dkam/clinch
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dkam:ed7ceedef51d8aa137e64f94ec92ff4f47a69e06
Branches Tags
dkam:main dkam:feature/enhance-jwt
dkam:0.8.6 dkam:2026.01 dkam:2025.03 dkam:0.5.0 dkam:2025.02 dkam:2025.01
...
compare: dkam:2026.01
Branches Tags
dkam:main dkam:feature/enhance-jwt
dkam:0.8.6 dkam:2026.01 dkam:2025.03 dkam:0.5.0 dkam:2025.02 dkam:2025.01

38 Commits
ed7ceedef5 ... 2026.01

Author SHA1 Message Date
Dan Milne
0bb84f08d6 OpenID conformance test: we get a warning for not having a value for every claim. But we can explictly list support claims. Nothing we can do about a warning in the complience.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 16:35:12 +11:00
Dan Milne
182682024d OpenID Conformance: Include all required scopes when profile is requested, even if they're empty
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:47:40 +11:00
Dan Milne
b517ebe809 OpenID conformance test: Allow posting the access token in the body for userinfo endpoint
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:41:07 +11:00
Dan Milne
dd8bd15a76 CSRF issue with API endpoint
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:29:34 +11:00
Dan Milne
f67a73821c OpenID Conformance: user info endpoint should support get and post requets, not just get
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:26:39 +11:00
Dan Milne
b09ddf6db5 OpenID Conformance: We need to return to the redirect_uri in the case of errors.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 15:12:55 +11:00
Dan Milne
abbb11a41d Return only scopes requested, add tests ( OpenID conformance test )
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 14:55:06 +11:00
Dan Milne
b2030df8c2 Return only scopes requested ( OpenID conformance test. Update README 2026-01-02 14:05:54 +11:00
Dan Milne
07cddf5823 Version bump
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:57:28 +11:00
Dan Milne
46aa983189 Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:56:03 +11:00
Dan Milne
d0d79ee1da Try ignore capybara's test tripping trivy
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:52:24 +11:00
Dan Milne
2f6a2c7406 Update ruby 3.4.6 -> 3.4.7. Update gems. Add trivy scanning and ignore unfixable Debian CVEs. Ignore a test fixture key for Capybara
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:48:40 +11:00
Dan Milne
5137a25626 Add remainging rate limits. Add docker compose production example. Update beta-checklist.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-02 12:14:13 +11:00
Dan Milne
fed7c3cedb Some beta-checklist updates 2026-01-02 11:53:41 +11:00
Dan Milne
e288fcad7c Remove old docs 2026-01-01 21:04:26 +11:00
Dan Milne
c1c6e0112e ADd backup / restore documentation
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 15:40:49 +11:00
Dan Milne
7f834fb7fa Version bump 2026-01-01 15:27:19 +11:00
Dan Milne
ae99d3d9cf Fix webauthn bug. Fix tests. Update docs
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 15:24:56 +11:00
Dan Milne
1afcd041f9 Update README, fix a test 2026-01-01 15:17:28 +11:00
Dan Milne
71198340d0 fix tests and add a Claude.md file
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 15:11:46 +11:00
Dan Milne
d597ca8810 Fix tests 2026-01-01 14:52:24 +11:00
Dan Milne
9b81aee490 Fix linting error
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 13:45:10 +11:00
Dan Milne
265518ab25 Move integration tests into right directory
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 13:43:13 +11:00
Dan Milne
adb789bbea Fix StandardRB
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 13:35:37 +11:00
Dan Milne
93a0edb0a2 StandardRB fixes
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 13:29:44 +11:00
Dan Milne
7d3af2bcec SRB fixes 2026-01-01 13:19:17 +11:00
Dan Milne
c03034c49f Add files to support brakeman and standardrb. Fix some SRB warnings 2026-01-01 13:18:30 +11:00
Dan Milne
9234904e47 Add security-todo and beta-checklists, and some security rake tasks
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2026-01-01 13:06:54 +11:00
Dan Milne
e36a9a781a Add new claims to the discovery endpoint
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2025-12-31 17:27:28 +11:00
Dan Milne
d036e25fef Add auth_time, acr and azp support for OIDC claims 2025-12-31 17:07:54 +11:00
Dan Milne
fcdd2b6de7 Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens. 2025-12-31 16:57:28 +11:00
Dan Milne
3939ea773f We already have a login_time stored - the time stamp of the Session instance creation ( created after successful login ). 2025-12-31 16:45:45 +11:00
Dan Milne
4b4afe277e Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record 2025-12-31 16:36:32 +11:00
Dan Milne
364e6e21dd Fixes for tests and AR Encryption
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2025-12-31 16:08:05 +11:00
Dan Milne
9d352ab8ec Fix tests - add missing files 2025-12-31 16:01:31 +11:00
Dan Milne
d1d4ac745f Version bump 2025-12-31 15:48:52 +11:00
Dan Milne
3db466f5a2 Switch Access / Refresh tokens / Auth Code from bcrypt ( and plain ) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
2025-12-31 15:48:32 +11:00
Dan Milne
7c6ae7ab7e Store only HMAC'd Auth codes, rather than plain text auth codes. 2025-12-31 15:00:00 +11:00
117 changed files with 5847 additions and 1339 deletions
Expand all files Collapse all files

46
.github/workflows/ci.yml vendored
View File

@@ -19,7 +19,9 @@ jobs:
bundler-cache: true
- name: Scan for common Rails security vulnerabilities using static analysis
run: bin/brakeman --no-pager
run: bin/brakeman --no-pager --no-exit-on-warn
# Note: 2 weak warnings exist and are documented as acceptable
# See docs/beta-checklist.md for details
- name: Scan for known security vulnerabilities in gems used
run: bin/bundler-audit
@@ -39,10 +41,36 @@ jobs:
- name: Scan for security vulnerabilities in JavaScript dependencies
run: bin/importmap audit
scan_container:
runs-on: ubuntu-latest
permissions:
security-events: write # Required for uploading SARIF results
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Build Docker image
run: docker build -t clinch:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: clinch:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
scanners: 'vuln' # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
lint:
runs-on: ubuntu-latest
env:
RUBOCOP_CACHE_ROOT: tmp/rubocop
steps:
- name: Checkout code
uses: actions/checkout@v5
@@ -52,18 +80,8 @@ jobs:
with:
bundler-cache: true
- name: Prepare RuboCop cache
uses: actions/cache@v4
env:
DEPENDENCIES_HASH: ${{ hashFiles('.ruby-version', '**/.rubocop.yml', '**/.rubocop_todo.yml', 'Gemfile.lock') }}
with:
path: ${{ env.RUBOCOP_CACHE_ROOT }}
key: rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-${{ github.ref_name == github.event.repository.default_branch && github.run_id || 'default' }}
restore-keys: |
rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-
- name: Lint code for consistent style
run: bin/rubocop -f github
run: bin/standardrb
test:
runs-on: ubuntu-latest

2
.ruby-version
View File

@@ -1 +1 @@
3.4.6
3.4.8

7
.standard.yml Normal file
View File

@@ -0,0 +1,7 @@
ignore:
- 'test_*.rb' # Ignore test files in root directory
- 'tmp/**/*'
- 'vendor/**/*'
- 'node_modules/**/*'
- 'config/initializers/csp_local_logger.rb' # Complex CSP logger with intentional block structure
- 'config/initializers/sentry_subscriber.rb' # Sentry subscriber with module structure

48
.trivyignore Normal file
View File

@@ -0,0 +1,48 @@
# Trivy ignore file
# This file tells Trivy to skip specific vulnerabilities or files
# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
# =============================================================================
# False Positives - Test Fixtures
# =============================================================================
# Capybara test fixture - not a real private key
# Ignore secrets in test fixtures
# Format: secret:<rule-id>:<exact-file-path>
secret:private-key:/usr/local/bundle/ruby/3.4.0/gems/capybara-3.40.0/spec/fixtures/key.pem
# =============================================================================
# Unfixable CVEs - No Patches Available (Status: affected/fix_deferred)
# =============================================================================
# GnuPG vulnerabilities - not used by Clinch at runtime
# Low risk: dirmngr/gpg tools not invoked during normal operation
CVE-2025-68973
# Image processing library vulnerabilities
# Low risk for Clinch: Only admins upload images (app icons), not untrusted users
# Waiting on Debian security team to release patches
# ImageMagick - Integer overflow (32-bit only)
CVE-2025-66628
# glib - Integer overflow in URI escaping
CVE-2025-13601
# HDF5 - Critical vulnerabilities in scientific data format library
CVE-2025-2153
CVE-2025-2308
CVE-2025-2309
CVE-2025-2310
# libmatio - MATLAB file format library
CVE-2025-2338
# OpenEXR - Image format vulnerabilities
CVE-2025-12495
CVE-2025-12839
CVE-2025-12840
CVE-2025-64181
# libvips - Image processing library
CVE-2025-59933

65
Claude.md Normal file
View File

@@ -0,0 +1,65 @@
# Claude Code Guidelines for Clinch
This document provides guidelines for AI assistants (Claude, ChatGPT, etc.) working on this codebase.
## Project Context
Clinch is a lightweight identity provider (IdP) supporting:
- **OIDC/OAuth2** - Standard OAuth flows for modern apps
- **ForwardAuth** - Trusted-header SSO for reverse proxies (Traefik, Caddy, Nginx)
- **WebAuthn/Passkeys** - Passwordless authentication
- Group-based access control
Key characteristics:
- Rails 8 application with SQLite database
- Focus on simplicity and self-hosting
- No external dependencies for core functionality
## Testing Guidelines
### Do Not Test Rails Framework Functionality
When writing tests, focus on testing **our application's specific behavior and logic**, not standard Rails framework functionality.
**Examples of what NOT to test:**
- Session isolation between users (Rails handles this)
- Basic ActiveRecord associations (Rails handles this)
- Standard cookie signing/verification (Rails handles this)
- Default controller rendering behavior (Rails handles this)
- Infrastructure-level error handling (database connection failures, network issues, etc.)
**Examples of what TO test:**
- Forward auth business logic (group-based access control, header configuration, etc.)
- Custom authentication flows
- Application-specific session expiration behavior
- Domain pattern matching logic
- Custom response header generation
**Why:**
Testing Rails framework functionality adds no value and can create maintenance burden. Trust that Rails works correctly and focus tests on verifying our application's unique behavior.
### Integration Test Patterns
**Session handling:**
- Do NOT manually manipulate cookies in integration tests
- Use the session provided by the test framework
- To get the actual session ID, use `Session.last.id` after sign-in, not `cookies[:session_id]` (which is signed)
**Application setup:**
- Always create Application records for the domains you're testing
- Use wildcard patterns (e.g., `*.example.com`) when testing multiple subdomains
- Remember: `*` matches one level only (`*.example.com` matches `app.example.com` but NOT `sub.app.example.com`)
**Header assertions:**
- Always normalize header names to lowercase when asserting (HTTP headers are case-insensitive)
- Use `response.headers["x-remote-user"]` not `response.headers["X-Remote-User"]`
**Avoid threading in integration tests:**
- Rails integration tests use a single cookie jar
- Convert threaded tests to sequential requests instead
### Common Testing Pitfalls
1. **Don't test concurrent users with manual cookie manipulation** - Integration tests can't properly simulate multiple concurrent sessions
2. **Don't expect `cookies[:session_id]` to be the actual ID** - It's a signed cookie value
3. **Don't assume wildcard patterns match multiple levels** - `*.domain.com` only matches one level

5
Dockerfile
View File

@@ -8,7 +8,7 @@
# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html
# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
ARG RUBY_VERSION=3.4.6
ARG RUBY_VERSION=3.4.8
FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
@@ -16,8 +16,9 @@ LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
# Rails app lives here
WORKDIR /rails
# Install base packages
# Install base packages and upgrade to latest security patches
RUN apt-get update -qq && \
apt-get upgrade -y && \
apt-get install --no-install-recommends -y curl libjemalloc2 libvips sqlite3 && \
ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 /usr/local/lib/libjemalloc.so && \
rm -rf /var/lib/apt/lists /var/cache/apt/archives

11
Gemfile
View File

@@ -47,6 +47,7 @@ gem "tzinfo-data", platforms: %i[ windows jruby ]
# Use the database-backed adapters for Rails.cache and Action Cable
gem "solid_cache"
gem "solid_cable"
gem "solid_queue", "~> 1.2"
# Reduces boot times through caching; required in config/boot.rb
gem "bootsnap", require: false
@@ -70,8 +71,8 @@ group :development, :test do
# Static analysis for security vulnerabilities [https://brakemanscanner.org/]
gem "brakeman", require: false
# Omakase Ruby styling [https://github.com/rails/rubocop-rails-omakase/]
gem "rubocop-rails-omakase", require: false
# Standard Ruby style guide, linter, and formatter [https://github.com/standardrb/standard]
gem "standard", require: false
end
group :development do
@@ -86,4 +87,10 @@ group :test do
# Use system testing [https://guides.rubyonrails.org/testing.html#system-testing]
gem "capybara"
gem "selenium-webdriver"
# Code coverage analysis
gem "simplecov", require: false
# Pin minitest to < 6.0 until Rails 8.1 supports the new API
gem "minitest", "< 6.0"
end

184
Gemfile.lock
View File

@@ -1,7 +1,7 @@
GEM
remote: https://rubygems.org/
specs:
action_text-trix (2.1.15)
action_text-trix (2.1.16)
railties
actioncable (8.1.1)
actionpack (= 8.1.1)
@@ -80,14 +80,14 @@ GEM
android_key_attestation (0.3.0)
ast (2.4.3)
base64 (0.3.0)
bcrypt (3.1.20)
bcrypt_pbkdf (1.1.1)
bigdecimal (3.3.1)
bcrypt (3.1.21)
bcrypt_pbkdf (1.1.2)
bigdecimal (4.0.1)
bindata (2.5.1)
bindex (0.8.1)
bootsnap (1.19.0)
bootsnap (1.20.1)
msgpack (~> 1.2)
brakeman (7.1.1)
brakeman (7.1.2)
racc
builder (3.3.0)
bundler-audit (0.9.3)
@@ -106,32 +106,37 @@ GEM
childprocess (5.1.0)
logger (~> 1.5)
chunky_png (1.4.0)
concurrent-ruby (1.3.5)
connection_pool (2.5.5)
concurrent-ruby (1.3.6)
connection_pool (3.0.2)
cose (1.3.1)
cbor (~> 0.5.9)
openssl-signature_algorithm (~> 1.0)
crass (1.0.6)
date (3.5.0)
debug (1.11.0)
date (3.5.1)
debug (1.11.1)
irb (~> 1.10)
reline (>= 0.3.8)
dotenv (3.1.8)
docile (1.4.1)
dotenv (3.2.0)
drb (2.2.3)
ed25519 (1.4.0)
erb (6.0.0)
erb (6.0.1)
erubi (1.13.1)
ffi (1.17.2)
ffi (1.17.2-aarch64-linux-gnu)
ffi (1.17.2-aarch64-linux-musl)
ffi (1.17.2-arm-linux-gnu)
ffi (1.17.2-arm-linux-musl)
ffi (1.17.2-arm64-darwin)
ffi (1.17.2-x86_64-linux-gnu)
ffi (1.17.2-x86_64-linux-musl)
et-orbi (1.4.0)
tzinfo
ffi (1.17.3-aarch64-linux-gnu)
ffi (1.17.3-aarch64-linux-musl)
ffi (1.17.3-arm-linux-gnu)
ffi (1.17.3-arm-linux-musl)
ffi (1.17.3-arm64-darwin)
ffi (1.17.3-x86_64-linux-gnu)
ffi (1.17.3-x86_64-linux-musl)
fugit (1.12.1)
et-orbi (~> 1.4)
raabro (~> 1.4)
globalid (1.3.0)
activesupport (>= 6.1)
i18n (1.14.7)
i18n (1.14.8)
concurrent-ruby (~> 1.0)
image_processing (1.14.0)
mini_magick (>= 4.9.5, < 6)
@@ -140,18 +145,18 @@ GEM
actionpack (>= 6.0.0)
activesupport (>= 6.0.0)
railties (>= 6.0.0)
io-console (0.8.1)
irb (1.15.3)
io-console (0.8.2)
irb (1.16.0)
pp (>= 0.6.0)
rdoc (>= 4.0.0)
reline (>= 0.4.2)
jbuilder (2.14.1)
actionview (>= 7.0.0)
activesupport (>= 7.0.0)
json (2.16.0)
json (2.18.0)
jwt (3.1.2)
base64
kamal (2.9.0)
kamal (2.10.1)
activesupport (>= 7.0)
base64 (~> 0.2)
bcrypt_pbkdf (~> 1.0)
@@ -171,7 +176,7 @@ GEM
launchy (>= 2.2, < 4)
lint_roller (1.1.0)
logger (1.7.0)
loofah (2.24.1)
loofah (2.25.0)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
mail (2.9.0)
@@ -185,10 +190,9 @@ GEM
mini_magick (5.3.1)
logger
mini_mime (1.1.5)
mini_portile2 (2.8.9)
minitest (5.26.2)
minitest (5.27.0)
msgpack (1.8.0)
net-imap (0.5.12)
net-imap (0.6.2)
date
net-protocol
net-pop (0.1.2)
@@ -203,24 +207,21 @@ GEM
net-protocol
net-ssh (7.3.0)
nio4r (2.7.5)
nokogiri (1.18.10)
mini_portile2 (~> 2.8.2)
nokogiri (1.19.0-aarch64-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-aarch64-linux-gnu)
nokogiri (1.19.0-aarch64-linux-musl)
racc (~> 1.4)
nokogiri (1.18.10-aarch64-linux-musl)
nokogiri (1.19.0-arm-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-arm-linux-gnu)
nokogiri (1.19.0-arm-linux-musl)
racc (~> 1.4)
nokogiri (1.18.10-arm-linux-musl)
nokogiri (1.19.0-arm64-darwin)
racc (~> 1.4)
nokogiri (1.18.10-arm64-darwin)
nokogiri (1.19.0-x86_64-linux-gnu)
racc (~> 1.4)
nokogiri (1.18.10-x86_64-linux-gnu)
nokogiri (1.19.0-x86_64-linux-musl)
racc (~> 1.4)
nokogiri (1.18.10-x86_64-linux-musl)
racc (~> 1.4)
openssl (3.3.2)
openssl (4.0.0)
openssl-signature_algorithm (1.3.0)
openssl (> 2.0)
ostruct (0.6.3)
@@ -231,17 +232,18 @@ GEM
pp (0.6.3)
prettyprint
prettyprint (0.2.0)
prism (1.6.0)
prism (1.7.0)
propshaft (1.3.1)
actionpack (>= 7.0.0)
activesupport (>= 7.0.0)
rack
psych (5.2.6)
psych (5.3.1)
date
stringio
public_suffix (7.0.0)
puma (7.1.0)
nio4r (~> 2.0)
raabro (1.4.0)
racc (1.8.1)
rack (3.2.4)
rack-session (2.1.1)
@@ -249,7 +251,7 @@ GEM
rack (>= 3.0.0)
rack-test (2.2.0)
rack (>= 1.3)
rackup (2.2.1)
rackup (2.3.1)
rack (>= 3)
rails (8.1.1)
actioncable (= 8.1.1)
@@ -283,7 +285,7 @@ GEM
zeitwerk (~> 2.6)
rainbow (3.1.1)
rake (13.3.1)
rdoc (6.16.1)
rdoc (7.0.3)
erb
psych (>= 4.0.0)
tsort
@@ -307,32 +309,22 @@ GEM
rubocop-ast (>= 1.47.1, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 4.0)
rubocop-ast (1.48.0)
rubocop-ast (1.49.0)
parser (>= 3.3.7.2)
prism (~> 1.4)
prism (~> 1.7)
rubocop-performance (1.26.1)
lint_roller (~> 1.1)
rubocop (>= 1.75.0, < 2.0)
rubocop-ast (>= 1.47.1, < 2.0)
rubocop-rails (2.34.2)
activesupport (>= 4.2.0)
lint_roller (~> 1.1)
rack (>= 1.1)
rubocop (>= 1.75.0, < 2.0)
rubocop-ast (>= 1.44.0, < 2.0)
rubocop-rails-omakase (1.1.0)
rubocop (>= 1.72)
rubocop-performance (>= 1.24)
rubocop-rails (>= 2.30)
ruby-progressbar (1.13.0)
ruby-vips (2.2.5)
ruby-vips (2.3.0)
ffi (~> 1.12)
logger
rubyzip (3.2.2)
safety_net_attestation (0.5.0)
jwt (>= 2.0, < 4.0)
securerandom (0.4.1)
selenium-webdriver (4.38.0)
selenium-webdriver (4.39.0)
base64 (~> 0.2)
logger (~> 1.4)
rexml (~> 3.2, >= 3.2.5)
@@ -344,6 +336,12 @@ GEM
sentry-ruby (6.2.0)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
simplecov (0.22.0)
docile (~> 1.1)
simplecov-html (~> 0.11)
simplecov_json_formatter (~> 0.1)
simplecov-html (0.13.2)
simplecov_json_formatter (0.1.4)
solid_cable (3.0.12)
actioncable (>= 7.2)
activejob (>= 7.2)
@@ -353,40 +351,57 @@ GEM
activejob (>= 7.2)
activerecord (>= 7.2)
railties (>= 7.2)
sqlite3 (2.8.1)
mini_portile2 (~> 2.8.0)
sqlite3 (2.8.1-aarch64-linux-gnu)
sqlite3 (2.8.1-aarch64-linux-musl)
sqlite3 (2.8.1-arm-linux-gnu)
sqlite3 (2.8.1-arm-linux-musl)
sqlite3 (2.8.1-arm64-darwin)
sqlite3 (2.8.1-x86_64-linux-gnu)
sqlite3 (2.8.1-x86_64-linux-musl)
sshkit (1.24.0)
solid_queue (1.2.4)
activejob (>= 7.1)
activerecord (>= 7.1)
concurrent-ruby (>= 1.3.1)
fugit (~> 1.11)
railties (>= 7.1)
thor (>= 1.3.1)
sqlite3 (2.9.0-aarch64-linux-gnu)
sqlite3 (2.9.0-aarch64-linux-musl)
sqlite3 (2.9.0-arm-linux-gnu)
sqlite3 (2.9.0-arm-linux-musl)
sqlite3 (2.9.0-arm64-darwin)
sqlite3 (2.9.0-x86_64-linux-gnu)
sqlite3 (2.9.0-x86_64-linux-musl)
sshkit (1.25.0)
base64
logger
net-scp (>= 1.1.2)
net-sftp (>= 2.1.2)
net-ssh (>= 2.8.0)
ostruct
standard (1.52.0)
language_server-protocol (~> 3.17.0.2)
lint_roller (~> 1.0)
rubocop (~> 1.81.7)
standard-custom (~> 1.0.0)
standard-performance (~> 1.8)
standard-custom (1.0.2)
lint_roller (~> 1.0)
rubocop (~> 1.50)
standard-performance (1.9.0)
lint_roller (~> 1.1)
rubocop-performance (~> 1.26.0)
stimulus-rails (1.3.4)
railties (>= 6.0.0)
stringio (3.1.8)
stringio (3.2.0)
tailwindcss-rails (4.4.0)
railties (>= 7.0.0)
tailwindcss-ruby (~> 4.0)
tailwindcss-ruby (4.1.16)
tailwindcss-ruby (4.1.16-aarch64-linux-gnu)
tailwindcss-ruby (4.1.16-aarch64-linux-musl)
tailwindcss-ruby (4.1.16-arm64-darwin)
tailwindcss-ruby (4.1.16-x86_64-linux-gnu)
tailwindcss-ruby (4.1.16-x86_64-linux-musl)
tailwindcss-ruby (4.1.18)
tailwindcss-ruby (4.1.18-aarch64-linux-gnu)
tailwindcss-ruby (4.1.18-aarch64-linux-musl)
tailwindcss-ruby (4.1.18-arm64-darwin)
tailwindcss-ruby (4.1.18-x86_64-linux-gnu)
tailwindcss-ruby (4.1.18-x86_64-linux-musl)
thor (1.4.0)
thruster (0.1.16)
thruster (0.1.16-aarch64-linux)
thruster (0.1.16-arm64-darwin)
thruster (0.1.16-x86_64-linux)
timeout (0.4.4)
thruster (0.1.17)
thruster (0.1.17-aarch64-linux)
thruster (0.1.17-arm64-darwin)
thruster (0.1.17-x86_64-linux)
timeout (0.6.0)
tpm-key_attestation (0.14.1)
bindata (~> 2.4)
openssl (> 2.0)
@@ -422,7 +437,7 @@ GEM
websocket-extensions (0.1.5)
xpath (3.2.0)
nokogiri (~> 1.8)
zeitwerk (2.7.3)
zeitwerk (2.7.4)
PLATFORMS
aarch64-linux
@@ -448,19 +463,22 @@ DEPENDENCIES
jwt (~> 3.1)
kamal
letter_opener
minitest (< 6.0)
propshaft
public_suffix (~> 7.0)
puma (>= 5.0)
rails (~> 8.1.1)
rotp (~> 6.3)
rqrcode (~> 3.1)
rubocop-rails-omakase
selenium-webdriver
sentry-rails (~> 6.2)
sentry-ruby (~> 6.2)
simplecov
solid_cable
solid_cache
solid_queue (~> 1.2)
sqlite3 (>= 2.1)
standard
stimulus-rails
tailwindcss-rails
thruster
@@ -470,4 +488,4 @@ DEPENDENCIES
webauthn (~> 3.0)
BUNDLED WITH
2.7.2
4.0.3

368
README.md
View File

@@ -1,8 +1,10 @@
# Clinch
## Position and Control for your Authentication
> [!NOTE]
> This software is experimental. If you'd like to try it out, find bugs, security flaws and improvements, please do.
We do these things not because they're easy, but because we thought they'd be easy.
**A lightweight, self-hosted identity & SSO / IpD portal**
Clinch gives you one place to manage users and lets any web app authenticate against it without managing its own users.
@@ -11,6 +13,8 @@ Clinch gives you one place to manage users and lets any web app authenticate aga
Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea, Grafana, Proxmox? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
Clinch runs as a single Docker container, using SQLite as the database, the job queue (Solid Queue) and the shared cache (Solid Cache). The webserver, Puma, runs the job queue in-process, avoiding the need for another container.
Clinch sits in a sweet spot between two excellent open-source identity solutions:
**[Authelia](https://www.authelia.com)** is a fantastic choice for those who prefer external user management through LDAP and enjoy comprehensive YAML-based configuration. It's lightweight, secure, and works beautifully with reverse proxies.
@@ -82,9 +86,37 @@ Features:
- **Refresh tokens** - Long-lived tokens (30 days default) with automatic rotation and revocation
- **Token family tracking** - Advanced security detects token replay attacks and revokes compromised token families
- **Configurable token expiry** - Set access token (5min-24hr), refresh token (1-90 days), and ID token TTL per application
- **Token security** - BCrypt-hashed tokens, automatic cleanup of expired tokens
- **Token security** - All tokens HMAC-SHA256 hashed (suitable for 256-bit random data), automatic cleanup of expired tokens
- **Pairwise subject identifiers** - Each user gets a unique, stable `sub` claim per application for enhanced privacy
**ID Token Claims** (JWT with RS256 signature):
| Claim | Description | Notes |
|-------|-------------|-------|
| Standard Claims | | |
| `iss` | Issuer (Clinch URL) | From `CLINCH_HOST` |
| `sub` | Subject (user identifier) | Pairwise SID - unique per app |
| `aud` | Audience | OAuth client_id |
| `exp` | Expiration timestamp | Configurable TTL |
| `iat` | Issued-at timestamp | Token creation time |
| `email` | User email | |
| `email_verified` | Email verification | Always `true` |
| `preferred_username` | Username/email | Fallback to email |
| `name` | Display name | User's name or email |
| `nonce` | Random value | From auth request (prevents replay) |
| **Security Claims** | | |
| `at_hash` | Access token hash | SHA-256 hash of access_token (OIDC Core §3.1.3.6) |
| `auth_time` | Authentication time | Unix timestamp of when user logged in (OIDC Core §2) |
| `acr` | Auth context class | `"1"` = password, `"2"` = 2FA/passkey (OIDC Core §2) |
| `azp` | Authorized party | OAuth client_id (OIDC Core §2) |
| Custom Claims | | |
| `groups` | User's groups | Array of group names |
| *custom* | Arbitrary key-values | From groups, users, or app-specific config |
**Authentication Context Class Reference (`acr`):**
- `"1"` - Something you know (password only)
- `"2"` - Two-factor or phishing-resistant (TOTP, backup codes, WebAuthn/passkey)
Client apps (Audiobookshelf, Kavita, Proxmox, Grafana, etc.) redirect to Clinch for login and receive ID tokens, access tokens, and refresh tokens.
#### Trusted-Header SSO (ForwardAuth)
@@ -199,9 +231,9 @@ Configure different claims for different applications on a per-user basis:
- Many-to-many with Groups (allowlist)
**OIDC Tokens**
- Authorization codes (10-minute expiry, one-time use, PKCE support)
- Access tokens (opaque, BCrypt-hashed, configurable expiry 5min-24hr, revocable)
- Refresh tokens (opaque, BCrypt-hashed, configurable expiry 1-90 days, single-use with rotation)
- Authorization codes (opaque, HMAC-SHA256 hashed, 10-minute expiry, one-time use, PKCE support)
- Access tokens (opaque, HMAC-SHA256 hashed, configurable expiry 5min-24hr, revocable)
- Refresh tokens (opaque, HMAC-SHA256 hashed, configurable expiry 1-90 days, single-use with rotation)
- ID tokens (JWT, signed with RS256, configurable expiry 5min-24hr)
---
@@ -229,6 +261,24 @@ Configure different claims for different applications on a per-user basis:
- Proxy redirects to Clinch login page
- After login, redirect back to original URL
#### Race Condition Handling
After successful login, you may notice an `fa_token` query parameter appended to redirect URLs (e.g., `https://app.example.com/dashboard?fa_token=...`). This solves a timing issue:
**The Problem:**
1. User signs in → session cookie is set
2. Browser gets redirected to protected resource
3. Browser may not have processed the `Set-Cookie` header yet
4. Reverse proxy checks `/api/verify` → no cookie yet → auth fails ❌
**The Solution:**
- A one-time token (`fa_token`) is added to the redirect URL as a query parameter
- `/api/verify` checks for this token first, before checking cookies
- Token is cached for 60 seconds and deleted immediately after use
- This gives the browser's cookie handling time to catch up
This is transparent to end users and requires no configuration.
---
## Setup & Installation
@@ -254,56 +304,207 @@ bin/rails db:migrate
bin/dev
```
### Docker Deployment
---
## Production Deployment
### Docker Compose (Recommended)
Create a `docker-compose.yml` file:
```yaml
services:
clinch:
image: ghcr.io/dkam/clinch:latest
ports:
- "127.0.0.1:3000:3000" # Bind to localhost only (reverse proxy on same host)
# Use "3000:3000" if reverse proxy is in Docker network or different host
environment:
# Rails Configuration
RAILS_ENV: production
SECRET_KEY_BASE: ${SECRET_KEY_BASE}
# Application Configuration
CLINCH_HOST: ${CLINCH_HOST}
CLINCH_FROM_EMAIL: ${CLINCH_FROM_EMAIL:-noreply@example.com}
# SMTP Configuration
SMTP_ADDRESS: ${SMTP_ADDRESS}
SMTP_PORT: ${SMTP_PORT}
SMTP_DOMAIN: ${SMTP_DOMAIN}
SMTP_USERNAME: ${SMTP_USERNAME}
SMTP_PASSWORD: ${SMTP_PASSWORD}
SMTP_AUTHENTICATION: ${SMTP_AUTHENTICATION:-plain}
SMTP_ENABLE_STARTTLS: ${SMTP_ENABLE_STARTTLS:-true}
# OIDC Configuration (optional - generates temporary key if not provided)
OIDC_PRIVATE_KEY: ${OIDC_PRIVATE_KEY}
# Optional Configuration
FORCE_SSL: ${FORCE_SSL:-false}
volumes:
- ./storage:/rails/storage
restart: unless-stopped
```
Create a `.env` file in the same directory:
**Generate required secrets first:**
```bash
# Build image
docker build -t clinch .
# Generate SECRET_KEY_BASE (required)
openssl rand -hex 64
# Run container
docker run -p 3000:3000 \
-v clinch-storage:/rails/storage \
-e SECRET_KEY_BASE=your-secret-key \
-e SMTP_ADDRESS=smtp.example.com \
-e SMTP_PORT=587 \
-e SMTP_USERNAME=your-username \
-e SMTP_PASSWORD=your-password \
clinch
# Generate OIDC private key (optional - auto-generated if not provided)
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
cat private_key.pem # Copy the output into OIDC_PRIVATE_KEY below
```
**Then create `.env`:**
```bash
# Rails Secret (REQUIRED)
SECRET_KEY_BASE=paste-output-from-openssl-rand-hex-64-here
# Application URLs (REQUIRED)
CLINCH_HOST=https://auth.yourdomain.com
CLINCH_FROM_EMAIL=noreply@yourdomain.com
# SMTP Settings (REQUIRED for invitations and password resets)
SMTP_ADDRESS=smtp.example.com
SMTP_PORT=587
SMTP_DOMAIN=yourdomain.com
SMTP_USERNAME=your-smtp-username
SMTP_PASSWORD=your-smtp-password
# OIDC Private Key (OPTIONAL - generates temporary key if not provided)
# For production, generate a persistent key and paste the ENTIRE contents here
OIDC_PRIVATE_KEY=
# Optional: Force SSL redirects (only if NOT behind a reverse proxy handling SSL)
FORCE_SSL=false
```
Start Clinch:
```bash
docker compose up -d
```
**First Run:**
1. Visit `http://localhost:3000` (or your configured domain)
2. Complete the first-run wizard to create your admin account
3. Configure applications and invite users
**Upgrading:**
```bash
# Pull latest image
docker compose pull
# Restart with new image (migrations run automatically)
docker compose up -d
```
**Logs:**
```bash
# View logs
docker compose logs -f clinch
# View last 100 lines
docker compose logs --tail=100 clinch
```
### Backup & Restore
Clinch stores all persistent data in the `storage/` directory (or `/rails/storage` in Docker):
- SQLite database (`production.sqlite3`)
- Uploaded files via ActiveStorage (application icons)
**Database Backup:**
Use SQLite's `VACUUM INTO` command for safe, atomic backups of a running database:
```bash
# Local development
sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup.sqlite3';"
```
This creates an optimized copy of the database that's safe to make even while Clinch is running.
**Full Backup (Database + Uploads):**
For complete backups including uploaded files, backup the database and uploads separately:
```bash
# 1. Backup database (safe while running)
sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup-$(date +%Y%m%d).sqlite3';"
# 2. Backup uploaded files (ActiveStorage files are immutable)
tar -czf uploads-backup-$(date +%Y%m%d).tar.gz storage/uploads/
# Docker Compose equivalent
docker compose exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup-$(date +%Y%m%d).sqlite3';"
docker compose exec clinch tar -czf /rails/storage/uploads-backup-$(date +%Y%m%d).tar.gz /rails/storage/uploads/
```
**Restore:**
```bash
# Stop Clinch first
# Then restore database
cp backup-YYYYMMDD.sqlite3 storage/production.sqlite3
# Restore uploads
tar -xzf uploads-backup-YYYYMMDD.tar.gz -C storage/
```
**Docker Volume Backup:**
**Option 1: While Running (Online Backup)**
a) **Mapped volumes** (recommended, e.g., `-v /host/path:/rails/storage`):
```bash
# Database backup (safe while running)
sqlite3 /host/path/production.sqlite3 "VACUUM INTO '/host/path/backup-$(date +%Y%m%d).sqlite3';"
# Then sync to off-server storage
rsync -av /host/path/backup-*.sqlite3 /host/path/uploads/ remote:/backups/clinch/
```
b) **Docker volumes** (e.g., using named volumes in compose):
```bash
# Database backup (safe while running)
docker compose exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup.sqlite3';"
# Copy out of container
docker compose cp clinch:/rails/storage/backup.sqlite3 ./backup-$(date +%Y%m%d).sqlite3
```
**Option 2: While Stopped (Offline Backup)**
If Docker is stopped, you can copy the entire storage:
```bash
docker compose down
# For mapped volumes
tar -czf clinch-backup-$(date +%Y%m%d).tar.gz /host/path/
# For docker volumes
docker run --rm -v clinch_storage:/data -v $(pwd):/backup ubuntu \
tar czf /backup/clinch-backup-$(date +%Y%m%d).tar.gz /data
docker compose up -d
```
**Important:** Do not use tar/snapshots on a running database - use `VACUUM INTO` instead or stop the container first.
---
## Configuration
### Environment Variables
Create a `.env` file (see `.env.example`):
```bash
# Rails
SECRET_KEY_BASE=generate-with-bin-rails-secret
RAILS_ENV=production
# Database
# SQLite database stored in storage/ directory (Docker volume mount point)
# SMTP (for sending emails)
SMTP_ADDRESS=smtp.example.com
SMTP_PORT=587
SMTP_DOMAIN=example.com
SMTP_USERNAME=your-username
SMTP_PASSWORD=your-password
SMTP_AUTHENTICATION=plain
SMTP_ENABLE_STARTTLS=true
# Application
CLINCH_HOST=https://auth.example.com
CLINCH_FROM_EMAIL=noreply@example.com
# OIDC (optional - generates temporary key in development)
# Generate with: openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
OIDC_PRIVATE_KEY=<contents-of-private-key.pem>
```
All configuration is handled via environment variables (see the `.env` file in the Docker Compose section above).
### First Run
1. Visit Clinch at `http://localhost:3000` (or your configured domain)
@@ -493,6 +694,81 @@ user.revoke_all_consents!
---
## Testing & Security
### Running Tests
Clinch has comprehensive test coverage with 341 tests covering integration, models, controllers, services, and system tests.
```bash
# Run all tests
bin/rails test
# Run specific test types
bin/rails test:integration
bin/rails test:models
bin/rails test:controllers
bin/rails test:system
# Run with code coverage report
COVERAGE=1 bin/rails test
# View coverage report at coverage/index.html
```
### Security Scanning
Clinch uses multiple automated security tools to ensure code quality and security:
```bash
# Run all security checks
bin/rake security
# Individual security scans
bin/brakeman --no-pager # Static security analysis
bin/bundler-audit check --update # Dependency vulnerability scan
bin/importmap audit # JavaScript dependency scan
```
**Container Image Scanning:**
```bash
# Install Trivy
brew install trivy # macOS
# or use Docker: alias trivy='docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy'
# Build and scan image (CRITICAL and HIGH severity only, like CI)
docker build -t clinch:local .
trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
# Scan only for fixable vulnerabilities
trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
```
**CI/CD Integration:**
All security scans run automatically on every pull request and push to main via GitHub Actions.
**Security Tools:**
- **Brakeman** - Static analysis for Rails security vulnerabilities
- **bundler-audit** - Checks gems for known CVEs
- **Trivy** - Container image vulnerability scanning (OS/system packages)
- **Dependabot** - Automated dependency updates
- **GitHub Secret Scanning** - Detects leaked credentials with push protection
- **SimpleCov** - Code coverage tracking
- **RuboCop** - Code style and quality enforcement
**Current Status:**
- ✅ All security scans passing
- ✅ 341 tests, 1349 assertions, 0 failures
- ✅ No known dependency vulnerabilities
- ✅ Phases 1-4 security hardening complete (18+ vulnerabilities fixed)
- 🟡 3 outstanding security issues (all MEDIUM/LOW priority)
**Security Documentation:**
- [docs/security-todo.md](docs/security-todo.md) - Detailed vulnerability tracking and remediation history
- [docs/beta-checklist.md](docs/beta-checklist.md) - Beta release readiness criteria
---
## Technology Stack
- **Rails 8.1** - Modern Rails with authentication generator

3
app/channels/application_cable/connection.rb
View File

@@ -7,8 +7,9 @@ module ApplicationCable
end
private
def set_current_user
if session = Session.find_by(id: cookies.signed[:session_id])
if (session = Session.find_by(id: cookies.signed[:session_id]))
self.current_user = session.user
end
end

4
app/controllers/admin/applications_controller.rb
View File

@@ -32,13 +32,11 @@ module Admin
client_secret = @application.generate_new_client_secret!
end
if @application.oidc?
flash[:notice] = "Application created successfully."
if @application.oidc?
flash[:client_id] = @application.client_id
flash[:client_secret] = client_secret if client_secret
flash[:public_client] = true if @application.public_client?
else
flash[:notice] = "Application created successfully."
end
redirect_to admin_application_path(@application)

34
app/controllers/api/csp_controller.rb
View File

@@ -8,7 +8,7 @@ module Api
def violation_report
# Parse CSP violation report
report_data = JSON.parse(request.body.read)
csp_report = report_data['csp-report']
csp_report = report_data["csp-report"]
# Validate that we have a proper CSP report
unless csp_report.is_a?(Hash) && csp_report.present?
@@ -19,28 +19,28 @@ module Api
# Log the violation for security monitoring
Rails.logger.warn "CSP Violation Report:"
Rails.logger.warn " Blocked URI: #{csp_report['blocked-uri']}"
Rails.logger.warn " Document URI: #{csp_report['document-uri']}"
Rails.logger.warn " Referrer: #{csp_report['referrer']}"
Rails.logger.warn " Violated Directive: #{csp_report['violated-directive']}"
Rails.logger.warn " Original Policy: #{csp_report['original-policy']}"
Rails.logger.warn " Blocked URI: #{csp_report["blocked-uri"]}"
Rails.logger.warn " Document URI: #{csp_report["document-uri"]}"
Rails.logger.warn " Referrer: #{csp_report["referrer"]}"
Rails.logger.warn " Violated Directive: #{csp_report["violated-directive"]}"
Rails.logger.warn " Original Policy: #{csp_report["original-policy"]}"
Rails.logger.warn " User Agent: #{request.user_agent}"
Rails.logger.warn " IP Address: #{request.remote_ip}"
# Emit structured event for CSP violation
# This allows multiple subscribers to process the event (Sentry, local logging, etc.)
Rails.event.notify("csp.violation", {
blocked_uri: csp_report['blocked-uri'],
document_uri: csp_report['document-uri'],
referrer: csp_report['referrer'],
violated_directive: csp_report['violated-directive'],
original_policy: csp_report['original-policy'],
disposition: csp_report['disposition'],
effective_directive: csp_report['effective-directive'],
source_file: csp_report['source-file'],
line_number: csp_report['line-number'],
column_number: csp_report['column-number'],
status_code: csp_report['status-code'],
blocked_uri: csp_report["blocked-uri"],
document_uri: csp_report["document-uri"],
referrer: csp_report["referrer"],
violated_directive: csp_report["violated-directive"],
original_policy: csp_report["original-policy"],
disposition: csp_report["disposition"],
effective_directive: csp_report["effective-directive"],
source_file: csp_report["source-file"],
line_number: csp_report["line-number"],
column_number: csp_report["column-number"],
status_code: csp_report["status-code"],
user_agent: request.user_agent,
ip_address: request.remote_ip,
current_user_id: Current.user&.id,

22
app/controllers/api/forward_auth_controller.rb
View File

@@ -81,7 +81,10 @@ module Api
# User is authenticated and authorized
# Return 200 with user information headers using app-specific configuration
headers = app ? app.headers_for_user(user) : Application::DEFAULT_HEADERS.map { |key, header_name|
headers = if app
app.headers_for_user(user)
else
Application::DEFAULT_HEADERS.map { |key, header_name|
case key
when :user, :email, :name
[header_name, user.email_address]
@@ -91,12 +94,13 @@ module Api
[header_name, user.admin? ? "true" : "false"]
end
}.compact.to_h
end
headers.each { |key, value| response.headers[key] = value }
# Log what headers we're sending (helpful for debugging)
if headers.any?
Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(', ')}"
Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(", ")}"
else
Rails.logger.debug "ForwardAuth: No headers sent (access only)"
end
@@ -129,8 +133,7 @@ module Api
def extract_session_id
# Extract session ID from cookie
# Rails uses signed cookies by default
session_id = cookies.signed[:session_id]
session_id
cookies.signed[:session_id]
end
def extract_app_from_headers
@@ -155,7 +158,7 @@ module Api
original_uri = request.headers["X-Forwarded-Uri"] || request.headers["X-Forwarded-Path"] || "/"
# Debug logging to see what headers we're getting
Rails.logger.info "ForwardAuth Headers: Host=#{request.headers['Host']}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers['X-Forwarded-Uri']}, X-Forwarded-Path=#{request.headers['X-Forwarded-Path']}"
Rails.logger.info "ForwardAuth Headers: Host=#{request.headers["Host"]}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers["X-Forwarded-Uri"]}, X-Forwarded-Path=#{request.headers["X-Forwarded-Path"]}"
original_url = if original_host
# Use the forwarded host and URI (original behavior)
@@ -203,7 +206,7 @@ module Api
return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
# Only allow HTTPS in production
return nil unless Rails.env.development? || uri.scheme == 'https'
return nil unless Rails.env.development? || uri.scheme == "https"
redirect_domain = uri.host.downcase
return nil unless redirect_domain.present?
@@ -214,7 +217,6 @@ module Api
end
matching_app ? url : nil
rescue URI::InvalidURIError
nil
end
@@ -233,13 +235,13 @@ module Api
return redirect_url if redirect_url.present?
# Try CLINCH_HOST environment variable first
if ENV['CLINCH_HOST'].present?
host = ENV['CLINCH_HOST']
if ENV["CLINCH_HOST"].present?
host = ENV["CLINCH_HOST"]
# Ensure URL has https:// protocol
host.match?(/^https?:\/\//) ? host : "https://#{host}"
else
# Fallback to the request host
request_host = request.host || request.headers['X-Forwarded-Host']
request_host = request.host || request.headers["X-Forwarded-Host"]
if request_host.present?
Rails.logger.warn "ForwardAuth: CLINCH_HOST not set, using request host: #{request_host}"
"https://#{request_host}"

1
app/controllers/application_controller.rb
View File

@@ -1,5 +1,6 @@
class ApplicationController < ActionController::Base
include Authentication
# Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
allow_browser versions: :modern

26
app/controllers/concerns/authentication.rb
View File

@@ -1,6 +1,6 @@
require 'uri'
require 'public_suffix'
require 'ipaddr'
require "uri"
require "public_suffix"
require "ipaddr"
module Authentication
extend ActiveSupport::Concern
@@ -17,6 +17,7 @@ module Authentication
end
private
def authenticated?
resume_session
end
@@ -39,14 +40,13 @@ module Authentication
end
def after_authentication_url
return_url = session[:return_to_after_authenticating]
final_url = session.delete(:return_to_after_authenticating) || root_url
final_url
session[:return_to_after_authenticating]
session.delete(:return_to_after_authenticating) || root_url
end
def start_new_session_for(user)
def start_new_session_for(user, acr: "1")
user.update!(last_sign_in_at: Time.current)
user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip, acr: acr).tap do |session|
Current.session = session
# Extract root domain for cross-subdomain cookies (required for forward auth)
@@ -101,10 +101,14 @@ module Authentication
return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
# Strip port number for domain parsing
host_without_port = host.split(':').first
host_without_port = host.split(":").first
# Check if it's an IP address (IPv4 or IPv6) - if so, don't set domain cookie
return nil if IPAddr.new(host_without_port) rescue false
begin
return nil if IPAddr.new(host_without_port)
rescue
false
end
# Use Public Suffix List for accurate domain parsing
domain = PublicSuffix.parse(host_without_port)
@@ -138,7 +142,7 @@ module Authentication
unless uri.path&.start_with?("/oauth/")
# Add token as query parameter
query_params = URI.decode_www_form(uri.query || "").to_h
query_params['fa_token'] = token
query_params["fa_token"] = token
uri.query = URI.encode_www_form(query_params)
# Update the session with the tokenized URL

10
app/controllers/invitations_controller.rb
View File

@@ -1,7 +1,9 @@
class InvitationsController < ApplicationController
include Authentication
allow_unauthenticated_access
before_action :set_user_by_invitation_token, only: %i[show update]
rate_limit to: 10, within: 10.minutes, only: :update, with: -> { redirect_to signin_path, alert: "Too many attempts. Try again later." }
def show
# Show the password setup form
@@ -35,16 +37,16 @@ class InvitationsController < ApplicationController
# Check if user is still pending invitation
if @user.nil?
redirect_to signin_path, alert: "Invitation link is invalid or has expired."
return false
false
elsif @user.pending_invitation?
# User is valid and pending - proceed
return true
true
else
redirect_to signin_path, alert: "This invitation has already been used or is no longer valid."
return false
false
end
rescue ActiveSupport::MessageVerifier::InvalidSignature
redirect_to signin_path, alert: "Invitation link is invalid or has expired."
return false
false
end
end

239
app/controllers/oidc_controller.rb
View File

@@ -1,7 +1,7 @@
class OidcController < ApplicationController
# Discovery and JWKS endpoints are public
allow_unauthenticated_access only: [:discovery, :jwks, :token, :revoke, :userinfo, :logout]
skip_before_action :verify_authenticity_token, only: [:token, :revoke, :logout]
skip_before_action :verify_authenticity_token, only: [:token, :revoke, :userinfo, :logout]
# Rate limiting to prevent brute force and abuse
rate_limit to: 60, within: 1.minute, only: [:token, :revoke], with: -> {
@@ -30,7 +30,17 @@ class OidcController < ApplicationController
id_token_signing_alg_values_supported: ["RS256"],
scopes_supported: ["openid", "profile", "email", "groups", "offline_access"],
token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
claims_supported: ["sub", "email", "email_verified", "name", "preferred_username", "groups", "admin"],
claims_supported: [
"sub", # Always included
"email", # email scope
"email_verified", # email scope
"name", # profile scope
"preferred_username", # profile scope
"updated_at", # profile scope
"groups" # groups scope
# Note: Custom claims are also supported but not listed here
# ID-token-only claims (auth_time, acr, azp, at_hash, nonce) are not listed
],
code_challenge_methods_supported: ["plain", "S256"],
backchannel_logout_supported: true,
backchannel_logout_session_supported: true
@@ -56,32 +66,14 @@ class OidcController < ApplicationController
code_challenge = params[:code_challenge]
code_challenge_method = params[:code_challenge_method] || "plain"
# Validate required parameters
unless client_id.present? && redirect_uri.present? && response_type == "code"
error_details = []
error_details << "client_id is required" unless client_id.present?
error_details << "redirect_uri is required" unless redirect_uri.present?
error_details << "response_type must be 'code'" unless response_type == "code"
render plain: "Invalid request: #{error_details.join(', ')}", status: :bad_request
# Validate client_id first (required before we can look up the application)
# OAuth2 RFC 6749 Section 4.1.2.1: If client_id is missing/invalid, show error page (don't redirect)
unless client_id.present?
render plain: "Invalid request: client_id is required", status: :bad_request
return
end
# Validate PKCE parameters if present
if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method)
render plain: "Invalid code_challenge_method: must be 'plain' or 'S256'", status: :bad_request
return
end
# Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
render plain: "Invalid code_challenge format: must be 43-128 characters of base64url encoding", status: :bad_request
return
end
end
# Find the application
# Find the application by client_id
@application = Application.find_by(client_id: client_id, app_type: "oidc")
unless @application
# Log all OIDC applications for debugging
@@ -90,7 +82,7 @@ class OidcController < ApplicationController
Rails.logger.error "OAuth: Available OIDC applications: #{all_oidc_apps.pluck(:id, :client_id, :name)}"
error_msg = if Rails.env.development?
"Invalid request: Application not found for client_id '#{client_id}'. Available OIDC applications: #{all_oidc_apps.pluck(:name, :client_id).map { |name, id| "#{name} (#{id})" }.join(', ')}"
"Invalid request: Application not found for client_id '#{client_id}'. Available OIDC applications: #{all_oidc_apps.pluck(:name, :client_id).map { |name, id| "#{name} (#{id})" }.join(", ")}"
else
"Invalid request: Application not found"
end
@@ -99,13 +91,20 @@ class OidcController < ApplicationController
return
end
# Validate redirect URI first (required before we can safely redirect with errors)
# Validate redirect_uri presence and format
# OAuth2 RFC 6749 Section 4.1.2.1: If redirect_uri is missing/invalid, show error page (don't redirect)
unless redirect_uri.present?
render plain: "Invalid request: redirect_uri is required", status: :bad_request
return
end
# Validate redirect URI matches one of the registered URIs
unless @application.parsed_redirect_uris.include?(redirect_uri)
Rails.logger.error "OAuth: Invalid request - redirect URI mismatch. Expected: #{@application.parsed_redirect_uris}, Got: #{redirect_uri}"
# For development, show detailed error
error_msg = if Rails.env.development?
"Invalid request: Redirect URI mismatch. Application is configured for: #{@application.parsed_redirect_uris.join(', ')}, but received: #{redirect_uri}"
"Invalid request: Redirect URI mismatch. Application is configured for: #{@application.parsed_redirect_uris.join(", ")}, but received: #{redirect_uri}"
else
"Invalid request: Redirect URI not registered for this application"
end
@@ -114,6 +113,44 @@ class OidcController < ApplicationController
return
end
# ============================================================================
# At this point we have a valid client_id and redirect_uri
# All subsequent errors should redirect back to the client with error parameters
# per OAuth2 RFC 6749 Section 4.1.2.1
# ============================================================================
# Validate response_type (now we can safely redirect with error)
unless response_type == "code"
Rails.logger.error "OAuth: Invalid response_type: #{response_type}"
error_uri = "#{redirect_uri}?error=unsupported_response_type"
error_uri += "&error_description=#{CGI.escape("Only 'code' response_type is supported")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate PKCE parameters if present (now we can safely redirect with error)
if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method)
Rails.logger.error "OAuth: Invalid code_challenge_method: #{code_challenge_method}"
error_uri = "#{redirect_uri}?error=invalid_request"
error_uri += "&error_description=#{CGI.escape("Invalid code_challenge_method: must be 'plain' or 'S256'")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
# Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
Rails.logger.error "OAuth: Invalid code_challenge format"
error_uri = "#{redirect_uri}?error=invalid_request"
error_uri += "&error_description=#{CGI.escape("Invalid code_challenge format: must be 43-128 characters of base64url encoding")}"
error_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to error_uri, allow_other_host: true
return
end
end
# Check if application is active (now we can safely redirect with error)
unless @application.active?
Rails.logger.error "OAuth: Application is not active: #{@application.name}"
@@ -154,21 +191,21 @@ class OidcController < ApplicationController
existing_consent = user.has_oidc_consent?(@application, requested_scopes)
if existing_consent
# User has already consented, generate authorization code directly
code = SecureRandom.urlsafe_base64(32)
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: user,
code: code,
redirect_uri: redirect_uri,
scope: scope,
nonce: nonce,
code_challenge: code_challenge,
code_challenge_method: code_challenge_method,
auth_time: Current.session.created_at.to_i,
acr: Current.session.acr,
expires_at: 10.minutes.from_now
)
# Redirect back to client with authorization code
redirect_uri = "#{redirect_uri}?code=#{code}"
# Redirect back to client with authorization code (plaintext)
redirect_uri = "#{redirect_uri}?code=#{auth_code.plaintext_code}"
redirect_uri += "&state=#{CGI.escape(state)}" if state.present?
redirect_to redirect_uri, allow_other_host: true
return
@@ -223,22 +260,22 @@ class OidcController < ApplicationController
# User denied consent
if params[:deny].present?
session.delete(:oauth_params)
error_uri = "#{oauth_params['redirect_uri']}?error=access_denied"
error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
error_uri = "#{oauth_params["redirect_uri"]}?error=access_denied"
error_uri += "&state=#{CGI.escape(oauth_params["state"])}" if oauth_params["state"]
redirect_to error_uri, allow_other_host: true
return
end
# Find the application
client_id = oauth_params['client_id']
client_id = oauth_params["client_id"]
application = Application.find_by(client_id: client_id, app_type: "oidc")
# Check if application is active (redirect with OAuth error)
unless application&.active?
Rails.logger.error "OAuth: Application is not active: #{application&.name || client_id}"
session.delete(:oauth_params)
error_uri = "#{oauth_params['redirect_uri']}?error=unauthorized_client&error_description=Application+is+not+active"
error_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state'].present?
error_uri = "#{oauth_params["redirect_uri"]}?error=unauthorized_client&error_description=Application+is+not+active"
error_uri += "&state=#{CGI.escape(oauth_params["state"])}" if oauth_params["state"].present?
redirect_to error_uri, allow_other_host: true
return
end
@@ -246,37 +283,32 @@ class OidcController < ApplicationController
user = Current.session.user
# Record user consent
requested_scopes = oauth_params['scope'].split(' ')
OidcUserConsent.upsert(
{
user_id: user.id,
application_id: application.id,
scopes_granted: requested_scopes.join(' '),
granted_at: Time.current
},
unique_by: [:user_id, :application_id]
)
requested_scopes = oauth_params["scope"].split(" ")
consent = OidcUserConsent.find_or_initialize_by(user: user, application: application)
consent.scopes_granted = requested_scopes.join(" ")
consent.granted_at = Time.current
consent.save!
# Generate authorization code
code = SecureRandom.urlsafe_base64(32)
auth_code = OidcAuthorizationCode.create!(
application: application,
user: user,
code: code,
redirect_uri: oauth_params['redirect_uri'],
scope: oauth_params['scope'],
nonce: oauth_params['nonce'],
code_challenge: oauth_params['code_challenge'],
code_challenge_method: oauth_params['code_challenge_method'],
redirect_uri: oauth_params["redirect_uri"],
scope: oauth_params["scope"],
nonce: oauth_params["nonce"],
code_challenge: oauth_params["code_challenge"],
code_challenge_method: oauth_params["code_challenge_method"],
auth_time: Current.session.created_at.to_i,
acr: Current.session.acr,
expires_at: 10.minutes.from_now
)
# Clear OAuth params from session
session.delete(:oauth_params)
# Redirect back to client with authorization code
redirect_uri = "#{oauth_params['redirect_uri']}?code=#{code}"
redirect_uri += "&state=#{CGI.escape(oauth_params['state'])}" if oauth_params['state']
# Redirect back to client with authorization code (plaintext)
redirect_uri = "#{oauth_params["redirect_uri"]}?code=#{auth_code.plaintext_code}"
redirect_uri += "&state=#{CGI.escape(oauth_params["state"])}" if oauth_params["state"]
redirect_to redirect_uri, allow_other_host: true
end
@@ -335,12 +367,10 @@ class OidcController < ApplicationController
redirect_uri = params[:redirect_uri]
code_verifier = params[:code_verifier]
auth_code = OidcAuthorizationCode.find_by(
application: application,
code: code
)
# Find authorization code using HMAC verification
auth_code = OidcAuthorizationCode.find_by_plaintext(code)
unless auth_code
unless auth_code && auth_code.application == application
render json: {error: "invalid_grant"}, status: :bad_request
return
end
@@ -410,7 +440,9 @@ class OidcController < ApplicationController
application: application,
user: user,
oidc_access_token: access_token_record,
scope: auth_code.scope
scope: auth_code.scope,
auth_time: auth_code.auth_time,
acr: auth_code.acr
)
# Find user consent for this application
@@ -422,13 +454,18 @@ class OidcController < ApplicationController
return
end
# Generate ID token (JWT) with pairwise SID and at_hash
# Generate ID token (JWT) with pairwise SID, at_hash, auth_time, and acr
# auth_time and acr come from the authorization code (captured at /authorize time)
# scopes determine which claims are included (per OIDC Core spec)
id_token = OidcJwtService.generate_id_token(
user,
application,
consent: consent,
nonce: auth_code.nonce,
access_token: access_token_record.plaintext_token
access_token: access_token_record.plaintext_token,
auth_time: auth_code.auth_time,
acr: auth_code.acr,
scopes: auth_code.scope
)
# Return tokens
@@ -533,7 +570,9 @@ class OidcController < ApplicationController
user: user,
oidc_access_token: new_access_token,
scope: refresh_token_record.scope,
token_family_id: refresh_token_record.token_family_id # Keep same family for rotation tracking
token_family_id: refresh_token_record.token_family_id, # Keep same family for rotation tracking
auth_time: refresh_token_record.auth_time, # Carry over original auth_time
acr: refresh_token_record.acr # Carry over original acr
)
# Find user consent for this application
@@ -545,12 +584,17 @@ class OidcController < ApplicationController
return
end
# Generate new ID token (JWT with pairwise SID and at_hash, no nonce for refresh grants)
# Generate new ID token (JWT with pairwise SID, at_hash, auth_time, acr; no nonce for refresh grants)
# auth_time and acr come from the original refresh token (carried over from initial auth)
# scopes determine which claims are included (per OIDC Core spec)
id_token = OidcJwtService.generate_id_token(
user,
application,
consent: consent,
access_token: new_access_token.plaintext_token
access_token: new_access_token.plaintext_token,
auth_time: refresh_token_record.auth_time,
acr: refresh_token_record.acr,
scopes: refresh_token_record.scope
)
# Return new tokens
@@ -566,17 +610,22 @@ class OidcController < ApplicationController
