RubyGems - authorio - Versions diffs - 0.8.4 → 0.8.5 - Mend

authorio 0.8.4 → 0.8.5

Files changed (10) hide show

checksums.yaml +4 -4
data/app/assets/stylesheets/authorio/auth.css +1 -1
data/app/controllers/authorio/auth_controller.rb +26 -37
data/app/models/authorio/request.rb +15 -6
data/app/views/authorio/auth/issue_token.json.jbuilder +1 -1
data/app/views/authorio/users/_profile.json.jbuilder +5 -5
data/app/views/shared/_login_form.html.erb +1 -1
data/db/migrate/20210831155106_add_code_challenge_to_requests.rb +5 -0
data/lib/authorio/version.rb +1 -1
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78659edadab6ff85d24828c318525bac7b62b4a76b9905e0a1d819ec266f9d46
-  data.tar.gz: 817fe77d1c1fd89e68df07a594725997d598e0f0027210d083762da50cb447fd
+  metadata.gz: e4cd85ad8ec9b0e70f4d276f7c600d5cc3ebab5b04f0f0313da9f6151e78d680
+  data.tar.gz: 7ec85565cc8fb4ea711836ab8069f7062929d13af6f1520809095bdee7c859b9
 SHA512:
-  metadata.gz: 8205bfe7bc6798f560da3f56b19f26822653d6f6fb8baac925be38a713f871e1faf90f0492ea25187124cd98db928a7d875da47b53faf14afe1efc6418498dbd
-  data.tar.gz: 3c772c7777f016316911f36573f5d2982ca27a40edb18dcac16782fb380021971feaeea4271adebe411101b39a9bb544d3f27f88dec93d72aae6f0e5adc483fd
+  metadata.gz: 845bc518d44332a7e71eabd020da0f450979dcf35ec35539850ee40b931c270c7c89f6205fa021b27b78b86c07fbcd1b36354c49c79c28d6e5d2b8ea501aad00
+  data.tar.gz: ca1f67ba7804bd630ce55713cfd1c3f2b542f04781583ec165073c1ad0eea829bef439d362af9e302e530da8ccc650736b00039b1151e7559b1cb8b8cdcc64b2

data/app/assets/stylesheets/authorio/auth.css CHANGED Viewed

@@ -50,7 +50,7 @@ div.authorio-auth {
 	margin: 0.1em;
 }
-.authorio-auth .auth-btn-row .auth-btn:last-child {
+.authorio-auth .auth-btn-row .btn-success {
 	float: right;
 }

data/app/controllers/authorio/auth_controller.rb CHANGED Viewed

@@ -2,9 +2,6 @@
 module Authorio
   class AuthController < AuthorioController
-    require 'uri'
-    require 'digest'
     # These API-only endpoints are protected by code challenge and do not need CSRF protextion
     protect_from_forgery with: :exception, except: %i[send_profile issue_token]
@@ -31,22 +28,19 @@ module Authorio
     def authorize_user
       redirect_to session[:client_id] and return if params[:commit] == 'Cancel'
-      user = authenticate_user_from_session_or_password
-      write_session_cookie(user) if auth_user_params[:remember_me]
-      redirect_to_client(user)
+      @user = authenticate_user_from_session_or_password
+      write_session_cookie(@user) if auth_user_params[:remember_me]
+      create_auth_request
+      redirect_to_client
     end
     def send_profile
-      @request = validate_request Request.find_by! code: params[:code]
-    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
-      render oauth_error 'invalid_grant', e.message
+      @auth_request = find_auth_request or (render validation_failed and return)
     end
     def issue_token
-      @request = validate_request Request.find_by! code: params[:code]
-      @token = Token.create_from_request(@request)
-    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
-      render oauth_error 'invalid_grant', e.message
+      @auth_request = find_auth_request or (render validation_failed and return)
+      @token = Token.create_from_request(@auth_request)
     end
     def verify_token
@@ -61,14 +55,10 @@ module Authorio
     def auth_interface_params
       @auth_interface_params ||= begin
-        required = %w[client_id redirect_uri state code_challenge]
-        permitted = %w[me scope code_challenge_method response_type action controller]
-        missing = required - params.keys
-        raise ::ActionController::ParameterMissing, missing unless missing.empty?
-        unpermitted = params.keys - required - permitted
-        raise ::ActionController::UnpermittedParameters, unpermitted unless unpermitted.empty?
+        required = %w[client_id redirect_uri state]
+        permitted = %w[me scope code_challenge_method response_type code_challenge dummy]
+        params.require(required)
+        params.permit(permitted + required)
         params.permit!
       end
     end
@@ -86,27 +76,26 @@ module Authorio
       oauth_error('invalid_token', 'The access token has expired', :unauthorized)
     end
-    def code_challenge_failed?
-      # For now, if original request did not have code challenge, then we pass by default
-      return unless session[:code_challenge]
-      sha256 = Digest::SHA256.hexdigest params[:code_verifier]
-      Base64.urlsafe_encode64(sha256) != session[:code_challenge]
+    def validation_failed
+      oauth_error('invalid_grant', 'validation failed')
     end
-    def validate_request(request)
-      raise Exceptions::InvalidGrant, 'validation failed' if request.invalid?(params) || code_challenge_failed?
+    def find_auth_request
+      auth_request = Request.find_by code: params[:code]
+      auth_request&.validate_oauth params
+    end
-      request
+    def create_auth_request
+      @auth_req = Request.create(client: session[:client_id],
+                                 redirect_uri: session[:redirect_uri],
+                                 code_challenge: (session[:code_challenge] if session.key? :code_challenge),
+                                 scope: (scope_params[:scope].join(' ') if params.key? :scope),
+                                 authorio_user: @user)
     end
-    def redirect_to_client(user)
-      auth_req = Request.create(client: session[:client_id],
-                                redirect_uri: session[:redirect_uri],
-                                scope: (scope_params[:scope].join(' ') if params.key? :scope),
-                                authorio_user: user)
-      redirect_params = { code: auth_req.code, state: session[:state] }
-      redirect_to "#{auth_req.redirect_uri}?#{redirect_params.to_query}"
+    def redirect_to_client
+      redirect_params = { code: @auth_req.code, state: session[:state] }
+      redirect_to "#{@auth_req.redirect_uri}?#{redirect_params.to_query}"
     end
     def authenticate_user_from_session_or_password

