linkedin_sign_in 0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ad7912381b74e7f64e9bae51e0a684b300b34e2f4c41c85744cb610ff17607cc
+  data.tar.gz: 244c9cff9027b336a4d6bfbdd2028bd5673c1b9f1dc401d7781cdbae5e394a97
+SHA512:
+  metadata.gz: 721a1b383a91a13737ed9ab1e01c4b9c655a1482cc61cd740ec6391004ad7021b6787a24b640a19a361cc4e73265af08062e04f60899389dc3e5b01d3cc921b9
+  data.tar.gz: 71c4e31c993787c14cd7e8ddcd2f1c27c5118e02226527adb5ef4a6a6355416768fa0ae9dccef47f49e247acd0de56ffbe867082b805b95253ba619c0fdc1b4c

data/.gitignore

@@ -0,0 +1,13 @@
+.bundle/
+.byebug_history
+log/*.log
+pkg/
+*.gem
+
+test/dummy/db/*.sqlite3
+test/dummy/db/*.sqlite3-journal
+test/dummy/log/*.log
+test/dummy/node_modules/
+test/dummy/yarn-error.log
+test/dummy/storage/
+test/dummy/tmp/

data/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+sudo: false
+cache: bundler
+
+# Bundler/RubyGems incompat on Ruby 2.5.0
+before_install: gem install bundler
+
+rvm:
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - ruby-head
+
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+  fast_finish: true

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+# Changelog
+
+Please see [our GitHub "Releases" page](https://github.com/genezys/linkedin_sign_in/releases).

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rake'
+gem 'byebug'

data/Gemfile.lock

@@ -0,0 +1,155 @@
+PATH
+  remote: .
+  specs:
+    linkedin_sign_in (0.3)
+      oauth2 (>= 1.4.0)
+      rails (>= 5.2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.2.1)
+      actionpack (= 5.2.1)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.1)
+      actionview (= 5.2.1)
+      activesupport (= 5.2.1)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.1)
+      activesupport (= 5.2.1)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.1)
+      activesupport (= 5.2.1)
+      globalid (>= 0.3.6)
+    activemodel (5.2.1)
+      activesupport (= 5.2.1)
+    activerecord (5.2.1)
+      activemodel (= 5.2.1)
+      activesupport (= 5.2.1)
+      arel (>= 9.0)
+    activestorage (5.2.1)
+      actionpack (= 5.2.1)
+      activerecord (= 5.2.1)
+      marcel (~> 0.3.1)
+    activesupport (5.2.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    arel (9.0.0)
+    builder (3.2.3)
+    byebug (10.0.2)
+    concurrent-ruby (1.0.5)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    crass (1.0.4)
+    erubi (1.7.1)
+    faraday (0.15.3)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    hashdiff (0.3.7)
+    i18n (1.1.1)
+      concurrent-ruby (~> 1.0)
+    jwt (2.1.0)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    method_source (0.9.1)
+    mimemagic (0.3.2)
+    mini_mime (1.0.1)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    nio4r (2.3.1)
+    nokogiri (1.8.5)
+      mini_portile2 (~> 2.3.0)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    public_suffix (3.0.3)
+    rack (2.0.5)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (5.2.1)
+      actioncable (= 5.2.1)
+      actionmailer (= 5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      activemodel (= 5.2.1)
+      activerecord (= 5.2.1)
+      activestorage (= 5.2.1)
+      activesupport (= 5.2.1)
+      bundler (>= 1.3.0)
+      railties (= 5.2.1)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.1)
+      actionpack (= 5.2.1)
+      activesupport (= 5.2.1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
+    rake (12.3.1)
+    safe_yaml (1.0.4)
+    sprockets (3.7.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    webmock (3.4.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+    websocket-driver (0.7.0)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.15)
+  byebug
+  jwt (>= 1.5.6)
+  linkedin_sign_in!
+  rake
+  webmock (>= 3.4.2)
+
+BUNDLED WITH
+   1.16.4

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2018 Vincent Robert
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,154 @@
+This gem is shamlessly based on [Google SignIn by Basecamp](https://github.com/basecamp/google_sign_in).
+
+# Linkedin Sign-In for Rails
+
+This gem allows you to add Linkedin sign-in to your Rails app. You can let users sign up for and sign in to your service
+with their Linkedin accounts.
+
+
+## Installation
+
+Add `linkedin_sign_in` to your Rails app’s Gemfile and run `bundle install`:
+
+```ruby
+gem 'linkedin_sign_in'
+```
+
+Linkedin Sign-In for Rails requires Rails 5.2 or newer.
+
+
+## Configuration
+
+First, set up an OAuth 2.0 Client ID in the Linkedin API Console:
+
+1. Go to the [Developer Portal](https://www.linkedin.com/developer/apps).
+
+2. Create an application.
+
+3. Submit your application information.
+
+4. You are presented with a client ID and client secret. Save these.
+
+5. This gem adds a single OAuth callback to your app at `/linkedin_sign_in/callback`. Under **Authorized Redirect URLs**,
+   add that callback for your application’s domain: for example, `https://example.com/linkedin_sign_in/callback`.
+
+   To use Linkedin sign-in in development, you’ll need to add another redirect URI for your local environment, like
+   `http://localhost:3000/linkedin_sign_in/callback`. For security reasons, we recommend using a separate
+   client ID for local development. Repeat these instructions to set up a new client ID for development.
+
+6. Click the button labeled Update.
+
+With your client ID set up, configure your Rails application to use it. Run `bin/rails credentials:edit` to edit your
+app’s [encrypted credentials](https://guides.rubyonrails.org/security.html#custom-credentials) and add the following:
+
+```yaml
+linkedin_sign_in:
+  client_id: [Your client ID here]
+  client_secret: [Your client secret here]
+```
+
+You’re all set to use Linkedin sign-in now. The gem automatically uses the client ID and client secret in your credentials.
+
+Alternatively, you can provide the client ID and client secret using ENV variables. Add a new initializer that sets
+`config.linkedin_sign_in.client_id` and `config.linkedin_sign_in.client_secret`:
+
+```ruby
+# config/initializers/linkedin_sign_in.rb
+Rails.application.configure do
+  config.linkedin_sign_in.client_id     = ENV['linkedin_sign_in_client_id']
+  config.linkedin_sign_in.client_secret = ENV['linkedin_sign_in_client_secret']
+end
+```
+
+**⚠️ Important:** Take care to protect your client secret from disclosure to third parties.
+
+
+## Usage
+
+This gem provides a `linkedin_sign_in_button` helper. It generates a button which initiates Linkedin sign-in:
+
+```erb
+<%= linkedin_sign_in_button 'Sign in with my Linkedin account', proceed_to: create_login_url %>
+
+<%= linkedin_sign_in_button image_tag('linkedin_logo.png', alt: 'Linkedin'), proceed_to: create_login_url %>
+
+<%= linkedin_sign_in_button proceed_to: create_login_url do %>
+  Sign in with my <%= image_tag('linkedin_logo.png', alt: 'Linkedin') %> account
+<% end %>
+```
+
+The `proceed_to` argument is required. After authenticating with Linkedin, the gem redirects to `proceed_to`, providing
+a Linkedin ID token in `flash[:linkedin_sign_in_token]`. Your application decides what to do with it:
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  # ...
+  get 'login', to: 'logins#new'
+  get 'login/create', to: 'logins#create', as: :create_login
+end
+```
+
+```ruby
+# app/controllers/logins_controller.rb
+class LoginsController < ApplicationController
+  def new
+  end
+
+  def create
+    if user = authenticate_with_linkedin
+      cookies.signed[:user_id] = user.id
+      redirect_to user
+    else
+      redirect_to new_session_url, alert: 'authentication_failed'
+    end
+  end
+
+  private
+    def authenticate_with_linkedin
+      if flash[:linkedin_sign_in_token].present?
+        User.find_by linkedin_id: LinkedinSignIn::Identity.new(flash[:linkedin_sign_in_token]).user_id
+      end
+    end
+end
+```
+
+(The above example assumes the user has already signed up for your service and that you’re storing their Linkedin user ID
+in the `User#linkedin_id` attribute.)
+
+For security reasons, the `proceed_to` URL you provide to `linkedin_sign_in_button` is required to reside on the same
+origin as your application. This means it must have the same protocol, host, and port as the page where
+`linkedin_sign_in_button` is used. We enforce this before redirecting to the `proceed_to` URL to guard against
+[open redirects](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
+
+### `LinkedinSignIn::Identity`
+
+The `LinkedinSignIn::Identity` class decodes and verifies the integrity of a Linkedin ID token. It exposes the profile
+information contained in the token via the following instance methods:
+
+* `name`
+
+* `email_address`
+
+* `user_id`: A string that uniquely identifies a single Linkedin user. Use this, not `email_address`, to associate a
+  Linkedin user with an application user. A Linkedin user’s email address may change, but their `user_id` will remain constant.
+
+* `email_verified?`
+
+* `avatar_url`
+
+* `locale`
+
+* `hosted_domain`: The user’s hosted G Suite domain, provided only if they belong to a G Suite.
+
+
+## Security
+
+For information on our security response procedure, see [SECURITY.md](SECURITY.md).
+
+
+## License
+
+Linkedin Sign-In for Rails is released under the [MIT License](https://opensource.org/licenses/MIT).
+
+Linkedin is a registered trademark of Linkedin LLC. This project is not operated by or in any way affiliated with Linkedin LLC.

data/Rakefile

@@ -0,0 +1,40 @@
+require "bundler/setup"
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new do |test|
+  test.libs << "test"
+  test.test_files = FileList["test/**/*_test.rb"]
+  test.warning = false
+end
+
+task default: :test
+
+desc "Generates an X509 certificate for decoding test ID tokens"
+task "test:certificate:generate" do
+  require "openssl"
+  require "active_support"
+  require "active_support/core_ext/integer/time"
+
+  key = OpenSSL::PKey::RSA.new(File.read(File.expand_path("test/key.pem", __dir__)))
+
+  certificate = OpenSSL::X509::Certificate.new
+  certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse("/CN=linkedin-sign-in-for-rails.example.com")
+  certificate.not_before = Time.now
+  certificate.not_after = 5.years.from_now
+  certificate.public_key = key.public_key
+  certificate.serial = 0
+  certificate.version = 1
+
+  extension_factory = OpenSSL::X509::ExtensionFactory.new
+  extension_factory.subject_certificate = certificate
+  extension_factory.issuer_certificate = certificate
+  certificate.extensions = [
+    extension_factory.create_extension("basicConstraints", "CA:FALSE", true),
+    extension_factory.create_extension("keyUsage", "digitalSignature", true),
+    extension_factory.create_extension("extendedKeyUsage", "clientAuth", true)
+  ]
+
+  certificate.sign(key, OpenSSL::Digest::SHA1.new)
+  File.write(File.expand_path("test/certificate.pem", __dir__), certificate.to_pem)
+end

data/SECURITY.md

@@ -0,0 +1,3 @@
+Contrary to Basecamp with the Google SignIn gem, I cannot afford the time to maintain the security of this gem.
+
+Use at your own risk!

data/app/controllers/linkedin_sign_in/authorizations_controller.rb

@@ -0,0 +1,17 @@
+require 'securerandom'
+
+class LinkedinSignIn::AuthorizationsController < LinkedinSignIn::BaseController
+  def create
+    redirect_to login_url(scope: 'r_basicprofile r_emailaddress', state: state),
+      flash: { proceed_to: params.require(:proceed_to), state: state }
+  end
+
+  private
+    def login_url(**params)
+      client.auth_code.authorize_url(prompt: 'login', **params)
+    end
+
+    def state
+      @state ||= SecureRandom.base64(24)
+    end
+end

data/app/controllers/linkedin_sign_in/base_controller.rb

@@ -0,0 +1,15 @@
+require 'oauth2'
+
+class LinkedinSignIn::BaseController < ActionController::Base
+  protect_from_forgery with: :exception
+
+  private
+    def client
+      @client ||= OAuth2::Client.new \
+        LinkedinSignIn.client_id,
+        LinkedinSignIn.client_secret,
+        authorize_url: 'https://www.linkedin.com/oauth/v2/authorization',
+        token_url: 'https://www.linkedin.com/oauth/v2/accessToken',
+        redirect_uri: callback_url
+    end
+end

data/app/controllers/linkedin_sign_in/callbacks_controller.rb

@@ -0,0 +1,27 @@
+require_dependency 'linkedin_sign_in/redirect_protector'
+
+class LinkedinSignIn::CallbacksController < LinkedinSignIn::BaseController
+  def show
+    if valid_request?
+      redirect_to proceed_to_url, flash: { linkedin_sign_in_token: token }
+    else
+      head :unprocessable_entity
+    end
+  rescue LinkedinSignIn::RedirectProtector::Violation => error
+    logger.error error.message
+    head :bad_request
+  end
+
+  private
+    def valid_request?
+      flash[:state].present? && params.require(:state) == flash[:state] && params[:error].blank?
+    end
+
+    def proceed_to_url
+      flash[:proceed_to].tap { |url| LinkedinSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
+    end
+
+    def token
+      client.auth_code.get_token(params.require(:code)).token
+    end
+end

data/app/helpers/linkedin_sign_in/button_helper.rb

@@ -0,0 +1,7 @@
+module LinkedinSignIn::ButtonHelper
+  def linkedin_sign_in_button(text = nil, proceed_to:, **options, &block)
+    form_with url: linkedin_sign_in.authorization_path, local: true do
+      hidden_field_tag(:proceed_to, proceed_to, id: nil) + button_tag(text, name: nil, **options, &block)
+    end
+  end
+end

data/bin/rails

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails gems
+# installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('..', __dir__)
+ENGINE_PATH = File.expand_path('../lib/blorgh/engine', __dir__)
+APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+
+require 'rails'
+require 'action_controller/railtie'
+require 'rails/test_unit/railtie'
+require 'rails/engine/commands'

data/config/routes.rb

@@ -0,0 +1,4 @@
+LinkedinSignIn::Engine.routes.draw do
+  resource :authorization, only: :create
+  resource :callback, only: :show
+end