oauth2 1.4.10 → 2.0.8

data/lib/oauth2/client.rb

@@ -5,9 +5,11 @@ require 'logger'
 
 module OAuth2
   ConnectionError = Class.new(Faraday::ConnectionFailed)
+  TimeoutError = Class.new(Faraday::TimeoutError)
+
   # The OAuth2::Client class
   class Client # rubocop:disable Metrics/ClassLength
-    RESERVED_PARAM_KEYS = %w[headers parse].freeze
+    RESERVED_PARAM_KEYS = %w[body headers params parse snaky].freeze
 
     attr_reader :id, :secret, :site
     attr_accessor :options
@@ -22,15 +24,16 @@ module OAuth2
     # @param [Hash] options the options to create the client with
     # @option options [String] :site the OAuth2 provider site host
     # @option options [String] :redirect_uri the absolute URI to the Redirection Endpoint for use in authorization grants and token exchange
-    # @option options [String] :authorize_url ('oauth/authorize') absolute or relative URL path to the Authorization endpoint
-    # @option options [String] :token_url ('oauth/token') absolute or relative URL path to the Token endpoint
-    # @option options [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+    # @option options [String] :authorize_url ('/oauth/authorize') absolute or relative URL path to the Authorization endpoint
+    # @option options [String] :token_url ('/oauth/token') absolute or relative URL path to the Token endpoint
+    # @option options [Symbol] :token_method (:post) HTTP method to use to request token (:get, :post, :post_with_query_string)
     # @option options [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
     # @option options [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
     # @option options [FixNum] :max_redirects (5) maximum number of redirects to follow
     # @option options [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error on responses with 400+ status codes
     # @option options [Logger] :logger (::Logger.new($stdout)) which logger to use when OAUTH_DEBUG is enabled
-    # @option options [Proc] (DEPRECATED) :extract_access_token  proc that extracts the access token from the response
+    # @option options [Proc] :extract_access_token proc that takes the client and the response Hash and extracts the access token from the response (DEPRECATED)
+    # @option options [Class] :access_token_class [Class] class of access token for easier subclassing OAuth2::AccessToken, @version 2.0+
     # @yield [builder] The Faraday connection builder
     def initialize(client_id, client_secret, options = {}, &block)
       opts = options.dup
@@ -38,16 +41,19 @@ module OAuth2
       @secret = client_secret
       @site = opts.delete(:site)
       ssl = opts.delete(:ssl)
-      @options = {:authorize_url => 'oauth/authorize',
-                  :token_url => 'oauth/token',
-                  :token_method => :post,
-                  :auth_scheme => :request_body,
-                  :connection_opts => {},
-                  :connection_build => block,
-                  :max_redirects => 5,
-                  :raise_errors => true,
-                  :extract_access_token => DEFAULT_EXTRACT_ACCESS_TOKEN, # DEPRECATED
-                  :logger => ::Logger.new($stdout)}.merge(opts)
+      warn('OAuth2::Client#initialize argument `extract_access_token` will be removed in oauth2 v3. Refactor to use `access_token_class`.') if opts[:extract_access_token]
+      @options = {
+        authorize_url: 'oauth/authorize',
+        token_url: 'oauth/token',
+        token_method: :post,
+        auth_scheme: :basic_auth,
+        connection_opts: {},
+        connection_build: block,
+        max_redirects: 5,
+        raise_errors: true,
+        logger: ::Logger.new($stdout),
+        access_token_class: AccessToken,
+      }.merge(opts)
       @options[:connection_opts][:ssl] = ssl if ssl
     end
 
@@ -89,6 +95,9 @@ module OAuth2
     end
 
     # Makes a request relative to the specified site root.
+    # Updated HTTP 1.1 specification (IETF RFC 7231) relaxed the original constraint (IETF RFC 2616),
+    #   allowing the use of relative URLs in Location headers.
+    # @see https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.2
     #
     # @param [Symbol] verb one of :get, :post, :put, :delete
     # @param [String] url URL path of request
@@ -99,20 +108,10 @@ module OAuth2
     # @option opts [Boolean] :raise_errors whether or not to raise an OAuth2::Error on 400+ status
     #   code response for this request.  Will default to client option
     # @option opts [Symbol] :parse @see Response::initialize
-    # @yield [req] The Faraday request
-    def request(verb, url, opts = {}) # rubocop:disable Metrics/AbcSize
-      url = connection.build_url(url).to_s
-
-      begin
-        response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
-          req.params.update(opts[:params]) if opts[:params]
-          yield(req) if block_given?
-        end
-      rescue Faraday::ConnectionFailed => e
-        raise ConnectionError, e
-      end
-
-      response = Response.new(response, :parse => opts[:parse])
+    # @option opts [true, false] :snaky (true) @see Response::initialize
+    # @yield [req] @see Faraday::Connection#run_request
+    def request(verb, url, opts = {}, &block)
+      response = execute_request(verb, url, opts, &block)
 
       case response.status
       when 301, 302, 303, 307
@@ -126,7 +125,8 @@ module OAuth2
         end
         location = response.headers['location']
         if location
-          request(verb, location, opts)
+          full_location = response.response.env.url.merge(location)
+          request(verb, full_location, opts)
         else
           error = Error.new(response)
           raise(error, "Got #{response.status} status code, but no Location header was present")
@@ -138,7 +138,6 @@ module OAuth2
         error = Error.new(response)
         raise(error) if opts.fetch(:raise_errors, options[:raise_errors])
 
-        response.error = error
         response
       else
         error = Error.new(response)
@@ -148,53 +147,58 @@ module OAuth2
 
     # Initializes an AccessToken by making a request to the token endpoint
     #
-    # @param params [Hash] a Hash of params for the token endpoint
+    # @param params [Hash] a Hash of params for the token endpoint, except:
+    #   @option params [Symbol] :parse @see Response#initialize
+    #   @option params [true, false] :snaky (true) @see Response#initialize
     # @param access_token_opts [Hash] access token options, to pass to the AccessToken object
-    # @param access_token_class [Class] class of access token for easier subclassing OAuth2::AccessToken
+    # @param extract_access_token [Proc] proc that extracts the access token from the response (DEPRECATED)
+    # @yield [req] @see Faraday::Connection#run_request
     # @return [AccessToken] the initialized AccessToken
-    def get_token(params, access_token_opts = {}, extract_access_token = options[:extract_access_token]) # # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity Metrics/AbcSize, Metrics/MethodLength
-      params = params.map do |key, value|
-        if RESERVED_PARAM_KEYS.include?(key)
-          [key.to_sym, value]
-        else
-          [key, value]
-        end
-      end
-      params = Hash[params]
-
-      params = authenticator.apply(params)
-      opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
-      headers = params.delete(:headers) || {}
+    def get_token(params, access_token_opts = {}, extract_access_token = nil, &block)
+      warn('OAuth2::Client#get_token argument `extract_access_token` will be removed in oauth2 v3. Refactor to use `access_token_class` on #initialize.') if extract_access_token
+      extract_access_token ||= options[:extract_access_token]
+      parse, snaky, params, headers = parse_snaky_params_headers(params)
+
+      request_opts = {
+        raise_errors: options[:raise_errors],
+        parse: parse,
+        snaky: snaky,
+      }
       if options[:token_method] == :post
-        opts[:body] = params
-        opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
+
+        # NOTE: If proliferation of request types continues we should implement a parser solution for Request,
+        #       just like we have with Response.
+        request_opts[:body] = if headers['Content-Type'] == 'application/json'
+                                params.to_json
+                              else
+                                params
+                              end
+
+        request_opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
       else
-        opts[:params] = params
-        opts[:headers] = {}
+        request_opts[:params] = params
+        request_opts[:headers] = {}
       end
-      opts[:headers] = opts[:headers].merge(headers)
-      http_method = options[:token_method]
-      response = request(http_method, token_url, opts)
-
-      access_token = begin
-        build_access_token(response, access_token_opts, extract_access_token)
-      rescue StandardError
-        nil
+      request_opts[:headers].merge!(headers)
+      response = request(http_method, token_url, request_opts, &block)
+
+      # In v1.4.x, the deprecated extract_access_token option retrieves the token from the response.
+      # We preserve this behavior here, but a custom access_token_class that implements #from_hash
+      # should be used instead.
+      if extract_access_token
+        parse_response_legacy(response, access_token_opts, extract_access_token)
+      else
+        parse_response(response, access_token_opts)
       end
+    end
 
-      response_contains_token = access_token || (
-                                  response.parsed.is_a?(Hash) &&
-                                  (response.parsed['access_token'] || response.parsed['id_token'])
-      )
-
-      if options[:raise_errors] && !response_contains_token
-        error = Error.new(response)
-        raise(error)
-      elsif !response_contains_token
-        return nil
-      end
+    # The HTTP Method of the request
+    # @return [Symbol] HTTP verb, one of :get, :post, :put, :delete
+    def http_method
+      http_meth = options[:token_method].to_sym
+      return :post if http_meth == :post_with_query_string
 
-      access_token
+      http_meth
     end
 
     # The Authorization Code strategy
@@ -253,12 +257,43 @@ module OAuth2
       end
     end
 
-    DEFAULT_EXTRACT_ACCESS_TOKEN = proc do |client, hash|
-      token = hash.delete('access_token') || hash.delete(:access_token)
-      token && AccessToken.new(client, token, hash)
+  private
+
+    def parse_snaky_params_headers(params)
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end.to_h
+      parse = params.key?(:parse) ? params.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = params.key?(:snaky) ? params.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+      params = authenticator.apply(params)
+      # authenticator may add :headers, and we remove them here
+      headers = params.delete(:headers) || {}
+      [parse, snaky, params, headers]
     end
 
-  private
+    def execute_request(verb, url, opts = {})
+      url = connection.build_url(url).to_s
+
+      begin
+        response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+          req.params.update(opts[:params]) if opts[:params]
+          yield(req) if block_given?
+        end
+      rescue Faraday::ConnectionFailed => e
+        raise ConnectionError, e
+      rescue Faraday::TimeoutError => e
+        raise TimeoutError, e
+      end
+
+      parse = opts.key?(:parse) ? opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = opts.key?(:snaky) ? opts.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+
+      Response.new(response, parse: parse, snaky: snaky)
+    end
 
     # Returns the authenticator object
     #
@@ -267,26 +302,53 @@ module OAuth2
       Authenticator.new(id, secret, options[:auth_scheme])
     end
 
+    def parse_response_legacy(response, access_token_opts, extract_access_token)
+      access_token = build_access_token_legacy(response, access_token_opts, extract_access_token)
+
+      return access_token if access_token
+
+      if options[:raise_errors]
+        error = Error.new(response)
+        raise(error)
+      end
+
+      nil
+    end
+
+    def parse_response(response, access_token_opts)
+      access_token_class = options[:access_token_class]
+      data = response.parsed
+
+      unless data.is_a?(Hash) && !data.empty?
+        return unless options[:raise_errors]
+
+        error = Error.new(response)
+        raise(error)
+      end
+
+      build_access_token(response, access_token_opts, access_token_class)
+    end
+
     # Builds the access token from the response of the HTTP call
     #
     # @return [AccessToken] the initialized AccessToken
-    def build_access_token(response, access_token_opts, extract_access_token)
-      parsed_response = response.parsed.dup
-      return unless parsed_response.is_a?(Hash)
-
-      hash = parsed_response.merge(access_token_opts)
-
-      # Provide backwards compatibility for old AccessToken.form_hash pattern
-      # Will be deprecated in 2.x
-      if extract_access_token.is_a?(Class) && extract_access_token.respond_to?(:from_hash)
-        extract_access_token.from_hash(self, hash)
-      else
-        extract_access_token.call(self, hash)
+    def build_access_token(response, access_token_opts, access_token_class)
+      access_token_class.from_hash(self, response.parsed.merge(access_token_opts)).tap do |access_token|
+        access_token.response = response if access_token.respond_to?(:response=)
       end
     end
 
+    # Builds the access token from the response of the HTTP call with legacy extract_access_token
+    #
+    # @return [AccessToken] the initialized AccessToken
+    def build_access_token_legacy(response, access_token_opts, extract_access_token)
+      extract_access_token.call(self, response.parsed.merge(access_token_opts))
+    rescue StandardError
+      nil
+    end
+
     def oauth_debug_logging(builder)
-      builder.response :logger, options[:logger], :bodies => true if ENV['OAUTH_DEBUG'] == 'true'
+      builder.response :logger, options[:logger], bodies: true if ENV['OAUTH_DEBUG'] == 'true'
     end
   end
 end

data/lib/oauth2/error.rb

@@ -2,41 +2,58 @@
 
 module OAuth2
   class Error < StandardError
-    attr_reader :response, :code, :description
+    attr_reader :response, :body, :code, :description
 
-    # standard error values include:
-    # :invalid_request, :invalid_client, :invalid_token, :invalid_grant, :unsupported_grant_type, :invalid_scope
+    # standard error codes include:
+    # 'invalid_request', 'invalid_client', 'invalid_token', 'invalid_grant', 'unsupported_grant_type', 'invalid_scope'
+    # response might be a Response object, or the response.parsed hash
     def initialize(response)
-      response.error = self
       @response = response
-
-      if response.parsed.is_a?(Hash)
-        @code = response.parsed['error']
-        @description = response.parsed['error_description']
-        error_description = "#{@code}: #{@description}"
+      if response.respond_to?(:parsed)
+        if response.parsed.is_a?(Hash)
+          @code = response.parsed['error']
+          @description = response.parsed['error_description']
+        end
+      elsif response.is_a?(Hash)
+        @code = response['error']
+        @description = response['error_description']
       end
-
-      super(error_message(response.body, :error_description => error_description))
+      @body = if response.respond_to?(:body)
+                response.body
+              else
+                @response
+              end
+      message_opts = parse_error_description(@code, @description)
+      super(error_message(@body, message_opts))
     end
 
-    # Makes a error message
-    # @param [String] response_body response body of request
-    # @param [String] opts :error_description error description to show first line
+  private
+
     def error_message(response_body, opts = {})
-      message = []
+      lines = []
+
+      lines << opts[:error_description] if opts[:error_description]
 
-      opts[:error_description] && (message << opts[:error_description])
+      error_string = if response_body.respond_to?(:encode) && opts[:error_description].respond_to?(:encoding)
+                       script_encoding = opts[:error_description].encoding
+                       response_body.encode(script_encoding, invalid: :replace, undef: :replace)
+                     else
+                       response_body
+                     end
+
+      lines << error_string
+
+      lines.join("\n")
+    end
 
-      error_message = if opts[:error_description] && opts[:error_description].respond_to?(:encoding)
-                        script_encoding = opts[:error_description].encoding
-                        response_body.encode(script_encoding, :invalid => :replace, :undef => :replace)
-                      else
-                        response_body
-                      end
+    def parse_error_description(code, description)
+      return {} unless code || description
 
-      message << error_message
+      error_description = ''
+      error_description += "#{code}: " if code
+      error_description += description if description
 
-      message.join("\n")
+      {error_description: error_description}
     end
   end
 end

data/lib/oauth2/response.rb

@@ -1,27 +1,28 @@
 # frozen_string_literal: true
 
-require 'multi_json'
+require 'json'
 require 'multi_xml'
 require 'rack'
 
 module OAuth2
   # OAuth2::Response class
   class Response
+    DEFAULT_OPTIONS = {
+      parse: :automatic,
+      snaky: true,
+    }.freeze
     attr_reader :response
-    attr_accessor :error, :options
+    attr_accessor :options
 
     # Procs that, when called, will parse a response body according
     # to the specified format.
     @@parsers = {
-      :json => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable Style/RescueModifier
-      :query => lambda { |body| Rack::Utils.parse_query(body) },
-      :text => lambda { |body| body },
+      query: ->(body) { Rack::Utils.parse_query(body) },
+      text: ->(body) { body },
     }
 
     # Content type assignments for various potential HTTP content types.
     @@content_types = {
-      'application/json' => :json,
-      'text/javascript' => :json,
       'application/x-www-form-urlencoded' => :query,
       'text/plain' => :text,
     }
@@ -42,12 +43,17 @@ module OAuth2
     # Initializes a Response instance
     #
     # @param [Faraday::Response] response The Faraday response instance
-    # @param [Hash] opts options in which to initialize the instance
-    # @option opts [Symbol] :parse (:automatic) how to parse the response body.  one of :query (for x-www-form-urlencoded),
+    # @param [Symbol] parse (:automatic) how to parse the response body.  one of :query (for x-www-form-urlencoded),
     #   :json, or :automatic (determined by Content-Type response header)
-    def initialize(response, opts = {})
+    # @param [true, false] snaky (true) Convert @parsed to a snake-case,
+    #   indifferent-access SnakyHash::StringKeyed, which is a subclass of Hashie::Mash (from hashie gem)?
+    # @param [Hash] options all other options for initializing the instance
+    def initialize(response, parse: :automatic, snaky: true, **options)
       @response = response
-      @options = {:parse => :automatic}.merge(opts)
+      @options = {
+        parse: parse,
+        snaky: snaky,
+      }.merge(options)
     end
 
     # The HTTP response headers
@@ -65,29 +71,78 @@ module OAuth2
       response.body || ''
     end
 
-    # The parsed response body.
-    #   Will attempt to parse application/x-www-form-urlencoded and
-    #   application/json Content-Type response bodies
+    # The {#response} {#body} as parsed by {#parser}.
+    #
+    # @return [Object] As returned by {#parser} if it is #call-able.
+    # @return [nil] If the {#parser} is not #call-able.
     def parsed
-      return nil unless @@parsers.key?(parser)
+      return @parsed if defined?(@parsed)
+
+      @parsed =
+        if parser.respond_to?(:call)
+          case parser.arity
+          when 0
+            parser.call
+          when 1
+            parser.call(body)
+          else
+            parser.call(body, response)
+          end
+        end
 
-      @parsed ||= @@parsers[parser].call(body)
+      @parsed = SnakyHash::StringKeyed.new(@parsed) if options[:snaky] && @parsed.is_a?(Hash)
+
+      @parsed
     end
 
     # Attempts to determine the content type of the response.
     def content_type
-      ((response.headers.values_at('content-type', 'Content-Type').compact.first || '').split(';').first || '').strip
+      return nil unless response.headers
+
+      ((response.headers.values_at('content-type', 'Content-Type').compact.first || '').split(';').first || '').strip.downcase
     end
 
-    # Determines the parser that will be used to supply the content of #parsed
+    # Determines the parser (a Proc or other Object which responds to #call)
+    # that will be passed the {#body} (and optional {#response}) to supply
+    # {#parsed}.
+    #
+    # The parser can be supplied as the +:parse+ option in the form of a Proc
+    # (or other Object responding to #call) or a Symbol. In the latter case,
+    # the actual parser will be looked up in {@@parsers} by the supplied Symbol.
+    #
+    # If no +:parse+ option is supplied, the lookup Symbol will be determined
+    # by looking up {#content_type} in {@@content_types}.
+    #
+    # If {#parser} is a Proc, it will be called with no arguments, just
+    # {#body}, or {#body} and {#response}, depending on the Proc's arity.
+    #
+    # @return [Proc, #call] If a parser was found.
+    # @return [nil] If no parser was found.
     def parser
-      return options[:parse].to_sym if @@parsers.key?(options[:parse])
+      return @parser if defined?(@parser)
+
+      @parser =
+        if options[:parse].respond_to?(:call)
+          options[:parse]
+        elsif options[:parse]
+          @@parsers[options[:parse].to_sym]
+        end
 
-      @@content_types[content_type]
+      @parser ||= @@parsers[@@content_types[content_type]]
     end
   end
 end
 
-OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml']) do |body|
-  MultiXml.parse(body) rescue body # rubocop:disable Style/RescueModifier
+OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml', 'application/xml']) do |body|
+  next body unless body.respond_to?(:to_str)
+
+  MultiXml.parse(body)
+end
+
+OAuth2::Response.register_parser(:json, ['application/json', 'text/javascript', 'application/hal+json', 'application/vnd.collection+json', 'application/vnd.api+json', 'application/problem+json']) do |body|
+  next body unless body.respond_to?(:to_str)
+
+  body = body.dup.force_encoding(::Encoding::ASCII_8BIT) if body.respond_to?(:force_encoding)
+
+  ::JSON.parse(body)
 end