Add IndieAuth delegation and domain whitelist support

[Copilot]

Implementation Complete: IndieAuth Delegation and Domain Whitelist

✅ All tasks completed and review feedback addressed

Summary

Successfully implemented support for IndieAuth delegation and domain whitelisting with comprehensive security hardening based on PR review feedback.

Review Feedback Addressed

• SSRF Protection: Block private/loopback/link-local IPs and non-HTTP(S) schemes
• Link Header Parsing: Enhanced to handle multiple rel values and various quoting styles
• HTML Rel Parsing: Now handles space-separated rel token lists
• View Partials: Removed unused local assignments (partials use instance variables)
• Test Structure: Moved tests inside main describe block with proper setup
• Network Stubbing: Stubbed HTTP calls in tests to avoid real network requests
• Config Restoration: Tests now restore original config to prevent state leakage
• URL Validation: Validates URLs even when whitelist is empty
• Normalized URLs: Controller stores normalized URLs instead of raw params

Security Enhancements

• SSRF protection via IP range blocking (loopback, private, link-local)
• Scheme validation (only http/https allowed)
• ReDoS protection with input size limits
• 5-second timeout on external HTTP requests
• DNS resolution with fallback for IP checks

Files Changed

• app/services/authorio/domain_validator.rb - SSRF protection, HTML/Link parsing improvements
• app/controllers/authorio/auth_controller.rb - Store normalized URLs
• app/views/authorio/auth/send_profile.json.jbuilder - Remove unused locals
• app/views/authorio/auth/issue_token.json.jbuilder - Remove unused locals
• spec/requests/auth_spec.rb - Fix test structure
• spec/services/authorio/domain_validator_spec.rb - Add config restoration and network stubbing

Original prompt

Add Domain Whitelist and Delegated Authentication Support

Implement support for IndieAuth delegation and domain whitelisting to allow users to authenticate with their own domains while using this authorio server as the authorization endpoint.

Changes Required

1. Configuration Updates

File: lib/authorio/configuration.rb

• Add allowed_domains attribute (array) to whitelist domains that can use this server
• Add verify_delegation attribute (boolean) to optionally verify link rel tags
• Initialize allowed_domains to empty array (allow all by default)
• Initialize verify_delegation to false (backward compatible)

File: lib/generators/authorio/install/templates/authorio.rb

• Add documentation and example configuration for allowed_domains
• Add documentation for verify_delegation option
• Include examples for single domain, multiple domains, and wildcard subdomain support

2. Domain Validator Service

Create new file: app/services/authorio/domain_validator.rb

Implement a service class with the following functionality:

• initialize(me_url, request_env = nil) - constructor that takes the me URL and optional request environment
• valid? - main validation method that checks both whitelist and delegation
• domain_whitelisted? - checks if the domain is in the allowed_domains list
  • Support exact domain matching (e.g., 'example.com')
  • Support wildcard subdomains (e.g., '*.example.com' matches 'blog.example.com', 'www.example.com')
  • Return true if allowed_domains is empty (no restriction)
• delegation_verified? - fetches the me URL and verifies it has proper link rel tags
  • Check for <link rel="authorization_endpoint"> in HTML
  • Check for Link: HTTP headers
  • Verify the authorization_endpoint URL points to this authorio server
  • Handle redirects (follow up to 5 redirects)
  • Return true if verify_delegation config is false
• Include proper error handling and logging
• Add URL normalization helper (auto-add https:// if no scheme)
• Add HTTP fetching with timeout (5 seconds)
• Parse both HTML link tags and HTTP Link headers

3. Database Migration

Create migration: db/migrate/XXXXXX_add_me_to_authorio_requests.rb

• Add me column (string) to authorio_requests table
• Add index on me column

4. Model Updates

File: app/models/authorio/request.rb

• Add me attribute
• Add validation: validate :me_domain_allowed, if: -> { me.present? }
• Implement me_domain_allowed method that uses DomainValidator to check if domain is whitelisted
• Add error message if domain is not allowed

5. Controller Updates

File: app/controllers/authorio/auth_controller.rb

In authorization_interface method:

• Add validation check for me parameter using DomainValidator
• If validation fails, render oauth_error with message 'The domain is not authorized to use this authentication server'
• Update session to include :me in the slice: session.update auth_interface_params.slice(:state, :client_id, :code_challenge, :redirect_uri, :me)

In create_auth_request method:

• Add me: session[:me] to the Request.create parameters

6. View Updates

File: app/views/authorio/users/_profile.json.jbuilder

• Change the json.me line to: json.me @auth_request.me.presence || profile_url(@auth_request.authorio_user)
• This returns the delegated me URL if present, otherwise falls back to the server's profile URL

File: app/views/authorio/auth/send_profile.json.jbuilder

• Ensure it uses the @request variable (should already be calling the profile partial)

7. Service Directory

Ensure the app/services/authorio/ directory exists (create if needed).

Requirements

• Require 'net/http' and 'uri' in the DomainValidator
• All changes should maintain backward compatibility
• Empty allowed_domains array means no restrictions (allow all domains)
• verify_delegation defaults to false
• Proper error messages in English
• Use Rails logger for error logging
• Handle URI parsing errors gracefully
• HTTP timeouts set to 5 seconds for external requests

Testing Considerations

The changes should support these use cases:

1. No restrictions (default): allowed_domains = [] - works as before
2. Single domain: allowed_domains = ['example.com'] - only example.com can authenticate
3. Multiple domains: allowed_domains = ['example.com', 'mysite.org']
4. Wildcard subdomains: allowed_domains = ['*.example.com'] - matches blog.example.com, www.example.com, etc.
5. With verification: verify_delegation = true - fetches me URL and verifies link rel tags
6. Without verification: verify_delegation = false - only checks whitelist

Example Configuration

Users should be able to configure in config/initializers/authorio.rb:

Authorio.configure do |config|
  config.allowed_domains = ['example.com']
  config.verify_delegation = true
end

HTML Tags on User's Domain

When configure...

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Adds IndieAuth “delegated me” support so clients can authenticate using user-owned domains against this Authorio server, with optional domain whitelisting and delegation verification.

Changes:

• Add allowed_domains + verify_delegation configuration and initializer template docs.
• Introduce Authorio::DomainValidator to whitelist domains and (optionally) verify authorization_endpoint delegation via HTTP/HTML.
• Persist me on authorio_requests and return it from profile JSON when present.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
lib/authorio/configuration.rb	Adds configuration knobs for whitelisting + delegation verification.
lib/generators/authorio/install/templates/authorio.rb	Documents new configuration options in the install template.
app/services/authorio/domain_validator.rb	Implements whitelist matching + optional delegation verification.
app/controllers/authorio/auth_controller.rb	Validates me, stores it in session, and persists it on requests.
app/models/authorio/request.rb	Adds model-level whitelist validation for persisted me.
db/migrate/20260212110310_add_me_to_authorio_requests.rb	Adds me column + index to requests table.
app/views/authorio/users/_profile.json.jbuilder	Returns delegated me when present, otherwise server profile URL.
app/views/authorio/auth/send_profile.json.jbuilder	Adjusts partial invocation for profile JSON rendering.
app/views/authorio/auth/issue_token.json.jbuilder	Adjusts partial invocation for profile JSON rendering.
spec/services/authorio/domain_validator_spec.rb	Adds unit coverage for whitelist + delegation verification toggles.
spec/requests/auth_spec.rb	Adds request coverage for whitelist behavior and me persistence.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SSRF risk: when verify_delegation is enabled and allowed_domains is empty ("allow all"), this will fetch a user-controlled URL. Consider blocking private/loopback/link-local IP ranges, restricting schemes to http/https, and validating redirect targets before following them to avoid internal network access.

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Applied SSRF protection in commit 9da1e3d. The implementation now:

• Blocks private/loopback/link-local IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, IPv6 equivalents)
• Restricts schemes to http/https only
• Validates redirect targets before following them
• Uses DNS resolution with Resolv to check IP addresses against blocked ranges

[Copilot]

HTML parsing only matches rel="authorization_endpoint" as a single value. In HTML, rel can be a space-separated list (e.g., rel="authorization_endpoint something"), which would incorrectly fail verification. Consider checking rel as a token list and matching authorization_endpoint as one of the values.

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 9da1e3d. HTML rel parsing now handles space-separated token lists by splitting on whitespace and checking if 'authorization_endpoint' is one of the tokens.

[Copilot]

The new describe 'domain whitelist and delegation' block is placed after the closing end of the existing RSpec.describe block, so it won't inherit the shared examples/helpers (params, post_params, etc.) and may fail with undefined variables. Move this block inside the existing RSpec.describe 'Requests', type: :request do ... end (or wrap it in its own RSpec.describe ... with the needed setup).

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 9da1e3d. Tests are now inside the main RSpec.describe block and inherit shared examples/helpers properly.

[Copilot]

This example makes a real network call to a non-existent domain. With no WebMock/VCR configured in this repo, it can add ~5s timeouts and cause flaky test runs. Stub Net::HTTP (or fetch_authorization_endpoint) and assert behavior without external I/O.

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 9da1e3d. Network calls are now stubbed using allow(validator).to receive(:fetch_authorization_endpoint) to avoid real HTTP requests in tests.

[Copilot]

These specs mutate global Authorio.configuration but never restore prior values, which can leak state into other specs depending on run order. Capture existing allowed_domains/verify_delegation in an around block (or after) and restore them after each example.

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 9da1e3d. Added around(:each) block to save and restore configuration values (allowed_domains, verify_delegation) after each test to prevent state leakage.

[Copilot]

The controller validates a normalized me via DomainValidator, but it stores the original params[:me] value in session and persists it to Authorio::Request. This means inputs without a scheme won't get the documented https:// normalization, and the me echoed back may differ from what was validated. Store the normalized URL (e.g., via a normalized_me_url accessor on the validator) instead of the raw param.

[GrassBlock1]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 9da1e3d. Controller now stores the normalized URL via validator.normalized_me_url instead of the raw parameter, ensuring consistent HTTPS scheme normalization.