RubyGems - heroku-bouncer - Versions diffs - 0.4.0.pre2 → 0.4.0.pre3 - Mend

heroku-bouncer 0.4.0.pre2 → 0.4.0.pre3

Files changed (6) hide show

checksums.yaml +4 -4
data/Gemfile.lock +16 -5
data/README.md +45 -17
data/Rakefile +9 -0
data/lib/heroku/bouncer/middleware.rb +43 -4
metadata +63 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 251889f5d6ea897a0ff12014d09e83ecc1daec83
-  data.tar.gz: 35458dfffc28c61a9b1ec3391a38039308a81840
+  metadata.gz: e309a66ada0259f78b01d8524259250a0cbba5ab
+  data.tar.gz: 66b98fb8a1fa87093aa6b632c1097077a3d13792
 SHA512:
-  metadata.gz: c8f8233a0789b6be629ed528ff9d7e6b0529bf6c3a93ae16b673ba54538383655f793989d785a4dadf1b8c25052a7ba9dabb9cdcd662a9129d2c8cdc5eef6271
-  data.tar.gz: cda090b0f6ce0803f1981d318f0ca02bd2dbf04362c18ee6603523d864efeccf696268a9db59c673867306585bb24038412dff9b7da81f1f49b0bd90cfa06629
+  metadata.gz: c334ee9efd1af0e1c6e9e9d9ea72c3c26f63b514179cb6a163cd7bb58859b3b6497811f7fada20ff59ae571f963ec430d4f4929d5d9c99d282e81c9d65cd4143
+  data.tar.gz: dd1ce965ccea7181e62189b361b5125d730a0cb30c5fdf3cbb543d07cae42b5bd8604b546ca7cc70d3f6c04e1a4c1747316664cd018396e4d1268963385fa77c

data/Gemfile.lock CHANGED Viewed

@@ -1,10 +1,10 @@
 PATH
   remote: .
   specs:
-    heroku-bouncer (0.3.3)
+    heroku-bouncer (0.4.0.pre2)
       faraday (~> 0.8)
-      multi_json (~> 1.0)
       omniauth-heroku (>= 0.1.0)
+      rack (~> 1.0)
       sinatra (~> 1.0)
 GEM
@@ -12,12 +12,16 @@ GEM
   specs:
     faraday (0.8.8)
       multipart-post (~> 1.2.0)
-    hashie (2.0.5)
+    hashie (1.2.0)
     httpauth (0.2.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
+    metaclass (0.0.1)
     minitest (5.0.8)
-    multi_json (1.8.0)
+    minitest-spec-context (0.0.3)
+    mocha (0.14.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.8.2)
     multipart-post (1.2.0)
     oauth2 (0.8.1)
       faraday (~> 0.8)
@@ -37,7 +41,10 @@ GEM
     rack (1.5.2)
     rack-protection (1.5.0)
       rack
-    sinatra (1.4.3)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rake (10.1.0)
+    sinatra (1.4.4)
       rack (~> 1.4)
       rack-protection (~> 1.4)
       tilt (~> 1.3, >= 1.3.4)
@@ -49,3 +56,7 @@ PLATFORMS
 DEPENDENCIES
   heroku-bouncer!
   minitest (~> 5.0)
+  minitest-spec-context
+  mocha
+  rack-test
+  rake

data/README.md CHANGED Viewed

@@ -1,3 +1,5 @@
+[![Build Status](https://travis-ci.org/heroku/heroku-bouncer.png)](https://travis-ci.org/heroku/heroku-bouncer)
 # Heroku Bouncer
 Heroku Bouncer is a Rack middleware (implemented in Sinatra) that
@@ -40,7 +42,8 @@ Sinatra app that uses heroku-bouncer.
     # use `openssl rand -base64 32` to generate a secret
     use Rack::Session::Cookie, secret: "..."
-    use Heroku::Bouncer
+    use Heroku::Bouncer,
+      oauth: { id: "...", secret: "..." }, secret: "..."
     run MyApp
     ```
@@ -54,7 +57,8 @@ Sinatra app that uses heroku-bouncer.
     class MyApp < Sinatra::Base
       ...
       enable :sessions, secret: "..."
-      use ::Heroku::Bouncer
+      use ::Heroku::Bouncer,
+        oauth: { id: "...", secret: "..." }, secret: "..."
       ...
     ```
@@ -63,10 +67,11 @@ Sinatra app that uses heroku-bouncer.
     Add a middleware configuration line to `config/application.rb`:
     ```ruby
-    config.middleware.use ::Heroku::Bouncer
+    config.middleware.use ::Heroku::Bouncer,
+      oauth: { id: "...", secret: "..." }, secret: "..."
     ```
-4. Add the required options `:oauth` and `:secret` as explained
+4. Fill in the required settings `:oauth` and `:secret` as explained
    below.
 ## Settings
@@ -77,15 +82,15 @@ Two settings are **required**:
 * `secret`: A random string used as an encryption secret used to secure
   the user information in the session.
-For example:
+Using environment variables for these is recommended, for example:
 ```ruby
 use Heroku::Bouncer,
-  oauth: { id: "...", secret: "..." },
-  secret: "..."
+  oauth: { id: ENV['HEROKU_OAUTH_ID'], secret: ENV['HEROKU_OAUTH_SECRET'] },
+  secret: ENV['HEROKU_BOUNCER_SECRET']
 ```
-There are 5 options you can pass to the middleware:
+There are 7 additional options you can pass to the middleware:
 * `oauth[:scope]`: The [OAuth scope][] to use when requesting the OAuth
   token. Default: `identity`.
@@ -98,9 +103,13 @@ There are 5 options you can pass to the middleware:
   Default: `true`
 * `expose_user`: Expose the user attributes in the session. Default:
   `true`
+* `session_sync_nonce`: If present, determines the name of a cookie shared across properties under a same domain in order to keep their sessions synchronized. Default: `nil`
+* `allow_anonymous`: Accepts a lambda that gets called with each request. If the lambda evals to true, the request will not enforce authentication (e.g: `allow_anonymous: lambda { |req| !/\A\/admin/.match(req.fullpath) }` will allow anonymous requests except those with under the `/admin` path). Default: `nil`, which does not allow anonymous access to any URL.
 You use these by passing a hash to the `use` call, for example:
 ```ruby
 use Heroku::Bouncer,
   oauth: { id: "...", secret: "...", scope: "global" },
@@ -124,7 +133,7 @@ You can access this in Sinatra and Rails by  `request.env[key]`, e.g.
 If you set `expose_token` to `true`, you'll get an API token that you
 can use to make Heroku API calls on behalf of the logged-in user using
-[heroku.rb](https://github.com/heroku/heroku.rb).
+[heroku.rb][] .
 ```ruby
 heroku = Heroku::API.new(:api_key => request.env["bouncer.token"])
@@ -143,16 +152,35 @@ logging in again.
 ## Conditionally enable the middleware
-Don't want to OAuth on every request? Use a middleware to conditionally
-enable this middleware, like [Rack::Builder][].
-Alternatively, [use inheritance to extend the middleware to act any way
-you like][inheritance].
+> Don't want to OAuth on every request? Use a middleware to conditionally
+> enable this middleware, like [Rack::Builder][].
+> Alternatively, [use inheritance to extend the middleware to act any way
+> you like][inheritance].
-## There be dragons
+Due to changes in how the middleware stack is built, this is currently
+broken in the 0.4.0 prereleases.
-* There's no tests yet. You may encounter bugs. Please report them (or
-  fix them in a pull request).
+## Security Model: A Tale of Three Secrets
+There are three secrets in use:
+* A OAuth secret. Paired with the OAuth ID, this is how the Heroku
+  authorizes your OAuth requests with your particular OAuth client.
+* A bouncer secret. Bouncer encrypts and signs all user data placed in
+  the session. This ensures such data cannot be viewed by anyone but the
+  application.
+* A session secret. This is used to sign the session, which validates
+  the session was generated by your application. Strictly speaking,
+  however, this is outside of Bouncer and is not a part of its security
+  model.
+In totality, Heroku Bouncer ensures session data can only be generated
+and read by your application. However, they do not protect against
+replay attacks if the data is obtained in its entirety. SSL and session
+timeouts should be used to help mitigate this risk. CSRF tokens for any
+actions that modify data are also recommended.
-[OAuth scope]: https://devcenter.heroku.com/articles/oauth#scopes
 [Rack::Builder]: http://rack.rubyforge.org/doc/Rack/Builder.html
 [inheritance]: https://gist.github.com/wuputah/5534428
+[OAuth scope]: https://devcenter.heroku.com/articles/oauth#scopes
+[heroku.rb]: https://github.com/heroku/heroku.rb

data/Rakefile CHANGED Viewed

@@ -0,0 +1,9 @@
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/**/*_test.rb']
+  t.verbose = true
+end
+task :default => :test

data/lib/heroku/bouncer/middleware.rb CHANGED Viewed

@@ -24,6 +24,8 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
       @expose_token = extract_option(options, :expose_token, false)
       @expose_email = extract_option(options, :expose_email, true)
       @expose_user = extract_option(options, :expose_user, true)
+      @session_sync_nonce = extract_option(options, :session_sync_nonce, nil)
+      @allow_anonymous = extract_option(options, :allow_anonymous, nil)
     end
   end
@@ -44,10 +46,36 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     return_value
   end
+  def auth_request?
+    %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout /auth/login].include?(request.path)
+  end
+  def session_nonce_mismatch?
+    (store_read(@session_sync_nonce.to_sym).to_s != session_nonce_cookie.to_s) && !auth_request?
+  end
+  def session_nonce_cookie
+    @session_sync_nonce && request.cookies[@session_sync_nonce]
+  end
+  def anonymous_request_allowed?
+    auth_request? || (@allow_anonymous && @allow_anonymous.call(request))
+  end
   before do
+    if @session_sync_nonce && session_nonce_mismatch?
+      if session_nonce_cookie.to_s.empty?
+        destroy_session
+        redirect to(request.url)
+      else
+        store_write(:return_to, request.url)
+        redirect to('/auth/heroku')
+      end
+    end
     if store_read(:user)
       expose_store
-    elsif ! %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout].include?(request.path)
+    elsif !anonymous_request_allowed?
       store_write(:return_to, request.url)
       redirect to('/auth/heroku')
     end
@@ -67,7 +95,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     else
       store_write(:user, true)
     end
+    store_write(@session_sync_nonce.to_sym, session_nonce_cookie) if @session_sync_nonce
     store_write(:token, token) if @expose_token
     redirect to(store_delete(:return_to) || '/')
   end
@@ -82,7 +110,12 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
   get '/auth/sso-logout' do
     destroy_session
     auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
-    redirect to("#{auth_url}/logout")
+    logout_url = "#{auth_url}/logout"
+    # id.heroku.com whitelists this return_to param, as any auth provider should do
+    logout_url += "?url=#{params['return_to']}" if params['return_to']
+    redirect to(logout_url)
   end
   # logout but only locally
@@ -91,6 +124,12 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     redirect to("/")
   end
+  # login, setting the URL to return to
+  get '/auth/login' do
+    store_write(:return_to, params['return_to'])
+    redirect to('/auth/heroku')
+  end
 private
   def extract_option(options, option, default = nil)
@@ -132,7 +171,7 @@ private
   end
   def destroy_session
-    session = nil if session
+    store.keys.each { |k| store_delete(k) }
   end
   def expose_store

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.4.0.pre2
+  version: 0.4.0.pre3
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-15 00:00:00.000000000 Z
+date: 2013-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
@@ -66,6 +66,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,48 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: minitest-spec-context
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: ID please.
 email:
 - jd@heroku.com
@@ -88,12 +144,12 @@ extensions: []
 extra_rdoc_files:
 - README.md
 files:
-- lib/heroku/bouncer.rb
-- lib/heroku/bouncer/decrypted_hash.rb
 - lib/heroku/bouncer/lockbox.rb
-- lib/heroku/bouncer/json_parser.rb
+- lib/heroku/bouncer/decrypted_hash.rb
 - lib/heroku/bouncer/builder.rb
+- lib/heroku/bouncer/json_parser.rb
 - lib/heroku/bouncer/middleware.rb
+- lib/heroku/bouncer.rb
 - README.md
 - Gemfile
 - Gemfile.lock
@@ -118,10 +174,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
-summary: Requires Heroku OAuth on all requests.
+summary: Rapidly add Heroku OAuth to your Ruby app.
 test_files:
 - Gemfile
 - Gemfile.lock