mirror of https://github.com/docusealco/docuseal
master
2 Commits (2e18084a04edef0ce092b5da1c214a22695a090e)
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 2e18084a04 | Fix Clerk SSO auto-admin: fail closed + explicit admin allowlist (BLO-287) | 2 weeks ago |
| | 9e41d3a577 | Bridge Clerk apex SSO into Devise via clerk-sdk-ruby | 4 weeks ago |

Full message for 2e18084a04:

clerk_email_allowed? failed OPEN on an empty CLERK_ALLOWED_EMAIL_DOMAINS (empty env = anyone could sign in), and both SSO entrypoints (from_clerk_oidc and the apex-cookie ClerkDeviseBridge) auto-provisioned every first-time user as ADMIN_ROLE.

- Fail closed: an unset/empty allowlist now matches no one.
- New CLERK_ADMIN_EMAIL_DOMAINS allowlist gates admin provisioning; SSO never silently mints an admin.
- Single chokepoint User.provision_clerk_admin used by both SSO paths.
- Add RSpec coverage (none existed).

Full message for 9e41d3a577:

Reads the __session cookie set by accounts.bloombilt.com on the .bloombilt.com apex, verifies it via the official Clerk Ruby SDK, then finds or auto-provisions the matching Devise User on Account.first so the rest of the app (CanCanCan + Devise) sees the request as authenticated. Sign-out and unauthed redirects both target accounts.bloombilt.com/sign-in so 1Password sees a single saved entry across all Bloombilt apps.

This is independent of the dead Clerk OIDC code already on master — that path requires Clerk Pro to register an OAuth Application on the production instance and is left dormant (gated by Docuseal.clerk_oidc_enabled?) in case we upgrade later. The session-cookie bridge works on Clerk free. Devise password login at /users/sign_in stays reachable as emergency access but isn't linked from the UI.

Files:
- Gemfile: add clerk-sdk-ruby (requires bundle install)
- config/initializers/clerk.rb: SDK config (uses ENV['CLERK_SECRET_KEY'])
- app/controllers/concerns/clerk_devise_bridge.rb: the bridge itself
- app/controllers/application_controller.rb: include the concern, override authenticate_user! to redirect to Account Portal
- app/controllers/sessions_controller.rb: override respond_to_on_destroy to send sign-out to Account Portal

Gemfile.lock NOT updated in this commit — needs `bundle install` on a host with Ruby 4.0.1 before deploy will succeed.