You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Fixed
Passwordless login_verify OTP input now respects config.passwordless.code_length. The built-in ERB verification-code field
hardcoded maxlength: 6, so apps configuring a longer code (e.g. code_length = 8) rendered a field that truncated input to 6 characters —
users could not enter the full code. The input now derives maxlength from StandardId::Passwordless.otp_code_length (the same clamped 4..10 value the
OTP generator uses), exposed to views via a new StandardId::ApplicationHelper#otp_code_length helper, so the form and the
generated code stay in sync end-to-end.
WebEngine rate-limit responses no longer 500 on hosts without a root
route. When a web auth action (login, login_verify, email/phone verification
start) hit its rate limit, the handler redirected to request.referer || main_app.root_path. That raised — and returned a 500
error page instead of the intended graceful response — for any host app that
doesn't define a root route (e.g. an API/control-plane that only mounts the
engine), and also for cross-origin Referer headers (Rails' open-redirect
guard). The handler now redirects back to the rate-limited form's own path
(request.path), which is always a valid same-origin GET. The ApiEngine
responses (JSON 429) are unchanged.
OAuth/OIDC metadata no longer advertises a jwks_uri under symmetric
signing. With the default HS256 (and HS384/HS512) there are no public keys
to publish, so the JWKS endpoint deliberately returns 404 — but the
authorization-server and openid-configuration documents advertised jwks_uri
unconditionally, pointing clients at a dead URL. jwks_uri is now emitted only
when signing is asymmetric (RS*/ES*). RFC 8414 makes it optional; HS-signed
tokens are verified with the shared secret, not JWKS.
Sign-out / unauthenticated requests no longer leave a non-HttpOnly session_token cookie.clear_session! assigned cookies.encrypted[:session_token] = nil, which wrote a fresh encrypted blob
through the cookie jar's default options (no HttpOnly) on every
unauthenticated request. It now uses cookies.delete(:session_token) to remove
the cookie cleanly. The token-bearing sign-in write was already httponly: true
and is unchanged, so this is a hygiene/consistency fix, not a token exposure.