oauth2 2.0.22 → 2.0.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7964123b20cd2a456b4207c27b2695bbe8e46b30efdafc01731bdf97038fd58e
-  data.tar.gz: 908001fb4aa70279ee6384a0de5fefb43bf3c8b64466e5df248f244b353a270c
+  metadata.gz: 6a0de4e6399834238562b52bb7e5c00550453118dfd111cb4bdc58de0e9e6657
+  data.tar.gz: d61082265dbbd08a4554d475fd7b9980f2beeae912e218191911db5dc12e55d5
 SHA512:
-  metadata.gz: 772d189a481bf1329bcbb0443f98ce2feefefcc77387dad7d8f6128ebd2139a29fc0c2410721394aec5bcece3f786b980c33eba6acc0fe6ecd1c4366308dc0fb
-  data.tar.gz: 959412178a6d2b37902c1b91a7e3b8c688dc1142dc118e56752ddaf0fdc99c06017d297d96ccfd0b37bca1dc2308c441050b40b64f06d31a815c6f5df7c91d0d
+  metadata.gz: 9a8cfb81304f9337ea276cbda2741e9d808885b0b301e55dfb9f76fa0f835f636c97e9ab29a896cc4b17e3801c3b9eacca33b520f77d94fe1b67eb9f39c23751
+  data.tar.gz: 93a8e651d24279a9f13b7bc267a19210830d9ed5fb33c79dcb820d998de55b89c4b6a241667945466f7782a11fcf3b3bae00156a697f02505e5a7ac0f3ddeec4

checksums.yaml.gz.sig

@@ -1,3 +1,3 @@
-��7�[+l�����em�y*پ~�4�"N4o��R�V^צ�w^8J��n*|څG�
-�Y�Cg(G�A��ÿ�D��Y$En=��6(�w��4���Ѹ6ŷ�=��O3�Hб��������`ؠђbZ]~z�/��FB��:G^lr+\���u���4�>	��
-�ܰ�d��dS'�R��?��>繱��S|����k�/c�~�Wҗ.�B���rɵ��l��L����ݡala��9\s�=�%LJZ4D�\��0M4E�_���� ��yl�IzM�"�|4/�y~;�����0u�?��O�ۮ�g`�/��ь��b��vvH
+6t��	�����v�����?��	V75�K�:IK�	��;~,'d��\�OR���o
+�Q��W�D�μO�&�z.��V��<�r���(v��|r��!meħa��˸?"�QZ{�; �B �8�1 \� �Fb�9��ji�Z�,v'
+5�.7��`q�q���	�w��uK�S�Y���LO��u/��+�^L%�y�<�Լ�/��ӝ�_j;��K݇<�I����'�����K�/㮖�
�A������u!S�W}��&�{r�-���v��Y�f�v�ԩ��\�W�l@�{�^�<T�Ǝ��w~�зpS�]kr�
�7L6��p����>��4�+k�;\iAkc��W��?$�H��E��q�ͳ

data/CHANGELOG.md

@@ -30,6 +30,47 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.0.24] - 2026-06-18
+
+- TAG: [v2.0.24][2.0.24t]
+- COVERAGE: 100.00% -- 558/558 lines in 15 files
+- BRANCH COVERAGE: 97.89% -- 186/190 branches in 15 files
+- 88.35% documented
+
+### Changed
+
+- Raised the `anonymous_loader` runtime dependency floor to `>= 0.1.1`.
+- Raised the `auth-sanitizer` runtime dependency floor to `>= 0.2.2` and
+  switched isolated sanitizer loading to the released `anonymous_loader` gem,
+  including local workspace wiring for the new runtime dependency.
+
+### Fixed
+
+- Fixed isolated `auth-sanitizer` loading when Bundler standalone setup makes
+  `auth_sanitizer/loader.rb` available on `$LOAD_PATH` without adding
+  `auth-sanitizer` to `Gem.loaded_specs` or `GEM_PATH`.
+
+## [2.0.23] - 2026-06-13
+
+- TAG: [v2.0.23][2.0.23t]
+- COVERAGE: 100.00% -- 562/562 lines in 15 files
+- BRANCH COVERAGE: 97.89% -- 186/190 branches in 15 files
+- 88.35% documented
+
+### Changed
+
+- Upgraded to snaky_hash v2.0.6 by @pboling
+- Refreshed generated GHA workflow action SHA pins by @pboling
+
+### Fixed
+
+- Addressed Reek code-quality checks with targeted cleanup and documented compatibility exclusions by @pboling
+- Fixed deprecation warning from MultiXML by @robzolkos
+
+[gh!733]: https://github.com/ruby-oauth/oauth2/pull/733
+
+- Fixed head appraisal dependency conflicts and Ruby 2.4 protocol-relative redirect handling by @pboling
+
 ## [2.0.22] - 2026-06-07
 
 - TAG: [v2.0.22][2.0.22t]
@@ -45,7 +86,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
-- [GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect `Location` values from changing request authority, and strip `Authorization` headers from cross-origin redirects.
+- [GHSA-pp92-crg2-gfv9][GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect `Location` values from changing request authority, and strip `Authorization` headers from cross-origin redirects by @tonghuaroot and @pboling
+
+[GHSA-pp92-crg2-gfv9]: https://github.com/ruby-oauth/oauth2/security/advisories/GHSA-pp92-crg2-gfv9
 
 ## [2.0.21] - 2026-06-06
 
@@ -67,7 +110,9 @@ Please file a bug if you notice a violation of semantic versioning.
 ### Changed
 
 - Raised generated `version_gem` dependency floor to `version_gem` >= 1.1.10 - by @pboling
-- Raised the runtime dependency floor for `auth-sanitizer` to `>= 0.2.1` - by @pboling
+- Raised the runtime dependency floor for `auth-sanitizer` to `>= 0.2.1` so
+  OAuth2 consumers get hash and nested-attribute inspect redaction fixes plus
+  downstream RBS duplicate-declaration fixes - by @pboling
 - Refreshed generated package metadata, support documentation, CI workflows,
   and development dependency floors from the current kettle-jem template - by @pboling
 - Documented the current per-version Ruby, JRuby, and TruffleRuby CI matrix in
@@ -863,7 +908,11 @@ Please file a bug if you notice a violation of semantic versioning.
 
 [gemfiles/readme]: gemfiles/README.md
 
-[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.22...HEAD
+[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.24...HEAD
+[2.0.24]: https://github.com/ruby-oauth/oauth2/compare/v2.0.23...v2.0.24
+[2.0.24t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.24
+[2.0.23]: https://github.com/ruby-oauth/oauth2/compare/v2.0.22...v2.0.23
+[2.0.23t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.23
 [2.0.22]: https://github.com/ruby-oauth/oauth2/compare/v2.0.21...v2.0.22
 [2.0.22t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.22
 [2.0.21]: https://github.com/ruby-oauth/oauth2/compare/v2.0.20...v2.0.21

data/CONTRIBUTING.md

@@ -109,14 +109,14 @@ Git diff driver setup
 - Git hosting forges generally ignore external diff drivers, so pull request views may still show raw textual diffs even when local `git diff` uses semantic drivers.
 
 ```console
-K_JEM_TEMPLATING=true bundle exec kettle-jem install
+K_JEM_TEMPLATING=true kettle-jem install
 ```
 
 Troubleshooting Git diffs
 - Use `git diff --no-ext-diff` to compare against Git's built-in diff output.
 - Use `git diff --no-textconv` when a textconv projection obscures the raw file bytes you need to inspect.
 - If Git reports a missing `smorg-*` executable, rerun `bundle install` and the setup command above, then check `git config --local --get-regexp '^diff\.smorg-'`.
-- To remove managed local entries, run `K_JEM_TEMPLATING=true bundle exec kettle-jem install --undo`; remove global command registrations with `git config --global --unset-all diff.smorg-ruby.command`.
+- To remove managed local entries, run `K_JEM_TEMPLATING=true kettle-jem install --undo`; remove global command registrations with `git config --global --unset-all diff.smorg-ruby.command`.
 
