linkedin_sign_in 0.3

data/lib/linkedin-id-token.rb

@@ -0,0 +1,190 @@
+# encoding: utf-8
+# Copyright 2012 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##
+# Validates strings alleged to be ID Tokens issued by Google; if validation
+#  succeeds, returns the decoded ID Token as a hash.
+# It's a good idea to keep an instance of this class around for a long time,
+#  because it caches the keys, performs validation statically, and only
+#  refreshes from Google when required (once per day by default)
+#
+# @author Tim Bray, adapted from code by Bob Aman
+
+require 'json'
+require 'jwt'
+require 'monitor'
+require 'net/http'
+require 'openssl'
+
+module LinkedinIDToken
+  class CertificateError < StandardError; end
+  class ValidationError < StandardError; end
+  class ExpiredTokenError < ValidationError; end
+  class SignatureError < ValidationError; end
+  class InvalidIssuerError < ValidationError; end
+  class AudienceMismatchError < ValidationError; end
+  class ClientIDMismatchError < ValidationError; end
+
+  class Validator
+    include MonitorMixin
+
+    LINKEDIN_CERTS_URI = 'https://www.googleapis.com/oauth2/v1/certs'
+    LINKEDIN_CERTS_EXPIRY = 3600 # 1 hour
+
+    # https://developers.google.com/identity/sign-in/web/backend-auth
+    LINKEDIN_ISSUERS = ['accounts.google.com', 'https://accounts.google.com']
+
+    def initialize(options = {})
+      super()
+
+      if options[:x509_cert]
+        @certs_mode = :literal
+        @certs = { :_ => options[:x509_cert] }
+      # elsif options[:jwk_uri]  # TODO
+      #   @certs_mode = :jwk
+      #   @certs = {}
+      else
+        @certs_mode = :old_skool
+        @certs = {}
+      end
+
+      @certs_expiry = options.fetch(:expiry, LINKEDIN_CERTS_EXPIRY)
+    end
+
+    ##
+    # If it validates, returns a hash with the JWT payload from the ID Token.
+    #  You have to provide an "aud" value, which must match the
+    #  token's field with that name, and will similarly check cid if provided.
+    #
+    # If something fails, raises an error
+    #
+    # @param [String] token
+    #   The string form of the token
+    # @param [String] aud
+    #   The required audience value
+    # @param [String] cid
+    #   The optional client-id ("azp" field) value
+    #
+    # @return [Hash] The decoded ID token
+    def check(token, aud, cid = nil)
+      synchronize do
+        payload = check_cached_certs(token, aud, cid)
+
+        unless payload
+          # no certs worked, might've expired, refresh
+          if refresh_certs
+            payload = check_cached_certs(token, aud, cid)
+
+            unless payload
+              raise SignatureError, 'Token not verified as issued by Google'
+            end
+          else
+            raise CertificateError, 'Unable to retrieve Google public keys'
+          end
+        end
+
+        payload
+      end
+    end
+
+    private
+
+    # tries to validate the token against each cached cert.
+    # Returns the token payload or raises a ValidationError or
+    #  nil, which means none of the certs validated.
+    def check_cached_certs(token, aud, cid)
+      payload = nil
+
+      # find first public key that validates this token
+      @certs.detect do |key, cert|
+        begin
+          public_key = cert.public_key
+          decoded_token = JWT.decode(token, public_key, !!public_key, { :algorithm => 'RS256' })
+          payload = decoded_token.first
+
+          # in Feb 2013, the 'cid' claim became the 'azp' claim per changes
+          #  in the OIDC draft. At some future point we can go all-azp, but
+          #  this should keep everything running for a while
+          if payload['azp']
+            payload['cid'] = payload['azp']
+          elsif payload['cid']
+            payload['azp'] = payload['cid']
+          end
+          payload
+        rescue JWT::ExpiredSignature
+          raise ExpiredTokenError, 'Token signature is expired'
+        rescue JWT::DecodeError
+          nil # go on, try the next cert
+        end
+      end
+
+      if payload
+        if !(payload.has_key?('aud') && payload['aud'] == aud)
+          raise AudienceMismatchError, 'Token audience mismatch'
+        end
+        if cid && payload['cid'] != cid
+          raise ClientIDMismatchError, 'Token client-id mismatch'
+        end
+        if !LINKEDIN_ISSUERS.include?(payload['iss'])
+          raise InvalidIssuerError, 'Token issuer mismatch'
+        end
+        payload
+      else
+        nil
+      end
+    end
+
+    # returns false if there was a problem
+    def refresh_certs
+      case @certs_mode
+      when :literal
+        true # no-op
+      when :old_skool
+        old_skool_refresh_certs
+      # when :jwk          # TODO
+      #  jwk_refresh_certs
+      end
+    end
+
+    def old_skool_refresh_certs
+      return true unless certs_cache_expired?
+
+      uri = URI(LINKEDIN_CERTS_URI)
+      get = Net::HTTP::Get.new uri.request_uri
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      res = http.request(get)
+
+      if res.is_a?(Net::HTTPSuccess)
+        new_certs = Hash[JSON.load(res.body).map do |key, cert|
+          [key, OpenSSL::X509::Certificate.new(cert)]
+        end]
+        @certs.merge! new_certs
+        @certs_last_refresh = Time.now
+        true
+      else
+        false
+      end
+    end
+
+    def certs_cache_expired?
+      if defined? @certs_last_refresh
+        Time.now > @certs_last_refresh + @certs_expiry
+      else
+        true
+      end
+    end
+  end
+end

data/lib/linkedin_sign_in/engine.rb

@@ -0,0 +1,32 @@
+require 'rails/engine'
+
+module LinkedinSignIn
+  class Engine < ::Rails::Engine
+    isolate_namespace LinkedinSignIn
+
+    config.linkedin_sign_in = ActiveSupport::OrderedOptions.new
+
+    initializer 'linkedin_sign_in.config' do |app|
+      config.after_initialize do
+        LinkedinSignIn.client_id     = config.linkedin_sign_in.client_id || app.credentials.dig(:linkedin_sign_in, :client_id)
+        LinkedinSignIn.client_secret = config.linkedin_sign_in.client_secret || app.credentials.dig(:linkedin_sign_in, :client_secret)
+      end
+    end
+
+    initializer 'linkedin_sign_in.helpers' do
+      ActiveSupport.on_load :action_controller_base do
+        helper LinkedinSignIn::Engine.helpers
+      end
+    end
+
+    initializer 'linkedin_sign_in.mount' do |app|
+      app.routes.prepend do
+        mount LinkedinSignIn::Engine, at: app.config.linkedin_sign_in.root || 'linkedin_sign_in'
+      end
+    end
+
+    initializer 'linkedin_sign_in.parameter_filters' do |app|
+      app.config.filter_parameters << :code
+    end
+  end
+end

data/lib/linkedin_sign_in/identity.rb

@@ -0,0 +1,55 @@
+require 'linkedin-id-token'
+require 'active_support/core_ext/module/delegation'
+
+module LinkedinSignIn
+  class Identity
+    class ValidationError < StandardError; end
+
+    def initialize(token)
+      set_extracted_payload(token)
+    end
+
+    def user_id
+      @payload["id"]
+    end
+
+    def first_name
+      @payload["firstName"]
+    end
+
+    def last_name
+      @payload["lastName"]
+    end
+
+    def email_address
+      @payload["emailAddress"]
+    end
+
+    def avatar_url
+      @payload["pictureUrl"]
+    end
+
+    def current_company_name
+      positions = @payload["positions"]["values"]
+      current_position = positions.find { |position| position["isCurrent"] }
+      current_position["company"]["name"]
+    end
+
+    private
+      def set_extracted_payload(token)
+        uri = URI("https://api.linkedin.com/v1/people/~:(id,firstName,lastName,picture-url,email-address,positions)?format=json")
+        request = Net::HTTP::Get.new uri
+        request['Authorization'] = "Bearer #{token}"
+        response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
+          http.request(request)
+        end
+
+        case response
+        when Net::HTTPSuccess
+          @payload = JSON(response.body)
+        else
+          raise ValidationError, response.body
+        end
+      end
+  end
+end

data/lib/linkedin_sign_in/redirect_protector.rb

@@ -0,0 +1,25 @@
+require 'uri'
+
+module LinkedinSignIn
+  module RedirectProtector
+    extend self
+
+    class Violation < StandardError; end
+
+    QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
+
+    def ensure_same_origin(target, source)
+      if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
+        raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
+      end
+    end
+
+    private
+      def origin_of(url)
+        uri = URI(url)
+        "#{uri.scheme}://#{uri.host}:#{uri.port}"
+      rescue ArgumentError
+        nil
+      end
+  end
+end

data/lib/linkedin_sign_in.rb

@@ -0,0 +1,10 @@
+require 'active_support'
+require 'active_support/rails'
+
+module LinkedinSignIn
+  mattr_accessor :client_id
+  mattr_accessor :client_secret
+end
+
+require 'linkedin_sign_in/identity'
+require 'linkedin_sign_in/engine' if defined?(Rails)

data/linkedin_sign_in.gemspec

@@ -0,0 +1,21 @@
+Gem::Specification.new do |s|
+  s.name     = 'linkedin_sign_in'
+  s.version  = '0.3'
+  s.authors  = ['Vincent Robert']
+  s.email    = ['vincent.robert@genezys.net']
+  s.summary  = 'Sign in (or up) with Linkedin for Rails applications'
+  s.homepage = 'https://github.com/genezys/linkedin_sign_in'
+  s.license  = 'MIT'
+
+  s.required_ruby_version = '>= 1.9.3'
+
+  s.add_dependency 'rails', '>= 5.2.0'
+  s.add_dependency 'oauth2', '>= 1.4.0'
+
+  s.add_development_dependency 'bundler', '~> 1.15'
+  s.add_development_dependency 'jwt', '>= 1.5.6'
+  s.add_development_dependency 'webmock', '>= 3.4.2'
+
+  s.files      = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+end

data/test/certificate.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAQIBADANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDDCRnb29n
+bGUtc2lnbi1pbi1mb3ItcmFpbHMuZXhhbXBsZS5jb20wHhcNMTgwOTAyMjI0MTQw
+WhcNMjMwOTAyMjI0MTQwWjAvMS0wKwYDVQQDDCRnb29nbGUtc2lnbi1pbi1mb3It
+cmFpbHMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCtnO1OcLbdxj4f6I/aUMJkCJfrDNvp0v2ljUJoaq6hqWPmoZgcl92njBvt91np
+JPfGaCy0ZYLfizUNBRKkfo6u3MXvubktYqk3SVCejy0TUE11PwRx1u/x0c2rCTa6
+Y7ppAoO9Ur3yoccDmkceP8MpofHWetrdaxyhktlqy6gpM7V+kjj+anySQk4XqDJl
+F4FXHt82HMNK3xbjXJyEoyMudGUISBDn/rG8b3LxEKawUiLVCI54g3+L/Oi4nZCE
+XNCd/mvWpVFoPpFQGMoKW3S9KxFowvfkDSxWYwgYnWnsO0ueXS+WYML88KO1Qf7V
+mEZ91u7w1/EiMVxiuczxycSfAgMBAAGjODA2MAwGA1UdEwEB/wQCMAAwDgYDVR0P
+AQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUA
+A4IBAQCVXynTCZhpbINC4j1prGaPfY6mRkCZzcRpQFim4C6hJtYSRn57qjpmYWG3
+eVc3ElfNUAWgC3trACjN3hDqKv0/hH9TGTY9iFhc747L/VSaKWzH/uWewj1qTwsX
+dUEFxZILAWvAMBNUT060t8bt+pSFc2h4fHsftOqFLfkFUcCr22QsWyueXzWZyDeZ
+XWFGtD+WOR5SC4mIY359e75/vZsJymzZIfM+pfcaHnXtXez9SeLM81rvnRdR1b+H
+/S0LT0dPRkXSvC2HRPwzHxVctNrDoaxON+OIMgd4lHAFs6doVoYmnprzO69+IBUK
+s0LBENxbn2rd7IEl6EaC91cXCl3y
+-----END CERTIFICATE-----

data/test/controllers/authorizations_controller_test.rb

@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class LinkedinSignIn::AuthorizationsControllerTest < ActionDispatch::IntegrationTest
+  test "redirecting to Linkedin for authorization" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+    assert_match 'https://www.linkedin.com/oauth/v2/authorization', response.location
+
+    params = extract_query_params_from(response.location)
+    assert_equal FAKE_LINKEDIN_CLIENT_ID, params[:client_id]
+    assert_equal 'login', params[:prompt]
+    assert_equal 'code', params[:response_type]
+    assert_equal 'http://www.example.com/linkedin_sign_in/callback', params[:redirect_uri]
+    assert_equal 'r_basicprofile r_emailaddress', params[:scope]
+    assert_match /[A-Za-z0-9+\/]{32}/, params[:state]
+
+    assert_equal 'http://www.example.com/login', flash[:proceed_to]
+    assert_equal params[:state], flash[:state]
+  end
+
+  private
+    def extract_query_params_from(url)
+      query = URI(url).query
+      Rack::Utils.parse_query(query).symbolize_keys
+    end
+end

data/test/controllers/callbacks_controller_test.rb

@@ -0,0 +1,36 @@
+require 'test_helper'
+
+class LinkedinSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
+  test "receiving an authorization code" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://www.example.com/login' }
+    assert_response :redirect
+
+    stub_token_request code: '4/SgCpHSVW5-Cy', access_token: 'ya29.GlwIBo', id_token: 'eyJhbGciOiJSUzI'
+
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+    assert_redirected_to 'http://www.example.com/login'
+    assert_equal 'ya29.GlwIBo', flash[:linkedin_sign_in_token]
+  end
+
+  test "protecting against CSRF" do
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_response :unprocessable_entity
+  end
+
+  test "protecting against open redirects" do
+    post linkedin_sign_in.authorization_url, params: { proceed_to: 'http://malicious.example.com/login' }
+    assert_response :redirect
+
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: flash[:state])
+    assert_response :bad_request
+  end
+
+  private
+    def stub_token_request(code:, **params)
+      stub_request(:post, 'https://www.linkedin.com/oauth/v2/accessToken').
+        with(body: { grant_type: 'authorization_code', code: code,
+          client_id: FAKE_LINKEDIN_CLIENT_ID, client_secret: FAKE_LINKEDIN_CLIENT_SECRET,
+          redirect_uri: 'http://www.example.com/linkedin_sign_in/callback' }).
+        to_return(status: 200, headers: { 'Content-Type' => 'application/json' }, body: JSON.generate(params))
+    end
+end

data/test/dummy/.ruby-version

@@ -0,0 +1 @@
+2.5.0

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+//= link_tree ../images
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/test/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require rails-ujs
+//= require activestorage
+//= require_tree .

data/test/dummy/app/assets/javascripts/cable.js

@@ -0,0 +1,13 @@
+// Action Cable provides the framework to deal with WebSockets in Rails.
+// You can generate new channels where WebSocket features live using the `rails generate channel` command.
+//
+//= require action_cable
+//= require_self
+//= require_tree ./channels
+
+(function() {
+  this.App || (this.App = {});
+
+  App.cable = ActionCable.createConsumer();
+
+}).call(this);

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/test/dummy/app/channels/application_cable/channel.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Channel < ActionCable::Channel::Base
+  end
+end

data/test/dummy/app/channels/application_cable/connection.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/test/dummy/app/jobs/application_job.rb

@@ -0,0 +1,2 @@
+class ApplicationJob < ActiveJob::Base
+end

data/test/dummy/app/mailers/application_mailer.rb

@@ -0,0 +1,4 @@
+class ApplicationMailer < ActionMailer::Base
+  default from: 'from@example.com'
+  layout 'mailer'
+end

data/test/dummy/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dummy</title>
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag    'application', media: 'all' %>
+    <%= javascript_include_tag 'application' %>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/test/dummy/app/views/layouts/mailer.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      /* Email styles need to be inline */
+    </style>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/test/dummy/app/views/layouts/mailer.text.erb

@@ -0,0 +1 @@
+<%= yield %>

data/test/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+load Gem.bin_path('bundler', 'bundle')

data/test/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../config/application', __dir__)
+require_relative '../config/boot'
+require 'rails/commands'

data/test/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/test/dummy/bin/setup

@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a starting point to setup your application.
+  # Add necessary setup steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  # Install JavaScript dependencies if using Yarn
+  # system('bin/yarn')
+
+  # puts "\n== Copying sample files =="
+  # unless File.exist?('config/database.yml')
+  #   cp 'config/database.yml.sample', 'config/database.yml'
+  # end
+
+  puts "\n== Preparing database =="
+  system! 'bin/rails db:setup'
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/test/dummy/bin/update

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a way to update your development environment automatically.
+  # Add necessary update steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  # Install JavaScript dependencies if using Yarn
+  # system('bin/yarn')
+
+  puts "\n== Updating database =="
+  system! 'bin/rails db:migrate'
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/test/dummy/bin/yarn

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path('..', __dir__)
+Dir.chdir(APP_ROOT) do
+  begin
+    exec "yarnpkg", *ARGV
+  rescue Errno::ENOENT
+    $stderr.puts "Yarn executable was not detected in the system."
+    $stderr.puts "Download Yarn at https://yarnpkg.com/en/docs/install"
+    exit 1
+  end
+end