
Releases: activeadmin-plugins/activeadmin-oidc

v2.1.1

02 Jun 15:32
cfdc802


What's Changed

  • Tighten dependency version constraints to silence gem build warnings by @Fivell in #13

Full Changelog: v2.1.0...v2.1.1

v2.1.0

02 Jun 15:11
3594b11


What's Changed

Improvements

  • on_login fires only once on a race. When two first sign-ins for the same (provider, uid) happen concurrently, the loser hits RecordNotUnique and the provisioner retries. The
    retry path used to re-run on_login on the now-persisted winner row — so any non-idempotent host side effects (audit log row, webhook, welcome email, billing call) double-fired. The
    retry now short-circuits after finding the winner, so the hook runs exactly once.
  • Disabled users are no longer persisted before being rejected. If a host's on_login flips enabled = false (or any other Devise inactivity flag) and returns truthy, the provisioner
    now enforces active_for_authentication? BEFORE save!. Previously the row was written and only the controller rejected the sign-in — repeated hostile attempts grew the table.
  • Account adoption via unverified email refused. A pre-seeded admin row with provider: nil, uid: nil (e.g. DBA-created ceo@example.com from before SSO) could be claimed by anyone
    the IdP said owned that email — including IdPs that don't verify email ownership (guest tenants, lax Keycloak realms). The provisioner now refuses adoption when the IdP explicitly
    marks the email as email_verified: false. IdPs that don't emit the claim keep the previous behaviour.

New

  • ActiveAdmin::Oidc::InactiveError — raised by the provisioner when active_for_authentication? returns false. Carries the model's inactive_message symbol so the controller can
    translate it via I18n.t("devise.failure.") instead of showing the generic denial flash. Falls back to :inactive if the host returns nil/blank, and to the standard
    devise.failure.inactive translation if a custom symbol has no translation (so internal state like :locked_by_admin never leaks to the public flash).
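The following is an added illustration of the four provisioning rules above, not code from activeadmin-oidc itself: a toy provisioner run against an in-memory store so the race, the pre-save inactivity check, the unverified-email adoption refusal and the InactiveError fallback can each be exercised offline. RecordNotUnique, User, UserStore, RacingStore, Provisioner, failure_flash and the auth-hash layout are assumptions made for this example; the gem's real classes and method names may differ.

```ruby
# Added example, not the gem's own code: a minimal provisioner reproducing the
# v2.1.0 rules against an in-memory store. RecordNotUnique, User, UserStore,
# RacingStore, Provisioner and the auth-hash layout are assumptions for this example.

class RecordNotUnique < StandardError; end  # stand-in for ActiveRecord::RecordNotUnique

# Carries the model's inactive_message; nil/blank falls back to :inactive.
class InactiveError < StandardError
  attr_reader :inactive_message
  def initialize(symbol)
    @inactive_message = symbol.to_s.strip.empty? ? :inactive : symbol.to_sym
    super("account inactive: #{@inactive_message}")
  end
end

User = Struct.new(:provider, :uid, :email, :enabled, :persisted, keyword_init: true) do
  def active_for_authentication?; enabled != false; end
  def inactive_message; :locked_by_admin; end  # host-internal state, must not reach the flash
end

# In-memory table with a unique index on (provider, uid), like the real schema.
class UserStore
  attr_reader :rows
  def initialize; @rows = []; end
  def find_by_identity(provider, uid); @rows.find { |u| u.provider == provider && u.uid == uid }; end
  def find_by_email(email); @rows.find { |u| u.email == email }; end

  def save!(user)
    clash = @rows.find { |u| !u.equal?(user) && u.provider == user.provider && u.uid == user.uid }
    raise RecordNotUnique, "(provider, uid) already exists" if clash
    @rows << user unless @rows.any? { |u| u.equal?(user) }
    user.persisted = true
    user
  end
end

# Deterministic stand-in for two concurrent first sign-ins: the caller's save! of a
# fresh identity loses to a simulated concurrent request that inserts the winner row.
class RacingStore < UserStore
  def save!(user)
    if !@raced && find_by_identity(user.provider, user.uid).nil?
      @raced = true
      super(User.new(provider: user.provider, uid: user.uid, email: user.email, enabled: true))
    end
    super(user)  # now raises RecordNotUnique for the loser
  end
end

class Provisioner
  # on_login: host callback (user, auth) -> truthy to allow, falsy to deny.
  # rerun_hook_on_retry: true reproduces the pre-2.1.0 double-fire on the retry path.
  def initialize(store, on_login:, rerun_hook_on_retry: false)
    @store, @on_login, @rerun = store, on_login, rerun_hook_on_retry
  end

  def provision(auth)
    provider, uid, email = auth.values_at(:provider, :uid, :email)
    user = @store.find_by_identity(provider, uid) || adopt(auth) ||
           User.new(provider: provider, uid: uid, email: email, enabled: true)
    return nil unless @on_login.call(user, auth)  # host veto: nothing persisted
    # Inactivity check BEFORE save!, so repeated hostile attempts cannot grow the table.
    raise InactiveError.new(user.inactive_message) unless user.active_for_authentication?
    begin
      @store.save!(user)
    rescue RecordNotUnique
      winner = @store.find_by_identity(provider, uid) or raise
      @on_login.call(winner, auth) if @rerun  # pre-2.1.0: host side effects fired twice
      return winner                           # 2.1.0: short-circuit, hook already ran once
    end
    user
  end

  private

  # Adopt a pre-seeded row (provider/uid nil) by email, unless the IdP explicitly
  # reports email_verified: false. A missing claim keeps the old adopt-by-email behaviour.
  def adopt(auth)
    return nil if auth.key?(:email_verified) && auth[:email_verified] == false
    row = @store.find_by_email(auth[:email])
    return nil unless row && row.provider.nil? && row.uid.nil?
    row.provider, row.uid = auth[:provider], auth[:uid]
    row
  end
end

# Controller side: a custom inactive_message reaches the flash only if the host translated it.
def failure_flash(error, translations)
  translations.fetch("devise.failure.#{error.inactive_message}") { translations.fetch("devise.failure.inactive") }
end

def run_race(rerun:)
  calls = 0
  store = RacingStore.new
  prov = Provisioner.new(store, on_login: ->(_u, _a) { calls += 1; true }, rerun_hook_on_retry: rerun)
  user = prov.provision({ provider: "oidc", uid: "u-1", email: "a@example.com" })
  [calls, user.persisted, store.rows.size]   # 2.1.0: [1, true, 1]; legacy: [2, true, 1]
end

def run_disabled
  store = UserStore.new
  prov = Provisioner.new(store, on_login: ->(u, _a) { u.enabled = false; true })
  prov.provision({ provider: "oidc", uid: "u-2", email: "b@example.com" })
rescue InactiveError => e
  [e.inactive_message, store.rows.size]      # [:locked_by_admin, 0]: row never written
end

def run_adoption(email_verified)
  store = UserStore.new
  seeded = store.save!(User.new(provider: nil, uid: nil, email: "ceo@example.com", enabled: true))
  prov = Provisioner.new(store, on_login: ->(_u, _a) { true })
  auth = { provider: "oidc", uid: "u-3", email: "ceo@example.com" }
  auth[:email_verified] = email_verified unless email_verified.nil?
  user = prov.provision(auth)
  [user.equal?(seeded), store.rows.size]     # false => [false, 2]; true or absent => [true, 1]
end
```

run_race(rerun: true) shows the old double-fire (hook count 2 for one sign-in) against the short-circuited retry (count 1); run_disabled shows the store still empty after the rejection; run_adoption(false) leaves the seeded row unclaimed and creates a separate identity row, while run_adoption(true) and run_adoption(nil) adopt it. The RacingStore replaces real threads with a deterministic loser-first ordering so the outcome is reproducible; in production the same path is reached through the database's unique index.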

Bug fixes

  • SSO login form action no longer hardcoded. The login view sourced its form action from a literal /admin/auth/oidc, breaking hosts that customised Devise.omniauth_path_prefix
    (different mount point, different SSO sub-prefix). Both the live view (AA v3 form_tag and AA v4 button_to branches) and the install generator templates now derive the path from
    OmniAuth.config.path_prefix, which is the Rack-level value where OmniAuth actually listens.
  • OmniAuth failure handler now resolves the right session path under engine-mounted Devise. When the host pins helpers via the global Devise.router_name = :engine (no per-mapping
    option), Devise.mappings[scope].router_name is nil. The handler now falls back to Devise.available_router_name so it finds the engine's route proxy instead of raising NoMethodError
    on the controller itself.
  • AA v3 login button restored so it picks up the standard ActiveAdmin theme styling without extra CSS.

Full Changelog: v2.0.0...v2.1.0