From 87a5ac0cce0fefbb3ac7e8ab2d5ded3ffc47c7c7 Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Tue, 2 Dec 2025 04:23:29 -0500
Subject: [PATCH] because of course we're not running in controller context

---
 app/controllers/step_up_controller.rb | 4 ++--
 config/initializers/doorkeeper_openid_connect.rb | 11 +++++------
 ...092143_add_last_step_up_at_to_identity_sessions.rb | 5 +++++
 db/schema.rb | 3 ++-
 4 files changed, 14 insertions(+), 9 deletions(-)
 create mode 100644 db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb

diff --git a/app/controllers/step_up_controller.rb b/app/controllers/step_up_controller.rb
index 25e9365..b29388f 100644
--- a/app/controllers/step_up_controller.rb
+++ b/app/controllers/step_up_controller.rb
@@ -62,8 +62,8 @@ class StepUpController < ApplicationController
 return
 end
- # Mark step-up as completed in session
- session[:step_up_completed_at] = Time.current.to_i
+ # Mark step-up as completed on the identity session
+ current_session.update!(last_step_up_at: Time.current)
 # Execute the verified action
 case action_type
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index d5b80fa..2bd17b0 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
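Review bot: `current_session.update!(last_step_up_at: Time.current)` assumes `current_session` is non-nil; it is not defined in this hunk, and the enclosing action starts and ends outside it, so whether a before_action guarantees an identity session here is not visible. If the step-up action can be reached by a user whose identity session is missing or expired, this line raises NoMethodError instead of taking the controller's normal denial path; a guard such as `return head(:unauthorized) unless current_session` (or whatever denial path the controller already uses) before the write keeps that case explicit. It is also worth noting on the line that this column is now the only link to the OIDC side, e.g. `# Read by config/initializers/doorkeeper_openid_connect.rb to satisfy max_age / prompt=login`, since nothing else ties the two together.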
@@ -22,16 +22,15 @@ Doorkeeper::OpenidConnect.configure do
 end
 auth_time_from_resource_owner do |resource_owner|
- # Return the more recent of: last login OR last step-up completion
- # This allows step-up to satisfy max_age/prompt=login requirements
- session_time = resource_owner.sessions.order(created_at: :desc).first&.created_at
- step_up_time = self.session[:step_up_completed_at] ? Time.at(self.session[:step_up_completed_at]) : nil
+ session = resource_owner.sessions.not_expired.order(created_at: :desc).first
+ return nil unless session
- [session_time, step_up_time].compact.max
+ [session.created_at, session.last_step_up_at].compact.max
 end
 reauthenticate_resource_owner do |resource_owner, return_to|
- return if self.session[:step_up_completed_at] && self.session[:step_up_completed_at] > 60.seconds.ago.to_i
+ session = resource_owner.sessions.not_expired.order(created_at: :desc).first
+ return if session&.last_step_up_at&.after?(60.seconds.ago)
 redirect_to new_step_up_path(action_type: "oidc_reauth", return_to: return_to)
 end
diff --git a/db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb b/db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb
new file mode 100644
index 0000000..0e3df7d
--- /dev/null
+++ b/db/migrate/20251202092143_add_last_step_up_at_to_identity_sessions.rb
@@ -0,0 +1,5 @@
+class AddLastStepUpAtToIdentitySessions < ActiveRecord::Migration[8.0]
+ def change
+ add_column :identity_sessions, :last_step_up_at, :datetime
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 3f10e21..fc2ab14 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[8.0].define(version: 2025_11_26_212239) do
+ActiveRecord::Schema[8.0].define(version: 2025_12_02_092143) do
 # These are extensions that must be enabled in order to support this database
 enable_extension "pg_catalog.plpgsql"
 enable_extension "pgcrypto"
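Review bot: Both new lookups, `session = resource_owner.sessions.not_expired.order(created_at: :desc).first` in auth_time_from_resource_owner and again in reauthenticate_resource_owner, select the identity's most recently created session rather than the session behind this OIDC request, so a step-up completed in another browser or device of the same identity satisfies prompt=login / max_age here, while a step-up completed in this browser is ignored as soon as a newer session exists elsewhere. If the requesting session is reachable from these blocks (the commit title suggests the controller session is not, but a session id carried on the resource owner or request may be), scoping the lookup to it would restore the per-browser meaning of reauthentication; otherwise the "most recent non-expired session of the identity" semantics should at least be stated in a comment on both blocks, since the old explanatory comment was removed. Separately, `return nil unless session` and `return if session&.last_step_up_at&.after?(60.seconds.ago)` use `return` inside a `do ... end` block; if Doorkeeper keeps these as plain Procs and invokes them after the initializer has finished loading, that `return` raises LocalJumpError, and `next nil unless session` / `next if ...` is the safe way to leave the block early. Extracting the shared lookup into one lambda defined once in this file would also keep the two blocks from drifting apart.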
@@ -377,6 +377,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_11_26_212239) do
 t.bigint "identity_id", null: false
 t.datetime "created_at", null: false
 t.datetime "updated_at", null: false
+ t.datetime "last_step_up_at"
 t.index ["identity_id"], name: "index_identity_sessions_on_identity_id"
 end