oauth2 1.4.7 → 2.0.20

data/lib/oauth2/strategy/password.rb

@@ -1,14 +1,24 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Resource Owner Password Credentials Authorization Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    # IMPORTANT (OAuth 2.1): The Resource Owner Password Credentials grant is omitted in OAuth 2.1.
+    # It remains here for backward compatibility with OAuth 2.0 providers. Prefer Authorization Code + PKCE.
+    #
+    # References:
+    # - OAuth 2.1 draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13
+    # - Okta explainer: https://developer.okta.com/blog/2019/12/13/oauth-2-1-how-many-rfcs
+    # - FusionAuth blog: https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1
+    #
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.3
     class Password < Base
       # Not used for this strategy
       #
       # @raise [NotImplementedError]
       def authorize_url
-        raise(NotImplementedError, 'The authorization endpoint is not used in this strategy')
+        raise(NotImplementedError, "The authorization endpoint is not used in this strategy")
       end
 
       # Retrieve an access token given the specified End User username and password.
@@ -17,9 +27,11 @@ module OAuth2
       # @param [String] password the End User password
       # @param [Hash] params additional params
       def get_token(username, password, params = {}, opts = {})
-        params = {'grant_type' => 'password',
-                  'username' => username,
-                  'password' => password}.merge(params)
+        params = {
+          "grant_type" => "password",
+          "username" => username,
+          "password" => password,
+        }.merge(params)
         @client.get_token(params, opts)
       end
     end

data/lib/oauth2/version.rb

@@ -2,64 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = to_s
-
-  module_function
-
-    # The major version
-    #
-    # @return [Integer]
-    def major
-      1
-    end
-
-    # The minor version
-    #
-    # @return [Integer]
-    def minor
-      4
-    end
-
-    # The patch version
-    #
-    # @return [Integer]
-    def patch
-      7
-    end
-
-    # The pre-release version, if any
-    #
-    # @return [String, NilClass]
-    def pre
-      nil
-    end
-
-    # The version number as a hash
-    #
-    # @return [Hash]
-    def to_h
-      {
-        :major => major,
-        :minor => minor,
-        :patch => patch,
-        :pre => pre,
-      }
-    end
-
-    # The version number as an array
-    #
-    # @return [Array]
-    def to_a
-      [major, minor, patch, pre].compact
-    end
-
-    # The version number as a string
-    #
-    # @return [String]
-    def to_s
-      v = [major, minor, patch].compact.join('.')
-      v += "-#{pre}" if pre
-      v
-    end
+    VERSION = "2.0.20"
   end
+  VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -1,12 +1,103 @@
-require 'oauth2/error'
-require 'oauth2/authenticator'
-require 'oauth2/client'
-require 'oauth2/strategy/base'
-require 'oauth2/strategy/auth_code'
-require 'oauth2/strategy/implicit'
-require 'oauth2/strategy/password'
-require 'oauth2/strategy/client_credentials'
-require 'oauth2/strategy/assertion'
-require 'oauth2/access_token'
-require 'oauth2/mac_token'
-require 'oauth2/response'
+# frozen_string_literal: true
+
+# includes modules from stdlib
+require "cgi/escape"
+require "time"
+
+# third party gems
+require "snaky_hash"
+require "version_gem"
+
+# includes gem files
+require_relative "oauth2/version"
+require_relative "oauth2/auth_sanitizer"
+require_relative "oauth2/filtered_attributes"
+require_relative "oauth2/error"
+require_relative "oauth2/authenticator"
+require_relative "oauth2/client"
+require_relative "oauth2/strategy/base"
+require_relative "oauth2/strategy/auth_code"
+require_relative "oauth2/strategy/implicit"
+require_relative "oauth2/strategy/password"
+require_relative "oauth2/strategy/client_credentials"
+require_relative "oauth2/strategy/assertion"
+require_relative "oauth2/access_token"
+require_relative "oauth2/response"
+
+# The namespace of this library
+#
+# This module is the entry point and top-level namespace for the oauth2 gem.
+# It exposes configuration, constants, and requires the primary public classes.
+module OAuth2
+  # When true, enables verbose HTTP logging via Faraday's logger middleware.
+  # Controlled by the OAUTH_DEBUG environment variable. Any case-insensitive
+  # value equal to "true" will enable debugging.
+  #
+  # @return [Boolean]
+  OAUTH_DEBUG = ENV.fetch("OAUTH_DEBUG", "false").casecmp("true").zero?
+
+  # Default configuration values for the oauth2 library.
+  #
+  # @example Toggle warnings
+  #   OAuth2.configure do |config|
+  #     config[:silence_extra_tokens_warning] = false
+  #     config[:silence_no_tokens_warning] = false
+  #   end
+  #
+  # @example Customize filtered output markers and debug-log value filtering by key name
+  #   OAuth2.configure do |config|
+  #     config[:filtered_label] = "[REDACTED]"
+  #     config[:filtered_debug_keys] += ["client_assertion"]
+  #   end
+  #
+  # Existing objects and logger wrappers snapshot filtering configuration during
+  # initialization. Changing these config values later affects only newly
+  # initialized objects and debug loggers.
+  #
+  # @return [SnakyHash::SymbolKeyed] A mutable Hash-like config with symbol keys
+  DEFAULT_CONFIG = SnakyHash::SymbolKeyed.new(
+    silence_extra_tokens_warning: true,
+    silence_no_tokens_warning: true,
+    filtered_label: "[FILTERED]",
+    filtered_debug_keys: %w[
+      access_token
+      refresh_token
+      id_token
+      client_secret
+      assertion
+      code_verifier
+      token
+    ],
+  )
+
+  # The current runtime configuration for the library.
+  #
+  # @return [SnakyHash::SymbolKeyed]
+  CONFIG = DEFAULT_CONFIG.dup
+
+  class << self
+    def config
+      CONFIG
+    end
+
+    # Configure global library behavior.
+    #
+    # Yields the mutable configuration object so callers can update settings.
+    #
+    # @yieldparam [SnakyHash::SymbolKeyed] config the configuration object
+    # @return [void]
+    def configure
+      yield config
+    end
+  end
+end
+
+# Wire OAuth2::AUTH_SANITIZER's label provider to read from OAuth2.config so that
+# FilteredAttributes-bearing objects and OAuth2::AUTH_SANITIZER::SanitizedLogger instances
+# pick up OAuth2.config[:filtered_label] at their initialization time.
+OAuth2::AUTH_SANITIZER.filtered_label_provider = -> { OAuth2.config[:filtered_label] }
+
+# Extend OAuth2::Version with VersionGem helpers to provide semantic version helpers.
+OAuth2::Version.class_eval do
+  extend VersionGem::Basic
+end

data/sig/oauth2/access_token.rbs

@@ -0,0 +1,25 @@
+module OAuth2
+  class AccessToken
+    def self.from_hash: (OAuth2::Client, Hash[untyped, untyped]) -> OAuth2::AccessToken
+    def self.from_kvform: (OAuth2::Client, String) -> OAuth2::AccessToken
+
+    def initialize: (OAuth2::Client, String, ?Hash[Symbol, untyped]) -> void
+    def []: (String | Symbol) -> untyped
+    def expires?: () -> bool
+    def expired?: () -> bool
+    def refresh: (?Hash[untyped, untyped], ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::AccessToken
+    def revoke: (?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def to_hash: () -> Hash[Symbol, untyped]
+    def request: (Symbol, String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def get: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def post: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def put: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def patch: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def delete: (String, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+    def headers: () -> Hash[String, String]
+    def configure_authentication!: (Hash[Symbol, untyped], Symbol) -> void
+    def convert_expires_at: (untyped) -> (Time | Integer | nil)
+
+    attr_accessor response: OAuth2::Response
+  end
+end

data/sig/oauth2/authenticator.rbs

@@ -0,0 +1,22 @@
+module OAuth2
+  class Authenticator
+    include OAuth2::FilteredAttributes
+
+    attr_reader mode: (Symbol | String)
+    attr_reader id: String?
+    attr_reader secret: String?
+
+    def initialize: (String? id, String? secret, (Symbol | String) mode) -> void
+
+    def apply: (Hash[untyped, untyped]) -> Hash[untyped, untyped]
+
+    def self.encode_basic_auth: (String, String) -> String
+
+    private
+
+    def apply_params_auth: (Hash[untyped, untyped]) -> Hash[untyped, untyped]
+    def apply_client_id: (Hash[untyped, untyped]) -> Hash[untyped, untyped]
+    def apply_basic_auth: (Hash[untyped, untyped]) -> Hash[untyped, untyped]
+    def basic_auth_header: () -> Hash[String, String]
+  end
+end

data/sig/oauth2/client.rbs

@@ -0,0 +1,52 @@
+module OAuth2
+  class Client
+    RESERVED_REQ_KEYS: Array[String]
+    RESERVED_PARAM_KEYS: Array[String]
+
+    include OAuth2::FilteredAttributes
+
+    attr_reader id: String
+    attr_reader secret: String
+    attr_reader site: String?
+    attr_accessor options: Hash[Symbol, untyped]
+    attr_writer connection: untyped
+
+    def initialize: (String client_id, String client_secret, ?Hash[Symbol, untyped]) { (untyped) -> void } -> void
+
+    def site=: (String) -> String
+
+    def connection: () -> untyped
+
+    def authorize_url: (?Hash[untyped, untyped]) -> String
+    def token_url: (?Hash[untyped, untyped]) -> String
+    def revoke_url: (?Hash[untyped, untyped]) -> String
+
+    def request: (Symbol verb, String url, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+
+    def get_token: (Hash[untyped, untyped] params, ?Hash[Symbol, untyped] access_token_opts, ?Proc) { (Hash[Symbol, untyped]) -> void } -> (OAuth2::AccessToken | nil)
+
+    def revoke_token: (String token, ?String token_type_hint, ?Hash[Symbol, untyped]) { (untyped) -> void } -> OAuth2::Response
+
+    def http_method: () -> Symbol
+
+    def auth_code: () -> OAuth2::Strategy::AuthCode
+    def implicit: () -> OAuth2::Strategy::Implicit
+    def password: () -> OAuth2::Strategy::Password
+    def client_credentials: () -> OAuth2::Strategy::ClientCredentials
+    def assertion: () -> OAuth2::Strategy::Assertion
+
+    def redirection_params: () -> Hash[String, String]
+
+    private
+
+    def params_to_req_opts: (Hash[untyped, untyped]) -> Hash[Symbol, untyped]
+    def parse_snaky_params_headers: (Hash[untyped, untyped]) -> [Symbol, bool, untyped, (Symbol | nil), Hash[untyped, untyped], Hash[String, String]]
+    def execute_request: (Symbol verb, String url, ?Hash[Symbol, untyped]) { (Faraday::Request) -> void } -> OAuth2::Response
+    def authenticator: () -> OAuth2::Authenticator
+    def parse_response_legacy: (OAuth2::Response, Hash[Symbol, untyped], Proc) -> (OAuth2::AccessToken | nil)
+    def parse_response: (OAuth2::Response, Hash[Symbol, untyped]) -> (OAuth2::AccessToken | nil)
+    def build_access_token: (OAuth2::Response, Hash[Symbol, untyped], untyped) -> OAuth2::AccessToken
+    def build_access_token_legacy: (OAuth2::Response, Hash[Symbol, untyped], Proc) -> (OAuth2::AccessToken | nil)
+    def oauth_debug_logging: (untyped) -> void
+  end
+end

data/sig/oauth2/error.rbs

@@ -0,0 +1,8 @@
+module OAuth2
+  class Error < StandardError
+    def initialize: (OAuth2::Response) -> void
+    def code: () -> (String | Integer | nil)
+    def description: () -> (String | nil)
+    def response: () -> OAuth2::Response
+  end
+end

data/sig/oauth2/filtered_attributes.rbs

@@ -0,0 +1,11 @@
+module OAuth2
+  module FilteredAttributes
+    module InitializerMethods
+      def initialize: (*untyped args) { () -> untyped } -> untyped
+    end
+
+    def self.included: (untyped) -> untyped
+    def filtered_attributes: (*(String | Symbol)) -> void
+    def thing_filter: () -> OAuth2::ThingFilter
+  end
+end

data/sig/oauth2/response.rbs

@@ -0,0 +1,18 @@
+module OAuth2
+  class Response
+    DEFAULT_OPTIONS: Hash[Symbol, untyped]
+
+    def self.register_parser: (Symbol key, (Array[String] | String) mime_types) { (String) -> untyped } -> void
+
+    def initialize: (untyped response, parse: Symbol?, snaky: bool?, snaky_hash_klass: untyped?, options: Hash[Symbol, untyped]?) -> void
+    def headers: () -> Hash[untyped, untyped]
+    def status: () -> Integer
+    def body: () -> String
+    def parsed: () -> untyped
+    def content_type: () -> (String | nil)
+    def parser: () -> (untyped | nil)
+
+    attr_reader response: untyped
+    attr_accessor options: Hash[Symbol, untyped]
+  end
+end

data/sig/oauth2/sanitized_logger.rbs

@@ -0,0 +1,32 @@
+module OAuth2
+  class SanitizedLogger
+    def initialize: (untyped logger) -> void
+
+    def add: (untyped severity, ?untyped message, ?untyped progname) { () -> untyped } -> untyped
+    def <<: (String message) -> untyped
+    def debug: (?untyped progname) { () -> untyped } -> untyped
+    def info: (?untyped progname) { () -> untyped } -> untyped
+    def warn: (?untyped progname) { () -> untyped } -> untyped
+    def error: (?untyped progname) { () -> untyped } -> untyped
+    def fatal: (?untyped progname) { () -> untyped } -> untyped
+    def unknown: (?untyped progname) { () -> untyped } -> untyped
+    def close: () -> void
+    def formatter: () -> untyped
+    def formatter=: (untyped formatter) -> void
+    def level: () -> untyped
+    def level=: (untyped level) -> void
+    def progname: () -> untyped
+    def progname=: (untyped progname) -> void
+    def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
+    def method_missing: (Symbol method_name, *untyped args) { () -> untyped } -> untyped
+
+    private
+
+    def log: (Symbol level, ?untyped progname) { () -> untyped } -> untyped
+    def sanitize: (untyped message) -> untyped
+    def thing_filter: () -> OAuth2::ThingFilter
+    def sanitize_authorization_header: (String message) -> String
+    def sanitize_json_pairs: (String message) -> String
+    def sanitize_form_and_query_pairs: (String message) -> String
+  end
+end

data/sig/oauth2/strategy.rbs

@@ -0,0 +1,34 @@
+module OAuth2
+  module Strategy
+    class Base
+      def initialize: (OAuth2::Client) -> void
+    end
+
+    class AuthCode < Base
+      def authorize_params: (?Hash[untyped, untyped]) -> Hash[untyped, untyped]
+      def authorize_url: (?Hash[untyped, untyped]) -> String
+      def get_token: (String, ?Hash[untyped, untyped], ?Hash[Symbol, untyped]) -> OAuth2::AccessToken
+    end
+
+    class Implicit < Base
+      def authorize_params: (?Hash[untyped, untyped]) -> Hash[untyped, untyped]
+      def authorize_url: (?Hash[untyped, untyped]) -> String
+      def get_token: (*untyped) -> void
+    end
+
+    class Password < Base
+      def authorize_url: () -> void
+      def get_token: (String, String, ?Hash[untyped, untyped], ?Hash[Symbol, untyped]) -> OAuth2::AccessToken
+    end
+
+    class ClientCredentials < Base
+      def authorize_url: () -> void
+      def get_token: (?Hash[untyped, untyped], ?Hash[Symbol, untyped]) -> OAuth2::AccessToken
+    end
+
+    class Assertion < Base
+      def authorize_url: () -> void
+      def get_token: (Hash[untyped, untyped], Hash[Symbol, untyped], ?Hash[Symbol, untyped], ?Hash[Symbol, untyped]) -> OAuth2::AccessToken
+    end
+  end
+end

data/sig/oauth2/thing_filter.rbs

@@ -0,0 +1,10 @@
+module OAuth2
+  class ThingFilter
+    attr_reader things: Array[String]
+    attr_reader label: String
+
+    def initialize: (Enumerable[untyped] things, label: String) -> void
+    def filtered?: (untyped thing_name) -> bool
+    def pattern_source: () -> String
+  end
+end

data/sig/oauth2/version.rbs

@@ -0,0 +1,5 @@
+module OAuth2
+  module Version
+    VERSION: String
+  end
+end

data/sig/oauth2.rbs

@@ -0,0 +1,9 @@
+module OAuth2
+  OAUTH_DEBUG: bool
+
+  DEFAULT_CONFIG: untyped
+  @config: untyped
+
+  def self.config: () -> untyped
+  def self.configure: () { (untyped) -> void } -> void
+end