render json: {error: "invalid_grant"}, status: :bad_request
end
# GET /oauth/userinfo
# GET/POST /oauth/userinfo
# OIDC Core spec: UserInfo endpoint MUST support GET, SHOULD support POST
def userinfo
# Extract access token from Authorization header
auth_header = request.headers["Authorization"]
unless auth_header&.start_with?("Bearer ")
# Extract access token from Authorization header or POST body
# RFC 6750: Bearer token can be in Authorization header, request body, or query string
token = if request.headers["Authorization"]&.start_with?("Bearer ")
request.headers["Authorization"].sub("Bearer ", "")
elsif request.params["access_token"].present?
request.params["access_token"]
end
unless token
head :unauthorized
return
end
token = auth_header.sub("Bearer ", "")
# Find and validate access token (opaque token with BCrypt hashing)
access_token = OidcAccessToken.find_by_token(token)
unless access_token&.active?
@@ -602,17 +651,35 @@ class OidcController < ApplicationController
consent = OidcUserConsent.find_by(user: user, application: access_token.application)
subject = consent&.sid || user.id.to_s
# Return user claims
# Parse scopes from access token (space-separated string)
requested_scopes = access_token.scope.to_s.split
# Return user claims (filter by scope per OIDC Core spec)
# Required claims (always included)
claims = {
sub: subject,
email: user.email_address,
email_verified: true,
preferred_username: user.email_address,
name: user.name.presence || user.email_address
sub: subject
}
# Add groups if user has any
if user.groups.any?
# Email claims (only if 'email' scope requested)
if requested_scopes.include?("email")
claims[:email] = user.email_address
claims[:email_verified] = true
end
# Profile claims (only if 'profile' scope requested)
# Per OIDC Core spec section 5.4, include available profile claims
# Only include claims we have data for - omit unknown claims rather than returning null
if requested_scopes.include?("profile")
# Use username if available, otherwise email as preferred_username
claims[:preferred_username] = user.username.presence || user.email_address
# Name: use stored name or fall back to email
claims[:name] = user.name.presence || user.email_address
# Time the user's information was last updated
claims[:updated_at] = user.updated_at.to_i
end
# Groups claim (only if 'groups' scope requested)
if requested_scopes.include?("groups") && user.groups.any?
claims[:groups] = user.groups.pluck(:name)
end
@@ -647,7 +714,7 @@ class OidcController < ApplicationController
# Find and validate the application
application = Application.find_by(client_id: client_id)
unless application && application.authenticate_client_secret(client_secret)
unless application&.authenticate_client_secret(client_secret)
Rails.logger.warn "OAuth: Token revocation attempted for invalid application: #{client_id}"
head :ok
return
@@ -692,7 +759,7 @@ class OidcController < ApplicationController
if access_token_record
access_token_record.revoke!
Rails.logger.info "OAuth: Access token revoked for application #{application.name}"
revoked = true
true
end
end
@@ -706,7 +773,7 @@ class OidcController < ApplicationController
# OpenID Connect RP-Initiated Logout
# Handle id_token_hint and post_logout_redirect_uri parameters
id_token_hint = params[:id_token_hint]
params[:id_token_hint]
post_logout_redirect_uri = params[:post_logout_redirect_uri]
state = params[:state]
@@ -832,7 +899,7 @@ class OidcController < ApplicationController
return nil unless parsed_uri.is_a?(URI::HTTP) || parsed_uri.is_a?(URI::HTTPS)
# Only allow HTTPS in production
return nil if Rails.env.production? && parsed_uri.scheme != 'https'
return nil if Rails.env.production? && parsed_uri.scheme != "https"
# Check if URI matches any registered OIDC application's redirect URIs
# According to OIDC spec, post_logout_redirect_uri should be pre-registered

4
app/controllers/passwords_controller.rb
View File

@@ -2,12 +2,13 @@ class PasswordsController < ApplicationController
allow_unauthenticated_access
before_action :set_user_by_token, only: %i[edit update]
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_password_path, alert: "Try again later." }
rate_limit to: 10, within: 10.minutes, only: :update, with: -> { redirect_to new_password_path, alert: "Too many attempts. Try again later." }
def new
end
def create
if user = User.find_by(email_address: params[:email_address])
if (user = User.find_by(email_address: params[:email_address]))
PasswordsMailer.reset(user).deliver_later
end
@@ -27,6 +28,7 @@ class PasswordsController < ApplicationController
end
private
def set_user_by_token
@user = User.find_by_token_for(:password_reset, params[:token])
redirect_to new_password_path, alert: "Password reset link is invalid or has expired." if @user.nil?

23
app/controllers/sessions_controller.rb
View File

@@ -71,8 +71,8 @@ class SessionsController < ApplicationController
return
end
# Sign in successful
start_new_session_for user
# Sign in successful (password only)
start_new_session_for user, acr: "1"
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
end
@@ -101,33 +101,33 @@ class SessionsController < ApplicationController
return
end
# Try TOTP verification first
# Try TOTP verification first (password + TOTP = 2FA)
if user.verify_totp(code)
session.delete(:pending_totp_user_id)
# Restore redirect URL if it was preserved
if session[:totp_redirect_url].present?
session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
end
start_new_session_for user
start_new_session_for user, acr: "2"
redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
return
end
# Try backup code verification
# Try backup code verification (password + backup code = 2FA)
if user.verify_backup_code(code)
session.delete(:pending_totp_user_id)
# Restore redirect URL if it was preserved
if session[:totp_redirect_url].present?
session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
end
start_new_session_for user
start_new_session_for user, acr: "2"
redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
return
end
# Invalid code
redirect_to totp_verification_path, alert: "Invalid verification code. Please try again."
return
nil
end
# Just render the form
@@ -191,7 +191,6 @@ class SessionsController < ApplicationController
session[:webauthn_challenge] = options.challenge
render json: options
rescue => e
Rails.logger.error "WebAuthn challenge generation error: #{e.message}"
render json: {error: "Failed to generate WebAuthn challenge"}, status: :internal_server_error
@@ -268,15 +267,14 @@ class SessionsController < ApplicationController
session[:return_to_after_authenticating] = session.delete(:webauthn_redirect_url)
end
# Create session
start_new_session_for user
# Create session (WebAuthn/passkey = phishing-resistant, ACR = "2")
start_new_session_for user, acr: "2"
render json: {
success: true,
redirect_to: after_authentication_url,
message: "Signed in successfully with passkey"
}
rescue WebAuthn::Error => e
Rails.logger.error "WebAuthn verification error: #{e.message}"
render json: {error: "Authentication failed: #{e.message}"}, status: :unprocessable_entity
@@ -301,7 +299,7 @@ class SessionsController < ApplicationController
return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
# Only allow HTTPS in production
return nil unless Rails.env.development? || uri.scheme == 'https'
return nil unless Rails.env.development? || uri.scheme == "https"
redirect_domain = uri.host.downcase
return nil unless redirect_domain.present?
@@ -312,7 +310,6 @@ class SessionsController < ApplicationController
end
matching_app ? url : nil
rescue URI::InvalidURIError
nil
end

8
app/controllers/webauthn_controller.rb
View File

@@ -96,7 +96,6 @@ class WebauthnController < ApplicationController
message: "Passkey '#{nickname}' registered successfully",
credential_id: @webauthn_credential.id
}
rescue WebAuthn::Error => e
Rails.logger.error "WebAuthn registration error: #{e.message}"
render json: {error: "Failed to register passkey: #{e.message}"}, status: :unprocessable_entity
@@ -158,7 +157,7 @@ class WebauthnController < ApplicationController
def extract_credential_params
# Use require.permit which is working and reliable
# The JavaScript sends params both directly and wrapped in webauthn key
begin
# Try direct parameters first
credential_params = params.require(:credential).permit(:id, :rawId, :type, response: {}, clientExtensionResults: {})
nickname = params.require(:nickname)
@@ -169,7 +168,6 @@ class WebauthnController < ApplicationController
webauthn_params = params.require(:webauthn).permit(:nickname, credential: [:id, :rawId, :type, response: {}, clientExtensionResults: {}])
[webauthn_params[:credential], webauthn_params[:nickname]]
end
end
def set_webauthn_credential
user = Current.session&.user
@@ -184,11 +182,11 @@ class WebauthnController < ApplicationController
# Helper method to convert Base64 to Base64URL if needed
def base64_to_base64url(str)
str.gsub('+', '-').gsub('/', '_').gsub(/=+$/, '')
str.tr("+", "-").tr("/", "_").gsub(/=+$/, "")
end
# Helper method to convert Base64URL to Base64 if needed
def base64url_to_base64(str)
str.gsub('-', '+').gsub('_', '/') + '=' * (4 - str.length % 4) % 4
str.tr("-", "+").tr("_", "/") + "=" * (4 - str.length % 4) % 4
end
end

10
app/helpers/application_helper.rb
View File

@@ -22,11 +22,11 @@ module ApplicationHelper
def border_class_for(type)
case type.to_s
when 'notice' then 'border-green-200'
when 'alert', 'error' then 'border-red-200'
when 'warning' then 'border-yellow-200'
when 'info' then 'border-blue-200'
else 'border-gray-200'
when "notice" then "border-green-200"
when "alert", "error" then "border-red-200"
when "warning" then "border-yellow-200"
when "info" then "border-blue-200"
else "border-gray-200"
end
end
end

4
app/helpers/claims_helper.rb
View File

@@ -25,9 +25,7 @@ module ClaimsHelper
claims = deep_merge_claims(claims, user.parsed_custom_claims)
# Merge app-specific claims (arrays are combined)
claims = deep_merge_claims(claims, application.custom_claims_for_user(user))
claims
deep_merge_claims(claims, application.custom_claims_for_user(user))
end
# Get claim sources breakdown for display

8
app/jobs/backchannel_logout_job.rb
View File

@@ -29,9 +29,9 @@ class BackchannelLogoutJob < ApplicationJob
uri = URI.parse(application.backchannel_logout_uri)
begin
response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https', open_timeout: 5, read_timeout: 5) do |http|
request = Net::HTTP::Post.new(uri.path.presence || '/')
request['Content-Type'] = 'application/x-www-form-urlencoded'
response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", open_timeout: 5, read_timeout: 5) do |http|
request = Net::HTTP::Post.new(uri.path.presence || "/")
request["Content-Type"] = "application/x-www-form-urlencoded"
request.set_form_data({logout_token: logout_token})
http.request(request)
end
@@ -44,7 +44,7 @@ class BackchannelLogoutJob < ApplicationJob
rescue Net::OpenTimeout, Net::ReadTimeout => e
Rails.logger.warn "BackchannelLogout: Timeout sending logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.message}"
raise # Retry on timeout
rescue StandardError => e
rescue => e
Rails.logger.error "BackchannelLogout: Failed to send logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.class} - #{e.message}"
raise # Retry on error
end

2
app/mailers/application_mailer.rb
View File

@@ -1,4 +1,4 @@
class ApplicationMailer < ActionMailer::Base
default from: ENV.fetch('CLINCH_FROM_EMAIL', 'clinch@example.com')
default from: ENV.fetch("CLINCH_FROM_EMAIL", "clinch@example.com")
layout "mailer"
end

42
app/models/application.rb
View File

@@ -20,15 +20,15 @@ class Application < ApplicationRecord
validates :name, presence: true
validates :slug, presence: true, uniqueness: {case_sensitive: false},
format: { with: /\A[a-z0-9\-]+\z/, message: "only lowercase letters, numbers, and hyphens" }
format: {with: /\A[a-z0-9-]+\z/, message: "only lowercase letters, numbers, and hyphens"}
validates :app_type, presence: true,
inclusion: {in: %w[oidc forward_auth]}
validates :client_id, uniqueness: {allow_nil: true}
validates :client_secret, presence: true, on: :create, if: -> { oidc? && confidential_client? }
validates :domain_pattern, presence: true, uniqueness: {case_sensitive: false}, if: :forward_auth?
validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
validates :landing_url, format: {with: URI::RFC2396_PARSER.make_regexp(%w[http https]), allow_nil: true, message: "must be a valid URL"}
validates :backchannel_logout_uri, format: {
with: URI::regexp(%w[http https]),
with: URI::RFC2396_PARSER.make_regexp(%w[http https]),
allow_nil: true,
message: "must be a valid HTTP or HTTPS URL"
}
@@ -56,11 +56,11 @@ class Application < ApplicationRecord
# Default header configuration for ForwardAuth
DEFAULT_HEADERS = {
user: 'X-Remote-User',
email: 'X-Remote-Email',
name: 'X-Remote-Name',
groups: 'X-Remote-Groups',
admin: 'X-Remote-Admin'
user: "X-Remote-User",
email: "X-Remote-Email",
name: "X-Remote-Name",
groups: "X-Remote-Groups",
admin: "X-Remote-Admin"
}.freeze
# Scopes
@@ -135,8 +135,8 @@ class Application < ApplicationRecord
def matches_domain?(domain)
return false if domain.blank? || !forward_auth?
pattern = domain_pattern.gsub('.', '\.')
pattern = pattern.gsub('*', '[^.]*')
pattern = domain_pattern.gsub(".", '\.')
pattern = pattern.gsub("*", "[^.]*")
regex = Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
regex.match?(domain.downcase)
@@ -144,18 +144,18 @@ class Application < ApplicationRecord
# Policy determination based on user status (for ForwardAuth)
def policy_for_user(user)
return 'deny' unless active?
return 'deny' unless user.active?
return "deny" unless active?
return "deny" unless user.active?
# If no groups specified, bypass authentication
return 'bypass' if allowed_groups.empty?
return "bypass" if allowed_groups.empty?
# If user is in allowed groups, determine auth level
if user_allowed?(user)
# Require 2FA if user has TOTP configured, otherwise one factor
user.totp_enabled? ? 'two_factor' : 'one_factor'
user.totp_enabled? ? "two_factor" : "one_factor"
else
'deny'
"deny"
end
end
@@ -197,7 +197,7 @@ class Application < ApplicationRecord
def generate_new_client_secret!
secret = SecureRandom.urlsafe_base64(48)
self.client_secret = secret
self.save!
save!
secret
end
@@ -260,14 +260,14 @@ class Application < ApplicationRecord
return unless icon.attached?
# Check content type
allowed_types = ['image/png', 'image/jpg', 'image/jpeg', 'image/gif', 'image/svg+xml']
allowed_types = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
unless allowed_types.include?(icon.content_type)
errors.add(:icon, 'must be a PNG, JPG, GIF, or SVG image')
errors.add(:icon, "must be a PNG, JPG, GIF, or SVG image")
end
# Check file size (2MB limit)
if icon.blob.byte_size > 2.megabytes
errors.add(:icon, 'must be less than 2MB')
errors.add(:icon, "must be less than 2MB")
end
end
@@ -302,8 +302,8 @@ class Application < ApplicationRecord
begin
uri = URI.parse(backchannel_logout_uri)
unless uri.scheme == 'https'
errors.add(:backchannel_logout_uri, 'must use HTTPS in production')
unless uri.scheme == "https"
errors.add(:backchannel_logout_uri, "must use HTTPS in production")
end
rescue URI::InvalidURIError
# Let the format validator handle invalid URIs

2
app/models/application_user_claim.rb
View File

@@ -25,7 +25,7 @@ class ApplicationUserClaim < ApplicationRecord
reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
if reserved_used.any?
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
end
end
end

53
app/models/concerns/token_prefixable.rb
View File

@@ -1,53 +0,0 @@
module TokenPrefixable
extend ActiveSupport::Concern
class_methods do
# Compute HMAC prefix from plaintext token
# Returns first 8 chars of Base64url-encoded HMAC
# Does NOT reveal anything about the token
def compute_token_prefix(plaintext_token)
return nil if plaintext_token.blank?
hmac = OpenSSL::HMAC.digest('SHA256', TokenHmac::KEY, plaintext_token)
Base64.urlsafe_encode64(hmac)[0..7]
end
# Find token using HMAC prefix lookup (fast, indexed)
def find_by_token(plaintext_token)
return nil if plaintext_token.blank?
prefix = compute_token_prefix(plaintext_token)
# Fast indexed lookup by HMAC prefix
where(token_prefix: prefix).find_each do |token|
return token if token.token_matches?(plaintext_token)
end
nil
end
end
# Check if a plaintext token matches the hashed token
def token_matches?(plaintext_token)
return false if plaintext_token.blank? || token_digest.blank?
BCrypt::Password.new(token_digest) == plaintext_token
rescue BCrypt::Errors::InvalidHash
false
end
# Generate new token with HMAC prefix
# Sets both virtual attribute (for returning to client) and digest (for storage)
def generate_token_with_prefix
plaintext = SecureRandom.urlsafe_base64(48)
self.token_prefix = self.class.compute_token_prefix(plaintext)
self.token_digest = BCrypt::Password.create(plaintext)
# Set the virtual attribute - different models use different names
if respond_to?(:plaintext_token=)
self.plaintext_token = plaintext # OidcAccessToken
elsif respond_to?(:token=)
self.token = plaintext # OidcRefreshToken
end
end
end

2
app/models/group.rb
View File

@@ -28,7 +28,7 @@ class Group < ApplicationRecord
reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
if reserved_used.any?
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
end
end
end

30
app/models/oidc_access_token.rb
View File

@@ -1,15 +1,12 @@
class OidcAccessToken < ApplicationRecord
include TokenPrefixable
belongs_to :application
belongs_to :user
has_many :oidc_refresh_tokens, dependent: :destroy
before_validation :generate_token_with_prefix, on: :create
before_validation :generate_token, on: :create
before_validation :set_expiry, on: :create
validates :token_digest, presence: true
validates :token_prefix, presence: true
validates :token_hmac, presence: true, uniqueness: true
scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -18,6 +15,19 @@ class OidcAccessToken < ApplicationRecord
attr_accessor :plaintext_token # Store plaintext temporarily for returning to client
# Find access token by plaintext token using HMAC verification
def self.find_by_token(plaintext_token)
return nil if plaintext_token.blank?
token_hmac = compute_token_hmac(plaintext_token)
find_by(token_hmac: token_hmac)
end
# Compute HMAC for token lookup
def self.compute_token_hmac(plaintext_token)
OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_token)
end
def expired?
expires_at <= Time.current
end
@@ -36,11 +46,15 @@ class OidcAccessToken < ApplicationRecord
oidc_refresh_tokens.each(&:revoke!)
end
# find_by_token, token_matches?, and generate_token_with_prefix
# are now provided by TokenPrefixable concern
private
def generate_token
# Generate random plaintext token
self.plaintext_token ||= SecureRandom.urlsafe_base64(48)
# Store HMAC in database (not plaintext)
self.token_hmac ||= self.class.compute_token_hmac(plaintext_token)
end
def set_expiry
self.expires_at ||= application.access_token_expiry
end

22
app/models/oidc_authorization_code.rb
View File

@@ -2,10 +2,12 @@ class OidcAuthorizationCode < ApplicationRecord
belongs_to :application
belongs_to :user
attr_accessor :plaintext_code
before_validation :generate_code, on: :create
before_validation :set_expiry, on: :create
validates :code, presence: true, uniqueness: true
validates :code_hmac, presence: true, uniqueness: true
validates :redirect_uri, presence: true
validates :code_challenge_method, inclusion: {in: %w[plain S256], allow_nil: true}
validate :validate_code_challenge_format, if: -> { code_challenge.present? }
@@ -13,6 +15,19 @@ class OidcAuthorizationCode < ApplicationRecord
scope :valid, -> { where(used: false).where("expires_at > ?", Time.current) }
scope :expired, -> { where("expires_at <= ?", Time.current) }
# Find authorization code by plaintext code using HMAC verification
def self.find_by_plaintext(plaintext_code)
return nil if plaintext_code.blank?
code_hmac = compute_code_hmac(plaintext_code)
find_by(code_hmac: code_hmac)
end
# Compute HMAC for code lookup
def self.compute_code_hmac(plaintext_code)
OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_code)
end
def expired?
expires_at <= Time.current
end
@@ -32,7 +47,10 @@ class OidcAuthorizationCode < ApplicationRecord
private
def generate_code
self.code ||= SecureRandom.urlsafe_base64(32)
# Generate random plaintext code
self.plaintext_code ||= SecureRandom.urlsafe_base64(32)
# Store HMAC in database (not plaintext)
self.code_hmac ||= self.class.compute_code_hmac(plaintext_code)
end
def set_expiry

30
app/models/oidc_refresh_token.rb
View File

@@ -1,16 +1,13 @@
class OidcRefreshToken < ApplicationRecord
include TokenPrefixable
belongs_to :application
belongs_to :user
belongs_to :oidc_access_token
before_validation :generate_token_with_prefix, on: :create
before_validation :generate_token, on: :create
before_validation :set_expiry, on: :create
before_validation :set_token_family_id, on: :create
validates :token_digest, presence: true, uniqueness: true
validates :token_prefix, presence: true
validates :token_hmac, presence: true, uniqueness: true
scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
scope :expired, -> { where("expires_at <= ?", Time.current) }
@@ -22,6 +19,19 @@ class OidcRefreshToken < ApplicationRecord
attr_accessor :token # Store plaintext token temporarily for returning to client
# Find refresh token by plaintext token using HMAC verification
def self.find_by_token(plaintext_token)
return nil if plaintext_token.blank?
token_hmac = compute_token_hmac(plaintext_token)
find_by(token_hmac: token_hmac)
end
# Compute HMAC for token lookup
def self.compute_token_hmac(plaintext_token)
OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_token)
end
def expired?
expires_at <= Time.current
end
@@ -45,11 +55,15 @@ class OidcRefreshToken < ApplicationRecord
OidcRefreshToken.in_family(token_family_id).update_all(revoked_at: Time.current)
end
# find_by_token, token_matches?, and generate_token_with_prefix
# are now provided by TokenPrefixable concern
private
def generate_token
# Generate random plaintext token
self.token ||= SecureRandom.urlsafe_base64(48)
# Store HMAC in database (not plaintext)
self.token_hmac ||= self.class.compute_token_hmac(token)
end
def set_expiry
# Use application's configured refresh token TTL
self.expires_at ||= application.refresh_token_expiry

22
app/models/oidc_user_consent.rb
View File

@@ -10,12 +10,12 @@ class OidcUserConsent < ApplicationRecord
# Parse scopes_granted into an array
def scopes
scopes_granted.split(' ')
scopes_granted.split(" ")
end
# Set scopes from an array
def scopes=(scope_array)
self.scopes_granted = Array(scope_array).uniq.join(' ')
self.scopes_granted = Array(scope_array).uniq.join(" ")
end
# Check if this consent covers the requested scopes
@@ -31,18 +31,18 @@ class OidcUserConsent < ApplicationRecord
def formatted_scopes
scopes.map do |scope|
case scope
when 'openid'
'Basic authentication'
when 'profile'
'Profile information'
when 'email'
'Email address'
when 'groups'
'Group membership'
when "openid"
"Basic authentication"
when "profile"
"Profile information"
when "email"
"Email address"
when "groups"
"Group membership"
else
scope.humanize
end
end.join(', ')
end.join(", ")
end
# Find consent by SID

9
app/models/user.rb
View File

@@ -122,12 +122,7 @@ class User < ApplicationRecord
cache_key = "backup_code_failed_attempts_#{id}"
attempts = Rails.cache.read(cache_key) || 0
if attempts >= 5 # Allow max 5 failed attempts per hour
true
else
# Don't increment here - increment only on failed attempts
false
end
attempts >= 5
end
# Increment failed attempt counter
@@ -231,7 +226,7 @@ class User < ApplicationRecord
reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
if reserved_used.any?
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(', ')}")
errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
end
end

13
app/models/webauthn_credential.rb
View File

@@ -1,6 +1,9 @@
class WebauthnCredential < ApplicationRecord
belongs_to :user
# Set default authenticator_type if not provided
after_initialize :set_default_authenticator_type, if: :new_record?
# Validations
validates :external_id, presence: true, uniqueness: true
validates :public_key, presence: true
@@ -77,6 +80,10 @@ class WebauthnCredential < ApplicationRecord
private
def set_default_authenticator_type
self.authenticator_type ||= "cross-platform"
end
def time_ago_in_words(time)
seconds = Time.current - time
minutes = seconds / 60
@@ -84,11 +91,11 @@ class WebauthnCredential < ApplicationRecord
days = hours / 24
if days > 0
"#{days.floor} day#{'s' if days > 1} ago"
"#{days.floor} day#{"s" if days > 1} ago"
elsif hours > 0
"#{hours.floor} hour#{'s' if hours > 1} ago"
"#{hours.floor} hour#{"s" if hours > 1} ago"
elsif minutes > 0
"#{minutes.floor} minute#{'s' if minutes > 1} ago"
"#{minutes.floor} minute#{"s" if minutes > 1} ago"
else
"Just now"
end

10
app/services/concerns/claims_merger.rb
View File

@@ -13,20 +13,20 @@ module ClaimsMerger
result = base.dup
incoming.each do |key, value|
if result.key?(key)
result[key] = if result.key?(key)
# If both values are arrays, combine them (union to avoid duplicates)
if result[key].is_a?(Array) && value.is_a?(Array)
result[key] = (result[key] + value).uniq
(result[key] + value).uniq
# If both values are hashes, recursively merge them
elsif result[key].is_a?(Hash) && value.is_a?(Hash)
result[key] = deep_merge_claims(result[key], value)
deep_merge_claims(result[key], value)
else
# Otherwise, incoming value wins (override)
result[key] = value
value
end
else
# New key, just add it
result[key] = value
value
end
end

32
app/services/oidc_jwt_service.rb
View File

@@ -3,7 +3,7 @@ class OidcJwtService
class << self
# Generate an ID token (JWT) for the user
def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil)
def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil, auth_time: nil, acr: nil, scopes: "openid")
now = Time.current.to_i
# Use application's configured ID token TTL (defaults to 1 hour)
ttl = application.id_token_expiry_seconds
@@ -11,21 +11,36 @@ class OidcJwtService
# Use pairwise SID from consent if available, fallback to user ID
subject = consent&.sid || user.id.to_s
# Parse scopes (space-separated string)
requested_scopes = scopes.to_s.split
# Required claims (always included per OIDC Core spec)
payload = {
iss: issuer_url,
sub: subject,
aud: application.client_id,
exp: now + ttl,
iat: now,
email: user.email_address,
email_verified: true,
preferred_username: user.username.presence || user.email_address,
name: user.name.presence || user.email_address
iat: now
}
# NOTE: Email and profile claims are NOT included in the ID token for authorization code flow
# Per OIDC Core spec §5.4, these claims should only be returned via the UserInfo endpoint
# For implicit flow (response_type=id_token), claims would be included here, but we only
# support authorization code flow, so these claims are omitted from the ID token.
# Add nonce if provided (OIDC requires this for implicit flow)
payload[:nonce] = nonce if nonce.present?
# Add auth_time if provided (OIDC Core §2 - required when max_age is used)
payload[:auth_time] = auth_time if auth_time.present?
# Add acr if provided (OIDC Core §2 - authentication context class reference)
payload[:acr] = acr if acr.present?
# Add azp (authorized party) - the client_id this token was issued to
# OIDC Core §2 - required when aud has multiple values, optional but useful for single
payload[:azp] = application.client_id
# Add at_hash if access token is provided (OIDC Core spec §3.1.3.6)
# at_hash = left-most 128 bits of SHA-256 hash of access token, base64url encoded
if access_token.present?
@@ -34,12 +49,13 @@ class OidcJwtService
payload[:at_hash] = at_hash
end
# Add groups if user has any
if user.groups.any?
# Groups claims (only if 'groups' scope requested)
if requested_scopes.include?("groups") && user.groups.any?
payload[:groups] = user.groups.pluck(:name)
end
# Merge custom claims from groups (arrays are combined, not overwritten)
# Note: Custom claims from groups are always merged (not scope-dependent)
user.groups.each do |group|
payload = deep_merge_claims(payload, group.parsed_custom_claims)
end

2
bin/brakeman
View File

@@ -2,6 +2,4 @@
require "rubygems"
require "bundler/setup"
ARGV.unshift("--ensure-latest")
load Gem.bin_path("brakeman", "brakeman")

5
bin/standardrb Executable file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/env ruby
require "rubygems"
require "bundler/setup"
load Gem.bin_path("standard", "standardrb")

14
config/application.rb
View File

@@ -27,13 +27,13 @@ module Clinch
# Configure SMTP settings using environment variables
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
address: ENV.fetch('SMTP_ADDRESS', 'localhost'),
port: ENV.fetch('SMTP_PORT', 587),
domain: ENV.fetch('SMTP_DOMAIN', 'localhost'),
user_name: ENV.fetch('SMTP_USERNAME', nil),
password: ENV.fetch('SMTP_PASSWORD', nil),
authentication: ENV.fetch('SMTP_AUTHENTICATION', 'plain').to_sym,
enable_starttls_auto: ENV.fetch('SMTP_STARTTLS_AUTO', 'true') == 'true',
address: ENV.fetch("SMTP_ADDRESS", "localhost"),
port: ENV.fetch("SMTP_PORT", 587),
domain: ENV.fetch("SMTP_DOMAIN", "localhost"),
user_name: ENV.fetch("SMTP_USERNAME", nil),
password: ENV.fetch("SMTP_PASSWORD", nil),
authentication: ENV.fetch("SMTP_AUTHENTICATION", "plain").to_sym,
enable_starttls_auto: ENV.fetch("SMTP_STARTTLS_AUTO", "true") == "true",
openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
}
end

1
config/environments/development.rb
View File

@@ -62,7 +62,6 @@ Rails.application.configure do
# Use async processor for background jobs in development
config.active_job.queue_adapter = :async
# Highlight code that triggered redirect in logs.
config.action_dispatch.verbose_redirect_logs = true

28
config/environments/production.rb
View File

@@ -34,8 +34,8 @@ Rails.application.configure do
# Note: Rails already sets X-Content-Type-Options: nosniff by default
# Note: Permissions-Policy is configured in config/initializers/permissions_policy.rb
config.action_dispatch.default_headers.merge!(
'X-Frame-Options' => 'DENY', # Override default SAMEORIGIN to prevent clickjacking
'Referrer-Policy' => 'strict-origin-when-cross-origin' # Control referrer information
"X-Frame-Options" => "DENY", # Override default SAMEORIGIN to prevent clickjacking
"Referrer-Policy" => "strict-origin-when-cross-origin" # Control referrer information
)
# Skip http-to-https redirect for the default health check endpoint.
@@ -43,7 +43,7 @@ Rails.application.configure do
# Log to STDOUT with the current request id as a default log tag.
config.log_tags = [:request_id]
config.logger = ActiveSupport::TaggedLogging.logger(STDOUT)
config.logger = ActiveSupport::TaggedLogging.logger($stdout)
# Change to "debug" to log everything (including potentially personally-identifiable information!).
config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
@@ -66,7 +66,7 @@ Rails.application.configure do
# Set host to be used by links generated in mailer templates.
config.action_mailer.default_url_options = {
host: ENV.fetch('CLINCH_HOST', 'example.com')
host: ENV.fetch("CLINCH_HOST", "example.com")
}
# Specify outgoing SMTP server. Remember to add smtp/* credentials via bin/rails credentials:edit.
@@ -92,7 +92,7 @@ Rails.application.configure do
def self.extract_domain(host)
return host if host.blank?
# Remove protocol (http:// or https://) if present
host.gsub(/^https?:\/\//, '')
host.gsub(/^https?:\/\//, "")
end
# Helper method to ensure URL has https:// protocol
@@ -105,11 +105,11 @@ Rails.application.configure do
# Enable DNS rebinding protection and other `Host` header attacks.
# Configure allowed hosts based on deployment scenario
allowed_hosts = [
extract_domain(ENV.fetch('CLINCH_HOST', 'auth.example.com')), # External domain (auth service itself)
extract_domain(ENV.fetch("CLINCH_HOST", "auth.example.com")) # External domain (auth service itself)
]
# Use PublicSuffix to extract registrable domain and allow all subdomains
host_domain = extract_domain(ENV.fetch('CLINCH_HOST', 'auth.example.com'))
host_domain = extract_domain(ENV.fetch("CLINCH_HOST", "auth.example.com"))
if host_domain.present?
begin
# Use PublicSuffix to properly extract the domain
@@ -123,20 +123,20 @@ Rails.application.configure do
rescue PublicSuffix::DomainInvalid
# Fallback to simple domain extraction if PublicSuffix fails
Rails.logger.warn "Could not parse domain '#{host_domain}' with PublicSuffix, using fallback"
base_domain = host_domain.split('.').last(2).join('.')
base_domain = host_domain.split(".").last(2).join(".")
allowed_hosts << /.*#{Regexp.escape(base_domain)}/
end
end
# Allow Docker service names if running in same compose
if ENV['CLINCH_DOCKER_SERVICE_NAME']
allowed_hosts << ENV['CLINCH_DOCKER_SERVICE_NAME']
if ENV["CLINCH_DOCKER_SERVICE_NAME"]
allowed_hosts << ENV["CLINCH_DOCKER_SERVICE_NAME"]
end
# Allow internal IP access for cross-compose or host networking
if ENV['CLINCH_ALLOW_INTERNAL_IPS'] == 'true'
if ENV["CLINCH_ALLOW_INTERNAL_IPS"] == "true"
# Specific host IP
allowed_hosts << '192.168.2.246'
allowed_hosts << "192.168.2.246"
# Private IP ranges for internal network access
allowed_hosts += [
@@ -147,8 +147,8 @@ Rails.application.configure do
end
# Local development fallbacks
if ENV['CLINCH_ALLOW_LOCALHOST'] == 'true'
allowed_hosts += ['localhost', '127.0.0.1', '0.0.0.0']
if ENV["CLINCH_ALLOW_LOCALHOST"] == "true"
allowed_hosts += ["localhost", "127.0.0.1", "0.0.0.0"]
end
config.hosts = allowed_hosts

28
config/initializers/active_record_encryption.rb Normal file
View File

@@ -0,0 +1,28 @@
# ActiveRecord Encryption Configuration
# Encryption keys derived from SECRET_KEY_BASE (no separate key storage needed)
# Used for encrypting sensitive columns (currently: TOTP secrets)
#
# Optional: Override with env vars (for key rotation or explicit key management):
# - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
# - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
# - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
# Use env vars if set, otherwise derive from SECRET_KEY_BASE (deterministic)
primary_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY") do
Rails.application.key_generator.generate_key("active_record_encryption_primary", 32)
end
deterministic_key = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY") do
Rails.application.key_generator.generate_key("active_record_encryption_deterministic", 32)
end
key_derivation_salt = ENV.fetch("ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT") do
Rails.application.key_generator.generate_key("active_record_encryption_salt", 32)
end
# Configure Rails 7.1+ ActiveRecord encryption
Rails.application.config.active_record.encryption.primary_key = primary_key
Rails.application.config.active_record.encryption.deterministic_key = deterministic_key
Rails.application.config.active_record.encryption.key_derivation_salt = key_derivation_salt
# Allow unencrypted data for existing records (new/updated records will be encrypted)
# Set to false after all existing encrypted columns have been migrated
Rails.application.config.active_record.encryption.support_unencrypted_data = true

1
config/initializers/content_security_policy.rb
View File

@@ -59,7 +59,6 @@ Rails.application.configure do
policy.report_uri "/api/csp-violation-report"
end
# Start with CSP in report-only mode for testing
# Set to false after verifying everything works in production
config.content_security_policy_report_only = Rails.env.development?

10
config/initializers/csp_local_logger.rb
View File

@@ -8,7 +8,7 @@ Rails.application.config.after_initialize do
# Configure log rotation
csp_logger = Logger.new(
csp_log_path,
'daily', # Rotate daily
"daily", # Rotate daily
30 # Keep 30 old log files
)
@@ -16,7 +16,7 @@ Rails.application.config.after_initialize do
# Format: [TIMESTAMP] LEVEL MESSAGE
csp_logger.formatter = proc do |severity, datetime, progname, msg|
"[#{datetime.strftime('%Y-%m-%d %H:%M:%S')}] #{severity} #{msg}\n"
"[#{datetime.strftime("%Y-%m-%d %H:%M:%S")}] #{severity} #{msg}\n"
end
module CspViolationLocalLogger
@@ -69,7 +69,6 @@ Rails.application.config.after_initialize do
# Also log to main Rails logger for visibility
Rails.logger.info "CSP violation logged to csp_violations.log: #{violated_directive} - #{blocked_uri}"
rescue => e
# Ensure logger errors don't break the CSP reporting flow
Rails.logger.error "Failed to log CSP violation to file: #{e.message}"
@@ -81,12 +80,12 @@ Rails.application.config.after_initialize do
csp_log_path = Rails.root.join("log", "csp_violations.log")
logger = Logger.new(
csp_log_path,
'daily', # Rotate daily
"daily", # Rotate daily
30 # Keep 30 old log files
)
logger.level = Logger::INFO
logger.formatter = proc do |severity, datetime, progname, msg|
"[#{datetime.strftime('%Y-%m-%d %H:%M:%S')}] #{severity} #{msg}\n"
"[#{datetime.strftime("%Y-%m-%d %H:%M:%S")}] #{severity} #{msg}\n"
end
logger
end
@@ -120,7 +119,6 @@ Rails.application.config.after_initialize do
# Test write to ensure permissions are correct
csp_logger.info "CSP Logger initialized at #{Time.current}"
rescue => e
Rails.logger.error "Failed to initialize CSP local logger: #{e.message}"
Rails.logger.error "CSP violations will only be sent to Sentry (if configured)"

2
config/initializers/filter_parameter_logging.rb
View File

@@ -4,5 +4,5 @@
# Use this to limit dissemination of sensitive information.
# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
Rails.application.config.filter_parameters += [
:passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc
:passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup
]

4
config/initializers/sentry_subscriber.rb
View File

@@ -69,10 +69,10 @@ Rails.application.config.after_initialize do
parsed.host
rescue URI::InvalidURIError
# Handle cases where URI might be malformed or just a path
if uri.start_with?('/')
if uri.start_with?("/")
nil # It's a relative path, no domain
else
uri.split('/').first # Best effort extraction
uri.split("/").first # Best effort extraction
end
end
end

2
config/initializers/token_hmac.rb
View File

@@ -3,5 +3,5 @@
# Derived from SECRET_KEY_BASE - no storage needed, deterministic output
# Optional: Set OIDC_TOKEN_PREFIX_HMAC env var to override with explicit key
module TokenHmac
KEY = ENV['OIDC_TOKEN_PREFIX_HMAC'] || Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
KEY = ENV["OIDC_TOKEN_PREFIX_HMAC"] || Rails.application.key_generator.generate_key("oidc_token_prefix", 32)
end

2
config/initializers/version.rb
View File

@@ -1,5 +1,5 @@
# frozen_string_literal: true
module Clinch
VERSION = "0.8.0"
VERSION = "0.8.4"
end

1
config/puma.rb
View File

@@ -31,7 +31,6 @@ threads threads_count, threads_count
# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
port ENV.fetch("PORT", 3000)
# Allow puma to be restarted by `bin/rails restart` command.
plugin :tmp_restart

30
config/routes.rb
View File

@@ -8,7 +8,7 @@ Rails.application.routes.draw do
# Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
# Can be used by load balancers and uptime monitors to verify that the app is live.
get "up" => "rails/health#show", as: :rails_health_check
get "up" => "rails/health#show", :as => :rails_health_check
# Authentication routes
get "/signup", to: "users#new", as: :signup
@@ -30,7 +30,7 @@ Rails.application.routes.draw do
post "/oauth/authorize/consent", to: "oidc#consent", as: :oauth_consent
post "/oauth/token", to: "oidc#token"
post "/oauth/revoke", to: "oidc#revoke"
get "/oauth/userinfo", to: "oidc#userinfo"
match "/oauth/userinfo", to: "oidc#userinfo", via: [:get, :post]
get "/logout", to: "oidc#logout"
# ForwardAuth / Trusted Header SSO
@@ -61,21 +61,21 @@ Rails.application.routes.draw do
end
# TOTP (2FA) routes
get '/totp/new', to: 'totp#new', as: :new_totp
post '/totp', to: 'totp#create', as: :totp
delete '/totp', to: 'totp#destroy'
get '/totp/backup_codes', to: 'totp#backup_codes', as: :backup_codes_totp
post '/totp/verify_password', to: 'totp#verify_password', as: :verify_password_totp
get '/totp/regenerate_backup_codes', to: 'totp#regenerate_backup_codes', as: :regenerate_backup_codes_totp
post '/totp/regenerate_backup_codes', to: 'totp#create_new_backup_codes', as: :create_new_backup_codes_totp
post '/totp/complete_setup', to: 'totp#complete_setup', as: :complete_totp_setup
get "/totp/new", to: "totp#new", as: :new_totp
post "/totp", to: "totp#create", as: :totp
delete "/totp", to: "totp#destroy"
get "/totp/backup_codes", to: "totp#backup_codes", as: :backup_codes_totp
post "/totp/verify_password", to: "totp#verify_password", as: :verify_password_totp
get "/totp/regenerate_backup_codes", to: "totp#regenerate_backup_codes", as: :regenerate_backup_codes_totp
post "/totp/regenerate_backup_codes", to: "totp#create_new_backup_codes", as: :create_new_backup_codes_totp
post "/totp/complete_setup", to: "totp#complete_setup", as: :complete_totp_setup
# WebAuthn (Passkeys) routes
get '/webauthn/new', to: 'webauthn#new', as: :new_webauthn
post '/webauthn/challenge', to: 'webauthn#challenge'
post '/webauthn/create', to: 'webauthn#create'
delete '/webauthn/:id', to: 'webauthn#destroy', as: :webauthn_credential
get '/webauthn/check', to: 'webauthn#check'
get "/webauthn/new", to: "webauthn#new", as: :new_webauthn
post "/webauthn/challenge", to: "webauthn#challenge"
post "/webauthn/create", to: "webauthn#create"
delete "/webauthn/:id", to: "webauthn#destroy", as: :webauthn_credential
get "/webauthn/check", to: "webauthn#check"
# Admin routes
namespace :admin do

6
db/migrate/20251024012201_add_role_mapping_to_applications.rb
View File

@@ -1,9 +1,9 @@
class AddRoleMappingToApplications < ActiveRecord::Migration[8.1]
def change
add_column :applications, :role_mapping_mode, :string, default: 'disabled', null: false
add_column :applications, :role_mapping_mode, :string, default: "disabled", null: false
add_column :applications, :role_prefix, :string
add_column :applications, :managed_permissions, :json, default: {}
add_column :applications, :role_claim_name, :string, default: 'roles'
add_column :applications, :role_claim_name, :string, default: "roles"
create_table :application_roles do |t|
t.references :application, null: false, foreign_key: true
@@ -21,7 +21,7 @@ class AddRoleMappingToApplications < ActiveRecord::Migration[8.1]
create_table :user_role_assignments do |t|
t.references :user, null: false, foreign_key: true
t.references :application_role, null: false, foreign_key: true
t.string :source, default: 'oidc' # 'oidc', 'manual', 'group_sync'
t.string :source, default: "oidc" # 'oidc', 'manual', 'group_sync'
t.json :metadata, default: {}
t.timestamps

4
db/migrate/20251104014955_migrate_forward_auth_rules_to_applications.rb
View File

@@ -41,7 +41,7 @@ class MigrateForwardAuthRulesToApplications < ActiveRecord::Migration[8.1]
app = application_class.create!(
name: rule.domain_pattern.titleize,
slug: rule.domain_pattern.parameterize.presence || "forward-auth-#{rule.id}",
app_type: 'forward_auth',
app_type: "forward_auth",
domain_pattern: rule.domain_pattern,
headers_config: rule.headers_config || {},
active: rule.active
@@ -59,7 +59,7 @@ class MigrateForwardAuthRulesToApplications < ActiveRecord::Migration[8.1]
def down
# Remove all forward_auth applications created by this migration
Application.where(app_type: 'forward_auth').destroy_all
Application.where(app_type: "forward_auth").destroy_all
end
private

2
db/migrate/20251123052026_create_application_user_claims.rb
View File

@@ -8,6 +8,6 @@ class CreateApplicationUserClaims < ActiveRecord::Migration[8.1]
t.timestamps
end
add_index :application_user_claims, [:application_id, :user_id], unique: true, name: 'index_app_user_claims_unique'
add_index :application_user_claims, [:application_id, :user_id], unique: true, name: "index_app_user_claims_unique"
end
end

1
db/migrate/20251125063248_create_active_storage_tables.active_storage.rb
View File

@@ -47,6 +47,7 @@ class CreateActiveStorageTables < ActiveRecord::Migration[7.0]
end
private
def primary_and_foreign_key_types
config = Rails.configuration.generators
setting = config.options[config.orm][:primary_key_type]

14
db/migrate/20251230073656_add_pkce_options_to_applications.rb Normal file
View File

@@ -0,0 +1,14 @@
class AddPkceOptionsToApplications < ActiveRecord::Migration[8.1]
def change
# Add require_pkce column for confidential clients
# Default true for new apps (secure by default), existing apps will be false
add_column :applications, :require_pkce, :boolean, default: true, null: false
# Set existing applications to not require PKCE (backwards compatibility)
reversible do |dir|
dir.up do
execute "UPDATE applications SET require_pkce = false WHERE id > 0"
end
end
end
end

20
db/migrate/20251231043838_rename_code_to_code_hmac_and_add_token_hmac.rb Normal file
View File

@@ -0,0 +1,20 @@
class RenameCodeToCodeHmacAndAddTokenHmac < ActiveRecord::Migration[8.1]
def change
# Authorization codes: rename code to code_hmac
rename_column :oidc_authorization_codes, :code, :code_hmac
# Access tokens: add token_hmac, remove old columns
add_column :oidc_access_tokens, :token_hmac, :string
add_index :oidc_access_tokens, :token_hmac, unique: true
remove_column :oidc_access_tokens, :token_prefix
remove_column :oidc_access_tokens, :token_digest
# Refresh tokens: add token_hmac, remove old columns
add_column :oidc_refresh_tokens, :token_hmac, :string
add_index :oidc_refresh_tokens, :token_hmac, unique: true
remove_column :oidc_refresh_tokens, :token_prefix
remove_column :oidc_refresh_tokens, :token_digest
end
end

6
db/migrate/20251231055350_add_auth_time_to_oidc_tokens.rb Normal file
View File

@@ -0,0 +1,6 @@
class AddAuthTimeToOidcTokens < ActiveRecord::Migration[8.1]
def change
add_column :oidc_authorization_codes, :auth_time, :integer
add_column :oidc_refresh_tokens, :auth_time, :integer
end
end

7
db/migrate/20251231060112_add_acr_to_oidc_tokens_and_sessions.rb Normal file
View File

@@ -0,0 +1,7 @@
class AddAcrToOidcTokensAndSessions < ActiveRecord::Migration[8.1]
def change
add_column :sessions, :acr, :string
add_column :oidc_authorization_codes, :acr, :string
add_column :oidc_refresh_tokens, :acr, :string
end
end

23
db/schema.rb generated
View File

@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema[8.1].define(version: 2025_12_30_073656) do
ActiveRecord::Schema[8.1].define(version: 2025_12_31_060112) do
create_table "active_storage_attachments", force: :cascade do |t|
t.bigint "blob_id", null: false
t.datetime "created_at", null: false
@@ -101,24 +101,24 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_30_073656) do
t.datetime "expires_at", null: false
t.datetime "revoked_at"
t.string "scope"
t.string "token_digest"
t.string "token_prefix", limit: 8
t.string "token_hmac"
t.datetime "updated_at", null: false
t.integer "user_id", null: false
t.index ["application_id", "user_id"], name: "index_oidc_access_tokens_on_application_id_and_user_id"
t.index ["application_id"], name: "index_oidc_access_tokens_on_application_id"
t.index ["expires_at"], name: "index_oidc_access_tokens_on_expires_at"
t.index ["revoked_at"], name: "index_oidc_access_tokens_on_revoked_at"
t.index ["token_digest"], name: "index_oidc_access_tokens_on_token_digest", unique: true
t.index ["token_prefix"], name: "index_oidc_access_tokens_on_token_prefix"
t.index ["token_hmac"], name: "index_oidc_access_tokens_on_token_hmac", unique: true
t.index ["user_id"], name: "index_oidc_access_tokens_on_user_id"
end
create_table "oidc_authorization_codes", force: :cascade do |t|
t.string "acr"
t.integer "application_id", null: false
t.string "code", null: false
t.integer "auth_time"
t.string "code_challenge"
t.string "code_challenge_method"
t.string "code_hmac", null: false
t.datetime "created_at", null: false
t.datetime "expires_at", null: false
t.string "nonce"
@@ -129,22 +129,23 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_30_073656) do
t.integer "user_id", null: false
t.index ["application_id", "user_id"], name: "index_oidc_authorization_codes_on_application_id_and_user_id"
t.index ["application_id"], name: "index_oidc_authorization_codes_on_application_id"
t.index ["code"], name: "index_oidc_authorization_codes_on_code", unique: true
t.index ["code_challenge"], name: "index_oidc_authorization_codes_on_code_challenge"
t.index ["code_hmac"], name: "index_oidc_authorization_codes_on_code_hmac", unique: true
t.index ["expires_at"], name: "index_oidc_authorization_codes_on_expires_at"
t.index ["user_id"], name: "index_oidc_authorization_codes_on_user_id"
end
create_table "oidc_refresh_tokens", force: :cascade do |t|
t.string "acr"
t.integer "application_id", null: false
t.integer "auth_time"
t.datetime "created_at", null: false
t.datetime "expires_at", null: false
t.integer "oidc_access_token_id", null: false
t.datetime "revoked_at"
t.string "scope"
t.string "token_digest", null: false
t.integer "token_family_id"
t.string "token_prefix", limit: 8
t.string "token_hmac"
t.datetime "updated_at", null: false
t.integer "user_id", null: false
t.index ["application_id", "user_id"], name: "index_oidc_refresh_tokens_on_application_id_and_user_id"
@@ -152,9 +153,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_30_073656) do
t.index ["expires_at"], name: "index_oidc_refresh_tokens_on_expires_at"
t.index ["oidc_access_token_id"], name: "index_oidc_refresh_tokens_on_oidc_access_token_id"
t.index ["revoked_at"], name: "index_oidc_refresh_tokens_on_revoked_at"
t.index ["token_digest"], name: "index_oidc_refresh_tokens_on_token_digest", unique: true
t.index ["token_family_id"], name: "index_oidc_refresh_tokens_on_token_family_id"
t.index ["token_prefix"], name: "index_oidc_refresh_tokens_on_token_prefix"
t.index ["token_hmac"], name: "index_oidc_refresh_tokens_on_token_hmac", unique: true
t.index ["user_id"], name: "index_oidc_refresh_tokens_on_user_id"
end
@@ -174,6 +174,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_12_30_073656) do
end
create_table "sessions", force: :cascade do |t|
t.string "acr"
t.datetime "created_at", null: false
t.string "device_name"
t.datetime "expires_at"

304
docs/beta-checklist.md Normal file
View File

@@ -0,0 +1,304 @@
# Beta Release Readiness Checklist
This checklist ensures Clinch meets security, quality, and documentation standards before moving from "experimental" to "Beta" status.
> **Security Implementation Status:** See [security-todo.md](security-todo.md) for detailed vulnerability tracking and fixes.
> **Outstanding Security Issues:** 3 (all MEDIUM/LOW priority) - Phases 1-4 complete ✅
---
## Security Scanning
### Automated Security Tools
- [x] **Brakeman** - Static security analysis for Rails
- Status: ✅ Passing (2 weak warnings documented and accepted)
- Command: `bin/brakeman --no-pager`
- CI: Runs on every PR and push to main
- Warnings documented in `config/brakeman.ignore`
- [x] **bundler-audit** - Dependency vulnerability scanning
- Status: ✅ No vulnerabilities found
- Command: `bin/bundler-audit check --update`
- CI: Runs on every PR and push to main
- [x] **importmap audit** - JavaScript dependency scanning
- CI: Runs on every PR and push to main
- [x] **Trivy** - Container image vulnerability scanning
- Scans Docker images for OS and system package vulnerabilities
- CI: Builds and scans image on every PR and push to main
- Results uploaded to GitHub Security tab
- [x] **Dependabot** - Automated dependency updates
- Creates PRs for outdated dependencies
- Enabled for Ruby gems and GitHub Actions
- [x] **GitHub Secret Scanning** - Detects leaked credentials
- Push protection enabled to block commits with secrets
- [x] **Test Coverage** - SimpleCov integration
- Command: `COVERAGE=1 bin/rails test`
- Coverage report: `coverage/index.html`
### Security Features Implemented
#### Authentication
- [x] Secure password storage (bcrypt with Rails defaults)
- [x] TOTP 2FA with backup codes
- [x] WebAuthn/Passkey support (FIDO2)
- [x] Session management with device tracking
- [x] Session revocation (individual and bulk)
- [x] Remember me with configurable expiry
- [x] Account invitation flow with expiring tokens
- [x] Password reset with expiring tokens
#### OIDC Security
- [x] Authorization code flow with PKCE support
- [x] Refresh token rotation
- [x] Token family tracking (detects replay attacks)
- [x] All tokens HMAC-SHA256 hashed in database
- [x] Configurable token expiry (access, refresh, ID)
- [x] One-time use authorization codes
- [x] Pairwise subject identifiers (privacy)
- [x] ID tokens signed with RS256
- [x] Token revocation endpoint (RFC 7009)
- [x] Proper `at_hash` validation
- [x] OIDC standard claims (auth_time, acr, azp)
- [x] Automatic cleanup of expired tokens
#### Access Control
- [x] Group-based authorization
- [x] Application-level access control
- [x] Admin vs. regular user roles
- [x] User status management (active, disabled, pending)
- [x] TOTP enforcement per-user
- [x] ForwardAuth policy enforcement
#### Input Validation
- [x] Strong parameter filtering
- [x] URL validation for redirect URIs and landing URLs
- [x] Email validation and normalization
- [x] Slug validation (alphanumeric + hyphens)
- [x] Domain pattern validation for ForwardAuth
- [x] JSON parsing with error handling
- [x] File upload validation (type, size for app icons)
#### Output Encoding
- [x] HTML escaping by default (Rails 8)
- [x] JSON encoding for API responses
- [x] JWT encoding for ID tokens
- [x] Proper content types for responses
#### Session Security
- [x] Secure, httponly cookies
- [x] SameSite cookie attribute
- [x] Session timeout
- [x] IP and User-Agent tracking
- [x] CSRF protection
#### Cryptography
- [x] SecureRandom for tokens
- [x] bcrypt for passwords
- [x] HMAC-SHA256 for token hashing
- [x] RS256 for JWT signing
- [x] Proper secret management (Rails credentials)
## Testing
### Test Coverage
- [x] **341 tests** across integration, model, controller, service, and system tests
- [x] **1349 assertions**
- [x] **0 failures, 0 errors**
### Test Categories
- [x] Integration tests (invitation flow, forward auth, WebAuthn, session security)
- [x] Model tests (OIDC tokens, users, applications, groups, authorization codes)
- [x] Controller tests (TOTP, sessions, passwords, OIDC flows, input validation)
- [x] Service tests (JWT generation and validation)
- [x] System tests (forward auth, WebAuthn security)
### Security-Critical Test Coverage
- [x] OIDC authorization code flow
- [x] PKCE flow
- [x] Refresh token rotation
- [x] Token replay attack detection
- [x] Access control (group-based)
- [x] Input validation
- [x] Session security
- [x] WebAuthn credential handling
- [x] TOTP validation
## Code Quality
- [x] **RuboCop** - Code style and linting
- Configuration: Rails Omakase
- CI: Runs on every PR and push to main
- [x] **Documentation** - Comprehensive README
- Feature documentation
- Setup instructions
- Configuration guide
- Rails console guide
- API/protocol documentation
## Production Readiness
### Configuration
- [ ] Review all environment variables
- [ ] Document required vs. optional configuration
- [ ] Provide sensible defaults
- [ ] Validate production SMTP configuration
- [x] Ensure OIDC private key generation process is documented
### Database
- [x] Migrations are idempotent
- [x] Indexes on foreign keys
- [x] Proper constraints and validations
- [x] SQLite production-ready (Rails 8)
### Performance
- [ ] Review N+1 queries
- [ ] Add database indexes where needed
- [ ] Test with realistic data volumes
- [ ] Review token cleanup job performance
### Deployment
- [x] Docker support
- [x] Docker Compose example
- [x] Production deployment guide (Docker Compose with .env configuration, upgrading, logs)
- [x] Backup and restore documentation
## Security Hardening
### Headers & CSP
- [x] Content Security Policy (comprehensive policy in config/initializers/content_security_policy.rb)
- [x] X-Frame-Options (DENY in production config)
- [x] X-Content-Type-Options (nosniff - Rails default)
- [x] Referrer-Policy (strict-origin-when-cross-origin in production config)
### Rate Limiting
- [x] Login attempt rate limiting (20/3min on sessions#create)
- [x] TOTP verification rate limiting (10/3min on sessions#verify_totp)
- [x] WebAuthn rate limiting (10/1min on webauthn endpoints, 10/3min on session endpoints)
- [x] Password reset rate limiting (10/3min on request, 10/10min on completion)
- [x] Invitation acceptance rate limiting (10/10min)
- [x] OAuth token endpoint rate limiting (60/1min on token, 30/1min on authorize)
- [x] Backup code rate limiting (5 failed attempts per hour, model-level)
### Secrets Management
- [x] No secrets in code
- [x] Rails credentials for sensitive data
- [ ] Document secret rotation process
- [ ] Document OIDC key rotation process
### Logging & Monitoring
- [x] Sentry integration (optional)
- [x] Parameter filtering configured (passwords, tokens, secrets, backup codes, emails filtered from logs)
- [ ] Audit log for admin actions
## Known Limitations & Risks
### Documented Risks
- [x] Document that ForwardAuth requires same-domain setup
- [ ] Document HTTPS requirement for production
- [ ] Document backup code security (single-use, store securely)
- [ ] Document admin password security requirements
### Future Security Enhancements (Post-Beta)
- [x] Rate limiting on authentication endpoints (comprehensive coverage implemented)
- [ ] Account lockout after N failed attempts (rate limiting provides similar protection)
- [ ] Admin audit logging
- [ ] Security event notifications (email/webhook alerts for suspicious activity)
- [ ] Advanced brute force detection (pattern analysis beyond rate limiting)
- [ ] Suspicious login detection (geolocation, device fingerprinting)
- [ ] IP allowlist/blocklist
## Protocol Conformance & Security Review
**Protocol Conformance (Completed):**
- [x] **OpenID Connect Conformance Testing** - [48/48 tests passed](https://www.certification.openid.net/log-detail.html?log=TZ8vOG0kf35lUiD)
- OIDC authorization code flow ✅
- PKCE flow ✅
- Token security (ID tokens, access tokens, refresh tokens) ✅
- Scope-based claim filtering ✅
- Standard OIDC claims and metadata ✅
- Proper OAuth2 error handling (redirect vs. error page) ✅
**External Security Review (Optional for Post-Beta):**
- [ ] Traditional security audit or penetration test
- Note: OIDC conformance tests protocol compliance, not security vulnerabilities
- A dedicated security audit would test for injection, XSS, auth bypasses, etc.
- [ ] Bug bounty program
- [ ] WebAuthn implementation security review
## Documentation for Users
- [ ] Security best practices guide
- [ ] Incident response guide
- [x] Backup and disaster recovery guide
- [ ] Upgrade guide
- [ ] Breaking change policy
## Beta Release Criteria
To move from "experimental" to "Beta", the following must be completed:
**Critical (Required for Beta):**
- [x] All automated security scans passing
- [x] All tests passing
- [x] Core features implemented and tested
- [x] Basic documentation complete
- [x] Backup/restore documentation
- [x] Production deployment guide
- [x] Protocol conformance validation
- [OpenID Connect Conformance Testing](https://www.certification.openid.net/log-detail.html?log=TZ8vOG0kf35lUiD) - **48 tests PASSED**, 0 failures, 0 warnings
**Important (Should have for Beta):**
- [x] Rate limiting on auth endpoints
- [x] Security headers configuration documented (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- [x] Known limitations documented (ForwardAuth same-domain requirement in README)
- [ ] Admin audit logging
**Nice to have (Can defer to post-Beta):**
- [ ] Bug bounty program
- [ ] Advanced monitoring/alerting
- [x] Automated security testing in CI beyond brakeman/bundler-audit
- [x] Dependabot (automated dependency updates)
- [x] GitHub Secret Scanning (automatic with push protection enabled)
- [x] Container image scanning (Trivy scans Docker images for OS/system vulnerabilities)
- [ ] DAST/Dynamic testing (OWASP ZAP) - optional for post-Beta
## Status Summary
**Current Status:** Ready for Beta Release 🎉
**Strengths:**
- ✅ Comprehensive security tooling in place
- ✅ Strong test coverage (374 tests, 1538 assertions)
- ✅ Modern security features (PKCE, token rotation, WebAuthn)
- ✅ Clean security scans (brakeman, bundler-audit, Trivy)
- ✅ Well-documented codebase
-**OpenID Connect Conformance certified** - 48/48 tests passed
**All Critical Requirements Met:**
- All automated security scans passing ✅
- All tests passing (374 tests, 1542 assertions) ✅
- Core features implemented and tested ✅
- Documentation complete ✅
- Production deployment guide ✅
- Protocol conformance validation complete ✅
**Optional for Post-Beta:**
- Admin audit logging
- Traditional security audit/penetration test
- Bug bounty program
- Advanced monitoring/alerting
**Recommendation:**
Clinch meets all critical requirements for Beta release. The OIDC implementation is protocol-compliant (48/48 conformance tests passed), security scans are clean, and the codebase has strong test coverage.
For production use in security-sensitive environments, consider a traditional security audit or penetration test post-Beta to validate against common vulnerabilities (injection, XSS, auth bypasses, etc.) beyond protocol conformance.
---
Last updated: 2026-01-02

176
docs/caddy-example.md Normal file
View File

@@ -0,0 +1,176 @@
# Caddy ForwardAuth Configuration Examples
## Basic Configuration (Protecting MEtube)
Assuming Caddy and Clinch are running in a docker compose, and we can use the sevice name `clinch`. Exterally, assume you're connecting to https://clinch.example.com/
```caddyfile
# Clinch SSO (main authentication server)
clinch.yourdomain.com {
reverse_proxy clinch:3000
}
# MEtube (protected by Clinch)
metube.yourdomain.com {
# Forward authentication to Clinch
forward_auth clinch:3000 {
uri /api/verify
# uri /api/verify?rd=https://clinch.yourdomain.com # Shouldn't need this, the rd value should be sent via headers
copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
}
# If authentication succeeds, proxy to MEtube
handle {
reverse_proxy * {
to http://<ip-address-of-metube>:8081
header_up X-Real-IP {remote_host}
}
}
}
```
## How It Works
1. User visits `https://metube.yourdomain.com`
2. Caddy makes request to `http://clinch:3000/api/verify passing in the url destination for metueb
3. Clinch checks if user is authenticated and authorized:
- If **200**: Caddy forwards request to MEtube with user headers
- If **302**: User is redirected to clinch.yourdomain.com to login
- If **403**: Access denied
4. User signs into Clinch (with TOTP if enabled or Passkey)
5. Clinch redirects back to MEtube
6. User can now access MEtube!
## Protecting Multiple Applications
```caddyfile
# Clinch SSO
clinch.yourdomain.com {
reverse_proxy clinch:3000
}
# MEtube - Anyone can access (no groups required)
metube.yourdomain.com {
forward_auth clinch:3000 {
uri /api/verify
copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
}
handle {
reverse_proxy * {
to http://metube:8081
header_up X-Real-IP {remote_host}
}
}
}
# Sonarr - Only "media-managers" group
sonarr.yourdomain.com {
forward_auth clinch:3000 {
uri /api/verify
copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
}
handle {
reverse_proxy * {
to http://sonarr:8989
header_up X-Real-IP {remote_host}
}
}
}
# Grafana - Only "admins" group
grafana.yourdomain.com {
forward_auth clinch:3000 {
uri /api/verify
copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
}
handle {
reverse_proxy * {
to http://grafana:3001
header_up X-Real-IP {remote_host}
}
}
}
```
## Setup Steps
### 1. Create Applications in Clinch
Create the Application within Clinch, making sure to set Forward Auth application type
### 2. Update Caddyfile
Add the forward_auth directives shown above.
### 3. Reload Caddy
```bash
caddy reload
```
### 4. Test
Visit https://metube.yourdomain.com - you should be redirected to Clinch login!
## Advanced: Passing Headers to Application
Some applications can use the forwarded headers for user identification:
```caddyfile
metube.yourdomain.com {
forward_auth clinch:3000 {
uri /api/verify
copy_headers Remote-User Remote-Email Remote-Groups Remote-Admin
}
# The headers are automatically passed to the backend
handle {
reverse_proxy * {
to http://metube:8081
header_up X-Real-IP {remote_host}
}
}
}
```
Now MEtube receives these headers with every request:
- `Remote-User`: user@example.com
- `Remote-Email`: user@example.com
- `Remote-Groups`: media-managers,users
- `Remote-Admin`: false
## Troubleshooting
### Users not staying logged in
Ensure your Caddy configuration preserves cookies:
```caddyfile
clinch.yourdomain.com {
reverse_proxy localhost:3000 {
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto {scheme}
}
}
```
### Authentication loop
Check that the `/api/verify` endpoint is not itself protected:
- `/api/verify` must be accessible without authentication
- It returns 401/403 for unauthenticated users (this is expected)
### Check Clinch logs
```bash
tail -f log/production.log
```
You'll see ForwardAuth log messages like:
```
ForwardAuth: User user@example.com granted access to metube
ForwardAuth: Unauthorized - No session cookie
```

315
docs/claude-review.md Normal file
View File

@@ -0,0 +1,315 @@
# Clinch - Independent Code Review
**Reviewer:** Claude (Anthropic)
**Review Date:** December 2024
**Codebase Version:** Commit 4f31fad
**Review Type:** Security-focused OIDC/OAuth2 correctness review with full application assessment
---
## Executive Summary
Clinch is a self-hosted identity and SSO portal built with Ruby on Rails. This review examined the complete codebase with particular focus on the OIDC/OAuth2 implementation, comparing it against production-grade reference implementations (Rodauth-OAuth, Authelia, Authentik).
**Overall Assessment: Production-Ready**
The implementation demonstrates solid security practices, proper adherence to OAuth 2.0 and OpenID Connect specifications, and comprehensive test coverage. The codebase is well-structured, readable, and maintainable.
---
## Feature Overview
### Authentication Methods
| Feature | Status | Notes |
|---------|--------|-------|
| Password Authentication | Implemented | bcrypt hashing, rate-limited |
| WebAuthn/Passkeys | Implemented | FIDO2 compliant, clone detection |
| TOTP 2FA | Implemented | With backup codes, admin enforcement |
| Session Management | Implemented | Device tracking, revocation |
### SSO Protocols
| Protocol | Status | Notes |
|----------|--------|-------|
| OpenID Connect | Implemented | Full OIDC Core compliance |
| OAuth 2.0 | Implemented | Authorization Code + Refresh Token grants |
| ForwardAuth | Implemented | Traefik/Caddy/nginx compatible |
### User & Access Management
| Feature | Status | Notes |
|---------|--------|-------|
| User CRUD | Implemented | Invitation flow, status management |
| Group Management | Implemented | With custom claims |
| Application Management | Implemented | OIDC + ForwardAuth types |
| Group-based Access Control | Implemented | Per-application restrictions |
---
## OIDC/OAuth2 Implementation Review
### Specification Compliance
| Specification | Status | Evidence |
|---------------|--------|----------|
| RFC 6749 (OAuth 2.0) | Compliant | Proper auth code flow, client authentication |
| RFC 7636 (PKCE) | Compliant | S256 and plain methods, enforced for public clients |
| RFC 7009 (Token Revocation) | Compliant | Always returns 200 OK, prevents scanning |
| OpenID Connect Core 1.0 | Compliant | All required claims, proper JWT structure |
| OIDC Discovery | Compliant | `.well-known/openid-configuration` |
| OIDC Back-Channel Logout | Compliant | Logout tokens per spec |
### ID Token Claims
The implementation includes all required and recommended OIDC claims:
```
Standard: iss, sub, aud, exp, iat, nonce
Profile: email, email_verified, preferred_username, name
Security: at_hash, auth_time, acr, azp
Custom: groups, plus arbitrary claims from groups/users/apps
```
### Token Security
| Aspect | Implementation | Assessment |
|--------|----------------|------------|
| Authorization Codes | HMAC-SHA256 hashed, 10-min expiry, single-use | Secure |
| Access Tokens | HMAC-SHA256 hashed, configurable TTL, indexed lookup | Secure |
| Refresh Tokens | HMAC-SHA256 hashed, rotation with family tracking | Secure |
| ID Tokens | RS256 signed JWTs | Secure |
### Security Features
1. **Authorization Code Reuse Prevention**
- Pessimistic database locking prevents race conditions
- Code reuse triggers revocation of all tokens from that code
- Location: `oidc_controller.rb:342-364`
2. **Refresh Token Rotation**
- Old refresh tokens revoked on use
- Token family tracking detects stolen token reuse
- Revoked token reuse triggers family-wide revocation
- Location: `oidc_controller.rb:504-513`
3. **PKCE Enforcement**
- Required for all public clients
- Configurable for confidential clients
- Proper S256 challenge verification
- Location: `oidc_controller.rb:749-814`
4. **Pairwise Subject Identifiers**
- Each user gets a unique `sub` per application
- Prevents cross-application user tracking
- Location: `oidc_user_consent.rb:59-61`
---
## Security Assessment
### Strengths
1. **Token Storage Architecture**
- All tokens (auth codes, access, refresh) are HMAC-hashed before storage
- Database compromise does not reveal usable tokens
- O(1) indexed lookup via HMAC (not O(n) iteration)
2. **Rate Limiting**
- Sign-in: 20/3min
- TOTP verification: 10/3min
- Token endpoint: 60/min
- Authorization: 30/min
- WebAuthn enumeration check: 10/min
3. **WebAuthn Implementation**
- Sign count validation (clone detection)
- Backup eligibility tracking
- Platform vs roaming authenticator distinction
- Credential enumeration prevention
4. **TOTP Implementation**
- Encrypted secret storage (ActiveRecord Encryption)
- Backup codes are bcrypt-hashed and single-use
- Admin can enforce TOTP requirement per user
5. **Session Security**
- ACR (Authentication Context Class Reference) tracking
- `acr: "1"` for password-only, `acr: "2"` for 2FA/passkey
- Session activity timestamps
- Remote session revocation
### Attack Mitigations
| Attack Vector | Mitigation |
|---------------|------------|
| Credential Stuffing | Rate limiting, account lockout via status |
| Token Theft | HMAC storage, short-lived access tokens, rotation |
| Session Hijacking | Secure cookies, session binding |
| CSRF | Rails CSRF protection, state parameter validation |
| Open Redirect | Strict redirect_uri validation against registered URIs |
| Authorization Code Injection | PKCE enforcement, redirect_uri binding |
| Refresh Token Replay | Token rotation, family-based revocation |
| User Enumeration | Constant-time responses, rate limiting |
### Areas Reviewed (No Issues Found)
- Redirect URI validation (exact match required)
- Client authentication (bcrypt for secrets)
- Error response handling (no sensitive data leakage in production)
- Logout implementation (backchannel notifications, session cleanup)
- Custom claims handling (reserved claim protection)
---
## Code Quality Assessment
### Architecture
| Aspect | Assessment |
|--------|------------|
| Controller Structure | Clean separation, ~900 lines for OIDC (acceptable) |
| Model Design | Well-normalized, proper associations |
| Service Objects | Used appropriately (OidcJwtService, ClaimsMerger) |
| Concerns | TokenPrefixable for shared hashing logic |
### Code Metrics
```
Controllers: ~1,500 lines
Models: ~1,500 lines
Services: ~200 lines
Total App Code: ~3,100 lines
Test Files: 36 files
```
### Readability
- Clear method naming
- Inline documentation for complex logic
- Consistent Ruby style
- No deeply nested conditionals
---
## Test Coverage
### Test Statistics
```
Total Tests: 341
Assertions: 1,349
Failures: 0
Errors: 0
Run Time: 23.5 seconds (parallel)
```
### Test Categories
| Category | Files | Coverage |
|----------|-------|----------|
| OIDC Security | 2 | Auth code reuse, token rotation, PKCE |
| Integration | 4 | WebAuthn, sessions, invitations, forward auth |
| Controllers | 8 | All major endpoints |
| Models | 10 | Validations, associations, business logic |
| Jobs | 4 | Mailers, token cleanup |
### Security-Specific Tests
The test suite includes dedicated security tests:
- `oidc_authorization_code_security_test.rb` - Code reuse, timing attacks, client auth
- `oidc_pkce_controller_test.rb` - PKCE flow validation
- `webauthn_credential_enumeration_test.rb` - Enumeration prevention
- `session_security_test.rb` - Session handling
- `totp_security_test.rb` - 2FA bypass prevention
- `input_validation_test.rb` - Input sanitization
---
## Comparison with Reference Implementations
### vs. Rodauth-OAuth (OpenID Certified)
| Aspect | Rodauth | Clinch |
|--------|---------|--------|
| Modularity | 46 feature modules | Monolithic controller |
| Token Storage | Optional hashing | HMAC-SHA256 (always) |
| PKCE | Dedicated feature | Integrated |
| Certification | OpenID Certified | Not certified |
Clinch has comparable security but less modularity.
### vs. Authelia (Production-Grade Go)
| Aspect | Authelia | Clinch |
|--------|----------|--------|
| PKCE Config | `always/public/never` | Per-app toggle |
| Key Rotation | Supported | Single key |
| PAR Support | Yes | No |
| DPoP Support | Yes | No |
Clinch lacks some advanced features but covers core use cases.
### vs. Authentik (Enterprise Python)
| Aspect | Authentik | Clinch |
|--------|-----------|--------|
| Scale | Enterprise/distributed | Single instance |
| Protocols | OAuth, SAML, LDAP, RADIUS | OAuth/OIDC, ForwardAuth |
| Complexity | High | Low |
Clinch is intentionally simpler for self-hosting.
---
## Recommendations
### Implemented During Review
The following issues were identified and fixed during this review:
1. **Token lookup performance** - Changed from O(n) BCrypt iteration to O(1) HMAC lookup
2. **`at_hash` claim** - Added per OIDC Core spec
3. **`auth_time` claim** - Added for authentication timestamp
4. **`acr` claim** - Added for authentication context class
5. **`azp` claim** - Added for authorized party
6. **Authorization code hashing** - Changed from plaintext to HMAC
7. **Consent SID preservation** - Fixed to preserve pairwise subject ID
8. **Discovery metadata** - Fixed `subject_types_supported` to `["pairwise"]`
### Optional Future Enhancements
| Enhancement | Priority | Effort |
|-------------|----------|--------|
| Key Rotation (multi-key JWKS) | Medium | Medium |
| Token Introspection (RFC 7662) | Low | Low |
| PAR (RFC 9126) | Low | Medium |
| OpenID Certification | Low | High |
---
## Conclusion
Clinch provides a solid, security-conscious OIDC/OAuth2 implementation suitable for self-hosted identity management. The codebase demonstrates:
- **Correct protocol implementation** - Follows OAuth 2.0 and OIDC specifications
- **Defense in depth** - Multiple layers of security controls
- **Modern authentication** - WebAuthn/passkeys, TOTP, proper session management
- **Maintainable code** - Clear structure, good test coverage
The implementation is appropriate for its intended use case: a lightweight, self-hosted alternative to complex enterprise identity solutions.
---
## Methodology
This review was conducted by examining:
1. All OIDC-related controllers, models, and services
2. Reference implementations (Rodauth-OAuth, Authelia, Authentik) in `tmp/`
3. Test files and coverage
4. Database schema and migrations
5. Security-critical code paths
Tools used: Static analysis, code reading, test execution, comparison with OpenID-certified implementations.
---
*This review was conducted by Claude (Anthropic) at the request of the project maintainer. The reviewer has no financial interest in the project.*

227
docs/forward-auth-testing.md Normal file
View File

@@ -0,0 +1,227 @@
# Forward Auth Testing Guide
## Overview
Testing forward authentication requires testing multiple layers: HTTP requests, session management, and header forwarding. This guide provides practical testing approaches.
## Quick Start
### 1. Start Rails Server
```bash
rails server
```
### 2. Basic curl Tests
#### Test 1: Unauthenticated Request
```bash
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: test.example.com"
```
**Expected Result:** 302 redirect to login
```
< HTTP/1.1 302 Found
< Location: http://localhost:3000/signin?rd=https://test.example.com/
< X-Auth-Reason: No session cookie
```
#### Test 2: Authenticated Request
1. Sign in at http://localhost:3000/signin
2. Copy session cookie from browser
3. Run:
```bash
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: test.example.com" \
-H "Cookie: _clinch_session_id=YOUR_SESSION_COOKIE"
```
**Expected Result:** 200 OK with headers
```
< HTTP/1.1 200 OK
< X-Remote-User: your-email@example.com
< X-Remote-Email: your-email@example.com
< X-Remote-Name: your-email@example.com
< X-Remote-Groups: group-name
< X-Remote-Admin: true/false
```
## Testing Header Configurations
### Create Test Rules in Admin Interface
1. **Default Headers Rule** (`test.example.com`)
- Leave header fields empty (uses defaults)
- Expected: X-Remote-* headers
2. **No Headers Rule** (`metube.example.com`)
- Set all header fields to empty strings
- Expected: No authentication headers (access only)
3. **Custom Headers Rule** (`grafana.example.com`)
- Set custom header names:
- User Header: `X-WEBAUTH-USER`
- Groups Header: `X-WEBAUTH-ROLES`
- Email Header: `X-WEBAUTH-EMAIL`
- Expected: Custom header names
### Test Different Configurations
```bash
# Test default headers
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: test.example.com" \
-H "Cookie: _clinch_session_id=YOUR_SESSION_COOKIE"
# Test no headers (access only)
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: metube.example.com" \
-H "Cookie: _clinch_session_id=YOUR_SESSION_COOKIE"
# Test custom headers
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: grafana.example.com" \
-H "Cookie: _clinch_session_id=YOUR_SESSION_COOKIE"
```
## Domain Pattern Testing
Test various domain patterns:
```bash
# Wildcard subdomains
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: app.test.example.com"
# Exact domains
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: api.example.com"
# No matching rule (should use defaults)
curl -v http://localhost:3000/api/verify \
-H "X-Forwarded-Host: unknown.example.com"
```
## Integration Testing
### Test with Real Reverse Proxy (Caddy Example)
1. Set up Caddy with forward auth:
```caddyfile
example.com {
forward_auth localhost:3000 {
uri /api/verify
copy_headers X-Remote-User X-Remote-Email X-Remote-Groups X-Remote-Admin
}
reverse_proxy localhost:8080
}
```
2. Test by visiting `https://example.com` in browser
3. Should redirect to Clinch login, then back to application
## Unit Testing (Rails Console)
Test the header logic directly:
```ruby
# Rails console: rails console
# Get a user
user = User.first
# Test default headers
rule = ForwardAuthRule.create!(domain_pattern: 'test.example.com', active: true)
headers = rule.headers_for_user(user)
puts headers
# => {"X-Remote-User" => "user@example.com", "X-Remote-Email" => "user@example.com", ...}
# Test custom headers
rule.update!(headers_config: { user: 'X-Custom-User', groups: 'X-Custom-Groups' })
headers = rule.headers_for_user(user)
puts headers
# => {"X-Custom-User" => "user@example.com", "X-Remote-Email" => "user@example.com", ...}
# Test no headers
rule.update!(headers_config: { user: '', email: '', name: '', groups: '', admin: '' })
headers = rule.headers_for_user(user)
puts headers
# => {}
```
## Testing Checklist
### Basic Functionality
- [ ] Unauthenticated requests redirect to login
- [ ] Authenticated requests return 200 OK
- [ ] Headers are correctly forwarded to applications
- [ ] Session cookies work correctly
### Header Configurations
- [ ] Default headers (X-Remote-*) work
- [ ] Custom headers work with specific applications
- [ ] No headers option works for access-only apps
- [ ] Empty header fields are handled correctly
### Domain Matching
- [ ] Wildcard domains (*.example.com) work
- [ ] Exact domains work
- [ ] Case insensitivity works
- [ ] No matching rule falls back to defaults
### Access Control
- [ ] Group restrictions work correctly
- [ ] Inactive users are denied access
- [ ] Inactive rules are ignored
- [ ] Bypass mode (no groups) works
## Troubleshooting
### Common Issues
1. **Headers not being sent**
- Check rule is active
- Verify headers configuration
- Check user is in allowed groups
2. **Authentication loops**
- Check session cookie domain
- Verify redirect URLs
- Check browser cookie settings
3. **Headers not reaching application**
- Check reverse proxy configuration
- Verify proxy is forwarding headers
- Check application expects correct header names
### Debug Logging
Enable debug logging in `forward_auth_controller.rb`:
```ruby
Rails.logger.level = Logger::DEBUG
```
This will show detailed information about:
- Session extraction
- Rule matching
- Header generation
- Redirect URLs
## Production Testing
Before deploying to production:
1. **SSL/TLS Testing**: Test with HTTPS
2. **Cookie Domains**: Test cross-subdomain cookies
3. **Performance**: Test response times under load
4. **Security**: Test with invalid sessions and malformed headers
5. **Monitoring**: Set up logging and alerting
## Automation
For automated testing, consider:
1. **Integration Tests**: Use Rails integration tests for controller testing
2. **API Tests**: Use tools like Postman or Insomnia for API testing
3. **Browser Tests**: Use Selenium or Cypress for end-to-end testing
4. **Load Testing**: Use tools like k6 or JMeter for performance testing

611
docs/oidc-refresh-tokens-client-guide.md Normal file
View File

@@ -0,0 +1,611 @@
# OIDC Refresh Tokens - Client Implementation Guide
## Overview
Clinch now supports **OAuth 2.0 Refresh Tokens**, allowing your applications to maintain long-lived sessions without requiring users to re-authenticate every hour.
**Key Benefits:**
- ✅ No user re-authentication for 30 days (configurable)
- ✅ Silent token refresh - no redirects, no user interaction
- ✅ Secure token rotation - prevents reuse attacks
- ✅ Token revocation support - users can invalidate sessions
---
## Quick Start
### Before (Without Refresh Tokens)
```
User logs in → Access token (1 hour)
After 1 hour → Redirect to /oauth/authorize
User auto-approves → New access token
Repeat every hour... 😞
```
### Now (With Refresh Tokens)
```
User logs in → Access token (1 hour) + Refresh token (30 days)
After 1 hour → POST to /oauth/token with refresh_token
Get new tokens → No redirect! No user interaction! 🎉
```
---
## Initial Authorization
### 1. Authorization Code Flow (Unchanged)
**Step 1: Redirect user to authorization endpoint**
```
GET https://auth.example.com/oauth/authorize?
client_id=YOUR_CLIENT_ID&
redirect_uri=https://yourapp.com/callback&
response_type=code&
scope=openid%20profile%20email&
state=RANDOM_STATE&
code_challenge=BASE64URL(SHA256(code_verifier))&
code_challenge_method=S256
```
**Step 2: Exchange authorization code for tokens**
```http
POST https://auth.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=https://yourapp.com/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&code_verifier=CODE_VERIFIER
```
**Response (NEW - now includes refresh_token):**
```json
{
"access_token": "eyJhbGc...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGc...",
"refresh_token": "abc123xyz...",
"scope": "openid profile email"
}
```
**IMPORTANT:** Store the `refresh_token` securely! You'll need it to get new access tokens.
---
## Token Refresh Flow
When your `access_token` expires (after 1 hour), use the `refresh_token` to get new tokens **without user interaction**.
### How to Refresh Tokens
**Request:**
```http
POST https://auth.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
```
**Response:**
```json
{
"access_token": "eyJhbGc...NEW",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGc...NEW",
"refresh_token": "def456uvw...NEW",
"scope": "openid profile email"
}
```
**CRITICAL:**
- The old `refresh_token` is **immediately revoked** (single-use)
- You receive a **new `refresh_token`** to use next time
- **Replace** the old refresh token with the new one in your storage
---
## Token Lifecycle
```
┌─────────────────────────────────────────────────────────┐
│ Initial Authorization │
├─────────────────────────────────────────────────────────┤
│ GET /oauth/authorize → User logs in │
│ POST /oauth/token (authorization_code grant) │
│ ↓ │
│ Receive: access_token (1h) + refresh_token (30d) │
└─────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────┐
│ Token Refresh (Silent, No User Interaction) │
├─────────────────────────────────────────────────────────┤
│ After 1 hour (access_token expires): │
│ POST /oauth/token (refresh_token grant) │
│ ↓ │
│ Receive: NEW access_token + NEW refresh_token │
│ Old refresh_token is revoked │
└─────────────────────────────────────────────────────────┘
↓ (Repeat for 30 days)
┌─────────────────────────────────────────────────────────┐
│ Session Expiry │
├─────────────────────────────────────────────────────────┤
│ After 30 days (refresh_token expires): │
│ Redirect user to /oauth/authorize for re-authentication │
└─────────────────────────────────────────────────────────┘
```
---
## Token Storage Best Practices
### ✅ Secure Storage Recommendations
**Web Applications (Server-Side):**
- Store refresh tokens in **server-side session** (encrypted)
- Use **HttpOnly, Secure cookies** for access tokens
- **Never** send refresh tokens to browser JavaScript
**Single Page Applications (SPAs):**
- Store access tokens in **memory only** (JavaScript variable)
- Store refresh tokens in **HttpOnly, Secure cookie** (via backend)
- Use Backend-for-Frontend (BFF) pattern for refresh
**Mobile Apps:**
- Use platform-specific **secure storage**:
- iOS: Keychain
- Android: EncryptedSharedPreferences or Keystore
- **Never** store in UserDefaults/SharedPreferences
**Desktop Apps:**
- Use OS-specific credential storage
- Encrypt tokens at rest
### ❌ DO NOT Store Refresh Tokens In:
- LocalStorage (XSS vulnerable)
- SessionStorage (XSS vulnerable)
- Unencrypted cookies
- Plain text files
- Source code or config files
---
## Token Revocation
Allow users to invalidate their sessions (e.g., "Sign out of all devices").
### Revoke a Token
**Request:**
```http
POST https://auth.example.com/oauth/revoke
Content-Type: application/x-www-form-urlencoded
token=YOUR_TOKEN
&token_type_hint=refresh_token
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
```
**Parameters:**
- `token` (required) - The token to revoke (access or refresh token)
- `token_type_hint` (optional) - "access_token" or "refresh_token"
- `client_id` + `client_secret` (required) - Client authentication
**Response:**
```
HTTP/1.1 200 OK
```
**Note:** Per RFC 7009, the response is always `200 OK`, even if the token was invalid or already revoked (prevents token scanning attacks).
---
## Error Handling
### Refresh Token Errors
#### 1. Invalid or Expired Refresh Token
```json
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
```
**Action:** Redirect user to /oauth/authorize for re-authentication
#### 2. Refresh Token Revoked (Reuse Detected!)
```json
{
"error": "invalid_grant",
"error_description": "Refresh token has been revoked"
}
```
**Action:**
- This indicates a **security issue** (possible token theft)
- All tokens in the same family are revoked
- Redirect user to /oauth/authorize
- Consider alerting the user about suspicious activity
#### 3. Invalid Client Credentials
```json
{
"error": "invalid_client"
}
```
**Action:** Check your `client_id` and `client_secret`
---
## Implementation Examples
### Example 1: Node.js Express
```javascript
const axios = require('axios');
class OAuthClient {
constructor(config) {
this.clientId = config.clientId;
this.clientSecret = config.clientSecret;
this.tokenEndpoint = config.tokenEndpoint;
this.accessToken = null;
this.refreshToken = null;
this.expiresAt = null;
}
// Exchange authorization code for tokens
async exchangeCode(code, redirectUri, codeVerifier) {
const response = await axios.post(this.tokenEndpoint, new URLSearchParams({
grant_type: 'authorization_code',
code: code,
redirect_uri: redirectUri,
client_id: this.clientId,
client_secret: this.clientSecret,
code_verifier: codeVerifier
}));
this.storeTokens(response.data);
return response.data;
}
// Refresh access token
async refreshAccessToken() {
if (!this.refreshToken) {
throw new Error('No refresh token available');
}
const response = await axios.post(this.tokenEndpoint, new URLSearchParams({
grant_type: 'refresh_token',
refresh_token: this.refreshToken,
client_id: this.clientId,
client_secret: this.clientSecret
}));
this.storeTokens(response.data);
return response.data;
}
// Get valid access token (auto-refresh if needed)
async getAccessToken() {
// Check if token is expired or about to expire (5 min buffer)
if (this.expiresAt && Date.now() >= this.expiresAt - 300000) {
await this.refreshAccessToken();
}
return this.accessToken;
}
storeTokens(tokenResponse) {
this.accessToken = tokenResponse.access_token;
this.refreshToken = tokenResponse.refresh_token;
this.expiresAt = Date.now() + (tokenResponse.expires_in * 1000);
}
// Revoke tokens
async revokeToken(token, tokenTypeHint) {
await axios.post('https://auth.example.com/oauth/revoke', new URLSearchParams({
token: token,
token_type_hint: tokenTypeHint,
client_id: this.clientId,
client_secret: this.clientSecret
}));
}
}
// Usage
const client = new OAuthClient({
clientId: 'your-client-id',
clientSecret: 'your-client-secret',
tokenEndpoint: 'https://auth.example.com/oauth/token'
});
// After initial login
await client.exchangeCode(authCode, redirectUri, codeVerifier);
// Make API calls (auto-refreshes if needed)
const token = await client.getAccessToken();
const apiResponse = await axios.get('https://api.example.com/data', {
headers: { Authorization: `Bearer ${token}` }
});
// Logout - revoke refresh token
await client.revokeToken(client.refreshToken, 'refresh_token');
```
### Example 2: Python
```python
import requests
import time
from urllib.parse import urlencode
class OAuthClient:
def __init__(self, client_id, client_secret, token_endpoint):
self.client_id = client_id
self.client_secret = client_secret
self.token_endpoint = token_endpoint
self.access_token = None
self.refresh_token = None
self.expires_at = None
def exchange_code(self, code, redirect_uri, code_verifier):
"""Exchange authorization code for tokens"""
response = requests.post(self.token_endpoint, data={
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': redirect_uri,
'client_id': self.client_id,
'client_secret': self.client_secret,
'code_verifier': code_verifier
})
response.raise_for_status()
self._store_tokens(response.json())
return response.json()
def refresh_access_token(self):
"""Refresh the access token using refresh token"""
if not self.refresh_token:
raise ValueError('No refresh token available')
response = requests.post(self.token_endpoint, data={
'grant_type': 'refresh_token',
'refresh_token': self.refresh_token,
'client_id': self.client_id,
'client_secret': self.client_secret
})
response.raise_for_status()
self._store_tokens(response.json())
return response.json()
def get_access_token(self):
"""Get valid access token, refresh if needed"""
# Check if token is expired (with 5 min buffer)
if self.expires_at and time.time() >= self.expires_at - 300:
self.refresh_access_token()
return self.access_token
def _store_tokens(self, token_response):
"""Store tokens and expiration time"""
self.access_token = token_response['access_token']
self.refresh_token = token_response['refresh_token']
self.expires_at = time.time() + token_response['expires_in']
def revoke_token(self, token, token_type_hint='refresh_token'):
"""Revoke a token"""
requests.post('https://auth.example.com/oauth/revoke', data={
'token': token,
'token_type_hint': token_type_hint,
'client_id': self.client_id,
'client_secret': self.client_secret
})
# Usage
client = OAuthClient(
client_id='your-client-id',
client_secret='your-client-secret',
token_endpoint='https://auth.example.com/oauth/token'
)
# After initial login
client.exchange_code(auth_code, redirect_uri, code_verifier)
# Make API calls (auto-refreshes if needed)
token = client.get_access_token()
response = requests.get('https://api.example.com/data',
headers={'Authorization': f'Bearer {token}'})
# Logout
client.revoke_token(client.refresh_token, 'refresh_token')
```
---
## Security Considerations
### 1. Token Rotation (Implemented ✅)
- Each refresh token is **single-use only**
- After use, old refresh token is immediately revoked
- New refresh token is issued
- Prevents replay attacks
### 2. Token Family Tracking (Implemented ✅)
- All refresh tokens in a rotation chain share a `token_family_id`
- If a **revoked** refresh token is reused → **entire family is revoked**
- Detects stolen token attacks
### 3. Refresh Token Binding
- Refresh tokens are bound to:
- Specific client (client_id)
- Specific user
- Specific scopes
- Cannot be used by different clients
### 4. Expiration Times (Configurable per application)
- **Access tokens:** 5 minutes - 24 hours (default: 1 hour)
- **Refresh tokens:** 1 day - 90 days (default: 30 days)
- **ID tokens:** 5 minutes - 24 hours (default: 1 hour)
---
## Discovery Endpoint Updates
The OIDC discovery endpoint now advertises refresh token support:
**GET `https://auth.example.com/.well-known/openid-configuration`**
```json
{
"issuer": "https://auth.example.com",
"authorization_endpoint": "https://auth.example.com/oauth/authorize",
"token_endpoint": "https://auth.example.com/oauth/token",
"revocation_endpoint": "https://auth.example.com/oauth/revoke",
"userinfo_endpoint": "https://auth.example.com/oauth/userinfo",
"jwks_uri": "https://auth.example.com/.well-known/jwks.json",
"grant_types_supported": ["authorization_code", "refresh_token"],
"response_types_supported": ["code"],
"scopes_supported": ["openid", "profile", "email", "groups"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
...
}
```
---
## Testing Your Implementation
### Test 1: Initial Token Exchange
```bash
# Get authorization code (manual - visit in browser)
# Then exchange for tokens:
curl -X POST https://auth.example.com/oauth/token \
-d "grant_type=authorization_code" \
-d "code=YOUR_AUTH_CODE" \
-d "redirect_uri=https://yourapp.com/callback" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "code_verifier=YOUR_CODE_VERIFIER"
# Response should include refresh_token
```
### Test 2: Token Refresh
```bash
curl -X POST https://auth.example.com/oauth/token \
-d "grant_type=refresh_token" \
-d "refresh_token=YOUR_REFRESH_TOKEN" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET"
# Response should include NEW access_token and NEW refresh_token
```
### Test 3: Token Revocation
```bash
curl -X POST https://auth.example.com/oauth/revoke \
-d "token=YOUR_REFRESH_TOKEN" \
-d "token_type_hint=refresh_token" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET"
# Should return 200 OK
```
### Test 4: Reuse Detection (Security Test)
```bash
# 1. Use refresh token to get new tokens
curl -X POST ... (as in Test 2)
# 2. Try to use the OLD refresh token again
curl -X POST ... (with OLD refresh_token)
# Should return error: "invalid_grant" - token has been revoked
```
---
## FAQ
### Q: How long do refresh tokens last?
**A:** By default, 30 days. This is configurable per application (1-90 days).
### Q: Can I use the same refresh token multiple times?
**A:** No. Refresh tokens are **single-use**. After using a refresh token, you get a new one.
### Q: What happens if my refresh token is stolen?
**A:** If someone tries to use a revoked refresh token, all tokens in that family are immediately revoked (token rotation security).
### Q: Do I need to store the ID token?
**A:** Usually no. The ID token is for authentication (verify user identity). You typically decode it, verify it, extract claims, then discard it.
### Q: Can I refresh an access token before it expires?
**A:** Yes! It's recommended to refresh tokens 5-10 minutes before expiration to avoid race conditions.
### Q: What if my refresh token expires?
**A:** User must re-authenticate via the normal OAuth flow (redirect to /oauth/authorize).
### Q: Can I revoke all of a user's sessions at once?
**A:** Yes, but you need to track all refresh tokens per user on your backend, then revoke them all.
### Q: Are access tokens revocable?
**A:** Yes! You can revoke access tokens using the same `/oauth/revoke` endpoint.
---
## Migration Guide (From Access Token Only)
### Before (Access Token Only):
```javascript
// User logs in
const tokens = await exchangeAuthCode(code);
localStorage.setItem('access_token', tokens.access_token);
// After 1 hour -> Token expires -> Redirect to login
if (isTokenExpired()) {
window.location = '/oauth/authorize';
}
```
### After (With Refresh Tokens):
```javascript
// User logs in
const tokens = await exchangeAuthCode(code);
sessionStorage.setItem('access_token', tokens.access_token);
secureStorage.set('refresh_token', tokens.refresh_token); // Encrypted
// After 1 hour -> Refresh silently
if (isTokenExpired()) {
const newTokens = await refreshAccessToken();
sessionStorage.setItem('access_token', newTokens.access_token);
secureStorage.set('refresh_token', newTokens.refresh_token);
}
```
---
## Additional Resources
- **RFC 6749 (OAuth 2.0):** https://datatracker.ietf.org/doc/html/rfc6749
- **RFC 7009 (Token Revocation):** https://datatracker.ietf.org/doc/html/rfc7009
- **OIDC Core Spec:** https://openid.net/specs/openid-connect-core-1_0.html
- **OAuth 2.0 Security Best Practices:** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
---
## Support
For issues or questions about refresh token implementation, contact your Clinch administrator or check the application documentation.
**Version:** 1.0
**Last Updated:** November 2025

154
docs/security-todo.md Normal file
View File

@@ -0,0 +1,154 @@
# Security Status
**Last Audit:** 2025-12-31
**Target Users:** Self-hosters, small businesses
> **Beta Release Criteria:** See [beta-checklist.md](beta-checklist.md) for overall release readiness assessment.
>
> This document demonstrates our proactive approach to security through systematic vulnerability tracking and remediation.
---
## Summary
| Phase | Status | Description |
|-------|--------|-------------|
| Phase 1-2 | ✅ Complete | Rate limiting, security headers, tests |
| Phase 3 | ✅ Complete | Critical fixes (token DoS, plaintext storage, fail-open) |
| Phase 4 | ✅ Complete | High priority (PKCE, WebAuthn, email re-auth, TOTP encryption) |
| Phase 5 | 🟡 In Progress | Security enhancements |
| Phase 6 | ⏳ Optional | Hardening & documentation |
---
## Outstanding Security Issues
---
### MEDIUM - Account Lockout Mechanism
**Files:** `app/controllers/sessions_controller.rb`, `app/models/user.rb`
**Impact:** Brute force attack mitigation
**Implementation:**
- Add `failed_login_attempts` and `locked_until` columns to users
- Progressive delays: 5 attempts → 5s, 10 → 1min, 15 → 15min, 20+ → 1hr
- Admin notification on lockout
- Configurable via `MAX_LOGIN_ATTEMPTS` ENV
---
### MEDIUM - Per-Account Rate Limiting
**Files:** `app/controllers/sessions_controller.rb`, `config/initializers/rack_attack.rb`
**Impact:** Distributed brute force prevention
**Current:** Global rate limiting only
**Needed:** Add per-email rate limiting (10 failed attempts/email/hour)
---
### LOW - WebAuthn Clone Detection Action
**File:** `app/controllers/sessions_controller.rb:252-256`
**Impact:** Cloned credential detection
**Current:** Logs warning on suspicious sign count
**Improvement:** Block authentication, notify user/admin
---
## Configuration Choices (Not Vulnerabilities)
These are policy decisions for self-hosters, not security bugs:
| Item | Default | Notes |
|------|---------|-------|
| Session cookie domain | Root domain | Enables SSO across subdomains. Add `SECURE_SUBDOMAIN_ISOLATION` ENV to disable |
| CSP policy | unsafe-inline, unsafe-eval | Required for Stimulus/Turbo. Audit JS to remove if needed |
| Logout redirect validation | Allows query params | Per OAuth 2.0 spec. Document behavior |
| Invitation token lifetime | 24 hours | Add `INVITATION_TOKEN_LIFETIME` ENV for high-security deployments |
| Password minimum length | 8 chars | Add `PASSWORD_MIN_LENGTH` ENV, consider zxcvbn |
| Admin self-demotion check | String comparison | Minor - use `.to_i` for integer comparison |
---
## Completed Fixes
### Phase 3 - Critical (December 2025)
**1. Token Lookup DoS**
- Problem: O(n) BCrypt comparisons on token lookup
- Solution: HMAC-based token prefix for O(1) indexed lookup
- Files: `token_prefixable.rb`, token models, migration
**2. Plaintext Token Storage**
- Problem: Access tokens stored in plaintext
- Solution: Removed `token` column, use BCrypt digest only
- Files: Migration, fixtures, tests
**3. Forward Auth Fail-Open**
- Problem: Unmatched domains allowed by default
- Solution: Changed to fail-closed (403 for unconfigured domains)
- Files: `forward_auth_controller.rb`
---
### Phase 4 - High Priority (December 2025)
**4. PKCE Enforcement**
- Problem: PKCE was optional
- Solution: Per-app PKCE with mandatory enforcement for public clients
- Files: Application model, OIDC controller, migration
**5. WebAuthn Info Disclosure**
- Problem: `/webauthn/check` leaked user_id and preferred_method
- Solution: Minimal response, rate limiting (10/min), identical responses for non-existent users
- Files: `webauthn_controller.rb`
**6. OIDC State URL Encoding**
- Problem: State parameter not consistently URL-encoded
- Solution: `CGI.escape()` on all redirect URLs
- Files: `oidc_controller.rb` (4 locations)
**7. Email Change Re-authentication**
- Problem: Email could be changed without password
- Solution: Require current password for email changes
- Files: `profiles_controller.rb`, view
**12. TOTP Secret Encryption**
- Problem: TOTP secrets stored in plaintext
- Solution: Rails `encrypts` with keys derived from SECRET_KEY_BASE
- Files: `user.rb`, `active_record_encryption.rb`
**13. WebAuthn Credential ID Enumeration**
- Problem: Global credential lookup allowed enumeration via 404 vs 403 responses
- Solution: Scoped credential lookup to current user, identical responses
- Files: `webauthn_controller.rb`, `webauthn_credential_enumeration_test.rb`
---
## Security Strengths
- **Token security:** HMAC prefix + BCrypt, no plaintext storage
- **Authorization codes:** Pessimistic locking, single-use enforcement
- **Refresh tokens:** Family tracking for rotation attack detection
- **Reserved claims:** Validation prevents claim override attacks
- **Rate limiting:** Applied on all authentication endpoints
- **Forward auth:** Fail-closed by default
- **TOTP:** AES-256-GCM encryption at rest
- **Email changes:** Require password re-authentication
- **Credential isolation:** Scoped lookups prevent enumeration attacks
---
## Audit History
| Date | Event |
|------|-------|
| 2025-12-31 | Credential ID enumeration fix (scoped lookups) |
| 2025-12-31 | Security review - 1 new issue found (credential enumeration) |
| 2025-12-31 | Phase 4 completed (PKCE, WebAuthn, email re-auth, TOTP) |
| 2025-12-30 | Phase 3 completed (token DoS, plaintext storage, fail-open) |
| 2025-12-30 | Comprehensive security audit - 18 issues identified |
| Earlier | Phase 1-2 completed (rate limiting, headers, tests) |

330
docs/traefik-example.md Normal file
View File

@@ -0,0 +1,330 @@
# Traefik ForwardAuth Configuration Examples
## Basic Configuration (Protecting MEtube)
### docker-compose.yml with Traefik Labels
```yaml
version: '3'
services:
# Clinch SSO
clinch:
image: your-clinch-image
labels:
- "traefik.enable=true"
- "traefik.http.routers.clinch.rule=Host(`clinch.yourdomain.com`)"
- "traefik.http.routers.clinch.entrypoints=websecure"
- "traefik.http.routers.clinch.tls.certresolver=letsencrypt"
- "traefik.http.services.clinch.loadbalancer.server.port=3000"
# MEtube - Protected by Clinch
metube:
image: ghcr.io/alexta69/metube
labels:
- "traefik.enable=true"
- "traefik.http.routers.metube.rule=Host(`metube.yourdomain.com`)"
- "traefik.http.routers.metube.entrypoints=websecure"
- "traefik.http.routers.metube.tls.certresolver=letsencrypt"
# ForwardAuth middleware
- "traefik.http.routers.metube.middlewares=metube-auth"
- "traefik.http.middlewares.metube-auth.forwardauth.address=http://clinch:3000/api/verify?app=metube"
- "traefik.http.middlewares.metube-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Email,Remote-Groups,Remote-Admin"
- "traefik.http.services.metube.loadbalancer.server.port=8081"
```
## Traefik Static Configuration (File)
### traefik.yml
```yaml
entryPoints:
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
certificatesResolvers:
letsencrypt:
acme:
email: your-email@example.com
storage: /letsencrypt/acme.json
tlsChallenge: {}
providers:
docker:
exposedByDefault: false
file:
filename: /config/dynamic.yml
watch: true
```
## Traefik Dynamic Configuration (File)
### dynamic.yml
```yaml
http:
middlewares:
# Clinch ForwardAuth middleware for MEtube
metube-auth:
forwardAuth:
address: "http://clinch:3000/api/verify?app=metube"
authResponseHeaders:
- "Remote-User"
- "Remote-Email"
- "Remote-Groups"
- "Remote-Admin"
# Clinch ForwardAuth for Sonarr (with group restriction)
sonarr-auth:
forwardAuth:
address: "http://clinch:3000/api/verify?app=sonarr"
authResponseHeaders:
- "Remote-User"
- "Remote-Email"
- "Remote-Groups"
- "Remote-Admin"
routers:
clinch:
rule: "Host(`clinch.yourdomain.com`)"
service: clinch
entryPoints:
- websecure
tls:
certResolver: letsencrypt
metube:
rule: "Host(`metube.yourdomain.com`)"
service: metube
middlewares:
- metube-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
sonarr:
rule: "Host(`sonarr.yourdomain.com`)"
service: sonarr
middlewares:
- sonarr-auth
entryPoints:
- websecure
tls:
certResolver: letsencrypt
services:
clinch:
loadBalancer:
servers:
- url: "http://clinch:3000"
metube:
loadBalancer:
servers:
- url: "http://metube:8081"
sonarr:
loadBalancer:
servers:
- url: "http://sonarr:8989"
```
## How It Works
1. User visits `https://metube.yourdomain.com`
2. Traefik intercepts and applies the `metube-auth` middleware
3. Traefik makes request to `http://clinch:3000/api/verify?app=metube`
4. Clinch checks if user is authenticated and authorized:
- If **200**: Traefik forwards request to MEtube with user headers
- If **401/403**: Traefik redirects to Clinch login page
5. User signs into Clinch (with TOTP if enabled)
6. Clinch redirects back to MEtube
7. User can now access MEtube!
## Setup Steps
### 1. Create Applications in Clinch
Via Rails console:
```ruby
# MEtube - No groups = everyone can access
Application.create!(
name: "MEtube",
slug: "metube",
app_type: "trusted_header",
active: true
)
# Sonarr - Restricted to media-managers group
media_group = Group.find_by(name: "media-managers")
sonarr = Application.create!(
name: "Sonarr",
slug: "sonarr",
app_type: "trusted_header",
active: true
)
ApplicationGroup.create!(application: sonarr, group: media_group)
```
### 2. Update Traefik Configuration
Add the ForwardAuth middlewares and labels shown above.
### 3. Restart Traefik
```bash
docker-compose restart traefik
```
### 4. Test
Visit https://metube.yourdomain.com - you should be redirected to Clinch login!
## Advanced: Custom Error Pages
```yaml
http:
middlewares:
clinch-errors:
errors:
status:
- "401-403"
service: clinch
query: "/signin?redirect={url}"
metube-auth:
forwardAuth:
address: "http://clinch:3000/api/verify?app=metube"
authResponseHeaders:
- "Remote-User"
- "Remote-Email"
- "Remote-Groups"
- "Remote-Admin"
routers:
metube:
rule: "Host(`metube.yourdomain.com`)"
service: metube
middlewares:
- metube-auth
- clinch-errors # Add custom error handling
entryPoints:
- websecure
tls:
certResolver: letsencrypt
```
## Kubernetes Ingress Example
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: clinch-metube-auth
spec:
forwardAuth:
address: http://clinch.clinch-system.svc.cluster.local:3000/api/verify?app=metube
authResponseHeaders:
- Remote-User
- Remote-Email
- Remote-Groups
- Remote-Admin
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: metube
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-clinch-metube-auth@kubernetescrd
spec:
rules:
- host: metube.yourdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: metube
port:
number: 8081
```
## Troubleshooting
### Users not staying logged in
Ensure Traefik preserves cookies and sets correct headers:
```yaml
http:
routers:
clinch:
middlewares:
- clinch-headers
middlewares:
clinch-headers:
headers:
customRequestHeaders:
X-Forwarded-Host: "clinch.yourdomain.com"
X-Forwarded-Proto: "https"
```
### Authentication loop
1. Check that `/api/verify` is accessible from Traefik
2. Verify the ForwardAuth middleware address is correct
3. Check Clinch logs for errors
### Check Clinch logs
```bash
docker-compose logs -f clinch
```
You'll see ForwardAuth log messages like:
```
ForwardAuth: User user@example.com granted access to metube
ForwardAuth: Unauthorized - No session cookie
```
### Debug Traefik
Enable access logs in `traefik.yml`:
```yaml
accessLog:
filePath: "/var/log/traefik/access.log"
format: json
```
## Comparison: Traefik vs. Caddy
### Traefik
- ✅ Better for Docker/Kubernetes environments
- ✅ Automatic service discovery
- ✅ Rich middleware system
- ❌ More complex configuration
### Caddy
- ✅ Simpler configuration
- ✅ Automatic HTTPS by default
- ✅ Better for static configurations
- ❌ Less dynamic than Traefik
Both work great with Clinch ForwardAuth!

238
docs/webauthn-implementation-summary.md Normal file
View File

@@ -0,0 +1,238 @@
# WebAuthn/Passkeys Implementation - Quick Start
This is a companion summary to the [full implementation plan](webauthn-passkeys-plan.md).
## What We're Building
Add modern passwordless authentication (passkeys) to Clinch, allowing users to sign in with Face ID, Touch ID, Windows Hello, or hardware security keys (YubiKey).
## Quick Overview
### Features
- **Passwordless login** - Sign in with biometrics, no password needed
- **Multi-device support** - Register passkeys on multiple devices
- **Synced passkeys** - Works with iCloud Keychain, Google Password Manager
- **2FA option** - Use passkeys as second factor instead of TOTP
- **Hardware keys** - Support for YubiKey and other FIDO2 devices
- **User management** - Register, name, and delete multiple passkeys
### Tech Stack
- `webauthn` gem (~3.0) - Server-side WebAuthn implementation
- Browser WebAuthn API - Native browser support (no JS libraries needed)
- Stimulus controller - Frontend UX management
## 5-Phase Implementation
### Phase 1: Foundation (Week 1-2)
Core WebAuthn registration and authentication
- Database schema for credentials
- Registration ceremony (add passkey)
- Authentication ceremony (sign in with passkey)
- Basic JavaScript integration
### Phase 2: User Experience (Week 2-3)
Polished UI and management
- Profile page: list/manage passkeys
- Login page: "Sign in with Passkey" button
- Nickname management
- First-run wizard update
### Phase 3: Security (Week 3-4)
Advanced security features
- Sign count verification (clone detection)
- Attestation validation (optional)
- User verification requirements
- Admin controls and policies
### Phase 4: Integration (Week 4)
Connect with existing features
- OIDC integration (AMR claims)
- WebAuthn as 2FA option
- ForwardAuth compatibility
- Account recovery flows
### Phase 5: Testing & Docs (Week 4-5)
Quality assurance
- Unit, integration, and system tests
- Virtual authenticator testing
- User and admin documentation
- Security audit
## Database Schema
### New Table: `webauthn_credentials`
```ruby
create_table :webauthn_credentials do |t|
t.references :user, null: false, foreign_key: true
t.string :external_id, null: false # Credential ID
t.string :public_key, null: false # Public key
t.integer :sign_count, default: 0 # For clone detection
t.string :nickname # "MacBook Touch ID"
t.string :authenticator_type # platform/cross-platform
t.datetime :last_used_at
t.timestamps
end
```
### Update `users` table
```ruby
add_column :users, :webauthn_id, :string # User handle
add_column :users, :webauthn_required, :boolean # Policy enforcement
```
## Key User Flows
### 1. Register Passkey
```
User profile → "Add Passkey" → Browser prompt →
Touch ID/Face ID → Passkey saved → Can sign in
```
### 2. Sign In with Passkey
```
Login page → Enter email → "Continue with Passkey" →
Browser prompt → Touch ID/Face ID → Signed in
```
### 3. WebAuthn as 2FA
```
Enter password → Prompted for passkey →
Touch ID/Face ID → Signed in
```
## Security Highlights
1. **Phishing-resistant** - Passkeys are bound to the domain
2. **No shared secrets** - Public key cryptography
3. **Clone detection** - Sign count verification
4. **User verification** - Biometric or PIN required
5. **Privacy-preserving** - Opaque user handles
## Integration Points
### OIDC
- Add `amr` claim: `["webauthn"]`
- Support `acr_values=webauthn` in authorization request
- Include authentication method in ID token
### ForwardAuth
- WebAuthn creates standard sessions
- Works automatically with existing `/api/verify` endpoint
- Optional header: `Remote-Auth-Method: webauthn`
### Admin Controls
- Require WebAuthn for specific users/groups
- View all registered passkeys
- Revoke compromised credentials
- Audit log of authentications
## Files to Create/Modify
### New Files (~12)
- `app/models/webauthn_credential.rb`
- `app/controllers/webauthn_controller.rb`
- `app/javascript/controllers/webauthn_controller.js`
- `config/initializers/webauthn.rb`
- Views for registration/management
- Tests (model, controller, integration, system)
- Documentation (user guide, admin guide)
### Modified Files (~8)
- `Gemfile` - Add webauthn gem
- `app/models/user.rb` - Add associations/methods
- `app/controllers/sessions_controller.rb` - WebAuthn authentication
- `app/views/sessions/new.html.erb` - Add passkey button
- `app/views/profiles/show.html.erb` - Passkey management
- `config/routes.rb` - WebAuthn routes
- `README.md` - Document feature
- `app/controllers/oidc_controller.rb` - AMR claims
## Browser Support
### Supported (WebAuthn Level 2)
- Chrome/Edge 90+
- Firefox 90+
- Safari 14+ (macOS Big Sur / iOS 14+)
### Platform Authenticators
- macOS: Touch ID
- iOS/iPadOS: Face ID, Touch ID
- Windows: Windows Hello (face, fingerprint, PIN)
- Android: Fingerprint, face unlock
### Roaming Authenticators
- YubiKey 5 series
- SoloKeys
- Google Titan Security Key
- Any FIDO2-certified hardware key
## Open Questions
1. **Attestation**: Validate authenticator hardware? (Recommend: No for v1)
2. **Resident Keys**: Require discoverable credentials? (Recommend: Preferred, not required)
3. **Synced Passkeys**: Allow iCloud/Google sync? (Recommend: Yes)
4. **Recovery**: How to recover if all passkeys lost? (Recommend: Email verification)
5. **2FA**: Replace TOTP or offer both? (Recommend: Offer both)
6. **Enforcement**: When to require passkeys? (Recommend: 3 months after launch for admins)
## Success Metrics
### Adoption
- % of users with ≥1 passkey
- % of logins using passkey vs password
- Average registration time
### Security
- Reduced password reset requests
- Reduced account takeover attempts
- Zero phishing success (passkeys can't be phished)
### Performance
- Faster authentication time
- Low error rate (<5%)
- High browser compatibility (>95%)
## Timeline
- **Week 1-2**: Foundation (Phase 1)
- **Week 2-3**: UX & Testing (Phase 2 + Phase 5 start)
- **Week 3-4**: Security & Integration (Phase 3 + Phase 4)
- **Week 4-5**: Beta testing and documentation
- **Week 5+**: Production rollout
**Total**: 4-6 weeks for full implementation and testing
## Next Steps
1. ✅ Review this plan
2. ⬜ Create Gitea issues for each phase
3. ⬜ Add `webauthn` gem to Gemfile
4. ⬜ Create database migrations
5. ⬜ Implement Phase 1 (registration ceremony)
6. ⬜ Implement Phase 1 (authentication ceremony)
7. ⬜ Add JavaScript frontend
8. ⬜ Test with virtual authenticators
9. ⬜ Continue through remaining phases
## Resources
- [Full Implementation Plan](webauthn-passkeys-plan.md) - Detailed 50+ page document
- [W3C WebAuthn Spec](https://www.w3.org/TR/webauthn-2/)
- [webauthn-ruby gem](https://github.com/cedarcode/webauthn-ruby)
- [WebAuthn Guide](https://webauthn.guide/)
- [MDN Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
## Questions?
Refer to the [full implementation plan](webauthn-passkeys-plan.md) for:
- Detailed technical specifications
- Security considerations
- Code examples
- Testing strategies
- Migration strategies
- Complete API reference
---
*Status: Ready for Review*
*See: [webauthn-passkeys-plan.md](webauthn-passkeys-plan.md) for full details*

787
docs/webauthn-passkeys-plan.md Normal file
View File

@@ -0,0 +1,787 @@
# WebAuthn / Passkeys Implementation Plan for Clinch
## Executive Summary
This document outlines a comprehensive plan to add WebAuthn/Passkeys support to Clinch, enabling modern passwordless authentication alongside the existing password + TOTP authentication methods.
## Goals
1. **Primary Authentication**: Allow users to register and use passkeys as their primary login method (passwordless)
2. **MFA Enhancement**: Support passkeys as a second factor alongside TOTP
3. **Cross-Device Support**: Enable both platform authenticators (Face ID, Touch ID, Windows Hello) and roaming authenticators (YubiKey, security keys)
4. **User Experience**: Provide seamless registration, authentication, and management of multiple passkeys
5. **Backward Compatibility**: Maintain existing password + TOTP flows without disruption
## Architecture Overview
### Technology Stack
- **webauthn gem** (~3.0): Ruby library for WebAuthn server implementation
- **Rails 8.1**: Existing framework
- **Browser WebAuthn API**: Native browser support (all modern browsers)
### Core Components
1. **WebAuthn Credentials Model**: Store registered authenticators
2. **WebAuthn Controller**: Handle registration and authentication ceremonies
3. **Session Flow Updates**: Integrate passkey authentication into existing login flow
4. **User Management UI**: Allow users to register, name, and delete passkeys
5. **Admin Controls**: Configure WebAuthn policies per user/group
---
## Database Schema
### New Table: `webauthn_credentials`
```ruby
create_table :webauthn_credentials do |t|
t.references :user, null: false, foreign_key: true, index: true
# WebAuthn specification fields
t.string :external_id, null: false, index: { unique: true } # credential ID (base64)
t.string :public_key, null: false # public key (base64)
t.integer :sign_count, null: false, default: 0 # signature counter (clone detection)
# Metadata
t.string :nickname # User-friendly name ("MacBook Touch ID")
t.string :authenticator_type # "platform" or "cross-platform"
t.boolean :backup_eligible, default: false # Can be backed up (passkey sync)
t.boolean :backup_state, default: false # Currently backed up
# Tracking
t.datetime :last_used_at
t.string :last_used_ip
t.string :user_agent # Browser/OS info
timestamps
end
add_index :webauthn_credentials, [:user_id, :external_id], unique: true
```
### Update `users` table
```ruby
add_column :users, :webauthn_required, :boolean, default: false, null: false
add_column :users, :webauthn_id, :string # WebAuthn user handle (random, stable, opaque)
add_index :users, :webauthn_id, unique: true
```
---
## Implementation Phases
### Phase 1: Foundation (Core WebAuthn Support)
**Objective**: Enable basic passkey registration and authentication
#### 1.1 Setup & Dependencies
- [ ] Add `webauthn` gem to Gemfile (~3.0)
- [ ] Create WebAuthn initializer with configuration
- [ ] Generate migration for `webauthn_credentials` table
- [ ] Add WebAuthn user handle generation to User model
#### 1.2 Models
**File**: `app/models/webauthn_credential.rb`
```ruby
class WebauthnCredential < ApplicationRecord
belongs_to :user
validates :external_id, presence: true, uniqueness: true
validates :public_key, presence: true
validates :sign_count, presence: true, numericality: { greater_than_or_equal_to: 0 }
scope :active, -> { where(revoked_at: nil) }
scope :platform_authenticators, -> { where(authenticator_type: "platform") }
scope :roaming_authenticators, -> { where(authenticator_type: "cross-platform") }
# Update last used timestamp and sign count after successful authentication
def update_usage!(sign_count:, ip_address: nil)
update!(
last_used_at: Time.current,
last_used_ip: ip_address,
sign_count: sign_count
)
end
end
```
**Update**: `app/models/user.rb`
```ruby
has_many :webauthn_credentials, dependent: :destroy
# Generate stable WebAuthn user handle on first use
def webauthn_user_handle
return webauthn_id if webauthn_id.present?
# Generate random 64-byte opaque identifier (base64url encoded)
handle = SecureRandom.urlsafe_base64(64)
update_column(:webauthn_id, handle)
handle
end
def webauthn_enabled?
webauthn_credentials.active.exists?
end
def can_authenticate_with_webauthn?
webauthn_enabled? && active?
end
```
#### 1.3 WebAuthn Configuration
**File**: `config/initializers/webauthn.rb`
```ruby
WebAuthn.configure do |config|
# Relying Party name (displayed in authenticator)
config.origin = ENV.fetch("CLINCH_HOST", "http://localhost:3000")
# Relying Party ID (must match origin domain)
config.rp_name = "Clinch Identity Provider"
# Credential timeout (60 seconds)
config.credential_options_timeout = 60_000
# Supported algorithms (ES256, RS256)
config.algorithms = ["ES256", "RS256"]
end
```
#### 1.4 Registration Flow (Ceremony)
**File**: `app/controllers/webauthn_controller.rb`
Key actions:
- `GET /webauthn/new` - Display registration page
- `POST /webauthn/challenge` - Generate registration challenge
- `POST /webauthn/create` - Verify and store credential
**Registration Process**:
1. User clicks "Add Passkey" in profile settings
2. Server generates challenge options (stored in session)
3. Browser calls `navigator.credentials.create()`
4. User authenticates with device (Touch ID, Face ID, etc.)
5. Browser returns signed credential
6. Server verifies signature and stores credential
#### 1.5 Authentication Flow (Ceremony)
**Update**: `app/controllers/sessions_controller.rb`
New actions:
- `POST /sessions/webauthn/challenge` - Generate authentication challenge
- `POST /sessions/webauthn/verify` - Verify credential and sign in
**Authentication Process**:
1. User clicks "Sign in with Passkey" on login page
2. Server generates challenge (stored in session)
3. Browser calls `navigator.credentials.get()`
4. User authenticates with device
5. Browser returns signed assertion
6. Server verifies signature, checks sign count, creates session
#### 1.6 Frontend JavaScript
**File**: `app/javascript/controllers/webauthn_controller.js` (Stimulus)
Responsibilities:
- Encode/decode base64url data for WebAuthn API
- Handle browser WebAuthn API calls
- Error handling and user feedback
- Progressive enhancement (feature detection)
**Example registration**:
```javascript
async register() {
const options = await this.fetchChallenge()
const credential = await navigator.credentials.create(options)
await this.submitCredential(credential)
}
```
---
### Phase 2: User Experience & Management
**Objective**: Provide intuitive UI for managing passkeys
#### 2.1 Profile Management
**File**: `app/views/profiles/show.html.erb` (update)
Features:
- List all registered passkeys with nicknames
- Show last used timestamp
- Badge for platform vs roaming authenticators
- Add new passkey button
- Delete passkey button (with confirmation)
- Show "synced passkey" badge if backup_state is true
#### 2.2 Registration Improvements
- Auto-detect device type and suggest nickname ("Chrome on MacBook")
- Show preview of what authenticator will display
- Require at least one authentication method (password OR passkey)
- Warning if removing last authentication method
#### 2.3 Login Page Updates
**File**: `app/views/sessions/new.html.erb` (update)
- Add "Sign in with Passkey" button (conditional rendering)
- Show button only if WebAuthn is supported by browser
- Progressive enhancement: fallback to password if WebAuthn fails
- Email field for identifying which user's passkeys to request
**Flow**:
1. User enters email address
2. Server checks if user has passkeys
3. If yes, show "Continue with Passkey" button
4. If no passkeys, show password field
#### 2.4 First-Run Wizard Update
**File**: `app/views/users/new.html.erb` (first-run wizard)
- Option to register passkey immediately after creating account
- Skip passkey registration if not supported or user declines
- Encourage passkey setup but don't require it
---
### Phase 3: Security & Advanced Features
**Objective**: Harden security and add enterprise features
#### 3.1 Sign Count Verification
**Purpose**: Detect cloned authenticators
Implementation:
- Store sign_count after each authentication
- Verify new sign_count > old sign_count
- If count doesn't increase: log warning, optionally disable credential
- Add admin alert for suspicious activity
#### 3.2 Attestation Validation (Optional)
**Purpose**: Verify authenticator is genuine hardware
Options:
- None (most compatible, recommended for self-hosted)
- Indirect (some validation)
- Direct (strict validation, enterprise)
**Configuration** (per-application):
```ruby
class Application < ApplicationRecord
enum webauthn_attestation: {
none: 0,
indirect: 1,
direct: 2
}, _default: :none
end
```
#### 3.3 User Verification Requirements
**Levels**:
- `discouraged`: No user verification (not recommended)
- `preferred`: Request if available (default)
- `required`: Must have PIN/biometric (high security apps)
**Configuration**: Per-application setting
#### 3.4 Resident Keys (Discoverable Credentials)
**Feature**: Passkey contains username, no email entry needed
**Implementation**:
- Set `residentKey: "preferred"` or `"required"` in credential options
- Allow users to sign in without entering email first
- Add `POST /sessions/webauthn/discoverable` endpoint
**Benefits**:
- Faster login (no email typing)
- Better UX on mobile devices
- Works with password managers (1Password, etc.)
#### 3.5 Admin Controls
**File**: `app/views/admin/users/edit.html.erb`
Admin capabilities:
- View all user passkeys
- Revoke compromised passkeys
- Require WebAuthn for specific users/groups
- View WebAuthn authentication audit log
- Configure WebAuthn policies
**New fields**:
```ruby
# On User model
webauthn_required: boolean # Must have at least one passkey
# On Group model
webauthn_enforcement: enum # :none, :encouraged, :required
```
---
### Phase 4: Integration with Existing Flows
**Objective**: Seamlessly integrate with OIDC, ForwardAuth, and 2FA
#### 4.1 OIDC Authorization Flow
**Update**: `app/controllers/oidc_controller.rb`
Integration points:
- If user has no password but has passkey, trigger WebAuthn
- Application can request `webauthn` in `acr_values` parameter
- Include `amr` claim in ID token: `["webauthn"]` or `["pwd", "totp"]`
**Example ID token**:
```json
{
"sub": "user-123",
"email": "user@example.com",
"amr": ["webauthn"], // Authentication Methods References
"acr": "urn:mace:incommon:iap:silver"
}
```
#### 4.2 WebAuthn as Second Factor
**Scenario**: User signs in with password, then WebAuthn as 2FA
**Flow**:
1. User enters password (first factor)
2. If `webauthn_required` is true OR user chooses WebAuthn
3. Trigger WebAuthn challenge (instead of TOTP)
4. User authenticates with passkey
5. Create session
**Configuration**:
```ruby
# User can choose 2FA method
user.preferred_2fa # :totp or :webauthn
# Admin can require specific 2FA method
user.required_2fa # :any, :totp, :webauthn
```
#### 4.3 ForwardAuth Integration
**Update**: `app/controllers/api/forward_auth_controller.rb`
No changes needed! WebAuthn creates standard sessions, ForwardAuth works as-is.
**Header injection**:
```
Remote-User: user@example.com
Remote-Groups: admin,family
Remote-Auth-Method: webauthn # NEW optional header
```
#### 4.4 Backup Codes
**Consideration**: What if user loses all passkeys?
**Options**:
1. Keep existing backup codes system (works for TOTP, not WebAuthn-only)
2. Require email verification for account recovery
3. Require at least one roaming authenticator (YubiKey) + platform authenticator
**Recommended**: Require password OR email-verified recovery flow
---
### Phase 5: Testing & Documentation
**Objective**: Ensure reliability and provide clear documentation
#### 5.1 Automated Tests
**Test Coverage**:
1. **Model tests** (`test/models/webauthn_credential_test.rb`)
- Credential creation and validation
- Sign count updates
- Credential scopes and queries
2. **Controller tests** (`test/controllers/webauthn_controller_test.rb`)
- Registration challenge generation
- Credential verification
- Authentication challenge generation
- Assertion verification
3. **Integration tests** (`test/integration/webauthn_authentication_test.rb`)
- Full registration flow
- Full authentication flow
- Error handling (invalid signatures, expired challenges)
4. **System tests** (`test/system/webauthn_test.rb`)
- End-to-end browser testing with virtual authenticator
- Chrome DevTools Protocol virtual authenticator
**Example virtual authenticator test**:
```ruby
test "user registers passkey" do
driver.add_virtual_authenticator(protocol: :ctap2)
visit profile_path
click_on "Add Passkey"
fill_in "Nickname", with: "Test Key"
click_on "Register"
assert_text "Passkey registered successfully"
end
```
#### 5.2 Documentation
**Files to create/update**:
1. **User Guide** (`docs/webauthn-user-guide.md`)
- What are passkeys?
- How to register a passkey
- How to sign in with a passkey
- Managing multiple passkeys
- Troubleshooting
2. **Admin Guide** (`docs/webauthn-admin-guide.md`)
- WebAuthn policies and configuration
- Enforcing passkeys for users/groups
- Security considerations
- Audit logging
3. **Developer Guide** (`docs/webauthn-developer-guide.md`)
- Architecture overview
- WebAuthn ceremony flows
- Testing with virtual authenticators
- OIDC integration details
4. **README Update** (`README.md`)
- Add WebAuthn/Passkeys to Authentication Methods section
- Update feature list
#### 5.3 Browser Compatibility
**Supported Browsers**:
- Chrome/Edge 90+ (Chromium)
- Firefox 90+
- Safari 14+ (macOS Big Sur, iOS 14)
**Graceful Degradation**:
- Feature detection: check `window.PublicKeyCredential`
- Hide passkey UI if not supported
- Always provide password fallback
---
## Security Considerations
### 1. Challenge Storage
- Store challenges in server-side session (not cookies)
- Challenges expire after 60 seconds
- One-time use (mark as used after verification)
### 2. Origin Validation
- WebAuthn library automatically validates origin
- Ensure `CLINCH_HOST` environment variable is correct
- Must use HTTPS in production (required by WebAuthn spec)
### 3. Relying Party ID
- Must match the origin domain
- Cannot be changed after credentials are registered
- Use apex domain for subdomain compatibility (e.g., `example.com` works for `auth.example.com` and `app.example.com`)
### 4. User Handle Privacy
- User handle is opaque, random, and stable
- Never use email or user ID as user handle
- Store in `users.webauthn_id` column
### 5. Sign Count Verification
- Always check sign_count increases
- Log suspicious activity (counter didn't increase)
- Consider disabling credential if counter resets
### 6. Credential Backup Awareness
- Track `backup_eligible` and `backup_state` flags
- Inform users about synced passkeys
- Higher security apps may want to disallow backed-up credentials
### 7. Account Recovery
- Don't lock users out if they lose all passkeys
- Require email verification for recovery
- Send alerts when recovery is used
---
## Migration Strategy
### For Existing Users
**Option 1: Opt-in (Recommended)**
- Add "Register Passkey" button in profile settings
- Show banner encouraging passkey setup
- Don't require passkeys initially
- Gradually increase adoption through UI prompts
**Option 2: Mandatory Migration**
- Set deadline for passkey registration
- Email users with instructions
- Admins can enforce passkey requirement per group
- Provide support documentation
### For New Users
**During First-Run Wizard**:
1. Create account with email + password (existing flow)
2. Offer optional passkey registration
3. If accepted, walk through registration
4. If declined, remind later in dashboard
---
## Performance Considerations
### Database Indexes
```ruby
# Essential indexes for performance
add_index :webauthn_credentials, :user_id
add_index :webauthn_credentials, :external_id, unique: true
add_index :webauthn_credentials, [:user_id, :last_used_at]
```
### Query Optimization
- Eager load credentials with user: `User.includes(:webauthn_credentials)`
- Cache credential count: `user.webauthn_credentials.count`
### Cleanup Jobs
- Remove expired challenges from session store
- Archive old credentials (last_used > 1 year ago)
---
## Rollout Plan
### Phase 1: Development (Week 1-2)
- [ ] Setup gem and database schema
- [ ] Implement registration ceremony
- [ ] Implement authentication ceremony
- [ ] Add basic UI components
### Phase 2: Testing (Week 2-3)
- [ ] Write unit and integration tests
- [ ] Test with virtual authenticators
- [ ] Test on real devices (iOS, Android, Windows, macOS)
- [ ] Security audit
### Phase 3: Beta (Week 3-4)
- [ ] Deploy to staging environment
- [ ] Enable for admin users only
- [ ] Gather feedback
- [ ] Fix bugs and UX issues
### Phase 4: Production (Week 4-5)
- [ ] Deploy to production
- [ ] Enable for all users (opt-in)
- [ ] Monitor error rates and adoption
- [ ] Document and share user guides
### Phase 5: Enforcement (Week 6+)
- [ ] Analyze adoption metrics
- [ ] Consider enforcement for high-security groups
- [ ] Continuous improvement based on feedback
---
## Open Questions & Decisions Needed
1. **Attestation Level**: Should we validate authenticator attestation? (Recommendation: No for v1)
2. **Resident Key Strategy**: Require resident keys (discoverable credentials)? (Recommendation: Preferred, not required)
3. **Backup Credential Policy**: Allow synced passkeys (iCloud Keychain, Google Password Manager)? (Recommendation: Yes, allow)
4. **Account Recovery**: How should users recover if they lose all passkeys? (Recommendation: Email verification + temporary password)
5. **2FA Replacement**: Should WebAuthn replace TOTP for 2FA? (Recommendation: Offer both, user choice)
6. **Enforcement Timeline**: When should we require passkeys for admins? (Recommendation: 3 months after launch)
7. **Cross-Platform Keys**: Encourage users to register both platform and roaming authenticators? (Recommendation: Yes, show prompt)
8. **Audit Logging**: Log all WebAuthn events? (Recommendation: Yes, use Rails ActiveSupport::Notifications)
---
## Dependencies
### Ruby Gems
- `webauthn` (~> 3.0) - WebAuthn server library
- `base64` (stdlib) - Encoding/decoding credentials
### JavaScript Libraries
- Native WebAuthn API (no libraries needed)
- Stimulus controller for UX
### Browser Requirements
- WebAuthn API support
- HTTPS (required in production)
- Modern browser (Chrome 90+, Firefox 90+, Safari 14+)
---
## Success Metrics
### Adoption Metrics
- % of users with at least one passkey registered
- % of logins using passkey vs password
- Time to register passkey (UX metric)
### Security Metrics
- Reduction in password reset requests
- Reduction in account takeover attempts
- Phishing resistance (passkeys can't be phished)
### Performance Metrics
- Average authentication time (should be faster)
- Error rate during registration/authentication
- Browser compatibility issues
---
## Future Enhancements
### Post-Launch Improvements
1. **Conditional UI**: Show passkey option only if user has credentials for that device
2. **Cross-Device Flow**: QR code to authenticate on one device, complete login on another
3. **Passkey Sync Status**: Show which passkeys are synced vs device-only
4. **Authenticator Icons**: Display icons for known authenticators (YubiKey, etc.)
5. **Security Key Attestation**: Verify hardware security keys for high-security apps
6. **Multi-Device Registration**: Easy workflow to register passkey on multiple devices
7. **Admin Analytics**: Dashboard showing WebAuthn adoption and usage stats
8. **FIDO2 Compliance**: Full FIDO2 conformance certification
---
## References
### Specifications
- [W3C WebAuthn Level 2](https://www.w3.org/TR/webauthn-2/)
- [FIDO2 Overview](https://fidoalliance.org/fido2/)
- [WebAuthn Guide](https://webauthn.guide/)
### Ruby Libraries
- [webauthn-ruby gem](https://github.com/cedarcode/webauthn-ruby)
- [webauthn-ruby documentation](https://github.com/cedarcode/webauthn-ruby#usage)
### Browser APIs
- [MDN: Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
- [Chrome: WebAuthn](https://developer.chrome.com/docs/devtools/webauthn/)
### Best Practices
- [FIDO2 Server Best Practices](https://fidoalliance.org/specifications/)
- [WebAuthn Awesome List](https://github.com/herrjemand/awesome-webauthn)
---
## Appendix A: File Changes Summary
### New Files
- `app/models/webauthn_credential.rb`
- `app/controllers/webauthn_controller.rb`
- `app/javascript/controllers/webauthn_controller.js`
- `app/views/webauthn/new.html.erb`
- `app/views/webauthn/show.html.erb`
- `config/initializers/webauthn.rb`
- `db/migrate/YYYYMMDD_create_webauthn_credentials.rb`
- `db/migrate/YYYYMMDD_add_webauthn_to_users.rb`
- `test/models/webauthn_credential_test.rb`
- `test/controllers/webauthn_controller_test.rb`
- `test/integration/webauthn_authentication_test.rb`
- `test/system/webauthn_test.rb`
- `docs/webauthn-user-guide.md`
- `docs/webauthn-admin-guide.md`
- `docs/webauthn-developer-guide.md`
### Modified Files
- `Gemfile` - Add webauthn gem
- `app/models/user.rb` - Add webauthn associations and methods
- `app/controllers/sessions_controller.rb` - Add webauthn authentication
- `app/views/sessions/new.html.erb` - Add "Sign in with Passkey" button
- `app/views/profiles/show.html.erb` - Add passkey management section
- `app/controllers/oidc_controller.rb` - Add AMR claim support
- `config/routes.rb` - Add webauthn routes
- `README.md` - Document WebAuthn feature
### Database Migrations
1. Create `webauthn_credentials` table
2. Add `webauthn_id` and `webauthn_required` to `users` table
---
## Appendix B: Example User Flows
### Flow 1: Register First Passkey
1. User logs in with password
2. Sees banner: "Secure your account with a passkey"
3. Clicks "Set up passkey"
4. Browser prompts: "Save a passkey for auth.example.com?"
5. User authenticates with Touch ID
6. Success message: "Passkey registered as 'MacBook Touch ID'"
### Flow 2: Sign In with Passkey
1. User visits login page
2. Enters email address
3. Clicks "Continue with Passkey"
4. Browser prompts: "Sign in to auth.example.com with your passkey?"
5. User authenticates with Touch ID
6. Immediately signed in, redirected to dashboard
### Flow 3: WebAuthn as 2FA
1. User enters password (first factor)
2. Instead of TOTP, prompted for passkey
3. User authenticates with Face ID
4. Signed in successfully
### Flow 4: Cross-Device Authentication
1. User on desktop enters email
2. Clicks "Use passkey from phone"
3. QR code displayed
4. User scans with phone, authenticates
5. Desktop session created
---
## Conclusion
This plan provides a comprehensive roadmap for adding WebAuthn/Passkeys to Clinch. The phased approach allows for iterative development, testing, and rollout while maintaining backward compatibility with existing authentication methods.
**Key Benefits**:
- Enhanced security (phishing-resistant)
- Better UX (faster, no passwords to remember)
- Modern authentication standard (FIDO2)
- Cross-platform support (iOS, Android, Windows, macOS)
- Synced passkeys (iCloud, Google Password Manager)
**Estimated Timeline**: 4-6 weeks for full implementation and testing.
**Next Steps**:
1. Review and approve this plan
2. Create GitHub issues for each phase
3. Begin Phase 1 implementation
4. Set up development environment for testing
---
*Document Version: 1.0*
*Last Updated: 2025-10-26*
*Author: Claude (Anthropic)*
*Status: Awaiting Review*

31
lib/tasks/security.rake Normal file
View File

@@ -0,0 +1,31 @@
namespace :security do
desc "Run all security checks (brakeman + bundler-audit)"
task all: :environment do
Rake::Task["security:brakeman"].invoke
Rake::Task["security:bundler_audit"].invoke
end
desc "Run Brakeman static security scanner"
task brakeman: :environment do
puts "Running Brakeman security scanner..."
system("bin/brakeman --no-pager") || abort("Brakeman found security issues!")
end
desc "Run bundler-audit to check for vulnerable dependencies"
task bundler_audit: :environment do
puts "Running bundler-audit..."
system("bin/bundler-audit check --update") || abort("bundler-audit found vulnerable dependencies!")
end
desc "Generate code coverage report (requires tests to be run with COVERAGE=1)"
task :coverage do
puts "Running tests with coverage..."
ENV["COVERAGE"] = "1"
system("bin/rails test") || abort("Tests failed!")
puts "\nCoverage report generated at coverage/index.html"
end
end
# Alias for convenience
desc "Run all security checks"
task security: "security:all"

8
test/controllers/api/forward_auth_controller_test.rb
View File

@@ -86,7 +86,7 @@ module Api
# Domain Pattern Tests
test "should match wildcard domains correctly" do
wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
sign_in_as(@user)
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
@@ -101,7 +101,7 @@ module Api
end
test "should match exact domains correctly" do
exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
sign_in_as(@user)
get "/api/verify", headers: {"X-Forwarded-Host" => "api.example.com"}
@@ -126,7 +126,7 @@ module Api
end
test "should return custom headers when configured" do
custom_rule = Application.create!(
Application.create!(
name: "Custom App",
slug: "custom-app",
app_type: "forward_auth",
@@ -151,7 +151,7 @@ module Api
end
test "should return no headers when all headers disabled" do
no_headers_rule = Application.create!(
Application.create!(
name: "No Headers App",
slug: "no-headers-app",
app_type: "forward_auth",

8
test/controllers/concerns/authentication_test.rb
View File

@@ -10,10 +10,14 @@ class AuthenticationTest < ActiveSupport::TestCase
return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
# Strip port number for domain parsing
host_without_port = host.split(':').first
host_without_port = host.split(":").first
# Check if it's an IP address (IPv4 or IPv6) - if so, don't set domain cookie
return nil if IPAddr.new(host_without_port) rescue false
begin
return nil if IPAddr.new(host_without_port)
rescue
false
end
# Use Public Suffix List for accurate domain parsing
domain = PublicSuffix.parse(host_without_port)

2
test/controllers/invitations_controller_test.rb
View File

@@ -100,7 +100,7 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
test "should destroy existing sessions when accepting invitation" do
# Create an existing session for the user
existing_session = @user.sessions.create!
@user.sessions.create!
put invitation_path(@token), params: {
password: "newpassword123",

88
test/controllers/oidc_authorization_code_security_test.rb
View File

@@ -35,7 +35,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "prevents authorization code reuse - sequential attempts" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -47,7 +47,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -55,7 +54,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -82,7 +81,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "revokes existing tokens when authorization code is reused" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -94,7 +93,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -102,7 +100,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -137,7 +135,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects already used authorization code" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -149,7 +147,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
used: true,
@@ -158,7 +155,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -174,7 +171,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects expired authorization code" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -186,7 +183,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 5.minutes.ago
@@ -194,7 +190,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -210,7 +206,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects authorization code with mismatched redirect_uri" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -221,7 +217,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -229,7 +224,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://evil.com/callback" # Wrong redirect URI
}
@@ -261,7 +256,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects authorization code for different application" do
# Create consent for the first application
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -284,7 +279,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -293,7 +287,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Try to use it with different application credentials
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -314,7 +308,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects invalid client_id in Basic auth" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -325,7 +319,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -333,7 +326,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -348,7 +341,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects invalid client_secret in Basic auth" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -359,7 +352,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -367,7 +359,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -382,7 +374,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "accepts client credentials in POST body" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -393,7 +385,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -401,7 +392,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
client_id: @application.client_id,
client_secret: @plain_client_secret
@@ -417,7 +408,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "rejects request with no client authentication" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -428,7 +419,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -436,7 +426,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -484,7 +474,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "client authentication uses constant-time comparison" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -495,7 +485,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -503,7 +492,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -604,7 +593,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "nonce parameter is included in ID token" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -616,7 +605,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
nonce: "test_nonce_123",
@@ -626,7 +614,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Exchange code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
@@ -649,7 +637,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "access tokens are not exposed in referer header" do
# Create consent and authorization code
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -660,7 +648,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -669,7 +656,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Exchange code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
@@ -677,7 +664,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
assert_response :success
response_body = JSON.parse(@response.body)
access_token = response_body["access_token"]
response_body["access_token"]
# Verify token is not in response headers (especially Referer)
assert_nil response.headers["Referer"], "Access token should not leak in Referer header"
@@ -690,7 +677,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE code_verifier is required when code_challenge was provided" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -705,7 +692,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -716,7 +702,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Try to exchange code without code_verifier
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@plain_client_secret}")
@@ -730,7 +716,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE with S256 method validates correctly" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -745,7 +731,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -756,7 +741,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Exchange code with correct code_verifier
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: code_verifier
}, headers: {
@@ -770,7 +755,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "PKCE rejects invalid code_verifier" do
# Create consent
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -785,7 +770,6 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -796,7 +780,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
# Try with wrong code_verifier
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: "wrong_code_verifier_12345678901234567890"
}, headers: {
@@ -814,7 +798,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
test "refresh token rotation is enforced" do
# Create consent for the refresh token endpoint
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
@@ -855,9 +839,7 @@ class OidcAuthorizationCodeSecurityTest < ActionDispatch::IntegrationTest
assert_not_equal old_refresh_token, new_refresh_token
# Verify token family is preserved
new_token_record = OidcRefreshToken.where(application: @application).find do |rt|
rt.token_matches?(new_refresh_token)
end
new_token_record = OidcRefreshToken.find_by_token(new_refresh_token)
assert_equal original_token_family_id, new_token_record.token_family_id
# Old refresh token should be revoked

218
test/controllers/oidc_pkce_controller_test.rb
View File

@@ -38,7 +38,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
end
test "authorization endpoint accepts PKCE parameters (S256)" do
code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
code_challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
auth_params = {
@@ -56,7 +55,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Should show consent page (user is already authenticated)
assert_response :success
assert_match /consent/, @response.body.downcase
assert_match(/consent/, @response.body.downcase)
end
test "authorization endpoint accepts PKCE parameters (plain)" do
@@ -77,7 +76,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Should show consent page (user is already authenticated)
assert_response :success
assert_match /consent/, @response.body.downcase
assert_match(/consent/, @response.body.downcase)
end
test "authorization endpoint rejects invalid code_challenge_method" do
@@ -92,8 +91,10 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params
assert_response :bad_request
assert_match(/Invalid code_challenge_method/, @response.body)
# Should redirect back to client with error parameters (OAuth2 spec)
assert_response :redirect
assert_match(/error=invalid_request/, @response.location)
assert_match(/error_description=.*code_challenge_method/, @response.location)
end
test "authorization endpoint rejects invalid code_challenge format" do
@@ -109,8 +110,10 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params
assert_response :bad_request
assert_match(/Invalid code_challenge format/, @response.body)
# Should redirect back to client with error parameters (OAuth2 spec)
assert_response :redirect
assert_match(/error=invalid_request/, @response.location)
assert_match(/error_description=.*code_challenge.*format/, @response.location)
end
test "token endpoint requires code_verifier when PKCE was used (S256)" do
@@ -127,7 +130,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
@@ -137,7 +139,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -165,7 +167,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
@@ -175,7 +176,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -203,7 +204,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
@@ -213,7 +213,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
# Use a properly formatted but wrong verifier (43+ chars, base64url)
code_verifier: "wrongverifier_with_enough_characters_base64url"
@@ -249,7 +249,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -259,7 +258,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: code_verifier
}
@@ -291,7 +290,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_verifier, # Same as verifier for plain method
@@ -301,7 +299,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: code_verifier
}
@@ -342,7 +340,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: legacy_app,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:5000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -350,7 +347,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:5000/callback"
}
@@ -408,7 +405,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: public_app,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:6000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now,
@@ -419,7 +415,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Token request with PKCE but no client_secret
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:6000/callback",
client_id: public_app.client_id,
code_verifier: code_verifier
@@ -467,7 +463,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: public_app,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:7000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -476,7 +471,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Token request without PKCE should fail
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:7000/callback",
client_id: public_app.client_id
}
@@ -486,7 +481,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
assert_response :bad_request
error = JSON.parse(@response.body)
assert_equal "invalid_request", error["error"]
assert_match /PKCE is required for public clients/, error["error_description"]
assert_match(/PKCE is required for public clients/, error["error_description"])
# Cleanup
OidcRefreshToken.where(application: public_app).delete_all
@@ -514,7 +509,6 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -523,7 +517,7 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
# Token request without PKCE should fail
token_params = {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
@@ -534,6 +528,176 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
assert_response :bad_request
error = JSON.parse(@response.body)
assert_equal "invalid_request", error["error"]
assert_match /PKCE is required/, error["error_description"]
assert_match(/PKCE is required/, error["error_description"])
end
# ====================
# AUTH_TIME CLAIM TESTS
# ====================
test "ID token includes auth_time claim from authorization code" do
# Create consent
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
granted_at: Time.current,
sid: "test-sid-auth-time"
)
# Generate valid PKCE pair
code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
code_challenge = Digest::SHA256.base64digest(code_verifier)
.tr("+/", "-_")
.tr("=", "")
# Get the expected auth_time from the session's created_at
expected_auth_time = Current.session.created_at.to_i
# Create authorization code with auth_time
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
code_challenge_method: "S256",
auth_time: expected_auth_time,
expires_at: 10.minutes.from_now
)
token_params = {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: code_verifier
}
post "/oauth/token", params: token_params, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@application.client_secret}")
}
assert_response :success
tokens = JSON.parse(@response.body)
assert tokens.key?("id_token")
# Decode and verify auth_time is present and matches what we stored
decoded = JWT.decode(tokens["id_token"], nil, false).first
assert_includes decoded.keys, "auth_time", "ID token should include auth_time"
assert_equal expected_auth_time, decoded["auth_time"], "auth_time should match authorization code"
end
test "ID token includes auth_time in refresh token flow" do
# Create consent
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile offline_access",
granted_at: Time.current,
sid: "test-sid-refresh-auth-time"
)
# Get the expected auth_time from the session's created_at
expected_auth_time = Current.session.created_at.to_i
# Create initial access and refresh tokens with auth_time
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile offline_access",
code_challenge: nil,
code_challenge_method: nil,
auth_time: expected_auth_time,
expires_at: 10.minutes.from_now
)
# Update application to not require PKCE for testing
@application.update!(require_pkce: false)
token_params = {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback"
}
post "/oauth/token", params: token_params, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@application.client_secret}")
}
assert_response :success
tokens = JSON.parse(@response.body)
refresh_token = tokens["refresh_token"]
# Now use the refresh token
refresh_params = {
grant_type: "refresh_token",
refresh_token: refresh_token
}
post "/oauth/token", params: refresh_params, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@application.client_secret}")
}
assert_response :success
new_tokens = JSON.parse(@response.body)
assert new_tokens.key?("id_token")
# Decode and verify auth_time is preserved from original authorization
decoded = JWT.decode(new_tokens["id_token"], nil, false).first
assert_includes decoded.keys, "auth_time", "Refreshed ID token should include auth_time"
assert_equal expected_auth_time, decoded["auth_time"], "auth_time should match original authorization code"
end
test "at_hash is correctly computed and included in ID token" do
# Create consent
OidcUserConsent.create!(
user: @user,
application: @application,
scopes_granted: "openid profile",
granted_at: Time.current,
sid: "test-sid-at-hash"
)
# Generate valid PKCE pair
code_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
code_challenge = Digest::SHA256.base64digest(code_verifier)
.tr("+/", "-_")
.tr("=", "")
# Create authorization code
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
code_challenge_method: "S256",
expires_at: 10.minutes.from_now
)
token_params = {
grant_type: "authorization_code",
code: auth_code.plaintext_code,
redirect_uri: "http://localhost:4000/callback",
code_verifier: code_verifier
}
post "/oauth/token", params: token_params, headers: {
"Authorization" => "Basic " + Base64.strict_encode64("#{@application.client_id}:#{@application.client_secret}")
}
assert_response :success
tokens = JSON.parse(@response.body)
access_token = tokens["access_token"]
id_token = tokens["id_token"]
# Decode ID token
decoded = JWT.decode(id_token, nil, false).first
assert_includes decoded.keys, "at_hash", "ID token should include at_hash"
# Verify at_hash matches the access token hash
expected_hash = Base64.urlsafe_encode64(Digest::SHA256.digest(access_token)[0..15], padding: false)
assert_equal expected_hash, decoded["at_hash"], "at_hash should match SHA-256 hash of access token"
end
end

9
test/controllers/oidc_refresh_token_controller_test.rb
View File

@@ -15,7 +15,6 @@ class OidcRefreshTokenControllerTest < ActionDispatch::IntegrationTest
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: @application.parsed_redirect_uris.first,
scope: "openid profile email",
expires_at: 10.minutes.from_now
@@ -24,7 +23,7 @@ class OidcRefreshTokenControllerTest < ActionDispatch::IntegrationTest
# Exchange authorization code for tokens
post "/oauth/token", params: {
grant_type: "authorization_code",
code: auth_code.code,
code: auth_code.plaintext_code,
redirect_uri: @application.parsed_redirect_uris.first,
client_id: @application.client_id,
client_secret: @client_secret
@@ -229,7 +228,11 @@ class OidcRefreshTokenControllerTest < ActionDispatch::IntegrationTest
assert_response :success
json = JSON.parse(response.body)
assert_equal @user.id.to_s, json["sub"]
# Should return pairwise SID from consent (alice has consent for kavita_app in fixtures)
consent = OidcUserConsent.find_by(user: @user, application: @application)
expected_sub = consent&.sid || @user.id.to_s
assert_equal expected_sub, json["sub"]
assert_equal @user.email_address, json["email"]
end
end

269
test/controllers/oidc_userinfo_controller_test.rb Normal file
View File

@@ -0,0 +1,269 @@
require "test_helper"
class OidcUserinfoControllerTest < ActionDispatch::IntegrationTest
def setup
@user = users(:alice)
@application = applications(:kavita_app)
# Add user to a group for groups claim testing
@admin_group = groups(:admin_group)
@user.groups << @admin_group unless @user.groups.include?(@admin_group)
end
def teardown
# Clean up
OidcAccessToken.where(user: @user, application: @application).destroy_all
end
# ============================================================================
# HTTP Method Tests (GET and POST)
# ============================================================================
test "userinfo endpoint accepts GET requests" do
access_token = create_access_token("openid email profile")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
test "userinfo endpoint accepts POST requests" do
access_token = create_access_token("openid email profile")
post "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
test "userinfo endpoint accepts POST with access_token in body" do
access_token = create_access_token("openid email profile")
post "/oauth/userinfo", params: {
access_token: access_token.plaintext_token
}
assert_response :success
json = JSON.parse(response.body)
assert json["sub"].present?
end
# ============================================================================
# Scope-Based Claim Filtering Tests
# ============================================================================
test "userinfo with openid scope only returns minimal claims" do
access_token = create_access_token("openid")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?, "Should include sub claim"
# Scope-dependent claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["email_verified"], "Should not include email_verified without email scope"
assert_nil json["name"], "Should not include name without profile scope"
assert_nil json["preferred_username"], "Should not include preferred_username without profile scope"
assert_nil json["groups"], "Should not include groups without groups scope"
end
test "userinfo with email scope includes email claims" do
access_token = create_access_token("openid email")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Email claims should be present
assert_equal @user.email_address, json["email"], "Should include email with email scope"
assert_equal true, json["email_verified"], "Should include email_verified with email scope"
# Profile claims should NOT be present
assert_nil json["name"], "Should not include name without profile scope"
assert_nil json["preferred_username"], "Should not include preferred_username without profile scope"
end
test "userinfo with profile scope includes profile claims" do
access_token = create_access_token("openid profile")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Profile claims we support should be present
assert json["name"].present?, "Should include name with profile scope"
assert json["preferred_username"].present?, "Should include preferred_username with profile scope"
assert json["updated_at"].present?, "Should include updated_at with profile scope"
# Email claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["email_verified"], "Should not include email_verified without email scope"
end
test "userinfo with groups scope includes groups claim" do
access_token = create_access_token("openid groups")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# Required claims
assert json["sub"].present?
# Groups claim should be present
assert json["groups"].present?, "Should include groups with groups scope"
assert_includes json["groups"], "Administrators", "Should include user's groups"
# Email and profile claims should NOT be present
assert_nil json["email"], "Should not include email without email scope"
assert_nil json["name"], "Should not include name without profile scope"
end
test "userinfo with multiple scopes includes all requested claims" do
access_token = create_access_token("openid email profile groups")
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
# All scope-based claims should be present
assert json["sub"].present?
assert json["email"].present?, "Should include email"
assert json["email_verified"].present?, "Should include email_verified"
assert json["name"].present?, "Should include name"
assert json["preferred_username"].present?, "Should include preferred_username"
assert json["groups"].present?, "Should include groups"
end
test "userinfo returns same filtered claims for GET and POST" do
access_token = create_access_token("openid email")
# GET request
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
get_json = JSON.parse(response.body)
# POST request
post "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
post_json = JSON.parse(response.body)
# Both should return the same claims
assert_equal get_json, post_json, "GET and POST should return identical claims"
end
# ============================================================================
# Authentication Tests
# ============================================================================
test "userinfo endpoint requires Bearer token" do
get "/oauth/userinfo"
assert_response :unauthorized
end
test "userinfo endpoint rejects invalid token" do
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer invalid_token_12345"
}
assert_response :unauthorized
end
test "userinfo endpoint rejects expired token" do
access_token = create_access_token("openid email profile")
# Expire the token
access_token.update!(expires_at: 1.hour.ago)
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :unauthorized
end
test "userinfo endpoint rejects revoked token" do
access_token = create_access_token("openid email profile")
# Revoke the token
access_token.revoke!
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :unauthorized
end
# ============================================================================
# Pairwise Subject Identifier Test
# ============================================================================
test "userinfo returns pairwise SID when consent exists" do
access_token = create_access_token("openid")
# Find existing consent or create new one (ensure it has a SID)
consent = OidcUserConsent.find_or_initialize_by(
user: @user,
application: @application
)
consent.scopes_granted ||= "openid"
consent.save!
# Reload to get the auto-generated SID
consent.reload
get "/oauth/userinfo", headers: {
"Authorization" => "Bearer #{access_token.plaintext_token}"
}
assert_response :success
json = JSON.parse(response.body)
assert_equal consent.sid, json["sub"], "Should use pairwise SID from consent"
assert consent.sid.present?, "Consent should have a SID"
end
private
def create_access_token(scope)
OidcAccessToken.create!(
application: @application,
user: @user,
scope: scope
)
end
end

1
test/controllers/passwords_controller_test.rb
View File

@@ -61,6 +61,7 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
end
private
def assert_notice(text)
assert_select "div", /#{text}/
end

6
test/controllers/totp_security_test.rb
View File

@@ -91,13 +91,13 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
# Generate backup codes
user.totp_secret = ROTP::Base32.random
backup_codes = user.send(:generate_backup_codes) # Call private method
user.send(:generate_backup_codes) # Call private method
user.save!
# Check that stored codes are BCrypt hashes (start with $2a$)
# backup_codes is already an Array (JSON column), no need to parse
user.backup_codes.each do |code|
assert_match /^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed"
assert_match(/^\$2[aby]\$/, code, "Backup codes should be BCrypt hashed")
end
user.destroy
@@ -145,7 +145,7 @@ class TotpSecurityTest < ActionDispatch::IntegrationTest
# Verify the TOTP secret exists (sanity check)
assert user.totp_secret.present?
totp_secret = user.totp_secret
user.totp_secret
# Sign in with TOTP
post signin_path, params: {email_address: "totp_secret_test@example.com", password: "password123"}

19
test/fixtures/oidc_access_tokens.yml vendored
View File

@@ -1,16 +1,27 @@
# Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
<%
# Generate a random token and compute HMAC
def generate_token_hmac
token = SecureRandom.urlsafe_base64(48)
hmac_key = Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
hmac = OpenSSL::HMAC.hexdigest('SHA256', hmac_key, token)
[token, hmac]
end
token_one, hmac_one = generate_token_hmac
token_two, hmac_two = generate_token_hmac
%>
one:
token_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
token_prefix: <%= SecureRandom.urlsafe_base64(8)[0..7] %>
token_hmac: <%= hmac_one %>
application: kavita_app
user: alice
scope: "openid profile email"
expires_at: 2025-12-31 23:59:59
two:
token_digest: <%= BCrypt::Password.create(SecureRandom.urlsafe_base64(48)) %>
token_prefix: <%= SecureRandom.urlsafe_base64(8)[0..7] %>
token_hmac: <%= hmac_two %>
application: another_app
user: bob
scope: "openid profile email"

17
test/fixtures/oidc_authorization_codes.yml vendored
View File

@@ -1,7 +1,20 @@
# Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
<%
# Generate a random code and compute HMAC
def generate_code_hmac
code = SecureRandom.urlsafe_base64(32)
hmac_key = Rails.application.key_generator.generate_key('oidc_token_prefix', 32)
hmac = OpenSSL::HMAC.hexdigest('SHA256', hmac_key, code)
[code, hmac]
end
code_one, hmac_one = generate_code_hmac
code_two, hmac_two = generate_code_hmac
%>
one:
code: <%= SecureRandom.urlsafe_base64(32) %>
code_hmac: <%= hmac_one %>
application: kavita_app
user: alice
redirect_uri: "https://kavita.example.com/signin-oidc"
@@ -10,7 +23,7 @@ one:
used: false
two:
code: <%= SecureRandom.urlsafe_base64(32) %>
code_hmac: <%= hmac_two %>
application: another_app
user: bob
redirect_uri: "https://app.example.com/auth/callback"

2
test/fixtures/oidc_user_consents.yml vendored
View File

@@ -5,9 +5,11 @@ alice_consent:
application: kavita_app
scopes_granted: openid profile email
granted_at: 2025-10-24 16:57:39
sid: alice-kavita-sid-12345
bob_consent:
user: bob
application: another_app
scopes_granted: openid email groups
granted_at: 2025-10-24 16:57:39
sid: bob-another-sid-67890

145
test/system/forward_auth_system_test.rb → test/integration/forward_auth_advanced_test.rb
View File

@@ -1,8 +1,7 @@
require "test_helper"
class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
driven_by :rack_test
# Advanced integration tests for Forward Auth API
class ForwardAuthAdvancedTest < ActionDispatch::IntegrationTest
setup do
@user = users(:one)
@admin_user = users(:two)
@@ -13,7 +12,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# End-to-End Authentication Flow Tests
test "complete forward auth flow with default headers" do
# Create an application with default headers
rule = Application.create!(name: "App", slug: "app-system-test", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
Application.create!(name: "App", slug: "app-system-test", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
# Step 1: Unauthenticated request to protected resource
get "/api/verify", headers: {
@@ -24,7 +23,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
assert_response 302
location = response.location
assert_match %r{/signin}, location
assert_match %r{rd=https://app.example.com/dashboard}, location
assert_match %r{rd=https%3A%2F%2Fapp\.example\.com%2Fdashboard}, location
# Step 2: Extract return URL from session
assert_equal "https://app.example.com/dashboard", session[:return_to_after_authenticating]
@@ -33,7 +32,10 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
post "/signin", params: {email_address: @user.email_address, password: "password"}
assert_response 302
assert_redirected_to "https://app.example.com/dashboard"
redirect_uri = URI.parse(response.location)
assert_equal "https", redirect_uri.scheme
assert_equal "app.example.com", redirect_uri.host
assert_equal "/dashboard", redirect_uri.path
# Step 4: Authenticated request to protected resource
get "/api/verify", headers: {"X-Forwarded-Host" => "app.example.com"}
@@ -46,14 +48,14 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "multiple domain access with single session" do
# Create applications for different domains
app_rule = Application.create!(name: "App Domain", slug: "app-domain", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
grafana_rule = Application.create!(
Application.create!(name: "App Domain", slug: "app-domain", app_type: "forward_auth", domain_pattern: "app.example.com", active: true)
Application.create!(
name: "Grafana", slug: "grafana-system-test", app_type: "forward_auth",
domain_pattern: "grafana.example.com",
active: true,
headers_config: {user: "X-WEBAUTH-USER", email: "X-WEBAUTH-EMAIL"}
)
metube_rule = Application.create!(
Application.create!(
name: "Metube", slug: "metube-system-test", app_type: "forward_auth",
domain_pattern: "metube.example.com",
active: true,
@@ -126,7 +128,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
test "bypass mode when no groups assigned to rule" do
# Create bypass application (no groups)
bypass_rule = Application.create!(
Application.create!(
name: "Public", slug: "public-system-test", app_type: "forward_auth",
domain_pattern: "public.example.com",
active: true
@@ -146,40 +148,17 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
end
# Security System Tests
test "session security and isolation" do
# User A signs in
post "/signin", params: { email_address: @user.email_address, password: "password" }
user_a_session = cookies[:session_id]
# User B signs in
delete "/session"
post "/signin", params: { email_address: @admin_user.email_address, password: "password" }
user_b_session = cookies[:session_id]
# User A should still be able to access resources
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"Cookie" => "_clinch_session_id=#{user_a_session}"
}
assert_response 200
assert_equal @user.email_address, response.headers["x-remote-user"]
# User B should be able to access resources
get "/api/verify", headers: {
"X-Forwarded-Host" => "test.example.com",
"Cookie" => "_clinch_session_id=#{user_b_session}"
}
assert_response 200
assert_equal @admin_user.email_address, response.headers["x-remote-user"]
# Sessions should be independent
assert_not_equal user_a_session, user_b_session
end
test "session expiration and cleanup" do
# Create test application
Application.create!(
name: "Test", slug: "test-system-test", app_type: "forward_auth",
domain_pattern: "test.example.com",
active: true
)
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_id = cookies[:session_id]
session_id = Session.last.id
# Should work initially
get "/api/verify", headers: {"X-Forwarded-Host" => "test.example.com"}
@@ -199,42 +178,42 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
end
test "concurrent access with rate limiting considerations" do
# Create wildcard application
Application.create!(
name: "Wildcard", slug: "wildcard-test", app_type: "forward_auth",
domain_pattern: "*.example.com",
active: true
)
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_cookie = cookies[:session_id]
# Simulate multiple concurrent requests from different IPs
threads = []
# Make multiple sequential requests (threads don't work in integration tests)
results = []
10.times do |i|
threads << Thread.new do
start_time = Time.current
get "/api/verify", headers: {
"X-Forwarded-Host" => "app#{i}.example.com",
"X-Forwarded-For" => "192.168.1.#{100 + i}",
"Cookie" => "_clinch_session_id=#{session_cookie}"
"X-Forwarded-For" => "192.168.1.#{100 + i}"
}
end_time = Time.current
results << {
thread_id: i,
request_id: i,
status: response.status,
user: response.headers["x-remote-user"],
duration: end_time - start_time
}
end
end
threads.each(&:join)
# All requests should succeed
results.each do |result|
assert_equal 200, result[:status], "Thread #{result[:thread_id]} failed"
assert_equal @user.email_address, result[:user], "Thread #{result[:thread_id]} has wrong user"
assert result[:duration] < 1.0, "Thread #{result[:thread_id]} was too slow"
assert_equal 200, result[:status], "Request #{result[:request_id]} failed"
assert_equal @user.email_address, result[:user], "Request #{result[:request_id]} has wrong user"
assert result[:duration] < 1.0, "Request #{result[:request_id]} was too slow"
end
end
@@ -260,7 +239,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
]
# Create applications for each app
rules = apps.map.with_index do |app, idx|
apps.map.with_index do |app, idx|
rule = Application.create!(
name: "Multi App #{idx}", slug: "multi-app-#{idx}", app_type: "forward_auth",
domain_pattern: app[:domain],
@@ -285,28 +264,29 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# Verify headers are correct
if app[:headers_config][:user].present?
assert_equal app[:headers_config][:user],
response.headers.keys.find { |k| k.include?("USER") },
"Wrong user header for #{app[:domain]}"
assert_equal @user.email_address, response.headers[app[:headers_config][:user]]
assert response.headers.key?(app[:headers_config][:user]),
"Missing header #{app[:headers_config][:user]} for #{app[:domain]}"
assert_equal @user.email_address, response.headers[app[:headers_config][:user]],
"Wrong user value in #{app[:headers_config][:user]} for #{app[:domain]}"
else
# Should have no auth headers
auth_headers = response.headers.select { |k, v| k.match?(/^(X-|Remote-)/i) }
assert_empty auth_headers, "Should have no headers for #{app[:domain]}"
auth_headers = response.headers.select { |k, v| k.match?(/^(x-remote-|x-webauth-|x-admin-)/i) }
assert_empty auth_headers, "Should have no headers for #{app[:domain]}, got: #{auth_headers.keys.join(", ")}"
end
end
end
test "domain pattern edge cases" do
# Test various domain patterns
# Note: * matches one level only (no dots), so *.example.com matches app.example.com but not sub.app.example.com
patterns = [
{ pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "sub.app.example.com"] },
{pattern: "*.example.com", domains: ["app.example.com", "api.example.com", "grafana.example.com"]},
{pattern: "api.*.com", domains: ["api.example.com", "api.test.com"]},
{pattern: "*.*.example.com", domains: ["app.dev.example.com", "api.staging.example.com"]}
]
patterns.each_with_index do |pattern_config, idx|
rule = Application.create!(
Application.create!(
name: "Pattern Test #{idx}", slug: "pattern-test-#{idx}", app_type: "forward_auth",
domain_pattern: pattern_config[:pattern],
active: true
@@ -329,12 +309,11 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
# Performance System Tests
test "system performance under load" do
# Create test application
rule = Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "loadtest.example.com", active: true)
# Create test application with wildcard pattern
Application.create!(name: "Load Test", slug: "loadtest", app_type: "forward_auth", domain_pattern: "*.loadtest.example.com", active: true)
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
session_cookie = cookies[:session_id]
# Performance test
start_time = Time.current
@@ -345,8 +324,7 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
request_start = Time.current
get "/api/verify", headers: {
"X-Forwarded-Host" => "app#{i}.loadtest.example.com",
"Cookie" => "_clinch_session_id=#{session_cookie}"
"X-Forwarded-Host" => "app#{i}.loadtest.example.com"
}
request_end = Time.current
@@ -370,35 +348,4 @@ class ForwardAuthSystemTest < ActionDispatch::SystemTestCase
rps = request_count / total_time
assert rps > 10, "Requests per second #{rps} is too low"
end
# Error Recovery System Tests
test "graceful degradation with database issues" do
# Sign in first
post "/signin", params: { email_address: @user.email_address, password: "password" }
assert_response 302
# Simulate database connection issue by mocking
original_method = Session.method(:find_by)
# Mock database failure
Session.define_singleton_method(:find_by) do |id|
raise ActiveRecord::ConnectionNotEstablished, "Database connection lost"
end
begin
# Request should handle the error gracefully
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
# Should return 302 (redirect to login) rather than 500 error
assert_response 302, "Should gracefully handle database issues"
assert_equal "Invalid session", response.headers["x-auth-reason"]
ensure
# Restore original method
Session.define_singleton_method(:find_by, original_method)
end
# Normal operation should still work
get "/api/verify", headers: { "X-Forwarded-Host" => "test.example.com" }
assert_response 200
end
end

13
test/integration/forward_auth_integration_test.rb
View File

@@ -56,8 +56,8 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Domain and Rule Integration Tests
test "different domain patterns with same session" do
# Create test rules
wildcard_rule = Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
exact_rule = Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
Application.create!(name: "Wildcard App", slug: "wildcard-app", app_type: "forward_auth", domain_pattern: "*.example.com", active: true)
Application.create!(name: "Exact App", slug: "exact-app", app_type: "forward_auth", domain_pattern: "api.example.com", active: true)
# Sign in
post "/signin", params: {email_address: @user.email_address, password: "password"}
@@ -103,14 +103,14 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
# Header Configuration Integration Tests
test "different header configurations with same user" do
# Create applications with different configs
default_rule = Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
custom_rule = Application.create!(
Application.create!(name: "Default App", slug: "default-app", app_type: "forward_auth", domain_pattern: "default.example.com", active: true)
Application.create!(
name: "Custom App", slug: "custom-app", app_type: "forward_auth",
domain_pattern: "custom.example.com",
active: true,
headers_config: {user: "X-WEBAUTH-USER", groups: "X-WEBAUTH-ROLES"}
)
no_headers_rule = Application.create!(
Application.create!(
name: "No Headers App", slug: "no-headers-app", app_type: "forward_auth",
domain_pattern: "noheaders.example.com",
active: true,
@@ -194,7 +194,7 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
admin_user = users(:two)
# Create restricted rule
admin_rule = Application.create!(
Application.create!(
name: "Admin App", slug: "admin-app", app_type: "forward_auth",
domain_pattern: "admin.example.com",
active: true,
@@ -245,5 +245,4 @@ class ForwardAuthIntegrationTest < ActionDispatch::IntegrationTest
assert Session.exists?(user_a_session_id), "User A's session should still exist"
assert Session.exists?(user_b_session_id), "User B's session should still exist"
end
end

2
test/integration/invitation_flow_test.rb
View File

@@ -94,7 +94,7 @@ class InvitationFlowTest < ActionDispatch::IntegrationTest
end
test "expired invitation token flow" do
user = User.create!(
User.create!(
email_address: "expired@example.com",
password: "temppassword",
status: :pending_invitation

12
test/integration/session_security_test.rb
View File

@@ -92,21 +92,21 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "concurrent_session_test@example.com", password: "password123")
# Create multiple sessions from different devices
session1 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.1",
user_agent: "Mozilla/5.0 (Windows)",
device_name: "Windows PC",
last_activity_at: Time.current
)
session2 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.2",
user_agent: "Mozilla/5.0 (iPhone)",
device_name: "iPhone",
last_activity_at: Time.current
)
session3 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.3",
user_agent: "Mozilla/5.0 (Macintosh)",
device_name: "MacBook",
@@ -157,14 +157,14 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
user = User.create!(email_address: "logout_test@example.com", password: "password123")
# Create multiple sessions
session1 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.1",
user_agent: "Mozilla/5.0 (Windows)",
device_name: "Windows PC",
last_activity_at: Time.current
)
session2 = user.sessions.create!(
user.sessions.create!(
ip_address: "192.168.1.2",
user_agent: "Mozilla/5.0 (iPhone)",
device_name: "iPhone",
@@ -204,7 +204,7 @@ class SessionSecurityTest < ActionDispatch::IntegrationTest
)
# Create consent with backchannel logout enabled
consent = OidcUserConsent.create!(
OidcUserConsent.create!(
user: user,
application: application,
scopes_granted: "openid profile",

107
test/integration/webauthn_credential_enumeration_test.rb Normal file
View File

@@ -0,0 +1,107 @@
require "test_helper"
class WebauthnCredentialEnumerationTest < ActionDispatch::IntegrationTest
# ====================
# CREDENTIAL ENUMERATION PREVENTION TESTS
# ====================
test "prevents credential enumeration via delete endpoint" do
user1 = User.create!(email_address: "user1@example.com", password: "password123")
user2 = User.create!(email_address: "user2@example.com", password: "password123")
# Create a credential for user1
user1.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("user1_credential"),
public_key: Base64.urlsafe_encode64("public_key_1"),
sign_count: 0,
nickname: "User1 Key",
authenticator_type: "platform"
)
# Create a credential for user2
credential2 = user2.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("user2_credential"),
public_key: Base64.urlsafe_encode64("public_key_2"),
sign_count: 0,
nickname: "User2 Key",
authenticator_type: "platform"
)
# Sign in as user1
post signin_path, params: {email_address: "user1@example.com", password: "password123"}
assert_response :redirect
follow_redirect!
# Try to delete user2's credential while authenticated as user1
# This should return 404 (not 403) to prevent enumeration
delete webauthn_credential_path(credential2.id), as: :json
assert_response :not_found
assert_includes JSON.parse(@response.body)["error"], "not found"
# Verify both credentials still exist
assert_equal 1, user1.webauthn_credentials.count
assert_equal 1, user2.webauthn_credentials.count
# Verify trying to delete a non-existent credential also returns 404
# This confirms identical responses for enumeration prevention
delete webauthn_credential_path(99999), as: :json
assert_response :not_found
assert_includes JSON.parse(@response.body)["error"], "not found"
user1.destroy
user2.destroy
end
test "allows users to delete their own credentials" do
user = User.create!(email_address: "user@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("user_credential"),
public_key: Base64.urlsafe_encode64("public_key"),
sign_count: 0,
nickname: "My Key",
authenticator_type: "platform"
)
# Sign in
post signin_path, params: {email_address: "user@example.com", password: "password123"}
assert_response :redirect
follow_redirect!
# Delete own credential - should succeed
assert_difference "user.webauthn_credentials.count", -1 do
delete webauthn_credential_path(credential.id), as: :json
end
assert_response :success
assert_includes JSON.parse(@response.body)["message"], "has been removed"
user.destroy
end
test "unauthenticated user cannot delete credentials" do
user = User.create!(email_address: "user@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("user_credential"),
public_key: Base64.urlsafe_encode64("public_key"),
sign_count: 0,
nickname: "My Key",
authenticator_type: "platform"
)
# Try to delete without authentication
delete webauthn_credential_path(credential.id), as: :json
# Should get redirect to signin (require_authentication before_action runs first)
assert_response :redirect
assert_redirected_to signin_path
# Verify credential still exists
assert_equal 1, user.webauthn_credentials.count
user.destroy
end
end

91
test/system/webauthn_security_test.rb → test/integration/webauthn_security_test.rb
View File

@@ -1,7 +1,9 @@
require "test_helper"
require "webauthn/fake_client"
class WebauthnSecurityTest < ActionDispatch::SystemTestCase
# Note: This file tests API endpoints directly (post/get/assert_response)
# so it should use IntegrationTest, not SystemTestCase
class WebauthnSecurityTest < ActionDispatch::IntegrationTest
# ====================
# REPLAY ATTACK PREVENTION (SIGN COUNT TRACKING) TESTS
# ====================
@@ -52,45 +54,39 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
end
# ====================
# USER HANDLE BINDING TESTS
# USER HANDLE SECURITY TESTS
# ====================
test "user handle is properly bound to WebAuthn credential" do
user = User.create!(email_address: "webauthn_handle_test@example.com", password: "password123")
test "WebAuthn challenge includes authenticated user's handle (not another user's)" do
# Create two users
user_a = User.create!(email_address: "usera@example.com", password: "password123")
user_b = User.create!(email_address: "userb@example.com", password: "password123")
# Create a WebAuthn credential with user handle
user_handle = SecureRandom.uuid
credential = user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
nickname: "Test Key",
user_handle: user_handle
)
# Generate handles for both users
handle_a = user_a.webauthn_user_handle
handle_b = user_b.webauthn_user_handle
# Verify user handle is associated with the credential
assert_equal user_handle, credential.user_handle
# Sign in as User A
post signin_path, params: {email_address: user_a.email_address, password: "password123"}
assert_response :redirect
user.destroy
end
# Request WebAuthn challenge (for registration)
post webauthn_challenge_path, params: {email: user_a.email_address}
assert_response :success
test "WebAuthn authentication validates user handle" do
user = User.create!(email_address: "webauthn_handle_auth_test@example.com", password: "password123")
# Parse the JSON response
challenge_data = JSON.parse(response.body)
user_handle = SecureRandom.uuid
credential = user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
nickname: "Test Key",
user_handle: user_handle
)
# SECURITY: Verify challenge includes User A's handle
assert challenge_data.key?("user")
assert_equal handle_a, challenge_data["user"]["id"], "Challenge should include authenticated user's handle"
assert_equal user_a.email_address, challenge_data["user"]["name"]
# Sign in with WebAuthn
# The implementation should verify the user handle matches
# This test documents the expected behavior
# SECURITY: Verify challenge does NOT include User B's handle
assert_not_equal handle_b, challenge_data["user"]["id"], "Challenge should NOT include another user's handle"
user.destroy
user_a.destroy
user_b.destroy
end
# ====================
@@ -99,7 +95,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn request validates origin" do
user = User.create!(email_address: "webauthn_origin_test@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -108,13 +104,13 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
# Test WebAuthn challenge from valid origin
post webauthn_challenge_path, params: {email: "webauthn_origin_test@example.com"},
headers: { "HTTP_ORIGIN": "http://localhost:3000" }
headers: {HTTP_ORIGIN: "http://localhost:3000"}
# Should succeed for valid origin
# Test WebAuthn challenge from invalid origin
post webauthn_challenge_path, params: {email: "webauthn_origin_test@example.com"},
headers: { "HTTP_ORIGIN": "http://evil.com" }
headers: {HTTP_ORIGIN: "http://evil.com"}
# Should reject invalid origin
@@ -125,18 +121,21 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_verify_origin_test@example.com", password: "password123")
user.update!(webauthn_id: SecureRandom.uuid)
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
nickname: "Test Key"
)
# Sign in with WebAuthn
# Sign in first
post signin_path, params: {email_address: user.email_address, password: "password123"}
# Get WebAuthn challenge
post webauthn_challenge_path, params: {email: "webauthn_verify_origin_test@example.com"}
assert_response :success
challenge = JSON.parse(@response.body)["challenge"]
JSON.parse(@response.body)["challenge"]
# Simulate WebAuthn verification with wrong origin
# This should fail
@@ -155,7 +154,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
# Standard attestation formats: none, packed, tpm, android-key, android-safetynet, fido-u2f, etc.
# Test with 'none' attestation (most common for privacy)
attestation_object = {
{
fmt: "none",
attStmt: {},
authData: Base64.strict_encode64("fake_auth_data")
@@ -170,7 +169,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
user = User.create!(email_address: "webauthn_invalid_attestation_test@example.com", password: "password123")
# Try to register with invalid attestation format
invalid_attestation = {
{
fmt: "invalid_format",
attStmt: {},
authData: Base64.strict_encode64("fake_auth_data")
@@ -228,8 +227,8 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
)
credential.reload
assert_equal "192.168.1.100", credential.last_ip_address
assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.last_user_agent
assert_equal "192.168.1.100", credential.last_used_ip
assert_equal "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", credential.user_agent
user.destroy
end
@@ -263,7 +262,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn requires user presence for authentication" do
user = User.create!(email_address: "webauthn_presence_test@example.com", password: "password123")
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("fake_credential_id"),
public_key: Base64.urlsafe_encode64("fake_public_key"),
sign_count: 0,
@@ -291,7 +290,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
nickname: "USB Key"
)
credential2 = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("credential_2"),
public_key: Base64.urlsafe_encode64("public_key_2"),
sign_count: 0,
@@ -314,7 +313,7 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn can be required for authentication" do
user = User.create!(email_address: "webauthn_required_test@example.com", password: "password123")
user.update!(webauthn_enabled: true)
user.update!(webauthn_required: true)
# Sign in with password should still work
post signin_path, params: {email_address: "webauthn_required_test@example.com", password: "password123"}
@@ -327,9 +326,9 @@ class WebauthnSecurityTest < ActionDispatch::SystemTestCase
test "WebAuthn can be used for passwordless authentication" do
user = User.create!(email_address: "webauthn_passwordless_test@example.com", password: "password123")
user.update!(webauthn_enabled: true)
user.update!(webauthn_required: true)
credential = user.webauthn_credentials.create!(
user.webauthn_credentials.create!(
external_id: Base64.urlsafe_encode64("passwordless_credential"),
public_key: Base64.urlsafe_encode64("public_key"),
sign_count: 0,

2
test/jobs/application_job_test.rb
View File

@@ -77,7 +77,7 @@ class ApplicationJobTest < ActiveJob::TestCase
args = enqueued_jobs.last[:args]
if args.is_a?(Array) && args.first.is_a?(Hash)
# GlobalID serialization format
assert_equal user.to_global_id.to_s, args.first['_aj_globalid']
assert_equal user.to_global_id.to_s, args.first["_aj_globalid"]
else
# Direct object serialization
assert_equal user.id, args.first.id

2
test/jobs/passwords_mailer_test.rb
View File

@@ -166,7 +166,7 @@ class PasswordsMailerTest < ActionMailer::TestCase
# Should not include sensitive data in headers (except Subject which legitimately mentions password)
email.header.fields.each do |field|
next if field.name =~ /^subject$/i
next if /^subject$/i.match?(field.name)
# Check for actual tokens (not just the word "token" which is common in emails)
refute_includes field.value.to_s.downcase, "password"
end

12
test/models/application_user_claim_test.rb
View File

@@ -10,7 +10,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "admin" }
custom_claims: {role: "admin"}
)
assert claim.valid?
assert claim.save
@@ -20,13 +20,13 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
ApplicationUserClaim.create!(
user: @user,
application: @application,
custom_claims: { "role": "admin" }
custom_claims: {role: "admin"}
)
duplicate = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "user" }
custom_claims: {role: "user"}
)
assert_not duplicate.valid?
@@ -37,7 +37,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "role": "admin", "level": 5 }
custom_claims: {role: "admin", level: 5}
)
parsed = claim.parsed_custom_claims
@@ -59,7 +59,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "groups": ["admin"], "role": "user" }
custom_claims: {groups: ["admin"], role: "user"}
)
assert_not claim.valid?
@@ -70,7 +70,7 @@ class ApplicationUserClaimTest < ActiveSupport::TestCase
claim = ApplicationUserClaim.new(
user: @user,
application: @application,
custom_claims: { "kavita_groups": ["admin"], "role": "user" }
custom_claims: {kavita_groups: ["admin"], role: "user"}
)
assert claim.valid?

6
test/models/oidc_access_token_test.rb
View File

@@ -27,7 +27,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
assert_nil new_token.plaintext_token
assert new_token.save
assert_not_nil new_token.plaintext_token
assert_match /^[A-Za-z0-9_-]+$/, new_token.plaintext_token
assert_match(/^[A-Za-z0-9_-]+$/, new_token.plaintext_token)
end
test "should set expiry before validation on create" do
@@ -144,7 +144,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
# All tokens should match the expected pattern
tokens.each do |token|
assert_match /^[A-Za-z0-9_-]+$/, token
assert_match(/^[A-Za-z0-9_-]+$/, token)
# Base64 token length may vary due to padding, just ensure it's reasonable
assert token.length >= 43, "Token should be at least 43 characters"
assert token.length <= 64, "Token should not exceed 64 characters"
@@ -163,7 +163,7 @@ class OidcAccessTokenTest < ActiveSupport::TestCase
user: users(:alice)
)
assert access_token.plaintext_token.length > auth_code.code.length,
assert access_token.plaintext_token.length > auth_code.plaintext_code.length,
"Access tokens should be longer than authorization codes"
end

26
test/models/oidc_authorization_code_test.rb
View File

@@ -25,10 +25,10 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
user: users(:alice),
redirect_uri: "https://example.com/callback"
)
assert_nil new_code.code
assert_nil new_code.code_hmac
assert new_code.save
assert_not_nil new_code.code
assert_match /^[A-Za-z0-9_-]+$/, new_code.code
assert_not_nil new_code.code_hmac
assert_match(/^[a-f0-9]{64}$/, new_code.code_hmac) # SHA256 hex digest
end
test "should set expiry before validation on create" do
@@ -44,22 +44,22 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
assert new_code.expires_at <= 11.minutes.from_now # Allow some variance
end
test "should validate presence of code" do
@auth_code.code = nil
test "should validate presence of code_hmac" do
@auth_code.code_hmac = nil
assert_not @auth_code.valid?
assert_includes @auth_code.errors[:code], "can't be blank"
assert_includes @auth_code.errors[:code_hmac], "can't be blank"
end
test "should validate uniqueness of code" do
test "should validate uniqueness of code_hmac" do
@auth_code.save! if @auth_code.changed?
duplicate = OidcAuthorizationCode.new(
code: @auth_code.code,
code_hmac: @auth_code.code_hmac,
application: applications(:another_app),
user: users(:bob),
redirect_uri: "https://example.com/callback"
)
assert_not duplicate.valid?
assert_includes duplicate.errors[:code], "has already been taken"
assert_includes duplicate.errors[:code_hmac], "has already been taken"
end
test "should validate presence of redirect_uri" do
@@ -178,16 +178,16 @@ class OidcAuthorizationCodeTest < ActiveSupport::TestCase
user: users(:alice),
redirect_uri: "https://example.com/callback"
)
codes << code.code
codes << code.code_hmac
end
# All codes should be unique
assert_equal codes.length, codes.uniq.length
# All codes should match the expected pattern
# All codes should be SHA256 hex digests
codes.each do |code|
assert_match /^[A-Za-z0-9_-]+$/, code
assert_equal 43, code.length # Base64 padding removed
assert_match(/^[a-f0-9]{64}$/, code)
assert_equal 64, code.length # SHA256 hex digest
end
end
end

9
test/models/pkce_authorization_code_test.rb
View File

@@ -26,7 +26,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -46,7 +45,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: code_challenge,
@@ -63,7 +61,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.create!(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now
@@ -78,7 +75,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
@@ -93,7 +89,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
@@ -112,7 +107,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: valid_challenge,
@@ -130,7 +124,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: invalid_challenge,
@@ -149,7 +142,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
code_challenge: short_challenge,
@@ -165,7 +157,6 @@ class PkceAuthorizationCodeTest < ActiveSupport::TestCase
auth_code = OidcAuthorizationCode.new(
application: @application,
user: @user,
code: SecureRandom.urlsafe_base64(32),
redirect_uri: "http://localhost:4000/callback",
scope: "openid profile",
expires_at: 10.minutes.from_now

4
test/models/user_password_management_test.rb
View File

@@ -73,7 +73,7 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
assert_not authenticated_user.authenticate("WrongPassword"), "Should not authenticate with wrong password"
# Test password changes invalidate old sessions
old_password_digest = @user.password_digest
@user.password_digest
@user.password = "NewPassword123!"
@user.save!
@@ -102,7 +102,7 @@ class UserPasswordManagementTest < ActiveSupport::TestCase
assert new_user.password_digest.length > 50, "Password digest should be substantial"
# Test digest format (bcrypt hashes start with $2a$)
assert_match /^\$2a\$/, new_user.password_digest, "Password digest should be bcrypt format"
assert_match(/^\$2a\$/, new_user.password_digest, "Password digest should be bcrypt format")
# Test authentication against digest
authenticated_user = User.find(new_user.id)

35
test/models/user_test.rb
View File

@@ -33,7 +33,7 @@ class UserTest < ActiveSupport::TestCase
end
test "does not find user with invalid invitation token" do
user = User.create!(
User.create!(
email_address: "test@example.com",
password: "password123",
status: :pending_invitation
@@ -222,7 +222,7 @@ class UserTest < ActiveSupport::TestCase
# Should store 10 BCrypt hashes
assert_equal 10, stored_hashes.length
stored_hashes.each do |hash|
assert hash.start_with?('$2a$'), "Should be BCrypt hash"
assert hash.start_with?("$2a$"), "Should be BCrypt hash"
end
# Verify each plain code matches its corresponding hash
@@ -319,4 +319,35 @@ class UserTest < ActiveSupport::TestCase
# Note: parsed_backup_codes method and legacy tests removed
# All users now use BCrypt hashes stored in JSON column
# WebAuthn user handle tests
test "generates and persists unique webauthn user handle" do
user = User.create!(email_address: "webauthn_test@example.com", password: "password123")
# User should not have a webauthn_id initially
assert_nil user.webauthn_id
# Getting the user handle should generate and persist it
handle = user.webauthn_user_handle
assert_not_nil handle
assert_equal 86, handle.length # Base64-urlsafe-encoded 64 bytes (no padding)
# Reload and verify it was persisted
user.reload
assert_equal handle, user.webauthn_id
# Subsequent calls should return the same handle (stable)
assert_equal handle, user.webauthn_user_handle
end
test "webauthn user handles are unique across users" do
user1 = User.create!(email_address: "user1@example.com", password: "password123")
user2 = User.create!(email_address: "user2@example.com", password: "password123")
handle1 = user1.webauthn_user_handle
handle2 = user2.webauthn_user_handle
# Each user should get a unique handle
assert_not_equal handle1, handle2
end
end

272
test/services/oidc_jwt_service_test.rb
View File

@@ -57,22 +57,22 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
end
test "should generate id token with required claims" do
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid email profile")
assert_not_nil token, "Should generate token"
assert token.length > 100, "Token should be substantial"
assert token.include?('.')
assert token.include?(".")
# Decode without verification for testing the payload
decoded = JWT.decode(token, nil, false).first
assert_equal @application.client_id, decoded['aud'], "Should have correct audience"
assert_equal @user.id.to_s, decoded['sub'], "Should have correct subject"
assert_equal @user.email_address, decoded['email'], "Should have correct email"
assert_equal true, decoded['email_verified'], "Should have email verified"
assert_equal @user.email_address, decoded['preferred_username'], "Should have preferred username"
assert_equal @user.email_address, decoded['name'], "Should have name"
assert_equal @service.issuer_url, decoded['iss'], "Should have correct issuer"
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration"
assert_equal @application.client_id, decoded["aud"], "Should have correct audience"
assert_equal @user.id.to_s, decoded["sub"], "Should have correct subject"
assert_equal @user.email_address, decoded["email"], "Should have correct email"
assert_equal true, decoded["email_verified"], "Should have email verified"
assert_equal @user.email_address, decoded["preferred_username"], "Should have preferred username"
assert_equal @user.email_address, decoded["name"], "Should have name"
assert_equal @service.issuer_url, decoded["iss"], "Should have correct issuer"
assert_in_delta Time.current.to_i + 3600, decoded["exp"], 5, "Should have correct expiration"
end
test "should handle nonce in id token" do
@@ -80,18 +80,18 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
token = @service.generate_id_token(@user, @application, nonce: nonce)
decoded = JWT.decode(token, nil, false).first
assert_equal nonce, decoded['nonce'], "Should preserve nonce in token"
assert_in_delta Time.current.to_i + 3600, decoded['exp'], 5, "Should have correct expiration with nonce"
assert_equal nonce, decoded["nonce"], "Should preserve nonce in token"
assert_in_delta Time.current.to_i + 3600, decoded["exp"], 5, "Should have correct expiration with nonce"
end
test "should include groups in token when user has groups" do
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
assert_includes decoded['groups'], "Administrators", "Should include user's groups"
assert_includes decoded["groups"], "Administrators", "Should include user's groups"
end
test "admin claim should not be included in token" do
@@ -100,14 +100,14 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute decoded.key?('admin'), "Admin claim should not be included in ID tokens (use groups instead)"
refute decoded.key?("admin"), "Admin claim should not be included in ID tokens (use groups instead)"
end
test "should handle missing roles gracefully" do
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute_includes decoded, 'roles', "Should not have roles when not configured"
refute_includes decoded, "roles", "Should not have roles when not configured"
end
test "should load RSA private key from environment with escaped newlines" do
@@ -168,7 +168,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
OidcJwtService.send(:private_key)
end
assert_match /Invalid OIDC private key format/, error.message
assert_match(/Invalid OIDC private key format/, error.message)
ensure
# Restore original value and clear cached key
ENV["OIDC_PRIVATE_KEY"] = original_value
@@ -193,7 +193,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
OidcJwtService.send(:private_key)
end
assert_match /OIDC private key not configured/, error.message
assert_match(/OIDC private key not configured/, error.message)
ensure
# Restore original environment and clear cached key
ENV["OIDC_PRIVATE_KEY"] = original_value if original_value
@@ -214,9 +214,9 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
assert_not_nil decoded_array, "Should decode valid token"
decoded = decoded_array.first # JWT.decode returns an array
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
assert decoded['exp'] > Time.current.to_i, "Token should not be expired"
assert_equal @user.id.to_s, decoded["sub"], "Should decode subject correctly"
assert_equal @application.client_id, decoded["aud"], "Should decode audience correctly"
assert decoded["exp"] > Time.current.to_i, "Token should not be expired"
end
test "should reject invalid id tokens" do
@@ -248,13 +248,13 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
end
test "should handle access token generation" do
token = @service.generate_id_token(@user, @application)
token = @service.generate_id_token(@user, @application, scopes: "openid email")
decoded = JWT.decode(token, nil, false).first
# ID tokens always include email_verified
assert_includes decoded.keys, 'email_verified'
assert_equal @user.id.to_s, decoded['sub'], "Should decode subject correctly"
assert_equal @application.client_id, decoded['aud'], "Should decode audience correctly"
# ID tokens include email_verified when email scope is requested
assert_includes decoded.keys, "email_verified"
assert_equal @user.id.to_s, decoded["sub"], "Should decode subject correctly"
assert_equal @application.client_id, decoded["aud"], "Should decode audience correctly"
end
test "should validate JWT configuration" do
@@ -275,10 +275,10 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
ApplicationUserClaim.create!(
user: user,
application: app,
custom_claims: { "app_groups": ["admin"], "library_access": "all" }
custom_claims: {app_groups: ["admin"], library_access: "all"}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
assert_equal ["admin"], decoded["app_groups"]
@@ -292,20 +292,20 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# Add user to group with claims
group = groups(:admin_group)
group.update!(custom_claims: { "role": "viewer", "max_items": 10 })
group.update!(custom_claims: {role: "viewer", max_items: 10})
user.groups << group
# Add user custom claims
user.update!(custom_claims: { "role": "editor", "theme": "dark" })
user.update!(custom_claims: {role: "editor", theme: "dark"})
# Add app-specific claims (should override both)
ApplicationUserClaim.create!(
user: user,
application: app,
custom_claims: { "role": "admin", "app_specific": true }
custom_claims: {role: "admin", app_specific: true}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# App-specific claim should win
@@ -330,7 +330,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User adds roles: ["admin"]
user.update!(custom_claims: {"roles" => ["admin"], "permissions" => ["write"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Roles should be combined (not overwritten)
@@ -360,7 +360,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User adds roles: ["admin"]
user.update!(custom_claims: {"roles" => ["admin"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All roles should be combined
@@ -382,7 +382,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User also has "user" role (duplicate)
user.update!(custom_claims: {"roles" => ["user", "admin"]})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# "user" should only appear once
@@ -404,7 +404,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
# User overrides max_items and theme, adds to roles
user.update!(custom_claims: {"roles" => ["admin"], "max_items" => 100, "theme" => "dark"})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Arrays should be combined
@@ -438,7 +438,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
}
})
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# Nested hashes should be deep merged
@@ -467,7 +467,7 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
custom_claims: {"roles" => ["app_admin"]}
)
token = @service.generate_id_token(user, app)
token = @service.generate_id_token(user, app, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All three sources should be combined
@@ -495,4 +495,200 @@ class OidcJwtServiceTest < ActiveSupport::TestCase
decoded = JWT.decode(token, nil, false).first
refute_includes decoded.keys, "at_hash", "Should not include at_hash when no access token"
end
test "should include auth_time when provided" do
auth_time = Time.now.to_i - 300 # 5 minutes ago
token = @service.generate_id_token(@user, @application, auth_time: auth_time)
decoded = JWT.decode(token, nil, false).first
assert_includes decoded.keys, "auth_time", "Should include auth_time claim"
assert_equal auth_time, decoded["auth_time"], "auth_time should match provided value"
end
test "should not include auth_time when not provided" do
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute_includes decoded.keys, "auth_time", "Should not include auth_time when not provided"
end
test "auth_time should be included in both authorization code and refresh token flows" do
auth_time = Time.now.to_i - 600 # 10 minutes ago
access_token = "test-access-token"
# Authorization code flow (with nonce)
token_with_auth_code = @service.generate_id_token(
@user,
@application,
nonce: "test-nonce",
access_token: access_token,
auth_time: auth_time
)
# Refresh token flow (no nonce)
token_with_refresh = @service.generate_id_token(
@user,
@application,
access_token: access_token,
auth_time: auth_time
)
decoded_auth_code = JWT.decode(token_with_auth_code, nil, false).first
decoded_refresh = JWT.decode(token_with_refresh, nil, false).first
assert_equal auth_time, decoded_auth_code["auth_time"], "auth_time should be in authorization code flow"
assert_equal auth_time, decoded_refresh["auth_time"], "auth_time should be in refresh token flow"
end
test "should include acr when provided" do
token = @service.generate_id_token(@user, @application, acr: "2")
decoded = JWT.decode(token, nil, false).first
assert_includes decoded.keys, "acr", "Should include acr claim"
assert_equal "2", decoded["acr"], "acr should match provided value"
end
test "should not include acr when not provided" do
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
refute_includes decoded.keys, "acr", "Should not include acr when not provided"
end
test "should include azp (authorized party) with client_id" do
token = @service.generate_id_token(@user, @application)
decoded = JWT.decode(token, nil, false).first
assert_includes decoded.keys, "azp", "Should include azp claim"
assert_equal @application.client_id, decoded["azp"], "azp should be the application's client_id"
end
# Scope-based claim filtering tests (OIDC Core compliance)
test "openid scope only should include minimal required claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid")
decoded = JWT.decode(token, nil, false).first
# Required claims should always be present
assert_includes decoded.keys, "iss", "Should include issuer"
assert_includes decoded.keys, "sub", "Should include subject"
assert_includes decoded.keys, "aud", "Should include audience"
assert_includes decoded.keys, "exp", "Should include expiration"
assert_includes decoded.keys, "iat", "Should include issued at"
assert_includes decoded.keys, "azp", "Should include authorized party"
# Scope-dependent claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "email_verified", "Should not include email_verified without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
refute_includes decoded.keys, "preferred_username", "Should not include preferred_username without profile scope"
refute_includes decoded.keys, "groups", "Should not include groups without groups scope"
end
test "email scope should include email claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid email")
decoded = JWT.decode(token, nil, false).first
# Email claims should be present
assert_includes decoded.keys, "email", "Should include email with email scope"
assert_includes decoded.keys, "email_verified", "Should include email_verified with email scope"
assert_equal @user.email_address, decoded["email"]
assert_equal true, decoded["email_verified"]
# Profile claims should NOT be present
refute_includes decoded.keys, "name", "Should not include name without profile scope"
refute_includes decoded.keys, "preferred_username", "Should not include preferred_username without profile scope"
end
test "profile scope should include profile claims" do
token = @service.generate_id_token(@user, @application, scopes: "openid profile")
decoded = JWT.decode(token, nil, false).first
# Profile claims should be present
assert_includes decoded.keys, "name", "Should include name with profile scope"
assert_includes decoded.keys, "preferred_username", "Should include preferred_username with profile scope"
assert_equal @user.email_address, decoded["name"]
assert_equal @user.email_address, decoded["preferred_username"]
# Email claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "email_verified", "Should not include email_verified without email scope"
end
test "groups scope should include groups claim" do
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
# Groups claim should be present
assert_includes decoded.keys, "groups", "Should include groups with groups scope"
assert_includes decoded["groups"], "Administrators"
# Email and profile claims should NOT be present
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
end
test "groups scope should not include groups claim when user has no groups" do
# Ensure user has no groups
@user.groups.clear
token = @service.generate_id_token(@user, @application, scopes: "openid groups")
decoded = JWT.decode(token, nil, false).first
# Groups claim should not be present when user has no groups
refute_includes decoded.keys, "groups", "Should not include empty groups claim"
end
test "multiple scopes should include all requested claims" do
admin_group = groups(:admin_group)
@user.groups << admin_group unless @user.groups.include?(admin_group)
token = @service.generate_id_token(@user, @application, scopes: "openid email profile groups")
decoded = JWT.decode(token, nil, false).first
# All scope-based claims should be present
assert_includes decoded.keys, "email", "Should include email"
assert_includes decoded.keys, "email_verified", "Should include email_verified"
assert_includes decoded.keys, "name", "Should include name"
assert_includes decoded.keys, "preferred_username", "Should include preferred_username"
assert_includes decoded.keys, "groups", "Should include groups"
end
test "scope parameter should handle space-separated string" do
token = @service.generate_id_token(@user, @application, scopes: "openid email profile")
decoded = JWT.decode(token, nil, false).first
assert_includes decoded.keys, "email", "Should parse space-separated scopes"
assert_includes decoded.keys, "name", "Should parse space-separated scopes"
end
test "custom claims should always be merged regardless of scopes" do
user = users(:bob)
app = applications(:another_app)
# Add user custom claim
user.update!(custom_claims: {"custom_field" => "custom_value"})
# Request only openid scope (no email, profile, or groups)
token = @service.generate_id_token(user, app, scopes: "openid")
decoded = JWT.decode(token, nil, false).first
# Custom claims should be present even with minimal scopes
assert_equal "custom_value", decoded["custom_field"], "Custom claims should be included regardless of scopes"
# Standard claims should be filtered
refute_includes decoded.keys, "email", "Should not include email without email scope"
refute_includes decoded.keys, "name", "Should not include name without profile scope"
end
end

22
test/test_helper.rb
View File

@@ -1,3 +1,22 @@
# Code coverage must be started before loading application code
if ENV["COVERAGE"]
require "simplecov"
SimpleCov.start "rails" do
add_filter "/test/"
add_filter "/config/"
add_filter "/vendor/"
add_group "Models", "app/models"
add_group "Controllers", "app/controllers"
add_group "Services", "app/services"
add_group "Jobs", "app/jobs"
add_group "Mailers", "app/mailers"
# Minimum coverage thresholds (can be adjusted)
# minimum_coverage 90
end
end
ENV["RAILS_ENV"] ||= "test"
require_relative "../config/environment"
require "rails/test_help"
@@ -6,7 +25,8 @@ require_relative "test_helpers/session_test_helper"
module ActiveSupport
class TestCase
# Run tests in parallel with specified workers
parallelize(workers: :number_of_processors)
# Disable parallelization when running coverage (SimpleCov incompatible with parallel tests)
parallelize(workers: :number_of_processors) unless ENV["COVERAGE"]
# Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
fixtures :all