mirror of https://github.com/docusealco/docuseal
4 Commits (b8be4c09e20883cd2483f6aab330f5741ce25246)
| Author | SHA1 | Message | Date |
|---|---|---|---|
|
|
8dbf5b6cab |
Fix CI lint + flaky dashboard test on first fork-Actions run
Previously CI had never run on the wabolabs/wabosign fork (Actions
gated until owner consent). Now that the gate is lifted, run rubocop /
erblint / brakeman / rspec against current master uncovered backlog:
- rubocop: 97 auto-corrected across the WaboSign-fork files (account
logo, SMS, SSO, ability specs, role auth specs, omniauth callbacks).
Remaining 8 fixed by hand:
* lib/wabosign.rb chained map collapsed to filter_map; `hd` param
renamed to `hosted_domain` (Naming/MethodParameterName)
* app/models/user.rb default_sso_account split for line length +
SafeNavigation
* spec/rails_helper.rb abort calls marked `# rubocop:disable
Rails/Exit` (upstream pattern, intentional)
* spec/requests/users/omniauth_callbacks_spec.rb let! used for
side-effect-only setup -> moved into before blocks
- erblint: 21 auto-corrected (mostly Style/StringLiterals from a
sed substitution that picked double quotes) + a missing
autocomplete attribute added to the SMS test-message input.
- brakeman: clean. Removed one obsolete ignore entry (was for the
deleted enquiries controller) and added one new ignore for the
MCP-settings token preview (HighlightCode returns escaped HTML).
- rspec: dashboard "shows the list of templates" was flaky because
other_template's Faker::Book.title could randomly collide with one
of the 5 in-account templates. Pin the name to a unique suffix.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
1 month ago |
|
|
dacefffd24 |
Allow Google SSO to be configured from /settings/sso (DB fallback)
Until now, Google SSO required setting GOOGLE_CLIENT_ID /
GOOGLE_CLIENT_SECRET / GOOGLE_ALLOWED_DOMAINS in the environment and
restarting the container. This commit adds a UI-driven configuration
path that doesn't need a restart, while keeping ENV as the priority
source for production deployments.
Storage: new EncryptedConfig key `google_sso_configs` (added to
CONFIG_KEYS) with shape:
{ enabled: bool, client_id, client_secret, allowed_domains: [..] }
The secret rides on Rails' `encrypts :value` like every other
EncryptedConfig record.
Strategy registration: the Devise initializer now always registers
:google_oauth2 with a setup proc, so the omniauth routes exist
unconditionally. The setup proc calls Wabosign.google_sso_credentials
per request — that helper checks ENV first (priority) and falls back
to the DB. Empty creds yield :source => :none and the Google button
is hidden by the sign-in partial.
User model: :omniauthable + omniauth_providers: [:google_oauth2] are
now unconditional (matches the always-registered route). The
boot-time fragile gating that broke `bundle exec puma` when env vars
weren't set is gone.
Routes: omniauth_callbacks no longer depends on ENV. /settings/sso
gains a :create action. SsoSettingsController#create persists the
form payload via the existing EncryptedConfig pattern (and never
overwrites a saved secret with a blank).
View: /settings/sso is now a real form (client_id, client_secret,
allowed_domains, enabled toggle) instead of an env-only status panel.
A banner explains ENV precedence when GOOGLE_CLIENT_ID is set. The
redirect URI to register in Google Cloud Console is shown in the
"not configured" state.
User#default_sso_account now prefers the account that owns the
UI-saved config so JIT-provisioned users land in the right tenant
when an admin sets up SSO from the UI in a multi-account deployment.
Specs: the omniauth_callbacks request specs were stubbing the removed
Wabosign::GOOGLE_* constants. Switched them to
`allow(Wabosign).to receive(:google_sso_credentials)`. All 5 pass.
Smoke-tested the rebuilt image in three states:
- No ENV, no DB: container boots, /sign_in 200, no button.
- DB config saved: button appears on the very next /sign_in render.
- ENV set + DB set: ENV wins (allowed_domains and creds come from ENV).
Docs: GOOGLE_SSO.md gains a section describing the UI path and how
the two sources interact.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
1 month ago |
|
|
45ed368a26 |
Fix Google SSO boot order and route plumbing surfaced by specs
Three fixes uncovered while running the new omniauth_callbacks specs in
a Ruby 4.0.1 container:
- config/initializers/devise.rb: read GOOGLE_CLIENT_ID / SECRET /
ALLOWED_DOMAINS directly from ENV instead of via Wabosign::*. The
module isn't autoloadable yet at initializer-load time (Rails.root
isn't set), but ENV is. The User model and controllers still go
through Wabosign helpers, which load fine once Rails is up.
- app/models/user.rb: stop passing `omniauth_providers:` when
:omniauthable isn't in the modules list. Devise raises NoMethodError
omniauth_providers= otherwise. Now both the module inclusion and the
keyword are gated on Wabosign.google_sso_enabled?
- spec/requests/users/omniauth_callbacks_spec.rb: post to
user_google_oauth2_omniauth_callback_path instead of the hardcoded
/users/auth/... URL. With devise_for :users, path: '/' the actual
callback route is /auth/google_oauth2/callback. Also create a
placeholder admin user so ApplicationController#maybe_redirect_to_setup
doesn't intercept the request before the callback action runs.
Schema dump and .gitignore (adds /vendor) bundled in. All 5 specs now
pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
1 month ago |
|
|
ad12ef7fb5 |
Add Google Workspace SSO via omniauth-google-oauth2
Adds "Sign in with Google" as an additive auth path next to email and
password. When GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set, the
Google button appears on the sign-in page and the SSO settings page
shows an env-driven status panel.
Access is restricted to Workspace domains listed in
GOOGLE_ALLOWED_DOMAINS (CSV); the hd claim is re-verified server-side
on every callback so a misconfigured Google consent screen cannot
bypass it.
New users from an allowed domain are JIT-provisioned in the default
account (oldest, or pinned via GOOGLE_DEFAULT_ACCOUNT_ID). Existing
users with a matching email get linked to their Google identity on
first sign-in; identity collisions (same email, different Google uid)
are rejected.
Google's MFA is trusted: users signed in via Google do not see the
WaboSign OTP prompt or the FORCE_MFA setup redirect. Password sign-in
keeps working unchanged, including its existing OTP gate.
Implementation:
- Devise gains :omniauthable when SSO is enabled; users get
provider/uid columns with a partial unique index that allows NULL for
password-only rows.
- Users::OmniauthCallbacksController handles
/users/auth/google_oauth2/callback, sets session[:bypass_otp_for_sso],
and redirects on failure.
- SessionsController#destroy clears the bypass flag on sign-out.
- DashboardController#maybe_redirect_mfa_setup honours the flag and
User#signed_in_via_sso?.
- The previously empty _omniauthable.html.erb stub now renders the
Google button.
Request specs cover happy path, link-existing-user, domain rejection,
identity collision, and 2FA bypass.
GOOGLE_SSO.md is the operator-facing setup, behaviour, verification,
and troubleshooting guide. README links to it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
1 month ago |
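
The callback rules described in the message of commit ad12ef7fb5 (server-side `hd` re-check against a CSV allow-list, link on matching email, reject uid collisions, otherwise JIT-provision) can be expressed as one decision function. This is an added Ruby example, not code from the repository; `SsoUser`, `sso_decision`, the claim keys and the sample data are hypothetical names and constructed values.

```ruby
require 'set'

# Hypothetical stand-in for a users row with the provider/uid columns.
SsoUser = Struct.new(:email, :provider, :uid)

# Returns [action, detail] for one Google callback.
# claims:      hash with :hd, :email, :uid as received after the OAuth exchange
# allowed_csv: comma-separated Workspace domains (same shape as GOOGLE_ALLOWED_DOMAINS)
# users:       existing SsoUser records
def sso_decision(claims, allowed_csv, users)
  allowed = allowed_csv.to_s.split(',').map { |d| d.strip.downcase }
                       .reject(&:empty?).to_set
  hd = claims[:hd].to_s.downcase
  # Fail closed: a missing hd claim (consumer account) or an empty
  # allow-list never matches, so the check cannot be skipped by omission.
  return [:reject, 'hosted domain not allowed'] unless allowed.include?(hd)

  email = claims[:email].to_s.downcase
  uid = claims[:uid].to_s
  return [:reject, 'missing email or uid'] if email.empty? || uid.empty?

  user = users.find { |u| u.email.downcase == email }
  # Unknown email from an allowed domain: just-in-time provisioning.
  return [:provision, SsoUser.new(email, 'google_oauth2', uid)] if user.nil?

  if user.uid.nil?
    # Password-only row: link it to the Google identity on first sign-in.
    user.provider = 'google_oauth2'
    user.uid = uid
    return [:link, user]
  end
  return [:sign_in, user] if user.provider == 'google_oauth2' && user.uid == uid

  # Same email, different Google uid.
  [:reject, 'identity collision']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not taken from the repository.
  users = [SsoUser.new('alice@example.com', nil, nil)]
  [{ hd: 'example.com', email: 'alice@example.com', uid: 'g-1' },
   { hd: nil, email: 'mallory@gmail.com', uid: 'g-2' }].each do |claims|
    p sso_decision(claims, 'example.com, corp.example', users).first
  end
end
```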