oauth2 2.0.18 → 2.0.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +163 -5
- data/CITATION.cff +6 -6
- data/CONTRIBUTING.md +82 -31
- data/FUNDING.md +1 -1
- data/LICENSE.md +111 -0
- data/README.md +341 -733
- data/SECURITY.md +1 -4
- data/certs/pboling.pem +27 -0
- data/lib/oauth2/access_token.rb +32 -29
- data/lib/oauth2/auth_sanitizer.rb +36 -0
- data/lib/oauth2/authenticator.rb +9 -7
- data/lib/oauth2/client.rb +74 -17
- data/lib/oauth2/error.rb +10 -6
- data/lib/oauth2/filtered_attributes.rb +7 -49
- data/lib/oauth2/response.rb +30 -24
- data/lib/oauth2/version.rb +2 -1
- data/lib/oauth2.rb +39 -17
- data/sig/oauth2/filtered_attributes.rbs +6 -1
- data/sig/oauth2/sanitized_logger.rbs +32 -0
- data/sig/oauth2/thing_filter.rbs +10 -0
- data/sig/oauth2/version.rbs +1 -0
- data.tar.gz.sig +0 -0
- metadata +125 -107
- metadata.gz.sig +0 -0
- data/IRP.md +0 -107
- data/LICENSE.txt +0 -22
- data/OIDC.md +0 -167
- data/REEK +0 -0
- data/THREAT_MODEL.md +0 -85
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
module OAuth2
|
|
2
2
|
module FilteredAttributes
|
|
3
|
+
module InitializerMethods
|
|
4
|
+
def initialize: (*untyped args) { () -> untyped } -> untyped
|
|
5
|
+
end
|
|
6
|
+
|
|
3
7
|
def self.included: (untyped) -> untyped
|
|
4
|
-
def filtered_attributes: (*String) -> void
|
|
8
|
+
def filtered_attributes: (*(String | Symbol)) -> void
|
|
9
|
+
def thing_filter: () -> OAuth2::ThingFilter
|
|
5
10
|
end
|
|
6
11
|
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module OAuth2
|
|
2
|
+
class SanitizedLogger
|
|
3
|
+
def initialize: (untyped logger) -> void
|
|
4
|
+
|
|
5
|
+
def add: (untyped severity, ?untyped message, ?untyped progname) { () -> untyped } -> untyped
|
|
6
|
+
def <<: (String message) -> untyped
|
|
7
|
+
def debug: (?untyped progname) { () -> untyped } -> untyped
|
|
8
|
+
def info: (?untyped progname) { () -> untyped } -> untyped
|
|
9
|
+
def warn: (?untyped progname) { () -> untyped } -> untyped
|
|
10
|
+
def error: (?untyped progname) { () -> untyped } -> untyped
|
|
11
|
+
def fatal: (?untyped progname) { () -> untyped } -> untyped
|
|
12
|
+
def unknown: (?untyped progname) { () -> untyped } -> untyped
|
|
13
|
+
def close: () -> void
|
|
14
|
+
def formatter: () -> untyped
|
|
15
|
+
def formatter=: (untyped formatter) -> void
|
|
16
|
+
def level: () -> untyped
|
|
17
|
+
def level=: (untyped level) -> void
|
|
18
|
+
def progname: () -> untyped
|
|
19
|
+
def progname=: (untyped progname) -> void
|
|
20
|
+
def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
|
|
21
|
+
def method_missing: (Symbol method_name, *untyped args) { () -> untyped } -> untyped
|
|
22
|
+
|
|
23
|
+
private
|
|
24
|
+
|
|
25
|
+
def log: (Symbol level, ?untyped progname) { () -> untyped } -> untyped
|
|
26
|
+
def sanitize: (untyped message) -> untyped
|
|
27
|
+
def thing_filter: () -> OAuth2::ThingFilter
|
|
28
|
+
def sanitize_authorization_header: (String message) -> String
|
|
29
|
+
def sanitize_json_pairs: (String message) -> String
|
|
30
|
+
def sanitize_form_and_query_pairs: (String message) -> String
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
module OAuth2
|
|
2
|
+
class ThingFilter
|
|
3
|
+
attr_reader things: Array[String]
|
|
4
|
+
attr_reader label: String
|
|
5
|
+
|
|
6
|
+
def initialize: (Enumerable[untyped] things, label: String) -> void
|
|
7
|
+
def filtered?: (untyped thing_name) -> bool
|
|
8
|
+
def pattern_source: () -> String
|
|
9
|
+
end
|
|
10
|
+
end
|
data/sig/oauth2/version.rbs
CHANGED
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,12 +1,10 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: oauth2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.23
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
- Peter Boling
|
|
8
|
-
- Erik Michaels-Ober
|
|
9
|
-
- Michael Bleigh
|
|
7
|
+
- Peter H. Boling
|
|
10
8
|
bindir: exe
|
|
11
9
|
cert_chain:
|
|
12
10
|
- |
|
|
@@ -39,6 +37,26 @@ cert_chain:
|
|
|
39
37
|
-----END CERTIFICATE-----
|
|
40
38
|
date: 1980-01-02 00:00:00.000000000 Z
|
|
41
39
|
dependencies:
|
|
40
|
+
- !ruby/object:Gem::Dependency
|
|
41
|
+
name: auth-sanitizer
|
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
|
43
|
+
requirements:
|
|
44
|
+
- - "~>"
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: '0.2'
|
|
47
|
+
- - ">="
|
|
48
|
+
- !ruby/object:Gem::Version
|
|
49
|
+
version: 0.2.1
|
|
50
|
+
type: :runtime
|
|
51
|
+
prerelease: false
|
|
52
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
53
|
+
requirements:
|
|
54
|
+
- - "~>"
|
|
55
|
+
- !ruby/object:Gem::Version
|
|
56
|
+
version: '0.2'
|
|
57
|
+
- - ">="
|
|
58
|
+
- !ruby/object:Gem::Version
|
|
59
|
+
version: 0.2.1
|
|
42
60
|
- !ruby/object:Gem::Dependency
|
|
43
61
|
name: faraday
|
|
44
62
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -136,7 +154,7 @@ dependencies:
|
|
|
136
154
|
version: '2.0'
|
|
137
155
|
- - ">="
|
|
138
156
|
- !ruby/object:Gem::Version
|
|
139
|
-
version: 2.0.
|
|
157
|
+
version: 2.0.6
|
|
140
158
|
type: :runtime
|
|
141
159
|
prerelease: false
|
|
142
160
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -146,7 +164,7 @@ dependencies:
|
|
|
146
164
|
version: '2.0'
|
|
147
165
|
- - ">="
|
|
148
166
|
- !ruby/object:Gem::Version
|
|
149
|
-
version: 2.0.
|
|
167
|
+
version: 2.0.6
|
|
150
168
|
- !ruby/object:Gem::Dependency
|
|
151
169
|
name: version_gem
|
|
152
170
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -156,7 +174,7 @@ dependencies:
|
|
|
156
174
|
version: '1.1'
|
|
157
175
|
- - ">="
|
|
158
176
|
- !ruby/object:Gem::Version
|
|
159
|
-
version: 1.1.
|
|
177
|
+
version: 1.1.11
|
|
160
178
|
type: :runtime
|
|
161
179
|
prerelease: false
|
|
162
180
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -166,139 +184,151 @@ dependencies:
|
|
|
166
184
|
version: '1.1'
|
|
167
185
|
- - ">="
|
|
168
186
|
- !ruby/object:Gem::Version
|
|
169
|
-
version: 1.1.
|
|
187
|
+
version: 1.1.11
|
|
170
188
|
- !ruby/object:Gem::Dependency
|
|
171
|
-
name:
|
|
189
|
+
name: kettle-dev
|
|
172
190
|
requirement: !ruby/object:Gem::Requirement
|
|
173
191
|
requirements:
|
|
174
192
|
- - "~>"
|
|
175
193
|
- !ruby/object:Gem::Version
|
|
176
|
-
version: '2.
|
|
194
|
+
version: '2.2'
|
|
177
195
|
- - ">="
|
|
178
196
|
- !ruby/object:Gem::Version
|
|
179
|
-
version: 2.
|
|
197
|
+
version: 2.2.5
|
|
180
198
|
type: :development
|
|
181
199
|
prerelease: false
|
|
182
200
|
version_requirements: !ruby/object:Gem::Requirement
|
|
183
201
|
requirements:
|
|
184
202
|
- - "~>"
|
|
185
203
|
- !ruby/object:Gem::Version
|
|
186
|
-
version: '2.
|
|
204
|
+
version: '2.2'
|
|
187
205
|
- - ">="
|
|
188
206
|
- !ruby/object:Gem::Version
|
|
189
|
-
version: 2.
|
|
207
|
+
version: 2.2.5
|
|
190
208
|
- !ruby/object:Gem::Dependency
|
|
191
|
-
name:
|
|
209
|
+
name: bundler-audit
|
|
192
210
|
requirement: !ruby/object:Gem::Requirement
|
|
193
211
|
requirements:
|
|
194
212
|
- - "~>"
|
|
195
213
|
- !ruby/object:Gem::Version
|
|
196
|
-
version:
|
|
214
|
+
version: 0.9.3
|
|
197
215
|
type: :development
|
|
198
216
|
prerelease: false
|
|
199
217
|
version_requirements: !ruby/object:Gem::Requirement
|
|
200
218
|
requirements:
|
|
201
219
|
- - "~>"
|
|
202
220
|
- !ruby/object:Gem::Version
|
|
203
|
-
version:
|
|
221
|
+
version: 0.9.3
|
|
204
222
|
- !ruby/object:Gem::Dependency
|
|
205
|
-
name:
|
|
223
|
+
name: rake
|
|
206
224
|
requirement: !ruby/object:Gem::Requirement
|
|
207
225
|
requirements:
|
|
208
226
|
- - "~>"
|
|
209
227
|
- !ruby/object:Gem::Version
|
|
210
|
-
version: '
|
|
211
|
-
- - ">="
|
|
212
|
-
- !ruby/object:Gem::Version
|
|
213
|
-
version: 3.2.5
|
|
228
|
+
version: '13.0'
|
|
214
229
|
type: :development
|
|
215
230
|
prerelease: false
|
|
216
231
|
version_requirements: !ruby/object:Gem::Requirement
|
|
217
232
|
requirements:
|
|
218
233
|
- - "~>"
|
|
219
234
|
- !ruby/object:Gem::Version
|
|
220
|
-
version: '
|
|
221
|
-
- - ">="
|
|
222
|
-
- !ruby/object:Gem::Version
|
|
223
|
-
version: 3.2.5
|
|
235
|
+
version: '13.0'
|
|
224
236
|
- !ruby/object:Gem::Dependency
|
|
225
|
-
name:
|
|
237
|
+
name: require_bench
|
|
226
238
|
requirement: !ruby/object:Gem::Requirement
|
|
227
239
|
requirements:
|
|
228
240
|
- - "~>"
|
|
229
241
|
- !ruby/object:Gem::Version
|
|
230
|
-
version: '1.
|
|
242
|
+
version: '1.0'
|
|
243
|
+
- - ">="
|
|
244
|
+
- !ruby/object:Gem::Version
|
|
245
|
+
version: 1.0.4
|
|
231
246
|
type: :development
|
|
232
247
|
prerelease: false
|
|
233
248
|
version_requirements: !ruby/object:Gem::Requirement
|
|
234
249
|
requirements:
|
|
235
250
|
- - "~>"
|
|
236
251
|
- !ruby/object:Gem::Version
|
|
237
|
-
version: '1.
|
|
252
|
+
version: '1.0'
|
|
253
|
+
- - ">="
|
|
254
|
+
- !ruby/object:Gem::Version
|
|
255
|
+
version: 1.0.4
|
|
238
256
|
- !ruby/object:Gem::Dependency
|
|
239
|
-
name:
|
|
257
|
+
name: appraisal2
|
|
240
258
|
requirement: !ruby/object:Gem::Requirement
|
|
241
259
|
requirements:
|
|
242
260
|
- - "~>"
|
|
243
261
|
- !ruby/object:Gem::Version
|
|
244
|
-
version:
|
|
262
|
+
version: '3.1'
|
|
263
|
+
- - ">="
|
|
264
|
+
- !ruby/object:Gem::Version
|
|
265
|
+
version: 3.1.2
|
|
245
266
|
type: :development
|
|
246
267
|
prerelease: false
|
|
247
268
|
version_requirements: !ruby/object:Gem::Requirement
|
|
248
269
|
requirements:
|
|
249
270
|
- - "~>"
|
|
250
271
|
- !ruby/object:Gem::Version
|
|
251
|
-
version:
|
|
272
|
+
version: '3.1'
|
|
273
|
+
- - ">="
|
|
274
|
+
- !ruby/object:Gem::Version
|
|
275
|
+
version: 3.1.2
|
|
252
276
|
- !ruby/object:Gem::Dependency
|
|
253
|
-
name:
|
|
277
|
+
name: kettle-test
|
|
254
278
|
requirement: !ruby/object:Gem::Requirement
|
|
255
279
|
requirements:
|
|
256
280
|
- - "~>"
|
|
257
281
|
- !ruby/object:Gem::Version
|
|
258
|
-
version: '
|
|
282
|
+
version: '2.0'
|
|
283
|
+
- - ">="
|
|
284
|
+
- !ruby/object:Gem::Version
|
|
285
|
+
version: 2.0.5
|
|
259
286
|
type: :development
|
|
260
287
|
prerelease: false
|
|
261
288
|
version_requirements: !ruby/object:Gem::Requirement
|
|
262
289
|
requirements:
|
|
263
290
|
- - "~>"
|
|
264
291
|
- !ruby/object:Gem::Version
|
|
265
|
-
version: '
|
|
292
|
+
version: '2.0'
|
|
293
|
+
- - ">="
|
|
294
|
+
- !ruby/object:Gem::Version
|
|
295
|
+
version: 2.0.5
|
|
266
296
|
- !ruby/object:Gem::Dependency
|
|
267
|
-
name:
|
|
297
|
+
name: turbo_tests2
|
|
268
298
|
requirement: !ruby/object:Gem::Requirement
|
|
269
299
|
requirements:
|
|
270
300
|
- - "~>"
|
|
271
301
|
- !ruby/object:Gem::Version
|
|
272
|
-
version: '1
|
|
302
|
+
version: '3.1'
|
|
273
303
|
- - ">="
|
|
274
304
|
- !ruby/object:Gem::Version
|
|
275
|
-
version: 1.
|
|
305
|
+
version: 3.1.2
|
|
276
306
|
type: :development
|
|
277
307
|
prerelease: false
|
|
278
308
|
version_requirements: !ruby/object:Gem::Requirement
|
|
279
309
|
requirements:
|
|
280
310
|
- - "~>"
|
|
281
311
|
- !ruby/object:Gem::Version
|
|
282
|
-
version: '1
|
|
312
|
+
version: '3.1'
|
|
283
313
|
- - ">="
|
|
284
314
|
- !ruby/object:Gem::Version
|
|
285
|
-
version: 1.
|
|
315
|
+
version: 3.1.2
|
|
286
316
|
- !ruby/object:Gem::Dependency
|
|
287
|
-
name:
|
|
317
|
+
name: ruby-progressbar
|
|
288
318
|
requirement: !ruby/object:Gem::Requirement
|
|
289
319
|
requirements:
|
|
290
320
|
- - "~>"
|
|
291
321
|
- !ruby/object:Gem::Version
|
|
292
|
-
version: '
|
|
322
|
+
version: '1.13'
|
|
293
323
|
type: :development
|
|
294
324
|
prerelease: false
|
|
295
325
|
version_requirements: !ruby/object:Gem::Requirement
|
|
296
326
|
requirements:
|
|
297
327
|
- - "~>"
|
|
298
328
|
- !ruby/object:Gem::Version
|
|
299
|
-
version: '
|
|
329
|
+
version: '1.13'
|
|
300
330
|
- !ruby/object:Gem::Dependency
|
|
301
|
-
name:
|
|
331
|
+
name: stone_checksums
|
|
302
332
|
requirement: !ruby/object:Gem::Requirement
|
|
303
333
|
requirements:
|
|
304
334
|
- - "~>"
|
|
@@ -306,7 +336,7 @@ dependencies:
|
|
|
306
336
|
version: '1.0'
|
|
307
337
|
- - ">="
|
|
308
338
|
- !ruby/object:Gem::Version
|
|
309
|
-
version: 1.0.
|
|
339
|
+
version: 1.0.3
|
|
310
340
|
type: :development
|
|
311
341
|
prerelease: false
|
|
312
342
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -316,86 +346,105 @@ dependencies:
|
|
|
316
346
|
version: '1.0'
|
|
317
347
|
- - ">="
|
|
318
348
|
- !ruby/object:Gem::Version
|
|
319
|
-
version: 1.0.
|
|
349
|
+
version: 1.0.3
|
|
320
350
|
- !ruby/object:Gem::Dependency
|
|
321
|
-
name:
|
|
351
|
+
name: gitmoji-regex
|
|
322
352
|
requirement: !ruby/object:Gem::Requirement
|
|
323
353
|
requirements:
|
|
324
354
|
- - "~>"
|
|
325
355
|
- !ruby/object:Gem::Version
|
|
326
|
-
version: '
|
|
356
|
+
version: '2.0'
|
|
357
|
+
- - ">="
|
|
358
|
+
- !ruby/object:Gem::Version
|
|
359
|
+
version: 2.0.1
|
|
327
360
|
type: :development
|
|
328
361
|
prerelease: false
|
|
329
362
|
version_requirements: !ruby/object:Gem::Requirement
|
|
330
363
|
requirements:
|
|
331
364
|
- - "~>"
|
|
332
365
|
- !ruby/object:Gem::Version
|
|
333
|
-
version: '
|
|
366
|
+
version: '2.0'
|
|
367
|
+
- - ">="
|
|
368
|
+
- !ruby/object:Gem::Version
|
|
369
|
+
version: 2.0.1
|
|
334
370
|
- !ruby/object:Gem::Dependency
|
|
335
|
-
name:
|
|
371
|
+
name: addressable
|
|
336
372
|
requirement: !ruby/object:Gem::Requirement
|
|
337
373
|
requirements:
|
|
338
374
|
- - "~>"
|
|
339
375
|
- !ruby/object:Gem::Version
|
|
340
|
-
version: '
|
|
376
|
+
version: '2.8'
|
|
341
377
|
- - ">="
|
|
342
378
|
- !ruby/object:Gem::Version
|
|
343
|
-
version:
|
|
379
|
+
version: 2.8.7
|
|
344
380
|
type: :development
|
|
345
381
|
prerelease: false
|
|
346
382
|
version_requirements: !ruby/object:Gem::Requirement
|
|
347
383
|
requirements:
|
|
348
384
|
- - "~>"
|
|
349
385
|
- !ruby/object:Gem::Version
|
|
350
|
-
version: '
|
|
386
|
+
version: '2.8'
|
|
351
387
|
- - ">="
|
|
352
388
|
- !ruby/object:Gem::Version
|
|
353
|
-
version:
|
|
389
|
+
version: 2.8.7
|
|
354
390
|
- !ruby/object:Gem::Dependency
|
|
355
|
-
name:
|
|
391
|
+
name: backports
|
|
356
392
|
requirement: !ruby/object:Gem::Requirement
|
|
357
393
|
requirements:
|
|
358
394
|
- - "~>"
|
|
359
395
|
- !ruby/object:Gem::Version
|
|
360
|
-
version: '
|
|
396
|
+
version: '3.25'
|
|
361
397
|
- - ">="
|
|
362
398
|
- !ruby/object:Gem::Version
|
|
363
|
-
version:
|
|
399
|
+
version: 3.25.1
|
|
364
400
|
type: :development
|
|
365
401
|
prerelease: false
|
|
366
402
|
version_requirements: !ruby/object:Gem::Requirement
|
|
367
403
|
requirements:
|
|
368
404
|
- - "~>"
|
|
369
405
|
- !ruby/object:Gem::Version
|
|
370
|
-
version: '
|
|
406
|
+
version: '3.25'
|
|
371
407
|
- - ">="
|
|
372
408
|
- !ruby/object:Gem::Version
|
|
373
|
-
version:
|
|
409
|
+
version: 3.25.1
|
|
374
410
|
- !ruby/object:Gem::Dependency
|
|
375
|
-
name:
|
|
411
|
+
name: nkf
|
|
376
412
|
requirement: !ruby/object:Gem::Requirement
|
|
377
413
|
requirements:
|
|
378
414
|
- - "~>"
|
|
379
415
|
- !ruby/object:Gem::Version
|
|
380
|
-
version: '
|
|
416
|
+
version: '0.2'
|
|
417
|
+
type: :development
|
|
418
|
+
prerelease: false
|
|
419
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
420
|
+
requirements:
|
|
421
|
+
- - "~>"
|
|
422
|
+
- !ruby/object:Gem::Version
|
|
423
|
+
version: '0.2'
|
|
424
|
+
- !ruby/object:Gem::Dependency
|
|
425
|
+
name: rexml
|
|
426
|
+
requirement: !ruby/object:Gem::Requirement
|
|
427
|
+
requirements:
|
|
428
|
+
- - "~>"
|
|
429
|
+
- !ruby/object:Gem::Version
|
|
430
|
+
version: '3.2'
|
|
381
431
|
- - ">="
|
|
382
432
|
- !ruby/object:Gem::Version
|
|
383
|
-
version: 3.
|
|
433
|
+
version: 3.2.5
|
|
384
434
|
type: :development
|
|
385
435
|
prerelease: false
|
|
386
436
|
version_requirements: !ruby/object:Gem::Requirement
|
|
387
437
|
requirements:
|
|
388
438
|
- - "~>"
|
|
389
439
|
- !ruby/object:Gem::Version
|
|
390
|
-
version: '3.
|
|
440
|
+
version: '3.2'
|
|
391
441
|
- - ">="
|
|
392
442
|
- !ruby/object:Gem::Version
|
|
393
|
-
version: 3.
|
|
443
|
+
version: 3.2.5
|
|
394
444
|
description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framework,
|
|
395
445
|
including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
|
|
396
446
|
email:
|
|
397
447
|
- floss@galtzo.com
|
|
398
|
-
- oauth-ruby@googlegroups.com
|
|
399
448
|
executables: []
|
|
400
449
|
extensions: []
|
|
401
450
|
extra_rdoc_files:
|
|
@@ -404,30 +453,24 @@ extra_rdoc_files:
|
|
|
404
453
|
- CODE_OF_CONDUCT.md
|
|
405
454
|
- CONTRIBUTING.md
|
|
406
455
|
- FUNDING.md
|
|
407
|
-
-
|
|
408
|
-
- LICENSE.txt
|
|
409
|
-
- OIDC.md
|
|
456
|
+
- LICENSE.md
|
|
410
457
|
- README.md
|
|
411
|
-
- REEK
|
|
412
458
|
- RUBOCOP.md
|
|
413
459
|
- SECURITY.md
|
|
414
|
-
- THREAT_MODEL.md
|
|
415
460
|
files:
|
|
416
461
|
- CHANGELOG.md
|
|
417
462
|
- CITATION.cff
|
|
418
463
|
- CODE_OF_CONDUCT.md
|
|
419
464
|
- CONTRIBUTING.md
|
|
420
465
|
- FUNDING.md
|
|
421
|
-
-
|
|
422
|
-
- LICENSE.txt
|
|
423
|
-
- OIDC.md
|
|
466
|
+
- LICENSE.md
|
|
424
467
|
- README.md
|
|
425
|
-
- REEK
|
|
426
468
|
- RUBOCOP.md
|
|
427
469
|
- SECURITY.md
|
|
428
|
-
-
|
|
470
|
+
- certs/pboling.pem
|
|
429
471
|
- lib/oauth2.rb
|
|
430
472
|
- lib/oauth2/access_token.rb
|
|
473
|
+
- lib/oauth2/auth_sanitizer.rb
|
|
431
474
|
- lib/oauth2/authenticator.rb
|
|
432
475
|
- lib/oauth2/client.rb
|
|
433
476
|
- lib/oauth2/error.rb
|
|
@@ -447,49 +490,24 @@ files:
|
|
|
447
490
|
- sig/oauth2/error.rbs
|
|
448
491
|
- sig/oauth2/filtered_attributes.rbs
|
|
449
492
|
- sig/oauth2/response.rbs
|
|
493
|
+
- sig/oauth2/sanitized_logger.rbs
|
|
450
494
|
- sig/oauth2/strategy.rbs
|
|
495
|
+
- sig/oauth2/thing_filter.rbs
|
|
451
496
|
- sig/oauth2/version.rbs
|
|
452
497
|
homepage: https://github.com/ruby-oauth/oauth2
|
|
453
498
|
licenses:
|
|
454
499
|
- MIT
|
|
455
500
|
metadata:
|
|
456
|
-
homepage_uri: https://oauth2.galtzo.com
|
|
457
|
-
source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.
|
|
458
|
-
changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.
|
|
501
|
+
homepage_uri: https://oauth2.galtzo.com
|
|
502
|
+
source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.23
|
|
503
|
+
changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.23/CHANGELOG.md
|
|
459
504
|
bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
|
|
460
|
-
documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.
|
|
461
|
-
mailing_list_uri: https://groups.google.com/g/oauth-ruby
|
|
505
|
+
documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.23
|
|
462
506
|
funding_uri: https://github.com/sponsors/pboling
|
|
463
|
-
wiki_uri: https://
|
|
507
|
+
wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
|
|
464
508
|
news_uri: https://www.railsbling.com/tags/oauth2
|
|
465
509
|
discord_uri: https://discord.gg/3qme4XHNKN
|
|
466
510
|
rubygems_mfa_required: 'true'
|
|
467
|
-
post_install_message: |2
|
|
468
|
-
|
|
469
|
-
---+++--- oauth2 v2.0.18 ---+++---
|
|
470
|
-
|
|
471
|
-
(minor) ⚠️ BREAKING CHANGES ⚠️ when upgrading from < v2
|
|
472
|
-
• Summary of breaking changes: https://gitlab.com/ruby-oauth/oauth2#what-is-new-for-v20
|
|
473
|
-
• Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.18/CHANGELOG.md#2015-2025-09-08
|
|
474
|
-
|
|
475
|
-
News:
|
|
476
|
-
1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com
|
|
477
|
-
2. New official Discord for discussion and support: https://discord.gg/3qme4XHNKN
|
|
478
|
-
3. New org name "ruby-oauth" on Open Source Collective, GitHub, GitLab, Codeberg (update git remotes!)
|
|
479
|
-
4. Non-commercial support for the 2.x series will end by April, 2026. Please make a plan to upgrade to the next version prior to that date.
|
|
480
|
-
Support will be dropped for Ruby 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 3.0, 3.1 and any other Ruby versions which will also have reached EOL by then.
|
|
481
|
-
5. Gem releases are cryptographically signed with a 20-year cert; SHA-256 & SHA-512 checksums by stone_checksums.
|
|
482
|
-
6. Please consider supporting this project:
|
|
483
|
-
• https://opencollective.com/ruby-oauth (new!)
|
|
484
|
-
• https://liberapay.com/pboling
|
|
485
|
-
• https://github.com/sponsors/pboling
|
|
486
|
-
• https://www.paypal.com/paypalme/peterboling
|
|
487
|
-
• https://ko-fi.com/pboling
|
|
488
|
-
• https://www.buymeacoffee.com/pboling
|
|
489
|
-
• https://tidelift.com/funding/github/rubygems/oauth
|
|
490
|
-
• Hire me - I can build anything
|
|
491
|
-
• Report issues, and star the project
|
|
492
|
-
Thanks, @pboling / @galtzo
|
|
493
511
|
rdoc_options:
|
|
494
512
|
- "--title"
|
|
495
513
|
- "oauth2 - \U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
|
|
@@ -513,7 +531,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
513
531
|
- !ruby/object:Gem::Version
|
|
514
532
|
version: '0'
|
|
515
533
|
requirements: []
|
|
516
|
-
rubygems_version:
|
|
534
|
+
rubygems_version: 4.0.10
|
|
517
535
|
specification_version: 4
|
|
518
536
|
summary: "\U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
|
|
519
537
|
test_files: []
|
metadata.gz.sig
CHANGED
|
Binary file
|
data/IRP.md
DELETED
|
@@ -1,107 +0,0 @@
|
|
|
1
|
-
# Incident Response Plan (IRP)
|
|
2
|
-
|
|
3
|
-
Status: Draft
|
|
4
|
-
|
|
5
|
-
## Purpose
|
|
6
|
-
|
|
7
|
-
This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the `oauth2` gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable.
|
|
8
|
-
|
|
9
|
-
## Scope
|
|
10
|
-
|
|
11
|
-
Applies to security incidents that affect the `oauth2` codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users.
|
|
12
|
-
|
|
13
|
-
## Key assumptions
|
|
14
|
-
- This project is maintained primarily by a single maintainer.
|
|
15
|
-
- Public vulnerability disclosure is handled via Tidelift (see `SECURITY.md`).
|
|
16
|
-
- The maintainer will act as incident commander unless otherwise delegated.
|
|
17
|
-
|
|
18
|
-
## Contact & Roles
|
|
19
|
-
|
|
20
|
-
- Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications.
|
|
21
|
-
- Secondary Contact: (optional) A trusted collaborator or organization contact if available.
|
|
22
|
-
|
|
23
|
-
### If you are an external reporter
|
|
24
|
-
- Do not publicly disclose details of an active vulnerability before coordination via Tidelift.
|
|
25
|
-
- See `SECURITY.md` for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in `SECURITY.md` (if available) or email the maintainer contact listed in the repository.
|
|
26
|
-
|
|
27
|
-
## Incident Handling Workflow (high level)
|
|
28
|
-
1. Identification & Reporting
|
|
29
|
-
- Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories.
|
|
30
|
-
- Immediately acknowledge receipt (within 24-72 hours) via the reporting channel.
|
|
31
|
-
|
|
32
|
-
2. Triage & Initial Assessment (first 72 hours)
|
|
33
|
-
- Confirm the report is not duplicative and gather: reproducer, affected versions, attack surface, exploitability, and CVSS-like severity estimate.
|
|
34
|
-
- Verify the issue against the codebase and reproduce locally if possible.
|
|
35
|
-
- Determine scope: which versions are affected, whether the issue is in code paths executed in common setups, and whether a workaround exists.
|
|
36
|
-
|
|
37
|
-
3. Containment & Mitigation
|
|
38
|
-
- If a simple mitigation or workaround (configuration change, safe default, or recommended upgrade) exists, document it clearly in the issue/Tidelift advisory.
|
|
39
|
-
- If immediate removal of a release is required (rare), consult Tidelift for coordinated takedown and notify package hosts if applicable.
|
|
40
|
-
|
|
41
|
-
4. Remediation & Patch
|
|
42
|
-
- Prepare a fix in a branch with tests and changelog entries. Prefer minimal, well-tested changes.
|
|
43
|
-
- Include tests that reproduce the faulty behavior and demonstrate the fix.
|
|
44
|
-
- Hardening: add fuzz tests, input validation, or additional checks as appropriate.
|
|
45
|
-
|
|
46
|
-
5. Release & Disclosure
|
|
47
|
-
- Coordinate disclosure through Tidelift per `SECURITY.md` timelines. Aim for a coordinated disclosure and patch release to minimize risk to users.
|
|
48
|
-
- Publish a patch release (increment gem version) and an advisory via Tidelift.
|
|
49
|
-
- Update `CHANGELOG.md` and repository release notes with non-sensitive details.
|
|
50
|
-
|
|
51
|
-
6. Post-Incident
|
|
52
|
-
- Produce a short postmortem: timeline, root cause, actions taken, and follow-ups.
|
|
53
|
-
- Add/adjust tests and CI checks to prevent regressions.
|
|
54
|
-
- If credentials or infrastructure were compromised, rotate secrets and audit access.
|
|
55
|
-
|
|
56
|
-
## Severity classification (guidance)
|
|
57
|
-
- High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching.
|
|
58
|
-
- Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory.
|
|
59
|
-
- Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release.
|
|
60
|
-
|
|
61
|
-
## Preservation of evidence
|
|
62
|
-
- Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation.
|
|
63
|
-
- Do not publish evidence that would enable exploitation before coordinated disclosure.
|
|
64
|
-
|
|
65
|
-
## Communication templates
|
|
66
|
-
Acknowledgement (to reporter)
|
|
67
|
-
|
|
68
|
-
"Thank you for reporting this issue. I've received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project's security policy."
|
|
69
|
-
|
|
70
|
-
Public advisory (after patch is ready)
|
|
71
|
-
|
|
72
|
-
"A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations."
|
|
73
|
-
|
|
74
|
-
## Runbook: Quick steps for a maintainer to patch and release
|
|
75
|
-
1. Create a branch: `git checkout -b fix/security-brief-description`
|
|
76
|
-
2. Reproduce the issue locally and add a regression spec in `spec/`.
|
|
77
|
-
3. Implement the fix and run the test suite: `bundle exec rspec` (or the project's preferred test command).
|
|
78
|
-
4. Bump version in `lib/oauth2/version.rb` following semantic versioning.
|
|
79
|
-
5. Update `CHANGELOG.md` with an entry describing the fix (avoid exploit details).
|
|
80
|
-
6. Commit and push the branch, open a PR, and merge after approvals.
|
|
81
|
-
7. Build and push the gem: `gem build oauth2.gemspec && gem push pkg/...` (coordinate with Tidelift before public push if disclosure is coordinated).
|
|
82
|
-
8. Publish a release on GitHub and ensure the Tidelift advisory is posted.
|
|
83
|
-
|
|
84
|
-
## Operational notes
|
|
85
|
-
- Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services.
|
|
86
|
-
- Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place.
|
|
87
|
-
|
|
88
|
-
## Legal & regulatory
|
|
89
|
-
- If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications.
|
|
90
|
-
|
|
91
|
-
## Retrospective & continuous improvement
|
|
92
|
-
After an incident, perform a brief post-incident review covering:
|
|
93
|
-
- What happened and why
|
|
94
|
-
- What was done to contain and remediate
|
|
95
|
-
- What tests or process changes will prevent recurrence
|
|
96
|
-
- Assign owners and deadlines for follow-up tasks
|
|
97
|
-
|
|
98
|
-
## References
|
|
99
|
-
- See `SECURITY.md` for the project's official disclosure channel (Tidelift).
|
|
100
|
-
|
|
101
|
-
## Appendix: Example checklist for an incident
|
|
102
|
-
- [ ] Acknowledge report to reporter (24-72 hours)
|
|
103
|
-
- [ ] Reproduce and classify severity
|
|
104
|
-
- [ ] Prepare and test a fix in a branch
|
|
105
|
-
- [ ] Coordinate disclosure via Tidelift
|
|
106
|
-
- [ ] Publish patch release and advisory
|
|
107
|
-
- [ ] Postmortem and follow-up actions
|