From a988aed4b3505b49603a1998889fc864991543f3 Mon Sep 17 00:00:00 2001
From: End
Date: Sun, 29 Mar 2026 16:28:45 -0700
Subject: [PATCH] Fix CodeQL security alerts: add CI permissions and document OAuth CSRF bypass
---
 .github/workflows/ci.yml | 3 +++
 app/controllers/sessions_controller.rb | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 08067bf..af32531 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [ main ]
+permissions:
+  contents: read
+
 jobs:
   scan_ruby:
     runs-on: ubuntu-latest
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b3c8b50..3330029 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 class SessionsController < ApplicationController
-  skip_forgery_protection only: :callback
+  # OAuth callback originates from external IdP, not our forms.
+  # CSRF protection is handled by OmniAuth's state parameter validation.
+  skip_forgery_protection only: :callback # codeql[rb/csrf-protection-disabled]
   def login
     redirect_to "/auth/oidc", allow_other_host: true
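Review bot: The workflow-level `permissions: contents: read` strips every write scope from the default token, so any job in this file that uploads code-scanning results or writes to PRs must now declare its own scopes at job level (SARIF upload needs `security-events: write`); only `scan_ruby` is visible here and the `jobs:` map continues past the hunk. The commit title refers to CodeQL, but no CodeQL job appears in the hunk, so I would confirm whether scanning runs through default setup or a job later in this file before relying on this block alone. A one-line comment above the new block would help the next reader, e.g. `# Least-privilege GITHUB_TOKEN; jobs needing more scopes declare them per job.`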
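Review bot: The new comment states that OmniAuth's state check covers CSRF for `callback`, but nothing in this controller enforces that; it holds only while the OIDC strategy's state validation remains enabled in the OmniAuth initializer, which is outside this hunk, as is the `callback` action itself. I would phrase the comment as a dependency rather than a fact, e.g. `# Relies on the OIDC strategy validating the OAuth state parameter; disabling that check in the OmniAuth initializer would reopen CSRF on this callback.`, and back the suppression with a request spec asserting that a callback with a missing or mismatched state is rejected. Separately, the context line `redirect_to "/auth/oidc"` sends a GET to the request phase, which OmniAuth 2.x rejects by default; if `OmniAuth.config.allowed_request_methods` has been relaxed to permit it, the request phase is exposed to login CSRF that the callback's state check does not cover, which is worth verifying since it rests on the same reasoning.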