Merge remote-tracking branch 'upstream/main' into sso-upgrades

# Conflicts: # app/views/simplefin_items/_simplefin_item.html.erb # db/schema.rb
2026-06-05 10:49:01 +00:00 · 2026-01-10 11:57:23 -05:00
parent e607667b26 78aa064bb0
commit 238fa8e0ca
301 changed files with 20707 additions and 967 deletions
--- a/test/controllers/oidc_accounts_controller_test.rb
+++ b/test/controllers/oidc_accounts_controller_test.rb
@@ -191,4 +191,30 @@ class OidcAccountsControllerTest < ActionController::TestCase
    assert_redirected_to new_session_path
    assert_equal "No pending OIDC authentication found", flash[:alert]
  end
+
+  # Security: JIT users should NOT have password_digest set
+  test "JIT user is created without password_digest to prevent chained auth attacks" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    post :create_user
+
+    new_user = User.find_by(email: new_user_auth["email"])
+    assert_not_nil new_user, "User should be created"
+    assert_nil new_user.password_digest, "JIT user should have nil password_digest"
+    assert new_user.sso_only?, "JIT user should be SSO-only"
+  end
+
+  test "JIT user cannot authenticate with local password" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    post :create_user
+
+    new_user = User.find_by(email: new_user_auth["email"])
+
+    # Attempting to authenticate should return nil (no password set)
+    assert_nil User.authenticate_by(
+      email: new_user.email,
+      password: "anypassword"
+    ), "SSO-only user should not authenticate with password"
+  end
 end