verikloak-rails 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f473cac2688d575650e3c483eac520fcb910ca7a9fd3c08620337386a705ca27
-  data.tar.gz: d76e49d03d27b336e6c8727f0cf3b82bb783bbe5153051be4ad4d0c1af5cfe7f
+  metadata.gz: f2cf09e4cda410ff55efd34d8e2fb24fa78241de47f3c5cd8942deaca6e83db4
+  data.tar.gz: 8f8ee287a51d3a39e7807b70b4d11c42090de231b898e9eea07b221b518b8f63
 SHA512:
-  metadata.gz: 6326a2ca5a86a50898ebe00094139733e3295203ec050e9c471093c1d3b21f2d161251d6ecf97ce265267718e83b570f1b9d8d82b9288855f732b557d22ac5a4
-  data.tar.gz: 874c03abffe2470e4993b64e0afdcbe42f1b1f27e8b4bbd17aa457445deffce591907a46a62f0be24801786f3e339bfd43fd89deb3d2239defcd3ad37c8410ca
+  metadata.gz: dbb93e90c1408dce20360f186a6a59bb4f47a62db569656279c311c01d1623e6f894709d5ccd73b0df32e3a4e3351bb90a598074ae6ec3a8b9d31c2187a1b937
+  data.tar.gz: b51e2a247c8ca1a145b768e5d59762675669d5ab1b6556ac738197a611fd0c8e925d193d7308c8522f4b072c8645aa93f947a61993b1045f57d803a8903e6c78

data/CHANGELOG.md

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.4.0] - 2026-02-15
+
+### Security
+- **Header sanitization**: `ErrorRenderer` now delegates to `Verikloak::ErrorResponse.sanitize_header_value` — strips all control characters (`[[:cntrl:]]`), not just CR/LF, consistent with core gem
+- **Request-ID sanitization**: Log tag builder strengthened from `/[\r\n]+/` to `/[[:cntrl:]]+/` to block all control characters in tagged logging
+- **BFF configurator hardening**: `public_send` in `BffConfigurator` is now guarded with a whitelist — rejects keys starting with `_` or containing `!` to prevent accidental invocation of non-accessor methods
+
+### Fixed
+- **`with_required_audience!`**: Was passing two positional arguments to `Error.new` (`'forbidden', 'message'`), which raises `ArgumentError` with core gem 0.4.0's keyword-arg signature. Now uses `Error.new('Required audience not satisfied', code: 'forbidden')`
+- **`authenticate_user!`**: Was passing `Error.new('unauthorized')` which set `code` to `nil` (message became `'unauthorized'` but code was unset). Now uses `Error.new('Unauthorized', code: 'unauthorized')` for correct error rendering
+- Test stubs updated to match core gem's keyword-arg `Error.new(message, code:, http_status:)` signature
+
+### Added
+- `allow_http` configuration option — forwarded to core `Verikloak::Middleware` for development/test environments where HTTPS is unavailable
+- Logger cycle detection using `Set` guard in `_verikloak_base_logger` to prevent infinite loops with circular logger chains
+
+### Changed
+- **BREAKING**: Minimum `verikloak` dependency raised to `>= 0.4.0` (keyword-arg `Error.new` signature)
+- Dev dependency `rspec` pinned to `~> 3.13`, `rubocop-rspec` pinned to `~> 3.9`
+- Extracted `auto_disable_rescue_pundit` method from `apply_configuration` in Railtie for clarity and testability
+- Removed `sanitize_quoted` private method from `ErrorRenderer` in favor of shared `Verikloak::ErrorResponse.sanitize_header_value`
+
+---
+
 ## [0.3.2] - 2026-01-01
 
 ### Changed

data/README.md

@@ -21,7 +21,7 @@ Provide drop-in, token-based authentication for Rails APIs via Verikloak (OIDC d
 ## Compatibility
 - Ruby: >= 3.1
 - Rails: 6.1 – 8.x
-- verikloak: >= 0.3.0, < 1.0.0
+- verikloak: >= 0.4.0, < 1.0.0
 
 ## Quick Start
 ```bash
@@ -168,6 +168,7 @@ Keys under `config.verikloak`:
 | `token_env_key` | String | Custom Rack env key that stores the Bearer token | `nil` (middleware default `verikloak.token`) |
 | `user_env_key` | String | Custom Rack env key that stores decoded claims | `nil` (middleware default `verikloak.user`) |
 | `bff_header_guard_options` | Hash or Proc | Forwarded to `Verikloak::BFF.configure` prior to middleware insertion | `{}` |
+| `allow_http` | Boolean | Allow `http://` discovery URLs (forwarded to core middleware). **Only for development/test.** | `false` |
 
 Environment variable examples are in the generated initializer.
 
@@ -266,14 +267,15 @@ Rails.application.configure do
 end
 ```
 
-Note: Always sanitize values placed into `WWW-Authenticate` header parameters to avoid header injection. For example:
+Note: Always sanitize values placed into `WWW-Authenticate` header parameters to avoid header injection. You can use the shared helper from the core gem:
 
 ```ruby
 class CompactErrorRenderer
   private
-  def sanitize_quoted(val)
-    # Escape quotes/backslashes and strip CR/LF (collapse runs to a single space)
-    val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
+  def sanitize(val)
+    # Delegates to core gem's sanitizer — escapes quotes/backslashes,
+    # truncates at CRLF, and strips all control characters.
+    Verikloak::ErrorResponse.sanitize_header_value(val)
   end
 end
 ```

data/lib/generators/verikloak/install/install_generator.rb

@@ -26,7 +26,7 @@ module Verikloak
           ✅ verikloak: initializer created.
 
           Next steps:
-          1) Ensure the base gem is installed:   gem 'verikloak', '>= 0.3.0', '< 1.0.0'
+          1) Ensure the base gem is installed:   gem 'verikloak', '>= 0.4.0', '< 1.0.0'
           2) Set discovery_url / audience in config/initializers/verikloak.rb
           3) (Optional) If you disable auto-include, add this line to ApplicationController:
                include Verikloak::Rails::Controller

data/lib/verikloak/rails/bff_configurator.rb

@@ -103,7 +103,12 @@ module Verikloak
         target.configure do |config|
           entries.each do |key, value|
             writer = "#{key}="
-            config.public_send(writer, value) if config.respond_to?(writer)
+            # Guard: only call known attr_accessor writers to prevent
+            # accidental invocation of arbitrary public methods.
+            next unless config.respond_to?(writer)
+            next if key.to_s.start_with?('_') || key.to_s.include?('!')
+
+            config.public_send(writer, value)
           end
         end
       end

data/lib/verikloak/rails/configuration.rb

@@ -61,7 +61,8 @@ module Verikloak
                     :auto_insert_bff_header_guard,
                     :bff_header_guard_insert_before, :bff_header_guard_insert_after,
                     :token_verify_options, :decoder_cache_limit,
-                    :token_env_key, :user_env_key, :bff_header_guard_options
+                    :token_env_key, :user_env_key, :bff_header_guard_options,
+                    :allow_http
 
       # Initialize configuration with sensible defaults for Rails apps.
       # @return [void]
@@ -86,6 +87,7 @@ module Verikloak
         @token_env_key = nil
         @user_env_key = nil
         @bff_header_guard_options = {}
+        @allow_http = false
       end
 
       # Options forwarded to the base Verikloak Rack middleware.
@@ -103,7 +105,8 @@ module Verikloak
           token_verify_options: token_verify_options,
           decoder_cache_limit: decoder_cache_limit,
           token_env_key: token_env_key,
-          user_env_key: user_env_key
+          user_env_key: user_env_key,
+          allow_http: allow_http
         }.compact
       end
     end

data/lib/verikloak/rails/controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'active_support/concern'
+require 'set'
 
 module Verikloak
   module Rails
@@ -43,11 +44,7 @@ module Verikloak
       def authenticate_user!
         return if authenticated?
 
-        e = begin
-          ::Verikloak::Error.new('unauthorized')
-        rescue StandardError
-          StandardError.new('Unauthorized')
-        end
+        e = ::Verikloak::Error.new('Unauthorized', code: 'unauthorized')
         Verikloak::Rails.config.error_renderer.render(self, e)
       end
 
@@ -84,7 +81,7 @@ module Verikloak
         aud = Array(current_user_claims&.dig('aud'))
         return if required.flatten.all? { |r| aud.include?(r) }
 
-        raise ::Verikloak::Error.new('forbidden', 'Required audience not satisfied')
+        raise ::Verikloak::Error.new('Required audience not satisfied', code: 'forbidden')
       end
 
       private
@@ -108,7 +105,7 @@ module Verikloak
         tags = []
         if config.logger_tags.include?(:request_id)
           rid = request.request_id || request.headers['X-Request-Id']
-          rid = rid.to_s.gsub(/[\r\n]+/, ' ')
+          rid = rid.to_s.gsub(/[[:cntrl:]]+/, ' ').strip
           tags << "req:#{rid}" unless rid.empty?
         end
         if config.logger_tags.include?(:sub)
@@ -164,7 +161,10 @@ module Verikloak
                         logger
                       end
         current = root_logger
+        seen = Set.new
         while current.respond_to?(:logger)
+          break unless seen.add?(current.object_id)
+
           next_logger = current.logger
           break if next_logger.nil? || next_logger.equal?(current)
 

data/lib/verikloak/rails/error_renderer.rb

@@ -1,11 +1,16 @@
 # frozen_string_literal: true
 
+require 'verikloak/error_response'
+
 module Verikloak
   module Rails
     # Renders JSON errors for authentication/authorization failures.
     #
     # When status is 401, adds a `WWW-Authenticate: Bearer` header including
     # `error` and `error_description` fields when available.
+    #
+    # Header sanitization is delegated to {Verikloak::ErrorResponse} to ensure
+    # consistent control-character stripping across all Verikloak gems.
     class ErrorRenderer
       DEFAULT_STATUS_MAP = {
         'invalid_token' => 401,
@@ -67,6 +72,8 @@ module Verikloak
       end
 
       # Build WWW-Authenticate headers when returning 401 responses.
+      # Delegates sanitization to {Verikloak::ErrorResponse.sanitize_header_value}
+      # to ensure control-character stripping is consistent with the core gem.
       # @param status [Integer]
       # @param code [String, nil]
       # @param message [String]
@@ -74,23 +81,12 @@ module Verikloak
       def auth_headers(status, code, message)
         return {} unless status == 401
 
+        sanitize = ->(v) { Verikloak::ErrorResponse.sanitize_header_value(v) }
         header = +'Bearer'
-        header << %( error="#{sanitize_quoted(code)}") if code
-        header << %( error_description="#{sanitize_quoted(message)}") if message
+        header << %( error="#{sanitize.call(code)}") if code
+        header << %( error_description="#{sanitize.call(message)}") if message
         { 'WWW-Authenticate' => header }
       end
-
-      # Sanitize a value for inclusion inside a quoted HTTP header parameter.
-      # Escapes quotes and backslashes, and strips CR/LF to prevent header injection.
-      # Why block replacement? String replacements like '\\1' are parsed as
-      # backreferences/escapes in Ruby, making precise escaping error‑prone.
-      # The block receives the literal match and we return it prefixed with a
-      # backslash, guaranteeing predictable escaping for both " and \\.
-      # @param val [String]
-      # @return [String]
-      def sanitize_quoted(val)
-        val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
-      end
     end
   end
 end

data/lib/verikloak/rails/railtie.rb

@@ -20,7 +20,7 @@ module Verikloak
         middleware_insert_after auto_insert_bff_header_guard
         bff_header_guard_insert_before bff_header_guard_insert_after
         token_verify_options decoder_cache_limit token_env_key user_env_key
-        bff_header_guard_options
+        bff_header_guard_options allow_http
       ].freeze
 
       config.verikloak = ActiveSupport::OrderedOptions.new
@@ -100,10 +100,24 @@ module Verikloak
             CONFIG_KEYS.each do |key|
               c.send("#{key}=", rails_cfg[key]) if rails_cfg.key?(key)
             end
-            c.rescue_pundit = false if !rails_cfg.key?(:rescue_pundit) && defined?(::Verikloak::Pundit)
+            auto_disable_rescue_pundit(c, rails_cfg)
           end
         end
 
+        # When verikloak-pundit is loaded and the user has not explicitly set
+        # rescue_pundit, disable the built-in Pundit rescue to avoid
+        # double-handling errors.
+        #
+        # @param config [Verikloak::Rails::Configuration]
+        # @param rails_cfg [ActiveSupport::OrderedOptions]
+        # @return [void]
+        def auto_disable_rescue_pundit(config, rails_cfg)
+          return if rails_cfg.key?(:rescue_pundit)
+          return unless defined?(::Verikloak::Pundit)
+
+          config.rescue_pundit = false
+        end
+
         # Insert the base Verikloak::Middleware into the application middleware stack.
         # Respects the configured insertion point (before or after specified middleware).
         #

data/lib/verikloak/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Verikloak
   module Rails
-    VERSION = '0.3.2'
+    VERSION = '0.4.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-rails
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - taiyaky
@@ -55,7 +55,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 1.0.0
@@ -65,7 +65,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.3.0
+        version: 0.4.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 1.0.0
@@ -96,7 +96,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-rails
   changelog_uri: https://github.com/taiyaky/verikloak-rails/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-rails/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.3.2
+  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.4.0
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: