oauth 1.1.0 → 1.1.1

data/RUBOCOP.md

@@ -0,0 +1,71 @@
+# RuboCop Usage Guide
+
+## Overview
+
+A tale of two RuboCop plugin gems.
+
+### RuboCop Gradual
+
+This project uses `rubocop_gradual` instead of vanilla RuboCop for code style checking. The `rubocop_gradual` tool allows for gradual adoption of RuboCop rules by tracking violations in a lock file.
+
+### RuboCop LTS
+
+This project uses `rubocop-lts` to ensure, on a best-effort basis, compatibility with Ruby >= 1.9.2.
+RuboCop rules are meticulously configured by the `rubocop-lts` family of gems to ensure that a project is compatible with a specific version of Ruby. See: https://rubocop-lts.gitlab.io for more.
+
+## Checking RuboCop Violations
+
+To check for RuboCop violations in this project, always use:
+
+```bash
+bundle exec rake rubocop_gradual:check
+```
+
+**Do not use** the standard RuboCop commands like:
+- `bundle exec rubocop`
+- `rubocop`
+
+## Understanding the Lock File
+
+The `.rubocop_gradual.lock` file tracks all current RuboCop violations in the project. This allows the team to:
+
+1. Prevent new violations while gradually fixing existing ones
+2. Track progress on code style improvements
+3. Ensure CI builds don't fail due to pre-existing violations
+
+## Common Commands
+
+- **Check violations**
+    - `bundle exec rake rubocop_gradual`
+    - `bundle exec rake rubocop_gradual:check`
+- **(Safe) Autocorrect violations, and update lockfile if no new violations**
+  - `bundle exec rake rubocop_gradual:autocorrect`
+- **Force update the lock file (w/o autocorrect) to match violations present in code**
+  - `bundle exec rake rubocop_gradual:force_update`
+
+## Workflow
+
+1. Before submitting a PR, run `bundle exec rake rubocop_gradual:autocorrect`
+   a. or just the default `bundle exec rake`, as autocorrection is a pre-requisite of the default task.
+2. If there are new violations, either:
+   - Fix them in your code
+   - Run `bundle exec rake rubocop_gradual:force_update` to update the lock file (only for violations you can't fix immediately)
+3. Commit the updated `.rubocop_gradual.lock` file along with your changes
+
+## Never add inline RuboCop disables
+
+Do not add inline `rubocop:disable` / `rubocop:enable` comments anywhere in the codebase (including specs, except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). We handle exceptions in two supported ways:
+
+- Permanent/structural exceptions: prefer adjusting the RuboCop configuration (e.g., in `.rubocop.yml`) to exclude a rule for a path or file pattern when it makes sense project-wide.
+- Temporary exceptions while improving code: record the current violations in `.rubocop_gradual.lock` via the gradual workflow:
+  - `bundle exec rake rubocop_gradual:autocorrect` (preferred; will autocorrect what it can and update the lock only if no new violations were introduced)
+  - If needed, `bundle exec rake rubocop_gradual:force_update` (as a last resort when you cannot fix the newly reported violations immediately)
+
+In general, treat the rules as guidance to follow; fix violations rather than ignore them. For example, RSpec conventions in this project expect `described_class` to be used in specs that target a specific class under test.
+
+## Benefits of rubocop_gradual
+
+- Allows incremental adoption of code style rules
+- Prevents CI failures due to pre-existing violations
+- Provides a clear record of code style debt
+- Enables focused efforts on improving code quality over time

data/SECURITY.md

@@ -2,25 +2,41 @@
 
 ## Supported Versions
 
-| Version | Supported          | EOL     |
-|---------|--------------------|---------|
-| 1.1.x   | :white_check_mark: | 04/2025 |
-| 1.0.x   | :white_check_mark: | 04/2025 |
-| 0.6.x   | :white_check_mark: | 04/2024 |
-| 0.5.x   | :white_check_mark: | 04/2023 |
-| <= 0.5  | :x:                | :x:     |
+| Version | Supported | Post-EOL / Enterprise                 |
+|---------|-----------|---------------------------------------|
+| 1.1.x   | ✅         | [Tidelift Subscription][tidelift-ref] |
+| 1.0.x   | ✅         | [Tidelift Subscription][tidelift-ref] |
+| 0.6.x   | 🚨        | [Tidelift Subscription][tidelift-ref] |
+| 0.5.x   | 🚨        | [Tidelift Subscription][tidelift-ref] |
+| <= 0.5  | ⛔         | ⛔                                     |
+
+LEGEND:
+✅ - Supported
+🚨 - Will only receive critical bug and security updates.
+⛔ - No Support
 
 ### EOL Policy
 
-Non-commercial support for the oldest version of Ruby (which itself is going EOL) will be dropped each year in April.
+Non-commercial support for the oldest version of Ruby (which itself is going EOL) may be dropped each year in April.
 
-## Reporting a Vulnerability
+## Security contact information
 
-To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
 ## OAuth for Enterprise
 
 Available as part of the Tidelift Subscription.
 
-The maintainers of oauth and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth?utm_source=rubygems-oauth&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+The maintainers of oauth and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.][tidelift-ref]
+
+[tidelift-ref]: https://tidelift.com/subscription/pkg/rubygems-oauth?utm_source=rubygems-oauth&utm_medium=referral&utm_campaign=enterprise&utm_term=repo
+
+## Additional Support
+
+If you are interested in support for versions older than the latest release,
+please consider sponsoring the project / maintainer @ https://liberapay.com/pboling/donate,
+or find other sponsorship links in the [README].
+
+[README]: README.md

data/lib/oauth/client/action_controller_request.rb

@@ -35,19 +35,23 @@ module ActionController
     end
 
     def configure_oauth(consumer = nil, token = nil, options = {})
-      @oauth_options = { consumer: consumer,
-                         token: token,
-                         scheme: "header",
-                         signature_method: nil,
-                         nonce: nil,
-                         timestamp: nil }.merge(options)
+      @oauth_options = {
+        consumer: consumer,
+        token: token,
+        scheme: "header",
+        signature_method: nil,
+        nonce: nil,
+        timestamp: nil,
+      }.merge(options)
     end
 
     def apply_oauth!
       return unless ActionController::TestRequest.use_oauth? && @oauth_options
 
-      @oauth_helper = OAuth::Client::Helper.new(self,
-                                                @oauth_options.merge(request_uri: (respond_to?(:fullpath) ? fullpath : request_uri)))
+      @oauth_helper = OAuth::Client::Helper.new(
+        self,
+        @oauth_options.merge(request_uri: (respond_to?(:fullpath) ? fullpath : request_uri)),
+      )
       @oauth_helper.amend_user_agent_header(env)
 
       send("set_oauth_#{@oauth_options[:scheme]}")
@@ -62,6 +66,7 @@ module ActionController
       @query_parameters.merge!(oauth_signature: @oauth_helper.signature)
     end
 
-    def set_oauth_query_string; end
+    def set_oauth_query_string
+    end
   end
 end

data/lib/oauth/client/em_http.rb

@@ -1,119 +1,126 @@
 # frozen_string_literal: true
 
-require "em-http"
 require "oauth/helper"
-require "oauth/request_proxy/em_http_request"
+require "oauth/optional"
 
-# Extensions for em-http so that we can use consumer.sign! with an EventMachine::HttpClient
-# instance. This is purely syntactic sugar.
-module EventMachine
-  class HttpClient
-    attr_reader :oauth_helper
+if OAuth::Optional.em_http_available?
+  require "oauth/request_proxy/em_http_request"
 
-    # Add the OAuth information to an HTTP request. Depending on the <tt>options[:scheme]</tt> setting
-    # this may add a header, additional query string parameters, or additional POST body parameters.
-    # The default scheme is +header+, in which the OAuth parameters as put into the +Authorization+
-    # header.
-    #
-    # * http - Configured Net::HTTP instance, ignored in this scenario except for getting host.
-    # * consumer - OAuth::Consumer instance
-    # * token - OAuth::Token instance
-    # * options - Request-specific options (e.g. +request_uri+, +consumer+, +token+, +scheme+,
-    #   +signature_method+, +nonce+, +timestamp+)
-    #
-    # This method also modifies the <tt>User-Agent</tt> header to add the OAuth gem version.
-    #
-    # See Also: {OAuth core spec version 1.0, section 5.4.1}[http://oauth.net/core/1.0#rfc.section.5.4.1]
-    def oauth!(http, consumer = nil, token = nil, options = {})
-      options = { request_uri: normalized_oauth_uri(http),
-                  consumer: consumer,
-                  token: token,
-                  scheme: "header",
-                  signature_method: nil,
-                  nonce: nil,
-                  timestamp: nil }.merge(options)
+  # Extensions for em-http so that we can use consumer.sign! with an EventMachine::HttpClient
+  # instance. This is purely syntactic sugar.
+  module EventMachine
+    class HttpClient
+      attr_reader :oauth_helper
 
-      @oauth_helper = OAuth::Client::Helper.new(self, options)
-      __send__(:"set_oauth_#{options[:scheme]}")
-    end
+      # Add the OAuth information to an HTTP request. Depending on the <tt>options[:scheme]</tt> setting
+      # this may add a header, additional query string parameters, or additional POST body parameters.
+      # The default scheme is +header+, in which the OAuth parameters as put into the +Authorization+
+      # header.
+      #
+      # * http - Configured Net::HTTP instance, ignored in this scenario except for getting host.
+      # * consumer - OAuth::Consumer instance
+      # * token - OAuth::Token instance
+      # * options - Request-specific options (e.g. +request_uri+, +consumer+, +token+, +scheme+,
+      #   +signature_method+, +nonce+, +timestamp+)
+      #
+      # This method also modifies the <tt>User-Agent</tt> header to add the OAuth gem version.
+      #
+      # See Also: {OAuth core spec version 1.0, section 5.4.1}[http://oauth.net/core/1.0#rfc.section.5.4.1]
+      def oauth!(http, consumer = nil, token = nil, options = {})
+        options = {
+          request_uri: normalized_oauth_uri(http),
+          consumer: consumer,
+          token: token,
+          scheme: "header",
+          signature_method: nil,
+          nonce: nil,
+          timestamp: nil,
+        }.merge(options)
 
-    # Create a string suitable for signing for an HTTP request. This process involves parameter
-    # normalization as specified in the OAuth specification. The exact normalization also depends
-    # on the <tt>options[:scheme]</tt> being used so this must match what will be used for the request
-    # itself. The default scheme is +header+, in which the OAuth parameters as put into the +Authorization+
-    # header.
-    #
-    # * http - Configured Net::HTTP instance
-    # * consumer - OAuth::Consumer instance
-    # * token - OAuth::Token instance
-    # * options - Request-specific options (e.g. +request_uri+, +consumer+, +token+, +scheme+,
-    #   +signature_method+, +nonce+, +timestamp+)
-    #
-    # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
-    def signature_base_string(http, consumer = nil, token = nil, options = {})
-      options = { request_uri: normalized_oauth_uri(http),
-                  consumer: consumer,
-                  token: token,
-                  scheme: "header",
-                  signature_method: nil,
-                  nonce: nil,
-                  timestamp: nil }.merge(options)
+        @oauth_helper = OAuth::Client::Helper.new(self, options)
+        __send__(:"set_oauth_#{options[:scheme]}")
+      end
 
-      OAuth::Client::Helper.new(self, options).signature_base_string
-    end
+      # Create a string suitable for signing for an HTTP request. This process involves parameter
+      # normalization as specified in the OAuth specification. The exact normalization also depends
+      # on the <tt>options[:scheme]</tt> being used so this must match what will be used for the request
+      # itself. The default scheme is +header+, in which the OAuth parameters as put into the +Authorization+
+      # header.
+      #
+      # * http - Configured Net::HTTP instance
+      # * consumer - OAuth::Consumer instance
+      # * token - OAuth::Token instance
+      # * options - Request-specific options (e.g. +request_uri+, +consumer+, +token+, +scheme+,
+      #   +signature_method+, +nonce+, +timestamp+)
+      #
+      # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
+      def signature_base_string(http, consumer = nil, token = nil, options = {})
+        options = {
+          request_uri: normalized_oauth_uri(http),
+          consumer: consumer,
+          token: token,
+          scheme: "header",
+          signature_method: nil,
+          nonce: nil,
+          timestamp: nil,
+        }.merge(options)
 
-    # This code was lifted from the em-http-request because it was removed from
-    # the gem June 19, 2010
-    # see: http://github.com/igrigorik/em-http-request/commit/d536fc17d56dbe55c487eab01e2ff9382a62598b
-    def normalize_uri
-      @normalized_uri ||= begin
-        uri = @conn.dup
-        encoded_query = encode_query(@conn, @req[:query])
-        path, query = encoded_query.split("?", 2)
-        uri.query = query unless encoded_query.empty?
-        uri.path  = path
-        uri
+        OAuth::Client::Helper.new(self, options).signature_base_string
       end
-    end
 
-    protected
+      # This code was lifted from the em-http-request because it was removed from
+      # the gem June 19, 2010
+      # see: http://github.com/igrigorik/em-http-request/commit/d536fc17d56dbe55c487eab01e2ff9382a62598b
+      def normalize_uri
+        @normalized_uri ||= begin
+          uri = @conn.dup
+          encoded_query = encode_query(@conn, @req[:query])
+          path, query = encoded_query.split("?", 2)
+          uri.query = query unless encoded_query.empty?
+          uri.path = path
+          uri
+        end
+      end
 
-    def combine_query(path, query, uri_query)
-      combined_query = if query.is_a?(Hash)
-                         query.map { |k, v| encode_param(k, v) }.join("&")
-                       else
-                         query.to_s
-                       end
-      combined_query = [combined_query, uri_query].reject(&:empty?).join("&") unless uri_query.to_s.empty?
-      combined_query.to_s.empty? ? path : "#{path}?#{combined_query}"
-    end
+      protected
 
-    # Since we expect to get the host etc details from the http instance (...),
-    # we create a fake url here. Surely this is a horrible, horrible idea?
-    def normalized_oauth_uri(http)
-      uri = URI.parse(normalize_uri.path)
-      uri.host = http.address
-      uri.port = http.port
+      def combine_query(path, query, uri_query)
+        combined_query = if query.is_a?(Hash)
+          query.map { |k, v| encode_param(k, v) }.join("&")
+        else
+          query.to_s
+        end
+        combined_query = [combined_query, uri_query].reject(&:empty?).join("&") unless uri_query.to_s.empty?
+        combined_query.to_s.empty? ? path : "#{path}?#{combined_query}"
+      end
 
-      uri.scheme = if http.respond_to?(:use_ssl?) && http.use_ssl?
-                     "https"
-                   else
-                     "http"
-                   end
-      uri.to_s
-    end
+      # Since we expect to get the host etc details from the http instance (...),
+      # we create a fake url here. Surely this is a horrible, horrible idea?
+      def normalized_oauth_uri(http)
+        uri = URI.parse(normalize_uri.path)
+        uri.host = http.address
+        uri.port = http.port
 
-    def set_oauth_header
-      req[:head] ||= {}
-      req[:head].merge!("Authorization" => @oauth_helper.header)
-    end
+        uri.scheme = if http.respond_to?(:use_ssl?) && http.use_ssl?
+          "https"
+        else
+          "http"
+        end
+        uri.to_s
+      end
 
-    def set_oauth_body
-      raise NotImplementedError, "please use the set_oauth_header method instead"
-    end
+      def set_oauth_header
+        req[:head] ||= {}
+        req[:head].merge!("Authorization" => @oauth_helper.header)
+      end
 
-    def set_oauth_query_string
-      raise NotImplementedError, "please use the set_oauth_header method instead"
+      def set_oauth_body
+        raise NotImplementedError, "please use the set_oauth_header method instead"
+      end
+
+      def set_oauth_query_string
+        raise NotImplementedError, "please use the set_oauth_header method instead"
+      end
     end
   end
 end

data/lib/oauth/client/helper.rb

@@ -37,29 +37,33 @@ module OAuth
           "oauth_timestamp" => timestamp,
           "oauth_nonce" => nonce,
           "oauth_verifier" => options[:oauth_verifier],
-          "oauth_version" => (options[:oauth_version] || "1.0"),
-          "oauth_session_handle" => options[:oauth_session_handle]
+          "oauth_version" => options[:oauth_version] || "1.0",
+          "oauth_session_handle" => options[:oauth_session_handle],
         }
         allowed_empty_params = options[:allow_empty_params]
         if allowed_empty_params != true && !allowed_empty_params.is_a?(Array)
-          allowed_empty_params = allowed_empty_params == false ? [] : [allowed_empty_params]
+          allowed_empty_params = (allowed_empty_params == false) ? [] : [allowed_empty_params]
         end
         out.select! { |k, v| v.to_s != "" || allowed_empty_params == true || allowed_empty_params.include?(k) }
         out
       end
 
       def signature(extra_options = {})
-        OAuth::Signature.sign(@request, { uri: options[:request_uri],
-                                          consumer: options[:consumer],
-                                          token: options[:token],
-                                          unsigned_parameters: options[:unsigned_parameters] }.merge(extra_options))
+        OAuth::Signature.sign(@request, {
+          uri: options[:request_uri],
+          consumer: options[:consumer],
+          token: options[:token],
+          unsigned_parameters: options[:unsigned_parameters],
+        }.merge(extra_options))
       end
 
       def signature_base_string(extra_options = {})
-        OAuth::Signature.signature_base_string(@request, { uri: options[:request_uri],
-                                                           consumer: options[:consumer],
-                                                           token: options[:token],
-                                                           parameters: oauth_parameters }.merge(extra_options))
+        OAuth::Signature.signature_base_string(@request, {
+          uri: options[:request_uri],
+          consumer: options[:consumer],
+          token: options[:token],
+          parameters: oauth_parameters,
+        }.merge(extra_options))
       end
 
       def token_request?

data/lib/oauth/client/net_http.rb

@@ -58,20 +58,31 @@ module Net
     private
 
     def oauth_helper_options(http, consumer, token, options)
-      { request_uri: oauth_full_request_uri(http, options),
+      {
+        request_uri: oauth_full_request_uri(http, options),
         consumer: consumer,
         token: token,
         scheme: "header",
         signature_method: nil,
         nonce: nil,
         timestamp: nil,
-        body_hash_enabled: true }.merge(options)
+        body_hash_enabled: true,
+      }.merge(options)
     end
 
     def oauth_full_request_uri(http, options)
       uri = URI.parse(path)
-      uri.host = http.address
-      uri.port = http.port
+
+      # Guard against strict doubles or alternative HTTP adapters that may not
+      # expose Net::HTTP's #address/#port API. Only set host/port when available;
+      # otherwise, leave them to be filled by other options (e.g., :site) or the
+      # request itself.
+      if http.respond_to?(:address)
+        uri.host ||= http.address
+      end
+      if http.respond_to?(:port)
+        uri.port ||= http.port
+      end
 
       if options[:request_endpoint] && options[:site]
         is_https = options[:site].match(%r{^https://})
@@ -79,11 +90,26 @@ module Net
         uri.port ||= is_https ? 443 : 80
       end
 
-      uri.scheme = if http.respond_to?(:use_ssl?) && http.use_ssl?
-                     "https"
-                   else
-                     "http"
-                   end
+      # Fall back to the provided site URL if host/scheme are still missing.
+      if options[:site]
+        begin
+          site_uri = URI.parse(options[:site])
+          uri.host ||= site_uri.host
+          uri.scheme ||= site_uri.scheme
+          uri.port ||= site_uri.port
+        rescue URI::InvalidURIError
+          # ignore and use defaults below
+        end
+      end
+
+      # As a last resort, ensure scheme/host/port are present to avoid nil errors
+      uri.scheme ||= if http.respond_to?(:use_ssl?) && http.use_ssl?
+        "https"
+      else
+        "http"
+      end
+      uri.host ||= "localhost"
+      uri.port ||= ((uri.scheme == "https") ? 443 : 80)
 
       uri.to_s
     end
@@ -115,10 +141,10 @@ module Net
       oauth_params_str = @oauth_helper.oauth_parameters.map { |k, v| [escape(k), escape(v)].join("=") }.join("&")
       uri = URI.parse(path)
       uri.query = if uri.query.to_s == ""
-                    oauth_params_str
-                  else
-                    "#{uri.query}&#{oauth_params_str}"
-                  end
+        oauth_params_str
+      else
+        "#{uri.query}&#{oauth_params_str}"
+      end
 
       @path = uri.to_s