heroku-bouncer 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 85c6929c3208eb743c042d9dbef6f9d43db08987
-  data.tar.gz: b08dd7bac4866f854c050a65011ec6403936cb93
+SHA256:
+  metadata.gz: c50847511ce57c696fca30c5a7cfa9c6bf8f70d16ee66130b9f83f81c612c252
+  data.tar.gz: 0ace5e96d9dc4dd373b670fddcf7dccc23db906166ccefeeda5761b70a037c67
 SHA512:
-  metadata.gz: 5370531c477251b6247116d86597c9cc4d35ade54fa1dd5bb513e2c51a5db3f09b926a99cf573a5b1674c5dcc0980887c41db12598d9f9459c8f93ae011e17c2
-  data.tar.gz: a748a855a7be7e07e9756c5e9407f2db0a08d12dedff83f0fe4473a53ecc205058a6b1eb2113f7ff524bb5fae25d642dc83fcc1dc18e23d3bb1218319dbf671b
+  metadata.gz: 341161c33386f2db7f369ad4dfa68e54046e4a2d794ae785d883a3925cb2c10a3ba178beeae65b8197ac9e8571248c7949a17d5ba6d020cb0763c7f1f72906eb
+  data.tar.gz: a79e4c4d4866135fd34d88fb9d4f66096fc20941d306f8bf343eee57f2c007af1672ea9604ea1548f3b99e46424d208fe0dad93ab5cf0aa1698663591f830c1a

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+# 0.9.0
+
+* #68: Loosen `omniauth-heroku` constraint, allowing `>= 0.1, < 2`,
+  enabling support of OmniAuth 2. This also adds the new [`:login_path`
+  option](README#prompt-to-login). @stevenharman
+* #66: Loosen Faraday constraints, allowing `>= 0.8", < 2`. @stevenharman
+
 # 0.8.0
 
 * #55: Ruby >= 2.4 support and Ruby <2.2 deprecation. Thanks @maxbeizer!

data/README.md

@@ -1,5 +1,4 @@
-[![Build Status](https://travis-ci.org/heroku/heroku-bouncer.png)](https://travis-ci.org/heroku/heroku-bouncer)
-[![Dependency Status](https://gemnasium.com/heroku/heroku-bouncer.png)](https://gemnasium.com/heroku/heroku-bouncer)
+[![Build Status](https://github.com/sharpstone/heroku-bouncer/actions/workflows/ci.yml/badge.svg)](https://github.com/sharpstone/heroku-bouncer/actions)
 
 # Heroku Bouncer
 
@@ -8,9 +7,9 @@ requires Heroku OAuth on all requests.
 
 ## Ruby and Rack compatibility
 
-* **Ruby**: Versions >= 0.8.0 require Ruby >= 2.2. If you need a version
-  that works with prior versions of Ruby, please use version `~> 0.7.1`.
-  Note, however, that 0.7.1 does not support Rack 2 (Rails 5).
+* **Ruby**: Versions `>= 0.8.0` require Ruby >= 2.2.
+  If you need a version that works with prior versions of Ruby, please use version `~> 0.7.1`.
+  Note, however, that `0.7.1` does not support Rack 2 (Rails 5+).
 
 * **Rack**: Rack 1 and 2 are supported.
 
@@ -23,7 +22,7 @@ Sinatra app that uses heroku-bouncer.
 
 1. Install the Heroku OAuth CLI plugin.
 
-    ```sh
+    ```console
     heroku plugins:install heroku-cli-oauth
     ```
 
@@ -31,7 +30,7 @@ Sinatra app that uses heroku-bouncer.
    callback endpoint. Use `http://localhost:5000/auth/heroku/callback`
    for local development with Foreman.
 
-    ```sh
+    ```console
     heroku clients:create localhost http://localhost:5000/auth/heroku/callback
     heroku clients:create myapp https://myapp.herokuapp.com/auth/heroku/callback
     ```
@@ -113,8 +112,8 @@ Here are the supported options you can pass to the middleware:
   representing the user. If the lambda evaluates to true, allow the user
   through. If false, redirects to `redirect_url`. By default, all users are
   allowed through after authenticating.
-* `redirect_url`: Where unauthorized users are redirected to. Defaults to
-  `www.heroku.com`.
+* `login_path`: Where unauthorized users are redirected so they can be [prompted to login](#prompt-to-login). Defaults to `heroku-bouncer`'s own `/auth/login` path.
+* `redirect_url`: Where unauthorized users are redirected during the OAuth callback phase. Defaults to `www.heroku.com`.
 * `expose_token`: Expose the OAuth token in the session, allowing you to
   make API calls as the user. Default: `false`
 * `expose_email`: Expose the user's email address in the session.
@@ -138,7 +137,6 @@ Here are the supported options you can pass to the middleware:
 
 You use these by passing a hash to the `use` call, for example:
 
-
 ```ruby
 use Heroku::Bouncer,
   oauth: { id: "...", secret: "...", scope: "global" },
@@ -146,6 +144,29 @@ use Heroku::Bouncer,
   expose_token: true
 ```
 
+### Prompt to Login
+
+To mitigate Cross-Site Request Forgery attacks, [OmniAuth no longer allows `GET` requests to the `/auth/heroku`](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0) path.
+To support this, `heroku-bouncer` no longer redirects unauthorized requests to the `/auth/heroku` path.
+Instead users are redirected to `/auth/login` where a simple HTML template is rendered, prompting the user to authenticate with Heroku.
+
+The template includes a `<form>` with a button which will `POST` to the `/auth/heroku` path.
+It also includes the Authenticity Token from `Rack::Protection`.
+The view provides no styling; it is the most basic example of what's required.
+
+To render your own prompt UI, provide the `:login_path` option.
+Unauthenticated users will be redirected to this path, allowing you to control the UI.
+The resulting page should render an HTML `<form>` which will `POST` to the `/auth/heroku` path.
+The form needs to include a field named `authenticity_token` with the token from `Rack::Protection`.
+
+An example to get you started:
+
+```erb
+<form method="post" action="/auth/heroku">
+  <input type="hidden" name="authenticity_token" value="<%= request.env["rack.session"]["csrf"] %>">
+<button type="submit">Sign in via Heroku</button>
+```
+
 ## How to get the data
 
 Based on your choice of the expose options above, the middleware adds
@@ -161,13 +182,13 @@ You can access this in Sinatra and Rails by  `request.env[key]`, e.g.
 
 ## Using the Heroku API
 
-If you set `expose_token` to `true`, you'll get an API token that you
+If you set `expose_token` to `true`, you'll get an OAuth token that you
 can use to make Heroku API calls on behalf of the logged-in user using
-[heroku.rb][] .
+the [platform API][platform-api].
 
 ```ruby
-heroku = Heroku::API.new(:api_key => request.env["bouncer.token"])
-apps = heroku.get_apps.body
+heroku = PlatformAPI.connect_oauth(request.env["bouncer.token"])
+info = heroku.app.info('sushi')
 ```
 
 Keep in mind that this adds substantial security risk to your
@@ -209,4 +230,4 @@ actions that modify data are also recommended.
 [Rack::Builder]: http://rack.rubyforge.org/doc/Rack/Builder.html
 [inheritance]: https://gist.github.com/wuputah/5534428
 [OAuth scope]: https://devcenter.heroku.com/articles/oauth#scopes
-[heroku.rb]: https://github.com/heroku/heroku.rb
+[platform-api]: https://github.com/heroku/platform-api

data/lib/heroku/bouncer/builder.rb

@@ -1,5 +1,6 @@
 require 'heroku/bouncer/middleware'
 require 'rack/builder'
+require 'rack/protection'
 require 'omniauth-heroku'
 
 class Heroku::Bouncer::Builder
@@ -8,6 +9,7 @@ class Heroku::Bouncer::Builder
     builder = Rack::Builder.new
     id, secret, scope = extract_options!(options)
     unless options[:disabled]
+      builder.use Rack::Protection
       builder.use OmniAuth::Builder do
         provider :heroku, id, secret, :scope => scope
       end

data/lib/heroku/bouncer/middleware.rb

@@ -6,10 +6,12 @@ require 'heroku/bouncer/json_parser'
 require 'heroku/bouncer/decrypted_hash'
 
 class Heroku::Bouncer::Middleware < Sinatra::Base
-
   DecryptedHash = ::Heroku::Bouncer::DecryptedHash
   UnableToFetchUserError = Class.new(RuntimeError)
 
+  DEFAULT_LOGIN_PATH = "/auth/login".freeze
+  private_constant :DEFAULT_LOGIN_PATH
+
   enable :raise_errors
   disable :show_exceptions
 
@@ -20,8 +22,10 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
       # super is not called; we're not using sinatra if we're disabled
     else
       super(app)
+      @disabled = false
       @cookie_secret = extract_option(options, :secret, SecureRandom.hex(64))
       @allow_if_user = extract_option(options, :allow_if_user, nil)
+      @login_path = extract_option(options, :login_path, DEFAULT_LOGIN_PATH)
       @redirect_url = extract_option(options, :redirect_url, 'https://www.heroku.com')
 
       # backwards-compatibilty for `herokai_only`:
@@ -125,7 +129,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     auth_url = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
     logout_url = "#{auth_url}/logout"
 
-    # id.heroku.com whitelists this return_to param, as any auth provider should do
+    # id.heroku.com allowlists this return_to param, as any auth provider should do
     logout_url += "?url=#{params['return_to']}" if params['return_to']
 
     redirect to(logout_url)
@@ -138,15 +142,24 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
   end
 
   # login, setting the URL to return to
-  get '/auth/login' do
+  get DEFAULT_LOGIN_PATH do
     if params['return_to'] && params['return_to'].length <= 255
       store_write(:return_to, params['return_to'])
     end
-    redirect to('/auth/heroku')
+
+    if custom_login_path?
+      redirect to(login_path)
+    else
+      erb(:login, locals: {
+        authenticity_token: request.env["rack.session"]["csrf"]
+      })
+    end
   end
 
 private
 
+  attr_reader :login_path
+
   def unlock_session_data(env, &block)
     decrypt_store(env)
     yield
@@ -154,8 +167,20 @@ private
     encrypt_store(env)
   end
 
+  def auth_paths
+    @auth_paths ||= [
+      "/auth/heroku/callback",
+      "/auth/heroku",
+      "/auth/failure",
+      "/auth/sso-logout",
+      "/auth/logout",
+      DEFAULT_LOGIN_PATH,
+      login_path
+    ].compact.freeze
+  end
+
   def auth_request?
-    %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout /auth/login].include?(request.path_info)
+    auth_paths.include?(request.path_info)
   end
 
   def session_nonce_mismatch?
@@ -175,13 +200,17 @@ private
     ts.nil? || Time.now.to_i > ts
   end
 
+  def custom_login_path?
+    login_path != DEFAULT_LOGIN_PATH
+  end
+
   def skip?(env)
     @skip && @skip.call(env)
   end
 
   def require_authentication
     store_write(:return_to, request.url)
-    redirect to('/auth/heroku')
+    redirect to(login_path)
   end
 
   def extract_option(options, option, default = nil)
@@ -257,5 +286,4 @@ private
     return_to.port = port unless port == 80
     return_to.to_s
   end
-
 end

data/lib/heroku/bouncer/views/login.erb

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>Login with Heroku</title>
+    <%# Avoid extra requests for favicon.ico %>
+    <link rel="icon" href="data:;base64,iVBORw0KGgo=">
+  </head>
+  <body class="heroku_bouncer">
+    <form method="post" action="/auth/heroku" class="heroku_bouncer-login_form">
+      <input type="hidden" name="authenticity_token" value="<%= authenticity_token %>">
+      <button type="submit">Login with Heroku</button>
+    </form>
+  </body>
+</html>

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-07 00:00:00.000000000 Z
+date: 2021-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -48,16 +54,22 @@ dependencies:
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -82,16 +94,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -126,14 +138,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -148,6 +160,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: delorean
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +190,7 @@ dependencies:
         version: '2.1'
 description: ID please.
 email:
-- jd@heroku.com
+- jd@wuputah.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -183,6 +209,7 @@ files:
 - lib/heroku/bouncer/json_parser.rb
 - lib/heroku/bouncer/lockbox.rb
 - lib/heroku/bouncer/middleware.rb
+- lib/heroku/bouncer/views/login.erb
 homepage: https://github.com/heroku/heroku-bouncer
 licenses:
 - MIT
@@ -202,8 +229,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Rapidly add Heroku OAuth to your Ruby app.