googleauth 0.5.1 → 0.11.0

data/lib/googleauth/user_authorizer.rb

@@ -27,10 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'uri'
-require 'multi_json'
-require 'googleauth/signet'
-require 'googleauth/user_refresh'
+require "uri"
+require "multi_json"
+require "googleauth/signet"
+require "googleauth/user_refresh"
 
 module Google
   module Auth
@@ -53,13 +53,13 @@ module Google
     #     ...
     class UserAuthorizer
       MISMATCHED_CLIENT_ID_ERROR =
-        'Token client ID of %s does not match configured client id %s'
-      NIL_CLIENT_ID_ERROR = 'Client id can not be nil.'
-      NIL_SCOPE_ERROR = 'Scope can not be nil.'
-      NIL_USER_ID_ERROR = 'User ID can not be nil.'
-      NIL_TOKEN_STORE_ERROR = 'Can not call method if token store is nil'
+        "Token client ID of %s does not match configured client id %s".freeze
+      NIL_CLIENT_ID_ERROR = "Client id can not be nil.".freeze
+      NIL_SCOPE_ERROR = "Scope can not be nil.".freeze
+      NIL_USER_ID_ERROR = "User ID can not be nil.".freeze
+      NIL_TOKEN_STORE_ERROR = "Can not call method if token store is nil".freeze
       MISSING_ABSOLUTE_URL_ERROR =
-        'Absolute base url required for relative callback url "%s"'
+        'Absolute base url required for relative callback url "%s"'.freeze
 
       # Initialize the authorizer
       #
@@ -72,14 +72,14 @@ module Google
       # @param [String] callback_uri
       #  URL (either absolute or relative) of the auth callback.
       #  Defaults to '/oauth2callback'
-      def initialize(client_id, scope, token_store, callback_uri = nil)
-        fail NIL_CLIENT_ID_ERROR if client_id.nil?
-        fail NIL_SCOPE_ERROR if scope.nil?
+      def initialize client_id, scope, token_store, callback_uri = nil
+        raise NIL_CLIENT_ID_ERROR if client_id.nil?
+        raise NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || '/oauth2callback'
+        @callback_uri = callback_uri || "/oauth2callback"
       end
 
       # Build the URL for requesting authorization.
@@ -97,19 +97,20 @@ module Google
       #  nil.
       # @return [String]
       #  Authorization url
-      def get_authorization_url(options = {})
+      def get_authorization_url options = {}
         scope = options[:scope] || @scope
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope: scope)
-        redirect_uri = redirect_uri_for(options[:base_url])
-        url = credentials.authorization_uri(access_type: 'offline',
-                                            redirect_uri: redirect_uri,
-                                            approval_prompt: 'force',
-                                            state: options[:state],
+          scope:         scope
+        )
+        redirect_uri = redirect_uri_for options[:base_url]
+        url = credentials.authorization_uri(access_type:            "offline",
+                                            redirect_uri:           redirect_uri,
+                                            approval_prompt:        "force",
+                                            state:                  options[:state],
                                             include_granted_scopes: true,
-                                            login_hint: options[:login_hint])
+                                            login_hint:             options[:login_hint])
         url.to_s
       end
 
@@ -122,31 +123,26 @@ module Google
       #  the requested scopes
       # @return [Google::Auth::UserRefreshCredentials]
       #  Stored credentials, nil if none present
-      def get_credentials(user_id, scope = nil)
-        fail NIL_USER_ID_ERROR if user_id.nil?
-        fail NIL_TOKEN_STORE_ERROR if @token_store.nil?
-
-        scope ||= @scope
-        saved_token = @token_store.load(user_id)
+      def get_credentials user_id, scope = nil
+        saved_token = stored_token user_id
         return nil if saved_token.nil?
-        data = MultiJson.load(saved_token)
+        data = MultiJson.load saved_token
 
-        if data.fetch('client_id', @client_id.id) != @client_id.id
-          fail sprintf(MISMATCHED_CLIENT_ID_ERROR,
-                       data['client_id'], @client_id.id)
+        if data.fetch("client_id", @client_id.id) != @client_id.id
+          raise format(MISMATCHED_CLIENT_ID_ERROR,
+                       data["client_id"], @client_id.id)
         end
 
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope: data['scope'] || @scope,
-          access_token: data['access_token'],
-          refresh_token: data['refresh_token'],
-          expires_at: data.fetch('expiration_time_millis', 0) / 1000)
-        if credentials.includes_scope?(scope)
-          monitor_credentials(user_id, credentials)
-          return credentials
-        end
+          scope:         data["scope"] || @scope,
+          access_token:  data["access_token"],
+          refresh_token: data["refresh_token"],
+          expires_at:    data.fetch("expiration_time_millis", 0) / 1000
+        )
+        scope ||= @scope
+        return monitor_credentials user_id, credentials if credentials.includes_scope? scope
         nil
       end
 
@@ -165,19 +161,20 @@ module Google
       #  callback uri is a relative.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
-      def get_credentials_from_code(options = {})
+      def get_credentials_from_code options = {}
         user_id = options[:user_id]
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
         credentials = UserRefreshCredentials.new(
-          client_id: @client_id.id,
+          client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          redirect_uri: redirect_uri_for(base_url),
-          scope: scope)
+          redirect_uri:  redirect_uri_for(base_url),
+          scope:         scope
+        )
         credentials.code = code
         credentials.fetch_access_token!({})
-        monitor_credentials(user_id, credentials)
+        monitor_credentials user_id, credentials
       end
 
       # Exchanges an authorization code returned in the oauth callback.
@@ -197,10 +194,9 @@ module Google
       #  callback uri is a relative.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
-      def get_and_store_credentials_from_code(options = {})
-        credentials = get_credentials_from_code(options)
-        monitor_credentials(options[:user_id], credentials)
-        store_credentials(options[:user_id], credentials)
+      def get_and_store_credentials_from_code options = {}
+        credentials = get_credentials_from_code options
+        store_credentials options[:user_id], credentials
       end
 
       # Revokes a user's credentials. This both revokes the actual
@@ -208,11 +204,11 @@ module Google
       #
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
-      def revoke_authorization(user_id)
-        credentials = get_credentials(user_id)
+      def revoke_authorization user_id
+        credentials = get_credentials user_id
         if credentials
           begin
-            @token_store.delete(user_id)
+            @token_store.delete user_id
           ensure
             credentials.revoke!
           end
@@ -228,19 +224,32 @@ module Google
       #  Unique ID of the user for loading/storing credentials.
       # @param [Google::Auth::UserRefreshCredentials] credentials
       #  Credentials to store.
-      def store_credentials(user_id, credentials)
+      def store_credentials user_id, credentials
         json = MultiJson.dump(
-          client_id: credentials.client_id,
-          access_token: credentials.access_token,
-          refresh_token: credentials.refresh_token,
-          scope: credentials.scope,
-          expiration_time_millis: (credentials.expires_at.to_i) * 1000)
-        @token_store.store(user_id, json)
+          client_id:              credentials.client_id,
+          access_token:           credentials.access_token,
+          refresh_token:          credentials.refresh_token,
+          scope:                  credentials.scope,
+          expiration_time_millis: credentials.expires_at.to_i * 1000
+        )
+        @token_store.store user_id, json
         credentials
       end
 
       private
 
+      # @private Fetch stored token with given user_id
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @return [String] The saved token from @token_store
+      def stored_token user_id
+        raise NIL_USER_ID_ERROR if user_id.nil?
+        raise NIL_TOKEN_STORE_ERROR if @token_store.nil?
+
+        @token_store.load user_id
+      end
+
       # Begin watching a credential for refreshes so the access token can be
       # saved.
       #
@@ -248,9 +257,9 @@ module Google
       #  Unique ID of the user for loading/storing credentials.
       # @param [Google::Auth::UserRefreshCredentials] credentials
       #  Credentials to store.
-      def monitor_credentials(user_id, credentials)
+      def monitor_credentials user_id, credentials
         credentials.on_refresh do |cred|
-          store_credentials(user_id, cred)
+          store_credentials user_id, cred
         end
         credentials
       end
@@ -261,13 +270,16 @@ module Google
       #  Absolute URL to resolve the callback against if necessary.
       # @return [String]
       #  Redirect URI
-      def redirect_uri_for(base_url)
-        return @callback_uri unless URI(@callback_uri).scheme.nil?
-        fail sprintf(
-          MISSING_ABSOLUTE_URL_ERROR,
-          @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
+      def redirect_uri_for base_url
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
+        raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
         URI.join(base_url, @callback_uri).to_s
       end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -27,10 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'googleauth/signet'
-require 'googleauth/credentials_loader'
-require 'googleauth/scope_util'
-require 'multi_json'
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "googleauth/scope_util"
+require "multi_json"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -44,63 +44,72 @@ module Google
     # 'gcloud auth login' saves a file with these contents in well known
     # location
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class UserRefreshCredentials < Signet::OAuth2::Client
-      TOKEN_CRED_URI = 'https://www.googleapis.com/oauth2/v3/token'
-      AUTHORIZATION_URI = 'https://accounts.google.com/o/oauth2/auth'
-      REVOKE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/revoke'
+      TOKEN_CRED_URI = "https://oauth2.googleapis.com/token".freeze
+      AUTHORIZATION_URI = "https://accounts.google.com/o/oauth2/auth".freeze
+      REVOKE_TOKEN_URI = "https://oauth2.googleapis.com/revoke".freeze
       extend CredentialsLoader
+      attr_reader :project_id
 
       # Create a UserRefreshCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
-        user_creds = read_json_key(json_key_io) if json_key_io
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        user_creds = read_json_key json_key_io if json_key_io
         user_creds ||= {
-          'client_id'     => ENV[CredentialsLoader::CLIENT_ID_VAR],
-          'client_secret' => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
-          'refresh_token' => ENV[CredentialsLoader::REFRESH_TOKEN_VAR]
+          "client_id"     => ENV[CredentialsLoader::CLIENT_ID_VAR],
+          "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
+          "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
+          "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR]
         }
 
         new(token_credential_uri: TOKEN_CRED_URI,
-            client_id: user_creds['client_id'],
-            client_secret: user_creds['client_secret'],
-            refresh_token: user_creds['refresh_token'],
-            scope: scope)
+            client_id:            user_creds["client_id"],
+            client_secret:        user_creds["client_secret"],
+            refresh_token:        user_creds["refresh_token"],
+            project_id:           user_creds["project_id"],
+            scope:                scope)
+          .configure_connection(options)
       end
 
       # Reads the client_id, client_secret and refresh_token fields from the
       # JSON key.
-      def self.read_json_key(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        wanted = %w(client_id client_secret refresh_token)
+      def self.read_json_key json_key_io
+        json_key = MultiJson.load json_key_io.read
+        wanted = ["client_id", "client_secret", "refresh_token"]
         wanted.each do |key|
-          fail "the json is missing the #{key} field" unless json_key.key?(key)
+          raise "the json is missing the #{key} field" unless json_key.key? key
         end
         json_key
       end
 
-      def initialize(options = {})
+      def initialize options = {}
         options ||= {}
         options[:token_credential_uri] ||= TOKEN_CRED_URI
         options[:authorization_uri] ||= AUTHORIZATION_URI
-        super(options)
+        @project_id = options[:project_id]
+        @project_id ||= CredentialsLoader.load_gcloud_project_id
+        super options
       end
 
       # Revokes the credential
-      def revoke!(options = {})
+      def revoke! options = {}
         c = options[:connection] || Faraday.default_connection
-        resp = c.get(REVOKE_TOKEN_URI, token: refresh_token || access_token)
-        case resp.status
-        when 200
-          self.access_token = nil
-          self.refresh_token = nil
-          self.expires_at = 0
-        else
-          fail(Signet::AuthorizationError,
-               "Unexpected error code #{resp.status}")
+
+        retry_with_error do
+          resp = c.post(REVOKE_TOKEN_URI, token: refresh_token || access_token)
+          case resp.status
+          when 200
+            self.access_token = nil
+            self.refresh_token = nil
+            self.expires_at = 0
+          else
+            raise(Signet::AuthorizationError,
+                  "Unexpected error code #{resp.status}")
+          end
         end
       end
 
@@ -110,7 +119,7 @@ module Google
       #  Scope to verify
       # @return [Boolean]
       #  True if scope is granted
-      def includes_scope?(required_scope)
+      def includes_scope? required_scope
         missing_scope = Google::Auth::ScopeUtil.normalize(required_scope) -
                         Google::Auth::ScopeUtil.normalize(scope)
         missing_scope.empty?

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = '0.5.1'
+    VERSION = "0.11.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -27,11 +27,11 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
-require 'googleauth/signet'
-require 'googleauth/user_authorizer'
-require 'googleauth/user_refresh'
-require 'securerandom'
+require "multi_json"
+require "googleauth/signet"
+require "googleauth/user_authorizer"
+require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -66,20 +66,21 @@ module Google
     # @see {Google::Auth::ControllerHelpers}
     # @note Requires sessions are enabled
     class WebUserAuthorizer < Google::Auth::UserAuthorizer
-      STATE_PARAM = 'state'
-      AUTH_CODE_KEY = 'code'
-      ERROR_CODE_KEY = 'error'
-      SESSION_ID_KEY = 'session_id'
-      CALLBACK_STATE_KEY = 'g-auth-callback'
-      CURRENT_URI_KEY = 'current_uri'
-      XSRF_KEY = 'g-xsrf-token'
-      SCOPE_KEY = 'scope'
+      STATE_PARAM = "state".freeze
+      AUTH_CODE_KEY = "code".freeze
+      ERROR_CODE_KEY = "error".freeze
+      SESSION_ID_KEY = "session_id".freeze
+      CALLBACK_STATE_KEY = "g-auth-callback".freeze
+      CURRENT_URI_KEY = "current_uri".freeze
+      XSRF_KEY = "g-xsrf-token".freeze
+      SCOPE_KEY = "scope".freeze
 
-      NIL_REQUEST_ERROR = 'Request is required.'
-      NIL_SESSION_ERROR = 'Sessions must be enabled'
-      MISSING_AUTH_CODE_ERROR = 'Missing authorization code in request'
-      AUTHORIZATION_ERROR = 'Authorization error: %s'
-      INVALID_STATE_TOKEN_ERROR = 'State token does not match expected value'
+      NIL_REQUEST_ERROR = "Request is required.".freeze
+      NIL_SESSION_ERROR = "Sessions must be enabled".freeze
+      MISSING_AUTH_CODE_ERROR = "Missing authorization code in request".freeze
+      AUTHORIZATION_ERROR = "Authorization error: %s".freeze
+      INVALID_STATE_TOKEN_ERROR =
+        "State token does not match expected value".freeze
 
       class << self
         attr_accessor :default
@@ -96,9 +97,9 @@ module Google
       #
       # @param [Rack::Request] request
       #  Current request
-      def self.handle_auth_callback_deferred(request)
-        callback_state, redirect_uri = extract_callback_state(request)
-        request.session[CALLBACK_STATE_KEY] = MultiJson.dump(callback_state)
+      def self.handle_auth_callback_deferred request
+        callback_state, redirect_uri = extract_callback_state request
+        request.session[CALLBACK_STATE_KEY] = MultiJson.dump callback_state
         redirect_uri
       end
 
@@ -113,8 +114,8 @@ module Google
       # @param [String] callback_uri
       #  URL (either absolute or relative) of the auth callback. Defaults
       #  to '/oauth2callback'
-      def initialize(client_id, scope, token_store, callback_uri = nil)
-        super(client_id, scope, token_store, callback_uri)
+      def initialize client_id, scope, token_store, callback_uri = nil
+        super client_id, scope, token_store, callback_uri
       end
 
       # Handle the result of the oauth callback. Exchanges the authorization
@@ -126,15 +127,17 @@ module Google
       #  Current request
       # @return (Google::Auth::UserRefreshCredentials, String)
       #  credentials & next URL to redirect to
-      def handle_auth_callback(user_id, request)
+      def handle_auth_callback user_id, request
         callback_state, redirect_uri = WebUserAuthorizer.extract_callback_state(
-          request)
-        WebUserAuthorizer.validate_callback_state(callback_state, request)
+          request
+        )
+        WebUserAuthorizer.validate_callback_state callback_state, request
         credentials = get_and_store_credentials_from_code(
-          user_id: user_id,
-          code: callback_state[AUTH_CODE_KEY],
-          scope: callback_state[SCOPE_KEY],
-          base_url: request.url)
+          user_id:  user_id,
+          code:     callback_state[AUTH_CODE_KEY],
+          scope:    callback_state[SCOPE_KEY],
+          base_url: request.url
+        )
         [credentials, redirect_uri]
       end
 
@@ -151,29 +154,35 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if
       #  not nil.
+      # @param [Hash] state
+      #  Optional key-values to be returned to the oauth callback.
       # @return [String]
       #  Authorization url
-      def get_authorization_url(options = {})
+      def get_authorization_url options = {}
         options = options.dup
         request = options[:request]
-        fail NIL_REQUEST_ERROR if request.nil?
-        fail NIL_SESSION_ERROR if request.session.nil?
+        raise NIL_REQUEST_ERROR if request.nil?
+        raise NIL_SESSION_ERROR if request.session.nil?
+
+        state = options[:state] || {}
 
         redirect_to = options[:redirect_to] || request.url
         request.session[XSRF_KEY] = SecureRandom.base64
-        options[:state] = MultiJson.dump(
-          SESSION_ID_KEY => request.session[XSRF_KEY],
-          CURRENT_URI_KEY => redirect_to)
+        options[:state] = MultiJson.dump(state.merge(
+                                           SESSION_ID_KEY  => request.session[XSRF_KEY],
+                                           CURRENT_URI_KEY => redirect_to
+                                         ))
         options[:base_url] = request.url
-        super(options)
+        super options
       end
 
-      # Fetch stored credentials for the user.
+      # Fetch stored credentials for the user from the given request session.
       #
       # @param [String] user_id
       #  Unique ID of the user for loading/storing credentials.
       # @param [Rack::Request] request
-      #  Current request
+      #  Current request. Optional. If omitted, this will attempt to fall back
+      #  on the base class behavior of reading from the token store.
       # @param [Array<String>, String] scope
       #  If specified, only returns credentials that have all the \
       #  requested scopes
@@ -182,31 +191,32 @@ module Google
       # @raise [Signet::AuthorizationError]
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
-      def get_credentials(user_id, request, scope = nil)
-        if request.session.key?(CALLBACK_STATE_KEY)
+      def get_credentials user_id, request = nil, scope = nil
+        if request && request.session.key?(CALLBACK_STATE_KEY)
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
-          state_json = request.session.delete(CALLBACK_STATE_KEY)
-          callback_state = MultiJson.load(state_json)
-          WebUserAuthorizer.validate_callback_state(callback_state, request)
+          state_json = request.session.delete CALLBACK_STATE_KEY
+          callback_state = MultiJson.load state_json
+          WebUserAuthorizer.validate_callback_state callback_state, request
           get_and_store_credentials_from_code(
-            user_id: user_id,
-            code: callback_state[AUTH_CODE_KEY],
-            scope: callback_state[SCOPE_KEY],
-            base_url: request.url)
+            user_id:  user_id,
+            code:     callback_state[AUTH_CODE_KEY],
+            scope:    callback_state[SCOPE_KEY],
+            base_url: request.url
+          )
         else
-          super(user_id, scope)
+          super user_id, scope
         end
       end
 
-      def self.extract_callback_state(request)
-        state = MultiJson.load(request[STATE_PARAM] || '{}')
+      def self.extract_callback_state request
+        state = MultiJson.load(request[STATE_PARAM] || "{}")
         redirect_uri = state[CURRENT_URI_KEY]
         callback_state = {
-          AUTH_CODE_KEY => request[AUTH_CODE_KEY],
-          ERROR_CODE_KEY =>  request[ERROR_CODE_KEY],
+          AUTH_CODE_KEY  => request[AUTH_CODE_KEY],
+          ERROR_CODE_KEY => request[ERROR_CODE_KEY],
           SESSION_ID_KEY => state[SESSION_ID_KEY],
-          SCOPE_KEY => request[SCOPE_KEY]
+          SCOPE_KEY      => request[SCOPE_KEY]
         }
         [callback_state, redirect_uri]
       end
@@ -221,14 +231,13 @@ module Google
       #  Error message if failed
       # @param [Rack::Request] request
       #  Current request
-      def self.validate_callback_state(state, request)
-        if state[AUTH_CODE_KEY].nil?
-          fail Signet::AuthorizationError, MISSING_AUTH_CODE_ERROR
-        elsif state[ERROR_CODE_KEY]
-          fail Signet::AuthorizationError,
-               sprintf(AUTHORIZATION_ERROR, state[ERROR_CODE_KEY])
+      def self.validate_callback_state state, request
+        raise Signet::AuthorizationError, MISSING_AUTH_CODE_ERROR if state[AUTH_CODE_KEY].nil?
+        if state[ERROR_CODE_KEY]
+          raise Signet::AuthorizationError,
+                format(AUTHORIZATION_ERROR, state[ERROR_CODE_KEY])
         elsif request.session[XSRF_KEY] != state[SESSION_ID_KEY]
-          fail Signet::AuthorizationError, INVALID_STATE_TOKEN_ERROR
+          raise Signet::AuthorizationError, INVALID_STATE_TOKEN_ERROR
         end
       end
 
@@ -254,7 +263,7 @@ module Google
       #
       # @see {Google::Auth::WebUserAuthorizer}
       class CallbackApp
-        LOCATION_HEADER = 'Location'
+        LOCATION_HEADER = "Location".freeze
         REDIR_STATUS = 302
         ERROR_STATUS = 500
 
@@ -270,18 +279,18 @@ module Google
         #  Rack environment
         # @return [Array]
         #  HTTP response
-        def self.call(env)
-          request = Rack::Request.new(env)
-          return_url = WebUserAuthorizer.handle_auth_callback_deferred(request)
+        def self.call env
+          request = Rack::Request.new env
+          return_url = WebUserAuthorizer.handle_auth_callback_deferred request
           if return_url
             [REDIR_STATUS, { LOCATION_HEADER => return_url }, []]
           else
-            [ERROR_STATUS, {}, ['No return URL is present in the request.']]
+            [ERROR_STATUS, {}, ["No return URL is present in the request."]]
           end
         end
 
-        def call(env)
-          self.class.call(env)
+        def call env
+          self.class.call env
         end
       end
     end