studio-engine 0.4.2 → 0.4.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/app/controllers/sessions_controller.rb +11 -6
- data/lib/studio/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9666cf8a5b997901079ee936e2ff49cf5b6b653b67e13de85a6588f6bddd93f7
|
|
4
|
+
data.tar.gz: 62a8338512f0cdf2f01f37bccaff8e2f41bad93233a4f3c62fe1f0eafda61d37
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 873809f43ebcaacb718b8ecec8d45ab933b38f88c706786fa0aa03e89d78c6e41b079579acca0f920d754448d23d1f7a2d899b21483808d20b445077e6b576d7
|
|
7
|
+
data.tar.gz: 17b0fb9f7997e3b4d5ba8b87188576360b23bfdb5657d29088fab2d0f805fd91b52c38c6472a6892f5225aefdf559a1f73b7484c902f6867bdb93919705d4138
|
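Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines in both the SHA256 and SHA512 blocks carry no values in this rendering, so the hunk only records the 0.4.3 digests and does not show what 0.4.2 shipped with; anyone using this page to confirm the artefact actually changed should fetch both versions (`gem fetch studio-engine -v 0.4.2`, `gem fetch studio-engine -v 0.4.3`), `tar xf` each `.gem`, and run `sha256sum metadata.gz data.tar.gz` rather than trust the diff. Note also that checksums.yaml is written by `gem build` at packaging time, so these digests detect corruption in transit, not substitution of the package by whoever holds the publishing credentials.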
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html) — `MAJOR.MINOR.PATCH`. Both consumer Rails apps pin to a tag in their `Gemfile`; bumping the tag is a release.
|
|
4
4
|
|
|
5
|
+
## v0.4.3 (2026-05-19)
|
|
6
|
+
|
|
7
|
+
Tier-3 fix from the turf-monster pre-prod opsec audit (OPSEC-016).
|
|
8
|
+
|
|
9
|
+
### Fixed (security)
|
|
10
|
+
- **`GET /sso_login` no longer mutates the session (OPSEC-016).** The action previously called `authenticate_sso_user!` directly — starting a session on a GET. GETs are not CSRF-covered and are prefetchable (`<img>`, `<link rel=prefetch>`, browser prefetch), so an XSS on any `*.mcritchie.studio` subdomain that wrote `session[:sso_email]` could have a forged `/sso_login` hit silently start a session as that user. `sso_login` now only redirects to the login page; the session mutation happens exclusively through the CSRF-protected `POST /sso_continue` ("Continue as …" button).
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
- The hub's one-click SSO link to a satellite's `/sso_login` now lands the user on the satellite login page with the "Continue as …" button instead of logging them in directly — one extra click, and the GET endpoint is no longer a session-mutation vector.
|
|
14
|
+
|
|
5
15
|
## v0.4.2 (2026-05-19)
|
|
6
16
|
|
|
7
17
|
Security follow-up to v0.4.1 — closes a cross-app session-fixation surface.
|
|
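Review bot: the threat model the OPSEC-016 entry states (an XSS on a sibling `*.mcritchie.studio` subdomain that can write `session[:sso_email]`) is stronger than what moving the mutation behind a CSRF-protected `POST /sso_continue` addresses. Rails stores the authenticity token in that same session (`session[:_csrf_token]`), so an attacker who can write arbitrary session keys can also plant a token that matches a forged POST. Either say what actually stops that case (a session cookie and secret that a sibling subdomain cannot write, or a check in `sso_continue` that binds `session[:sso_email]` to something the attacker cannot forge), or narrow the claim to "a prefetched or cross-site GET can no longer start a session", which is what this change demonstrably does. Two smaller points: `v0.4.3 (2026-05-19)` carries the same date as v0.4.2 while the gemspec in this same release is dated 2026-05-20, and "Both consumer Rails apps pin to a tag in their `Gemfile`" is a mutable pin; if bumping the tag is the release, pin the commit SHA (`ref:`) or have the consumers verify the checksum above.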
@@ -15,15 +15,20 @@ class SessionsController < ApplicationController
|
|
|
15
15
|
end
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
-
# GET /sso_login — one-click SSO entry point (linked from hub app nav)
|
|
18
|
+
# GET /sso_login — one-click SSO entry point (linked from hub app nav).
|
|
19
|
+
#
|
|
20
|
+
# OPSEC-016: this previously called authenticate_sso_user! directly, mutating
|
|
21
|
+
# the session on a GET. GETs are not CSRF-covered and are prefetchable
|
|
22
|
+
# (browser prefetch, <img>, <link rel=prefetch>), so an XSS on any
|
|
23
|
+
# *.mcritchie.studio subdomain could write session[:sso_email] and a forged
|
|
24
|
+
# GET /sso_login would silently start a session as that user. It now only
|
|
25
|
+
# redirects to the login page — the session mutation happens exclusively via
|
|
26
|
+
# the CSRF-protected POST /sso_continue ("Continue as …" button rendered
|
|
27
|
+
# there when sso_user_available?).
|
|
19
28
|
def sso_login
|
|
20
29
|
return redirect_to root_path if logged_in?
|
|
21
|
-
return redirect_to login_path unless sso_user_available?
|
|
22
30
|
|
|
23
|
-
|
|
24
|
-
rescue StandardError => e
|
|
25
|
-
create_error_log(e)
|
|
26
|
-
redirect_to login_path, alert: "Could not continue session. Please log in."
|
|
31
|
+
redirect_to login_path
|
|
27
32
|
end
|
|
28
33
|
|
|
29
34
|
# POST /sso_continue — form-based SSO from login page button
|
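Review bot: no spec accompanies this change (the file list shows only checksums.yaml, CHANGELOG.md, sessions_controller.rb, version.rb and metadata), yet the whole fix is the negative property that `GET /sso_login` leaves the session untouched; add a request spec that sets `session[:sso_email]` to an eligible user, issues `get '/sso_login'`, and asserts a redirect to `login_path` with no user logged in afterwards, otherwise a later "one-click" convenience revert goes unnoticed. Dropping the `rescue StandardError` / `create_error_log(e)` block is fine since the `sso_user_available?` call it guarded is gone, but `return redirect_to root_path if logged_in?` remains, so the comment's "It now only redirects to the login page" is not literally true; either remove that early return or reword the comment. The ten-line comment also repeats the CHANGELOG entry almost verbatim; a one-line pointer to OPSEC-016 plus the rule ("never mutate the session on a GET; use POST /sso_continue") would age better.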
data/lib/studio/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: studio-engine
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Alex McRitchie
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-05-
|
|
11
|
+
date: 2026-05-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
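Review bot: `cert_chain: []` persists into 0.4.3, so the gem is unsigned and the publisher-written checksums.yaml is the only integrity record; for a component that decides when a session starts in two consumer apps, sign releases (`gem cert` plus `signing_key` / `cert_chain` in the gemspec) or at minimum have the consumers verify the SHA256 of the fetched artefact against the value published here. The `date:` bump to 2026-05-20 also disagrees with the CHANGELOG's `v0.4.3 (2026-05-19)`; pick one so the release record is consistent.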