google_sign_in 0.1.4 → 1.0.0

data/test/models/redirect_protector_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'google_sign_in/redirect_protector'
+
+class GoogleSignIn::RedirectProtectorTest < ActiveSupport::TestCase
+  test "disallows URL target with different host than source" do
+    assert_raises GoogleSignIn::RedirectProtector::Violation do
+      GoogleSignIn::RedirectProtector.ensure_same_origin 'https://malicious.example.com', 'https://basecamp.com'
+    end
+  end
+
+  test "disallows URL target with different port than source" do
+    assert_raises GoogleSignIn::RedirectProtector::Violation do
+      GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com:10443', 'https://basecamp.com'
+    end
+  end
+
+  test "disallows URL target with different protocol than source" do
+    assert_raises GoogleSignIn::RedirectProtector::Violation do
+      GoogleSignIn::RedirectProtector.ensure_same_origin 'http://basecamp.com', 'https://basecamp.com'
+    end
+  end
+
+  test "allows URL target with same origin as source" do
+    assert_nothing_raised do
+      GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com', 'https://basecamp.com'
+    end
+  end
+
+  test "allows path target" do
+    assert_nothing_raised do
+      GoogleSignIn::RedirectProtector.ensure_same_origin '/callback', 'https://basecamp.com'
+    end
+  end
+end

data/test/test_helper.rb

@@ -1,4 +1,28 @@
-require 'bundler/setup'
-require 'active_support'
-require 'active_support/testing/autorun'
+ENV['RAILS_ENV'] = 'test'
+
+FAKE_GOOGLE_CLIENT_ID = '86179201039-eks5VfVc46WoFYyZVUDpQHeZFDRCqno3.apps.googleusercontent.com'
+FAKE_GOOGLE_CLIENT_SECRET = 'r(XsBajmyMddruvf$jDgLyPK'
+
+require_relative '../test/dummy/config/environment'
+
+require 'rails/test_help'
+require 'webmock/minitest'
 require 'byebug'
+
+require 'openssl'
+GOOGLE_PRIVATE_KEY = OpenSSL::PKey::RSA.new(File.read(File.expand_path('key.pem', __dir__)))
+GOOGLE_X509_CERTIFICATE = OpenSSL::X509::Certificate.new(File.read(File.expand_path('certificate.pem', __dir__)))
+
+if GOOGLE_X509_CERTIFICATE.not_after <= Time.now
+  raise "Test certificate is expired. Generate a new one and run the tests again: `bundle exec rake test:certificate:generate`."
+end
+
+require 'google-id-token'
+GoogleSignIn::Identity.validator = GoogleIDToken::Validator.new(x509_cert: GOOGLE_X509_CERTIFICATE)
+
+class ActionView::TestCase
+  private
+    def assert_dom_equal(expected, actual, message = nil)
+      super expected.remove(/(\A|\n)\s*/), actual, message
+    end
+end

metadata

@@ -1,29 +1,30 @@
 --- !ruby/object:Gem::Specification
 name: google_sign_in
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 1.0.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
+- George Claghorn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-14 00:00:00.000000000 Z
+date: 2018-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: activesupport
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 5.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 5.2.0
 - !ruby/object:Gem::Dependency
   name: google-id-token
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +39,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -52,23 +67,130 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
-email: david@basecamp.com
+email:
+- david@basecamp.com
+- george@basecamp.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - Gemfile.lock
 - MIT-LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
+- app/controllers/google_sign_in/authorizations_controller.rb
+- app/controllers/google_sign_in/base_controller.rb
+- app/controllers/google_sign_in/callbacks_controller.rb
+- app/helpers/google_sign_in/button_helper.rb
+- bin/rails
+- config/routes.rb
 - google_sign_in.gemspec
 - lib/google_sign_in.rb
-- lib/google_sign_in/helper.rb
+- lib/google_sign_in/engine.rb
 - lib/google_sign_in/identity.rb
-- lib/google_sign_in/railtie.rb
-- test/identity_test.rb
+- lib/google_sign_in/redirect_protector.rb
+- test/certificate.pem
+- test/controllers/authorizations_controller_test.rb
+- test/controllers/callbacks_controller_test.rb
+- test/dummy/.ruby-version
+- test/dummy/Rakefile
+- test/dummy/app/assets/config/manifest.js
+- test/dummy/app/assets/images/.keep
+- test/dummy/app/assets/javascripts/application.js
+- test/dummy/app/assets/javascripts/cable.js
+- test/dummy/app/assets/javascripts/channels/.keep
+- test/dummy/app/assets/stylesheets/application.css
+- test/dummy/app/channels/application_cable/channel.rb
+- test/dummy/app/channels/application_cable/connection.rb
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/concerns/.keep
+- test/dummy/app/helpers/application_helper.rb
+- test/dummy/app/jobs/application_job.rb
+- test/dummy/app/mailers/application_mailer.rb
+- test/dummy/app/models/application_record.rb
+- test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/layouts/application.html.erb
+- test/dummy/app/views/layouts/mailer.html.erb
+- test/dummy/app/views/layouts/mailer.text.erb
+- test/dummy/bin/bundle
+- test/dummy/bin/rails
+- test/dummy/bin/rake
+- test/dummy/bin/setup
+- test/dummy/bin/update
+- test/dummy/bin/yarn
+- test/dummy/config.ru
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/cable.yml
+- test/dummy/config/database.yml
+- test/dummy/config/environment.rb
+- test/dummy/config/environments/development.rb
+- test/dummy/config/environments/production.rb
+- test/dummy/config/environments/test.rb
+- test/dummy/config/initializers/application_controller_renderer.rb
+- test/dummy/config/initializers/backtrace_silencers.rb
+- test/dummy/config/initializers/content_security_policy.rb
+- test/dummy/config/initializers/cookies_serializer.rb
+- test/dummy/config/initializers/filter_parameter_logging.rb
+- test/dummy/config/initializers/google_sign_in.rb
+- test/dummy/config/initializers/inflections.rb
+- test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/wrap_parameters.rb
+- test/dummy/config/locales/en.yml
+- test/dummy/config/puma.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/spring.rb
+- test/dummy/config/storage.yml
+- test/dummy/db/test.sqlite3
+- test/dummy/lib/assets/.keep
+- test/dummy/log/.keep
+- test/dummy/package.json
+- test/dummy/public/404.html
+- test/dummy/public/422.html
+- test/dummy/public/500.html
+- test/dummy/public/apple-touch-icon-precomposed.png
+- test/dummy/public/apple-touch-icon.png
+- test/dummy/public/favicon.ico
+- test/dummy/storage/.keep
+- test/dummy/tmp/.keep
+- test/dummy/tmp/storage/.keep
+- test/helpers/button_helper_test.rb
+- test/key.pem
+- test/models/identity_test.rb
+- test/models/redirect_protector_test.rb
 - test/test_helper.rb
 homepage: https://github.com/basecamp/google_sign_in
 licenses:
@@ -95,5 +217,73 @@ signing_key:
 specification_version: 4
 summary: Sign in (or up) with Google for Rails applications
 test_files:
-- test/identity_test.rb
+- test/certificate.pem
+- test/controllers/authorizations_controller_test.rb
+- test/controllers/callbacks_controller_test.rb
+- test/dummy/.ruby-version
+- test/dummy/Rakefile
+- test/dummy/app/assets/config/manifest.js
+- test/dummy/app/assets/images/.keep
+- test/dummy/app/assets/javascripts/application.js
+- test/dummy/app/assets/javascripts/cable.js
+- test/dummy/app/assets/javascripts/channels/.keep
+- test/dummy/app/assets/stylesheets/application.css
+- test/dummy/app/channels/application_cable/channel.rb
+- test/dummy/app/channels/application_cable/connection.rb
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/concerns/.keep
+- test/dummy/app/helpers/application_helper.rb
+- test/dummy/app/jobs/application_job.rb
+- test/dummy/app/mailers/application_mailer.rb
+- test/dummy/app/models/application_record.rb
+- test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/layouts/application.html.erb
+- test/dummy/app/views/layouts/mailer.html.erb
+- test/dummy/app/views/layouts/mailer.text.erb
+- test/dummy/bin/bundle
+- test/dummy/bin/rails
+- test/dummy/bin/rake
+- test/dummy/bin/setup
+- test/dummy/bin/update
+- test/dummy/bin/yarn
+- test/dummy/config.ru
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/cable.yml
+- test/dummy/config/database.yml
+- test/dummy/config/environment.rb
+- test/dummy/config/environments/development.rb
+- test/dummy/config/environments/production.rb
+- test/dummy/config/environments/test.rb
+- test/dummy/config/initializers/application_controller_renderer.rb
+- test/dummy/config/initializers/backtrace_silencers.rb
+- test/dummy/config/initializers/content_security_policy.rb
+- test/dummy/config/initializers/cookies_serializer.rb
+- test/dummy/config/initializers/filter_parameter_logging.rb
+- test/dummy/config/initializers/google_sign_in.rb
+- test/dummy/config/initializers/inflections.rb
+- test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/wrap_parameters.rb
+- test/dummy/config/locales/en.yml
+- test/dummy/config/puma.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/spring.rb
+- test/dummy/config/storage.yml
+- test/dummy/db/test.sqlite3
+- test/dummy/lib/assets/.keep
+- test/dummy/log/.keep
+- test/dummy/package.json
+- test/dummy/public/404.html
+- test/dummy/public/422.html
+- test/dummy/public/500.html
+- test/dummy/public/apple-touch-icon-precomposed.png
+- test/dummy/public/apple-touch-icon.png
+- test/dummy/public/favicon.ico
+- test/dummy/storage/.keep
+- test/dummy/tmp/.keep
+- test/dummy/tmp/storage/.keep
+- test/helpers/button_helper_test.rb
+- test/key.pem
+- test/models/identity_test.rb
+- test/models/redirect_protector_test.rb
 - test/test_helper.rb

