oauth2 2.0.22 → 2.0.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7964123b20cd2a456b4207c27b2695bbe8e46b30efdafc01731bdf97038fd58e
-  data.tar.gz: 908001fb4aa70279ee6384a0de5fefb43bf3c8b64466e5df248f244b353a270c
+  metadata.gz: 01151dc8f48c49a5a925098de896b74bca26c0791d4667f9f87edd6329a5c8ab
+  data.tar.gz: d49ddb0357387cf39b3cd961e4c4747328f8b8495081efc9f65389bb7187cc79
 SHA512:
-  metadata.gz: 772d189a481bf1329bcbb0443f98ce2feefefcc77387dad7d8f6128ebd2139a29fc0c2410721394aec5bcece3f786b980c33eba6acc0fe6ecd1c4366308dc0fb
-  data.tar.gz: 959412178a6d2b37902c1b91a7e3b8c688dc1142dc118e56752ddaf0fdc99c06017d297d96ccfd0b37bca1dc2308c441050b40b64f06d31a815c6f5df7c91d0d
+  metadata.gz: 45cab4b58795551fd1e0b827b5ee8e155ae741a5af983f1f777926cac677eeeea89f9220d1fd478e2529632e01d27291da0c37e6ef6c7e88771dc8f4a1affefd
+  data.tar.gz: 981305491fe56a81552efcc9d9719313e159f8d4f2251fe3a0753637c0958509fdb99bdbc46f2202b7b938f1bb7e6b827bb08213eb467d0fb2e8704435e0c647

data/CHANGELOG.md

@@ -30,6 +30,27 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.0.23] - 2026-06-13
+
+- TAG: [v2.0.23][2.0.23t]
+- COVERAGE: 100.00% -- 562/562 lines in 15 files
+- BRANCH COVERAGE: 97.89% -- 186/190 branches in 15 files
+- 88.35% documented
+
+### Changed
+
+- Upgraded to snaky_hash v2.0.6 by @pboling
+- Refreshed generated GHA workflow action SHA pins by @pboling
+
+### Fixed
+
+- Addressed Reek code-quality checks with targeted cleanup and documented compatibility exclusions by @pboling
+- Fixed deprecation warning from MultiXML by @robzolkos
+
+[gh!733]: https://github.com/ruby-oauth/oauth2/pull/733
+
+- Fixed head appraisal dependency conflicts and Ruby 2.4 protocol-relative redirect handling by @pboling
+
 ## [2.0.22] - 2026-06-07
 
 - TAG: [v2.0.22][2.0.22t]
@@ -45,7 +66,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
-- [GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect `Location` values from changing request authority, and strip `Authorization` headers from cross-origin redirects.
+- [GHSA-pp92-crg2-gfv9][GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect `Location` values from changing request authority, and strip `Authorization` headers from cross-origin redirects by @tonghuaroot and @pboling
+
+[GHSA-pp92-crg2-gfv9]: https://github.com/ruby-oauth/oauth2/security/advisories/GHSA-pp92-crg2-gfv9
 
 ## [2.0.21] - 2026-06-06
 
@@ -863,7 +886,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 [gemfiles/readme]: gemfiles/README.md
 
-[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.22...HEAD
+[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.23...HEAD
+[2.0.23]: https://github.com/ruby-oauth/oauth2/compare/v2.0.22...v2.0.23
+[2.0.23t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.23
 [2.0.22]: https://github.com/ruby-oauth/oauth2/compare/v2.0.21...v2.0.22
 [2.0.22t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.22
 [2.0.21]: https://github.com/ruby-oauth/oauth2/compare/v2.0.20...v2.0.21

data/LICENSE.md

@@ -107,4 +107,5 @@ Choose the option that best fits your use case:
 - Copyright (c) 2025 Sasa Rosic
 - Copyright (c) 2026 Jonathan Grinstead
 - Copyright (c) 2026 kain
+- Copyright (c) 2026 Rob Zolkos
 - Copyright (c) 2026 StepSecurity Bot

data/README.md

@@ -871,6 +871,7 @@ See [LICENSE.md][📄license] for the official copyright notice.
 - Copyright (c) 2025 Sasa Rosic
 - Copyright (c) 2026 Jonathan Grinstead
 - Copyright (c) 2026 kain
+- Copyright (c) 2026 Rob Zolkos
 - Copyright (c) 2026 StepSecurity Bot
 
 </details>
@@ -1086,7 +1087,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.542-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.562-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: https://github.com/ruby-oauth/oauth2/blob/main/SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year
@@ -1094,7 +1095,7 @@ Thanks for RTFM. ☺️
 [📄license-ref]: MIT.md
 [📄license-img]: https://img.shields.io/badge/License-MIT-259D6C.svg
 [📄license-compat]: https://www.apache.org/legal/resolved.html#category-a
-[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-✓-259D6C.svg?style=flat&logo=Apache
+[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-%E2%9C%93-259D6C.svg?style=flat&logo=Apache
 
 [📄ilo-declaration]: https://www.ilo.org/declaration/lang--en/index.htm
 [📄ilo-declaration-img]: https://img.shields.io/badge/ILO_Fundamental_Principles-✓-259D6C.svg?style=flat
@@ -1114,7 +1115,7 @@ Thanks for RTFM. ☺️
 | Package | oauth2 |
 | Description | 🔐 A Ruby wrapper for the OAuth 2.0 Authorization Framework, including the OAuth 2.1 draft spec, and OpenID Connect (OIDC) |
 | Homepage | https://github.com/ruby-oauth/oauth2 |
-| Source | https://github.com/ruby-oauth/oauth2/tree/v2.0.21 |
+| Source | https://github.com/ruby-oauth/oauth2/tree/v2.0.23 |
 | License | `MIT` |
 | Funding | https://github.com/sponsors/pboling, https://issuehunt.io/u/pboling, https://ko-fi.com/pboling, https://liberapay.com/pboling/donate, https://opencollective.com/ruby-oauth, https://patreon.com/galtzo, https://polar.sh/pboling, https://thanks.dev/u/gh/pboling, https://tidelift.com/funding/github/rubygems/oauth2, https://www.buymeacoffee.com/pboling |
 <!-- kettle-jem:metadata:end -->

data/lib/oauth2/access_token.rb

@@ -68,13 +68,7 @@ module OAuth2
         end
         # :nocov:
         # TODO: Get rid of this branching logic when dropping Hashie < v3.2
-        token = if !defined?(Hashie::VERSION) # i.e. <= "1.1.0"; the first Hashie to ship with a VERSION constant
-          warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
-          # There is a bug in Hashie v0, which is accounts for.
-          fresh.delete(t_key) || fresh[t_key] || ""
-        else
-          fresh.delete(t_key) || ""
-        end
+        token = extract_token_value(fresh, t_key)
         # :nocov:
         new(client, token, fresh)
       end
@@ -108,6 +102,17 @@ Custom token_name (#{key}) is not found in (#{hash.keys})
 You may need to set `snaky: false`. See inline documentation for more info.
         ])
       end
+
+      # :nocov:
+      def extract_token_value(fresh, key)
+        token_value = fresh.delete(key)
+        return token_value || "" if defined?(Hashie::VERSION)
+
+        warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
+        # There is a bug in Hashie v0, which this accounts for.
+        token_value || fresh[key] || ""
+      end
+      # :nocov:
     end
 
     # Initialize an AccessToken
@@ -305,8 +310,8 @@ You may need to set `snaky: false`. See inline documentation for more info.
       # TODO: Switch when dropping Ruby < 2.5 support
       # params.transform_keys(&:to_sym) # Ruby 2.5 only
       # Old Ruby transform_keys alternative:
-      sheesh = @params.each_with_object({}) { |(k, v), memo|
-        memo[k.to_sym] = v
+      sheesh = @params.each_with_object({}) { |(key, value), memo|
+        memo[key.to_sym] = value
       }
       sheesh.merge(hsh)
     end
@@ -375,6 +380,7 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
     def configure_authentication!(opts, verb)
       mode_opt = options[:mode]
+      param_name = options[:param_name]
       mode =
         if mode_opt.respond_to?(:call)
           mode_opt.call(verb)
@@ -388,19 +394,19 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
       case mode
       when :header
-        opts[:headers] ||= {}
-        opts[:headers].merge!(headers)
+        request_headers = opts[:headers] ||= {}
+        request_headers.merge!(headers)
       when :query
         # OAuth 2.1 note: Bearer tokens in the query string are omitted from the spec due to security risks.
         # Prefer the default :header mode whenever possible.
-        opts[:params] ||= {}
-        opts[:params][options[:param_name]] = token
+        request_params = opts[:params] ||= {}
+        request_params[param_name] = token
       when :body
-        opts[:body] ||= {}
-        if opts[:body].is_a?(Hash)
-          opts[:body][options[:param_name]] = token
+        request_body = opts[:body] ||= {}
+        if request_body.is_a?(Hash)
+          request_body[param_name] = token
         else
-          opts[:body] += "&#{options[:param_name]}=#{token}"
+          opts[:body] = "#{request_body}&#{param_name}=#{token}"
         end
         # @todo support for multi-part (file uploads)
       else

data/lib/oauth2/client.rb

@@ -86,8 +86,9 @@ module OAuth2
       @connection ||=
         Faraday.new(site, options[:connection_opts]) do |builder|
           oauth_debug_logging(builder)
-          if options[:connection_build]
-            options[:connection_build].call(builder)
+          connection_build = options[:connection_build]
+          if connection_build
+            connection_build.call(builder)
           else
             builder.request(:url_encoded)             # form-encode POST params
             builder.adapter(Faraday.default_adapter)  # make requests with Net::HTTP
@@ -149,9 +150,9 @@ module OAuth2
 
       case status
       when 301, 302, 303, 307
-        req_opts[:redirect_count] ||= 0
-        req_opts[:redirect_count] += 1
-        return response if req_opts[:redirect_count] > options[:max_redirects]
+        redirect_count = (req_opts[:redirect_count] || 0).to_i + 1
+        req_opts[:redirect_count] = redirect_count
+        return response if redirect_count > options[:max_redirects]
 
         if status == 303
           verb = :get
@@ -338,8 +339,9 @@ module OAuth2
     #
     # @return [Hash] the params to add to a request or URL
     def redirection_params
-      if options[:redirect_uri]
-        {"redirect_uri" => options[:redirect_uri]}
+      redirect_uri = options[:redirect_uri]
+      if redirect_uri
+        {"redirect_uri" => redirect_uri}
       else
         {}
       end
@@ -446,7 +448,7 @@ module OAuth2
       url = connection.build_url(url).to_s
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
-        partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
+        partition { |key, _value| RESERVED_REQ_KEYS.include?(key.to_s) }.
         map(&:to_h)
 
       begin
@@ -454,10 +456,10 @@ module OAuth2
           req.params.update(req_opts[:params]) if req_opts[:params]
           yield(req) if block_given?
         end
-      rescue Faraday::ConnectionFailed => e
-        raise ConnectionError, e
-      rescue Faraday::TimeoutError => e
-        raise TimeoutError, e
+      rescue Faraday::ConnectionFailed => exception
+        raise ConnectionError, exception
+      rescue Faraday::TimeoutError => exception
+        raise TimeoutError, exception
       end
 
       parse = oauth_opts.key?(:parse) ? oauth_opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
@@ -467,29 +469,42 @@ module OAuth2
     end
 
     def resolve_redirect_location(current_location, location)
-      safe_location =
-        if location.respond_to?(:start_with?) && location.start_with?("//")
-          "./#{location}"
-        else
-          location
-        end
+      return protocol_relative_redirect_location(current_location, location) if location.respond_to?(:start_with?) && location.start_with?("//")
 
-      current_location.merge(safe_location)
+      current_location.merge(location)
+    end
+
+    def protocol_relative_redirect_location(current_location, location)
+      protocol_relative_location = URI.parse(location)
+      authority = +""
+      authority << "#{protocol_relative_location.userinfo}@" if protocol_relative_location.userinfo
+      authority << protocol_relative_location.host.to_s
+      authority << ":#{protocol_relative_location.port}" if protocol_relative_location.port
+
+      current_location.dup.tap do |safe_location|
+        safe_location.path = "///#{authority}#{protocol_relative_location.path}"
+        safe_location.query = protocol_relative_location.query if safe_location.respond_to?(:query=)
+        safe_location.fragment = protocol_relative_location.fragment if safe_location.respond_to?(:fragment=)
+      end
     end
 
     def sanitize_redirect_options(req_opts, current_location, next_location)
       return req_opts unless cross_origin_redirect?(current_location, next_location)
 
       headers = req_opts[:headers]
-      return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      return req_opts unless headers && headers.any? { |key, _value| authorization_header?(key) }
 
       safe_opts = req_opts.dup
       safe_headers = headers.dup
-      safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      safe_headers.delete_if { |key, _value| authorization_header?(key) }
       safe_opts[:headers] = safe_headers
       safe_opts
     end
 
+    def authorization_header?(key)
+      key.to_s.casecmp("Authorization").zero?
+    end
+
     def cross_origin_redirect?(current_location, next_location)
       current_location.scheme != next_location.scheme ||
         current_location.host != next_location.host ||
@@ -595,12 +610,13 @@ module OAuth2
 
     def oauth_debug_logging(builder)
       if OAuth2::OAUTH_DEBUG
+        config = OAuth2.config
         builder.response(
           :logger,
           OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
             options[:logger],
-            filtered_keys: OAuth2.config[:filtered_debug_keys],
-            label: OAuth2.config[:filtered_label]
+            filtered_keys: config[:filtered_debug_keys],
+            label: config[:filtered_label]
           ),
           bodies: true
         )

data/lib/oauth2/error.rb

@@ -20,9 +20,10 @@ module OAuth2
       @code = nil
       @description = nil
       if response.respond_to?(:parsed)
-        if response.parsed.is_a?(Hash)
-          @code = response.parsed["error"]
-          @description = response.parsed["error_description"]
+        parsed_response = response.parsed
+        if parsed_response.is_a?(Hash)
+          @code = parsed_response["error"]
+          @description = parsed_response["error_description"]
         end
       elsif response.is_a?(Hash)
         @code = response["error"]
@@ -46,11 +47,12 @@ module OAuth2
     # @return [String] Message suitable for StandardError
     def error_message(response_body, opts = {})
       lines = []
+      error_description = opts[:error_description]
 
-      lines << opts[:error_description] if opts[:error_description]
+      lines << error_description if error_description
 
-      error_string = if response_body.respond_to?(:encode) && opts[:error_description].respond_to?(:encoding)
-        script_encoding = opts[:error_description].encoding
+      error_string = if response_body.respond_to?(:encode) && error_description.respond_to?(:encoding)
+        script_encoding = error_description.encoding
         response_body.encode(script_encoding, invalid: :replace, undef: :replace)
       else
         response_body

data/lib/oauth2/response.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "set"
 require "multi_xml"
 require "rack"
 
@@ -108,15 +109,16 @@ module OAuth2
     def parsed
       return @parsed if defined?(@parsed)
 
+      response_parser = parser
       @parsed =
-        if parser.respond_to?(:call)
-          case parser.arity
+        if response_parser.respond_to?(:call)
+          case response_parser.arity
           when 0
-            parser.call
+            response_parser.call
           when 1
-            parser.call(body)
+            response_parser.call(body)
           else
-            parser.call(body, response)
+            response_parser.call(body, response)
           end
         end
 
@@ -132,9 +134,10 @@ module OAuth2
     #
     # @return [String, nil] The content type or nil if headers are not present
     def content_type
-      return unless response.headers
+      response_headers = response.headers
+      return unless response_headers
 
-      ((response.headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
+      ((response_headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
     end
 
     # Determines the parser to be used for the response body
@@ -154,11 +157,12 @@ module OAuth2
     def parser
       return @parser if defined?(@parser)
 
+      parse_option = options[:parse]
       @parser =
-        if options[:parse].respond_to?(:call)
-          options[:parse]
-        elsif options[:parse]
-          @@parsers[options[:parse].to_sym]
+        if parse_option.respond_to?(:call)
+          parse_option
+        elsif parse_option
+          @@parsers[parse_option.to_sym]
         end
 
       @parser ||= @@parsers[@@content_types[content_type]]
@@ -171,7 +175,7 @@ end
 OAuth2::Response.register_parser(:xml, ["text/xml", "application/rss+xml", "application/rdf+xml", "application/atom+xml", "application/xml"]) do |body|
   next body unless body.respond_to?(:to_str)
 
-  MultiXml.parse(body)
+  (defined?(MultiXML) ? MultiXML : MultiXml).parse(body)
 end
 
 # Register JSON parser

data/lib/oauth2/version.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.22"
+    VERSION = "2.0.23"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end

metadata

@@ -1,12 +1,10 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.22
+  version: 2.0.23
 platform: ruby
 authors:
-- Peter Boling
-- Erik Michaels-Ober
-- Michael Bleigh
+- Peter H. Boling
 bindir: exe
 cert_chain:
 - |
@@ -156,7 +154,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -166,7 +164,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
 - !ruby/object:Gem::Dependency
   name: version_gem
   requirement: !ruby/object:Gem::Requirement
@@ -193,20 +191,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.1
+        version: 2.2.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.1
+        version: 2.2.5
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -264,7 +262,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -274,7 +272,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
 - !ruby/object:Gem::Dependency
   name: kettle-test
   requirement: !ruby/object:Gem::Requirement
@@ -284,7 +282,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -294,7 +292,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
 - !ruby/object:Gem::Dependency
   name: turbo_tests2
   requirement: !ruby/object:Gem::Requirement
@@ -304,7 +302,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -314,7 +312,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -447,7 +445,6 @@ description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framewor
   including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
 email:
 - floss@galtzo.com
-- oauth-ruby@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -502,10 +499,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://oauth2.galtzo.com
-  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.22
-  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.22/CHANGELOG.md
+  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.23
+  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.23/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.22
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.23
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
   news_uri: https://www.railsbling.com/tags/oauth2