api-auth 2.5.1 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 232d1199b2fd74328e77ba9dd3362789798585b3d88df7c6d4688cf843475190
-  data.tar.gz: 879689b7f0b691212e0c14a80e087a041769241221b7a88f094c1003b29cfa9c
+  metadata.gz: b642f1c16d0ccca2a260e5440012a3d02fe3b333d3cb769a76e139ec97c39368
+  data.tar.gz: 5f68593348b4cbcf7b76250675c7bb355904b8f365129b8a57696e04fed5a802
 SHA512:
-  metadata.gz: 2cb0fbdf6f5984f7334bdfa8a16309837c35b146eab39cd723203cd6861c9ce1e51d66fa2f73a3bb6a9490eaec2af0e3c73b34a03726d26360fc664aa7095f32
-  data.tar.gz: 9a1e90785610686db8c1a84943d138f9528dd5ce28965774cfe3112ea74850d898694a7a2bd458ef513f0fd48db56015b8662c53ec78ec38d714080b6f59ed68
+  metadata.gz: f148aa229d78829b86af9772e962463866e3ad85653b9fc759494969c901717be7d9c6b11087f6873253777610d9dcf3b209189e0076249d72a5256dc2acf026
+  data.tar.gz: 6fab592a96c63ab8c52665c321c4291a5bd67fea0d366298a1c3efa82a6819e5a7434f2ed18c0cf48cac301cc219963fcdde831c237868e9a03cc5d09c3ae440

data/.github/workflows/main.yml

@@ -9,19 +9,23 @@ jobs:
       fail-fast: true
       matrix:
         ruby-version:
-          - 2.5
           - 2.6
           - 2.7
           - 3.0
+          - 3.1
         gemfile:
-          - rails_52.gemfile
           - rails_60.gemfile
           - rails_61.gemfile
+          - rails_70.gemfile
         exclude:
-          - ruby-version: [ 2.6, 2.7, 3.0 ]
-            gemfile: rails_52.gemfile
           - ruby-version: 3.0
             gemfile: rails_60.gemfile
+          - ruby-version: 3.1
+            gemfile: rails_60.gemfile 
+          - ruby-version: 2.6
+            gemfile: rails_70.gemfile
+          - ruby-version: 2.7
+            gemfile: rails_70.gemfile
     steps:
       - name: Install packages required for `curb` gem
         run: |
@@ -57,7 +61,7 @@ jobs:
       - name: Install Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.0
+          ruby-version: 3.1
           bundler-cache: true
 
       - name: Install required gems

data/.rubocop.yml

@@ -2,7 +2,7 @@ inherit_from: .rubocop_todo.yml
 
 AllCops:
   NewCops: enable
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.6
 
 Metrics/AbcSize:
   Max: 28
@@ -33,3 +33,7 @@ Style/StringLiterals:
 
 Lint/DuplicateBranch:
   Enabled: false
+
+# Development dependencies in gemspec is valid for gems
+Gemspec/DevelopmentDependencies:
+  Enabled: false

data/.rubocop_todo.yml

@@ -1,19 +1,11 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2021-03-26 22:04:17 UTC using RuboCop version 1.12.0.
+# on 2022-08-03 07:19:11 UTC using RuboCop version 1.32.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation, Include.
-# Include: **/*.gemspec
-Gemspec/OrderedDependencies:
-  Exclude:
-    - 'api_auth.gemspec'
-
 # Offense count: 1
 # Configuration parameters: AllowSafeAssignment.
 Lint/AssignmentInCondition:
@@ -41,29 +33,19 @@ Lint/Void:
     - 'lib/api_auth/request_drivers/rack.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
-# Offense count: 1
-# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
-Metrics/AbcSize:
-  Max: 28
-
-# Offense count: 1
-# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
-# IgnoredMethods: refine
-Metrics/BlockLength:
-  Max: 27
-
 # Offense count: 2
 # Configuration parameters: IgnoredMethods.
 Metrics/CyclomaticComplexity:
-  Max: 15
+  Max: 16
 
-# Offense count: 10
+# Offense count: 11
 Naming/AccessorMethodName:
   Exclude:
     - 'lib/api_auth/railtie.rb'
     - 'lib/api_auth/request_drivers/action_controller.rb'
     - 'lib/api_auth/request_drivers/curb.rb'
     - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/faraday_env.rb'
     - 'lib/api_auth/request_drivers/grape_request.rb'
     - 'lib/api_auth/request_drivers/http.rb'
     - 'lib/api_auth/request_drivers/httpi.rb'
@@ -79,20 +61,14 @@ Naming/MethodParameterName:
     - 'lib/api_auth/base.rb'
     - 'spec/railtie_spec.rb'
 
