Skip to content

v0.26.1

Choose a tag to compare

@github-actions github-actions released this 15 Jun 02:00
d237b56

Fixed

  • Passwordless login_verify OTP input now respects
    config.passwordless.code_length.
    The built-in ERB verification-code field
    hardcoded maxlength: 6, so apps configuring a longer code (e.g.
    code_length = 8) rendered a field that truncated input to 6 characters —
    users could not enter the full code. The input now derives maxlength from
    StandardId::Passwordless.otp_code_length (the same clamped 4..10 value the
    OTP generator uses), exposed to views via a new
    StandardId::ApplicationHelper#otp_code_length helper, so the form and the
    generated code stay in sync end-to-end.
  • WebEngine rate-limit responses no longer 500 on hosts without a root
    route.
    When a web auth action (login, login_verify, email/phone verification
    start) hit its rate limit, the handler redirected to
    request.referer || main_app.root_path. That raised — and returned a 500
    error page instead of the intended graceful response — for any host app that
    doesn't define a root route (e.g. an API/control-plane that only mounts the
    engine), and also for cross-origin Referer headers (Rails' open-redirect
    guard). The handler now redirects back to the rate-limited form's own path
    (request.path), which is always a valid same-origin GET. The ApiEngine
    responses (JSON 429) are unchanged.
  • OAuth/OIDC metadata no longer advertises a jwks_uri under symmetric
    signing.
    With the default HS256 (and HS384/HS512) there are no public keys
    to publish, so the JWKS endpoint deliberately returns 404 — but the
    authorization-server and openid-configuration documents advertised jwks_uri
    unconditionally, pointing clients at a dead URL. jwks_uri is now emitted only
    when signing is asymmetric (RS*/ES*). RFC 8414 makes it optional; HS-signed
    tokens are verified with the shared secret, not JWKS.
  • Sign-out / unauthenticated requests no longer leave a non-HttpOnly
    session_token cookie.
    clear_session! assigned
    cookies.encrypted[:session_token] = nil, which wrote a fresh encrypted blob
    through the cookie jar's default options (no HttpOnly) on every
    unauthenticated request. It now uses cookies.delete(:session_token) to remove
    the cookie cleanly. The token-bearing sign-in write was already httponly: true
    and is unchanged, so this is a hygiene/consistency fix, not a token exposure.