activeadmin-oidc 2.0.1 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a4d32669000d3de07114d54dc1c5d408899c1c8cf40e86b154e328ab08ed385
-  data.tar.gz: d1f002c56666e32b794bc1024a37b8bb06e275642c625b198664febd7caf6805
+  metadata.gz: 8afe2cffbac6a3491a7bcef10a33b8e87385b2574237826c4932bf0dda809536
+  data.tar.gz: 3984564073d074906197fe8bc8101935cfe293a88d515db0f6b228b389bb144d
 SHA512:
-  metadata.gz: 79d676e27f836c5d271925d067cb5a072450e237394b07a590ac988b779ff5200a39c79208170ec3ef930837b8ad46dbf0f97e8403b9899fb73c1a6983092ab9
-  data.tar.gz: 13ac29d12fda8a44ba24aa992ac61d65f63c607894e576d66276cf18f2fa478f26b881b335bf93f767296c65c2c35a9d43b1bf76ddcb48d19078dd75ce94bb8f
+  metadata.gz: 9186f4de83c070356b1b980d42247ebdada9abbbbee0c8894a037d84487791bff7791617d0c31c19c36b7c95a7789640cded88a345da9d07720d4046869c2c65
+  data.tar.gz: e500884e14d9f88e8d08e3d082487410091557ea83a6fc3c7bedd17678e9a38bff0eb8627c16fd54c5cf961dfafe618ec5456451aa8c887fae682c07ee1d5436

data/app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb

@@ -38,18 +38,19 @@ module ActiveAdmin
             provider: ActiveAdmin::Oidc::Engine::PROVIDER_NAME.to_s
           ).call
 
-          # Devise checks active_for_authentication? on session
-          # deserialization but NOT on initial OmniAuth sign-in.
-          # Guard here so disabled/locked users are rejected immediately.
-          unless admin_user.active_for_authentication?
-            message = admin_user.inactive_message
-            flash[:alert] = I18n.t("devise.failure.#{message}", default: message.to_s)
-            redirect_to after_omniauth_failure_path_for(resource_name)
-            return
-          end
-
           sign_in_and_redirect admin_user, event: :authentication
           set_flash_message(:notice, :success, kind: 'OIDC') if is_navigational_format?
+        rescue ActiveAdmin::Oidc::InactiveError => e
+          Rails.logger.warn("[activeadmin-oidc] inactive: #{e.inactive_message_key}")
+          # Fall back to the standard `inactive` translation rather
+          # than the raw symbol — custom keys like :locked_by_admin
+          # would otherwise leak host-internal state into a flash
+          # visible to unauthenticated visitors.
+          flash[:alert] = I18n.t(
+            "devise.failure.#{e.inactive_message_key}",
+            default: I18n.t("devise.failure.inactive")
+          )
+          redirect_to after_omniauth_failure_path_for(resource_name)
         rescue ActiveAdmin::Oidc::ProvisioningError => e
           Rails.logger.warn("[activeadmin-oidc] denial: #{e.message}")
           flash[:alert] = ActiveAdmin::Oidc.config.access_denied_message
@@ -78,14 +79,18 @@ module ActiveAdmin
         # `:database_authenticatable` is in the mapping's `used_helpers`,
         # so an OIDC-only model never gets it. The engine mounts
         # `new_<scope>_session_path` itself, but the helper lives on
-        # whichever route set the mapping's `router_name` points at —
-        # main_app by default, or `<engine_name>` for hosts that mount
-        # Devise inside a Rails engine. Replicate Devise's own dispatch
-        # so the right context is asked.
+        # whichever route set Devise's URL helper dispatcher points at:
+        # the per-mapping `router_name` (set by
+        # `devise_for :scope, router_name: :engine`) when present,
+        # otherwise the global `Devise.available_router_name`
+        # (set by `Devise.router_name = :engine`), which defaults to
+        # `:main_app`. Replicate that dispatcher here so the helper is
+        # resolved on the right context (Rails.application proxy or
+        # mounted engine proxy).
         def after_omniauth_failure_path_for(scope)
-          router_name = ::Devise.mappings[scope].router_name
-          context     = router_name ? send(router_name) : self
-          context.public_send(:"new_#{scope}_session_path")
+          router_name = ::Devise.mappings[scope].router_name ||
+                        ::Devise.available_router_name
+          send(router_name).public_send(:"new_#{scope}_session_path")
         end
       end
     end

data/app/views/active_admin/devise/sessions/new.html.erb

@@ -5,7 +5,7 @@
     </h2>
 
     <%= button_to ActiveAdmin::Oidc.config.login_button_label,
-                  "/admin/auth/oidc",
+                  "#{OmniAuth.config.path_prefix}/oidc",
                   method: :post,
                   class: "activeadmin-oidc-login-button w-full",
                   form_class: 'formtastic',
@@ -15,10 +15,12 @@
   <div id="login">
     <h2><%= active_admin_application.site_title(self) %></h2>
 
-    <%= button_to ActiveAdmin::Oidc.config.login_button_label,
-                  "/admin/auth/oidc",
-                  method: :post,
-                  class: "activeadmin-oidc-login-button",
-                  data: { turbo: false } %>
+    <%= form_tag "#{OmniAuth.config.path_prefix}/oidc",
+                 method: :post,
+                 class: "activeadmin-oidc-login-form formtastic",
+                 data: { turbo: false } do %>
+      <%= submit_tag ActiveAdmin::Oidc.config.login_button_label,
+                     class: "activeadmin-oidc-login-button" %>
+    <% end %>
   </div>
 <% end %>

data/lib/activeadmin/oidc/user_provisioner.rb

@@ -35,11 +35,31 @@ module ActiveAdmin
         validate_claims!
 
         admin_user = find_or_adopt_or_build
+
+        # Retry path: a concurrent first sign-in inserted between our
+        # initial miss-and-build and our failed save. Return the
+        # winner's row verbatim — on_login already ran on our (now
+        # discarded) in-memory build, and re-firing it would double
+        # any host-side side effects (audit log, webhook, email).
+        return admin_user if @retried
+
         assign_base_attributes(admin_user)
 
         allowed = invoke_on_login(admin_user)
         raise ProvisioningError, denial_message unless allowed
 
+        # Devise's `active_for_authentication?` guard runs in the
+        # controller post-sign-in, but by then we've already saved
+        # the record. Hostile attempts where on_login flips an
+        # inactivity flag (e.g. enabled=false) would otherwise leave
+        # provisional rows in the DB on every try. Refuse before
+        # persisting. Raise the dedicated InactiveError so the
+        # controller can surface the model's I18n inactive_message
+        # instead of the generic denial flash.
+        unless admin_user.active_for_authentication?
+          raise InactiveError, admin_user.inactive_message
+        end
+
         save!(admin_user)
         admin_user
       rescue RetryProvisioning
@@ -84,6 +104,19 @@ module ActiveAdmin
                   "Identity #{identity_value.inspect} is already linked to a different account (takeover guard)"
           end
 
+          # Adoption of a pre-existing row (provider/uid still nil) by
+          # an IdP-supplied identity value is a privilege-escalation
+          # vector when the IdP allows external / unverified emails:
+          # an attacker registers `ceo@example.com` at the IdP and
+          # adopts the seeded admin row. Refuse when the IdP explicitly
+          # marks the claim as unverified. (Absent claim → unchanged
+          # behaviour, since many IdPs don't ship `email_verified` at
+          # all.)
+          if @claims["email_verified"] == false
+            raise ProvisioningError,
+                  "Identity #{identity_value.inspect} is not verified by the IdP — refusing adoption"
+          end
+
           identity_match.provider = @provider
           identity_match.uid      = uid
           return identity_match

data/lib/activeadmin/oidc/version.rb

@@ -2,6 +2,6 @@
 
 module ActiveAdmin
   module Oidc
-    VERSION = "2.0.1"
+    VERSION = "2.1.1"
   end
 end

data/lib/activeadmin-oidc.rb

@@ -28,6 +28,23 @@ module ActiveAdmin
     class ProvisioningError < Error; end
     class RetryProvisioning < Error; end
 
+    # Raised when active_for_authentication? rejects the user. Carries
+    # the model's inactive_message symbol so the controller can
+    # translate it via I18n (devise.failure.<symbol>) instead of
+    # falling back to the generic denial flash.
+    class InactiveError < ProvisioningError
+      attr_reader :inactive_message_key
+
+      # Devise's default inactive_message is :inactive. Hosts can
+      # override the method and legitimately return nil on some
+      # branches; fall back to :inactive so the controller never
+      # ends up with an empty flash.
+      def initialize(inactive_message_key)
+        @inactive_message_key = inactive_message_key.presence || :inactive
+        super(@inactive_message_key.to_s)
+      end
+    end
+
     class << self
       def config
         @config ||= Configuration.new

data/lib/generators/active_admin/oidc/install/templates/sessions_new.html.erb

@@ -1,9 +1,11 @@
 <div id="login">
   <h2><%%= active_admin_application.site_title(self) %></h2>
 
-  <%%= button_to ActiveAdmin::Oidc.config.login_button_label,
-                "/admin/auth/oidc",
-                method: :post,
-                class: "activeadmin-oidc-login-button",
-                data: { turbo: false } %>
+  <%%= form_tag "#{OmniAuth.config.path_prefix}/oidc",
+               method: :post,
+               class: "activeadmin-oidc-login-form formtastic",
+               data: { turbo: false } do %>
+    <%%= submit_tag ActiveAdmin::Oidc.config.login_button_label,
+                   class: "activeadmin-oidc-login-button" %>
+  <%% end %>
 </div>

data/lib/generators/active_admin/oidc/install/templates/sessions_new_v4.html.erb

@@ -4,7 +4,7 @@
   </h2>
 
   <%%= button_to ActiveAdmin::Oidc.config.login_button_label,
-       "/admin/auth/oidc",
+       "#{OmniAuth.config.path_prefix}/oidc",
        method: :post,
        class: "activeadmin-oidc-login-button w-full",
        form_class: 'formtastic',

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: activeadmin-oidc
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.1
 platform: ruby
 authors:
 - Igor Fedoronchuk
@@ -33,42 +33,42 @@ dependencies:
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
 - !ruby/object:Gem::Dependency
   name: omniauth-rails_csrf_protection
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
@@ -78,6 +78,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -85,6 +88,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -92,6 +98,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '7.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -99,60 +108,63 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '7.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.40'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.40'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.19'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.19'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
 - !ruby/object:Gem::Dependency
@@ -162,6 +174,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -169,60 +184,63 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.60'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.60'
 - !ruby/object:Gem::Dependency
   name: rubocop-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.20'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.20'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.25'
 description: |