standard_id 0.26.0 → 0.26.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/concerns/standard_id/rate_limit_handling.rb +8 -1
- data/app/controllers/standard_id/web/base_controller.rb +1 -0
- data/app/helpers/standard_id/application_helper.rb +6 -0
- data/app/views/standard_id/web/login_verify/show.html.erb +1 -1
- data/lib/standard_id/oauth/discovery_document.rb +8 -1
- data/lib/standard_id/version.rb +1 -1
- data/lib/standard_id/web/session_manager.rb +6 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6b1486a551a57501f794685296e6d40c7c356917168fce7a515c7d869c887c1c
|
|
4
|
+
data.tar.gz: 9520bd31e28f591e0e5b65e95e4b8861c7fedc233471914740304984da666f6c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a2122cccd43faf84a5a332788f10f02a6a91928dfcc9452e080fb27704951da83dcaaffc02e0e91d7b1668b9f5696c0142b7744924908a5e03ac74c539bada1e
|
|
7
|
+
data.tar.gz: b287c31906e30d58e977ce778a9daa77010a346eaa355a343b0952ec82865ece850e6686b622af9f228e5f69010efd2d9e8914fbb56bd6fe7c4b497976ebb2a6
|
|
@@ -20,7 +20,14 @@ module StandardId
|
|
|
20
20
|
}, status: :too_many_requests
|
|
21
21
|
else
|
|
22
22
|
flash[:alert] = "Too many requests. Please try again later."
|
|
23
|
-
|
|
23
|
+
# Bounce back to the rate-limited form's own GET action. Previously this
|
|
24
|
+
# used `request.referer || main_app.root_path`, which raised (→ 500) for
|
|
25
|
+
# two real cases: a host app that doesn't define a root route (e.g. an
|
|
26
|
+
# API/control-plane that only mounts the engine — `main_app.root_path`
|
|
27
|
+
# then doesn't exist), and a cross-origin `Referer` (Rails refuses the
|
|
28
|
+
# redirect as unsafe). `request.path` is always a valid, same-origin GET
|
|
29
|
+
# for every rate-limited action here, so it degrades gracefully.
|
|
30
|
+
redirect_to request.path, status: :see_other
|
|
24
31
|
end
|
|
25
32
|
end
|
|
26
33
|
end
|
|
@@ -1,4 +1,10 @@
|
|
|
1
1
|
module StandardId
|
|
2
2
|
module ApplicationHelper
|
|
3
|
+
# The configured OTP code length, clamped to the engine's supported range
|
|
4
|
+
# (4..10). Views use this so the verification-code input's `maxlength`
|
|
5
|
+
# stays in sync with the length of codes the generator actually produces.
|
|
6
|
+
def otp_code_length
|
|
7
|
+
StandardId::Passwordless.otp_code_length
|
|
8
|
+
end
|
|
3
9
|
end
|
|
4
10
|
end
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
<div>
|
|
23
23
|
<%= form.label :code, "Verification code", class: "block text-sm/6 font-medium text-gray-900 dark:text-white" %>
|
|
24
24
|
<div class="mt-2">
|
|
25
|
-
<%= form.text_field :code, required: true, autofocus: true, autocomplete: "one-time-code", inputmode: "numeric", maxlength:
|
|
25
|
+
<%= form.text_field :code, required: true, autofocus: true, autocomplete: "one-time-code", inputmode: "numeric", maxlength: otp_code_length, class: "block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6 dark:bg-white/5 dark:text-white dark:outline-white/10 dark:placeholder:text-gray-500 dark:focus:outline-indigo-500" %>
|
|
26
26
|
</div>
|
|
27
27
|
</div>
|
|
28
28
|
|
|
@@ -34,7 +34,6 @@ module StandardId
|
|
|
34
34
|
token_endpoint: "#{base}/oauth/token",
|
|
35
35
|
revocation_endpoint: "#{base}/oauth/revoke",
|
|
36
36
|
userinfo_endpoint: "#{base}/userinfo",
|
|
37
|
-
jwks_uri: "#{base}/.well-known/jwks.json",
|
|
38
37
|
response_types_supported: %w[code],
|
|
39
38
|
grant_types_supported: %w[authorization_code refresh_token client_credentials],
|
|
40
39
|
subject_types_supported: %w[public],
|
|
@@ -47,6 +46,14 @@ module StandardId
|
|
|
47
46
|
code_challenge_methods_supported: %w[S256]
|
|
48
47
|
}
|
|
49
48
|
|
|
49
|
+
# Only advertise jwks_uri when signing is asymmetric. With symmetric
|
|
50
|
+
# (HS256/384/512) signing there are no public keys to publish, so the
|
|
51
|
+
# jwks endpoint deliberately returns 404 — advertising it would point
|
|
52
|
+
# clients at a dead URL. HS-signed tokens are verified with the shared
|
|
53
|
+
# secret, not JWKS. (RFC 8414 makes jwks_uri optional; an OIDC client
|
|
54
|
+
# using HS256 id_tokens verifies them with the client_secret.)
|
|
55
|
+
doc[:jwks_uri] = "#{base}/.well-known/jwks.json" if StandardId::JwtService.asymmetric?
|
|
56
|
+
|
|
50
57
|
doc[:registration_endpoint] = "#{base}/oauth/register" if registration_enabled
|
|
51
58
|
|
|
52
59
|
doc
|
data/lib/standard_id/version.rb
CHANGED
|
@@ -63,7 +63,12 @@ module StandardId
|
|
|
63
63
|
# TODO: make token key names configurable
|
|
64
64
|
session.delete(:session_token)
|
|
65
65
|
session.delete(:standard_id_scopes)
|
|
66
|
-
cookies.encrypted[:session_token] = nil
|
|
66
|
+
# Delete the cookie outright. Assigning `cookies.encrypted[:session_token] = nil`
|
|
67
|
+
# writes a fresh encrypted blob through the jar's default options (no httponly)
|
|
68
|
+
# on every unauthenticated request, leaving a confusing non-HttpOnly
|
|
69
|
+
# `session_token` cookie that carries no real token. `cookies.delete` removes it
|
|
70
|
+
# cleanly — the token-bearing write (write_session_cookie) keeps httponly: true.
|
|
71
|
+
cookies.delete(:session_token)
|
|
67
72
|
cookies.delete(:remember_token)
|
|
68
73
|
|
|
69
74
|
Current.session = nil
|