Reads the __session cookie set by accounts.bloombilt.com on the .bloombilt.com
apex, verifies it via the official Clerk Ruby SDK, then finds or
auto-provisions the matching Devise User on Account.first so the rest of the
app (CanCanCan + Devise) sees the request as authenticated. Sign-out and
unauthed redirects both target accounts.bloombilt.com/sign-in so 1Password
sees a single saved entry across all Bloombilt apps.

This is independent of the dead Clerk OIDC code already on master — that
path requires Clerk Pro to register an OAuth Application on the production
instance and is left dormant (gated by Docuseal.clerk_oidc_enabled?) in case
we upgrade later. The session-cookie bridge works on Clerk free.

Devise password login at /users/sign_in stays reachable as emergency access
but isn't linked from the UI.

Files:
- Gemfile: add clerk-sdk-ruby (requires bundle install)
- config/initializers/clerk.rb: SDK config (uses ENV['CLERK_SECRET_KEY'])
- app/controllers/concerns/clerk_devise_bridge.rb: the bridge itself
- app/controllers/application_controller.rb: include the concern, override
  authenticate_user! to redirect to Account Portal
- app/controllers/sessions_controller.rb: override respond_to_on_destroy to
  send sign-out to Account Portal

Gemfile.lock NOT updated in this commit — needs `bundle install` on a host
with Ruby 4.0.1 before deploy will succeed.