heroku-bouncer 0.0.1

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,51 @@
+PATH
+  remote: .
+  specs:
+    heroku-bouncer (0.0.1)
+      heroku-api (>= 0.0.0)
+      omniauth-heroku (>= 0.1.0)
+      sinatra (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    excon (0.16.10)
+    faraday (0.8.6)
+      multipart-post (~> 1.1)
+    hashie (1.2.0)
+    heroku-api (0.3.8)
+      excon (~> 0.16.10)
+    httpauth (0.2.0)
+    jwt (0.1.5)
+      multi_json (>= 1.0)
+    multi_json (1.6.1)
+    multipart-post (1.2.0)
+    oauth2 (0.8.1)
+      faraday (~> 0.8)
+      httpauth (~> 0.1)
+      jwt (~> 0.1.4)
+      multi_json (~> 1.0)
+      rack (~> 1.2)
+    omniauth (1.1.3)
+      hashie (~> 1.2)
+      rack
+    omniauth-heroku (0.1.0)
+      omniauth (~> 1.0)
+      omniauth-oauth2 (~> 1.0)
+    omniauth-oauth2 (1.1.1)
+      oauth2 (~> 0.8.0)
+      omniauth (~> 1.0)
+    rack (1.5.2)
+    rack-protection (1.4.0)
+      rack
+    sinatra (1.3.5)
+      rack (~> 1.4)
+      rack-protection (~> 1.3)
+      tilt (~> 1.3, >= 1.3.3)
+    tilt (1.3.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  heroku-bouncer!

data/README.md

@@ -0,0 +1,68 @@
+# Heroku Bouncer
+
+Heroku Bounder is a Rack middleware (implemented in Sinatra) that
+requires Heroku OAuth on all requests.
+
+## Use
+
+1. Set `HEROKU_ID` and `HEROKU_SECRET` in your environment.
+2. Use the middleware:
+
+    ```ruby
+    require 'heroku/bouncer'
+    require 'your_app'
+
+    use Heroku::Bouncer
+    run YourApp
+    ```
+
+## Options
+
+There are 4 boolean options you can pass to the middleware:
+
+* `herokai_only`: Automatically redirects non-Heroku accounts to
+  `www.heroku.com`. Alternatively, pass a valid URL and non-Herokai will
+  be redirected there. Default: `false`
+* `expose_token`: Expose the OAuth token in the session, allowing you to
+  make API calls as the user. Default: `false`
+* `expose_email`: Expose the user's email address in the session.
+  Default: `true`
+* `expose_user`: Expose the user attributes in the session. Default:
+  `true`
+
+You use these by passing a hash to the `use` call, for example:
+
+```ruby
+use Heroku::Builder, expose_token: true
+```
+
+## How to get the data
+
+Based on your choice of the expose options above, the middleware adds
+the following keys to your request environment:
+
+* `bouncer.token`
+* `bouncer.email`
+* `bouncer.user`
+
+You can access this in your Rack app by reading `request.env[key]`.
+
+## Logging out
+
+Send users to `/auth/sso-logout` if logging out of Heroku is
+appropriate, or `/auth/logout` if you only wish to logout of your app.
+The latter will redirect to `/`, which may result is the user being
+logging in again.
+
+## Conditionally disabling the middleware
+
+Don't want to OAuth on every request? Use a middleware to conditionally
+enable this middleware, like
+[`Rack::Builder`](http://rack.rubyforge.org/doc/Rack/Builder.html).
+
+## There be dragons
+
+* This middleware uses a session stored in a cookie. The cookie secret
+  is `HEROKU_ID + HEROKU_SECRET`. So keep these secret.
+* There's no tests yet. You may encounter bugs. Please report them (or
+  fix them in a pull request).

data/lib/heroku/bouncer.rb

@@ -0,0 +1,87 @@
+require 'sinatra/base'
+require 'omniauth-heroku'
+require 'heroku-api'
+
+Heroku ||= Module.new
+
+class Heroku::Bouncer < Sinatra::Base
+
+  enable :sessions
+  set :session_secret, ENV['HEROKU_ID'].to_s + ENV['HEROKU_SECRET'].to_s
+
+  # sets up the /auth/heroku endpoint
+  use OmniAuth::Builder do
+    provider :heroku, ENV['HEROKU_ID'], ENV['HEROKU_SECRET']
+  end
+
+  def initialize(app, options = {})
+    super(app)
+    @herokai_only = extract_option(options, :herokai_only, false)
+    @expose_token = extract_option(options, :expose_token, false)
+    @expose_email = extract_option(options, :expose_email, true)
+    @expose_user = extract_option(options, :expose_user, true)
+  end
+
+  def extract_option(options, option, default = nil)
+    options.has_key?(option) ? options[option] : default
+  end
+
+  def store(key, value)
+    session[:store] ||= {}
+    session[:store][key] = value
+  end
+
+  def expose_store
+    session[:store].each_pair do |key, value|
+      request.env["bouncer.#{key}"] = value
+    end
+  end
+
+  before do
+    if session[:user]
+      expose_store
+    elsif ! %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout].include?(request.path)
+      session[:return_to] = request.url
+      redirect to('/auth/heroku')
+    end
+  end
+
+  # callback when successful, time to save data
+  get '/auth/heroku/callback' do
+    session[:user] = true
+    token = request.env['omniauth.auth']['credentials']['token']
+    store(:token, token) if @expose_token
+    if @expose_email || @expose_user || @herokai_only
+      api = Heroku::API.new(:api_key => token)
+      user = api.get_user.body if @expose_user
+      store(:user, user) if @expose_user
+      store(:email, user['email']) if @expose_email
+
+      if @herokai_only && user['email'] !~ /@heroku\.com$/
+        url = @herokai_only.is_a?(String) ? @herokai_only : 'https://www.heroku.com'
+        redirect to(url) and return
+      end
+    end
+    redirect to(session.delete(:return_to) || '/')
+  end
+
+  # something went wrong
+  get '/auth/failure' do
+    session.destroy
+    redirect to("/")
+  end
+
+  # logout, single sign-on style
+  get '/auth/sso-logout' do
+    session.destroy
+    auth_url = ENV["HEROKU_AUTH_URL"] || "https://api.heroku.com"
+    redirect to("#{auth_url}/logout")
+  end
+
+  # logout but only locally
+  get '/auth/logout' do
+    session.destroy
+    redirect to("/")
+  end
+
+end

metadata

@@ -0,0 +1,102 @@
+--- !ruby/object:Gem::Specification
+name: heroku-bouncer
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Jonathan Dance
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth-heroku
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: heroku-api
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.0.0
+description: ID please.
+email:
+- jd@heroku.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.md
+files:
+- lib/heroku/bouncer.rb
+- README.md
+- Gemfile
+- Gemfile.lock
+- Rakefile
+homepage: http://github.com/heroku/heroku-bouncer
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Requires Heroku OAuth on all requests.
+test_files:
+- Gemfile
+- Gemfile.lock
+- Rakefile