google_sign_in 0.1.4 → 1.0.0

data/SECURITY.md

@@ -0,0 +1,15 @@
+# Google-Sign in for Rails: Security
+
+Security is of utmost importance in an authentication library like Google Sign-In for Rails. We at Basecamp use this plugin in our own apps, so we have a vested interest in investigating and mitigating all reported vulnerabilities. We welcome responsible security reviews and reports from our peers in the open-source software community and strive to acknowledge such valuable contributions.
+
+
+## Reporting a vulnerability
+
+Send urgent or sensitive reports to **<security@basecamp.com>**. If necessary, use our [public key] to protect your message and provide us with a secure way to respond. We’ll get back to you as soon as we can—usually within one business day. Please follow up or [ping us on Twitter][twitter] if you don’t hear back. For non-urgent or non-sensitive requests, please contact our [support team][support].
+
+Read more about our security response policy [on our website][policy].
+
+[public key]: https://basecamp.com/about/policies/security/Basecamp-security.pub
+[twitter]: https://twitter.com/basecamp
+[support]: https://basecamp.com/support
+[policy]: https://basecamp.com/about/policies/security/response

data/app/controllers/google_sign_in/authorizations_controller.rb

@@ -0,0 +1,17 @@
+require 'securerandom'
+
+class GoogleSignIn::AuthorizationsController < GoogleSignIn::BaseController
+  def create
+    redirect_to login_url(scope: 'openid profile email', state: state),
+      flash: { proceed_to: params.require(:proceed_to), state: state }
+  end
+
+  private
+    def login_url(**params)
+      client.auth_code.authorize_url(prompt: 'login', **params)
+    end
+
+    def state
+      @state ||= SecureRandom.base64(16)
+    end
+end

data/app/controllers/google_sign_in/base_controller.rb

@@ -0,0 +1,15 @@
+require 'oauth2'
+
+class GoogleSignIn::BaseController < ActionController::Base
+  protect_from_forgery with: :exception
+
+  private
+    def client
+      @client ||= OAuth2::Client.new \
+        GoogleSignIn.client_id,
+        GoogleSignIn.client_secret,
+        authorize_url: 'https://accounts.google.com/o/oauth2/auth',
+        token_url: 'https://www.googleapis.com/oauth2/v3/token',
+        redirect_uri: callback_url
+    end
+end

data/app/controllers/google_sign_in/callbacks_controller.rb

@@ -0,0 +1,27 @@
+require_dependency 'google_sign_in/redirect_protector'
+
+class GoogleSignIn::CallbacksController < GoogleSignIn::BaseController
+  def show
+    if valid_request?
+      redirect_to proceed_to_url, flash: { google_sign_in_token: id_token }
+    else
+      head :unprocessable_entity
+    end
+  rescue GoogleSignIn::RedirectProtector::Violation => error
+    logger.error error.message
+    head :bad_request
+  end
+
+  private
+    def valid_request?
+      flash[:state].present? && params.require(:state) == flash[:state]
+    end
+
+    def proceed_to_url
+      flash[:proceed_to].tap { |url| GoogleSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
+    end
+
+    def id_token
+      client.auth_code.get_token(params.require(:code))['id_token']
+    end
+end

data/app/helpers/google_sign_in/button_helper.rb

@@ -0,0 +1,7 @@
+module GoogleSignIn::ButtonHelper
+  def google_sign_in_button(text = nil, proceed_to:, **options, &block)
+    form_with url: google_sign_in.authorization_path do
+      hidden_field_tag(:proceed_to, proceed_to, id: nil) + button_tag(text, name: nil, **options, &block)
+    end
+  end
+end

data/bin/rails

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails gems
+# installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('..', __dir__)
+ENGINE_PATH = File.expand_path('../lib/blorgh/engine', __dir__)
+APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+
+require 'rails'
+require 'action_controller/railtie'
+require 'rails/test_unit/railtie'
+require 'rails/engine/commands'

data/config/routes.rb

@@ -0,0 +1,4 @@
+GoogleSignIn::Engine.routes.draw do
+  resource :authorization, only: :create
+  resource :callback, only: :show
+end

data/google_sign_in.gemspec

@@ -1,19 +1,22 @@
 Gem::Specification.new do |s|
   s.name     = 'google_sign_in'
-  s.version  = '0.1.4'
-  s.authors  = 'David Heinemeier Hansson'
-  s.email    = 'david@basecamp.com'
+  s.version  = '1.0.0'
+  s.authors  = ['David Heinemeier Hansson', 'George Claghorn']
+  s.email    = ['david@basecamp.com', 'george@basecamp.com']
   s.summary  = 'Sign in (or up) with Google for Rails applications'
   s.homepage = 'https://github.com/basecamp/google_sign_in'
   s.license  = 'MIT'
 
   s.required_ruby_version = '>= 1.9.3'
 
-  s.add_dependency 'activesupport', '>= 5.1'
+  s.add_dependency 'rails', '>= 5.2.0'
   s.add_dependency 'google-id-token', '>= 1.4.0'
+  s.add_dependency 'oauth2', '>= 1.4.0'
 
   s.add_development_dependency 'bundler', '~> 1.15'
+  s.add_development_dependency 'jwt'
+  s.add_development_dependency 'webmock'
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.files      = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
 end

data/lib/google_sign_in.rb

@@ -1,2 +1,10 @@
+require 'active_support'
+require 'active_support/rails'
+
+module GoogleSignIn
+  mattr_accessor :client_id
+  mattr_accessor :client_secret
+end
+
 require 'google_sign_in/identity'
-require 'google_sign_in/railtie' if defined?(Rails)
+require 'google_sign_in/engine' if defined?(Rails)

data/lib/google_sign_in/engine.rb

@@ -0,0 +1,28 @@
+require 'rails/engine'
+
+module GoogleSignIn
+  class Engine < ::Rails::Engine
+    isolate_namespace GoogleSignIn
+
+    config.google_sign_in = ActiveSupport::OrderedOptions.new
+
+    initializer 'google_sign_in.config' do |app|
+      config.after_initialize do
+        GoogleSignIn.client_id     = config.google_sign_in.client_id || app.credentials.dig(:google_sign_in, :client_id)
+        GoogleSignIn.client_secret = config.google_sign_in.client_secret || app.credentials.dig(:google_sign_in, :client_secret)
+      end
+    end
+
+    initializer 'google_sign_in.helpers' do
+      ActiveSupport.on_load :action_controller do
+        ActionController::Base.helper GoogleSignIn::Engine.helpers
+      end
+    end
+
+    initializer 'google_sign_in.mount' do |app|
+      app.routes.append do
+        mount GoogleSignIn::Engine, at: app.config.google_sign_in.root || 'google_sign_in'
+      end
+    end
+  end
+end

data/lib/google_sign_in/identity.rb

@@ -1,21 +1,15 @@
 require 'google-id-token'
-require 'active_support/core_ext/class/attribute'
-require 'active_support/core_ext/numeric/time'
+require 'active_support/core_ext/module/delegation'
 
 module GoogleSignIn
   class Identity
-    class_attribute :client_id
+    class ValidationError < StandardError; end
 
-    class_attribute :token_expiry
-    self.token_expiry = 5.minutes
-
-    class_attribute :logger
-    self.logger = defined?(Rails) ? Rails.logger : Logger.new(STDOUT)
+    class_attribute :validator, default: GoogleIDToken::Validator.new
 
     def initialize(token)
       ensure_client_id_present
       set_extracted_payload(token)
-      ensure_proper_audience
     end
 
     def user_id
@@ -31,7 +25,7 @@ module GoogleSignIn
     end
 
     def email_verified?
-      @payload["email_verified"] == "true"
+      @payload["email_verified"] == true
     end
 
     def avatar_url
@@ -43,6 +37,8 @@ module GoogleSignIn
     end
 
     private
+      delegate :client_id, to: GoogleSignIn
+
       def ensure_client_id_present
         if client_id.blank?
           raise ArgumentError, "GoogleSignIn.client_id must be set to validate identity"
@@ -50,16 +46,9 @@ module GoogleSignIn
       end
 
       def set_extracted_payload(token)
-        @payload = GoogleIDToken::Validator.new(expiry: token_expiry).check(token, client_id)
-      rescue GoogleIDToken::ValidationError => e
-        logger.error "Google token failed to validate (#{e.message})"
-        @payload = {}
-      end
-
-      def ensure_proper_audience
-        unless @payload["aud"].include?(client_id)
-          raise "Failed to locate the client_id #{client_id} in the authorized audience (#{@payload["aud"]})"
-        end
+        @payload = validator.check(token, client_id)
+      rescue GoogleIDToken::ValidationError => error
+        raise ValidationError, error.message
       end
   end
-end
+end

data/lib/google_sign_in/redirect_protector.rb

@@ -0,0 +1,25 @@
+require 'uri'
+
+module GoogleSignIn
+  module RedirectProtector
+    extend self
+
+    class Violation < StandardError; end
+
+    QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
+
+    def ensure_same_origin(target, source)
+      if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
+        raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
+      end
+    end
+
+    private
+      def origin_of(url)
+        uri = URI(url)
+        "#{uri.scheme}://#{uri.host}:#{uri.port}"
+      rescue ArgumentError
+        nil
+      end
+  end
+end

