linkedin_sign_in 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1ee16026971b50c11efcd2f1882de53f9ba5c3855fd4641d6901939571d7c277
-  data.tar.gz: 23d35a4f027293b47294757ec195ae6676c5e7809f72c4c1f3d1a71619bcf41c
+  metadata.gz: 3f8985d4d6e80ebff3c604f93d84431384c778f4dda5fc1eb8f4a000e9cdd85d
+  data.tar.gz: 13111de62ee932965e347d7af6ba72cb0f5f4a876324d3e27e2286c928dab29d
 SHA512:
-  metadata.gz: 6721873e8eff33dd2b6fead2e547f138b9a987a4d71f275e59b54462a17010891a09eff4e75da15caa695aa395baef92e529dc4b4ac4b32c186d030bb133f975
-  data.tar.gz: '0845e4f905d41382d50b0d80e38ced16e8dfd6af72f3ba2e7487edb8275da7a1c0bd1b8c5be28618914b4ae0f755e5ac1b9bda790803c99bfbdcc36ba7a34773'
+  metadata.gz: cdb09852791dc5819b7c6736f2425406210c5a31dee6e996d6f991d448c4e6f26155fa6c20edc5aa9f358ec8dd877e80cbfae5328e8a649c7d2a5c3bb73ab66d
+  data.tar.gz: 7baf9711c87dd68155f6fdd412a5d9c3384a2ff41743f1ec2775e168b44437230256560b1be5cb719b8dc169714c2d5a1e87dff535fe4c8ee8d3dc18f388a501

data/Gemfile.lock

@@ -1,50 +1,50 @@
 PATH
   remote: .
   specs:
-    linkedin_sign_in (0.4.0)
+    linkedin_sign_in (0.5.0)
       oauth2 (>= 1.4.0)
       rails (>= 5.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.2.1)
-      actionpack (= 5.2.2.1)
+    actioncable (5.2.3)
+      actionpack (= 5.2.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.2.1)
-      actionpack (= 5.2.2.1)
-      actionview (= 5.2.2.1)
-      activejob (= 5.2.2.1)
+    actionmailer (5.2.3)
+      actionpack (= 5.2.3)
+      actionview (= 5.2.3)
+      activejob (= 5.2.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.2.1)
-      actionview (= 5.2.2.1)
-      activesupport (= 5.2.2.1)
+    actionpack (5.2.3)
+      actionview (= 5.2.3)
+      activesupport (= 5.2.3)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.2.1)
-      activesupport (= 5.2.2.1)
+    actionview (5.2.3)
+      activesupport (= 5.2.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.2.1)
-      activesupport (= 5.2.2.1)
+    activejob (5.2.3)
+      activesupport (= 5.2.3)
       globalid (>= 0.3.6)
-    activemodel (5.2.2.1)
-      activesupport (= 5.2.2.1)
-    activerecord (5.2.2.1)
-      activemodel (= 5.2.2.1)
-      activesupport (= 5.2.2.1)
+    activemodel (5.2.3)
+      activesupport (= 5.2.3)
+    activerecord (5.2.3)
+      activemodel (= 5.2.3)
+      activesupport (= 5.2.3)
       arel (>= 9.0)
-    activestorage (5.2.2.1)
-      actionpack (= 5.2.2.1)
-      activerecord (= 5.2.2.1)
+    activestorage (5.2.3)
+      actionpack (= 5.2.3)
+      activerecord (= 5.2.3)
       marcel (~> 0.3.1)
-    activesupport (5.2.2.1)
+    activesupport (5.2.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -81,9 +81,9 @@ GEM
     minitest (5.11.3)
     multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
+    multipart-post (2.1.0)
     nio4r (2.3.1)
-    nokogiri (1.10.1)
+    nokogiri (1.10.3)
       mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
@@ -92,30 +92,30 @@ GEM
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
     public_suffix (3.0.3)
-    rack (2.0.6)
+    rack (2.0.7)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.2.1)
-      actioncable (= 5.2.2.1)
-      actionmailer (= 5.2.2.1)
-      actionpack (= 5.2.2.1)
-      actionview (= 5.2.2.1)
-      activejob (= 5.2.2.1)
-      activemodel (= 5.2.2.1)
-      activerecord (= 5.2.2.1)
-      activestorage (= 5.2.2.1)
-      activesupport (= 5.2.2.1)
+    rails (5.2.3)
+      actioncable (= 5.2.3)
+      actionmailer (= 5.2.3)
+      actionpack (= 5.2.3)
+      actionview (= 5.2.3)
+      activejob (= 5.2.3)
+      activemodel (= 5.2.3)
+      activerecord (= 5.2.3)
+      activestorage (= 5.2.3)
+      activesupport (= 5.2.3)
       bundler (>= 1.3.0)
-      railties (= 5.2.2.1)
+      railties (= 5.2.3)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.2.1)
-      actionpack (= 5.2.2.1)
-      activesupport (= 5.2.2.1)
+    railties (5.2.3)
+      actionpack (= 5.2.3)
+      activesupport (= 5.2.3)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)

data/README.md

@@ -1,4 +1,4 @@
-This gem is shamlessly based on [Google SignIn by Basecamp](https://github.com/basecamp/google_sign_in).
+This gem is shamelessly based on [Google SignIn by Basecamp](https://github.com/basecamp/google_sign_in).
 
 # Linkedin Sign-In for Rails
 

data/app/controllers/linkedin_sign_in/authorizations_controller.rb

@@ -1,6 +1,8 @@
 require 'securerandom'
 
 class LinkedinSignIn::AuthorizationsController < LinkedinSignIn::BaseController
+  skip_forgery_protection only: :create
+
   def create
     redirect_to login_url(scope: 'r_basicprofile r_emailaddress', state: state),
       flash: { proceed_to: params.require(:proceed_to), state: state }

data/lib/linkedin_sign_in/redirect_protector.rb

@@ -9,8 +9,8 @@ module LinkedinSignIn
     QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
 
     def ensure_same_origin(target, source)
-      if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
-        raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
+      if target.blank? || (target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source))
+        raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
       end
     end
 

data/linkedin_sign_in.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name     = 'linkedin_sign_in'
-  s.version  = '0.4.0'
+  s.version  = '0.5.0'
   s.authors  = ['Vincent Robert']
   s.email    = ['vincent.robert@genezys.net']
   s.summary  = 'Sign in (or up) with Linkedin for Rails applications'

data/test/controllers/callbacks_controller_test.rb

@@ -101,6 +101,11 @@ class LinkedinSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
   end
 
+  test "receiving no proceed_to URL" do
+    get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
+    assert_response :bad_request
+  end
+
   private
     def stub_token_for(code, **response_body)
       stub_token_request(code, status: 200, response: response_body)

data/test/models/redirect_protector_test.rb

@@ -20,6 +20,13 @@ class LinkedinSignIn::RedirectProtectorTest < ActiveSupport::TestCase
     end
   end
 
+  test "disallows empty URL target" do
+    assert_raises LinkedinSignIn::RedirectProtector::Violation do
+      LinkedinSignIn::RedirectProtector.ensure_same_origin nil, 'http://genezys.net'
+    end
+  end
+
+
   test "allows URL target with same origin as source" do
     assert_nothing_raised do
       LinkedinSignIn::RedirectProtector.ensure_same_origin 'https://genezys.net', 'https://genezys.net'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linkedin_sign_in
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Vincent Robert
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-20 00:00:00.000000000 Z
+date: 2019-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails