oauth2 2.0.19 → 2.0.22

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.19
+  version: 2.0.22
 platform: ruby
 authors:
 - Peter Boling
@@ -45,14 +45,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.1
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -150,7 +156,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -160,7 +166,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
 - !ruby/object:Gem::Dependency
   name: version_gem
   requirement: !ruby/object:Gem::Requirement
@@ -170,7 +176,7 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.11
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -180,145 +186,151 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.11
 - !ruby/object:Gem::Dependency
-  name: addressable
+  name: kettle-dev
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.8'
+        version: '2.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.8.7
+        version: 2.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.8'
+        version: '2.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.8.7
+        version: 2.1.1
 - !ruby/object:Gem::Dependency
-  name: nkf
+  name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 0.9.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 0.9.3
 - !ruby/object:Gem::Dependency
-  name: rexml
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.2.5
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.2.5
+        version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: kettle-dev
+  name: require_bench
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.4
 - !ruby/object:Gem::Dependency
-  name: bundler-audit
+  name: appraisal2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: kettle-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.3
 - !ruby/object:Gem::Dependency
-  name: require_bench
+  name: turbo_tests2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 3.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
-  name: appraisal2
+  name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.6
+        version: '1.13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.6
+        version: '1.13'
 - !ruby/object:Gem::Dependency
-  name: kettle-test
+  name: stone_checksums
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -326,7 +338,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.10
+        version: 1.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -336,81 +348,101 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.10
+        version: 1.0.3
 - !ruby/object:Gem::Dependency
-  name: ruby-progressbar
+  name: gitmoji-regex
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
 - !ruby/object:Gem::Dependency
-  name: stone_checksums
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.8'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 2.8.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.8'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 2.8.7
 - !ruby/object:Gem::Dependency
-  name: gitmoji-regex
+  name: backports
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.25'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 3.25.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3.25'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 3.25.1
 - !ruby/object:Gem::Dependency
-  name: backports
+  name: nkf
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.25'
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.25.1
+        version: 3.2.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.25'
+        version: '3.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.25.1
+        version: 3.2.5
 description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framework,
   including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
 email:
@@ -424,30 +456,24 @@ extra_rdoc_files:
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
-- IRP.md
-- LICENSE.txt
-- OIDC.md
+- LICENSE.md
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
-- THREAT_MODEL.md
 files:
 - CHANGELOG.md
 - CITATION.cff
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
-- IRP.md
-- LICENSE.txt
-- OIDC.md
+- LICENSE.md
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
-- THREAT_MODEL.md
+- certs/pboling.pem
 - lib/oauth2.rb
 - lib/oauth2/access_token.rb
+- lib/oauth2/auth_sanitizer.rb
 - lib/oauth2/authenticator.rb
 - lib/oauth2/client.rb
 - lib/oauth2/error.rb
@@ -475,43 +501,16 @@ homepage: https://github.com/ruby-oauth/oauth2
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://oauth2.galtzo.com/
-  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.19
-  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.19/CHANGELOG.md
+  homepage_uri: https://oauth2.galtzo.com
+  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.22
+  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.22/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.19
-  mailing_list_uri: https://groups.google.com/g/oauth-ruby
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.22
   funding_uri: https://github.com/sponsors/pboling
-  wiki_uri: https://gitlab.com/ruby-oauth/oauth2/-/wiki
+  wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
   news_uri: https://www.railsbling.com/tags/oauth2
   discord_uri: https://discord.gg/3qme4XHNKN
   rubygems_mfa_required: 'true'
-post_install_message: |2
-
-  ---+++--- oauth2 v2.0.19 ---+++---
-
-  (minor) ⚠️ BREAKING CHANGES ⚠️ when upgrading from < v2
-  • Summary of breaking changes: https://gitlab.com/ruby-oauth/oauth2#what-is-new-for-v20
-  • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.19/CHANGELOG.md#2015-2025-09-08
-
-  News:
-  1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com
-  2. New official Discord for discussion and support: https://discord.gg/3qme4XHNKN
-  3. New org name "ruby-oauth" on Open Source Collective, GitHub, GitLab, Codeberg (update git remotes!)
-  4. Non-commercial support for the 2.x series will end by April, 2026. Please make a plan to upgrade to the next version prior to that date.
-  Support will be dropped for Ruby 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 3.0, 3.1 and any other Ruby versions which will also have reached EOL by then.
-  5. Gem releases are cryptographically signed with a 20-year cert; SHA-256 & SHA-512 checksums by stone_checksums.
-  6. Please consider supporting this project:
-     • https://opencollective.com/ruby-oauth (new!)
-     • https://liberapay.com/pboling
-     • https://github.com/sponsors/pboling
-     • https://www.paypal.com/paypalme/peterboling
-     • https://ko-fi.com/pboling
-     • https://www.buymeacoffee.com/pboling
-     • https://tidelift.com/funding/github/rubygems/oauth
-     • Hire me - I can build anything
-     • Report issues, and star the project
-  Thanks, @pboling / @galtzo
 rdoc_options:
 - "--title"
 - "oauth2 - \U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
@@ -535,7 +534,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.11
+rubygems_version: 4.0.10
 specification_version: 4
 summary: "\U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
 test_files: []

data/IRP.md

@@ -1,107 +0,0 @@
-# Incident Response Plan (IRP)
-
-Status: Draft
-
-## Purpose
-
-This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the `oauth2` gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable.
-
-## Scope
-
-Applies to security incidents that affect the `oauth2` codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users.
-
-## Key assumptions
-- This project is maintained primarily by a single maintainer.
-- Public vulnerability disclosure is handled via Tidelift (see `SECURITY.md`).
-- The maintainer will act as incident commander unless otherwise delegated.
-
-## Contact & Roles
-
-- Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications.
-- Secondary Contact: (optional) A trusted collaborator or organization contact if available.
-
-### If you are an external reporter
-- Do not publicly disclose details of an active vulnerability before coordination via Tidelift.
-- See `SECURITY.md` for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in `SECURITY.md` (if available) or email the maintainer contact listed in the repository.
-
-## Incident Handling Workflow (high level)
-1. Identification & Reporting
-   - Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories.
-   - Immediately acknowledge receipt (within 24-72 hours) via the reporting channel.
-
-2. Triage & Initial Assessment (first 72 hours)
-   - Confirm the report is not duplicative and gather: reproducer, affected versions, attack surface, exploitability, and CVSS-like severity estimate.
-   - Verify the issue against the codebase and reproduce locally if possible.
-   - Determine scope: which versions are affected, whether the issue is in code paths executed in common setups, and whether a workaround exists.
-
-3. Containment & Mitigation
-   - If a simple mitigation or workaround (configuration change, safe default, or recommended upgrade) exists, document it clearly in the issue/Tidelift advisory.
-   - If immediate removal of a release is required (rare), consult Tidelift for coordinated takedown and notify package hosts if applicable.
-
-4. Remediation & Patch
-   - Prepare a fix in a branch with tests and changelog entries. Prefer minimal, well-tested changes.
-   - Include tests that reproduce the faulty behavior and demonstrate the fix.
-   - Hardening: add fuzz tests, input validation, or additional checks as appropriate.
-
-5. Release & Disclosure
-   - Coordinate disclosure through Tidelift per `SECURITY.md` timelines. Aim for a coordinated disclosure and patch release to minimize risk to users.
-   - Publish a patch release (increment gem version) and an advisory via Tidelift.
-   - Update `CHANGELOG.md` and repository release notes with non-sensitive details.
-
-6. Post-Incident
-   - Produce a short postmortem: timeline, root cause, actions taken, and follow-ups.
-   - Add/adjust tests and CI checks to prevent regressions.
-   - If credentials or infrastructure were compromised, rotate secrets and audit access.
-
-## Severity classification (guidance)
-- High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching.
-- Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory.
-- Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release.
-
-## Preservation of evidence
-- Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation.
-- Do not publish evidence that would enable exploitation before coordinated disclosure.
-
-## Communication templates
-Acknowledgement (to reporter)
-
-"Thank you for reporting this issue. I've received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project's security policy."
-
-Public advisory (after patch is ready)
-
-"A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations."
-
-## Runbook: Quick steps for a maintainer to patch and release
-1. Create a branch: `git checkout -b fix/security-brief-description`
-2. Reproduce the issue locally and add a regression spec in `spec/`.
-3. Implement the fix and run the test suite: `bundle exec rspec` (or the project's preferred test command).
-4. Bump version in `lib/oauth2/version.rb` following semantic versioning.
-5. Update `CHANGELOG.md` with an entry describing the fix (avoid exploit details).
-6. Commit and push the branch, open a PR, and merge after approvals.
-7. Build and push the gem: `gem build oauth2.gemspec && gem push pkg/...` (coordinate with Tidelift before public push if disclosure is coordinated).
-8. Publish a release on GitHub and ensure the Tidelift advisory is posted.
-
-## Operational notes
-- Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services.
-- Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place.
-
-## Legal & regulatory
-- If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications.
-
-## Retrospective & continuous improvement
-After an incident, perform a brief post-incident review covering:
-- What happened and why
-- What was done to contain and remediate
-- What tests or process changes will prevent recurrence
-- Assign owners and deadlines for follow-up tasks
-
-## References
-- See `SECURITY.md` for the project's official disclosure channel (Tidelift).
-
-## Appendix: Example checklist for an incident
-- [ ] Acknowledge report to reporter (24-72 hours)
-- [ ] Reproduce and classify severity
-- [ ] Prepare and test a fix in a branch
-- [ ] Coordinate disclosure via Tidelift
-- [ ] Publish patch release and advisory
-- [ ] Postmortem and follow-up actions

data/LICENSE.txt

@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2017-2026 Peter H. Boling, of Galtzo.com, and oauth2 contributors
-Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.