data/test/certificate.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAQIBADANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDDCRnb29n
+bGUtc2lnbi1pbi1mb3ItcmFpbHMuZXhhbXBsZS5jb20wHhcNMTgwOTAyMjI0MTQw
+WhcNMjMwOTAyMjI0MTQwWjAvMS0wKwYDVQQDDCRnb29nbGUtc2lnbi1pbi1mb3It
+cmFpbHMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCtnO1OcLbdxj4f6I/aUMJkCJfrDNvp0v2ljUJoaq6hqWPmoZgcl92njBvt91np
+JPfGaCy0ZYLfizUNBRKkfo6u3MXvubktYqk3SVCejy0TUE11PwRx1u/x0c2rCTa6
+Y7ppAoO9Ur3yoccDmkceP8MpofHWetrdaxyhktlqy6gpM7V+kjj+anySQk4XqDJl
+F4FXHt82HMNK3xbjXJyEoyMudGUISBDn/rG8b3LxEKawUiLVCI54g3+L/Oi4nZCE
+XNCd/mvWpVFoPpFQGMoKW3S9KxFowvfkDSxWYwgYnWnsO0ueXS+WYML88KO1Qf7V
+mEZ91u7w1/EiMVxiuczxycSfAgMBAAGjODA2MAwGA1UdEwEB/wQCMAAwDgYDVR0P
+AQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUA
+A4IBAQCVXynTCZhpbINC4j1prGaPfY6mRkCZzcRpQFim4C6hJtYSRn57qjpmYWG3
+eVc3ElfNUAWgC3trACjN3hDqKv0/hH9TGTY9iFhc747L/VSaKWzH/uWewj1qTwsX
+dUEFxZILAWvAMBNUT060t8bt+pSFc2h4fHsftOqFLfkFUcCr22QsWyueXzWZyDeZ
+XWFGtD+WOR5SC4mIY359e75/vZsJymzZIfM+pfcaHnXtXez9SeLM81rvnRdR1b+H
+/S0LT0dPRkXSvC2HRPwzHxVctNrDoaxON+OIMgd4lHAFs6doVoYmnprzO69+IBUK
+s0LBENxbn2rd7IEl6EaC91cXCl3y
+-----END CERTIFICATE-----

data/test/controllers/authorizations_controller_test.rb

@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class GoogleSignIn::AuthorizationsControllerTest < ActionDispatch::IntegrationTest
+  test "redirecting to Google for authorization" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_match 'https://accounts.google.com/o/oauth2/auth', response.location
+
+    params = extract_query_params_from(response.location)
+    assert_equal FAKE_GOOGLE_CLIENT_ID, params[:client_id]
+    assert_equal 'login', params[:prompt]
+    assert_equal 'code', params[:response_type]
+    assert_equal 'http://www.example.com/google_sign_in/callback', params[:redirect_uri]
+    assert_equal 'openid profile email', params[:scope]
+    assert_match /[A-Za-z0-9+\/]{22}==/, params[:state]
+
+    assert_equal 'http://www.example.com/login', flash[:proceed_to]
+    assert_equal params[:state], flash[:state]
+  end
+
+  private
+    def extract_query_params_from(url)
+      query = URI(url).query
+      Rack::Utils.parse_query(query).symbolize_keys
+    end
+end

data/test/controllers/callbacks_controller_test.rb

@@ -0,0 +1,36 @@
+require 'test_helper'
+
+class GoogleSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
+  test "receiving an authorization code" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    stub_token_request code: '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_equal 'eyJhbGciOiJSUzI', flash[:google_sign_in_token]
+  end
+
+  test "protecting against CSRF" do
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_response :unprocessable_entity
+  end
+
+  test "protecting against open redirects" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://malicious.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+    assert_response :bad_request
+  end
+
+  private
+    def stub_token_request(code:, **params)
+      stub_request(:post, 'https://www.googleapis.com/oauth2/v3/token').
+        with(body: { grant_type: 'authorization_code', code: code,
+          client_id: FAKE_GOOGLE_CLIENT_ID, client_secret: FAKE_GOOGLE_CLIENT_SECRET,
+          redirect_uri: 'http://www.example.com/google_sign_in/callback' }).
+        to_return(status: 200, headers: { 'Content-Type' => 'application/json' }, body: JSON.generate(params))
+    end
+end

data/test/dummy/.ruby-version

@@ -0,0 +1 @@
+2.5.0

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+//= link_tree ../images
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/test/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require rails-ujs
+//= require activestorage
+//= require_tree .

data/test/dummy/app/assets/javascripts/cable.js

@@ -0,0 +1,13 @@
+// Action Cable provides the framework to deal with WebSockets in Rails.
+// You can generate new channels where WebSocket features live using the `rails generate channel` command.
+//
+//= require action_cable
+//= require_self
+//= require_tree ./channels
+
+(function() {
+  this.App || (this.App = {});
+
+  App.cable = ActionCable.createConsumer();
+
+}).call(this);

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/test/dummy/app/channels/application_cable/channel.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Channel < ActionCable::Channel::Base
+  end
+end

data/test/dummy/app/channels/application_cable/connection.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end