-# Offense count: 9
-# Cop supports --auto-correct.
-Style/CommentedKeyword:
-  Exclude:
-    - 'lib/api_auth/base.rb'
-    - 'lib/api_auth/railtie.rb'
-
-# Offense count: 3
+# Offense count: 4
 # Configuration parameters: AllowedConstants.
 Style/Documentation:
   Exclude:
     - 'spec/**/*'
     - 'test/**/*'
     - 'lib/api_auth/railtie.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'
 
 # Offense count: 1
 # Configuration parameters: AllowedMethods.
@@ -100,3 +76,8 @@ Style/Documentation:
 Style/OptionalBooleanParameter:
   Exclude:
     - 'lib/api_auth/railtie.rb'
+
+# Offense count: 1
+Lint/UselessConstantScoping:
+  Exclude:
+    - 'lib/api_auth/base.rb'

data/Appraisals

@@ -1,9 +1,3 @@
-appraise 'rails-52' do
-  gem 'actionpack', '~> 5.2'
-  gem 'activeresource', '~> 5.1'
-  gem 'activesupport', '~> 5.2'
-end
-
 appraise 'rails-60' do
   gem 'actionpack', '~> 6.0'
   gem 'activeresource', '~> 5.1'
@@ -15,3 +9,9 @@ appraise 'rails-61' do
   gem 'activeresource', '~> 5.1'
   gem 'activesupport', '~> 6.1'
 end
+
+appraise 'rails-70' do
+  gem 'actionpack', '~> 7.0'
+  gem 'activeresource', '~> 6.0'
+  gem 'activesupport', '~> 7.0'
+end

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+# 2.6.0 (2025-01-18)
+- Add Faraday middleware support (#1322051 Frédéric Mangano)
+- Add MD5 compatibility option in authentic? method (#a618e15 Samir ALI CHERIF)
+- Add support for Ruby 3.1 and Rails 7.0 (#552cab0 fwininger)
+- Drop support for Rails 5 and Ruby 2.5 (#552cab0 fwininger)
+- Fix HTTPS URL handling (#c734a88 fwininger)
+- Update Grape to v2.0+ for Rails 7/Rack 3 compatibility
+- Update Rubocop to v1.50+ and Curb to v1.0+ for Ruby 3.x compatibility
+- Fix Ruby 2.6 compatibility with Rails 6.x (Logger loading issue)
+- Add drb gem dependency (2.0.4-2.0.5) for Ruby 3.4+ compatibility while avoiding Ruby 2.6 conflicts
+
+# 2.5.1 (2021-11-26)
+- Add spec coverage for all content hashes (#202 fwininger)
+- Require MFA for Rubygems (#203 fwininger)
+- Integration with GitHub Actions
+- Fix look up of `X-AUTHORIZATION-CONTENT-SHA256` header
+- Adding license information to the gemspec
+
 # 2.5.0 (2021-05-11)
 - Add support for Ruby 3.0 (#194 fwininger)
 - Add support for Rails 6.1 (#194 fwininger)

data/README.md

@@ -7,7 +7,7 @@ Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
 
 ApiAuth is a Ruby gem designed to be used both in your client and server
-HTTP-based applications. It implements the same authentication methods (HMAC-SHA1)
+HTTP-based applications. It implements the same authentication methods (HMAC-SHA2)
 used by Amazon Web Services.
 
 The gem will sign your requests on the client side and authenticate that
@@ -48,10 +48,10 @@ Authorization = APIAuth "#{client access id}:#{signature from step 2}"
 A cURL request would look like:
 
 ```sh
-curl -X POST --header 'Content-Type: application/json' --header "Date: Tue, 30 May 2017 03:51:43 GMT" --header "Authorization: ${AUTHORIZATION}"  http://my-app.com/request_path`
+curl -X POST --header 'Content-Type: application/json' --header "Date: Tue, 30 May 2017 03:51:43 GMT" --header "Authorization: ${AUTHORIZATION}"  https://my-app.com/request_path`
 ```
 
-5. On the server side, the SHA1 HMAC is computed in the same way using the
+5. On the server side, the SHA2 HMAC is computed in the same way using the
 request headers and the client's secret key, which is known to only
 the client and the server but can be looked up on the server using the client's
 access id that was attached in the header. The access id can be any integer or
@@ -60,18 +60,14 @@ minutes in order to avoid replay attacks.
 