data/app/models/authorio/request.rb CHANGED Viewed

@@ -16,10 +16,20 @@ module Authorio
       self.client = value
     end
-    def invalid?(params)
-      redirect_uri != params[:redirect_uri] ||
-        client != params[:client_id] ||
-        created_at < Time.now - 10.minutes
+    def validate_oauth(params)
+      redirect_uri == params[:redirect_uri] &&
+        client == params[:client_id] &&
+        created_at > 10.minutes.ago &&
+        code_challenge_matches(params[:code_verifier]) &&
+        self
+    end
+    def code_challenge_matches(verifier)
+      # For now, if original request did not have code challenge, then we pass by default
+      return true if code_challenge.blank?
+      sha256 = Digest::SHA256.digest verifier
+      Base64.urlsafe_encode64(sha256).sub(/=*$/, '') == code_challenge
     end
     def self.user_scope_description(scope)
@@ -38,8 +48,7 @@ module Authorio
     USER_SCOPE_DESCRIPTION = {
       profile: 'View basic profile information',
-      email: 'View your email address',
-      offline_access: 'Keep you logged in permanently (until revoked)'
+      email: 'View your email address'
     }.freeze
   end
 end

data/app/views/authorio/auth/issue_token.json.jbuilder CHANGED Viewed

@@ -4,4 +4,4 @@ json.access_token @token.auth_token
 json.expires_in Authorio.configuration.token_expiration
 json.token_type 'Bearer'
 json.scope @token.scope
-json.partial! 'authorio/users/profile', request: @request
+json.partial! 'authorio/users/profile', request: @auth_request

data/app/views/authorio/users/_profile.json.jbuilder CHANGED Viewed

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
-json.me profile_url(request.authorio_user)
-if request.scope&.include? 'profile'
+json.me profile_url(@auth_request.authorio_user)
+if @auth_request.scope&.include? 'profile'
   json.profile do
-    json.name(request.authorio_user.full_name)
-    json.call(request.authorio_user, :url, :photo)
-    json.email(request.authorio_user.email) if request.scope.include?('email')
+    json.name(@auth_request.authorio_user.full_name)
+    json.call(@auth_request.authorio_user, :url, :photo)
+    json.email(@auth_request.authorio_user.email) if @auth_request.scope.include?('email')
   end
 end

data/app/views/shared/_login_form.html.erb CHANGED Viewed

@@ -33,9 +33,9 @@
     <% end %>
   <% end -%>
   <div class='auth-btn-row'>
+    <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
     <% if cancel %>
       <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>
     <% end %>
-    <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
   </div>
 <% end %>

data/db/migrate/20210831155106_add_code_challenge_to_requests.rb ADDED Viewed

@@ -0,0 +1,5 @@
+class AddCodeChallengeToRequests < ActiveRecord::Migration[6.1]
+  def change
+    add_column :authorio_requests, :code_challenge, :string
+  end
+end

data/lib/authorio/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Authorio
-  VERSION = '0.8.4'
+  VERSION = '0.8.5'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorio
 version: !ruby/object:Gem::Version
-  version: 0.8.4
+  version: 0.8.5
 platform: ruby
 authors:
 - Michael Meckler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-25 00:00:00.000000000 Z
+date: 2021-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -157,6 +157,7 @@ files:
 - db/migrate/20210726164625_create_authorio_sessions.rb
 - db/migrate/20210801184120_add_profile_to_users.rb
 - db/migrate/20210817010101_change_path_to_username_in_users.rb
+- db/migrate/20210831155106_add_code_challenge_to_requests.rb
 - lib/authorio.rb
 - lib/authorio/configuration.rb
 - lib/authorio/engine.rb
@@ -187,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.11
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Indieauth Authentication endpoint for Rails