 For a quick starting point, this repository’s `mise.toml` defines the shared defaults, and `.env.local` can override them locally. Copy `.env.local.example` to `.env.local`, use `KEY=value` lines, and either activate `mise` in your shell or run commands through `mise exec -C /path/to/project -- ...`.
 

data/LICENSE.md

@@ -107,4 +107,5 @@ Choose the option that best fits your use case:
 - Copyright (c) 2025 Sasa Rosic
 - Copyright (c) 2026 Jonathan Grinstead
 - Copyright (c) 2026 kain
+- Copyright (c) 2026 Rob Zolkos
 - Copyright (c) 2026 StepSecurity Bot

data/README.md

@@ -171,9 +171,22 @@ This test floor is configured by `ruby.test_minimum` in `.kettle-jem.yml` and
 may be higher than the gem's runtime compatibility floor when legacy Rubies are
 not practical for the current toolchain.
 
-| 🚚 _Amazing_ test matrix was brought to you by | 🔎 appraisal2 🔎 and the color 💚 green 💚 |
-|------------------------------------------------|--------------------------------------------------------|
-| 👟 Check it out! | ✨ [github.com/appraisal-rb/appraisal2][💎appraisal2] ✨ |
+| 🚚 _Amazing_ test matrix was brought to you by | The Kettle dev/test stack |
+|------------------------------------------------|---------------------------|
+
+<details>
+<summary>How We Manage Complexity In Tests</summary>
+
+| Gem | Source | Role | Daily download rank |
+|-----|--------|------|---------------------|
+| [appraisal2](https://bestgems.org/gems/appraisal2) | [GitHub](https://github.com/appraisal-rb/appraisal2) | multi-dependency Appraisal matrix generation | [![Daily download rank for appraisal2](https://img.shields.io/gem/rd/appraisal2.svg?style=flat-square)](https://bestgems.org/gems/appraisal2) |
+| [appraisal2-rubocop](https://bestgems.org/gems/appraisal2-rubocop) | [GitHub](https://github.com/appraisal-rb/appraisal2-rubocop) | RuboCop Appraisal generator integration | [![Daily download rank for appraisal2-rubocop](https://img.shields.io/gem/rd/appraisal2-rubocop.svg?style=flat-square)](https://bestgems.org/gems/appraisal2-rubocop) |
+| [turbo_tests2](https://bestgems.org/gems/turbo_tests2) | [GitHub](https://github.com/galtzo-floss/turbo_tests2) | parallel test execution | [![Daily download rank for turbo_tests2](https://img.shields.io/gem/rd/turbo_tests2.svg?style=flat-square)](https://bestgems.org/gems/turbo_tests2) |
+| [kettle-test](https://bestgems.org/gems/kettle-test) | [GitHub](https://github.com/kettle-dev/kettle-test) | standard test runner and coverage harness | [![Daily download rank for kettle-test](https://img.shields.io/gem/rd/kettle-test.svg?style=flat-square)](https://bestgems.org/gems/kettle-test) |
+| [kettle-soup-cover](https://bestgems.org/gems/kettle-soup-cover) | [GitHub](https://github.com/kettle-dev/kettle-soup-cover) | SimpleCov coverage policy and reporting | [![Daily download rank for kettle-soup-cover](https://img.shields.io/gem/rd/kettle-soup-cover.svg?style=flat-square)](https://bestgems.org/gems/kettle-soup-cover) |
+| [rubocop-lts](https://bestgems.org/gems/rubocop-lts) | [GitHub](https://github.com/rubocop-lts/rubocop-lts) | Ruby-version-aware linting | [![Daily download rank for rubocop-lts](https://img.shields.io/gem/rd/rubocop-lts.svg?style=flat-square)](https://bestgems.org/gems/rubocop-lts) |
+
+</details>
 
 ### Federated DVCS
 
@@ -660,9 +673,13 @@ NOTE: [kettle-readme-backers][kettle-readme-backers] updates this list every day
 
 <!-- OPENCOLLECTIVE-ORGANIZATIONS:START -->
 No sponsors yet. Be the first!
+
+### Open Collective for Donors
+
+[Bill Woika](https://opencollective.com/bill-woika) [Philipp Ebneter](https://opencollective.com/guest-e77282f7) [Grigoriy](https://opencollective.com/guest-c93e0c48)
 <!-- OPENCOLLECTIVE-ORGANIZATIONS:END -->
 
-[kettle-readme-backers]: https://github.com/ruby-oauth/oauth2/blob/main/exe/kettle-readme-backers
+[kettle-readme-backers]: https://github.com/ruby-oauth/oauth2/blob/main/bin/kettle-readme-backers
 
 ### Another way to support open-source
 
@@ -871,6 +888,7 @@ See [LICENSE.md][📄license] for the official copyright notice.
 - Copyright (c) 2025 Sasa Rosic
 - Copyright (c) 2026 Jonathan Grinstead
 - Copyright (c) 2026 kain
+- Copyright (c) 2026 Rob Zolkos
 - Copyright (c) 2026 StepSecurity Bot
 
 </details>
@@ -1086,7 +1104,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.542-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.558-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: https://github.com/ruby-oauth/oauth2/blob/main/SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year
@@ -1094,7 +1112,7 @@ Thanks for RTFM. ☺️
 [📄license-ref]: MIT.md
 [📄license-img]: https://img.shields.io/badge/License-MIT-259D6C.svg
 [📄license-compat]: https://www.apache.org/legal/resolved.html#category-a
-[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-✓-259D6C.svg?style=flat&logo=Apache
+[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-%E2%9C%93-259D6C.svg?style=flat&logo=Apache
 
 [📄ilo-declaration]: https://www.ilo.org/declaration/lang--en/index.htm
 [📄ilo-declaration-img]: https://img.shields.io/badge/ILO_Fundamental_Principles-✓-259D6C.svg?style=flat
@@ -1114,7 +1132,7 @@ Thanks for RTFM. ☺️
 | Package | oauth2 |
 | Description | 🔐 A Ruby wrapper for the OAuth 2.0 Authorization Framework, including the OAuth 2.1 draft spec, and OpenID Connect (OIDC) |
 | Homepage | https://github.com/ruby-oauth/oauth2 |
-| Source | https://github.com/ruby-oauth/oauth2/tree/v2.0.21 |
+| Source | https://github.com/ruby-oauth/oauth2 |
 | License | `MIT` |
 | Funding | https://github.com/sponsors/pboling, https://issuehunt.io/u/pboling, https://ko-fi.com/pboling, https://liberapay.com/pboling/donate, https://opencollective.com/ruby-oauth, https://patreon.com/galtzo, https://polar.sh/pboling, https://thanks.dev/u/gh/pboling, https://tidelift.com/funding/github/rubygems/oauth2, https://www.buymeacoffee.com/pboling |
 <!-- kettle-jem:metadata:end -->

data/lib/oauth2/access_token.rb

@@ -68,13 +68,7 @@ module OAuth2
         end
         # :nocov:
         # TODO: Get rid of this branching logic when dropping Hashie < v3.2
-        token = if !defined?(Hashie::VERSION) # i.e. <= "1.1.0"; the first Hashie to ship with a VERSION constant
-          warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
-          # There is a bug in Hashie v0, which is accounts for.
-          fresh.delete(t_key) || fresh[t_key] || ""
-        else
-          fresh.delete(t_key) || ""
-        end
+        token = extract_token_value(fresh, t_key)
         # :nocov:
         new(client, token, fresh)
       end
@@ -108,6 +102,17 @@ Custom token_name (#{key}) is not found in (#{hash.keys})
 You may need to set `snaky: false`. See inline documentation for more info.
         ])
       end
+
+      # :nocov:
+      def extract_token_value(fresh, key)
+        token_value = fresh.delete(key)
+        return token_value || "" if defined?(Hashie::VERSION)
+
+        warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
+        # There is a bug in Hashie v0, which this accounts for.
+        token_value || fresh[key] || ""
+      end
+      # :nocov:
     end
 
     # Initialize an AccessToken
@@ -305,8 +310,8 @@ You may need to set `snaky: false`. See inline documentation for more info.
       # TODO: Switch when dropping Ruby < 2.5 support
       # params.transform_keys(&:to_sym) # Ruby 2.5 only
       # Old Ruby transform_keys alternative:
-      sheesh = @params.each_with_object({}) { |(k, v), memo|
-        memo[k.to_sym] = v
+      sheesh = @params.each_with_object({}) { |(key, value), memo|
+        memo[key.to_sym] = value
       }
       sheesh.merge(hsh)
     end
@@ -375,6 +380,7 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
     def configure_authentication!(opts, verb)
       mode_opt = options[:mode]
+      param_name = options[:param_name]
       mode =
         if mode_opt.respond_to?(:call)
           mode_opt.call(verb)
@@ -388,19 +394,19 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
       case mode
       when :header
-        opts[:headers] ||= {}
-        opts[:headers].merge!(headers)
+        request_headers = opts[:headers] ||= {}
+        request_headers.merge!(headers)
       when :query
         # OAuth 2.1 note: Bearer tokens in the query string are omitted from the spec due to security risks.
         # Prefer the default :header mode whenever possible.
-        opts[:params] ||= {}
-        opts[:params][options[:param_name]] = token
+        request_params = opts[:params] ||= {}
+        request_params[param_name] = token
       when :body
-        opts[:body] ||= {}
-        if opts[:body].is_a?(Hash)
-          opts[:body][options[:param_name]] = token
+        request_body = opts[:body] ||= {}
+        if request_body.is_a?(Hash)
+          request_body[param_name] = token
         else
-          opts[:body] += "&#{options[:param_name]}=#{token}"
+          opts[:body] = "#{request_body}&#{param_name}=#{token}"
         end
         # @todo support for multi-part (file uploads)
       else

data/lib/oauth2/auth_sanitizer.rb

@@ -1,31 +1,15 @@
 # frozen_string_literal: true
 
+require "anonymous_loader"
+
 module OAuth2
   AUTH_SANITIZER = begin
-    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.1")
-    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
-    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
-      # :nocov:
-      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
-      # :nocov:
-    end
-
-    auth_sanitizer_loader_path = File.join(
-      auth_sanitizer_spec.full_gem_path,
-      "lib/auth_sanitizer/loader.rb"
-    )
-    unless File.file?(auth_sanitizer_loader_path)
-      # :nocov:
-      raise LoadError, "oauth2 requires auth-sanitizer #{auth_sanitizer_requirement}; " \
-        "loader not found at #{auth_sanitizer_loader_path}"
-      # :nocov:
-    end
-
-    auth_sanitizer_loader_namespace = Module.new
-    auth_sanitizer_loader_namespace.module_eval(
-      File.read(auth_sanitizer_loader_path),
-      auth_sanitizer_loader_path,
-      1
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.2")
+    auth_sanitizer_loader_namespace = AnonymousLoader.load_path(
+      gem_name: "auth-sanitizer",
+      require_path: "auth_sanitizer/loader.rb",
+      version_requirement: auth_sanitizer_requirement,
+      version_file: "auth/sanitizer/version.rb"
     )
 
     auth_sanitizer_loader_namespace.

data/lib/oauth2/client.rb

@@ -86,8 +86,9 @@ module OAuth2
       @connection ||=
         Faraday.new(site, options[:connection_opts]) do |builder|
           oauth_debug_logging(builder)
-          if options[:connection_build]
-            options[:connection_build].call(builder)
+          connection_build = options[:connection_build]
+          if connection_build
+            connection_build.call(builder)
           else
             builder.request(:url_encoded)             # form-encode POST params
             builder.adapter(Faraday.default_adapter)  # make requests with Net::HTTP
@@ -149,9 +150,9 @@ module OAuth2
 
       case status
       when 301, 302, 303, 307
-        req_opts[:redirect_count] ||= 0
-        req_opts[:redirect_count] += 1
-        return response if req_opts[:redirect_count] > options[:max_redirects]
+        redirect_count = (req_opts[:redirect_count] || 0).to_i + 1
+        req_opts[:redirect_count] = redirect_count
+        return response if redirect_count > options[:max_redirects]
 
         if status == 303
           verb = :get
@@ -338,8 +339,9 @@ module OAuth2
     #
     # @return [Hash] the params to add to a request or URL
     def redirection_params
-      if options[:redirect_uri]
-        {"redirect_uri" => options[:redirect_uri]}
+      redirect_uri = options[:redirect_uri]
+      if redirect_uri
+        {"redirect_uri" => redirect_uri}
       else
         {}
       end
@@ -446,7 +448,7 @@ module OAuth2
       url = connection.build_url(url).to_s
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
-        partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
+        partition { |key, _value| RESERVED_REQ_KEYS.include?(key.to_s) }.
         map(&:to_h)
 
       begin
@@ -454,10 +456,10 @@ module OAuth2
           req.params.update(req_opts[:params]) if req_opts[:params]
           yield(req) if block_given?
         end
-      rescue Faraday::ConnectionFailed => e
-        raise ConnectionError, e
-      rescue Faraday::TimeoutError => e
-        raise TimeoutError, e
+      rescue Faraday::ConnectionFailed => exception
+        raise ConnectionError, exception
+      rescue Faraday::TimeoutError => exception
+        raise TimeoutError, exception
       end
 
       parse = oauth_opts.key?(:parse) ? oauth_opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
@@ -467,29 +469,42 @@ module OAuth2
     end
 
     def resolve_redirect_location(current_location, location)
-      safe_location =
-        if location.respond_to?(:start_with?) && location.start_with?("//")
-          "./#{location}"
-        else
-          location
-        end
+      return protocol_relative_redirect_location(current_location, location) if location.respond_to?(:start_with?) && location.start_with?("//")
 
-      current_location.merge(safe_location)
+      current_location.merge(location)
+    end
+
+    def protocol_relative_redirect_location(current_location, location)
+      protocol_relative_location = URI.parse(location)
+      authority = +""
+      authority << "#{protocol_relative_location.userinfo}@" if protocol_relative_location.userinfo
+      authority << protocol_relative_location.host.to_s
+      authority << ":#{protocol_relative_location.port}" if protocol_relative_location.port
+
+      current_location.dup.tap do |safe_location|
+        safe_location.path = "///#{authority}#{protocol_relative_location.path}"
+        safe_location.query = protocol_relative_location.query if safe_location.respond_to?(:query=)
+        safe_location.fragment = protocol_relative_location.fragment if safe_location.respond_to?(:fragment=)
+      end
     end
 
     def sanitize_redirect_options(req_opts, current_location, next_location)
       return req_opts unless cross_origin_redirect?(current_location, next_location)
 
       headers = req_opts[:headers]
-      return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      return req_opts unless headers && headers.any? { |key, _value| authorization_header?(key) }
 
       safe_opts = req_opts.dup
       safe_headers = headers.dup
-      safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      safe_headers.delete_if { |key, _value| authorization_header?(key) }
       safe_opts[:headers] = safe_headers
       safe_opts
     end
 
+    def authorization_header?(key)
+      key.to_s.casecmp("Authorization").zero?
+    end
+
     def cross_origin_redirect?(current_location, next_location)
       current_location.scheme != next_location.scheme ||
         current_location.host != next_location.host ||
@@ -595,12 +610,13 @@ module OAuth2
 
     def oauth_debug_logging(builder)
       if OAuth2::OAUTH_DEBUG
+        config = OAuth2.config
         builder.response(
           :logger,
           OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
             options[:logger],
-            filtered_keys: OAuth2.config[:filtered_debug_keys],
-            label: OAuth2.config[:filtered_label]
+            filtered_keys: config[:filtered_debug_keys],
+            label: config[:filtered_label]
           ),
           bodies: true
         )

data/lib/oauth2/error.rb

@@ -20,9 +20,10 @@ module OAuth2
       @code = nil
       @description = nil
       if response.respond_to?(:parsed)
-        if response.parsed.is_a?(Hash)
-          @code = response.parsed["error"]
-          @description = response.parsed["error_description"]
+        parsed_response = response.parsed
+        if parsed_response.is_a?(Hash)
+          @code = parsed_response["error"]
+          @description = parsed_response["error_description"]
         end
       elsif response.is_a?(Hash)
         @code = response["error"]
@@ -46,11 +47,12 @@ module OAuth2
     # @return [String] Message suitable for StandardError
     def error_message(response_body, opts = {})
       lines = []
+      error_description = opts[:error_description]
 
-      lines << opts[:error_description] if opts[:error_description]
+      lines << error_description if error_description
 
-      error_string = if response_body.respond_to?(:encode) && opts[:error_description].respond_to?(:encoding)
-        script_encoding = opts[:error_description].encoding
+      error_string = if response_body.respond_to?(:encode) && error_description.respond_to?(:encoding)
+        script_encoding = error_description.encoding
         response_body.encode(script_encoding, invalid: :replace, undef: :replace)
       else
         response_body

data/lib/oauth2/response.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "set"
 require "multi_xml"
 require "rack"
 
@@ -108,15 +109,16 @@ module OAuth2
     def parsed
       return @parsed if defined?(@parsed)
 
+      response_parser = parser
       @parsed =
-        if parser.respond_to?(:call)
-          case parser.arity
+        if response_parser.respond_to?(:call)
+          case response_parser.arity
           when 0
-            parser.call
+            response_parser.call
           when 1
-            parser.call(body)
+            response_parser.call(body)
           else
-            parser.call(body, response)
+            response_parser.call(body, response)
           end
         end
 
@@ -132,9 +134,10 @@ module OAuth2
     #
     # @return [String, nil] The content type or nil if headers are not present
     def content_type
-      return unless response.headers
+      response_headers = response.headers
+      return unless response_headers
 
-      ((response.headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
+      ((response_headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
     end
 
     # Determines the parser to be used for the response body
@@ -154,11 +157,12 @@ module OAuth2
     def parser
       return @parser if defined?(@parser)
 
+      parse_option = options[:parse]
       @parser =
-        if options[:parse].respond_to?(:call)
-          options[:parse]
-        elsif options[:parse]
-          @@parsers[options[:parse].to_sym]
+        if parse_option.respond_to?(:call)
+          parse_option
+        elsif parse_option
+          @@parsers[parse_option.to_sym]
         end
 
       @parser ||= @@parsers[@@content_types[content_type]]
@@ -171,7 +175,7 @@ end
 OAuth2::Response.register_parser(:xml, ["text/xml", "application/rss+xml", "application/rdf+xml", "application/atom+xml", "application/xml"]) do |body|
   next body unless body.respond_to?(:to_str)
 
-  MultiXml.parse(body)
+  (defined?(MultiXML) ? MultiXML : MultiXml).parse(body)
 end
 
 # Register JSON parser

data/lib/oauth2/version.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.22"
+    VERSION = "2.0.24"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end

metadata

@@ -1,12 +1,105 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.22
+  version: 2.0.24
 platform: ruby
 authors:
-- Peter Boling
 - Erik Michaels-Ober
+- Jeremy Kemper
 - Michael Bleigh
+- Paul Walker
+- rick
+- Tim Habermaas
+- Wynn Netherland
+- Alexander Lang
+- Greg Spurrier
+- Jay Adkisson
+- Luke Saunders
+- Simon Gate
+- Bas Vodde
+- Damian Janowski
+- Daniël van de Burgt
+- Dorren Chen
+- Igor Sales
+- Leigh Caplan
+- Michael Andrews
+- Omer Rauchwerger
+- Saverio Trioni
+- Trent Ogren
+- Vsevolod Romashov
+- Antonio Tapiador del Dujo
+- Eduardo Gurgel
+- Geostellar Developer
+- Niels Ganser
+- Rainux Luo
+- Taylor Hedberg
+- Tim Clem
+- Dave Stevens
+- Ellis Berner
+- Frank Macreery
+- Olivier Lacan
+- Peter Souter
+- Ryan Williams
+- Andrew Cantino and Jeff Moore
+- Thomas Walpole
+- Bo Jeanes
+- Cody Cutrer
+- Edward Rudd
+- Lawrence Oluyede
+- Linus Pettersson
+- Motoshi Nishihira
+- Adrian Setyadi
+- Benjamin Quorning
+- Christoph Petschnig
+- Nathaniel Bibler
+- Oleg
+- Samuel Cochran
+- tetsuya
+- Yury Velikanau
+- Alex Kowalczuk
+- asm__
+- David Christensen
+- fossabot
+- Jeff Moore
+- Jonathan del Strother
+- Joseph Page
+- Lomey
+- Markus Bengts
+- Mathias Klippinge
+- nikz
+- Peter H. Boling
+- Daniel Fockler
+- Elliot Crosby-McCullough
+- João Paulo
+- Orien Madgwick
+- Ryan T. Hosford
+- Tom Corley
+- anvox
+- Jesse Cotton
+- Olle Jonsson
+- Stephen Reid
+- Anders Carling
+- dobon
+- Jan Zaydowicz
+- Nicholas Palaniuk
+- Stan Hu
+- Bouke van der Bijl
+- nov
+- Rick Selby
+- Ryo Takahashi
+- Jessie Young
+- Карим Гимадеев
+- Aboling0
+- Elise Wood
+- Manuel van Rijn
+- Annibelle Boling
+- Mark James
+- Mridang Agarwalla
+- Sasa Rosic
+- Jonathan Grinstead
+- kain
+- Rob Zolkos
+- StepSecurity Bot
 bindir: exe
 cert_chain:
 - |
@@ -39,6 +132,26 @@ cert_chain:
   -----END CERTIFICATE-----
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: anonymous_loader
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.1
 - !ruby/object:Gem::Dependency
   name: auth-sanitizer
   requirement: !ruby/object:Gem::Requirement
@@ -48,7 +161,7 @@ dependencies:
         version: '0.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.1
+        version: 0.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -58,7 +171,7 @@ dependencies:
         version: '0.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.1
+        version: 0.2.2
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -156,7 +269,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -166,7 +279,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
 - !ruby/object:Gem::Dependency
   name: version_gem
   requirement: !ruby/object:Gem::Requirement
@@ -176,7 +289,7 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.11
+        version: 1.1.12
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -186,27 +299,27 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.11
+        version: 1.1.12
 - !ruby/object:Gem::Dependency
   name: kettle-dev
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.1
+        version: 2.2.12
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.1
+        version: 2.2.12
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -264,7 +377,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -274,7 +387,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.2
 - !ruby/object:Gem::Dependency
   name: kettle-test
   requirement: !ruby/object:Gem::Requirement
@@ -284,7 +397,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -294,7 +407,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.5
 - !ruby/object:Gem::Dependency
   name: turbo_tests2
   requirement: !ruby/object:Gem::Requirement
@@ -304,7 +417,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -314,7 +427,7 @@ dependencies:
         version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.1.1
+        version: 3.1.4
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -358,7 +471,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.1
+        version: 2.0.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -368,7 +481,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.1
+        version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -447,7 +560,6 @@ description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framewor
   including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
 email:
 - floss@galtzo.com
-- oauth-ruby@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -502,10 +614,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://oauth2.galtzo.com
-  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.22
-  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.22/CHANGELOG.md
+  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.24
+  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.24/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.22
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.24
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
   news_uri: https://www.railsbling.com/tags/oauth2