RubyGems - heroku-bouncer - Versions diffs - 0.8.0 → 1.0.0 - Mend

heroku-bouncer 0.8.0 → 1.0.0

Files changed (7) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +11 -0
data/README.md +39 -17
data/lib/heroku/bouncer/builder.rb +2 -0
data/lib/heroku/bouncer/middleware.rb +35 -7
data/lib/heroku/bouncer/views/login.erb +15 -0
metadata +55 -29

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 85c6929c3208eb743c042d9dbef6f9d43db08987
-  data.tar.gz: b08dd7bac4866f854c050a65011ec6403936cb93
+SHA256:
+  metadata.gz: 37f9d4d239fa9aa8ededbab910a22f0f21b4ed3eb9a7f8c360f7b1ae1dbb0395
+  data.tar.gz: ba7c31e928e4187053469ff3ebfb73ebc32e27d82d5f7921e9e26839b382bd75
 SHA512:
-  metadata.gz: 5370531c477251b6247116d86597c9cc4d35ade54fa1dd5bb513e2c51a5db3f09b926a99cf573a5b1674c5dcc0980887c41db12598d9f9459c8f93ae011e17c2
-  data.tar.gz: a748a855a7be7e07e9756c5e9407f2db0a08d12dedff83f0fe4473a53ecc205058a6b1eb2113f7ff524bb5fae25d642dc83fcc1dc18e23d3bb1218319dbf671b
+  metadata.gz: 07b8bbb1ee393c0e001a7787b94fe1ba56fc8e40d5c7dde1cb2170e5b89a38c01ff0981161e241f1148553ef52f727079b9fa3dc496d2644b239189ec4a6743f
+  data.tar.gz: c63b4d54c69fc32a6981a23770e7db871d832851a9a467d0026ac75f12d47d814ab7c2c3b8e8ce8790a9ad2af1cd5c079994c212edd2980e5c270ba75d218cff

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,14 @@
+# 1.0.0
+* #71: Ruby >= 3.1 support and Ruby < 3 deprecation, supports Sinatra >= 3 and drops support for Sinatra 1 and 2.
+# 0.9.0
+* #68: Loosen `omniauth-heroku` constraint, allowing `>= 0.1, < 2`,
+  enabling support of OmniAuth 2. This also adds the new [`:login_path`
+  option](README#prompt-to-login). @stevenharman
+* #66: Loosen Faraday constraints, allowing `>= 0.8", < 2`. @stevenharman
 # 0.8.0
 * #55: Ruby >= 2.4 support and Ruby <2.2 deprecation. Thanks @maxbeizer!

