QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-07 14:31:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
14993d871c8578d817b113091e729512ce0e940a
sure/app/controllers/application_controller.rb
Josh Waldrep 14993d871c feat: comprehensive SSO/OIDC upgrade with enterprise features 
Multi-provider SSO support:
   - Database-backed SSO provider management with admin UI
   - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0
   - Flipper feature flag (db_sso_providers) for dynamic provider loading
   - ProviderLoader service for YAML or database configuration

   Admin functionality:
   - Admin::SsoProvidersController for CRUD operations
   - Admin::UsersController for super_admin role management
   - Pundit policies for authorization
   - Test connection endpoint for validating provider config

   User provisioning improvements:
   - JIT (just-in-time) account creation with configurable default role
   - Changed default JIT role from admin to member (security)
   - User attribute sync on each SSO login
   - Group/role mapping from IdP claims

   SSO identity management:
   - Settings::SsoIdentitiesController for users to manage connected accounts
   - Issuer validation for OIDC identities
   - Unlink protection when no password set

   Audit logging:
   - SsoAuditLog model tracking login, logout, link, unlink, JIT creation
   - Captures IP address, user agent, and metadata

   Advanced OIDC features:
   - Custom scopes per provider
   - Configurable prompt parameter (login, consent, select_account, none)
   - RP-initiated logout (federated logout to IdP)
   - id_token storage for logout

   SAML 2.0 support:
   - omniauth-saml gem integration
   - IdP metadata URL or manual configuration
   - Certificate and fingerprint validation
   - NameID format configuration
2026-01-03 17:56:42 -05:00

63 lines
1.6 KiB
Ruby
Raw Blame History

class ApplicationController < ActionController::Base
include RestoreLayoutPreferences, Onboardable, Localize, AutoSync, Authentication, Invitable,
SelfHostable, StoreLocation, Impersonatable, Breadcrumbable,
FeatureGuardable, Notifiable
include Pundit::Authorization
include Pagy::Backend
# Pundit uses current_user by default, but this app uses Current.user
def pundit_user
Current.user
end
before_action :detect_os
before_action :set_default_chat
before_action :set_active_storage_url_options
helper_method :demo_config, :demo_host_match?, :show_demo_warning?
private
def detect_os
user_agent = request.user_agent
@os = case user_agent
when /Windows/i then "windows"
when /Macintosh/i then "mac"
when /Linux/i then "linux"
when /Android/i then "android"
when /iPhone|iPad/i then "ios"
else ""
end
end
# By default, we show the user the last chat they interacted with
def set_default_chat
@last_viewed_chat = Current.user&.last_viewed_chat
@chat = @last_viewed_chat
end
def set_active_storage_url_options
ActiveStorage::Current.url_options = {
protocol: request.protocol,
host: request.host,
port: request.optional_port
}
end
def demo_config
Rails.application.config_for(:demo)
rescue RuntimeError, Errno::ENOENT, Psych::SyntaxError
nil
end
def demo_host_match?(demo = demo_config)
return false unless demo.is_a?(Hash) && demo["hosts"].present?
demo["hosts"].include?(request.host)
end
def show_demo_warning?
demo_host_match?
end
end
Reference in New Issue View Git Blame Copy Permalink