RubyGems - intra - Versions diffs - 0.1.0 → 0.1.1 - Mend

intra 0.1.0 → 0.1.1

Files changed (9) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -1
data/README.md +2 -0
data/app/views/intra/sessions/new.html.erb +7 -11
data/lib/intra/engine.rb +4 -0
data/lib/intra/request_forgery_protection.rb +67 -0
data/lib/intra/version.rb +1 -1
data/lib/intra.rb +1 -0
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71b212549b87ebf7d644679ddb73557f7ea92c092468988ef2fd51610f0583f2
-  data.tar.gz: eaa8f0594f1827952c614c8ac157869803e2506cdc703760ef46196a5dd5c2d3
+  metadata.gz: cf985d8472b139ca940b7bc455f3d375c7b9ca77ca89fac60eaee241819ed15f
+  data.tar.gz: 415cd8474d33c5723929227b88276d5e38dc2db190f01932052d0bbd7fa8b57a
 SHA512:
-  metadata.gz: 63fc6a4fe9910999a29e7df5c81d766ce53641b148883e655438320fbf6e5cd572f2c005f729343de54e41b7b0d4bfb07cce2dfa7865062133549d91eb886ccf
-  data.tar.gz: 678e67a4427842ec8bf5d6fe5256d169cb03ccb0f445bc373cb37e6b5dfa5142d490257f1f3bdecc79e63f728ff13e14a4e574fc16d86cc9f165bc96a1efbbe2
+  metadata.gz: 9e4e394b9d3e97cdc2e51e320c4aecfb638029b4c854755f278e6e7aec9c6be3154d7541fc7ec79f5ce1650f4f2810d5da4fd997c49ec419ff826db5c4908f76
+  data.tar.gz: 40446b8b4658eac5bdf101958224d87dccc74d9b76451fe5cd16aebb2e5347bd904d34d9dcc644c6fea761a5338b6d1082fedb3c9798b923d353d3144a5928e9

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    intra (0.1.0)
+    intra (0.1.1)
       omniauth
       omniauth-google-oauth2
       rails

data/README.md CHANGED Viewed

@@ -1,3 +1,5 @@
+![travis](https://travis-ci.org/scottserok/intra.svg?branch=master)
 # Intra
 A relatively quick way to add Omniauth strategies to authenticate users on your

data/app/views/intra/sessions/new.html.erb CHANGED Viewed

@@ -1,22 +1,18 @@
-<article style="font-family: Arial; border: 1px solid #ddd; width: 600px; text-align: center; margin: auto; margin-top: 5em;">
-  <header style="border-bottom: 1px solid #ddd;">
+<article style="width: 500px; margin: auto; text-align: center; padding: 5rem;">
+  <header>
     <h1>Log in</h1>
   </header>
   <% if flash[:error] %>
     <section>
-      <p style="color: red;"><%= flash[:error] %></p>
+      <p class="alert"><%= flash[:error] %></p>
     </section>
   <% end %>
   <section>
-    <div style="padding: 3em;">
-      <%= link_to 'Log in with Developer',
-        '/auth/developer',
-        style: 'padding: 1em 2em; background-color: #44f; border-radius: 3px; color: white;' %>
+    <div>
+      <%= button_to 'Log in with Developer', '/auth/developer', method: :post %>
     </div>
-    <div style="padding: 3em;">
-      <%= link_to 'Log in with Google',
-        '/auth/google',
-        style: 'padding: 1em 2em; background-color: #f44; border-radius: 3px; color: white;' %>
+    <div>
+      <%= button_to 'Log in with Google', '/auth/google', method: :post %>
     </div>
   </section>
 </article>

data/lib/intra/engine.rb CHANGED Viewed

@@ -5,6 +5,10 @@ module Intra
     initializer 'intra.initializer' do |app|
       app.config.filter_parameters += [:uid]
       app.config.middleware.use RackSession
+      OmniAuth.config.allowed_request_methods = [:post]
+      OmniAuth.config.before_request_phase do |env|
+        ::Intra::RequestForgeryProtection.new(env).call
+      end
     end
     rake_tasks do

data/lib/intra/request_forgery_protection.rb ADDED Viewed

@@ -0,0 +1,67 @@
+require 'action_dispatch/http/request'
+module Intra
+  # Based on ActionController::RequestForgeryProtection.
+  class RequestForgeryProtection
+    def initialize(env)
+      @env = env
+    end
+    def request
+      @_request ||= ActionDispatch::Request.new(@env)
+    end
+    def session
+      request.session
+    end
+    def reset_session
+      request.reset_session
+    end
+    def params
+      @_params ||= request.parameters
+    end
+    def call
+      verify_authenticity_token
+    end
+    def verify_authenticity_token
+      return if verified_request?
+      Intra.logger.warn "Can't verify CSRF token authenticity"
+      handle_unverified_request
+    end
+  private
+    def protect_against_forgery?
+      ::ApplicationController.allow_forgery_protection
+    end
+    def request_forgery_protection_token
+      ::ApplicationController.request_forgery_protection_token
+    end
+    def forgery_protection_strategy
+      ::ApplicationController.forgery_protection_strategy
+    end
+    def verified_request?
+      !protect_against_forgery? || request.get? || request.head? ||
+        form_authenticity_token == params[request_forgery_protection_token] ||
+        form_authenticity_token == request.headers['X-CSRF-Token']
+    end
+    def handle_unverified_request
+      forgery_protection_strategy.new(self).handle_unverified_request
+    end
+    # Sets the token value for the current session.
+    def form_authenticity_token
+      session[:_csrf_token] ||= SecureRandom.base64(32)
+    end
+  end
+end

data/lib/intra/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Intra
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

data/lib/intra.rb CHANGED Viewed

@@ -9,6 +9,7 @@ require 'intra/session'
 require 'intra/rack_session'
 require 'intra/authenticatable'
 require 'intra/authentication'
+require 'intra/request_forgery_protection'
 require 'intra/engine'
 module Intra

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: intra
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Scott Serok
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-11 00:00:00.000000000 Z
+date: 2019-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -152,6 +152,7 @@ files:
 - lib/intra/engine.rb
 - lib/intra/omniauth_failure_app.rb
 - lib/intra/rack_session.rb
+- lib/intra/request_forgery_protection.rb
 - lib/intra/session.rb
 - lib/intra/tasks/install.rake
 - lib/intra/version.rb