api-auth 2.2.0 → 2.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51fee150bf8e85fbaa3195608e96a25ad4ef7cb19bcc026137c1831c94f652c1
-  data.tar.gz: 7c0aeeefdf36f93e53cef4ac76f0015efa587c5a7b572dafe6670276d786e92a
+  metadata.gz: 60f6b22c31a0167767c8aa90d9e831bde874fd6831798d1c1a5104849005a4f4
+  data.tar.gz: 9be6acbac2c38e6fc0d0af33d6ba9fd6f9bc4ca0dc5dc6050fee1a8e139d94b5
 SHA512:
-  metadata.gz: 4cf7349cdbed677337b82e3c0ad87ce1271ce0a92c65a9bda8514dadde6c3a6fd40e962fc9b23cb937e0b1b804d456930d6ddeb245d5d3d5ed021639c077a3c8
-  data.tar.gz: c4935420257b03f3f90460c7caffb64d0da2792f9793c24c02bf00e7abdc1a80a509d73c3ed86a95098de3cb5aaeb96776e383a537dfab3233fd043a6077c928
+  metadata.gz: 30f33a8543297ceb7e99bb028cca8377e5af639957d9edc06e36f1968d252a0012357030e726d9ff7024ebc99da30e9a1bb324eba686ffb6c784931ac2063620
+  data.tar.gz: 00b796d683a878643d152f8bad511f38d92fcf6182e941eff490609b5f122b301b08c8820af7229b9a5b744414ded4069054523244bba571a1bc408da6b4ba06

data/.rubocop.yml

@@ -1,63 +1,22 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2016-02-10 17:06:30 +0100 using RuboCop version 0.37.1.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
+inherit_from: .rubocop_todo.yml
 
-# Offense count: 1
-# Configuration parameters: AllowSafeAssignment.
-Lint/AssignmentInCondition:
-  Exclude:
-    - 'lib/api_auth/base.rb'
+AllCops:
+  TargetRubyVersion: 2.4
 
-# Offense count: 2
 Metrics/AbcSize:
   Max: 25
 
-# Offense count: 2
-Metrics/CyclomaticComplexity:
-  Max: 13
-
-# Offense count: 74
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes.
+# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
 # URISchemes: http, https
-Metrics/LineLength:
-  Max: 137
+Layout/LineLength:
+  Max: 140
 
-# Offense count: 4
-# Configuration parameters: CountComments.
 Metrics/MethodLength:
-  Max: 30
-
-# Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
-
-# Offense count: 8
-Style/AccessorMethodName:
-  Exclude:
-    - 'lib/api_auth/railtie.rb'
-    - 'lib/api_auth/request_drivers/action_controller.rb'
-    - 'lib/api_auth/request_drivers/curb.rb'
-    - 'lib/api_auth/request_drivers/faraday.rb'
-    - 'lib/api_auth/request_drivers/httpi.rb'
-    - 'lib/api_auth/request_drivers/net_http.rb'
-    - 'lib/api_auth/request_drivers/rack.rb'
-    - 'lib/api_auth/request_drivers/rest_client.rb'
-
-# Offense count: 4
-Style/Documentation:
-  Exclude:
-    - 'spec/**/*'
-    - 'test/**/*'
-    - 'lib/api_auth/railtie.rb'
-    - 'lib/api_auth/request_drivers/rest_client.rb'
+  Max: 40
 
-# Offense count: 1
-# Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts.
-Style/FileName:
+Naming/FileName:
   Exclude:
     - 'lib/api-auth.rb'
-    - 'Appraisals'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,92 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2018-10-22 20:30:52 +0700 using RuboCop version 0.59.2.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
+# Include: **/*.gemspec
+Gemspec/OrderedDependencies:
+  Exclude:
+    - 'api_auth.gemspec'
+
+# Offense count: 1
+# Configuration parameters: AllowSafeAssignment.
+Lint/AssignmentInCondition:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+
+# Offense count: 9
+# Configuration parameters: CheckForMethodsWithNoSideEffects.
+Lint/Void:
+  Exclude:
+    - 'lib/api_auth/headers.rb'
+    - 'lib/api_auth/request_drivers/action_controller.rb'
+    - 'lib/api_auth/request_drivers/curb.rb'
+    - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
+    - 'lib/api_auth/request_drivers/httpi.rb'
+    - 'lib/api_auth/request_drivers/net_http.rb'
+    - 'lib/api_auth/request_drivers/rack.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 1
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+  Max: 27
+
+# Offense count: 1
+Metrics/CyclomaticComplexity:
+  Max: 15
+
+# Offense count: 1
+Metrics/PerceivedComplexity:
+  Max: 8
+
+# Offense count: 10
+Naming/AccessorMethodName:
+  Exclude:
+    - 'lib/api_auth/railtie.rb'
+    - 'lib/api_auth/request_drivers/action_controller.rb'
+    - 'lib/api_auth/request_drivers/curb.rb'
+    - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
+    - 'lib/api_auth/request_drivers/http.rb'
+    - 'lib/api_auth/request_drivers/httpi.rb'
+    - 'lib/api_auth/request_drivers/net_http.rb'
+    - 'lib/api_auth/request_drivers/rack.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 3
+# Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
+# AllowedNames: io, id, to, by, on, in, at, ip, db
+Naming/MethodParameterName:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+    - 'spec/railtie_spec.rb'
+
+# Offense count: 1
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: inline, group
+Style/AccessModifierDeclarations:
+  Exclude:
+    - 'lib/api_auth/headers.rb'
+
+# Offense count: 9
+Style/CommentedKeyword:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+    - 'lib/api_auth/railtie.rb'
+
+# Offense count: 4
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/api_auth/railtie.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'

data/.travis.yml

@@ -2,16 +2,18 @@ language: ruby
 sudo: false
 cache: bundler
 rvm:
-  - 2.1.9
-  - 2.2.6
-  - 2.3.3
-  - 2.4.1
+  - 2.4.3
+  - 2.5.3
+  - 2.6.1
+  - 2.7.1
 gemfile:
-  - gemfiles/rails_4.gemfile
-  - gemfiles/rails_41.gemfile
-  - gemfiles/rails_42.gemfile
   - gemfiles/rails_5.gemfile
   - gemfiles/rails_51.gemfile
+  - gemfiles/rails_52.gemfile
+  - gemfiles/rails_60.gemfile
+  - gemfiles/http2.gemfile
+  - gemfiles/http3.gemfile
+  - gemfiles/http4.gemfile
 env:
   - TEST_SUITE=rake
 
@@ -22,15 +24,14 @@ script:
   - bundle exec $TEST_SUITE
 
 matrix:
-  exclude:
-    - rvm: 2.1.9
-      gemfile: gemfiles/rails_5.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/rails_51.gemfile
   include:
-    - rvm: 2.4.1
-      gemfile: gemfiles/rails_5.gemfile
+    - rvm: 2.7.1
+      gemfile: gemfiles/rails_60.gemfile
       env: TEST_SUITE="rubocop lib/ spec/"
+  exclude:
+    - rvm: 2.4.3
+      gemfile: gemfiles/rails_60.gemfile
+      env: TEST_SUITE=rake
 
 notifications:
   email: false

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+# 2.4.1 (2020-06-23)
+- Fix inadvertant ActiveSupport dependecy (#189 taylorthurlow)
+
+# 2.4.0 (2020-05-05)
+- Improved support for Rails 6.0 (#179 taylorthurlow, #177 fwininger)
+- Added Ruby 2.6.0 support (#174 fwininger)
+- README updates (#186 iranthau)
+
+# 2.3.1 (2018-11-06)
+- Fixed a regression in the http.rb driver (#173 tycooon)
+
+# 2.3.0 (2018-10-23)
+- Added support for Grape API (#169 phuongnd08 & dunghuynh)
+- Added option for specifying customer headers to sign via new `headers_to_sign`
+  argument (#170 fakenine)
+- Fix tests and drop support for Ruby < 2.3 (#171 fwininger)
+
+# 2.2.0 (2018-03-12)
+- Drop support ruby 1.x, rails 2.x, rails 3.x (#141 fwininger)
+- Add http.rb request driver (#164 tycooon)
+- Fix POST and PUT requests in RestClient (#151 fwininger)
+- Allow clock skew to be user-defined (#136 mlarraz)
+- Adds #original_uri method to all request drivers (#137 iMacTia)
+- Rubocop and test fixes (fwininger & nicolasleger)
+- Changed return type for request #content_md5 #timestamp #content_type (fwininger)
+- Fix URI edge case where a URI contains another URI (zfletch)
+- Updates to the README (zfletch)
+
 # 2.1.0 (2016-12-22)
 - Fixed a NoMethodError that might occur when using the NetHttp Driver (#130 grahamkenville)
 - More securely compare signatures in a way that prevents timing attacks (#56 leishman, #133 will0)

data/Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 gemspec
 
-gem 'rubocop', platforms: %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
+gem 'rubocop'

data/README.md

@@ -1,6 +1,7 @@
 # ApiAuth
 
-[![Build Status](https://travis-ci.org/mgomes/api_auth.png?branch=master)](https://travis-ci.org/mgomes/api_auth)
+[![Build Status](https://travis-ci.org/mgomes/api_auth.svg?branch=master)](https://travis-ci.org/mgomes/api_auth)
+[![Gem Version](https://badge.fury.io/rb/api-auth.svg)](https://badge.fury.io/rb/api-auth)
 
 Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
@@ -20,19 +21,33 @@ have to be written in the same language as the clients.
 ## How it works
 
 1. A canonical string is first created using your HTTP headers containing the
-content-type, content-MD5, request URI and the timestamp. If content-type or
+content-type, content-MD5, request path and the date/time stamp. If content-type or
 content-MD5 are not present, then a blank string is used in their place. If the
 timestamp isn't present, a valid HTTP date is automatically added to the
 request. The canonical string is computed as follows:
 
-    canonical_string = 'http method,content-type,content-MD5,request URI,timestamp'
+```
+canonical_string = "#{http method},#{content-type},#{content-MD5},#{request URI},#{timestamp}"
+
+e.g.,
+
+canonical_string = 'POST,application/json,,request_path,Tue, 30 May 2017 03:51:43 GMT'
+```
 
 2. This string is then used to create the signature which is a Base64 encoded
 SHA1 HMAC, using the client's private secret key.
 
 3. This signature is then added as the `Authorization` HTTP header in the form:
 
-    Authorization = APIAuth 'client access id':'signature from step 2'
+```
+Authorization = APIAuth "#{client access id}:#{signature from step 2}"
+```
+
+A cURL request would look like:
+
+```
+curl -X POST --header 'Content-Type: application/json' --header "Date: Tue, 30 May 2017 03:51:43 GMT" --header "Authorization: ${AUTHORIZATION}"  http://my-app.com/request_path`
+```
 
 5. On the server side, the SHA1 HMAC is computed in the same way using the
 request headers and the client's secret key, which is known to only
@@ -51,9 +66,9 @@ minutes in order to avoid replay attacks.
 
 ## Requirement
 
-v3.X require Ruby 2.X and if you use Rails at least Rails 4.0.
+This gem require Ruby >= 2.3 and Rails >= 4.0 if you use rails.
 
-For older version of Ruby or Rails, please use ApiAuth v2.X.
+For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
 
 **IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.**
 
@@ -62,7 +77,9 @@ For older version of Ruby or Rails, please use ApiAuth v2.X.
 The gem doesn't have any dependencies outside of having a working OpenSSL
 configuration for your Ruby VM. To install:
 
-    [sudo] gem install api-auth
+```bash
+[sudo] gem install api-auth
+```
 
 Please note the dash in the name versus the underscore.
 
@@ -78,8 +95,8 @@ Here is the current list of supported request objects:
 * Curb (Curl::Easy)
 * RestClient
 * Faraday
-* HTTParty
-* Httpi
+* HTTPI
+* HTTP
 
 ### HTTP Client Objects
 
@@ -88,25 +105,29 @@ Here's a sample implementation of signing a request created with RestClient.
 Assuming you have a client access id and secret as follows:
 
 ``` ruby
-    @access_id = "1044"
-    @secret_key = ApiAuth.generate_secret_key
+@access_id = "1044"
+@secret_key = ApiAuth.generate_secret_key
 ```
 
 A typical RestClient PUT request may look like:
 
 ``` ruby
-    headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
-        'Content-Type' => "text/plain",
-        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-    @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-        :headers => headers,
-        :method => :put)
+headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+  'Content-Type' => "text/plain",
+  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT"
+}
+
+@request = RestClient::Request.new(
+    url: "/resource.xml?foo=bar&bar=foo",
+    headers: headers,
+    method: :put
+)
 ```
 
 To sign that request, simply call the `sign!` method as follows:
 
 ``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
 ```
 
 The proper `Authorization` request header has now been added to that request
@@ -120,23 +141,27 @@ method detection (like Curb or httpi), you can pass the http method as an option
 into the sign! method like so:
 
 ``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
 ```
 
 If you want to use another digest existing in `OpenSSL::Digest`,
 you can pass the http method as an option into the sign! method like so:
 
 ``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
 ```
 
 With the `digest` option, the `Authorization` header will be change from:
 
-    Authorization = APIAuth 'client access id':'signature'
+```
+Authorization = APIAuth 'client access id':'signature'
+```
 
 to:
 
-    Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
+```
+Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
+```
 
 ### ActiveResource Clients
 
@@ -144,9 +169,9 @@ ApiAuth can transparently protect your ActiveResource communications with a
 single configuration line:
 
 ``` ruby
-    class MyResource < ActiveResource::Base
-      with_api_auth(access_id, secret_key)
-    end
+class MyResource < ActiveResource::Base
+  with_api_auth(access_id, secret_key)
+end
 ```
 
 This will automatically sign all outgoing ActiveResource requests from your app.
@@ -168,26 +193,28 @@ clients as well as verifying incoming API requests.
 To generate a Base64 encoded API key for a client:
 
 ``` ruby
-    ApiAuth.generate_secret_key
+ApiAuth.generate_secret_key
 ```
 
 To validate whether or not a request is authentic:
 
 ``` ruby
-    ApiAuth.authentic?(signed_request, secret_key)
+ApiAuth.authentic?(signed_request, secret_key)
 ```
 
 The `authentic?` method uses the digest specified in the `Authorization` header.
 For example SHA256 for:
 
-    Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
+```
+Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
+```
 
 And by default SHA1 if the HMAC-DIGEST is not specified.
 
 If you want to force the usage of another digest method, you should pass it as an option parameter:
 
 ``` ruby
-    ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
+ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
 ```
 
 For security, requests dated older or newer than a certain timespan are considered inauthentic.
@@ -198,16 +225,24 @@ can't be dated into the far future.
 The default span is 15 minutes, but you can override this:
 
 ```ruby
-    ApiAuth.authentic?(signed_request, secret_key, :clock_skew => 60) # or 1.minute in ActiveSupport
+ApiAuth.authentic?(signed_request, secret_key, :clock_skew => 60) # or 1.minute in ActiveSupport
 ```
 
+If you want to sign custom headers, you can pass them as an array of strings in the options like so:
+
+``` ruby
+ApiAuth.authentic?(signed_request, secret_key, headers_to_sign: %w[HTTP_HEADER_NAME])
+```
+
+With the specified headers values being at the end of the canonical string in the same order.
+
 If your server is a Rails app, the signed request will be the `request` object.
 
 In order to obtain the secret key for the client, you first need to look up the
 client's access_id. ApiAuth can pull that from the request headers for you:
 
 ``` ruby
-    ApiAuth.access_id(signed_request)
+ApiAuth.access_id(signed_request)
 ```
 
 Once you've looked up the client's record via the access id, you can then verify
@@ -219,12 +254,12 @@ Here's a sample method that can be used in a `before_action` if your server is a
 Rails app:
 
 ``` ruby
-    before_action :api_authenticate
+before_action :api_authenticate
 
-    def api_authenticate
-      @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
-      head(:unauthorized) unless @current_account && ApiAuth.authentic?(request, @current_account.secret_key)
-    end
+def api_authenticate
+  @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
+  head(:unauthorized) unless @current_account && ApiAuth.authentic?(request, @current_account.secret_key)
+end
 ```
 
 ## Development
@@ -237,11 +272,15 @@ To run the tests:
 
 Install the dependencies for a particular Rails version by specifying a gemfile in `gemfiles` directory:
 
-    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
+```
+BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
+```
 
 Run the tests with those dependencies:
 
-    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
+```
+BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
+```
 
 If you'd like to add support for additional HTTP clients, check out the already
 implemented drivers in `lib/api_auth/request_drivers` for reference. All of