 ## References
 
-* [Hash functions](http://en.wikipedia.org/wiki/Cryptographic_hash_function)
-* [SHA-1 Hash function](http://en.wikipedia.org/wiki/SHA-1)
-* [HMAC algorithm](http://en.wikipedia.org/wiki/HMAC)
-* [RFC 2104 (HMAC)](http://tools.ietf.org/html/rfc2104)
+* [Hash functions](https://en.wikipedia.org/wiki/Cryptographic_hash_function)
+* [SHA-2 Hash function](https://en.wikipedia.org/wiki/SHA-2)
+* [HMAC algorithm](https://en.wikipedia.org/wiki/HMAC)
+* [RFC 2104 (HMAC)](https://tools.ietf.org/html/rfc2104)
 
 ## Requirement
 
-This gem require Ruby >= 2.5 and Rails >= 5.1 if you use rails.
-
-For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
-
-**IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.**
+This gem require Ruby >= 2.6 and Rails >= 6.0 if you use rails.
 
 ## Install
 
@@ -186,6 +182,19 @@ Simply add this configuration to your Flexirest initializer in your app and it w
 Flexirest::Base.api_auth_credentials(@access_id, @secret_key)
 ```
 
+### Faraday
+
+ApiAuth provides a middleware for adding authentication to a Faraday connection:
+
+```ruby
+require 'faraday/api_auth'
+Faraday.new do |f|
+  f.request :api_auth, @access_id, @secret_key
+end
+```
+
+The order of middlewares is important. You should make sure api_auth is last.
+
 ## Server
 
 ApiAuth provides some built in methods to help you generate API keys for your
@@ -289,9 +298,9 @@ the public methods for each driver are required to be implemented by your driver
 
 ## Authors
 
-* [Mauricio Gomes](http://github.com/mgomes)
-* [Kevin Glowacz](http://github.com/kjg)
-* [Florian Wininger](http://github.com/fwininger)
+* [Mauricio Gomes](https://github.com/mgomes)
+* [Kevin Glowacz](https://github.com/kjg)
+* [Florian Wininger](https://github.com/fwininger)
 
 ## Copyright
 

data/VERSION

@@ -1 +1 @@
-2.5.1
+2.6.0

data/api_auth.gemspec

@@ -14,28 +14,29 @@ Gem::Specification.new do |s|
     'rubygems_mfa_required' => 'true'
   }
 
-  s.required_ruby_version = '>= 2.5.0'
+  s.required_ruby_version = '>= 2.6.0'
 
-  s.add_development_dependency 'actionpack', '< 6.2', '> 5.0'
+  s.add_development_dependency 'actionpack', '>= 6.0'
   s.add_development_dependency 'activeresource', '>= 4.0'
-  s.add_development_dependency 'activesupport', '< 6.2', '> 5.0'
+  s.add_development_dependency 'activesupport', '>= 6.0'
   s.add_development_dependency 'amatch'
   s.add_development_dependency 'appraisal'
-  s.add_development_dependency 'curb', '~> 0.8'
+  s.add_development_dependency 'curb', '~> 1.0'
+  # DRb is required for Ruby 3.4+ but must avoid 2.0.6 which breaks Ruby 2.6
+  s.add_development_dependency 'drb', '>= 2.0.4', '< 2.0.6'
   s.add_development_dependency 'faraday', '>= 1.1.0'
+  s.add_development_dependency 'grape', '~> 2.0'
   s.add_development_dependency 'http'
   s.add_development_dependency 'httpi'
   s.add_development_dependency 'multipart-post', '~> 2.0'
   s.add_development_dependency 'pry'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rest-client', '~> 2.0'
-  s.add_development_dependency 'grape', '~> 1.1.0'
-  s.add_development_dependency 'rspec', '~> 3.4'
   s.add_development_dependency 'rexml'
-  s.add_development_dependency 'rubocop'
+  s.add_development_dependency 'rspec', '~> 3.4'
+  s.add_development_dependency 'rubocop', '~> 1.50'
 
   s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 end

data/gemfiles/{rails_52.gemfile → rails_70.gemfile}

@@ -2,8 +2,8 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 5.2"
-gem "activeresource", "~> 5.1"
-gem "activesupport", "~> 5.2"
+gem "actionpack", "~> 7.0"
+gem "activeresource", "~> 6.0"
+gem "activesupport", "~> 7.0"
 
 gemspec path: "../"

data/lib/api_auth/base.rb

@@ -32,9 +32,9 @@ module ApiAuth
     def authentic?(request, secret_key, options = {})
       return false if secret_key.nil?
 
-      options = { override_http_method: nil }.merge(options)
+      options = { override_http_method: nil, authorize_md5: false }.merge(options)
 
-      headers = Headers.new(request)
+      headers = Headers.new(request, authorize_md5: options[:authorize_md5])
 
       # 900 seconds is 15 minutes
       clock_skew = options.fetch(:clock_skew, 900)
@@ -118,5 +118,5 @@ module ApiAuth
     def parse_auth_header(auth_header)
       AUTH_HEADER_PATTERN.match(auth_header)
     end
-  end # class methods
-end # ApiAuth
+  end
+end

data/lib/api_auth/headers.rb

@@ -3,13 +3,13 @@ module ApiAuth
   class Headers
     include RequestDrivers
 
-    def initialize(request)
+    def initialize(request, authorize_md5: false)
       @original_request = request
-      @request = initialize_request_driver(request)
+      @request = initialize_request_driver(request, authorize_md5: authorize_md5)
       true
     end
 
-    def initialize_request_driver(request)
+    def initialize_request_driver(request, authorize_md5: false)
       new_request =
         case request.class.to_s
         when /Net::HTTP/
@@ -29,13 +29,15 @@ module ApiAuth
         when /Grape::Request/
           GrapeRequest.new(request)
         when /ActionDispatch::Request/
-          ActionDispatchRequest.new(request)
+          ActionDispatchRequest.new(request, authorize_md5: authorize_md5)
         when /ActionController::CgiRequest/
           ActionControllerRequest.new(request)
         when /HTTPI::Request/
           HttpiRequest.new(request)
         when /Faraday::Request/
           FaradayRequest.new(request)
+        when /Faraday::Env/
+          FaradayEnv.new(request)
         when /HTTP::Request/
           HttpRequest.new(request)
         end

data/lib/api_auth/helpers.rb

@@ -8,6 +8,10 @@ module ApiAuth
       Digest::SHA256.base64digest(string)
     end
 
+    def md5_base64digest(string)
+      Digest::MD5.base64digest(string)
+    end
+
     # Capitalizes the keys of a hash
     def capitalize_keys(hsh)
       capitalized_hash = {}

data/lib/api_auth/railtie.rb

@@ -18,7 +18,7 @@ module ApiAuth
           ActionController::Base.include(ControllerMethods::InstanceMethods)
         end
       end
-    end # ControllerMethods
+    end
 
     module ActiveResourceExtension # :nodoc:
       module ActiveResourceApiAuth # :nodoc:
@@ -51,11 +51,11 @@ module ApiAuth
             c.api_auth_options = api_auth_options
             c
           end
-        end # class methods
+        end
 
         module InstanceMethods
         end
-      end # BaseApiAuth
+      end
 
       module Connection
         def self.included(base)
@@ -82,7 +82,7 @@ module ApiAuth
 
           request_without_auth(method, path, *arguments)
         end
-      end # Connection
+      end
 
       if defined?(ActiveSupport)
         ActiveSupport.on_load(:active_resource) do
@@ -90,6 +90,6 @@ module ApiAuth
           ActiveResource::Connection.include(Connection)
         end
       end
-    end # ActiveResourceExtension
-  end # Rails
-end # ApiAuth
+    end
+  end
+end

data/lib/api_auth/request_drivers/action_controller.rb

@@ -3,8 +3,9 @@ module ApiAuth
     class ActionControllerRequest # :nodoc:
       include ApiAuth::Helpers
 
-      def initialize(request)
+      def initialize(request, authorize_md5: false)
         @request = request
+        @authorize_md5 = authorize_md5
         fetch_headers
         true
       end
@@ -17,7 +18,9 @@ module ApiAuth
 
       def calculated_hash
         body = @request.raw_post
-        sha256_base64digest(body)
+        hashes = [sha256_base64digest(body)]
+        hashes << md5_base64digest(body) if @authorize_md5
+        hashes
       end
 
       def populate_content_hash
@@ -29,7 +32,7 @@ module ApiAuth
 
       def content_hash_mismatch?
         if @request.put? || @request.post?
-          calculated_hash != content_hash
+          !calculated_hash.include?(content_hash)
         else
           false
         end
@@ -48,7 +51,9 @@ module ApiAuth
       end
 
       def content_hash
-        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256 X_AUTHORIZATION_CONTENT_SHA256 HTTP_X_AUTHORIZATION_CONTENT_SHA256])
+        headers = %w[X-AUTHORIZATION-CONTENT-SHA256 X_AUTHORIZATION_CONTENT_SHA256 HTTP_X_AUTHORIZATION_CONTENT_SHA256]
+        headers += %w[CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5] if @authorize_md5
+        find_header(headers)
       end
 
       def original_uri

data/lib/api_auth/request_drivers/faraday_env.rb

@@ -0,0 +1,102 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    # Internally, Faraday uses the class Faraday::Env to represent requests. The class is not meant
+    # to be directly exposed to users, but this is what Faraday middlewares work with. See
+    # <https://lostisland.github.io/faraday/middleware/>.
+    class FaradayEnv
+      include ApiAuth::Helpers
+
+      def initialize(env)
+        @env = env
+      end
+
+      def set_auth_header(header)
+        @env.request_headers['Authorization'] = header
+        @env
+      end
+
+      def calculated_hash
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return unless %w[POST PUT PATCH].include?(http_method)
+
+        @env.request_headers['X-Authorization-Content-SHA256'] = calculated_hash
+      end
+
+      def content_hash_mismatch?
+        if %w[POST PUT PATCH].include?(http_method)
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def http_method
+        @env.method.to_s.upcase
+      end
+
+      def content_type
+        type = find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+
+        # When sending a body-less POST request, the Content-Type is set at the last minute by the
+        # Net::HTTP adapter, which states in the documentation for Net::HTTP#post:
+        #
+        # > You should set Content-Type: header field for POST. If no Content-Type: field given,
+        # > this method uses “application/x-www-form-urlencoded” by default.
+        #
+        # The same applies to PATCH and PUT. Hopefully the other HTTP adapters behave similarly.
+        #
+        type ||= 'application/x-www-form-urlencoded' if %w[POST PATCH PUT].include?(http_method)
+
+        type
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
+      end
+
+      def request_uri
+        @env.url.request_uri
+      end
+
+      def set_date
+        @env.request_headers['Date'] = Time.now.utc.httpdate
+      end
+
+      def timestamp
+        find_header(%w[DATE HTTP_DATE])
+      end
+
+      def authorization_header
+        find_header(%w[Authorization AUTHORIZATION HTTP_AUTHORIZATION])
+      end
+
+      def body
+        body_source = @env.request_body
+        if body_source.respond_to?(:read)
+          result = body_source.read
+          body_source.rewind
+          result
+        else
+          body_source.to_s
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @env.request_headers
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @env.request_headers[key] }.compact.first
+      end
+    end
+  end
+end

data/lib/api_auth.rb

@@ -14,6 +14,7 @@ require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
 require 'api_auth/request_drivers/httpi'
 require 'api_auth/request_drivers/faraday'
+require 'api_auth/request_drivers/faraday_env'
 require 'api_auth/request_drivers/http'
 
 require 'api_auth/headers'

data/lib/faraday/api_auth/middleware.rb

@@ -0,0 +1,35 @@
+require 'api_auth'
+
+module Faraday
+  module ApiAuth
+    # Request middleware for Faraday. It takes the same arguments as ApiAuth.sign!.
+    #
+    # You will usually need to include it after the other middlewares since ApiAuth needs to hash
+    # the final request.
+    #
+    # Usage:
+    #
+    # ```ruby
+    # require 'faraday/api_auth'
+    #
+    # conn = Faraday.new do |f|
+    #   f.request :api_auth, access_id, secret_key
+    #   # Alternatively:
+    #   # f.use Faraday::ApiAuth::Middleware, access_id, secret_key
+    # end
+    # ```
+    #
+    class Middleware < Faraday::Middleware
+      def initialize(app, access_id, secret_key, options = {})
+        super(app)
+        @access_id = access_id
+        @secret_key = secret_key
+        @options = options
+      end
+
+      def on_request(env)
+        ::ApiAuth.sign!(env, @access_id, @secret_key, @options)
+      end
+    end
+  end
+end

data/lib/faraday/api_auth.rb

@@ -0,0 +1,8 @@
+require_relative 'api_auth/middleware'
+
+module Faraday
+  # Integrate ApiAuth into Faraday.
+  module ApiAuth
+    Faraday::Request.register_middleware(api_auth: Middleware)
+  end
+end

data/spec/api_auth_spec.rb

@@ -24,7 +24,7 @@ describe 'ApiAuth' do
   end
 
   describe '.sign!' do
-    let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
     let(:headers) { ApiAuth::Headers.new(request) }
 
     it 'generates date header before signing' do
@@ -182,7 +182,7 @@ describe 'ApiAuth' do
     context 'normal APIAuth Auth header' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :get,
           headers: { authorization: 'APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )
@@ -196,7 +196,7 @@ describe 'ApiAuth' do
     context 'Corporate prefixed APIAuth header' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :get,
           headers: { authorization: 'Corporate APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )