14 @@
 # Configure ActiveStorage content type resolution
 Rails.application.config.after_initialize do
  # Ensure SVG files are served with the correct content type
  ActiveStorage::Blob.class_eval do
    def content_type_for_serving
      # Override content type for SVG files
      if filename.extension == "svg" && content_type == "application/octet-stream"
        "image/svg+xml"
      else
        content_type
      end
    end
  end
 end
--- a/config/recurring.yml
+++ b/config/recurring.yml
@@ -0,0 +1,17 @@
 # Solid Queue Recurring Jobs Configuration
 # This file defines scheduled/cron-like jobs that run periodically
 production:
  oidc_token_cleanup:
    class: OidcTokenCleanupJob
    schedule: "0 3 * * *"  # Run daily at 3:00 AM
    queue: default
 development:
  oidc_token_cleanup:
    class: OidcTokenCleanupJob
    schedule: "0 3 * * *"  # Run daily at 3:00 AM
    queue: default
 test:
  # No recurring jobs in test environment
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -67,6 +67,7 @@ Rails.application.routes.draw do
  post '/totp/verify_password', to: 'totp#verify_password', as: :verify_password_totp
  get '/totp/regenerate_backup_codes', to: 'totp#regenerate_backup_codes', as: :regenerate_backup_codes_totp
  post '/totp/regenerate_backup_codes', to: 'totp#create_new_backup_codes', as: :create_new_backup_codes_totp
  post '/totp/complete_setup', to: 'totp#complete_setup', as: :complete_totp_setup
  # WebAuthn (Passkeys) routes
  get '/webauthn/new', to: 'webauthn#new', as: :new_webauthn
@@ -81,6 +82,8 @@ Rails.application.routes.draw do
    resources :users do
      member do
        post :resend_invitation
        post :update_application_claims
        delete :delete_application_claims
      end
    end
    resources :applications do
--- a/db/migrate/20251122235519_add_sid_to_oidc_user_consent.rb
+++ b/db/migrate/20251122235519_add_sid_to_oidc_user_consent.rb
@@ -0,0 +1,15 @@
 class AddSidToOidcUserConsent < ActiveRecord::Migration[8.1]
  def change
    add_column :oidc_user_consents, :sid, :string
    add_index :oidc_user_consents, :sid
    # Generate UUIDs for existing consent records
    reversible do |dir|
      dir.up do
        OidcUserConsent.where(sid: nil).find_each do |consent|
          consent.update_column(:sid, SecureRandom.uuid)
        end
      end
    end
  end
 end
--- a/db/migrate/20251123052026_create_application_user_claims.rb
+++ b/db/migrate/20251123052026_create_application_user_claims.rb
@@ -0,0 +1,13 @@
 class CreateApplicationUserClaims < ActiveRecord::Migration[8.1]
  def change
    create_table :application_user_claims do |t|
      t.references :application, null: false, foreign_key: { on_delete: :cascade }
      t.references :user, null: false, foreign_key: { on_delete: :cascade }
      t.json :custom_claims, default: {}, null: false
      t.timestamps
    end
    add_index :application_user_claims, [:application_id, :user_id], unique: true, name: 'index_app_user_claims_unique'
  end
 end
--- a/db/migrate/20251125012446_add_username_to_users.rb
+++ b/db/migrate/20251125012446_add_username_to_users.rb
@@ -0,0 +1,6 @@
 class AddUsernameToUsers < ActiveRecord::Migration[8.1]
  def change
    add_column :users, :username, :string
    add_index :users, :username, unique: true
  end
 end
--- a/db/migrate/20251125063248_create_active_storage_tables.active_storage.rb
+++ b/db/migrate/20251125063248_create_active_storage_tables.active_storage.rb
@@ -0,0 +1,57 @@
 # This migration comes from active_storage (originally 20170806125915)
 class CreateActiveStorageTables < ActiveRecord::Migration[7.0]
  def change
    # Use Active Record's configured type for primary and foreign keys
    primary_key_type, foreign_key_type = primary_and_foreign_key_types
    create_table :active_storage_blobs, id: primary_key_type do |t|
      t.string   :key,          null: false
      t.string   :filename,     null: false
      t.string   :content_type
      t.text     :metadata
      t.string   :service_name, null: false
      t.bigint   :byte_size,    null: false
      t.string   :checksum
      if connection.supports_datetime_with_precision?