data/README.md CHANGED Viewed

@@ -1,5 +1,4 @@
-[![Build Status](https://travis-ci.org/heroku/heroku-bouncer.png)](https://travis-ci.org/heroku/heroku-bouncer)
-[![Dependency Status](https://gemnasium.com/heroku/heroku-bouncer.png)](https://gemnasium.com/heroku/heroku-bouncer)
+[![Build Status](https://github.com/sharpstone/heroku-bouncer/actions/workflows/ci.yml/badge.svg)](https://github.com/sharpstone/heroku-bouncer/actions)
 # Heroku Bouncer
@@ -8,11 +7,11 @@ requires Heroku OAuth on all requests.
 ## Ruby and Rack compatibility
-* **Ruby**: Versions >= 0.8.0 require Ruby >= 2.2. If you need a version
-  that works with prior versions of Ruby, please use version `~> 0.7.1`.
-  Note, however, that 0.7.1 does not support Rack 2 (Rails 5).
+* **Ruby**: Versions `>= 0.8.0` require Ruby >= 2.2. Versions `>= 1.0.0` require Ruby >= 3.1.
+  If you need a version that works with prior versions of Ruby, please use version `~> 0.7.1`.
+  Note, however, that `0.7.1` does not support Rack 2 (Rails 5+).
-* **Rack**: Rack 1 and 2 are supported.
+* **Rack**: Versions `< 1.0.0` support Rack 1 and 2. Versions `>= 1.0.0` support Rack 2 and 3.
 ## Demo
@@ -23,7 +22,7 @@ Sinatra app that uses heroku-bouncer.
 1. Install the Heroku OAuth CLI plugin.
-    ```sh
+    ```console
     heroku plugins:install heroku-cli-oauth
     ```
@@ -31,7 +30,7 @@ Sinatra app that uses heroku-bouncer.
    callback endpoint. Use `http://localhost:5000/auth/heroku/callback`
    for local development with Foreman.
-    ```sh
+    ```console
     heroku clients:create localhost http://localhost:5000/auth/heroku/callback
     heroku clients:create myapp https://myapp.herokuapp.com/auth/heroku/callback
     ```
@@ -113,8 +112,8 @@ Here are the supported options you can pass to the middleware:
   representing the user. If the lambda evaluates to true, allow the user
   through. If false, redirects to `redirect_url`. By default, all users are
   allowed through after authenticating.
-* `redirect_url`: Where unauthorized users are redirected to. Defaults to
-  `www.heroku.com`.
+* `login_path`: Where unauthorized users are redirected so they can be [prompted to login](#prompt-to-login). Defaults to `heroku-bouncer`'s own `/auth/login` path.
+* `redirect_url`: Where unauthorized users are redirected during the OAuth callback phase. Defaults to `www.heroku.com`.
 * `expose_token`: Expose the OAuth token in the session, allowing you to
   make API calls as the user. Default: `false`
 * `expose_email`: Expose the user's email address in the session.
@@ -138,7 +137,6 @@ Here are the supported options you can pass to the middleware:
 You use these by passing a hash to the `use` call, for example:
 ```ruby
 use Heroku::Bouncer,
   oauth: { id: "...", secret: "...", scope: "global" },
@@ -146,6 +144,29 @@ use Heroku::Bouncer,
   expose_token: true
 ```
+### Prompt to Login
+To mitigate Cross-Site Request Forgery attacks, [OmniAuth no longer allows `GET` requests to the `/auth/heroku`](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0) path.
+To support this, `heroku-bouncer` no longer redirects unauthorized requests to the `/auth/heroku` path.
+Instead users are redirected to `/auth/login` where a simple HTML template is rendered, prompting the user to authenticate with Heroku.
+The template includes a `<form>` with a button which will `POST` to the `/auth/heroku` path.
+It also includes the Authenticity Token from `Rack::Protection`.
+The view provides no styling; it is the most basic example of what's required.
+To render your own prompt UI, provide the `:login_path` option.
+Unauthenticated users will be redirected to this path, allowing you to control the UI.
+The resulting page should render an HTML `<form>` which will `POST` to the `/auth/heroku` path.
+The form needs to include a field named `authenticity_token` with the token from `Rack::Protection`.
+An example to get you started:
+```erb
+<form method="post" action="/auth/heroku">
+  <input type="hidden" name="authenticity_token" value="<%= request.env["rack.session"]["csrf"] %>">
+<button type="submit">Sign in via Heroku</button>
+```
 ## How to get the data
 Based on your choice of the expose options above, the middleware adds
@@ -161,13 +182,13 @@ You can access this in Sinatra and Rails by  `request.env[key]`, e.g.
 ## Using the Heroku API
-If you set `expose_token` to `true`, you'll get an API token that you
+If you set `expose_token` to `true`, you'll get an OAuth token that you
 can use to make Heroku API calls on behalf of the logged-in user using
-[heroku.rb][] .
+the [platform API][platform-api].
 ```ruby
-heroku = Heroku::API.new(:api_key => request.env["bouncer.token"])
-apps = heroku.get_apps.body
+heroku = PlatformAPI.connect_oauth(request.env["bouncer.token"])
+info = heroku.app.info('sushi')
 ```
 Keep in mind that this adds substantial security risk to your
@@ -206,7 +227,8 @@ replay attacks if the data is obtained in its entirety. SSL and session
 timeouts should be used to help mitigate this risk. CSRF tokens for any
 actions that modify data are also recommended.
-[Rack::Builder]: http://rack.rubyforge.org/doc/Rack/Builder.html
+## Related Documentation
 [inheritance]: https://gist.github.com/wuputah/5534428
 [OAuth scope]: https://devcenter.heroku.com/articles/oauth#scopes
-[heroku.rb]: https://github.com/heroku/heroku.rb
+[platform-api]: https://github.com/heroku/platform-api

data/lib/heroku/bouncer/builder.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'heroku/bouncer/middleware'
 require 'rack/builder'
+require 'rack/protection'
 require 'omniauth-heroku'
 class Heroku::Bouncer::Builder
@@ -8,6 +9,7 @@ class Heroku::Bouncer::Builder
     builder = Rack::Builder.new
     id, secret, scope = extract_options!(options)
     unless options[:disabled]
+      builder.use Rack::Protection
       builder.use OmniAuth::Builder do
         provider :heroku, id, secret, :scope => scope
       end

data/lib/heroku/bouncer/middleware.rb CHANGED Viewed

@@ -6,10 +6,12 @@ require 'heroku/bouncer/json_parser'
 require 'heroku/bouncer/decrypted_hash'
 class Heroku::Bouncer::Middleware < Sinatra::Base
   DecryptedHash = ::Heroku::Bouncer::DecryptedHash
   UnableToFetchUserError = Class.new(RuntimeError)
+  DEFAULT_LOGIN_PATH = "/auth/login".freeze
+  private_constant :DEFAULT_LOGIN_PATH
   enable :raise_errors
   disable :show_exceptions
@@ -20,8 +22,10 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
       # super is not called; we're not using sinatra if we're disabled
     else
       super(app)
+      @disabled = false
       @cookie_secret = extract_option(options, :secret, SecureRandom.hex(64))
       @allow_if_user = extract_option(options, :allow_if_user, nil)
+      @login_path = extract_option(options, :login_path, DEFAULT_LOGIN_PATH)
       @redirect_url = extract_option(options, :redirect_url, 'https://www.heroku.com')
       # backwards-compatibilty for `herokai_only`:
@@ -125,7 +129,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
     logout_url = "#{auth_url}/logout"
-    # id.heroku.com whitelists this return_to param, as any auth provider should do
+    # id.heroku.com allowlists this return_to param, as any auth provider should do
     logout_url += "?url=#{params['return_to']}" if params['return_to']
     redirect to(logout_url)
@@ -138,15 +142,24 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
   end
   # login, setting the URL to return to
-  get '/auth/login' do
+  get DEFAULT_LOGIN_PATH do
     if params['return_to'] && params['return_to'].length <= 255
       store_write(:return_to, params['return_to'])
     end
-    redirect to('/auth/heroku')
+    if custom_login_path?
+      redirect to(login_path)
+    else
+      erb(:login, locals: {
+        authenticity_token: request.env["rack.session"]["csrf"]
+      })
+    end
   end
 private
+  attr_reader :login_path
   def unlock_session_data(env, &block)
     decrypt_store(env)
     yield
@@ -154,8 +167,20 @@ private
     encrypt_store(env)
   end
+  def auth_paths
+    @auth_paths ||= [
+      "/auth/heroku/callback",
+      "/auth/heroku",
+      "/auth/failure",
+      "/auth/sso-logout",
+      "/auth/logout",
+      DEFAULT_LOGIN_PATH,
+      login_path
+    ].compact.freeze
+  end
   def auth_request?
-    %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout /auth/login].include?(request.path_info)
+    auth_paths.include?(request.path_info)
   end
   def session_nonce_mismatch?
@@ -175,13 +200,17 @@ private
     ts.nil? || Time.now.to_i > ts
   end
+  def custom_login_path?
+    login_path != DEFAULT_LOGIN_PATH
+  end
   def skip?(env)
     @skip && @skip.call(env)
   end
   def require_authentication
     store_write(:return_to, request.url)
-    redirect to('/auth/heroku')
+    redirect to(login_path)
   end
   def extract_option(options, option, default = nil)
@@ -257,5 +286,4 @@ private
     return_to.port = port unless port == 80
     return_to.to_s
   end
 end

data/lib/heroku/bouncer/views/login.erb ADDED Viewed

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>Login with Heroku</title>
+    <%# Avoid extra requests for favicon.ico %>
+    <link rel="icon" href="data:;base64,iVBORw0KGgo=">
+  </head>
+  <body class="heroku_bouncer">
+    <form method="post" action="/auth/heroku" class="heroku_bouncer-login_form">
+      <input type="hidden" name="authenticity_token" value="<%= authenticity_token %>">
+      <button type="submit">Login with Heroku</button>
+    </form>
+  </body>
+</html>

metadata CHANGED Viewed

@@ -1,97 +1,109 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Jonathan Dance
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-07 00:00:00.000000000 Z
+date: 2024-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 2.0.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -126,28 +138,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '2.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.16.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: 1.16.4
 - !ruby/object:Gem::Dependency
   name: delorean
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +190,7 @@ dependencies:
         version: '2.1'
 description: ID please.
 email:
-- jd@heroku.com
+- jd@wuputah.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -183,11 +209,12 @@ files:
 - lib/heroku/bouncer/json_parser.rb
 - lib/heroku/bouncer/lockbox.rb
 - lib/heroku/bouncer/middleware.rb
+- lib/heroku/bouncer/views/login.erb
 homepage: https://github.com/heroku/heroku-bouncer
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -195,16 +222,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.1
-signing_key:
+rubygems_version: 3.5.10
+signing_key:
 specification_version: 4
 summary: Rapidly add Heroku OAuth to your Ruby app.
 test_files: