google_sign_in 1.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9f61243974b069b039924957b8a03b39daad94f8e76109f88cfbbb60769b321
-  data.tar.gz: 782d1b3520a08d7ea1ee9b0d4bd1179d94679d02ab9187d2bc82aeaa8c28a481
+  metadata.gz: 07ffe2df555e62583212eeed44495dad288e37609a46c4eb1f4717aedb11f4c9
+  data.tar.gz: b4eff8b60ac9cfdb32c835bf0780722f87fb34cfd4b0673a57bdfe4708841569
 SHA512:
-  metadata.gz: 7d53ffc9c30b06696d4f6e726570a9262e711cb1d5b2700d2deee935cc2009d68b2addd8262a6cd105380f1ba210a42b6e070cd8b6dfe45b6cb80584e70c4051
-  data.tar.gz: b01f4f9a120d08c61f00169622162461435c26ba154c73d20f232815411b2636d582a3de3c6bca3209a0fe69bea79ab31aa164b75768958759b87b3a6ed81870
+  metadata.gz: 5fd9e9b40717cf051753ec5bf737281d33f0e3ba6914fbd364e9c8c1d316c9a21a8d0cdead93df94e1a674aa6d6774e3ec9608b6427e56e70021d6da199a7f79
+  data.tar.gz: 10c98f8dbb827cfeca28f59b9857d86bb5e6f3f0122e4f1b5dc64c4b29b663b2d01520893d41a18af94bf6cc6cc6e5d83e476be5554f27b08450f382e3f7a16e

data/.gitignore

@@ -2,6 +2,7 @@
 .byebug_history
 log/*.log
 pkg/
+*.gem
 
 test/dummy/db/*.sqlite3
 test/dummy/db/*.sqlite3-journal

data/.travis.yml

@@ -2,14 +2,12 @@ language: ruby
 sudo: false
 cache: bundler
 
-# Bundler/RubyGems incompat on Ruby 2.5.0
-before_install: gem install bundler
+# Bundler/RubyGems incompat on Ruby 2.5.0 and 2.6.1
+before_install: gem update --system && gem install bundler -v 1.17.3
 
 rvm:
-  - 2.2
-  - 2.3
-  - 2.4
   - 2.5
+  - 2.6
   - ruby-head
 
 matrix:

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+# Changelog
+
+Please see [our GitHub "Releases" page](https://github.com/basecamp/google_sign_in/releases).

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    google_sign_in (1.1.0)
+    google_sign_in (1.2.0)
       google-id-token (>= 1.4.0)
       oauth2 (>= 1.4.0)
       rails (>= 5.2.0)
@@ -9,121 +9,140 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.1)
-      actionpack (= 5.2.1)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      mail (>= 2.7.1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.1)
-      actionview (= 5.2.1)
-      activesupport (= 5.2.1)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.1)
-      activesupport (= 5.2.1)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.1)
-      activesupport (= 5.2.1)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (5.2.1)
-      activesupport (= 5.2.1)
-    activerecord (5.2.1)
-      activemodel (= 5.2.1)
-      activesupport (= 5.2.1)
-      arel (>= 9.0)
-    activestorage (5.2.1)
-      actionpack (= 5.2.1)
-      activerecord (= 5.2.1)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (5.2.1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    arel (9.0.0)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
     builder (3.2.3)
-    byebug (9.1.0)
-    concurrent-ruby (1.0.5)
+    byebug (11.0.1)
+    concurrent-ruby (1.1.5)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     crass (1.0.4)
-    erubi (1.7.1)
-    faraday (0.12.2)
+    erubi (1.9.0)
+    faraday (0.16.2)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
     google-id-token (1.4.2)
       jwt (>= 1)
-    hashdiff (0.3.7)
-    i18n (1.1.0)
+    hashdiff (1.0.0)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
-    jwt (1.5.6)
-    loofah (2.2.2)
+    jwt (2.2.1)
+    loofah (2.3.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.0)
+    mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.2)
+    marcel (0.3.3)
       mimemagic (~> 0.3.2)
-    method_source (0.9.0)
-    mimemagic (0.3.2)
-    mini_mime (1.0.1)
-    mini_portile2 (2.3.0)
-    minitest (5.11.3)
+    method_source (0.9.2)
+    mimemagic (0.3.10)
+      nokogiri (~> 1)
+      rake
+    mini_mime (1.0.2)
+    mini_portile2 (2.6.1)
+    minitest (5.14.4)
     multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nio4r (2.3.1)
-    nokogiri (1.8.4)
-      mini_portile2 (~> 2.3.0)
-    oauth2 (1.4.0)
-      faraday (>= 0.8, < 0.13)
-      jwt (~> 1.0)
+    multipart-post (2.1.1)
+    nio4r (2.5.2)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
+      racc (~> 1.4)
+    oauth2 (1.4.2)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    public_suffix (3.0.3)
-    rack (2.0.5)
+    public_suffix (4.0.1)
+    racc (1.5.2)
+    rack (2.0.7)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.1)
-      actioncable (= 5.2.1)
-      actionmailer (= 5.2.1)
-      actionpack (= 5.2.1)
-      actionview (= 5.2.1)
-      activejob (= 5.2.1)
-      activemodel (= 5.2.1)
-      activerecord (= 5.2.1)
-      activestorage (= 5.2.1)
-      activesupport (= 5.2.1)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 5.2.1)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.1)
-      actionpack (= 5.2.1)
-      activesupport (= 5.2.1)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.19.0, < 2.0)
-    rake (12.0.0)
-    safe_yaml (1.0.4)
+      thor (>= 0.20.3, < 2.0)
+    rake (13.0.0)
+    safe_yaml (1.0.5)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -131,17 +150,18 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (0.20.0)
+    thor (0.20.3)
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    webmock (3.4.2)
+    webmock (3.7.6)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
-      hashdiff
-    websocket-driver (0.7.0)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.10)
 
 PLATFORMS
   ruby
@@ -150,9 +170,9 @@ DEPENDENCIES
   bundler (~> 1.15)
   byebug
   google_sign_in!
-  jwt
+  jwt (>= 1.5.6)
   rake
-  webmock
+  webmock (>= 3.4.2)
 
 BUNDLED WITH
-   1.16.4
+   1.17.3

data/README.md

@@ -64,6 +64,16 @@ end
 
 **⚠️ Important:** Take care to protect your client secret from disclosure to third parties.
 
+9. (Optional) The callback route can be configured using:
+
+```ruby
+# config/initializers/google_sign_in.rb
+Rails.application.configure do
+  config.google_sign_in.root = "my_own/google_sign_in_route"
+end
+```
+
+Which would make the callback `/my_own/google_sign_in_route/callback`.
 
 ## Usage
 
@@ -80,7 +90,8 @@ This gem provides a `google_sign_in_button` helper. It generates a button which
 ```
 
 The `proceed_to` argument is required. After authenticating with Google, the gem redirects to `proceed_to`, providing
-a Google ID token in `flash[:google_sign_in_token]`. Your application decides what to do with it:
+a Google ID token in `flash[:google_sign_in][:id_token]` or an [OAuth authorizaton code grant error](https://tools.ietf.org/html/rfc6749#section-4.1.2.1)
+in `flash[:google_sign_in][:error]`. Your application decides what to do with it:
 
 ```ruby
 # config/routes.rb
@@ -108,8 +119,11 @@ class LoginsController < ApplicationController
 
   private
     def authenticate_with_google
-      if flash[:google_sign_in_token].present?
-        User.find_by google_id: GoogleSignIn::Identity.new(flash[:google_sign_in_token]).user_id
+      if id_token = flash[:google_sign_in][:id_token]
+        User.find_by google_id: GoogleSignIn::Identity.new(id_token).user_id
+      elsif error = flash[:google_sign_in][:error]
+        logger.error "Google authentication error: #{error}"
+        nil
       end
     end
 end
@@ -143,11 +157,18 @@ information contained in the token via the following instance methods:
 
 * `hosted_domain`: The user’s hosted G Suite domain, provided only if they belong to a G Suite.
 
+* `given_name`: The user's given name.
+
+* `family_name`: The user's last name.
+
 
 ## Security
 
 For information on our security response procedure, see [SECURITY.md](SECURITY.md).
 
+## Maintenance
+
+Short of patching critical security issues, this gem is now considered done, and will not see any further feature development or minor bug fixes. Feel free to fork this work under the MIT license and continue the feature development under a different name.
 
