because of course we're not running in controller context

2026-04-19 22:05:07 +00:00 · 2025-12-02 04:23:29 -05:00 · 2025-12-02 04:23:29 -05:00 · 87a5ac0cce
commit 87a5ac0cce
parent fdd029d5ec
4 changed files with 14 additions and 9 deletions
--- a/app/controllers/step_up_controller.rb
+++ b/app/controllers/step_up_controller.rb
@ -62,8 +62,8 @@ class StepUpController < ApplicationController
      return
    end

-    # Mark step-up as completed in session
-    session[:step_up_completed_at] = Time.current.to_i
+    # Mark step-up as completed on the identity session
+    current_session.update!(last_step_up_at: Time.current)

    # Execute the verified action
    case action_type
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@ -22,16 +22,15 @@ Doorkeeper::OpenidConnect.configure do
  end

  auth_time_from_resource_owner do |resource_owner|
-    # Return the more recent of: last login OR last step-up completion
-    # This allows step-up to satisfy max_age/prompt=login requirements
-    session_time = resource_owner.sessions.order(created_at: :desc).first&.created_at
-    step_up_time = self.session[:step_up_completed_at] ? Time.at(self.session[:step_up_completed_at]) : nil
+    session = resource_owner.sessions.not_expired.order(created_at: :desc).first
+    return nil unless session

-    [session_time, step_up_time].compact.max
+    [session.created_at, session.last_step_up_at].compact.max
  end

  reauthenticate_resource_owner do |resource_owner, return_to|
-    return if self.session[:step_up_completed_at] && self.session[:step_up_completed_at] > 60.seconds.ago.to_i
+    session = resource_owner.sessions.not_expired.order(created_at: :desc).first
+    return if session&.last_step_up_at&.after?(60.seconds.ago)

    redirect_to new_step_up_path(action_type: "oidc_reauth", return_to: return_to)
  end
--- a/db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb
+++ b/db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb
@ -0,0 +1,5 @@
+class AddLastStepUpAtToIdentitySessions < ActiveRecord::Migration[8.0]
+  def change
+    add_column :identity_sessions, :last_step_up_at, :datetime
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[8.0].define(version: 2025_11_26_212239) do
+ActiveRecord::Schema[8.0].define(version: 2025_12_02_092143) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "pg_catalog.plpgsql"
  enable_extension "pgcrypto"
@ -377,6 +377,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_11_26_212239) do
    t.bigint "identity_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
+    t.datetime "last_step_up_at"
    t.index ["identity_id"], name: "index_identity_sessions_on_identity_id"
  end