google_sign_in 1.1.2 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42c961227f0c8530cf3597830303b0e4446ade4eb43fbc4ed09cc0c82b38bd0e
-  data.tar.gz: c5294b87b1b5889c89f03e59f36ea38f8e40c3c33bbe796c31420e5729e470c5
+  metadata.gz: 5831caee2b3640fd7ea360cffe55c7941066ace8c22e324ed389215c0cd7c65a
+  data.tar.gz: 548b00fa1ad0739b039bed3ee80adfa2ee938a841737b5daef5d8eb5a5e11258
 SHA512:
-  metadata.gz: 3a4bf572cb71ef2cb8b3b521ecf22d225dedc61f4da5abf6cc37a4aefb6e96b5d8a5f9879b06c3b7cf84de9b17ed786509ab70a816cbc60454dd3a8478c67161
-  data.tar.gz: 6d1a42d8b65e52eb51664fe409bd8049ad02dad27ebebeb8c9f22cfa247cbbc52ed12aed4b05e08c9645410098513de152a2f33767f8b45dbe2c789da3e30ffc
+  metadata.gz: 5f4d62b9a5b2a3ea7d56b643f53ce4f4ee14cf621c4ca54c68d8da546dd2a38f5844ba8516f63e33fab4d69e716791863b4075adedd2dbfcbd7e638c58faf26c
+  data.tar.gz: d9e6e95a67eaf3ac07fc06361ede928f9e046e04f37806e0f63d937b5ff21db2380597aa9bf438dc426053586aa51cef15e2f904b97ee0639753bcb1c818e389

data/.travis.yml

@@ -2,14 +2,14 @@ language: ruby
 sudo: false
 cache: bundler
 
-# Bundler/RubyGems incompat on Ruby 2.5.0
-before_install: gem install bundler
+# Bundler/RubyGems incompat on Ruby 2.5.0 and 2.6.1
+before_install: gem update --system && gem install bundler -v 1.17.3
 
 rvm:
-  - 2.2
   - 2.3
   - 2.4
   - 2.5
+  - 2.6
   - ruby-head
 
 matrix:

data/Gemfile.lock

@@ -80,14 +80,14 @@ GEM
     method_source (0.9.0)
     mimemagic (0.3.2)
     mini_mime (1.0.1)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.4.0)
     minitest (5.11.3)
     multi_json (1.13.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
     nio4r (2.3.1)
-    nokogiri (1.8.5)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.10.8)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
       jwt (>= 1.0, < 3.0)
@@ -122,7 +122,7 @@ GEM
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (12.0.0)
+    rake (12.3.3)
     safe_yaml (1.0.4)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
@@ -155,4 +155,4 @@ DEPENDENCIES
   webmock (>= 3.4.2)
 
 BUNDLED WITH
-   1.16.6
+   1.17.2

data/README.md

@@ -64,6 +64,16 @@ end
 
 **⚠️ Important:** Take care to protect your client secret from disclosure to third parties.
 
+9. (Optional) The callback route can be configured using:
+
+```ruby
+# config/initializers/google_sign_in.rb
+Rails.application.configure do
+  config.google_sign_in.root = "my_own/google_sign_in_route"
+end
+```
+
+Which would make the callback `/my_own/google_sign_in_route/callback`.
 
 ## Usage
 
@@ -80,7 +90,8 @@ This gem provides a `google_sign_in_button` helper. It generates a button which
 ```
 
 The `proceed_to` argument is required. After authenticating with Google, the gem redirects to `proceed_to`, providing
-a Google ID token in `flash[:google_sign_in_token]`. Your application decides what to do with it:
+a Google ID token in `flash[:google_sign_in][:id_token]` or an [OAuth authorizaton code grant error](https://tools.ietf.org/html/rfc6749#section-4.1.2.1)
+in `flash[:google_sign_in][:error]`. Your application decides what to do with it:
 
 ```ruby
 # config/routes.rb
@@ -108,8 +119,11 @@ class LoginsController < ApplicationController
 
   private
     def authenticate_with_google
-      if flash[:google_sign_in_token].present?
-        User.find_by google_id: GoogleSignIn::Identity.new(flash[:google_sign_in_token]).user_id
+      if id_token = flash[:google_sign_in][:id_token]
+        User.find_by google_id: GoogleSignIn::Identity.new(id_token).user_id
+      elsif error = flash[:google_sign_in][:error]
+        logger.error "Google authentication error: #{error}"
+        nil
       end
     end
 end
@@ -143,6 +157,10 @@ information contained in the token via the following instance methods:
 
 * `hosted_domain`: The user’s hosted G Suite domain, provided only if they belong to a G Suite.
 
+* `given_name`: The user's given name.
+
+* `last_name`: The user's last name.
+
 
 ## Security
 

data/app/controllers/google_sign_in/authorizations_controller.rb

@@ -1,6 +1,8 @@
 require 'securerandom'
 
 class GoogleSignIn::AuthorizationsController < GoogleSignIn::BaseController
+  skip_forgery_protection only: :create
+
   def create
     redirect_to login_url(scope: 'openid profile email', state: state),
       flash: { proceed_to: params.require(:proceed_to), state: state }

data/app/controllers/google_sign_in/base_controller.rb

@@ -9,7 +9,7 @@ class GoogleSignIn::BaseController < ActionController::Base
         GoogleSignIn.client_id,
         GoogleSignIn.client_secret,
         authorize_url: 'https://accounts.google.com/o/oauth2/auth',
-        token_url: 'https://www.googleapis.com/oauth2/v4/token',
+        token_url: 'https://oauth2.googleapis.com/token',
         redirect_uri: callback_url
     end
 end

data/app/controllers/google_sign_in/callbacks_controller.rb

@@ -2,26 +2,36 @@ require_dependency 'google_sign_in/redirect_protector'
 
 class GoogleSignIn::CallbacksController < GoogleSignIn::BaseController
   def show
-    if valid_request?
-      redirect_to proceed_to_url, flash: { google_sign_in_token: id_token }
-    else
-      head :unprocessable_entity
-    end
+    redirect_to proceed_to_url, flash: { google_sign_in: google_sign_in_response }
   rescue GoogleSignIn::RedirectProtector::Violation => error
     logger.error error.message
     head :bad_request
   end
 
   private
-    def valid_request?
-      flash[:state].present? && params.require(:state) == flash[:state]
-    end
-
     def proceed_to_url
       flash[:proceed_to].tap { |url| GoogleSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
     end
 
+    def google_sign_in_response
+      if valid_request? && params[:code].present?
+        { id_token: id_token }
+      else
+        { error: error_message_for(params[:error]) }
+      end
+    rescue OAuth2::Error => error
+      { error: error_message_for(error.code) }
+    end
+
+    def valid_request?
+      flash[:state].present? && params[:state] == flash[:state]
+    end
+
     def id_token
-      client.auth_code.get_token(params.require(:code))['id_token']
+      client.auth_code.get_token(params[:code])['id_token']
+    end
+
+    def error_message_for(error_code)
+      error_code.presence_in(GoogleSignIn::OAUTH2_ERRORS) || "invalid_request"
     end
 end

data/bin/rails

@@ -3,7 +3,7 @@
 # installed from the root of your application.
 
 ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/blorgh/engine', __dir__)
+ENGINE_PATH = File.expand_path('../lib/google_sign_in/engine', __dir__)
 APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
 
 # Set up gems listed in the Gemfile.

data/google_sign_in.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name     = 'google_sign_in'
-  s.version  = '1.1.2'
+  s.version  = '1.2.0'
   s.authors  = ['David Heinemeier Hansson', 'George Claghorn']
   s.email    = ['david@basecamp.com', 'george@basecamp.com']
   s.summary  = 'Sign in (or up) with Google for Rails applications'

data/lib/google_sign_in.rb

@@ -4,6 +4,31 @@ require 'active_support/rails'
 module GoogleSignIn
   mattr_accessor :client_id
   mattr_accessor :client_secret
+
+  # https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  authorization_request_errors = %w[
+    invalid_request
+    unauthorized_client
+    access_denied
+    unsupported_response_type
+    invalid_scope
+    server_error
+    temporarily_unavailable
+  ]
+
+  # https://tools.ietf.org/html/rfc6749#section-5.2
+  access_token_request_errors = %w[
+    invalid_request
+    invalid_client
+    invalid_grant
+    unauthorized_client
+    unsupported_grant_type
+    invalid_scope
+  ]
+
+  # Authorization Code Grant errors from both authorization requests
+  # and access token requests.
+  OAUTH2_ERRORS = authorization_request_errors | access_token_request_errors
 end
 
 require 'google_sign_in/identity'

data/lib/google_sign_in/identity.rb

@@ -40,6 +40,14 @@ module GoogleSignIn
       @payload["hd"]
     end
 
+    def given_name
+      @payload["given_name"]
+    end
+
+    def family_name
+      @payload["family_name"]
+    end
+
     private
       delegate :client_id, to: GoogleSignIn
 

data/lib/google_sign_in/redirect_protector.rb

@@ -9,8 +9,8 @@ module GoogleSignIn
     QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
 
     def ensure_same_origin(target, source)
-      if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
-        raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
+      if target.blank? || (target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source))
+        raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
       end
     end
 

data/test/controllers/callbacks_controller_test.rb

@@ -5,16 +5,92 @@ class GoogleSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
     assert_response :redirect
 
-    stub_token_request code: '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
+    stub_token_for '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
 
     get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
     assert_redirected_to 'http://www.example.com/login'
-    assert_equal 'eyJhbGciOiJSUzI', flash[:google_sign_in_token]
+    assert_equal 'eyJhbGciOiJSUzI', flash[:google_sign_in][:id_token]
+    assert_nil flash[:google_sign_in][:error]
   end
 
-  test "protecting against CSRF" do
+  # Authorization request errors: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  %w[ invalid_request unauthorized_client access_denied unsupported_response_type invalid_scope server_error temporarily_unavailable ].each do |error|
+    test "receiving an authorization code grant error: #{error}" do
+      post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      get google_sign_in.callback_url(error: error, state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:google_sign_in][:id_token]
+      assert_equal error, flash[:google_sign_in][:error]
+    end
+  end
+
+  test "receiving an invalid authorization error" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(error: 'unknown error code', state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal "invalid_request", flash[:google_sign_in][:error]
+  end
+
+  test "receiving neither code nor error" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  # Access token request errors: https://tools.ietf.org/html/rfc6749#section-5.2
+  %w[ invalid_request invalid_client invalid_grant unauthorized_client unsupported_grant_type invalid_scope ].each do |error|
+    test "receiving an access token request error: #{error}" do
+      post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      stub_token_error_for '4/SgCpHSVW5-Cy', error: error
+
+      get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:google_sign_in][:id_token]
+      assert_equal error, flash[:google_sign_in][:error]
+    end
+  end
+
+  test "protecting against CSRF without flash state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  test "protecting against CSRF with invalid state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
     get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
-    assert_response :unprocessable_entity
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
+  end
+
+  test "protecting against CSRF with missing state" do
+    post google_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:google_sign_in][:id_token]
+    assert_equal 'invalid_request', flash[:google_sign_in][:error]
   end
 
   test "protecting against open redirects" do
@@ -25,12 +101,33 @@ class GoogleSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
   end
 
+  test "receiving no proceed_to URL" do
+    get google_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_response :bad_request
+  end
+
   private
-    def stub_token_request(code:, **params)
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v4/token').
-        with(body: { grant_type: 'authorization_code', code: code,
-          client_id: FAKE_GOOGLE_CLIENT_ID, client_secret: FAKE_GOOGLE_CLIENT_SECRET,
-          redirect_uri: 'http://www.example.com/google_sign_in/callback' }).
-        to_return(status: 200, headers: { 'Content-Type' => 'application/json' }, body: JSON.generate(params))
+    def stub_token_for(code, **response_body)
+      stub_token_request(code, status: 200, response: response_body)
+    end
+
+    def stub_token_error_for(code, error:)
+      stub_token_request(code, status: 418, response: { error: error })
+    end
+
+    def stub_token_request(code, status:, response:)
+      stub_request(:post, 'https://oauth2.googleapis.com/token').with(
+        body: {
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: FAKE_GOOGLE_CLIENT_ID,
+          client_secret: FAKE_GOOGLE_CLIENT_SECRET,
+          redirect_uri: 'http://www.example.com/google_sign_in/callback'
+        }
+      ).to_return(
+        status: status,
+        headers: { 'Content-Type' => 'application/json' },
+        body: JSON.generate(response)
+      )
     end
 end

data/test/models/identity_test.rb

@@ -65,6 +65,14 @@ class GoogleSignIn::IdentityTest < ActiveSupport::TestCase
     assert_equal "basecamp.com", GoogleSignIn::Identity.new(token_with(hd: "basecamp.com")).hosted_domain
   end
 
+  test "extracting given name" do
+    assert_equal "George", GoogleSignIn::Identity.new(token_with(given_name: "George")).given_name
+  end
+
+  test "extracting family name" do
+    assert_equal "Claghorn", GoogleSignIn::Identity.new(token_with(family_name: "Claghorn")).family_name
+  end
+
   private
     def switch_client_id_to(value)
       previous_value = GoogleSignIn.client_id

data/test/models/redirect_protector_test.rb

@@ -20,6 +20,12 @@ class GoogleSignIn::RedirectProtectorTest < ActiveSupport::TestCase
     end
   end
 
+  test "disallows empty URL target" do
+    assert_raises GoogleSignIn::RedirectProtector::Violation do
+      GoogleSignIn::RedirectProtector.ensure_same_origin nil, 'https://basecamp.com'
+    end
+  end
+
   test "allows URL target with same origin as source" do
     assert_nothing_raised do
       GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com', 'https://basecamp.com'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google_sign_in
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-22 00:00:00.000000000 Z
+date: 2020-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -212,8 +212,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Sign in (or up) with Google for Rails applications