 ## License
 

data/app/controllers/google_sign_in/authorizations_controller.rb

@@ -1,9 +1,11 @@
 require 'securerandom'
 
 class GoogleSignIn::AuthorizationsController < GoogleSignIn::BaseController
+  skip_forgery_protection only: :create
+
   def create
     redirect_to login_url(scope: 'openid profile email', state: state),
-      flash: { proceed_to: params.require(:proceed_to), state: state }
+      allow_other_host: true, flash: { proceed_to: params.require(:proceed_to), state: state }
   end
 
   private

data/app/controllers/google_sign_in/base_controller.rb

@@ -9,7 +9,7 @@ class GoogleSignIn::BaseController < ActionController::Base
         GoogleSignIn.client_id,
         GoogleSignIn.client_secret,
         authorize_url: 'https://accounts.google.com/o/oauth2/auth',
-        token_url: 'https://www.googleapis.com/oauth2/v3/token',
+        token_url: 'https://oauth2.googleapis.com/token',
         redirect_uri: callback_url
     end
 end

data/app/controllers/google_sign_in/callbacks_controller.rb

@@ -1,27 +1,37 @@
-require_dependency 'google_sign_in/redirect_protector'
+require 'google_sign_in/redirect_protector'
 
 class GoogleSignIn::CallbacksController < GoogleSignIn::BaseController
   def show
-    if valid_request?
-      redirect_to proceed_to_url, flash: { google_sign_in_token: id_token }
-    else
-      head :unprocessable_entity
-    end
+    redirect_to proceed_to_url, flash: { google_sign_in: google_sign_in_response }
   rescue GoogleSignIn::RedirectProtector::Violation => error
     logger.error error.message
     head :bad_request
   end
 
   private
-    def valid_request?
-      flash[:state].present? && params.require(:state) == flash[:state]
-    end
-
     def proceed_to_url
       flash[:proceed_to].tap { |url| GoogleSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
     end
 
+    def google_sign_in_response
+      if valid_request? && params[:code].present?
+        { id_token: id_token }
+      else
+        { error: error_message_for(params[:error]) }
+      end
+    rescue OAuth2::Error => error
+      { error: error_message_for(error.code) }
+    end
+
+    def valid_request?
+      flash[:state].present? && params[:state] == flash[:state]
+    end
+
     def id_token
-      client.auth_code.get_token(params.require(:code))['id_token']
+      client.auth_code.get_token(params[:code])['id_token']
+    end
+
+    def error_message_for(error_code)
+      error_code.presence_in(GoogleSignIn::OAUTH2_ERRORS) || "invalid_request"
     end
 end

data/bin/rails

@@ -3,7 +3,7 @@
 # installed from the root of your application.
 
 ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/blorgh/engine', __dir__)
+ENGINE_PATH = File.expand_path('../lib/google_sign_in/engine', __dir__)
 APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
 
 # Set up gems listed in the Gemfile.

data/google_sign_in.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name     = 'google_sign_in'
-  s.version  = '1.1.0'
+  s.version  = '1.2.1'
   s.authors  = ['David Heinemeier Hansson', 'George Claghorn']
   s.email    = ['david@basecamp.com', 'george@basecamp.com']
   s.summary  = 'Sign in (or up) with Google for Rails applications'
@@ -14,8 +14,8 @@ Gem::Specification.new do |s|
   s.add_dependency 'oauth2', '>= 1.4.0'
 
   s.add_development_dependency 'bundler', '~> 1.15'
-  s.add_development_dependency 'jwt'
-  s.add_development_dependency 'webmock'
+  s.add_development_dependency 'jwt', '>= 1.5.6'
+  s.add_development_dependency 'webmock', '>= 3.4.2'
 
   s.files      = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- test/*`.split("\n")

data/lib/google_sign_in/engine.rb

@@ -13,14 +13,12 @@ module GoogleSignIn
       end
     end
 
-    initializer 'google_sign_in.helpers' do
-      ActiveSupport.on_load :action_controller_base do
-        helper GoogleSignIn::Engine.helpers
-      end
+    config.to_prepare do
+      ActionController::Base.helper GoogleSignIn::Engine.helpers
     end
 
     initializer 'google_sign_in.mount' do |app|
-      app.routes.append do
+      app.routes.prepend do
         mount GoogleSignIn::Engine, at: app.config.google_sign_in.root || 'google_sign_in'
       end
     end

data/lib/google_sign_in/identity.rb

@@ -40,6 +40,14 @@ module GoogleSignIn
       @payload["hd"]
     end
 
+    def given_name
+      @payload["given_name"]
+    end
+
+    def family_name
+      @payload["family_name"]
+    end
+
     private
       delegate :client_id, to: GoogleSignIn
 

data/lib/google_sign_in/redirect_protector.rb

@@ -9,8 +9,8 @@ module GoogleSignIn
     QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
 
     def ensure_same_origin(target, source)
-      if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
-        raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
+      if target.blank? || (target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source))
+        raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
       end
     end
 

data/lib/google_sign_in.rb

@@ -4,6 +4,31 @@ require 'active_support/rails'
 module GoogleSignIn
   mattr_accessor :client_id
   mattr_accessor :client_secret
+
+  # https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  authorization_request_errors = %w[
+    invalid_request
+    unauthorized_client
+    access_denied
+    unsupported_response_type
+    invalid_scope
+    server_error
+    temporarily_unavailable
+  ]
+
+  # https://tools.ietf.org/html/rfc6749#section-5.2
+  access_token_request_errors = %w[
+    invalid_request
+    invalid_client
+    invalid_grant
+    unauthorized_client
+    unsupported_grant_type
+    invalid_scope
+  ]
+
+  # Authorization Code Grant errors from both authorization requests
+  # and access token requests.
+  OAUTH2_ERRORS = authorization_request_errors | access_token_request_errors
 end
 
 require 'google_sign_in/identity'

data/test/controllers/callbacks_controller_test.rb

@@ -5,16 +5,92 @@ class GoogleSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
     assert_response :redirect
 
-    stub_token_request code: '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
+    stub_token_for '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
 
     get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
     assert_redirected_to 'http://www.example.com/login'
-    assert_equal 'eyJhbGciOiJSUzI', flash[:google_sign_in_token]
+    assert_equal 'eyJhbGciOiJSUzI', flash[:google_sign_in][:id_token]
+    assert_nil flash[:google_sign_in][:error]
   end
 
-  test "protecting against CSRF" do
+  # Authorization request errors: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  %w[ invalid_request unauthorized_client access_denied unsupported_response_type invalid_scope server_error temporarily_unavailable ].each do |error|
+    test "receiving an authorization code grant error: #{error}" do
+      post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      get google_sign_in.callback_url(error: error, state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:google_sign_in][:id_token]
+      assert_equal error, flash[:google_sign_in][:error]
+    end
+  end
+
+  test "receiving an invalid authorization error" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(error: 'unknown error code', state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal "invalid_request", flash[:google_sign_in][:error]
+  end
+
+  test "receiving neither code nor error" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  # Access token request errors: https://tools.ietf.org/html/rfc6749#section-5.2
+  %w[ invalid_request invalid_client invalid_grant unauthorized_client unsupported_grant_type invalid_scope ].each do |error|
+    test "receiving an access token request error: #{error}" do
+      post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      stub_token_error_for '4/SgCpHSVW5-Cy', error: error
+
+      get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:google_sign_in][:id_token]
+      assert_equal error, flash[:google_sign_in][:error]
+    end
+  end
+
+  test "protecting against CSRF without flash state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  test "protecting against CSRF with invalid state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
     get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
-    assert_response :unprocessable_entity
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  test "protecting against CSRF with missing state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
   end
 
   test "protecting against open redirects" do
@@ -25,12 +101,33 @@ class GoogleSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
   end
 
+  test "receiving no proceed_to URL" do
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_response :bad_request
+  end
+
   private
-    def stub_token_request(code:, **params)
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v3/token').
-        with(body: { grant_type: 'authorization_code', code: code,
-          client_id: FAKE_GOOGLE_CLIENT_ID, client_secret: FAKE_GOOGLE_CLIENT_SECRET,
-          redirect_uri: 'http://www.example.com/google_sign_in/callback' }).
-        to_return(status: 200, headers: { 'Content-Type' => 'application/json' }, body: JSON.generate(params))
+    def stub_token_for(code, **response_body)
+      stub_token_request(code, status: 200, response: response_body)
+    end
+
+    def stub_token_error_for(code, error:)
+      stub_token_request(code, status: 418, response: { error: error })
+    end
+
+    def stub_token_request(code, status:, response:)
+      stub_request(:post, 'https://oauth2.googleapis.com/token').with(
+        body: {
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: FAKE_GOOGLE_CLIENT_ID,
+          client_secret: FAKE_GOOGLE_CLIENT_SECRET,
+          redirect_uri: 'http://www.example.com/google_sign_in/callback'
+        }
+      ).to_return(
+        status: status,
+        headers: { 'Content-Type' => 'application/json' },
+        body: JSON.generate(response)
+      )
     end
 end

data/test/dummy/config/application.rb

@@ -10,7 +10,7 @@ Bundler.require(*Rails.groups)
 module Dummy
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.2
+    config.load_defaults 6.0
 
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration can go into files in config/initializers

data/test/helpers/button_helper_test.rb

@@ -4,7 +4,6 @@ class GoogleSignIn::ButtonHelperTest < ActionView::TestCase
   test "generating a login button with text content" do
     assert_dom_equal <<-HTML, google_sign_in_button("Log in with Google", proceed_to: "https://www.example.com/login")
       <form action="/google_sign_in/authorization" accept-charset="UTF-8" method="post">
-        <input name="utf8" type="hidden" value="&#x2713;" />
         <input name="proceed_to" type="hidden" value="https://www.example.com/login" />
         <button type="submit">Log in with Google</button>
       </form>
@@ -14,7 +13,6 @@ class GoogleSignIn::ButtonHelperTest < ActionView::TestCase
   test "generating a login button with HTML content" do
     assert_dom_equal <<-HTML, google_sign_in_button(proceed_to: "https://www.example.com/login") { image_tag("google.png") }
       <form action="/google_sign_in/authorization" accept-charset="UTF-8" method="post">
-        <input name="utf8" type="hidden" value="&#x2713;" />
         <input name="proceed_to" type="hidden" value="https://www.example.com/login" />
         <button type="submit"><img src="/images/google.png"></button>
       </form>
@@ -27,7 +25,6 @@ class GoogleSignIn::ButtonHelperTest < ActionView::TestCase
 
     assert_dom_equal <<-HTML, button
       <form action="/google_sign_in/authorization" accept-charset="UTF-8" method="post">
-        <input name="utf8" type="hidden" value="&#x2713;" />
         <input name="proceed_to" type="hidden" value="https://www.example.com/login" />
         <button type="submit" class="login-button" data-disable-with="Loading Google login…">Log in with Google</button>
       </form>

data/test/models/identity_test.rb

@@ -65,6 +65,14 @@ class GoogleSignIn::IdentityTest < ActiveSupport::TestCase
     assert_equal "basecamp.com", GoogleSignIn::Identity.new(token_with(hd: "basecamp.com")).hosted_domain
   end
 
+  test "extracting given name" do
+    assert_equal "George", GoogleSignIn::Identity.new(token_with(given_name: "George")).given_name
+  end
+
+  test "extracting family name" do
+    assert_equal "Claghorn", GoogleSignIn::Identity.new(token_with(family_name: "Claghorn")).family_name
+  end
+
   private
     def switch_client_id_to(value)
       previous_value = GoogleSignIn.client_id

data/test/models/redirect_protector_test.rb

@@ -20,6 +20,12 @@ class GoogleSignIn::RedirectProtectorTest < ActiveSupport::TestCase
     end
   end
 
+  test "disallows empty URL target" do
+    assert_raises GoogleSignIn::RedirectProtector::Violation do
+      GoogleSignIn::RedirectProtector.ensure_same_origin nil, 'https://basecamp.com'
+    end
+  end
+
   test "allows URL target with same origin as source" do
     assert_nothing_raised do
       GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com', 'https://basecamp.com'

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: google_sign_in
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 - George Claghorn
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-14 00:00:00.000000000 Z
+date: 2021-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -73,29 +73,29 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.5.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.5.6
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-description: 
+        version: 3.4.2
+description:
 email:
 - david@basecamp.com
 - george@basecamp.com
@@ -105,6 +105,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - MIT-LICENSE
@@ -196,7 +197,7 @@ homepage: https://github.com/basecamp/google_sign_in
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -211,9 +212,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: Sign in (or up) with Google for Rails applications
 test_files: