studio-engine 0.4.1 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da34668d5a20c0af381f45d37de84594937f3687db9f90cd9abb18a88e861f26
-  data.tar.gz: 2ce061aa2892e42dc83609e8a07848bcfbbf1180074b4ec3579068ef12b6cf28
+  metadata.gz: 9666cf8a5b997901079ee936e2ff49cf5b6b653b67e13de85a6588f6bddd93f7
+  data.tar.gz: 62a8338512f0cdf2f01f37bccaff8e2f41bad93233a4f3c62fe1f0eafda61d37
 SHA512:
-  metadata.gz: 49e7e91f9f786b86e9ce38c64f7b86ddb0c07de6dc908e8d5af2c03a945347e7317c90d949a34532762e628348b14f69013bdbcf9d84564722ebd09d62269009
-  data.tar.gz: e570b26da2e8aea1366c3539cb85cfdd160395e686e5dd331f98150b734005be105dcd28b20f158bd9a552c1eff5e9bba50c15f9aa6783f88519004fabc208f7
+  metadata.gz: 873809f43ebcaacb718b8ecec8d45ab933b38f88c706786fa0aa03e89d78c6e41b079579acca0f920d754448d23d1f7a2d899b21483808d20b445077e6b576d7
+  data.tar.gz: 17b0fb9f7997e3b4d5ba8b87188576360b23bfdb5657d29088fab2d0f805fd91b52c38c6472a6892f5225aefdf559a1f73b7484c902f6867bdb93919705d4138

data/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html) — `MAJOR.MINOR.PATCH`. Both consumer Rails apps pin to a tag in their `Gemfile`; bumping the tag is a release.
 
+## v0.4.3 (2026-05-19)
+
+Tier-3 fix from the turf-monster pre-prod opsec audit (OPSEC-016).
+
+### Fixed (security)
+- **`GET /sso_login` no longer mutates the session (OPSEC-016).** The action previously called `authenticate_sso_user!` directly — starting a session on a GET. GETs are not CSRF-covered and are prefetchable (`<img>`, `<link rel=prefetch>`, browser prefetch), so an XSS on any `*.mcritchie.studio` subdomain that wrote `session[:sso_email]` could have a forged `/sso_login` hit silently start a session as that user. `sso_login` now only redirects to the login page; the session mutation happens exclusively through the CSRF-protected `POST /sso_continue` ("Continue as …" button).
+
+### Changed
+- The hub's one-click SSO link to a satellite's `/sso_login` now lands the user on the satellite login page with the "Continue as …" button instead of logging them in directly — one extra click, and the GET endpoint is no longer a session-mutation vector.
+
+## v0.4.2 (2026-05-19)
+
+Security follow-up to v0.4.1 — closes a cross-app session-fixation surface.
+
+### Fixed (security)
+- **Removed legacy `session[:user_id]` fallback in `Studio::ErrorHandling#current_user`** (OPSEC-042). Previously, if `session[Studio.session_key]` was empty but `session[:user_id]` was present, the engine would look up the user by that ID and silently call `set_app_session(user)` — promoting an arbitrary user ID to logged-in status. Combined with the shared `*.mcritchie.studio` cookie scope, any XSS on any subdomain that wrote `session[:user_id]` became cross-app login-as-anyone. The legacy key was a Devise-era migration carrier; consumer apps no longer write to it. Removing the fallback closes the fixation surface.
+
+### Breaking
+- Any user with a stale session that still has `session[:user_id]` set but NOT `session[Studio.session_key]` will be logged out on next request. Practically: nobody, since the engine has been writing `session[Studio.session_key]` since v0.2.x.
+
 ## v0.4.1 (2026-05-17)
 
 Pre-public-release security hardening per `SECURITY-AUDIT-2026-05-17.md`.

data/app/controllers/concerns/studio/error_handling.rb

@@ -15,20 +15,7 @@ module Studio
 
     def current_user
       return @current_user if defined?(@current_user)
-
-      # Try app-specific session key
       @current_user = User.find_by(id: session[Studio.session_key])
-
-      # Legacy migration: old shared session[:user_id]
-      if @current_user.nil? && session[:user_id].present? && Studio.session_key != :user_id
-        @current_user = User.find_by(id: session[:user_id])
-        if @current_user
-          set_app_session(@current_user)  # Migrate to new key
-          session.delete(:user_id)        # Clean up old key
-        end
-      end
-
-      @current_user
     end
 
     def set_app_session(user)

data/app/controllers/sessions_controller.rb

@@ -15,15 +15,20 @@ class SessionsController < ApplicationController
     end
   end
 
-  # GET /sso_login — one-click SSO entry point (linked from hub app nav)
+  # GET /sso_login — one-click SSO entry point (linked from hub app nav).
+  #
+  # OPSEC-016: this previously called authenticate_sso_user! directly, mutating
+  # the session on a GET. GETs are not CSRF-covered and are prefetchable
+  # (browser prefetch, <img>, <link rel=prefetch>), so an XSS on any
+  # *.mcritchie.studio subdomain could write session[:sso_email] and a forged
+  # GET /sso_login would silently start a session as that user. It now only
+  # redirects to the login page — the session mutation happens exclusively via
+  # the CSRF-protected POST /sso_continue ("Continue as …" button rendered
+  # there when sso_user_available?).
   def sso_login
     return redirect_to root_path if logged_in?
-    return redirect_to login_path unless sso_user_available?
 
-    authenticate_sso_user!
-  rescue StandardError => e
-    create_error_log(e)
-    redirect_to login_path, alert: "Could not continue session. Please log in."
+    redirect_to login_path
   end
 
   # POST /sso_continue — form-based SSO from login page button

data/lib/studio/version.rb

@@ -1,3 +1,3 @@
 module Studio
-  VERSION = "0.4.1"
+  VERSION = "0.4.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: studio-engine
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.3
 platform: ruby
 authors:
 - Alex McRitchie
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-18 00:00:00.000000000 Z
+date: 2026-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails