google_sign_in 0.1.4 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97c5ef43841bbc4901283ef218bd5bafcd321fbca2cbe51b991dce9c3943a656
-  data.tar.gz: f644ef5388eda41ae7181c68c53ce10843f8b862946305075023d3c79a91c0cd
+  metadata.gz: 557cffa6305ceb683fbba3ea3564c57fa8cf11d0669efe32b424c1ea87cc8958
+  data.tar.gz: 3b71e313292efb16cae4ed263fd17618b0873e0e52f7c07a75a5ffb941506b3c
 SHA512:
-  metadata.gz: 7a8116d55e09e785113aa8591a2ea3827f45bbe566413b323f3d8712a43dc84a7e21f1c0987c06b4ef5199a5ebf569d9237674ac949011e63aaad527bf725c2a
-  data.tar.gz: e4e034189b5e8307d5454a2a59a7e5c50e8ebf33813163f9eb241e9f9e4ede44e3f31364cf912a4e2992f156df4ac99de75a401a7ed8112cfbce4d7b89157215
+  metadata.gz: 8ef94bd31647bcf663272796d8eba7567c8482c420532329c7bd3f2a8ace1b765638676dd70d6fa81162359fe660dfe26d3050b8f54b3cf4b35e76e224b5bdf5
+  data.tar.gz: aa72a39e77567372213df2173ba802cacf1bcb3fc91517ed660c251a96faf0d33baeeaaf84e653e63d91e84abca5b616ce58aeec086bb799fe67a8439bdf26b5

data/.gitignore

@@ -0,0 +1,12 @@
+.bundle/
+.byebug_history
+log/*.log
+pkg/
+
+test/dummy/db/*.sqlite3
+test/dummy/db/*.sqlite3-journal
+test/dummy/log/*.log
+test/dummy/node_modules/
+test/dummy/yarn-error.log
+test/dummy/storage/
+test/dummy/tmp/

data/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+sudo: false
+cache: bundler
+
+# Bundler/RubyGems incompat on Ruby 2.5.0
+before_install: gem install bundler
+
+rvm:
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - ruby-head
+
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+  fast_finish: true

data/Gemfile.lock

@@ -1,29 +1,147 @@
 PATH
   remote: .
   specs:
-    google_sign_in (0.1.2)
-      activesupport (>= 5.1)
+    google_sign_in (1.0.0)
       google-id-token (>= 1.4.0)
+      oauth2 (>= 1.4.0)
+      rails (>= 5.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.1.3)
+    actioncable (5.2.1)
+      actionpack (= 5.2.1)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.1)
+      actionview (= 5.2.1)
+      activesupport (= 5.2.1)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.1)
+      activesupport (= 5.2.1)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.1)
+      activesupport (= 5.2.1)
+      globalid (>= 0.3.6)
+    activemodel (5.2.1)
+      activesupport (= 5.2.1)
+    activerecord (5.2.1)
+      activemodel (= 5.2.1)
+      activesupport (= 5.2.1)
+      arel (>= 9.0)
+    activestorage (5.2.1)
+      actionpack (= 5.2.1)
+      activerecord (= 5.2.1)
+      marcel (~> 0.3.1)
+    activesupport (5.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    arel (9.0.0)
+    builder (3.2.3)
     byebug (9.1.0)
     concurrent-ruby (1.0.5)
-    google-id-token (1.4.0)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    crass (1.0.4)
+    erubi (1.7.1)
+    faraday (0.12.2)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    google-id-token (1.4.2)
       jwt (>= 1)
-    i18n (0.8.6)
-    jwt (2.0.0)
-    minitest (5.10.3)
+    hashdiff (0.3.7)
+    i18n (1.1.0)
+      concurrent-ruby (~> 1.0)
+    jwt (1.5.6)
+    loofah (2.2.2)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.2)
+      mimemagic (~> 0.3.2)
+    method_source (0.9.0)
+    mimemagic (0.3.2)
+    mini_mime (1.0.1)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    nio4r (2.3.1)
+    nokogiri (1.8.4)
+      mini_portile2 (~> 2.3.0)
+    oauth2 (1.4.0)
+      faraday (>= 0.8, < 0.13)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    public_suffix (3.0.3)
+    rack (2.0.5)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (5.2.1)
+      actioncable (= 5.2.1)
+      actionmailer (= 5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      activemodel (= 5.2.1)
+      activerecord (= 5.2.1)
+      activestorage (= 5.2.1)
+      activesupport (= 5.2.1)
+      bundler (>= 1.3.0)
+      railties (= 5.2.1)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.1)
+      actionpack (= 5.2.1)
+      activesupport (= 5.2.1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
     rake (12.0.0)
+    safe_yaml (1.0.4)
+    sprockets (3.7.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.20.0)
     thread_safe (0.3.6)
-    tzinfo (1.2.3)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
+    webmock (3.4.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+    websocket-driver (0.7.0)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
 
 PLATFORMS
   ruby
@@ -32,7 +150,9 @@ DEPENDENCIES
   bundler (~> 1.15)
   byebug
   google_sign_in!
+  jwt
   rake
+  webmock
 
 BUNDLED WITH
-   1.15.4
+   1.16.4

data/README.md

@@ -1,85 +1,152 @@
 # Google Sign-In for Rails
 
-Google Sign-In provides an easy and secure way to let users signin into and up for your service,
-without adding yet-another per-app email/password combination. Integrating it into your Rails app
-should be drop-in easy. This gem makes it so.
+This gem allows you to add Google sign-in to your Rails app. You can let users sign up for and sign in to your service
+with their Google accounts.
 
-The only configuration needed is setting the Google client id for your application. [Google has a
-tutorial on how to setup a client id](https://developers.google.com/identity/sign-in/web/server-side-flow#step_1_create_a_client_id_and_client_secret).
 
-Once you have your client id, create a `config/initializers/google_sign_in_client_id.rb` file with this:
-`GoogleSignIn::Identity.client_id = <THAT CLIENT ID YOU GOT FROM GOOGLE>`
+## Installation
 
-Now you can use the sign-in integration on your signup or signin screen.
+Add `google_sign_in` to your Rails app’s Gemfile and run `bundle install`:
 
-## Example
+```ruby
+gem 'google_sign_in'
+```
+
+Google Sign-In for Rails requires Rails 5.2 or newer.
+
+
+## Configuration
+
+First, set up an OAuth 2.0 Client ID in the Google API Console:
+
+1. Go to the [API Console](https://console.developers.google.com/apis/credentials).
+
+2. In the projects menu at the top of the page, ensure the correct project is selected or create a new one.
+
+3. In the left-side navigation menu, choose APIs & Services → Credentials.
+
+4. Click the button labeled “Create credentials.” In the menu that appears, choose to create an **OAuth client ID**.
+
+5. When prompted to select an application type, select **Web application**.
 
-Here's the most basic example:
+6. Enter your application’s name.
+
+7. This gem adds a single OAuth callback to your app at `/google_sign_in/callback`. Under **Authorized redirect URIs**,
+   add that callback for your application’s domain: for example, `https://example.com/google_sign_in/callback`.
+
+   To use Google sign-in in development, you’ll need to add another redirect URI for your local environment, like
+   `http://localhost:3000/google_sign_in/callback`. For security reasons, we recommend using a separate
+   client ID for local development. Repeat these instructions to set up a new client ID for development.
+
+8. Click the button labeled “Create.” You’ll be presented with a client ID and client secret. Save these.
+
+With your client ID set up, configure your Rails application to use it. Run `bin/rails credentials:edit` to edit your
+app’s [encrypted credentials](https://guides.rubyonrails.org/security.html#custom-credentials) and add the following:
+
+```yaml
+google_sign_in:
+  client_id: [Your client ID here]
+  client_secret: [Your client secret here]
+```
+
+You’re all set to use Google sign-in now. The gem automatically uses the client ID and client secret in your credentials.
+
+Alternatively, you can provide the client ID and client secret using ENV variables. Add a new initializer that sets
+`config.google_sign_in.client_id` and `config.google_sign_in.client_secret`:
 
 ```ruby
-# app/views/layouts/application.html.erb
-<html>
-<head>
-<% # Required for google_sign_in to add the Google JS assets and meta tags! %>
-<%= yield :head %>
-</head>
-<body>
-<%= yield %>
-</body>
-</html>
-
-# app/views/sessions/new.html.erb
-<%= google_sign_in(url: session_path) do %>
-  # You can replace this with whatever design you please for the button.
-  # You should follow Google's brand guidelines for Google Sign-In, though:
-  # https://developers.google.com/identity/branding-guidelines
-  <%= button_tag("Signin with Google") %>
+# config/initializers/google_sign_in.rb
+Rails.application.configure do
+  config.google_sign_in.client_id     = ENV['google_sign_in_client_id']
+  config.google_sign_in.client_secret = ENV['google_sign_in_client_secret']
+end
+```
+
+**⚠️ Important:** Take care to protect your client secret from disclosure to third parties.
+
+
+## Usage
+
+This gem provides a `google_sign_in_button` helper. It generates a button which initiates Google sign-in:
+
+```erb
+<%= google_sign_in_button 'Sign in with my Google account', proceed_to: create_login_url %>
+
+<%= google_sign_in_button image_tag('google_logo.png', alt: 'Google'), proceed_to: create_login_url %>
+
+<%= google_sign_in_button proceed_to: create_login_url do %>
+  Sign in with my <%= image_tag('google_logo.png', alt: 'Google') %> account
 <% end %>
 ```
 
-The `url` option is the URL that the hidden form will be submitted against along with the Google ID Token
-that's set after the user has picked the account and authenticated in the pop-up window Google provides.
+The `proceed_to` argument is required. After authenticating with Google, the gem redirects to `proceed_to`, providing
+a Google ID token in `flash[:google_sign_in_token]`. Your application decides what to do with it:
 
-You can then use that in a sessions controller like so:
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  # ...
+  get 'login', to: 'logins#new'
+  get 'login/create', to: 'logins#create', as: :create_login
+end
+```
 
 ```ruby
-class SessionsController < ApplicationController
+# app/controllers/logins_controller.rb
+class LoginsController < ApplicationController
   def new
   end
 
   def create
-    if user = authenticate_via_google
+    if user = authenticate_with_google
       cookies.signed[:user_id] = user.id
       redirect_to user
     else
-      redirect_to new_session_url, alert: "authentication_failed"
+      redirect_to new_session_url, alert: 'authentication_failed'
     end
   end
 
   private
-    def authenticate_via_google
-      if params[:google_id_token].present?
-        User.find_by google_id: GoogleSignIn::Identity.new(params[:google_id_token]).user_id
+    def authenticate_with_google
+      if flash[:google_sign_in_token].present?
+        User.find_by google_id: GoogleSignIn::Identity.new(flash[:google_sign_in_token]).user_id
       end
     end
 end
 ```
 
-(This example assumes that a user has already signed up for your service using Google Sign-In and that
-you're storing the Google user id in the `User#google_id` attribute).
+(The above example assumes the user has already signed up for your service and that you’re storing their Google user ID
+in the `User#google_id` attribute.)
 
-That's it! You can checkout the `GoogleSignIn::Identity` class for the thin wrapping it provides around
-the decoding of the Google ID Token using the google-id-token library. Interrogating this identity object
-for profile details is particularly helpful when you use Google for signup, as you can get the name, email
-address, avatar url, and locale through it.
+For security reasons, the `proceed_to` URL you provide to `google_sign_in_button` is required to reside on the same
+origin as your application. This means it must have the same protocol, host, and port as the page where
+`google_sign_in_button` is used. We enforce this before redirecting to the `proceed_to` URL to guard against
+[open redirects](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
 
-## Compatibility with Turbolinks
+The `GoogleSignIn::Identity` class decodes and verifies the integrity of a Google ID token. It exposes the profile
+information contained in the token via the following instance methods:
+
+* `name`
+
+* `email_address`
+
+* `user_id`: A value that uniquely identifies a single Google user. Use this, not `email_address`, to associate a
+  Google user with an application user. A Google user’s email address may change, but their `user_id` will remain constant.
+
+* `email_verified?`
+
+* `avatar_url`
+
+* `locale`
+
+
+## Security
+
+For information on our security response procedure, see [SECURITY.md](SECURITY.md).
 
-Google's JavaScript doesn't play nice with Turbolinks. We've routed around the damage by adding a [Turbolinks
-meta tag](https://github.com/turbolinks/turbolinks/blob/master/README.md#ensuring-specific-pages-trigger-a-full-reload)
-on whatever page `google_sign_in` is called to always do a full reload for that page. Note that this
-auto-compatibility feature requires Turbolinks 5.1+.
 
 ## License
 
 Google Sign-In for Rails is released under the [MIT License](https://opensource.org/licenses/MIT).
+
+Google is a registered trademark of Google LLC. This project is not operated by or in any way affiliated with Google LLC.

data/Rakefile

@@ -4,7 +4,37 @@ require "rake/testtask"
 
 Rake::TestTask.new do |test|
   test.libs << "test"
-  test.test_files = FileList["test/*_test.rb"]
+  test.test_files = FileList["test/**/*_test.rb"]
+  test.warning = false
 end
 
 task default: :test
+
+desc "Generates an X509 certificate for decoding test ID tokens"
+task "test:certificate:generate" do
+  require "openssl"
+  require "active_support"
+  require "active_support/core_ext/integer/time"
+
+  key = OpenSSL::PKey::RSA.new(File.read(File.expand_path("test/key.pem", __dir__)))
+
+  certificate = OpenSSL::X509::Certificate.new
+  certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse("/CN=google-sign-in-for-rails.example.com")
+  certificate.not_before = Time.now
+  certificate.not_after = 5.years.from_now
+  certificate.public_key = key.public_key
+  certificate.serial = 0
+  certificate.version = 1
+
+  extension_factory = OpenSSL::X509::ExtensionFactory.new
+  extension_factory.subject_certificate = certificate
+  extension_factory.issuer_certificate = certificate
+  certificate.extensions = [
+    extension_factory.create_extension("basicConstraints", "CA:FALSE", true),
+    extension_factory.create_extension("keyUsage", "digitalSignature", true),
+    extension_factory.create_extension("extendedKeyUsage", "clientAuth", true)
+  ]
+
+  certificate.sign(key, OpenSSL::Digest::SHA1.new)
+  File.write(File.expand_path("test/certificate.pem", __dir__), certificate.to_pem)
+end