        t.datetime :created_at, precision: 6, null: false
      else
        t.datetime :created_at, null: false
      end
      t.index [ :key ], unique: true
    end
    create_table :active_storage_attachments, id: primary_key_type do |t|
      t.string     :name,     null: false
      t.references :record,   null: false, polymorphic: true, index: false, type: foreign_key_type
      t.references :blob,     null: false, type: foreign_key_type
      if connection.supports_datetime_with_precision?
        t.datetime :created_at, precision: 6, null: false
      else
        t.datetime :created_at, null: false
      end
      t.index [ :record_type, :record_id, :name, :blob_id ], name: :index_active_storage_attachments_uniqueness, unique: true
      t.foreign_key :active_storage_blobs, column: :blob_id
    end
    create_table :active_storage_variant_records, id: primary_key_type do |t|
      t.belongs_to :blob, null: false, index: false, type: foreign_key_type
      t.string :variation_digest, null: false
      t.index [ :blob_id, :variation_digest ], name: :index_active_storage_variant_records_uniqueness, unique: true
      t.foreign_key :active_storage_blobs, column: :blob_id
    end
  end
  private
    def primary_and_foreign_key_types
      config = Rails.configuration.generators
      setting = config.options[config.orm][:primary_key_type]
      primary_key_type = setting || :primary_key
      foreign_key_type = setting || :bigint
      [ primary_key_type, foreign_key_type ]
    end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_25_012446) do
  create_table "application_groups", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false
@@ -21,6 +21,17 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.index ["group_id"], name: "index_application_groups_on_group_id"
  end
  create_table "application_user_claims", force: :cascade do |t|
    t.integer "application_id", null: false
    t.datetime "created_at", null: false
    t.json "custom_claims", default: {}, null: false
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id", "user_id"], name: "index_app_user_claims_unique", unique: true
    t.index ["application_id"], name: "index_application_user_claims_on_application_id"
    t.index ["user_id"], name: "index_application_user_claims_on_user_id"
  end
  create_table "applications", force: :cascade do |t|
    t.integer "access_token_ttl", default: 3600
    t.boolean "active", default: true, null: false
@@ -120,10 +131,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.datetime "created_at", null: false
    t.datetime "granted_at", null: false
    t.text "scopes_granted", null: false
    t.string "sid"
    t.datetime "updated_at", null: false
    t.integer "user_id", null: false
    t.index ["application_id"], name: "index_oidc_user_consents_on_application_id"
    t.index ["granted_at"], name: "index_oidc_user_consents_on_granted_at"
    t.index ["sid"], name: "index_oidc_user_consents_on_sid"
    t.index ["user_id", "application_id"], name: "index_oidc_user_consents_on_user_id_and_application_id", unique: true
    t.index ["user_id"], name: "index_oidc_user_consents_on_user_id"
  end
@@ -167,10 +180,12 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
    t.boolean "totp_required", default: false, null: false
    t.string "totp_secret"
    t.datetime "updated_at", null: false
    t.string "username"
    t.string "webauthn_id"
    t.boolean "webauthn_required", default: false, null: false
    t.index ["email_address"], name: "index_users_on_email_address", unique: true
    t.index ["status"], name: "index_users_on_status"
    t.index ["username"], name: "index_users_on_username", unique: true
    t.index ["webauthn_id"], name: "index_users_on_webauthn_id", unique: true
  end
@@ -198,6 +213,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_12_120314) do
  add_foreign_key "application_groups", "applications"
  add_foreign_key "application_groups", "groups"
  add_foreign_key "application_user_claims", "applications", on_delete: :cascade
  add_foreign_key "application_user_claims", "users", on_delete: :cascade
  add_foreign_key "oidc_access_tokens", "applications"
  add_foreign_key "oidc_access_tokens", "users"
  add_foreign_key "oidc_authorization_codes", "applications"
--- a/test/controllers/oidc_authorization_code_security_test.rb
+++ b/test/controllers/oidc_authorization_code_security_test.rb
@@ -19,8 +19,9 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
  end
  def teardown
-    OidcAuthorizationCode.where(application: @application).destroy_all
+    OidcAuthorizationCode.where(application: @application).delete_all
-    OidcAccessToken.where(application: @application).destroy_all
+    # Use delete_all to avoid triggering callbacks that might have issues with the schema
    OidcAccessToken.where(application: @application).delete_all
    @user.destroy
    @application.destroy
  end
--- a/test/controllers/passwords_controller_test.rb
+++ b/test/controllers/passwords_controller_test.rb
@@ -11,7 +11,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "create" do
    post passwords_path, params: { email_address: @user.email_address }
    assert_enqueued_email_with PasswordsMailer, :reset, args: [ @user ]
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    follow_redirect!
    assert_notice "reset instructions sent"
@@ -20,14 +20,14 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "create for an unknown user redirects but sends no mail" do
    post passwords_path, params: { email_address: "missing-user@example.com" }
    assert_enqueued_emails 0
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    follow_redirect!
    assert_notice "reset instructions sent"
  end
  test "edit" do
-    get edit_password_path(@user.password_reset_token)
+    get edit_password_path(@user.generate_token_for(:password_reset))
    assert_response :success
  end
@@ -41,8 +41,8 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
  test "update" do
    assert_changes -> { @user.reload.password_digest } do
-      put password_path(@user.password_reset_token), params: { password: "new", password_confirmation: "new" }
+      put password_path(@user.generate_token_for(:password_reset)), params: { password: "newpassword", password_confirmation: "newpassword" }
-      assert_redirected_to new_session_path
+      assert_redirected_to signin_path
    end
    follow_redirect!
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -18,7 +18,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
  test "create with invalid credentials" do
    post session_path, params: { email_address: @user.email_address, password: "wrong" }
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    assert_nil cookies[:session_id]
  end
@@ -27,7 +27,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
    delete session_path
-    assert_redirected_to new_session_path
+    assert_redirected_to signin_path
    assert_empty cookies[:session_id]
  end
 end
--- a/test/fixtures/application_user_claims.yml
+++ b/test/fixtures/application_user_claims.yml
@@ -0,0 +1,11 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 kavita_alice_claims:
  application: kavita_app
  user: alice
  custom_claims: { "kavita_groups": ["admin"], "library_access": "all" }
 abs_alice_claims:
  application: audiobookshelf_app
  user: alice
  custom_claims: { "abs_groups": ["user"], "abs_permissions": { "canDownload": true, "canUpload": false } }
--- a/test/fixtures/applications.yml
+++ b/test/fixtures/applications.yml
@@ -24,3 +24,14 @@ another_app:
    https://app.example.com/auth/callback
  metadata: "{}"
  active: true
 audiobookshelf_app:
  name: Audiobookshelf
  slug: audiobookshelf
  app_type: oidc
  client_id: <%= SecureRandom.urlsafe_base64(32) %>
  client_secret_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
  redirect_uris: |
    https://abs.example.com/auth/openid/callback
  metadata: "{}"
  active: true
--- a/test/fixtures/groups.yml
+++ b/test/fixtures/groups.yml
@@ -1,5 +1,13 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 one:
  name: Group One
  description: First test group
 two:
  name: Group Two
  description: Second test group
 admin_group:
  name: Administrators
  description: System administrators with full access
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -1,5 +1,17 @@
 <% password_digest = BCrypt::Password.create("password") %>
 one:
  email_address: one@example.com
  password_digest: <%= password_digest %>
  admin: false
  status: 0 # active
 two:
  email_address: two@example.com
  password_digest: <%= password_digest %>
  admin: true
  status: 0 # active
 alice:
  email_address: alice@example.com
  password_digest: <%= password_digest %>
--- a/test/integration/forward_auth_integration_test.rb
+++ b/test/integration/forward_auth_integration_test.rb
@@ -58,8 +58,8 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
  # Domain and Rule Integration Tests
  test "different domain patterns with same session" do
    # Create test rules
-    wildcard_rule = ForwardAuthRule.create!(domain_pattern: "*.example.com", active: true)
+    wildcard_rule = Application.create!(domain_pattern: "*.example.com", active: true)
-    exact_rule = ForwardAuthRule.create!(domain_pattern: "api.example.com", active: true)
+    exact_rule = Application.create!(domain_pattern: "api.example.com", active: true)
    # Sign in
    post "/signin", params: { email_address: @user.email_address, password: "password" }
@@ -82,7 +82,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
  test "group-based access control integration" do
    # Create restricted rule
-    restricted_rule = ForwardAuthRule.create!(domain_pattern: "restricted.example.com", active: true)
+    restricted_rule = Application.create!(domain_pattern: "restricted.example.com", active: true)
    restricted_rule.allowed_groups << @group
    # Sign in user without group
@@ -104,17 +104,19 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
  # Header Configuration Integration Tests
  test "different header configurations with same user" do
-    # Create rules with different header configs
+    # Create applications with different configs
-    default_rule = ForwardAuthRule.create!(domain_pattern: "default.example.com", active: true)
+    default_rule = Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
-    custom_rule = ForwardAuthRule.create!(
+    custom_rule = Application.create!(
      name: "Custom App", slug: "custom-app", app_type: "forward_auth",
      domain_pattern: "custom.example.com",
      active: true,
-      headers_config: { user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES" }
+      metadata: { headers: { user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES" } }.to_json
    )
-    no_headers_rule = ForwardAuthRule.create!(
+    no_headers_rule = Application.create!(
      name: "No Headers App", slug: "no-headers-app", app_type: "forward_auth",
      domain_pattern: "noheaders.example.com",
      active: true,
-      headers_config: { user: "", email: "", name: "", groups: "", admin: "" }
+      metadata: { headers: { user: "", email: "", name: "", groups: "", admin: "" } }.to_json
    )
    # Add user to groups
@@ -191,7 +193,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
    admin_user = users(:two)
    # Create restricted rule
-    admin_rule = ForwardAuthRule.create!(
+    admin_rule = Application.create!(
      domain_pattern: "admin.example.com",
      active: true,
      headers_config: { user: "X-Admin-User", admin: "X-Admin-Flag" }
--- a/test/jobs/invitations_mailer_test.rb
+++ b/test/jobs/invitations_mailer_test.rb
@@ -25,8 +25,8 @@ class InvitationsMailerTest < ActionMailer::TestCase
    assert_equal "You're invited to join Clinch", email.subject
    assert_equal [@user.email_address], email.to
-    assert_equal [], email.cc
+    assert_equal [], email.cc || []
-    assert_equal [], email.bcc
+    assert_equal [], email.bcc || []
    # From address is configured in ApplicationMailer
    assert_not_nil email.from
    assert email.from.is_a?(Array)
--- a/test/jobs/passwords_mailer_test.rb
+++ b/test/jobs/passwords_mailer_test.rb
@@ -25,8 +25,8 @@ class PasswordsMailerTest < ActionMailer::TestCase
    assert_equal "Reset your password", email.subject
    assert_equal [@user.email_address], email.to
-    assert_equal [], email.cc
+    assert_equal [], email.cc || []
-    assert_equal [], email.bcc
+    assert_equal [], email.bcc || []
    # From address is configured in ApplicationMailer
    assert_not_nil email.from
    assert email.from.is_a?(Array)
--- a/test/models/application_user_claim_test.rb
+++ b/test/models/application_user_claim_test.rb
@@ -0,0 +1,78 @@
 require "test_helper"
 class ApplicationUserClaimTest < ActiveSupport::TestCase
  def setup
    @user = users(:bob)
    @application = applications(:another_app)
  end
  test "should create valid application user claim" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin" }
    )
    assert claim.valid?
    assert claim.save
  end
  test "should enforce uniqueness of user per application" do
    ApplicationUserClaim.create!(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin" }
    )
    duplicate = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "user" }
    )
    assert_not duplicate.valid?
    assert_includes duplicate.errors[:user_id], "has already been taken"
  end
  test "parsed_custom_claims returns hash" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "role": "admin", "level": 5 }
    )
    parsed = claim.parsed_custom_claims
    assert_equal "admin", parsed["role"]
    assert_equal 5, parsed["level"]
  end
  test "parsed_custom_claims returns empty hash when nil" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: nil
    )
    assert_equal({}, claim.parsed_custom_claims)
  end
  test "should not allow reserved OIDC claim names" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "groups": ["admin"], "role": "user" }
    )
    assert_not claim.valid?
    assert_includes claim.errors[:custom_claims], "cannot override reserved OIDC claims: groups"
  end
  test "should allow non-reserved claim names" do
    claim = ApplicationUserClaim.new(
      user: @user,
      application: @application,
      custom_claims: { "kavita_groups": ["admin"], "role": "user" }
    )
    assert claim.valid?
  end
 end
--- a/test/services/oidc_jwt_service_test.rb
+++ b/test/services/oidc_jwt_service_test.rb
@@ -14,7 +14,8 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    assert token.length > 100, "Token should be substantial"
    assert token.include?('.')
-    decoded = JWT.decode(token, nil, true)
+    # Decode without verification for testing the payload
    decoded = JWT.decode(token, nil, false).first
    assert_equal @application.client_id, decoded['aud'], "Should have correct audience"
    assert_equal @user.id.to_s, decoded['sub'], "Should have correct subject"
    assert_equal @user.email_address, decoded['email'], "Should have correct email"
@@ -22,16 +23,16 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    assert_equal @user.email_address, decoded['preferred_username'], "Should have preferred username"
    assert_equal @user.email_address, decoded['name'], "Should have name"
    assert_equal "https://localhost:3000", decoded['iss'], "Should have correct issuer"
-    assert_equal Time.now.to_i + 3600, decoded['exp'], "Should have correct expiration"
+    assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration"
  end
  test "should handle nonce in id token" do
    nonce = "test-nonce-12345"
    token = @service.generate_id_token(@user, @application, nonce: nonce)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    assert_equal nonce, decoded['nonce'], "Should preserve nonce in token"
-    assert_equal Time.now.to_i + 3600, decoded['exp'], "Should have correct expiration with nonce"
+    assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration with nonce"
  end
  test "should include groups in token when user has groups" do
@@ -39,17 +40,17 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    assert_includes decoded['groups'], "admin", "Should include user's groups"
  end
-  test "should include admin claim for admin users" do
+  test "admin claim should not be included in token" do
    @user.update!(admin: true)
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
-    assert_equal true, decoded['admin'], "Admin users should have admin claim"
+    refute decoded.key?('admin'), "Admin claim should not be included in ID tokens (use groups instead)"
  end
  test "should handle role-based claims when enabled" do
@@ -63,7 +64,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    assert_includes decoded['roles'], "editor", "Should include user's role"
  end
@@ -96,7 +97,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    assert_equal "Content Editor", decoded['role_display_name'], "Should include role display name"
    assert_includes decoded['role_permissions'], "read", "Should include read permission"
    assert_includes decoded['role_permissions'], "write", "Should include write permission"
@@ -107,15 +108,99 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
  test "should handle missing roles gracefully" do
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    refute_includes decoded, 'roles', "Should not have roles when not configured"
  end
-  test "should use RSA private key from environment" do
+  test "should load RSA private key from environment with escaped newlines" do
-    ENV.stub(:fetch, "OIDC_PRIVATE_KEY") { "test-private-key" }
+    # Simulate how direnv exports multi-line strings with \n escape sequences
    key_with_escaped_newlines = "-----BEGIN PRIVATE KEY-----\\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDg3SfOR4UW6wV2\\nyKnE/pN5/tvUC7Fpol5/NjJQHm24F8+r6iipdLWJrJ3T2oEzaKw/RTGYPBQvjj6c\\nz3+tc7QkJLOESJCA0WqgawE1WdKSx5ug3sP0Y7woTPipt+afGaV58YvV/sqFD1ft\\nU+2w8olBHqWphUCd/LakfvqHbwrmF58IASk4IbGceqQ7f98d/8C8TrR6k3SKQAto\\n0OWo+xuyJg0RoSS8S220/qyIukXxtHS89NQj3dgJI06fGCSATCu8uVdsKwBDNw3F\\nBSQEX3xhk8E/JXXZfwRFR1K3zUIVQu8haQ3YA52b0jkzE2xI6TaHVbuGdifmGAmX\\nb5jsJ/eNAgMBAAECggEAAWJb3PwlOUANWTe630Pp1OegV5M1Tn2vi+oQPosPl1iX\\nFlbymrj80EfaRPWo84oKnq0t1/RnogrbDa3txgdpSVCsEWk9N2SyoJXy8+MZu6Er\\nQHka8qfBVfe4PbHyRj3FSeQKvZOEvvOgNJkYpIFeb5zkHa1ISyloEWvAxr0njJbQ\\n0F2jML4sUeduYulCWI9dSJdB+yp8BsmOPu8VzUFthW/GPPuw4a4ngzoGtPV6f/kp\\ncjPa2YT8L8z6zXE0IiDU8bc5abC++QBNLJrMy55tM+zfgGyShandITbcpuWptIqT\\n2yhMulifOMw0hdV0cYRqetkWkevz07nrwnh/1FGjYQKBgQD9C/Ls720tULS7SIdh\\nuDWnrtMG4sidSbxWJTOqPUNZ9a0vaHnx/FwlmvURyCojn5leLByY8ZNN08DxKBVq\\nwH6ZJe7KGOik5wMtFV1zrhyHNpa/H/RrLaYAZqCVlGYyOVqNa7mA7oOIeqtbv9x+\\nOaEz3BnoXHOJOwM10h20Nos6bQKBgQDjfQCSQXcrkV8hKf+F65N7Kcf7JMlZQAA3\\n9dvJxxek683bhYTLZhubY/tegfhxlZGkgP3eHKI1XyUYBCNBnztn3t1zD0ovcqRX\\no21m5TaJ0fGW4X3iyi1IWioMBPXffR8tXk5+LnWVZ26RgmaBG1rgOJEQ5bHYMtHj\\n+jo9JLV9oQKBgQDt1nNHm2qEcxzMAsmsYVWc+8bA7BsfKxTn6yN6WQaa4T0cGBi2\\nBzoc5l59jiN9RB8E0nU2k6ieN+9bOw+WPMNA8tRUA8F2bOMhVrl1ZyrNM9PQZBp5\\nOniSW+OHc+nyPtILpjq/Im9isdmp7NUzlrsbYT7AlVTKoTrNNWZR4gpOqQKBgQC3\\nIWwSUS00H4TrV7nh/zDsl0fr/0Mv2/vRENTsbJ+2HjXMIII0k3Bp+WTkQdDU70kd\\nmtHDul1CheOAn+QZ8auLBLhU5dwcsjdmbaOmj6MF88J+aexDY+psMlli76NXVIyC\\no0ahAZmaunciIE2QZYsUsbTmW2J93vtkgY3cpu6LwQKBgDigl7dCQl38Vt7FhxjJ\\naC6wmmM8YX6y5f5t3caVVBizVhx8xOXQla96zB0nW6ibTpaIKCSdORxMGAoajTZ9\\n8Ww2gOfZpZeojU2YHTV/KFd7wHGYE8QaBKqP6DuibLnP5farjuwPeGvbjZW6e9cy\\nntHkSPI0VmhqsUQEMgPnYuCg\\n-----END PRIVATE KEY-----"
-    private_key = @service.private_key
+    # Clear any cached keys
-    assert_equal "test-private-key", private_key.to_s, "Should use private key from environment"
+    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return the test key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = key_with_escaped_newlines
    # The service should convert \n to actual newlines and load successfully
    private_key = OidcJwtService.send(:private_key)
    assert_not_nil private_key
    assert_kind_of OpenSSL::PKey::RSA, private_key
    assert_equal 2048, private_key.n.num_bits
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should handle key with actual newlines" do
    # Generate a real test key
    test_key = OpenSSL::PKey::RSA.new(2048)
    key_pem = test_key.to_pem
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return the test key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = key_pem
    private_key = OidcJwtService.send(:private_key)
    assert_not_nil private_key
    assert_kind_of OpenSSL::PKey::RSA, private_key
    assert_equal 2048, private_key.n.num_bits
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should raise error for invalid key format" do
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Stub ENV to return invalid key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV["OIDC_PRIVATE_KEY"] = "invalid-key-data"
    error = assert_raises RuntimeError do
      OidcJwtService.send(:private_key)
    end
    assert_match /Invalid OIDC private key format/, error.message
  ensure
    # Restore original value and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should raise error in production when no key configured" do
    # Skip this test if we can't properly stub Rails.env
    skip "Skipping production env test" unless Rails.env.development? || Rails.env.test?
    # Clear any cached keys
    OidcJwtService.instance_variable_set(:@private_key, nil)
    # Temporarily remove the key
    original_value = ENV["OIDC_PRIVATE_KEY"]
    ENV.delete("OIDC_PRIVATE_KEY")
    # Stub Rails.env to be production
    Rails.env = ActiveSupport::StringInquirer.new("production")
    error = assert_raises RuntimeError do
      OidcJwtService.send(:private_key)
    end
    assert_match /OIDC private key not configured/, error.message
  ensure
    # Restore original environment and clear cached key
    ENV["OIDC_PRIVATE_KEY"] = original_value if original_value
    Rails.env = ActiveSupport::StringInquirer.new(ENV.fetch("RAILS_ENV", "test"))
    OidcJwtService.instance_variable_set(:@private_key, nil)
  end
  test "should generate RSA private key when missing" do
@@ -176,7 +261,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
  test "should handle access token generation" do
    token = @service.generate_id_token(@user, @application)
-    decoded = JWT.decode(token, nil, true)
+    decoded = JWT.decode(token, nil, false).first
    refute_includes decoded.keys, 'email_verified'
    assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
    assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
@@ -207,4 +292,215 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
    end
    assert_match /no key found/, error.message, "Should warn about missing private key"
  end
  test "should include app-specific custom claims in token" do
    # Use bob and another_app to avoid fixture conflicts
    user = users(:bob)
    app = applications(:another_app)
    # Create app-specific claim
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "app_groups": ["admin"], "library_access": "all" }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    assert_equal ["admin"], decoded["app_groups"]
    assert_equal "all", decoded["library_access"]
  end
  test "app-specific claims should override user and group claims" do
    # Use bob and another_app to avoid fixture conflicts
    user = users(:bob)
    app = applications(:another_app)
    # Add user to group with claims
    group = groups(:admin_group)
    group.update!(custom_claims: { "role": "viewer", "max_items": 10 })
    user.groups << group
    # Add user custom claims
    user.update!(custom_claims: { "role": "editor", "theme": "dark" })
    # Add app-specific claims (should override both)
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "role": "admin", "app_specific": true }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # App-specific claim should win
    assert_equal "admin", decoded["role"]
    # App-specific claim should be present
    assert_equal true, decoded["app_specific"]
    # User claim not overridden should still be present
    assert_equal "dark", decoded["theme"]
    # Group claim not overridden should still be present
    assert_equal 10, decoded["max_items"]
  end
  test "should deep merge array claims from group and user" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"], "permissions" => ["read"] })
    user.groups << group
    # User adds roles: ["admin"]
    user.update!(custom_claims: { "roles" => ["admin"], "permissions" => ["write"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Roles should be combined (not overwritten)
    assert_equal 2, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "admin"
    # Permissions should also be combined
    assert_equal 2, decoded["permissions"].length
    assert_includes decoded["permissions"], "read"
    assert_includes decoded["permissions"], "write"
  end
  test "should deep merge array claims from multiple groups" do
    user = users(:bob)
    app = applications(:another_app)
    # First group has roles: ["user"]
    group1 = groups(:admin_group)
    group1.update!(custom_claims: { "roles" => ["user"] })
    user.groups << group1
    # Second group has roles: ["moderator"]
    group2 = Group.create!(name: "moderators", description: "Moderators group")
    group2.update!(custom_claims: { "roles" => ["moderator"] })
    user.groups << group2
    # User adds roles: ["admin"]
    user.update!(custom_claims: { "roles" => ["admin"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # All roles should be combined
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "moderator"
    assert_includes decoded["roles"], "admin"
  end
  test "should remove duplicate values when merging arrays" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user", "reader"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user", "reader"] })
    user.groups << group
    # User also has "user" role (duplicate)
    user.update!(custom_claims: { "roles" => ["user", "admin"] })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # "user" should only appear once
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "reader"
    assert_includes decoded["roles"], "admin"
  end
  test "should override non-array values while merging arrays" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles array and max_items scalar
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"], "max_items" => 10, "theme" => "light" })
    user.groups << group
    # User overrides max_items and theme, adds to roles
    user.update!(custom_claims: { "roles" => ["admin"], "max_items" => 100, "theme" => "dark" })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Arrays should be combined
    assert_equal 2, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "admin"
    # Scalar values should be overridden (user wins)
    assert_equal 100, decoded["max_items"]
    assert_equal "dark", decoded["theme"]
  end
  test "should deep merge nested hashes in claims" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has nested config
    group = groups(:admin_group)
    group.update!(custom_claims: {
      "config" => {
        "theme" => "light",
        "notifications" => { "email" => true }
      }
    })
    user.groups << group
    # User adds to nested config
    user.update!(custom_claims: {
      "config" => {
        "language" => "en",
        "notifications" => { "sms" => true }
      }
    })
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # Nested hashes should be deep merged
    assert_equal "light", decoded["config"]["theme"]
    assert_equal "en", decoded["config"]["language"]
    assert_equal true, decoded["config"]["notifications"]["email"]
    assert_equal true, decoded["config"]["notifications"]["sms"]
  end
  test "app-specific claims should combine arrays with group and user claims" do
    user = users(:bob)
    app = applications(:another_app)
    # Group has roles: ["user"]
    group = groups(:admin_group)
    group.update!(custom_claims: { "roles" => ["user"] })
    user.groups << group
    # User has roles: ["moderator"]
    user.update!(custom_claims: { "roles" => ["moderator"] })
    # App-specific has roles: ["app_admin"]
    ApplicationUserClaim.create!(
      user: user,
      application: app,
      custom_claims: { "roles" => ["app_admin"] }
    )
    token = @service.generate_id_token(user, app)
    decoded = JWT.decode(token, nil, false).first
    # All three sources should be combined
    assert_equal 3, decoded["roles"].length
    assert_includes decoded["roles"], "user"
    assert_includes decoded["roles"], "moderator"
    assert_includes decoded["roles"], "app_admin"
  end
 end
Author	SHA1	Message	Date
Dan Milne	67d86e5835	Add Icons for apps	2025-11-25 19:11:22 +11:00
Dan Milne	d6029556d3	Add OIDC fixes, add prefered_username, add application-user claims	2025-11-25 16:29:40 +11:00
Dan Milne	7796c38c08	Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details	2025-11-23 11:16:06 +11:00