data/lib/google_sign_in/helper.rb

@@ -1,76 +0,0 @@
-require 'google_sign_in/identity'
-
-module GoogleSignIn
-  module Helper
-    def google_sign_in(**form_options, &block)
-      content_for :head,
-        google_sign_in_javacript_include_tag +
-        google_sign_in_client_id_meta_tag +
-        turbolinks_reload_meta_tag
-
-      google_sign_in_javascript_tag +
-      google_sign_in_hidden_form_tag(**form_options) +
-      google_sign_in_click_handler(&block)
-    end
-
-    private
-      def google_sign_in_javacript_include_tag
-        javascript_include_tag "https://apis.google.com/js/api.js", async: true, defer: true,
-          onload: "this.onload=function(){};setupGoogleSignIn()",
-          onreadystatechange: "if (this.readyState === 'complete') this.onload()"
-      end
-
-      def google_sign_in_client_id_meta_tag
-        tag.meta name: "google-signin-client_id", content: GoogleSignIn::Identity.client_id
-      end
-
-      def turbolinks_reload_meta_tag
-        tag.meta name: "turbolinks-visit-control", content: "reload"
-      end
-
-      def google_sign_in_hidden_form_tag(**options)
-        options.reverse_merge!(html: { style: "display: none" })
-
-        form_with(**options) do |form|
-          form.hidden_field(:google_id_token, id: "google_sign_in_token") + form.submit(id: "google_sign_in_submit")
-        end
-      end
-
-      def google_sign_in_click_handler(&block)
-        tag.div(id: "google_sign_in_container", style: "visibility: hidden") { capture(&block) }
-      end
-
-      def google_sign_in_javascript_tag
-        javascript_tag <<-JS.strip_heredoc
-          (function() {
-            function installAuthClient(callback) {
-              gapi.load("client:auth2", function() {
-                gapi.auth2.init().then(callback)
-              })
-            }
-
-            function installClickHandler() {
-              var element = document.getElementById("google_sign_in_container")
-              var options = new gapi.auth2.SigninOptionsBuilder()
-              options.setPrompt("select_account")
-              gapi.auth2.getAuthInstance().attachClickHandler(element, options, handleSignIn)
-              element.style.visibility = "visible"
-            }
-
-            function handleSignIn(googleUser) {
-              var token = googleUser.getAuthResponse().id_token
-              if (token) {
-                document.getElementById("google_sign_in_token").value = token
-                document.getElementById("google_sign_in_submit").click()
-                gapi.auth2.getAuthInstance().signOut()
-              }
-            }
-
-            window.setupGoogleSignIn = function() {
-              installAuthClient(installClickHandler)
-            }
-          })()
-        JS
-      end
-  end
-end

data/lib/google_sign_in/railtie.rb

@@ -1,12 +0,0 @@
-require 'rails/railtie'
-require 'google_sign_in/helper'
-
-module GoogleSignIn
-  class Engine < ::Rails::Engine
-    initializer :google_sign_in do |app|
-      ActiveSupport.on_load :action_controller do
-        ActionController::Base.send :helper, GoogleSignIn::Helper
-      end
-    end
-  end
-end

data/test/identity_test.rb

@@ -1,13 +0,0 @@
-require 'test_helper'
-require 'google_sign_in/identity'
-
-class GoogleSignIn::IdentityTest < ActiveSupport::TestCase
-  test "client_id must be set" do
-    GoogleSignIn::Identity.client_id = nil
-    assert_raises(ArgumentError) { GoogleSignIn::Identity.new("some_fake_token") }
-  end
-
-  test "client_id must be part of the audience" do
-    # FIXME: Need to build a mock/simulate the google token to test this
-  end
-end