e36a9a781a
Add new claims to the discovery endpoint
d036e25fef
Add auth_time, acr and azp support for OIDC claims
fcdd2b6de7
Continue adding auth_time - need it in the refresh token too, so we can accurately create new access tokens.
3939ea773f
We already have a login_time stored - the timestamp of the Session instance creation (created after successful login).
4b4afe277e
Include auth_time in ID token. Switch from upsert -> find_and_create_by so we actually get sid values for consent on the creation of the record
3db466f5a2
Switch Access / Refresh tokens / Auth Code from bcrypt (and plain) to hmac. BCrypt is for low entropy passwords and prevents dictionary attacks - HMAC is suitable for 256-bit random data.
7c6ae7ab7e
Store only HMAC'd Auth codes, rather than plain text auth codes.
ed7ceedef5
Include the hash of the access token in the JWT / ID Token under the key at_hash as per the requirements. Update the discovery endpoint to describe subject_type as 'pairwise', rather than 'public', since we do pairwise subject ids.
40815d3576
Use SolidQueue in production. Use the find_by_token method, rather than iterating over refresh tokens, as we already fixed for tokens
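
The token-storage change described in the commit messages above (HMAC instead of bcrypt for 256-bit random tokens, then `find_by_token` instead of iterating over records), as an added Ruby example that is not code from this repository. `TokenStore`, its `issue`, `digest` and `stored_values` methods, and the key are hypothetical, and a Ruby hash stands in for a database column with a unique index.

```ruby
require "openssl"
require "securerandom"

# Constructed key for this example only; a deployment would load it from
# its secret store and never hard-code it.
TOKEN_HMAC_KEY = "constructed-demo-key-not-a-real-secret"

# Hypothetical in-memory stand-in for a token table indexed on the digest.
class TokenStore
  def initialize(key)
    @key = key
    @rows = {} # hex HMAC digest => record attributes
  end

  # HMAC-SHA256 is deterministic: the same token always maps to the same
  # digest, so the digest can be an indexed lookup key. A salted bcrypt
  # hash differs per record, which forces a compare against every row.
  def digest(token)
    OpenSSL::HMAC.hexdigest("SHA256", @key, token)
  end

  # Issue a token with 256 bits of randomness and persist only its HMAC.
  # The plain token is returned to the caller once and never stored.
  def issue(attrs)
    token = SecureRandom.urlsafe_base64(32)
    @rows[digest(token)] = attrs
    token
  end

  # One keyed lookup; nil for unknown, empty or non-string input.
  def find_by_token(token)
    return nil unless token.is_a?(String) && !token.empty?
    @rows[digest(token)]
  end

  # What a database dump would expose: digests only.
  def stored_values
    @rows.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new(TOKEN_HMAC_KEY)
  token = store.issue({ user_id: 42, scope: "openid" })
  puts "issued:  #{token}"
  puts "stored:  #{store.stored_values.first}"
  puts "lookup:  #{store.find_by_token(token).inspect}"
  puts "unknown: #{store.find_by_token('not-a-token').inspect}"
end
```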