api-auth 2.2.1 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74847c2470f870ce0206badfda86189773a6bb96b109d0fca6ab276f5bb70523
-  data.tar.gz: 5b24a84ec9a7617b3dfe33e9c97cccf5edc7caa627b51b76b3044f2952e32e80
+  metadata.gz: cdc2295825296be5b720b2df6ca984f247a71f549af9f4a8397a68e37e08707e
+  data.tar.gz: 9171431679afa0ab3bc8ab74a06a0bd14424034b0fb3af4202bfb45458f6b7a0
 SHA512:
-  metadata.gz: 507f3c7f5e1570c9014e953179a42c13c5502ea50483172fd7650a6b9853297e9220cb096599c4498a95f1873bf06d37852355cb2bc566481c2b93c61a4a9cb6
-  data.tar.gz: 05515f1bd95793f5c0497e2d3e0ea9cd65d9d14015f8f2abe151aa40ea0dfb849250505f0a132ba6b161d31d0839ebaec6adb7e8cef91dc286d123f7b04a1f37
+  metadata.gz: e07b3ad4db78a4f12339dc542827b0c43ee4aa3c7c1068f1ee639ca88c67ead6953e4158b6f9950127ab200fff06f7ee66312cc54dd6b3a59810ee1ceeb987b4
+  data.tar.gz: '051628373d800d5248fa1d9bdd6f3b57ba27ad898199dc84a241be2b551f22468e79facf208ba47141ef2d6591d462bf2f279233d7f8df4d7cef05b179e87da7'

data/.rubocop.yml

@@ -1,16 +1,26 @@
 inherit_from: .rubocop_todo.yml
 
+AllCops:
+  TargetRubyVersion: 2.5
+
 Metrics/AbcSize:
-  Max: 25
+  Max: 28
 
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
 # URISchemes: http, https
-Metrics/LineLength:
+Layout/LineLength:
   Max: 140
 
 Metrics/MethodLength:
   Max: 40
 
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
 Naming/FileName:
   Exclude:
     - 'lib/api-auth.rb'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

data/.rubocop_todo.yml

@@ -1,60 +1,102 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2018-02-12 13:27:16 +0300 using RuboCop version 0.52.1.
+# on 2021-03-26 22:04:17 UTC using RuboCop version 1.12.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation, Include.
+# Include: **/*.gemspec
+Gemspec/OrderedDependencies:
+  Exclude:
+    - 'api_auth.gemspec'
+
 # Offense count: 1
 # Configuration parameters: AllowSafeAssignment.
 Lint/AssignmentInCondition:
   Exclude:
     - 'lib/api_auth/base.rb'
 
-# Offense count: 8
+# Offense count: 4
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: enums
+Lint/ConstantDefinitionInBlock:
+  Exclude:
+    - 'spec/railtie_spec.rb'
+
+# Offense count: 9
+# Configuration parameters: CheckForMethodsWithNoSideEffects.
 Lint/Void:
   Exclude:
     - 'lib/api_auth/headers.rb'
     - 'lib/api_auth/request_drivers/action_controller.rb'
     - 'lib/api_auth/request_drivers/curb.rb'
     - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
     - 'lib/api_auth/request_drivers/httpi.rb'
     - 'lib/api_auth/request_drivers/net_http.rb'
     - 'lib/api_auth/request_drivers/rack.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
 # Offense count: 1
-Metrics/CyclomaticComplexity:
-  Max: 14
+# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
+Metrics/AbcSize:
+  Max: 28
 
 # Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
+# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
+# IgnoredMethods: refine
+Metrics/BlockLength:
+  Max: 27
 
-# Offense count: 9
+# Offense count: 2
+# Configuration parameters: IgnoredMethods.
+Metrics/CyclomaticComplexity:
+  Max: 15
+
+# Offense count: 10
 Naming/AccessorMethodName:
   Exclude:
     - 'lib/api_auth/railtie.rb'
     - 'lib/api_auth/request_drivers/action_controller.rb'
     - 'lib/api_auth/request_drivers/curb.rb'
     - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
     - 'lib/api_auth/request_drivers/http.rb'
     - 'lib/api_auth/request_drivers/httpi.rb'
     - 'lib/api_auth/request_drivers/net_http.rb'
     - 'lib/api_auth/request_drivers/rack.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
+# Offense count: 3
+# Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
+# AllowedNames: at, by, db, id, in, io, ip, of, on, os, pp, to
+Naming/MethodParameterName:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+    - 'spec/railtie_spec.rb'
+
 # Offense count: 9
+# Cop supports --auto-correct.
 Style/CommentedKeyword:
   Exclude:
     - 'lib/api_auth/base.rb'
     - 'lib/api_auth/railtie.rb'
 
-# Offense count: 4
+# Offense count: 3
+# Configuration parameters: AllowedConstants.
 Style/Documentation:
   Exclude:
     - 'spec/**/*'
     - 'test/**/*'
     - 'lib/api_auth/railtie.rb'
-    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: respond_to_missing?
+Style/OptionalBooleanParameter:
+  Exclude:
+    - 'lib/api_auth/railtie.rb'

data/.travis.yml

@@ -2,19 +2,14 @@ language: ruby
 sudo: false
 cache: bundler
 rvm:
-  - 2.1.10
-  - 2.2.9
-  - 2.3.6
-  - 2.4.3
-  - 2.5.0
+  - 2.5.3
+  - 2.6.1
+  - 2.7.1
+  - 3.0.0
 gemfile:
-  - gemfiles/rails_4.gemfile
-  - gemfiles/rails_41.gemfile
-  - gemfiles/rails_42.gemfile
-  - gemfiles/rails_5.gemfile
-  - gemfiles/rails_51.gemfile
-  - gemfiles/http2.gemfile
-  - gemfiles/http3.gemfile
+  - gemfiles/rails_52.gemfile
+  - gemfiles/rails_60.gemfile
+  - gemfiles/rails_61.gemfile
   - gemfiles/http4.gemfile
 env:
   - TEST_SUITE=rake
@@ -26,20 +21,9 @@ script:
   - bundle exec $TEST_SUITE
 
 matrix:
-  exclude:
-    - rvm: 2.1.10
-      gemfile: gemfiles/rails_5.gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/rails_51.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http2.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http3.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http4.gemfile
   include:
-    - rvm: 2.5.0
-      gemfile: gemfiles/rails_5.gemfile
+    - rvm: 3.0.0
+      gemfile: gemfiles/rails_61.gemfile
       env: TEST_SUITE="rubocop lib/ spec/"
 
 notifications:

data/CHANGELOG.md

@@ -1,3 +1,39 @@
+# 2.5.0 (2021-05-11)
+- Add support for Ruby 3.0 (#194 fwininger)
+- Add support for Rails 6.1 (#194 fwininger)
+- Drop support for Ruby 2.4 (#193 fwininger)
+- Drop support for Rails 5.0 (#194 fwininger)
+- Drop support for Rails 5.1 (#194 fwininger)
+- Fix Faraday warning: `WARNING: Faraday::Request#method is deprecated` (#191 fwininger)
+
+# 2.4.1 (2020-06-23)
+- Fix inadvertant ActiveSupport dependecy (#189 taylorthurlow)
+
+# 2.4.0 (2020-05-05)
+- Improved support for Rails 6.0 (#179 taylorthurlow, #177 fwininger)
+- Added Ruby 2.6.0 support (#174 fwininger)
+- README updates (#186 iranthau)
+
+# 2.3.1 (2018-11-06)
+- Fixed a regression in the http.rb driver (#173 tycooon)
+
+# 2.3.0 (2018-10-23)
+- Added support for Grape API (#169 phuongnd08 & dunghuynh)
+- Added option for specifying customer headers to sign via new `headers_to_sign`
+  argument (#170 fakenine)
+- Fix tests and drop support for Ruby < 2.3 (#171 fwininger)
+
+# 2.2.0 (2018-03-12)
+- Drop support ruby 1.x, rails 2.x, rails 3.x (#141 fwininger)
+- Add http.rb request driver (#164 tycooon)
+- Fix POST and PUT requests in RestClient (#151 fwininger)
+- Allow clock skew to be user-defined (#136 mlarraz)
+- Adds #original_uri method to all request drivers (#137 iMacTia)
+- Rubocop and test fixes (fwininger & nicolasleger)
+- Changed return type for request #content_md5 #timestamp #content_type (fwininger)
+- Fix URI edge case where a URI contains another URI (zfletch)
+- Updates to the README (zfletch)
+
 # 2.1.0 (2016-12-22)
 - Fixed a NoMethodError that might occur when using the NetHttp Driver (#130 grahamkenville)
 - More securely compare signatures in a way that prevents timing attacks (#56 leishman, #133 will0)

data/Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 gemspec
 
-gem 'rubocop', platforms: %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
+gem 'rubocop'

data/README.md

@@ -1,6 +1,7 @@
 # ApiAuth
 
-[![Build Status](https://travis-ci.org/mgomes/api_auth.png?branch=master)](https://travis-ci.org/mgomes/api_auth)
+[![Build Status](https://travis-ci.org/mgomes/api_auth.svg?branch=master)](https://travis-ci.org/mgomes/api_auth)
+[![Gem Version](https://badge.fury.io/rb/api-auth.svg)](https://badge.fury.io/rb/api-auth)
 
 Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
@@ -20,19 +21,35 @@ have to be written in the same language as the clients.
 ## How it works
 
 1. A canonical string is first created using your HTTP headers containing the
-content-type, content-MD5, request URI and the timestamp. If content-type or
-content-MD5 are not present, then a blank string is used in their place. If the
-timestamp isn't present, a valid HTTP date is automatically added to the
-request. The canonical string is computed as follows:
+`content-type`, `X-Authorization-Content-SHA256`, request path and the date/time stamp.
+If `content-type` or `X-Authorization-Content-SHA256` are not present, then a blank
+string is used in their place. If the timestamp isn't present, a valid HTTP date is
+automatically added to the request. The canonical string is computed as follows:
 
-    canonical_string = 'http method,content-type,content-MD5,request URI,timestamp'
+```ruby
+canonical_string = "#{http method},#{content-type},#{X-Authorization-Content-SHA256},#{request URI},#{timestamp}"
+```
+
+e.g.,
+
+```ruby
+canonical_string = 'POST,application/json,,request_path,Tue, 30 May 2017 03:51:43 GMT'
+```
 
 2. This string is then used to create the signature which is a Base64 encoded
 SHA1 HMAC, using the client's private secret key.
 
 3. This signature is then added as the `Authorization` HTTP header in the form:
 
-    Authorization = APIAuth 'client access id':'signature from step 2'
+```ruby
+Authorization = APIAuth "#{client access id}:#{signature from step 2}"
+```
+
+A cURL request would look like:
+
+```sh
+curl -X POST --header 'Content-Type: application/json' --header "Date: Tue, 30 May 2017 03:51:43 GMT" --header "Authorization: ${AUTHORIZATION}"  http://my-app.com/request_path`
+```
 
 5. On the server side, the SHA1 HMAC is computed in the same way using the
 request headers and the client's secret key, which is known to only
@@ -41,7 +58,6 @@ access id that was attached in the header. The access id can be any integer or
 string that uniquely identifies the client. The signed request expires after 15
 minutes in order to avoid replay attacks.
 
-
 ## References
 
 * [Hash functions](http://en.wikipedia.org/wiki/Cryptographic_hash_function)
@@ -51,9 +67,9 @@ minutes in order to avoid replay attacks.
 
 ## Requirement
 
-v3.X require Ruby >= 2.1 and Rails >= 4.0 if you use rails.
+This gem require Ruby >= 2.5 and Rails >= 5.1 if you use rails.
 
-For older version of Ruby or Rails, please use ApiAuth v2.X.
+For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
 
 **IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.**
 
@@ -62,7 +78,9 @@ For older version of Ruby or Rails, please use ApiAuth v2.X.
 The gem doesn't have any dependencies outside of having a working OpenSSL
 configuration for your Ruby VM. To install:
 
-    [sudo] gem install api-auth
+```sh
+[sudo] gem install api-auth
+```
 
 Please note the dash in the name versus the underscore.
 
@@ -87,26 +105,30 @@ Here's a sample implementation of signing a request created with RestClient.
 
 Assuming you have a client access id and secret as follows:
 
-``` ruby
-    @access_id = "1044"
-    @secret_key = ApiAuth.generate_secret_key
+```ruby
+@access_id = "1044"
+@secret_key = ApiAuth.generate_secret_key
 ```
 
 A typical RestClient PUT request may look like:
 
-``` ruby
-    headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
-        'Content-Type' => "text/plain",
-        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-    @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-        :headers => headers,
-        :method => :put)
+```ruby
+headers = { 'X-Authorization-Content-SHA256' => "dWiCWEMZWMxeKM8W8Yuh/TbI29Hw5xUSXZWXEJv63+Y=",
+  'Content-Type' => "text/plain",
+  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT"
+}
+
+@request = RestClient::Request.new(
+    url: "/resource.xml?foo=bar&bar=foo",
+    headers: headers,
+    method: :put
+)
 ```
 
 To sign that request, simply call the `sign!` method as follows:
 
-``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+```ruby
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
 ```
 
 The proper `Authorization` request header has now been added to that request
@@ -119,34 +141,38 @@ If you are signing a request for a driver that doesn't support automatic http
 method detection (like Curb or httpi), you can pass the http method as an option
 into the sign! method like so:
 
-``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
+```ruby
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
 ```
 
