heroku-bouncer 0.1.0 → 0.2.0

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    heroku-bouncer (0.0.2.pre)
+    heroku-bouncer (0.1.0)
       faraday (~> 0.8)
       multi_json (~> 1.0)
       omniauth-heroku (>= 0.1.0)
@@ -14,8 +14,8 @@ GEM
       multipart-post (~> 1.1)
     hashie (1.2.0)
     httpauth (0.2.0)
-    jwt (0.1.5)
-      multi_json (>= 1.0)
+    jwt (0.1.7)
+      multi_json (>= 1.5)
     multi_json (1.6.1)
     multipart-post (1.2.0)
     oauth2 (0.8.1)
@@ -27,20 +27,20 @@ GEM
     omniauth (1.1.3)
       hashie (~> 1.2)
       rack
-    omniauth-heroku (0.1.0)
+    omniauth-heroku (0.1.1)
       omniauth (~> 1.0)
       omniauth-oauth2 (~> 1.0)
     omniauth-oauth2 (1.1.1)
       oauth2 (~> 0.8.0)
       omniauth (~> 1.0)
     rack (1.5.2)
-    rack-protection (1.4.0)
+    rack-protection (1.5.0)
       rack
     sinatra (1.3.5)
       rack (~> 1.4)
       rack-protection (~> 1.3)
       tilt (~> 1.3, >= 1.3.3)
-    tilt (1.3.4)
+    tilt (1.3.5)
 
 PLATFORMS
   ruby

data/README.md

@@ -12,7 +12,7 @@ requires Heroku OAuth on all requests.
     heroku clients:create likeaboss https://likeaboss.herokuapp.com/auth/heroku/callback
     ```
 
-2. Set `HEROKU_ID` and `HEROKU_SECRET` in your environment.
+2. Set `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` in your environment.
 3. Use the middleware:
 
     ```ruby
@@ -54,6 +54,20 @@ the following keys to your request environment:
 
 You can access this in your Rack app by reading `request.env[key]`.
 
+## Using the Heroku API
+
+If you set `expose_token` to `true`, you'll get an API token that you
+can use to make Heroku API calls on behalf of the logged-in user using
+[heroku.rb](https://github.com/heroku/heroku.rb).
+
+```ruby
+heroku = Heroku::API.new(:api_key => request.env["bouncer.token"])
+apps = heroku.get_apps.body
+```
+
+Keep in mind that this adds substantial security risk to your
+application.
+
 ## Logging out
 
 Send users to `/auth/sso-logout` if logging out of Heroku is

data/lib/heroku/bouncer.rb

@@ -7,43 +7,39 @@ Heroku ||= Module.new
 
 class Heroku::Bouncer < Sinatra::Base
 
+  $stderr.puts "[warn] heroku-bouncer: HEROKU_ID detected, please use HEROKU_OAUTH_ID instead" if ENV.has_key?('HEROKU_ID')
+  $stderr.puts "[warn] heroku-bouncer: HEROKU_SECRET detected, please use HEROKU_OAUTH_SECRET instead" if ENV.has_key?('HEROKU_SECRET')
+
+  ID = (ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']).to_s
+  SECRET = (ENV['HEROKU_OAUTH_SECRET'] ||  ENV['HEROKU_SECRET']).to_s
+
   enable :sessions
-  set :session_secret, ENV['HEROKU_ID'].to_s + ENV['HEROKU_SECRET'].to_s
+  set :session_secret, ID + SECRET
 
   # sets up the /auth/heroku endpoint
-  use OmniAuth::Builder do
-    provider :heroku, ENV['HEROKU_ID'], ENV['HEROKU_SECRET']
+  unless ID.empty? || SECRET.empty?
+    use OmniAuth::Builder do
+      provider :heroku, ID, SECRET
+    end
   end
 
   def initialize(app, options = {})
-    super(app)
-    @herokai_only = extract_option(options, :herokai_only, false)
-    @expose_token = extract_option(options, :expose_token, false)
-    @expose_email = extract_option(options, :expose_email, true)
-    @expose_user = extract_option(options, :expose_user, true)
-  end
-
-  def extract_option(options, option, default = nil)
-    options.has_key?(option) ? options[option] : default
-  end
-
-  def fetch_user(token)
-    MultiJson.decode(
-      Faraday.new(ENV["HEROKU_API_URL"] || "https://api.heroku.com/").get('/account') do |r|
-        r.headers['Accept'] = 'application/json'
-        r.headers['Authorization'] = "Bearer #{token}"
-      end.body)
-  end
-
-  def store(key, value)
-    session[:store] ||= {}
-    session[:store][key] = value
+    if ID.empty? || SECRET.empty?
+      $stderr.puts "[fatal] heroku-bouncer: HEROKU_OAUTH_ID or HEROKU_OAUTH_SECRET not set, middleware disabled"
+      @app = app
+      @disabled = true
+      # super is not called; we're not using sinatra if we're disabled
+    else
+      super(app)
+      @herokai_only = extract_option(options, :herokai_only, false)
+      @expose_token = extract_option(options, :expose_token, false)
+      @expose_email = extract_option(options, :expose_email, true)
+      @expose_user = extract_option(options, :expose_user, true)
+    end
   end
 
-  def expose_store
-    session[:store].each_pair do |key, value|
-      request.env["bouncer.#{key}"] = value
-    end
+  def call(env)
+    @disabled ? @app.call(env) : super(env)
   end
 
   before do
@@ -82,7 +78,7 @@ class Heroku::Bouncer < Sinatra::Base
   # logout, single sign-on style
   get '/auth/sso-logout' do
     session.destroy
-    auth_url = ENV["HEROKU_AUTH_URL"] || "https://api.heroku.com"
+    auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
     redirect to("#{auth_url}/logout")
   end
 
@@ -92,4 +88,29 @@ class Heroku::Bouncer < Sinatra::Base
     redirect to("/")
   end
 
+private
+
+  def extract_option(options, option, default = nil)
+    options.has_key?(option) ? options[option] : default
+  end
+
+  def fetch_user(token)
+    MultiJson.decode(
+      Faraday.new(ENV["HEROKU_API_URL"] || "https://api.heroku.com/").get('/account') do |r|
+        r.headers['Accept'] = 'application/json'
+        r.headers['Authorization'] = "Bearer #{token}"
+      end.body)
+  end
+
+  def store(key, value)
+    session[:store] ||= {}
+    session[:store][key] = value
+  end
+
+  def expose_store
+    session[:store].each_pair do |key, value|
+      request.env["bouncer.#{key}"] = value
+    end
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-09 00:00:00.000000000 Z
+date: 2013-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku