docuseal

History

Omar 9e41d3a577 Bridge Clerk apex SSO into Devise via clerk-sdk-ruby Reads the __session cookie set by accounts.bloombilt.com on the .bloombilt.com apex, verifies it via the official Clerk Ruby SDK, then finds or auto-provisions the matching Devise User on Account.first so the rest of the app (CanCanCan + Devise) sees the request as authenticated. Sign-out and unauthed redirects both target accounts.bloombilt.com/sign-in so 1Password sees a single saved entry across all Bloombilt apps. This is independent of the dead Clerk OIDC code already on master — that path requires Clerk Pro to register an OAuth Application on the production instance and is left dormant (gated by Docuseal.clerk_oidc_enabled?) in case we upgrade later. The session-cookie bridge works on Clerk free. Devise password login at /users/sign_in stays reachable as emergency access but isn't linked from the UI. Files: - Gemfile: add clerk-sdk-ruby (requires bundle install) - config/initializers/clerk.rb: SDK config (uses ENV['CLERK_SECRET_KEY']) - app/controllers/concerns/clerk_devise_bridge.rb: the bridge itself - app/controllers/application_controller.rb: include the concern, override authenticate_user! to redirect to Account Portal - app/controllers/sessions_controller.rb: override respond_to_on_destroy to send sign-out to Account Portal Gemfile.lock NOT updated in this commit — needs `bundle install` on a host with Ruby 4.0.1 before deploy will succeed.	4 weeks ago
..
clerk_devise_bridge.rb	Bridge Clerk apex SSO into Devise via clerk-sdk-ruby	4 weeks ago

Omar 9e41d3a577 Bridge Clerk apex SSO into Devise via clerk-sdk-ruby

Reads the __session cookie set by accounts.bloombilt.com on the .bloombilt.com
apex, verifies it via the official Clerk Ruby SDK, then finds or
auto-provisions the matching Devise User on Account.first so the rest of the
app (CanCanCan + Devise) sees the request as authenticated. Sign-out and
unauthed redirects both target accounts.bloombilt.com/sign-in so 1Password
sees a single saved entry across all Bloombilt apps.

This is independent of the dead Clerk OIDC code already on master — that
path requires Clerk Pro to register an OAuth Application on the production
instance and is left dormant (gated by Docuseal.clerk_oidc_enabled?) in case
we upgrade later. The session-cookie bridge works on Clerk free.

Devise password login at /users/sign_in stays reachable as emergency access
but isn't linked from the UI.

Files:
- Gemfile: add clerk-sdk-ruby (requires bundle install)
- config/initializers/clerk.rb: SDK config (uses ENV['CLERK_SECRET_KEY'])
- app/controllers/concerns/clerk_devise_bridge.rb: the bridge itself
- app/controllers/application_controller.rb: include the concern, override
  authenticate_user! to redirect to Account Portal
- app/controllers/sessions_controller.rb: override respond_to_on_destroy to
  send sign-out to Account Portal

Gemfile.lock NOT updated in this commit — needs `bundle install` on a host
with Ruby 4.0.1 before deploy will succeed.

clerk_devise_bridge.rb

Bridge Clerk apex SSO into Devise via clerk-sdk-ruby