heroku-bouncer 0.4.3 → 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +76 -0
- data/README.md +22 -9
- data/lib/heroku/bouncer/middleware.rb +24 -6
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1c2e6354ce81c7a731c46a10e0edd91c685f13d3
|
|
4
|
+
data.tar.gz: 0300b9cf964ea44056ce82053d5bf02af00c15d6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5d51fd44281f27481049a5a0b960c0c24db85f7c0f699d4c41a7b39932f205bfbc1d7aa66f4f2dc8fc9e326e3607760ee99673ce87dbb0c52fe3ec1408eda816
|
|
7
|
+
data.tar.gz: 212d42f2bf85cac32982e732c23e7d310ed2def34d800f5486b8f64f8b9f7f5823c1a18333df2c64eec21df8479564e72c4baaf5a94ffa2215c518823bfcf4b4
|
data/CHANGELOG.md
ADDED
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
# 0.5.0
|
|
2
|
+
|
|
3
|
+
Adds `allow_if` option, and deprecates `herokai_only` (#35). Thanks
|
|
4
|
+
@stillinbeta!
|
|
5
|
+
|
|
6
|
+
# 0.4.3
|
|
7
|
+
|
|
8
|
+
This release addresses options hash re-use (#34). Thanks @gregburek for
|
|
9
|
+
reporting!
|
|
10
|
+
|
|
11
|
+
# 0.4.2
|
|
12
|
+
|
|
13
|
+
This release limits the size of the URL stored in the session, which
|
|
14
|
+
could result in a cookie overflow condition
|
|
15
|
+
|
|
16
|
+
# 0.4.1
|
|
17
|
+
|
|
18
|
+
This release addresses an open redirect security vulernability
|
|
19
|
+
addressed in #31. Thanks @raul!
|
|
20
|
+
|
|
21
|
+
# 0.4.0
|
|
22
|
+
|
|
23
|
+
This is nearly 1.0 ready, but I would like to see some additional
|
|
24
|
+
changes in the following areas:
|
|
25
|
+
|
|
26
|
+
* Option refactoring. We have a huge number of options now.
|
|
27
|
+
* Extensibility. It should be easier to extend/inherit from
|
|
28
|
+
Heroku::Bouncer to tweak its behavior. This was possible under 0.3.x
|
|
29
|
+
but is no longer true in 0.4.0.
|
|
30
|
+
* Remove backwards compatibility support (i.e. ENV vars)
|
|
31
|
+
|
|
32
|
+
To those upgrading, please note that a great deal has changed. Backwards
|
|
33
|
+
compatibility with warnings has been maintained in this version, but not
|
|
34
|
+
throughly tested. Extensibility has not - you'll need to do some new
|
|
35
|
+
tricks if you have extended Heroku::Bouncer in your app.
|
|
36
|
+
|
|
37
|
+
# 0.4.0.pre\*
|
|
38
|
+
|
|
39
|
+
Pre-releases changes were not documented. See 0.4.0 for details.
|
|
40
|
+
|
|
41
|
+
# 0.3.4
|
|
42
|
+
|
|
43
|
+
Fix a redirect loop (#16).
|
|
44
|
+
|
|
45
|
+
# 0.3.3
|
|
46
|
+
|
|
47
|
+
Fix bug with `herokai_only` writing to session even if the user is not
|
|
48
|
+
Herokai.
|
|
49
|
+
|
|
50
|
+
# 0.3.2
|
|
51
|
+
|
|
52
|
+
Fix bug with creating an anonymous Module object for the `Heroku`
|
|
53
|
+
constant.
|
|
54
|
+
|
|
55
|
+
# 0.3.1
|
|
56
|
+
|
|
57
|
+
Fix a bug with session destruction.
|
|
58
|
+
|
|
59
|
+
# 0.3.0
|
|
60
|
+
|
|
61
|
+
Switch to using the encrypted cookie gem for session storage.
|
|
62
|
+
|
|
63
|
+
# 0.2.1
|
|
64
|
+
|
|
65
|
+
Don't store data in the session until after checking email address.
|
|
66
|
+
|
|
67
|
+
# 0.2.0
|
|
68
|
+
|
|
69
|
+
* Prefer `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` environment
|
|
70
|
+
variables.
|
|
71
|
+
* Check these variables for values, and disable middleware if they are
|
|
72
|
+
not present.
|
|
73
|
+
|
|
74
|
+
# 0.1.0
|
|
75
|
+
|
|
76
|
+
First "production" release.
|
data/README.md
CHANGED
|
@@ -90,22 +90,35 @@ use Heroku::Bouncer,
|
|
|
90
90
|
secret: ENV['HEROKU_BOUNCER_SECRET']
|
|
91
91
|
```
|
|
92
92
|
|
|
93
|
-
|
|
93
|
+
Here are the supported options you can pass to the middleware:
|
|
94
94
|
|
|
95
95
|
* `oauth[:scope]`: The [OAuth scope][] to use when requesting the OAuth
|
|
96
96
|
token. Default: `identity`.
|
|
97
|
-
* `
|
|
98
|
-
|
|
99
|
-
|
|
97
|
+
* `allow_if`: A lambda that takes an email address. If the lambda evaluates to
|
|
98
|
+
true, allow the user through. If false, redirects to `redirect_url`.
|
|
99
|
+
By default, all users are allowed through after authenticating.
|
|
100
|
+
* `redirect_url`: Where unauthorized users are redirected to. Defaults to
|
|
101
|
+
`www.heroku.com`.
|
|
100
102
|
* `expose_token`: Expose the OAuth token in the session, allowing you to
|
|
101
103
|
make API calls as the user. Default: `false`
|
|
102
104
|
* `expose_email`: Expose the user's email address in the session.
|
|
103
105
|
Default: `true`
|
|
104
106
|
* `expose_user`: Expose the user attributes in the session. Default:
|
|
105
107
|
`true`
|
|
106
|
-
* `session_sync_nonce`: If present, determines the name of a cookie
|
|
107
|
-
|
|
108
|
-
|
|
108
|
+
* `session_sync_nonce`: If present, determines the name of a cookie
|
|
109
|
+
shared across properties under a same domain in order to keep their
|
|
110
|
+
sessions synchronized. Default: `nil`
|
|
111
|
+
* `allow_anonymous`: Accepts a lambda that gets called with each
|
|
112
|
+
request. If the lambda evals to true, the request will not enforce
|
|
113
|
+
authentication (e.g:
|
|
114
|
+
`allow_anonymous: lambda { |req| !/\A\/admin/.match(req.fullpath) }`
|
|
115
|
+
will allow anonymous requests except those with under the `/admin`
|
|
116
|
+
path). Default: `nil`, which does not allow anonymous access to any
|
|
117
|
+
URL.
|
|
118
|
+
* `skip`: Accepts a lambda that gets called with each request's `env`.
|
|
119
|
+
If the lambda gets evaluated to true, heroku-bouncer's middleware will
|
|
120
|
+
be completely skipped. Default: 'false', which applies heroku-bouncer
|
|
121
|
+
to all requests.
|
|
109
122
|
|
|
110
123
|
You use these by passing a hash to the `use` call, for example:
|
|
111
124
|
|
|
@@ -157,8 +170,8 @@ logging in again.
|
|
|
157
170
|
> Alternatively, [use inheritance to extend the middleware to act any way
|
|
158
171
|
> you like][inheritance].
|
|
159
172
|
|
|
160
|
-
Due to changes in how the middleware stack is built, this is
|
|
161
|
-
|
|
173
|
+
Due to changes in how the middleware stack is built, this is not trivial
|
|
174
|
+
in the 0.4.x releases.
|
|
162
175
|
|
|
163
176
|
## Security Model: A Tale of Three Secrets
|
|
164
177
|
|
|
@@ -20,7 +20,20 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
|
20
20
|
else
|
|
21
21
|
super(app)
|
|
22
22
|
@cookie_secret = extract_option(options, :secret, SecureRandom.base64(32))
|
|
23
|
-
@
|
|
23
|
+
@allow_if = extract_option(options, :allow_if, nil)
|
|
24
|
+
@redirect_url = extract_option(options, :redirect_url, 'https://www.heroku.com')
|
|
25
|
+
|
|
26
|
+
# backwards-compatibilty for `herokai_only`:
|
|
27
|
+
# * check email for ending with `@heroku.com`
|
|
28
|
+
# * The redirect URL can be passed as a string value to `herokai_only`
|
|
29
|
+
herokai_only = extract_deprecated_option("please use `allow_if` instead", options, :herokai_only, false)
|
|
30
|
+
if herokai_only
|
|
31
|
+
if herokai_only.is_a?(String) && !options[:redirect_url]
|
|
32
|
+
@redirect_url = herokai_only
|
|
33
|
+
end
|
|
34
|
+
@allow_if ||= lambda { |email| email.end_with?("@heroku.com") }
|
|
35
|
+
end
|
|
36
|
+
|
|
24
37
|
@expose_token = extract_option(options, :expose_token, false)
|
|
25
38
|
@expose_email = extract_option(options, :expose_email, true)
|
|
26
39
|
@expose_user = extract_option(options, :expose_user, true)
|
|
@@ -64,11 +77,11 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
|
64
77
|
# callback when successful, time to save data
|
|
65
78
|
get '/auth/heroku/callback' do
|
|
66
79
|
token = request.env['omniauth.auth']['credentials']['token']
|
|
67
|
-
if @expose_email || @expose_user ||
|
|
80
|
+
if @expose_email || @expose_user || !@allow_if.nil?
|
|
68
81
|
user = fetch_user(token)
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
redirect to(
|
|
82
|
+
# Wrapping lambda to prevent short-circut proc return
|
|
83
|
+
if @allow_if.respond_to?(:call) && !lambda{ @allow_if.call(user['email'])}.call
|
|
84
|
+
redirect to(@redirect_url) and return
|
|
72
85
|
end
|
|
73
86
|
@expose_user ? store_write(:user, user) : store_write(:user, true)
|
|
74
87
|
store_write(:email, user['email']) if @expose_email
|
|
@@ -155,7 +168,12 @@ private
|
|
|
155
168
|
end
|
|
156
169
|
|
|
157
170
|
def extract_option(options, option, default = nil)
|
|
158
|
-
options.
|
|
171
|
+
options.fetch(option, default)
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
def extract_deprecated_option(warning, options, option, default = nil)
|
|
175
|
+
$stderr.puts "[warn] heroku-bouncer: `#{option}` option is deprecated: #{warning}"
|
|
176
|
+
extract_option(options, option, default)
|
|
159
177
|
end
|
|
160
178
|
|
|
161
179
|
def fetch_user(token)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: heroku-bouncer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jonathan Dance
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-09-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-heroku
|
|
@@ -157,7 +157,9 @@ executables: []
|
|
|
157
157
|
extensions: []
|
|
158
158
|
extra_rdoc_files:
|
|
159
159
|
- README.md
|
|
160
|
+
- CHANGELOG.md
|
|
160
161
|
files:
|
|
162
|
+
- CHANGELOG.md
|
|
161
163
|
- Gemfile
|
|
162
164
|
- README.md
|
|
163
165
|
- Rakefile
|