linkedin_sign_in 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bfa7e967cbeab70c8230680b68b03b9a2dc4848619cd0d73c02b26d3bf291dd8
-  data.tar.gz: 459f6693fe5a538af91fba21f6e66a0277ec87957d4ea5a93dba464619ce5388
+  metadata.gz: 1ee16026971b50c11efcd2f1882de53f9ba5c3855fd4641d6901939571d7c277
+  data.tar.gz: 23d35a4f027293b47294757ec195ae6676c5e7809f72c4c1f3d1a71619bcf41c
 SHA512:
-  metadata.gz: 4a7ca8ae4af9d6bfc6fe2c808e5ff6fbbe74818ac610b86f60f5a8013a41e2e625a9183bee29af12ebcc2035e9689b6c05161d1224d1f0045b933069120e05b3
-  data.tar.gz: ee7c235b7a2bf01c83fdb0b7effdda88d8f561aba79f618328ec7a3affd81f1aed87f23741185e77f477de1f3973771aeb7786a74b8bdf696807b5c49d6a1f16
+  metadata.gz: 6721873e8eff33dd2b6fead2e547f138b9a987a4d71f275e59b54462a17010891a09eff4e75da15caa695aa395baef92e529dc4b4ac4b32c186d030bb133f975
+  data.tar.gz: '0845e4f905d41382d50b0d80e38ced16e8dfd6af72f3ba2e7487edb8275da7a1c0bd1b8c5be28618914b4ae0f755e5ac1b9bda790803c99bfbdcc36ba7a34773'

data/.travis.yml

@@ -2,14 +2,14 @@ language: ruby
 sudo: false
 cache: bundler
 
-# Bundler/RubyGems incompat on Ruby 2.5.0
-before_install: gem install bundler
+# Bundler/RubyGems incompat on Ruby 2.5.0 and 2.6.1
+before_install: gem update --system && gem install bundler -v 1.17.3
 
 rvm:
-  - 2.2
   - 2.3
   - 2.4
   - 2.5
+  - 2.6
   - ruby-head
 
 matrix:

data/Gemfile.lock

@@ -1,70 +1,70 @@
 PATH
   remote: .
   specs:
-    linkedin_sign_in (0.3.1)
+    linkedin_sign_in (0.4.0)
       oauth2 (>= 1.4.0)
       rails (>= 5.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.1.1)
-      actionpack (= 5.2.1.1)
+    actioncable (5.2.2.1)
+      actionpack (= 5.2.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.1.1)
-      actionpack (= 5.2.1.1)
-      actionview (= 5.2.1.1)
-      activejob (= 5.2.1.1)
+    actionmailer (5.2.2.1)
+      actionpack (= 5.2.2.1)
+      actionview (= 5.2.2.1)
+      activejob (= 5.2.2.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.1.1)
-      actionview (= 5.2.1.1)
-      activesupport (= 5.2.1.1)
+    actionpack (5.2.2.1)
+      actionview (= 5.2.2.1)
+      activesupport (= 5.2.2.1)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.1.1)
-      activesupport (= 5.2.1.1)
+    actionview (5.2.2.1)
+      activesupport (= 5.2.2.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.1.1)
-      activesupport (= 5.2.1.1)
+    activejob (5.2.2.1)
+      activesupport (= 5.2.2.1)
       globalid (>= 0.3.6)
-    activemodel (5.2.1.1)
-      activesupport (= 5.2.1.1)
-    activerecord (5.2.1.1)
-      activemodel (= 5.2.1.1)
-      activesupport (= 5.2.1.1)
+    activemodel (5.2.2.1)
+      activesupport (= 5.2.2.1)
+    activerecord (5.2.2.1)
+      activemodel (= 5.2.2.1)
+      activesupport (= 5.2.2.1)
       arel (>= 9.0)
-    activestorage (5.2.1.1)
-      actionpack (= 5.2.1.1)
-      activerecord (= 5.2.1.1)
+    activestorage (5.2.2.1)
+      actionpack (= 5.2.2.1)
+      activerecord (= 5.2.2.1)
       marcel (~> 0.3.1)
-    activesupport (5.2.1.1)
+    activesupport (5.2.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    addressable (2.5.2)
+    addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
     arel (9.0.0)
     builder (3.2.3)
-    byebug (10.0.2)
-    concurrent-ruby (1.1.3)
+    byebug (11.0.1)
+    concurrent-ruby (1.1.5)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     crass (1.0.4)
-    erubi (1.7.1)
+    erubi (1.8.0)
     faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
-    hashdiff (0.3.7)
-    i18n (1.1.1)
+    hashdiff (0.3.8)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
     jwt (2.1.0)
     loofah (2.2.3)
@@ -75,16 +75,16 @@ GEM
     marcel (0.3.3)
       mimemagic (~> 0.3.2)
     method_source (0.9.2)
-    mimemagic (0.3.2)
+    mimemagic (0.3.3)
     mini_mime (1.0.1)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.4.0)
     minitest (5.11.3)
     multi_json (1.13.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
     nio4r (2.3.1)
-    nokogiri (1.8.5)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.10.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
       jwt (>= 1.0, < 3.0)
@@ -95,32 +95,32 @@ GEM
     rack (2.0.6)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.1.1)
-      actioncable (= 5.2.1.1)
-      actionmailer (= 5.2.1.1)
-      actionpack (= 5.2.1.1)
-      actionview (= 5.2.1.1)
-      activejob (= 5.2.1.1)
-      activemodel (= 5.2.1.1)
-      activerecord (= 5.2.1.1)
-      activestorage (= 5.2.1.1)
-      activesupport (= 5.2.1.1)
+    rails (5.2.2.1)
+      actioncable (= 5.2.2.1)
+      actionmailer (= 5.2.2.1)
+      actionpack (= 5.2.2.1)
+      actionview (= 5.2.2.1)
+      activejob (= 5.2.2.1)
+      activemodel (= 5.2.2.1)
+      activerecord (= 5.2.2.1)
+      activestorage (= 5.2.2.1)
+      activesupport (= 5.2.2.1)
       bundler (>= 1.3.0)
-      railties (= 5.2.1.1)
+      railties (= 5.2.2.1)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.1.1)
-      actionpack (= 5.2.1.1)
-      activesupport (= 5.2.1.1)
+    railties (5.2.2.1)
+      actionpack (= 5.2.2.1)
+      activesupport (= 5.2.2.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (12.3.1)
-    safe_yaml (1.0.4)
+    rake (12.3.2)
+    safe_yaml (1.0.5)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -132,7 +132,7 @@ GEM
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    webmock (3.4.2)
+    webmock (3.5.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff
@@ -144,7 +144,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.15)
+  bundler (~> 1.17.2)
   byebug
   jwt (>= 1.5.6)
   linkedin_sign_in!
@@ -152,4 +152,4 @@ DEPENDENCIES
   webmock (>= 3.4.2)
 
 BUNDLED WITH
-   1.16.4
+   1.17.2

data/README.md

@@ -78,7 +78,8 @@ This gem provides a `linkedin_sign_in_button` helper. It generates a button whic
 ```
 
 The `proceed_to` argument is required. After authenticating with Linkedin, the gem redirects to `proceed_to`, providing
-a Linkedin ID token in `flash[:linkedin_sign_in_token]`. Your application decides what to do with it:
+a LinkedIn ID token in `flash[:linkedin_sign_in][:token]` or an [OAuth authorizaton code grant error](https://tools.ietf.org/html/rfc6749#section-4.1.2.1)
+in `flash[:linkedin_sign_in][:error]`. Your application decides what to do with it:
 
 ```ruby
 # config/routes.rb
@@ -106,9 +107,12 @@ class LoginsController < ApplicationController
 
   private
     def authenticate_with_linkedin
-      if flash[:linkedin_sign_in_token].present?
-        User.find_by linkedin_id: LinkedinSignIn::Identity.new(flash[:linkedin_sign_in_token]).user_id
-      end
+      if id_token = flash[:linkedin_sign_in][:token]
+        User.find_by linkedin_id: LinkedIn::Identity.new(id_token).user_id
+      elsif error = flash[:linkedin_sign_in][:error]
+        logger.error "LinkedIn authentication error: #{error}"
+        nil
+	    end
     end
 end
 ```
@@ -126,20 +130,18 @@ origin as your application. This means it must have the same protocol, host, and
 The `LinkedinSignIn::Identity` class decodes and verifies the integrity of a Linkedin ID token. It exposes the profile
 information contained in the token via the following instance methods:
 
-* `name`
+* `first_name`
+
+* `last_name`
 
 * `email_address`
 
 * `user_id`: A string that uniquely identifies a single Linkedin user. Use this, not `email_address`, to associate a
   Linkedin user with an application user. A Linkedin user’s email address may change, but their `user_id` will remain constant.
 
-* `email_verified?`
-
 * `avatar_url`
 
-* `locale`
-
-* `hosted_domain`: The user’s hosted G Suite domain, provided only if they belong to a G Suite.
+* `current_company_name`: name of the current company the user is working at
 
 
 ## Security

data/app/controllers/linkedin_sign_in/callbacks_controller.rb

@@ -2,26 +2,36 @@ require_dependency 'linkedin_sign_in/redirect_protector'
 
 class LinkedinSignIn::CallbacksController < LinkedinSignIn::BaseController
   def show
-    if valid_request?
-      redirect_to proceed_to_url, flash: { linkedin_sign_in_token: token }
-    else
-      head :unprocessable_entity
-    end
+    redirect_to proceed_to_url, flash: { linkedin_sign_in: linkedin_sign_in_response }
   rescue LinkedinSignIn::RedirectProtector::Violation => error
     logger.error error.message
     head :bad_request
   end
 
   private
-    def valid_request?
-      flash[:state].present? && params.require(:state) == flash[:state] && params[:error].blank?
-    end
-
     def proceed_to_url
       flash[:proceed_to].tap { |url| LinkedinSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
     end
 
+    def linkedin_sign_in_response
+      if valid_request? && params[:code].present?
+        { token: token }
+      else
+        { error: error_message_for(params[:error]) }
+      end
+    rescue OAuth2::Error => error
+      { error: error_message_for(error.code) }
+    end
+
+    def valid_request?
+      flash[:state].present? && params[:state] == flash[:state]
+    end
+
     def token
-      client.auth_code.get_token(params.require(:code)).token
+      client.auth_code.get_token(params[:code]).token
+    end
+
+    def error_message_for(error_code)
+      error_code.presence_in(LinkedinSignIn::OAUTH2_ERRORS) || "invalid_request"
     end
 end

data/bin/rails

@@ -3,7 +3,7 @@
 # installed from the root of your application.
 
 ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/blorgh/engine', __dir__)
+ENGINE_PATH = File.expand_path('../lib/linkedin_sign_in/engine', __dir__)
 APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
 
 # Set up gems listed in the Gemfile.

data/lib/linkedin_sign_in.rb

@@ -4,6 +4,31 @@ require 'active_support/rails'
 module LinkedinSignIn
   mattr_accessor :client_id
   mattr_accessor :client_secret
+
+  # https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  authorization_request_errors = %w[
+    invalid_request
+    unauthorized_client
+    access_denied
+    unsupported_response_type
+    invalid_scope
+    server_error
+    temporarily_unavailable
+  ]
+
+  # https://tools.ietf.org/html/rfc6749#section-5.2
+  access_token_request_errors = %w[
+    invalid_request
+    invalid_client
+    invalid_grant
+    unauthorized_client
+    unsupported_grant_type
+    invalid_scope
+  ]
+
+  # Authorization Code Grant errors from both authorization requests
+  # and access token requests.
+  OAUTH2_ERRORS = authorization_request_errors | access_token_request_errors
 end
 
 require 'linkedin_sign_in/identity'

data/lib/linkedin_sign_in/identity.rb

@@ -1,4 +1,3 @@
-require 'linkedin-id-token'
 require 'active_support/core_ext/module/delegation'
 
 module LinkedinSignIn
@@ -30,9 +29,9 @@ module LinkedinSignIn
     end
 
     def current_company_name
-      positions = @payload["positions"]["values"]
+      positions = @payload.dig("positions", "values")
       current_position = positions.find { |position| position["isCurrent"] }
-      current_position["company"]["name"]
+      current_position.dig("company", "name")
     end
 
     private

data/linkedin_sign_in.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name     = 'linkedin_sign_in'
-  s.version  = '0.3.1'
+  s.version  = '0.4.0'
   s.authors  = ['Vincent Robert']
   s.email    = ['vincent.robert@genezys.net']
   s.summary  = 'Sign in (or up) with Linkedin for Rails applications'
@@ -12,7 +12,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'rails', '>= 5.2.0'
   s.add_dependency 'oauth2', '>= 1.4.0'
 
-  s.add_development_dependency 'bundler', '~> 1.15'
+  s.add_development_dependency 'bundler', '~> 1.17.2'
   s.add_development_dependency 'jwt', '>= 1.5.6'
   s.add_development_dependency 'webmock', '>= 3.4.2'
 

data/test/controllers/callbacks_controller_test.rb

@@ -5,16 +5,92 @@ class LinkedinSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
     assert_response :redirect
 
-    stub_token_request code: '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
+    stub_token_for '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
 
     get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
     assert_redirected_to 'http://www.example.com/login'
-    assert_equal 'ya29.GlwIBo', flash[:linkedin_sign_in_token]
+    assert_equal 'ya29.GlwIBo', flash[:linkedin_sign_in][:token]
+    assert_nil flash[:linkedin_sign_in][:error]
   end
 
-  test "protecting against CSRF" do
+  # Authorization request errors: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  %w[ invalid_request unauthorized_client access_denied unsupported_response_type invalid_scope server_error temporarily_unavailable ].each do |error|
+    test "receiving an authorization code grant error: #{error}" do
+      post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      get linkedin_sign_in.callback_url(error: error, state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:linkedin_sign_in][:token]
+      assert_equal error, flash[:linkedin_sign_in][:error]
+    end
+  end
+
+  test "receiving an invalid authorization error" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get linkedin_sign_in.callback_url(error: 'unknown error code', state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:linkedin_sign_in][:token]
+    assert_equal "invalid_request", flash[:linkedin_sign_in][:error]
+  end
+
+  test "receiving neither code nor error" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    get linkedin_sign_in.callback_url(state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:linkedin_sign_in][:token]
+    assert_equal 'invalid_request', flash[:linkedin_sign_in][:error]
+  end
+
+  # Access token request errors: https://tools.ietf.org/html/rfc6749#section-5.2
+  %w[ invalid_request invalid_client invalid_grant unauthorized_client unsupported_grant_type invalid_scope ].each do |error|
+    test "receiving an access token request error: #{error}" do
+      post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+      assert_response :redirect
+
+      stub_token_error_for '4/SgCpHSVW5-Cy', error: error
+
+      get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+      assert_redirected_to 'http://www.example.com/login'
+      assert_nil flash[:linkedin_sign_in][:id_token]
+      assert_equal error, flash[:linkedin_sign_in][:error]
+    end
+  end
+
+  test "protecting against CSRF without flash state" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
     get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
-    assert_response :unprocessable_entity
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:linkedin_sign_in][:token]
+    assert_equal 'invalid_request', flash[:linkedin_sign_in][:error]
+  end
+
+  test "protecting against CSRF with invalid state" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:linkedin_sign_in][:token]
+    assert_equal 'invalid_request', flash[:linkedin_sign_in][:error]
+  end
+
+  test "protecting against CSRF with missing state" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_not_nil flash[:state]
+
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy')
+    assert_redirected_to 'http://www.example.com/login'
+    assert_nil flash[:linkedin_sign_in][:token]
+    assert_equal 'invalid_request', flash[:linkedin_sign_in][:error]
   end
 
   test "protecting against open redirects" do
@@ -26,11 +102,27 @@ class LinkedinSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
   end
 
   private
-    def stub_token_request(code:, **params)
-      stub_request(:post, 'https://www.linkedin.com/oauth/v2/accessToken').
-        with(body: { grant_type: 'authorization_code', code: code,
-          client_id: FAKE_LINKEDIN_CLIENT_ID, client_secret: FAKE_LINKEDIN_CLIENT_SECRET,
-          redirect_uri: 'http://www.example.com/linkedin_sign_in/callback' }).
-        to_return(status: 200, headers: { 'Content-Type' => 'application/json' }, body: JSON.generate(params))
+    def stub_token_for(code, **response_body)
+      stub_token_request(code, status: 200, response: response_body)
+    end
+
+    def stub_token_error_for(code, error:)
+      stub_token_request(code, status: 418, response: { error: error })
+    end
+
+    def stub_token_request(code, status:, response:)
+      stub_request(:post, 'https://www.linkedin.com/oauth/v2/accessToken').with(
+        body: {
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: FAKE_LINKEDIN_CLIENT_ID,
+          client_secret: FAKE_LINKEDIN_CLIENT_SECRET,
+          redirect_uri: 'http://www.example.com/linkedin_sign_in/callback'
+        }
+      ).to_return(
+        status: status,
+        headers: { 'Content-Type' => 'application/json' },
+        body: JSON.generate(response)
+      )
     end
 end

data/test/test_helper.rb

@@ -17,9 +17,6 @@ if LINKEDIN_X509_CERTIFICATE.not_after <= Time.now
   raise "Test certificate is expired. Generate a new one and run the tests again: `bundle exec rake test:certificate:generate`."
 end
 
-require 'linkedin-id-token'
-# LinkedinSignIn::Identity.validator = Validator.new(x509_cert: LINKEDIN_X509_CERTIFICATE)
-
 class ActionView::TestCase
   private
     def assert_dom_equal(expected, actual, message = nil)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linkedin_sign_in
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Vincent Robert
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-28 00:00:00.000000000 Z
+date: 2019-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: 1.17.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: 1.17.2
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -102,7 +102,6 @@ files:
 - app/helpers/linkedin_sign_in/button_helper.rb
 - bin/rails
 - config/routes.rb
-- lib/linkedin-id-token.rb
 - lib/linkedin_sign_in.rb
 - lib/linkedin_sign_in/engine.rb
 - lib/linkedin_sign_in/identity.rb
@@ -160,6 +159,7 @@ files:
 - test/dummy/config/routes.rb
 - test/dummy/config/spring.rb
 - test/dummy/config/storage.yml
+- test/dummy/db/test.sqlite3
 - test/dummy/lib/assets/.keep
 - test/dummy/log/.keep
 - test/dummy/package.json
@@ -169,11 +169,15 @@ files:
 - test/dummy/public/apple-touch-icon-precomposed.png
 - test/dummy/public/apple-touch-icon.png
 - test/dummy/public/favicon.ico
+- test/dummy/storage/.keep
+- test/dummy/tmp/.keep
+- test/dummy/tmp/storage/.keep
 - test/helpers/button_helper_test.rb
 - test/key.pem
 - test/models/identity_test.rb
 - test/models/redirect_protector_test.rb
 - test/test_helper.rb
+- tmp/.keep
 homepage: https://github.com/genezys/linkedin_sign_in
 licenses:
 - MIT
@@ -251,6 +255,7 @@ test_files:
 - test/dummy/config/routes.rb
 - test/dummy/config/spring.rb
 - test/dummy/config/storage.yml
+- test/dummy/db/test.sqlite3
 - test/dummy/lib/assets/.keep
 - test/dummy/log/.keep
 - test/dummy/package.json
@@ -260,6 +265,9 @@ test_files:
 - test/dummy/public/apple-touch-icon-precomposed.png
 - test/dummy/public/apple-touch-icon.png
 - test/dummy/public/favicon.ico
+- test/dummy/storage/.keep
+- test/dummy/tmp/.keep
+- test/dummy/tmp/storage/.keep
 - test/helpers/button_helper_test.rb
 - test/key.pem
 - test/models/identity_test.rb

data/lib/linkedin-id-token.rb

@@ -1,190 +0,0 @@
-# encoding: utf-8
-# Copyright 2012 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##
-# Validates strings alleged to be ID Tokens issued by Google; if validation
-#  succeeds, returns the decoded ID Token as a hash.
-# It's a good idea to keep an instance of this class around for a long time,
-#  because it caches the keys, performs validation statically, and only
-#  refreshes from Google when required (once per day by default)
-#
-# @author Tim Bray, adapted from code by Bob Aman
-
-require 'json'
-require 'jwt'
-require 'monitor'
-require 'net/http'
-require 'openssl'
-
-module LinkedinIDToken
-  class CertificateError < StandardError; end
-  class ValidationError < StandardError; end
-  class ExpiredTokenError < ValidationError; end
-  class SignatureError < ValidationError; end
-  class InvalidIssuerError < ValidationError; end
-  class AudienceMismatchError < ValidationError; end
-  class ClientIDMismatchError < ValidationError; end
-
-  class Validator
-    include MonitorMixin
-
-    LINKEDIN_CERTS_URI = 'https://www.googleapis.com/oauth2/v1/certs'
-    LINKEDIN_CERTS_EXPIRY = 3600 # 1 hour
-
-    # https://developers.google.com/identity/sign-in/web/backend-auth
-    LINKEDIN_ISSUERS = ['accounts.google.com', 'https://accounts.google.com']
-
-    def initialize(options = {})
-      super()
-
-      if options[:x509_cert]
-        @certs_mode = :literal
-        @certs = { :_ => options[:x509_cert] }
-      # elsif options[:jwk_uri]  # TODO
-      #   @certs_mode = :jwk
-      #   @certs = {}
-      else
-        @certs_mode = :old_skool
-        @certs = {}
-      end
-
-      @certs_expiry = options.fetch(:expiry, LINKEDIN_CERTS_EXPIRY)
-    end
-
-    ##
-    # If it validates, returns a hash with the JWT payload from the ID Token.
-    #  You have to provide an "aud" value, which must match the
-    #  token's field with that name, and will similarly check cid if provided.
-    #
-    # If something fails, raises an error
-    #
-    # @param [String] token
-    #   The string form of the token
-    # @param [String] aud
-    #   The required audience value
-    # @param [String] cid
-    #   The optional client-id ("azp" field) value
-    #
-    # @return [Hash] The decoded ID token
-    def check(token, aud, cid = nil)
-      synchronize do
-        payload = check_cached_certs(token, aud, cid)
-
-        unless payload
-          # no certs worked, might've expired, refresh
-          if refresh_certs
-            payload = check_cached_certs(token, aud, cid)
-
-            unless payload
-              raise SignatureError, 'Token not verified as issued by Google'
-            end
-          else
-            raise CertificateError, 'Unable to retrieve Google public keys'
-          end
-        end
-
-        payload
-      end
-    end
-
-    private
-
-    # tries to validate the token against each cached cert.
-    # Returns the token payload or raises a ValidationError or
-    #  nil, which means none of the certs validated.
-    def check_cached_certs(token, aud, cid)
-      payload = nil
-
-      # find first public key that validates this token
-      @certs.detect do |key, cert|
-        begin
-          public_key = cert.public_key
-          decoded_token = JWT.decode(token, public_key, !!public_key, { :algorithm => 'RS256' })
-          payload = decoded_token.first
-
-          # in Feb 2013, the 'cid' claim became the 'azp' claim per changes
-          #  in the OIDC draft. At some future point we can go all-azp, but
-          #  this should keep everything running for a while
-          if payload['azp']
-            payload['cid'] = payload['azp']
-          elsif payload['cid']
-            payload['azp'] = payload['cid']
-          end
-          payload
-        rescue JWT::ExpiredSignature
-          raise ExpiredTokenError, 'Token signature is expired'
-        rescue JWT::DecodeError
-          nil # go on, try the next cert
-        end
-      end
-
-      if payload
-        if !(payload.has_key?('aud') && payload['aud'] == aud)
-          raise AudienceMismatchError, 'Token audience mismatch'
-        end
-        if cid && payload['cid'] != cid
-          raise ClientIDMismatchError, 'Token client-id mismatch'
-        end
-        if !LINKEDIN_ISSUERS.include?(payload['iss'])
-          raise InvalidIssuerError, 'Token issuer mismatch'
-        end
-        payload
-      else
-        nil
-      end
-    end
-
-    # returns false if there was a problem
-    def refresh_certs
-      case @certs_mode
-      when :literal
-        true # no-op
-      when :old_skool
-        old_skool_refresh_certs
-      # when :jwk          # TODO
-      #  jwk_refresh_certs
-      end
-    end
-
-    def old_skool_refresh_certs
-      return true unless certs_cache_expired?
-
-      uri = URI(LINKEDIN_CERTS_URI)
-      get = Net::HTTP::Get.new uri.request_uri
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = true
-      res = http.request(get)
-
-      if res.is_a?(Net::HTTPSuccess)
-        new_certs = Hash[JSON.load(res.body).map do |key, cert|
-          [key, OpenSSL::X509::Certificate.new(cert)]
-        end]
-        @certs.merge! new_certs
-        @certs_last_refresh = Time.now
-        true
-      else
-        false
-      end
-    end
-
-    def certs_cache_expired?
-      if defined? @certs_last_refresh
-        Time.now > @certs_last_refresh + @certs_expiry
-      else
-        true
-      end
-    end
-  end
-end