Force all developer application redirect URIs to use HTTPS

app/controllers/developers/applications_controller.rb

@@ -1,20 +1,18 @@
 class Developers::ApplicationsController < ApplicationController
-  nested_layouts "layouts/admin"
+  nested_layouts 'layouts/admin'
 
   before_action do
     @developers = true
   end
 
-  before_action except: [:index, :request, :provision, :create] do
+  before_action except: %i[index request provision create] do
     if (current_application.provisional? || current_application.owner_id != current_user.id) && !current_user.admin?
-      render plain: "403 Forbidden or Provisional Domain", status: 403
+      render plain: '403 Forbidden or Provisional Domain', status: 403
     end
   end
 
   before_action only: [:create] do
-    if !current_user.admin?
-      render plain: "403 Forbidden", status: 403
-    end
+    render plain: '403 Forbidden', status: 403 unless current_user.admin?
   end
 
   def index
@@ -44,10 +42,16 @@ def destroy_scope
     scopes = @application.scopes.to_a
     scopes.delete(params[:scope])
     @application.update!(scopes: Doorkeeper::OAuth::Scopes.from_array(scopes))
-    redirect_back(fallback_location: developers_applications_path(id: params[:id]), notice: "Destroyed scope #{params[:scope]}")
+    redirect_back(fallback_location: developers_applications_path(id: params[:id]),
+                  notice: "Destroyed scope #{params[:scope]}")
   end
 
   def add_redirect_uri
+    uri = URI.parse(params[:redirect_uri])
+    if uri.scheme != 'https'
+      redirect_back(fallback_location: developers_applications_path, notice: 'URIs must use HTTPS')
+      return
+    end
     @application = current_application
     uris = @application.redirect_uri.split("\r\n")
     uris.push(params[:redirect_uri])
@@ -56,7 +60,7 @@ def add_redirect_uri
     rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotUnique => e
       flash.notice = e.message
     else
-      flash.notice = "Added Redirect URI"
+      flash.notice = 'Added Redirect URI'
     ensure
       redirect_back(fallback_location: developers_applications_path(id: params[:id]))
     end
@@ -67,14 +71,14 @@ def destroy_redirect_uri
     uris = @application.redirect_uri.split("\r\n")
     uris.delete(params[:redirect_uri])
     @application.update!(redirect_uri: uris.join("\r\n"))
-    redirect_back(fallback_location: developers_applications_path(id: params[:id]), notice: "Destroyed Redirect URI")
+    redirect_back(fallback_location: developers_applications_path(id: params[:id]), notice: 'Destroyed Redirect URI')
   end
 
   def update
     @application = current_application
     @application.update!(name: params[:name]) if params[:name]
     @application.update!(confidential: params[:confidential].to_i.zero?) if params[:confidential]
-    redirect_back(fallback_location: developers_applications_path(id: params[:id]), notice: "Updated application")
+    redirect_back(fallback_location: developers_applications_path(id: params[:id]), notice: 'Updated application')
   end
 
   def destroy
@@ -83,14 +87,22 @@ def destroy
   end
 
   def create
-    @application = Doorkeeper::Application.new(name: params[:name], redirect_uri: params[:redirect_uri], confidential: true)
+    @application = Doorkeeper::Application.new(name: params[:name], redirect_uri: params[:redirect_uri],
+                                               confidential: true)
     @application.owner = current_user
     @application.save!
     redirect_to developers_application_path(id: @application.id)
   end
 
   def provision
-    @application = Doorkeeper::Application.new(name: params[:name], redirect_uri: params[:redirect_uri], plan: params[:plan], confidential: true, provisional: true)
+    uri = URI.parse(params[:redirect_uri])
+    if uri.scheme != 'https'
+      redirect_back(fallback_location: developers_applications_path, notice: 'URIs must use HTTPS')
+      return
+    end
+
+    @application = Doorkeeper::Application.new(name: params[:name], redirect_uri: params[:redirect_uri],
+                                               plan: params[:plan], confidential: true, provisional: true)
     @application.owner = current_user
     @application.save!
     redirect_to developers_path

app/views/developers/applications/index.html.erb

@@ -3,7 +3,12 @@
 <% end %>
 
 <div class="flex flex-col items-center gap-8" style="scroll-behavior: smooth;">
+<% flash.each do |type, msg| %>
 
+      <div class="flash flash-<%= type %>">
+        <%= msg %>
+      </div>
+<% end %>
   <a href="/"><h2 class="text-yellow p-none m-none">← Back to Obl.ong</h2></a>
   <h1 class="text-center text-yellow text-4 lg:text-5 xl:text-6 font-heading">Manage your applications</h1>
 

app/views/developers/applications/request.html.erb

@@ -1,54 +1,40 @@
 <h1 class="font-heading text-3 lg:text-4 xl:text-5">Request an application</h1>
 <br><br>
-
+<% flash.each do |type, msg| %>
+  <div class="flash flash-<%= type %>">
+    <%= msg %>
+  </div>
+<% end %>
 <%= form_with url: provision_developers_applications_path do |form| %>
-    <%= form.label :name, "What is the name of the app?" %><br>
-    <br>
-    <%= form.text_field :name, placeholder: "Dynamic" %>
-    <br><br><br>
-    <%= form.label :redirect_uri, "Add a Redirect URI" %><br>
-    <p>This is where we'll redirect after the user authorizes your app</p>
-    <br>
-    <%= form.text_field :redirect_uri, placeholder: "https://oidcdebugger.com/debug" %>
-    <br><br><br>
-    <%= form.label :plan, "What are you planning on using it for?" %><br>
-    <p>Don't worry, it doesn't need to be anything important or serious (it can be if you want though!)</p><br>
-    <%= form.text_area :plan, placeholder: "I'm going to make a Dynamic DNS app" %>
-    <br><br><br>
-    <%= form.label :coc, "Do you agree to our Code of Conduct?" %><br>
-    <p>We want to make sure our domains aren't used for bad purposes. Please read our Code of Conduct and Acceptable Use Policy: <a href="https://github.com/obl-ong/code-of-conduct">https://github.com/obl-ong/code-of-conduct</a></p>
-    <br>
-    <%= form.check_box :coc, required: true %>
-    <br><br>
-
-    <%= form.submit "Request" %>
+  <%= form.label :name, "What is the name of the app?" %><br>
+  <br>
+  <%= form.text_field :name, placeholder: "Dynamic" %>
+  <br><br><br>
+  <%= form.label :redirect_uri, "Add a Redirect URI" %><br>
+  <p>This is where we'll redirect after the user authorizes your app</p>
+  <br>
+  <%= form.text_field :redirect_uri, placeholder: "https://oidcdebugger.com/debug" %>
+  <br><br><br>
+  <%= form.label :plan, "What are you planning on using it for?" %><br>
+  <p>Don't worry, it doesn't need to be anything important or serious (it can be
+    if you want though!)</p><br>
+  <%= form.text_area :plan, placeholder: "I'm going to make a Dynamic DNS app" %>
+  <br><br><br>
+  <%= form.label :coc, "Do you agree to our Code of Conduct?" %><br>
+  <p>We want to make sure our domains aren't used for bad purposes. Please read
+    our Code of Conduct and Acceptable Use Policy:
+    <a href="https://github.com/obl-ong/code-of-conduct">https://github.com/obl-ong/code-of-conduct</a></p>
+  <br>
+  <%= form.check_box :coc, required: true %>
+  <br><br>
+
+  <%= form.submit "Request" %>
 <% end %>
 
-
 <%= style_tag nonce: true do %>
-    form {
-        max-width: 50vw;
-    }
-
-    .domain {
-        font-size: 2rem;
-    }
-
-    label {
-        font-size: 2rem;
-        font-weight: 600;
-    }
-
-    textarea {
-        background-color: #f5f5f51a !important;
-        border: 1.5px solid var(--cultured) !important;
-        border-radius: 5px !important;
-        color: #fff;
-        min-width: 450px;
-        min-height: 10rem;
-    }
-
-    a {
-        color: var(--winter-sky);
-    }
-<% end %>
+  form { max-width: 50vw; } .domain { font-size: 2rem; } label { font-size:
+  2rem; font-weight: 600; } textarea { background-color: #f5f5f51a !important;
+  border: 1.5px solid var(--cultured) !important; border-radius: 5px
+  !important; color: #fff; min-width: 450px; min-height: 10rem; } a { color:
+  var(--winter-sky); }
+<% end %>