gds-sso 20.0.0 → 21.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ce653302bc22f4fd60d83307eff612eac4a491eff439eed0c602c288d798ef9
-  data.tar.gz: de16391f9abe70acb77dbb6b00ca2b2f3e5da82965777bf281099e03e8420204
+  metadata.gz: 1cce044b9dcc019806b1a70222fb30c99abce4df707245ae7c4d795b92bba8d7
+  data.tar.gz: 966b8b0c9ef7b95ee5ec5229c8f087f1870447d4281b1b7b6bcc5fc5627155a6
 SHA512:
-  metadata.gz: 51ad269ab4ba83b3b21c8fe9cdcc8b713c3b14c98e2068a4f6c06b198f75e7641ad087b15422bffabfcb5313e43ba255dce86f5ed6ea7ab6c0c8b92b151656ec
-  data.tar.gz: 261cae8502648293bdd629d09379df37efd5ca632ffb0360463807d609174c9f532ebdce31993a48e55f6fd3576a09c792209a907c7647daa549b62623f044c3
+  metadata.gz: 3f3fe06419fd98b0018ff60ce33f45fe6a0173ac2c632009f2ece0d821539ae12503ad5f0a85716d2db16811e3e3bff4e234122ebff71a708fbcba13339bee78
+  data.tar.gz: eb36c389d730f589805c6e17bbdcdbf30f545cd2874431283082a437b0668312e5be7faa062f58149f9e5ea11f653c6ff52e67acace2213ad28f9383896912dc

data/README.md

@@ -90,7 +90,7 @@ Authorization: Bearer your-token-here
 
 To avoid making these requests for each incoming request, this gem will [automatically cache a successful response](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/bearer_token.rb), using the [Rails cache](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/railtie.rb).
 
-If you are using a Rails 5 app in
+If you are using a Rails app in
 [api_only](http://guides.rubyonrails.org/api_app.html) mode this gem will
 automatically disable the oauth layers which use session persistence. You can
 configure this gem to be in api_only mode (or not) with:
@@ -103,6 +103,19 @@ GDS::SSO.config do |config|
 end
 ```
 
+For apps that have both usage of web and API you can configure a lambda to
+match your API endpoints to ensure they don't support session auth and return
+JSON error messages:
+
+
+```ruby
+GDS::SSO.config do |config|
+  # ...
+  #
+  config.api_request_matcher = ->(request) { request.path.start_with?("/api/") }
+end
+```
+
 ### Use in production mode
 
 To use gds-sso in production you will need to setup the following environment variables, which we look for in [the config](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/config.rb). You will need to have admin access to Signon to get these.

data/lib/gds-sso/api_access.rb

@@ -1,8 +1,29 @@
+require "rack/request"
+
 module GDS
   module SSO
     class ApiAccess
       def self.api_call?(env)
-        env["HTTP_AUTHORIZATION"].to_s =~ /\ABearer /
+        return env["gds_sso.api_call"] unless env["gds_sso.api_call"].nil?
+        return true if GDS::SSO::Config.api_only
+
+        if GDS::SSO::Config.api_request_matcher
+          return GDS::SSO::Config.api_request_matcher.call(Rack::Request.new(env))
+        end
+
+        !bearer_token(env).nil?
+      end
+
+      def self.bearer_token(env)
+        Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |key|
+          next unless env.key?(key)
+
+          if (match = env[key].match(/\ABearer (.+)/))
+            return match[1]
+          end
+        end
+
+        nil
       end
     end
   end

data/lib/gds-sso/authorised_user_constraint.rb

@@ -6,10 +6,9 @@ module GDS
       end
 
       def matches?(request)
-        warden = request.env["warden"]
-        warden.authenticate! if !warden.authenticated? || warden.user.remotely_signed_out?
+        user = GDS::SSO.authenticate_user!(request.env["warden"])
 
-        GDS::SSO::AuthoriseUser.call(warden.user, permissions)
+        GDS::SSO::AuthoriseUser.call(user, permissions)
         true
       end
 

data/lib/gds-sso/bearer_token.rb

@@ -6,6 +6,8 @@ module GDS
   module SSO
     module BearerToken
       def self.locate(token_string)
+        return if token_string.nil? || token_string.empty?
+
         user_details = GDS::SSO::Config.cache.fetch(["api-user-cache", token_string], expires_in: 5.minutes) do
           access_token = OAuth2::AccessToken.new(oauth_client, token_string)
           response_body = access_token.get("/user.json?client_id=#{CGI.escape(GDS::SSO::Config.oauth_id)}").body
@@ -56,7 +58,9 @@ module GDS
 
     module MockBearerToken
       def self.locate(_token_string)
-        dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
+        return GDS::SSO.test_user if GDS::SSO.test_user
+
+        dummy_api_user = GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
         if dummy_api_user.nil?
           dummy_api_user = GDS::SSO::Config.user_klass.new
           dummy_api_user.email = "dummyapiuser@domain.com"

data/lib/gds-sso/config.rb

@@ -29,6 +29,8 @@ module GDS
 
       mattr_accessor :api_only
 
+      mattr_accessor :api_request_matcher
+
       mattr_accessor :intercept_401_responses
       @@intercept_401_responses = true
 

data/lib/gds-sso/controller_methods.rb

@@ -4,17 +4,9 @@ module GDS
     end
 
     module ControllerMethods
-      # TODO: remove this for the next major release
-      class PermissionDeniedException < PermissionDeniedError
-        def initialize(...)
-          warn "GDS::SSO::ControllerMethods::PermissionDeniedException is deprecated, please replace with GDS::SSO::PermissionDeniedError"
-          super(...)
-        end
-      end
-
       def self.included(base)
         base.rescue_from PermissionDeniedError do |e|
-          if GDS::SSO::Config.api_only
+          if GDS::SSO::ApiAccess.api_call?(request.env)
             render json: { message: e.message }, status: :forbidden
           else
             render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: e.message }

data/lib/gds-sso/failure_app.rb

@@ -6,20 +6,19 @@ require "rails"
 module GDS
   module SSO
     class FailureApp < ActionController::Metal
-      include ActionController::UrlFor
       include ActionController::Redirecting
       include AbstractController::Rendering
       include ActionController::Rendering
       include ActionController::Renderers
       use_renderers :json
 
-      include Rails.application.routes.url_helpers
-
       def self.call(env)
-        if GDS::SSO::ApiAccess.api_call?(env)
-          action(:api_invalid_token).call(env)
-        elsif GDS::SSO::Config.api_only
-          action(:api_missing_token).call(env)
+        if env["gds_sso.api_call"]
+          if env["gds_sso.api_bearer_token_present"]
+            action(:api_invalid_token).call(env)
+          else
+            action(:api_missing_token).call(env)
+          end
         else
           action(:redirect).call(env)
         end

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "20.0.0".freeze
+    VERSION = "21.0.0".freeze
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -6,6 +6,12 @@ def logger
   Rails.logger || env["rack.logger"]
 end
 
+Warden::Manager.on_request do |proxy|
+  proxy.env["gds_sso.api_call"] ||= ::GDS::SSO::ApiAccess.api_call?(proxy.env)
+  proxy.env["gds_sso.api_bearer_token_present"] ||=
+    proxy.env["gds_sso.api_call"] && !::GDS::SSO::ApiAccess.bearer_token(proxy.env).nil?
+end
+
 Warden::Manager.after_authentication do |user, _auth, _opts|
   # We've successfully signed in.
   # If they were remotely signed out, clear the flag as they're no longer suspended
@@ -35,7 +41,7 @@ end
 
 Warden::Strategies.add(:gds_sso) do
   def valid?
-    !::GDS::SSO::ApiAccess.api_call?(env)
+    !env["gds_sso.api_call"]
   end
 
   def authenticate!
@@ -61,11 +67,32 @@ end
 Warden::OAuth2.configure do |config|
   config.token_model = GDS::SSO::Config.use_mock_strategies? ? GDS::SSO::MockBearerToken : GDS::SSO::BearerToken
 end
-Warden::Strategies.add(:gds_bearer_token, Warden::OAuth2::Strategies::Bearer)
+
+# We're using our own bearer token strategy rather than the one in Warden::OAuth2
+# so that we can have all requests match either a bearer token or a session
+# strategy. It also allows us to avoid multiple DB queries to locate a user.
+Warden::Strategies.add(:gds_bearer_token, Class.new(Warden::OAuth2::Strategies::Token)) do
+  def valid?
+    env["gds_sso.api_call"]
+  end
+
+  def token_string
+    @token_string ||= GDS::SSO::ApiAccess.bearer_token(env)
+  end
+
+  def token
+    # Using a defined? based memo approach over @token ||= so that we can set
+    # @token to nil and not re-evaluate the assignment.
+    return @token if defined? @token
+
+    @token = Warden::OAuth2.config.token_model.locate(token_string)
+    @token
+  end
+end
 
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
-    !::GDS::SSO::ApiAccess.api_call?(env)
+    !env["gds_sso.api_call"]
   end
 
   def authenticate!

data/lib/gds-sso.rb

@@ -25,6 +25,12 @@ module GDS
       yield GDS::SSO::Config
     end
 
+    def self.authenticate_user!(warden)
+      warden.authenticate! if !warden.authenticated? || warden.user.remotely_signed_out?
+
+      warden.user
+    end
+
     class Engine < ::Rails::Engine
       # Force routes to be loaded if we are doing any eager load.
       # TODO - check this one - Stolen from Devise because it looked sensible...

data/spec/system/authentication_and_authorisation_spec.rb

@@ -80,6 +80,16 @@ RSpec.describe "Authenication and authorisation" do
       end
     end
 
+    it "restricts access when the request doesn't match the api_request_matcher" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      visit "/restricted"
+      expect(page.status_code).to eql(302)
+      expect(page.response_headers["Location"]).to match("/auth/gds")
+    end
+
     it "allows access when given a valid bearer token" do
       stub_signon_user_request
       page.driver.header("Authorization", "Bearer 123")
@@ -95,13 +105,57 @@ RSpec.describe "Authenication and authorisation" do
 
       visit "/restricted"
       expect(page.status_code).to eq(401)
+      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_token"')
+      expect_json_response({ "message" => "Bearer token does not appear to be valid" })
     end
 
-    it "returns a 401 when a bearer token is missing and the app is api_only" do
+    it "returns a JSON 401 when a bearer token is missing and the app is api_only" do
       allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
 
       visit "/restricted"
       expect(page.status_code).to eq(401)
+      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_request"')
+      expect_json_response({ "message" => "No bearer token was provided" })
+    end
+
+    it "returns a JSON 401 when a bearer token is missing and the request matches the api_request_matcher" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(request) { request.path == "/restricted" })
+
+      visit "/restricted"
+      expect(page.status_code).to eq(401)
+      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_request"')
+      expect_json_response({ "message" => "No bearer token was provided" })
+    end
+  end
+
+  context "when accessing a route that requires authentication with the mock strategies" do
+    before do
+      # Using allow_any_instance_of because it's hard to access the instance
+      # of the class used within the Rails middleware
+      allow_any_instance_of(Warden::Config).to receive(:[]).and_call_original
+      allow_any_instance_of(Warden::Config)
+        .to receive(:[])
+        .with(:default_strategies)
+        .and_return({ _all: %i[mock_gds_sso gds_bearer_token] })
+
+      allow(Warden::OAuth2.config).to receive(:token_model).and_return(GDS::SSO::MockBearerToken)
+      allow(GDS::SSO).to receive(:test_user).and_return(TestUser.new)
+    end
+
+    it "allows access without being logged in" do
+      visit "/restricted"
+      expect(page.status_code).to eq(200)
+      expect(page.body).to have_content("restricted kablooie")
+    end
+
+    it "allows access to an API mock user" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      visit "/restricted"
+      expect(page.status_code).to eq(200)
+      expect(page.body).to have_content("restricted kablooie")
     end
   end
 
@@ -116,6 +170,20 @@ RSpec.describe "Authenication and authorisation" do
       stub_signon_authenticated
       visit "/this-requires-execute-permission"
       expect(page.status_code).to eq(403)
+      expect(page).to have_content("Sorry, you don't seem to have the execute permission for this app.")
+    end
+
+    it "returns a JSON response when it's an API call" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(request) { request.path == "/this-requires-execute-permission" })
+
+      stub_signon_user_request
+      page.driver.header("Authorization", "Bearer 123")
+
+      visit "/this-requires-execute-permission"
+      expect(page.status_code).to eq(403)
+      expect_json_response({ "message" => "Sorry, you don't seem to have the execute permission for this app." })
     end
   end
 
@@ -169,4 +237,9 @@ RSpec.describe "Authenication and authorisation" do
         headers: { content_type: "application/json" },
       )
   end
+
+  def expect_json_response(json_match)
+    expect(page.response_headers["content-type"]).to match(/application\/json/)
+    expect(JSON.parse(page.body)).to match(json_match)
+  end
 end

data/spec/unit/api_access_spec.rb

@@ -1,17 +1,71 @@
 require "spec_helper"
 require "gds-sso/api_access"
+require "rack/mock_request"
 
 describe GDS::SSO::ApiAccess do
-  it "should not consider IE7 accept header as an api call" do
-    ie7_accept_header = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, " \
-      "application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, " \
-      "application/x-ms-application, */*"
-    expect(GDS::SSO::ApiAccess.api_call?("HTTP_ACCEPT" => ie7_accept_header)).to be_falsey
+  describe ".api_call?" do
+    it "returns true if the rack env has already been tagged as an api_call" do
+      expect(described_class.api_call?({ "gds_sso.api_call" => true })).to be(true)
+    end
+
+    it "returns false if the rack env has already been tagged as not an api_call" do
+      expect(described_class.api_call?({ "gds_sso.api_call" => false })).to be(false)
+    end
+
+    it "returns true if GDS::SSO has been configured as api_only" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      expect(described_class.api_call?({})).to be(true)
+    end
+
+    it "returns true if the request matches the api_request_matcher" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(request) { request.path == "/api" })
+
+      env = Rack::MockRequest.env_for("/api")
+      expect(described_class.api_call?(env)).to be(true)
+    end
+
+    it "returns false if the request doesn't match the api_request_matcher" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(request) { request.path == "/api" })
+
+      env = Rack::MockRequest.env_for("/other")
+      expect(described_class.api_call?(env)).to be(false)
+    end
+
+    it "returns true if a bearer token is present" do
+      env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+      expect(described_class.api_call?(env)).to be(true)
+    end
+
+    it "returns false otherwise" do
+      expect(described_class.api_call?({})).to be(false)
+    end
   end
 
-  context "with a bearer token" do
-    it "it is considered an api call" do
-      expect(GDS::SSO::ApiAccess.api_call?("HTTP_AUTHORIZATION" => "Bearer deadbeef12345678")).to be_truthy
+  describe ".bearer_token" do
+    it "returns a bearer token set in a HTTP_AUTHORIZATION header" do
+      env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+      expect(described_class.bearer_token(env)).to eq("1234:5678")
+    end
+
+    it "returns nil for an empty bearer token in the HTTP_AUTHORIZATION header" do
+      env = { "HTTP_AUTHORIZATION" => "Bearer " }
+      expect(described_class.bearer_token(env)).to be_nil
+    end
+
+    it "supports all the authorization headers configured in Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS" do
+      Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |header|
+        env = { header => "Bearer 1234" }
+        expect(described_class.bearer_token(env)).to eq("1234")
+      end
+    end
+
+    it "returns nil if a bearer token isn't set" do
+      expect(described_class.bearer_token({})).to be_nil
     end
   end
 end

data/spec/unit/authorised_user_constraint_spec.rb

@@ -3,48 +3,25 @@ require "gds-sso/authorised_user_constraint"
 
 describe GDS::SSO::AuthorisedUserConstraint do
   before do
+    allow(GDS::SSO).to receive(:authenticate_user!).and_return(user)
     allow(GDS::SSO::AuthoriseUser).to receive(:call).and_return(true)
   end
 
   describe "#matches?" do
-    let(:user) { double("user", remotely_signed_out?: remotely_signed_out) }
-    let(:warden) do
-      double(
-        "warden",
-        authenticated?: user_authenticated,
-        user:,
-        authenticate!: nil,
-      )
-    end
-    let(:user_authenticated) { true }
-    let(:remotely_signed_out) { false }
+    let(:user) { TestUser.new }
+    let(:warden) { instance_double("Warden::Proxy") }
     let(:request) { double("request", env: { "warden" => warden }) }
 
-    it "authorises the user" do
-      expect(GDS::SSO::AuthoriseUser).to receive(:call).with(warden.user, %w[signin])
-      expect(warden).not_to receive(:authenticate!)
+    it "authenticates the user" do
+      expect(GDS::SSO).to receive(:authenticate_user!).with(warden)
 
       described_class.new(%w[signin]).matches?(request)
     end
 
-    context "when the user is not authenticated" do
-      let(:user_authenticated) { false }
-
-      it "authenticates the user" do
-        expect(warden).to receive(:authenticate!)
-
-        described_class.new(%w[signin]).matches?(request)
-      end
-    end
-
-    context "when the user is remotely signed out" do
-      let(:remotely_signed_out) { true }
-
-      it "authenticates the user" do
-        expect(warden).to receive(:authenticate!)
+    it "authorises the user" do
+      expect(GDS::SSO::AuthoriseUser).to receive(:call).with(user, %w[signin])
 
-        described_class.new(%w[signin]).matches?(request)
-      end
+      described_class.new(%w[signin]).matches?(request)
     end
   end
 end

data/spec/unit/bearer_token_spec.rb

@@ -25,5 +25,13 @@ describe GDS::SSO::BearerToken do
 
       expect(same_user_again.id).to eql(created_user.id)
     end
+
+    it "returns nil for a nil token string" do
+      expect(described_class.locate(nil)).to be_nil
+    end
+
+    it "returns nil for an empty token string" do
+      expect(described_class.locate("")).to be_nil
+    end
   end
 end

data/spec/unit/gds_sso_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+
+describe GDS::SSO do
+  describe "#authenticate_user!" do
+    let(:user) { TestUser.new }
+    let(:warden) do
+      instance_double("Warden::Proxy",
+                      authenticate!: true,
+                      authenticated?: false,
+                      user:)
+    end
+
+    context "when a user is not already authenticated" do
+      it "authenticates the user and returns the user object" do
+        expect(described_class.authenticate_user!(warden)).to be(user)
+        expect(warden).to have_received(:authenticate!)
+      end
+    end
+
+    context "when a user is already authenticated and not remotely signed out" do
+      it "doesn't reauthenticate the user" do
+        allow(warden).to receive(:authenticated?).and_return(true)
+        expect(described_class.authenticate_user!(warden)).to be(user)
+
+        expect(warden).not_to have_received(:authenticate!)
+      end
+    end
+
+    context "when a user is already authenticated and remotely signed out" do
+      it "authenticates the user again" do
+        user.remotely_signed_out = true
+        expect(described_class.authenticate_user!(warden)).to be(user)
+        expect(warden).to have_received(:authenticate!)
+      end
+    end
+  end
+end

data/spec/unit/mock_bearer_token_spec.rb

@@ -2,21 +2,54 @@ require "spec_helper"
 require "gds-sso/bearer_token"
 
 describe GDS::SSO::MockBearerToken do
-  it "updates the permissions of the user" do
-    # setup - ensure extra mock permissions required are nil and
-    # call .locate to create the dummy user initially
-    GDS::SSO::Config.additional_mock_permissions_required = nil
-    dummy_user = subject.locate("ABC")
-    expect(dummy_user.permissions).to match_array(%w[signin])
-
-    # add an extra permission
-    GDS::SSO::Config.additional_mock_permissions_required = "extra_permission"
-
-    # ensure the dummy user is returned
-    expect(GDS::SSO).to receive(:test_user).and_return(dummy_user)
-
-    # call .locate again...this should update our permissions
-    dummy_user_two = subject.locate("ABC")
-    expect(dummy_user_two.permissions).to match_array(%w[signin extra_permission])
+  describe ".locate" do
+    it "returns a GDS::SSO.test_user if one is set" do
+      test_user = TestUser.new
+      allow(GDS::SSO).to receive(:test_user).and_return(test_user)
+
+      expect(described_class.locate("anything")).to be(test_user)
+    end
+
+    it "doesn't modify the permissions of GDS::SSO.test_user" do
+      test_user = TestUser.new(permissions: [])
+      allow(GDS::SSO).to receive(:test_user).and_return(test_user)
+      allow(GDS::SSO::Config).to receive(:permissions_for_dummy_api_user)
+        .and_return(%w[signin extra_permission])
+
+      expect(described_class.locate("anything")).to be(test_user)
+      expect(test_user.permissions).not_to include("extra_permission")
+    end
+
+    it "returns a user with dummyapiuser@domain.com if one exists" do
+      test_user = TestUser.new
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(TestUser).to receive(:where).and_return([test_user])
+
+      expect(described_class.locate("anything")).to be(test_user)
+      expect(TestUser).to have_received(:where).with(email: "dummyapiuser@domain.com")
+    end
+
+    it "creates a user with dummyapiuser@domain.com if one does not exist" do
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(nil)
+      allow(TestUser).to receive(:where).and_return([])
+
+      test_user = described_class.locate("anything")
+      expect(test_user).to be_an_instance_of(TestUser)
+      expect(test_user).to have_attributes(email: "dummyapiuser@domain.com",
+                                           name: "Dummy API user created by gds-sso",
+                                           permissions: %w[signin])
+    end
+
+    it "uses GDS::SSO::Config to overwrite any existing permissions" do
+      test_user = TestUser.new(permissions: %w[signin other_permission])
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(TestUser).to receive(:where).and_return([test_user])
+      allow(GDS::SSO::Config).to receive(:permissions_for_dummy_api_user)
+        .and_return(%w[signin extra_permission])
+
+      test_user = described_class.locate("anything")
+      expect(test_user.permissions).to match_array(%w[signin extra_permission])
+    end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 20.0.0
+  version: 21.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
 bindir: bin
 cert_chain: []
-date: 2025-03-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -65,6 +65,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -271,6 +285,7 @@ files:
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
 - spec/unit/session_serialisation_spec.rb
@@ -293,7 +308,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.6
+rubygems_version: 3.7.1
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
 test_files:
@@ -318,6 +333,7 @@ test_files:
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
 - spec/unit/session_serialisation_spec.rb