 If you want to use another digest existing in `OpenSSL::Digest`,
 you can pass the http method as an option into the sign! method like so:
 
-``` ruby
-    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
+```ruby
+@signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
 ```
 
 With the `digest` option, the `Authorization` header will be change from:
 
-    Authorization = APIAuth 'client access id':'signature'
+```sh
+Authorization = APIAuth 'client access id':'signature'
+```
 
 to:
 
-    Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
+```sh
+Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
+```
 
 ### ActiveResource Clients
 
 ApiAuth can transparently protect your ActiveResource communications with a
 single configuration line:
 
-``` ruby
-    class MyResource < ActiveResource::Base
-      with_api_auth(access_id, secret_key)
-    end
+```ruby
+class MyResource < ActiveResource::Base
+  with_api_auth(access_id, secret_key)
+end
 ```
 
 This will automatically sign all outgoing ActiveResource requests from your app.
@@ -156,7 +182,7 @@ This will automatically sign all outgoing ActiveResource requests from your app.
 ApiAuth also works with [Flexirest](https://github.com/andyjeffries/flexirest) (used to be ActiveRestClient, but that is now unsupported) in a very similar way.
 Simply add this configuration to your Flexirest initializer in your app and it will automatically sign all outgoing requests.
 
-``` ruby
+```ruby
 Flexirest::Base.api_auth_credentials(@access_id, @secret_key)
 ```
 
@@ -167,27 +193,29 @@ clients as well as verifying incoming API requests.
 
 To generate a Base64 encoded API key for a client:
 
-``` ruby
-    ApiAuth.generate_secret_key
+```ruby
+ApiAuth.generate_secret_key
 ```
 
 To validate whether or not a request is authentic:
 
-``` ruby
-    ApiAuth.authentic?(signed_request, secret_key)
+```ruby
+ApiAuth.authentic?(signed_request, secret_key)
 ```
 
 The `authentic?` method uses the digest specified in the `Authorization` header.
 For example SHA256 for:
 
-    Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
+```sh
+Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
+```
 
 And by default SHA1 if the HMAC-DIGEST is not specified.
 
 If you want to force the usage of another digest method, you should pass it as an option parameter:
 
-``` ruby
-    ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
+```ruby
+ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
 ```
 
 For security, requests dated older or newer than a certain timespan are considered inauthentic.
@@ -198,16 +226,24 @@ can't be dated into the far future.
 The default span is 15 minutes, but you can override this:
 
 ```ruby
-    ApiAuth.authentic?(signed_request, secret_key, :clock_skew => 60) # or 1.minute in ActiveSupport
+ApiAuth.authentic?(signed_request, secret_key, :clock_skew => 60) # or 1.minute in ActiveSupport
+```
+
+If you want to sign custom headers, you can pass them as an array of strings in the options like so:
+
+``` ruby
+ApiAuth.authentic?(signed_request, secret_key, headers_to_sign: %w[HTTP_HEADER_NAME])
 ```
 
+With the specified headers values being at the end of the canonical string in the same order.
+
 If your server is a Rails app, the signed request will be the `request` object.
 
 In order to obtain the secret key for the client, you first need to look up the
 client's access_id. ApiAuth can pull that from the request headers for you:
 
 ``` ruby
-    ApiAuth.access_id(signed_request)
+ApiAuth.access_id(signed_request)
 ```
 
 Once you've looked up the client's record via the access id, you can then verify
@@ -219,12 +255,12 @@ Here's a sample method that can be used in a `before_action` if your server is a
 Rails app:
 
 ``` ruby
-    before_action :api_authenticate
+before_action :api_authenticate
 
-    def api_authenticate
-      @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
-      head(:unauthorized) unless @current_account && ApiAuth.authentic?(request, @current_account.secret_key)
-    end
+def api_authenticate
+  @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
+  head(:unauthorized) unless @current_account && ApiAuth.authentic?(request, @current_account.secret_key)
+end
 ```
 
 ## Development
@@ -237,11 +273,15 @@ To run the tests:
 
 Install the dependencies for a particular Rails version by specifying a gemfile in `gemfiles` directory:
 
-    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
+```sh
+BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
+```
 
 Run the tests with those dependencies:
 
-    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
+```sh
+BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
+```
 
 If you'd like to add support for additional HTTP clients, check out the already
 implemented drivers in `lib/api_auth/request_drivers` for reference. All of
@@ -251,6 +291,7 @@ the public methods for each driver are required to be implemented by your driver
 
 * [Mauricio Gomes](http://github.com/mgomes)
 * [Kevin Glowacz](http://github.com/kjg)
+* [Florian Wininger](http://github.com/fwininger)
 
 ## Copyright