oauth2 2.0.4 → 2.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc4158398289799f1200f2706539766ebcec6b3be4c861427d9b11fb6f6a8d8f
-  data.tar.gz: cd7bec320053ae8d114f9c3f730ce7252872b2fbf0b4c716d5447ac1642b7e7e
+  metadata.gz: fb9943fbd1a1592461b1397edb9ac16faf301da6ac1c8a2f9e441218c1a51924
+  data.tar.gz: 4435312a9b4cc0392dc49a15f9f71e8a1ed3ff3ca71ba6a7fbaf480aeede052a
 SHA512:
-  metadata.gz: 57f0ddd1d875238c5b98e358cea1114fb09847c01af8231e2d6a6e6c70e928500bd3f2b45c566302f70481d802ff7db6b649105765692f7107542e49edf06e2b
-  data.tar.gz: 13e0e6fcf0b7090bd5068c08522fc5ca52b8f719d230e7355334785e9795581c011b437b6eca4897f86d30ef7dd856f924a8a3e5b1488e7c99a7fa595973368b
+  metadata.gz: 82997d8c41529574701ef25565735fe46d7e343689e5cc07f93cd9bcb074aaa78370aa50062aa59adcfa078f432fb9d2b7ada58d17fae4ac3874a51843e881d6
+  data.tar.gz: c3ce8c8fec91b43a570392791bcab65ccf0b4e4051e3ad6c726c0d23575ae7caf600adbf2a07c27eb1363be6aa9d5019c3adb34d7c166cd5e2c9ae411af9aac9

data/CHANGELOG.md

@@ -4,6 +4,29 @@ All notable changes to this project will be documented in this file.
 The format (since v2) is based on [Keep a Changelog v1](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.7] - 2022-08-22
+### Added
+- [#629](https://github.com/oauth-xx/oauth2/pull/629) - Allow POST of JSON to get token (@pboling, @terracatta)
+
+### Fixed
+- [#626](https://github.com/oauth-xx/oauth2/pull/626) - Fixes a regression in 2.0.6. Will now prefer the key order from the lookup, not the hash keys (@rickselby)
+  - Note: This fixes compatibility with `omniauth-oauth2` and AWS
+- [#625](https://github.com/oauth-xx/oauth2/pull/625) - Fixes the printed version in the post install message (@hasghari)
+
+## [2.0.6] - 2022-07-13
+### Fixed
+- [#624](https://github.com/oauth-xx/oauth2/pull/624) - Fixes a [regression](https://github.com/oauth-xx/oauth2/pull/623) in v2.0.5, where an error would be raised in refresh_token flows due to (legitimate) lack of access_token (@pboling)
+
+## [2.0.5] - 2022-07-07
+### Fixed
+- [#620](https://github.com/oauth-xx/oauth2/pull/620) - Documentation improvements, to help with upgrading (@swanson)
+- [#621](https://github.com/oauth-xx/oauth2/pull/621) - Fixed [#528](https://github.com/oauth-xx/oauth2/issues/528) and [#619](https://github.com/oauth-xx/oauth2/issues/619) (@pboling)
+  - All data in responses is now returned, with the access token removed and set as `token`
+    - `refresh_token` is no longer dropped
+    - **BREAKING**: Microsoft's `id_token` is no longer left as `access_token['id_token']`, but moved to the standard `access_token.token` that all other strategies use
+  - Remove `parse` and `snaky` from options so they don't get included in response
+  - There is now 100% test coverage, for lines _and_ branches, and it will stay that way.
+
 ## [2.0.4] - 2022-07-01
 ### Fixed
 - [#618](https://github.com/oauth-xx/oauth2/pull/618) - In some scenarios the `snaky` option default value was not applied (@pboling)
@@ -65,6 +88,10 @@ and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.
 - [#414](https://github.com/oauth-xx/oauth2/pull/414) - Use Base64.strict_encode64 instead of custom internal logic (@meganemura)
 - [#489](https://github.com/oauth-xx/oauth2/pull/489) - **BREAKING**: Default value for option `OAuth2::Client` - `:authorize_url` removed leading slash to work with relative paths by default (`'oauth/authorize'`) (@ghost)
 - [#489](https://github.com/oauth-xx/oauth2/pull/489) - **BREAKING**: Default value for option `OAuth2::Client` - `:token_url` removed leading slash to work with relative paths by default (`'oauth/token'`) (@ghost)
+- [#507](https://github.com/oauth-xx/oauth2/pull/507), [#575](https://github.com/oauth-xx/oauth2/pull/575) - **BREAKING**: Transform keys to camel case, always, by default (ultimately via `rash_alt` gem)
+  - Original keys will still work as previously, in most scenarios, thanks to `rash_alt` gem.
+  - However, this is a _breaking_ change if you rely on `response.parsed.to_h`, as the keys in the result will be camel case.
+  - As of version 2.0.4 you can turn key transformation off with the `snaky: false` option.
 - [#576](https://github.com/oauth-xx/oauth2/pull/576) - **BREAKING**: Stop rescuing parsing errors (@pboling)
 - [#591](https://github.com/oauth-xx/oauth2/pull/576) - _DEPRECATION_: `OAuth2::Client` - `:extract_access_token` option is deprecated
 ### Fixed
@@ -277,5 +304,7 @@ and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.
 [2.0.2]: https://github.com/oauth-xx/oauth2/compare/v2.0.1...v2.0.2
 [2.0.3]: https://github.com/oauth-xx/oauth2/compare/v2.0.2...v2.0.3
 [2.0.4]: https://github.com/oauth-xx/oauth2/compare/v2.0.3...v2.0.4
-[Unreleased]: https://github.com/oauth-xx/oauth2/compare/v2.0.4...HEAD
+[2.0.5]: https://github.com/oauth-xx/oauth2/compare/v2.0.4...v2.0.5
+[2.0.6]: https://github.com/oauth-xx/oauth2/compare/v2.0.5...v2.0.6
+[Unreleased]: https://github.com/oauth-xx/oauth2/compare/v2.0.6...HEAD
 [gemfiles/readme]: gemfiles/README.md

data/README.md

@@ -32,6 +32,8 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 
 | Version | Release Date | Readme                                                   |
 |---------|--------------|----------------------------------------------------------|
+| 2.0.6   | 2022-07-13   | https://github.com/oauth-xx/oauth2/blob/v2.0.6/README.md |
+| 2.0.5   | 2022-07-07   | https://github.com/oauth-xx/oauth2/blob/v2.0.5/README.md |
 | 2.0.4   | 2022-07-01   | https://github.com/oauth-xx/oauth2/blob/v2.0.4/README.md |
 | 2.0.3   | 2022-06-28   | https://github.com/oauth-xx/oauth2/blob/v2.0.3/README.md |
 | 2.0.2   | 2022-06-24   | https://github.com/oauth-xx/oauth2/blob/v2.0.2/README.md |
@@ -143,8 +145,8 @@ The link tokens in the following sections should be kept ordered by the row and
 [🖐prs-o-img]: https://img.shields.io/github/issues-pr/oauth-xx/oauth2
 [🧮prs-c]: https://github.com/oauth-xx/oauth2/pulls?q=is%3Apr+is%3Aclosed
 [🧮prs-c-img]: https://img.shields.io/github/issues-pr-closed/oauth-xx/oauth2
-[📗next♻️]: https://github.com/oauth-xx/oauth2/milestone/15
-[📗next-img♻️]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/15?label=Next%20Version
+[📗next♻️]: https://github.com/oauth-xx/oauth2/milestone/2
+[📗next-img♻️]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/2?label=Next%20Version
 
 <!-- 3️⃣ maintenance & linting -->
 [⛳cclim-maint]: https://codeclimate.com/github/oauth-xx/oauth2/maintainability
@@ -257,6 +259,12 @@ For more see [SECURITY.md][🚎sec-pol].
     - `:access_token_class` (`AccessToken`); user specified class to use for all calls to `get_token`
 - Adds new option to `OAuth2::AccessToken#initialize`:
     - `:expires_latency` (`nil`); number of seconds by which AccessToken validity will be reduced to offset latency
+- By default, keys are transformed to camel case.
+  - Original keys will still work as previously, in most scenarios, thanks to `rash_alt` gem.
+  - However, this is a _breaking_ change if you rely on `response.parsed.to_h`, as the keys in the result will be camel case.
+  - As of version 2.0.4 you can turn key transformation off with the `snaky: false` option.
+- By default, the `:auth_scheme` is now `:basic_auth` (instead of `:request_body`)
+  - Third-party strategies and gems may need to be updated if a provider was requiring client id/secret in the request body
 - [... A lot more](https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md#2.0.0)
 
 ## Compatibility
@@ -517,7 +525,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 See [CONTRIBUTING.md][contributing]
 
-[contributing]: https://github.com/oauth-xx/oauth2/blob/main/CONTRIBUTING.md
+[contributing]: https://github.com/oauth-xx/oauth2/blob/master/CONTRIBUTING.md
 
 ## Contributors
 

data/lib/oauth2/access_token.rb

@@ -2,18 +2,28 @@
 
 module OAuth2
   class AccessToken # rubocop:disable Metrics/ClassLength
+    TOKEN_KEYS_STR = %w[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEYS_SYM = %i[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEY_LOOKUP = TOKEN_KEYS_STR + TOKEN_KEYS_SYM
+
     attr_reader :client, :token, :expires_in, :expires_at, :expires_latency, :params
     attr_accessor :options, :refresh_token, :response
 
     class << self
       # Initializes an AccessToken from a Hash
       #
-      # @param client [Client] the OAuth2::Client instance
-      # @param hash [Hash] a hash of AccessToken property values
+      # @param [Client] client the OAuth2::Client instance
+      # @param [Hash] hash a hash of AccessToken property values
+      # @option hash [String] 'access_token', 'id_token', 'token', :access_token, :id_token, or :token the access token
       # @return [AccessToken] the initialized AccessToken
       def from_hash(client, hash)
-        hash = hash.dup
-        new(client, hash.delete('access_token') || hash.delete(:access_token) || hash.delete('token') || hash.delete(:token), hash)
+        fresh = hash.dup
+        supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
+        key = supported_keys[0]
+        # Having too many is sus, and may lead to bugs. Having none is fine (e.g. refresh flow doesn't need a token).
+        warn("OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (#{supported_keys}); using #{key.inspect}.") if supported_keys.length > 1
+        token = fresh.delete(key)
+        new(client, token, fresh)
       end
 
       # Initializes an AccessToken from a key/value application/x-www-form-urlencoded string
@@ -24,16 +34,12 @@ module OAuth2
       def from_kvform(client, kvform)
         from_hash(client, Rack::Utils.parse_query(kvform))
       end
-
-      def contains_token?(hash)
-        hash.key?('access_token') || hash.key?('id_token') || hash.key?('token')
-      end
     end
 
     # Initialize an AccessToken
     #
     # @param [Client] client the OAuth2::Client instance
-    # @param [String] token the Access Token value
+    # @param [String] token the Access Token value (optional, may not be used in refresh flows)
     # @param [Hash] opts the options to create the Access Token with
     # @option opts [String] :refresh_token (nil) the refresh_token value
     # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
@@ -47,10 +53,20 @@ module OAuth2
     def initialize(client, token, opts = {})
       @client = client
       @token = token.to_s
+
       opts = opts.dup
       %i[refresh_token expires_in expires_at expires_latency].each do |arg|
         instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
       end
+      no_tokens = (@token.nil? || @token.empty?) && (@refresh_token.nil? || @refresh_token.empty?)
+      if no_tokens
+        if @client.options[:raise_errors]
+          error = Error.new(opts)
+          raise(error)
+        else
+          warn('OAuth2::AccessToken has no token')
+        end
+      end
       @expires_in ||= opts.delete('expires')
       @expires_in &&= @expires_in.to_i
       @expires_at &&= convert_expires_at(@expires_at)
@@ -95,7 +111,11 @@ module OAuth2
       params[:refresh_token] = refresh_token
       new_token = @client.get_token(params, access_token_opts)
       new_token.options = options
-      new_token.refresh_token = refresh_token unless new_token.refresh_token
+      if new_token.refresh_token
+        # Keep it, if there is one
+      else
+        new_token.refresh_token = refresh_token
+      end
       new_token
     end
     # A compatibility alias

data/lib/oauth2/client.rb

@@ -157,43 +157,50 @@ module OAuth2
     def get_token(params, access_token_opts = {}, extract_access_token = nil, &block)
       warn('OAuth2::Client#get_token argument `extract_access_token` will be removed in oauth2 v3. Refactor to use `access_token_class` on #initialize.') if extract_access_token
       extract_access_token ||= options[:extract_access_token]
-      params = params.map do |key, value|
-        if RESERVED_PARAM_KEYS.include?(key)
-          [key.to_sym, value]
-        else
-          [key, value]
-        end
-      end.to_h
+      parse, snaky, params, headers = parse_snaky_params_headers(params)
 
       request_opts = {
         raise_errors: options[:raise_errors],
-        parse: params.fetch(:parse, Response::DEFAULT_OPTIONS[:parse]),
-        snaky: params.fetch(:snaky, Response::DEFAULT_OPTIONS[:snaky]),
+        parse: parse,
+        snaky: snaky,
       }
-      params = authenticator.apply(params)
-      headers = params.delete(:headers) || {}
       if options[:token_method] == :post
-        request_opts[:body] = params
+
+        # NOTE: If proliferation of request types continues we should implement a parser solution for Request,
+        #       just like we have with Response.
+        request_opts[:body] = if headers['Content-Type'] == 'application/json'
+                                params.to_json
+                              else
+                                params
+                              end
+
         request_opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
       else
         request_opts[:params] = params
         request_opts[:headers] = {}
       end
       request_opts[:headers].merge!(headers)
-      http_method = options[:token_method]
-      http_method = :post if http_method == :post_with_query_string
       response = request(http_method, token_url, request_opts, &block)
 
       # In v1.4.x, the deprecated extract_access_token option retrieves the token from the response.
       # We preserve this behavior here, but a custom access_token_class that implements #from_hash
       # should be used instead.
       if extract_access_token
-        parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
+        parse_response_legacy(response, access_token_opts, extract_access_token)
       else
         parse_response(response, access_token_opts)
       end
     end
 
+    # The HTTP Method of the request
+    # @return [Symbol] HTTP verb, one of :get, :post, :put, :delete
+    def http_method
+      http_meth = options[:token_method].to_sym
+      return :post if http_meth == :post_with_query_string
+
+      http_meth
+    end
+
     # The Authorization Code strategy
     #
     # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
@@ -252,6 +259,22 @@ module OAuth2
 
   private
 
+    def parse_snaky_params_headers(params)
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end.to_h
+      parse = params.key?(:parse) ? params.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = params.key?(:snaky) ? params.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+      params = authenticator.apply(params)
+      # authenticator may add :headers, and we remove them here
+      headers = params.delete(:headers) || {}
+      [parse, snaky, params, headers]
+    end
+
     def execute_request(verb, url, opts = {})
       url = connection.build_url(url).to_s
 
@@ -266,8 +289,8 @@ module OAuth2
         raise TimeoutError, e
       end
 
-      parse = opts.fetch(:parse, Response::DEFAULT_OPTIONS[:parse])
-      snaky = opts.fetch(:snaky, Response::DEFAULT_OPTIONS[:snaky])
+      parse = opts.key?(:parse) ? opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = opts.key?(:snaky) ? opts.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
 
       Response.new(response, parse: parse, snaky: snaky)
     end
@@ -279,8 +302,8 @@ module OAuth2
       Authenticator.new(id, secret, options[:auth_scheme])
     end
 
-    def parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
-      access_token = build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def parse_response_legacy(response, access_token_opts, extract_access_token)
+      access_token = build_access_token_legacy(response, access_token_opts, extract_access_token)
 
       return access_token if access_token
 
@@ -296,7 +319,7 @@ module OAuth2
       access_token_class = options[:access_token_class]
       data = response.parsed
 
-      unless data.is_a?(Hash) && access_token_class.contains_token?(data)
+      unless data.is_a?(Hash) && !data.empty?
         return unless options[:raise_errors]
 
         error = Error.new(response)
@@ -318,7 +341,7 @@ module OAuth2
     # Builds the access token from the response of the HTTP call with legacy extract_access_token
     #
     # @return [AccessToken] the initialized AccessToken
-    def build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def build_access_token_legacy(response, access_token_opts, extract_access_token)
       extract_access_token.call(self, response.parsed.merge(access_token_opts))
     rescue StandardError
       nil

data/lib/oauth2/error.rb

@@ -2,21 +2,29 @@
 
 module OAuth2
   class Error < StandardError
-    attr_reader :response, :code, :description
+    attr_reader :response, :body, :code, :description
 
     # standard error codes include:
     # 'invalid_request', 'invalid_client', 'invalid_token', 'invalid_grant', 'unsupported_grant_type', 'invalid_scope'
+    # response might be a Response object, or the response.parsed hash
     def initialize(response)
       @response = response
-      message_opts = {}
-
-      if response.parsed.is_a?(Hash)
-        @code = response.parsed['error']
-        @description = response.parsed['error_description']
-        message_opts = parse_error_description(@code, @description)
+      if response.respond_to?(:parsed)
+        if response.parsed.is_a?(Hash)
+          @code = response.parsed['error']
+          @description = response.parsed['error_description']
+        end
+      elsif response.is_a?(Hash)
+        @code = response['error']
+        @description = response['error_description']
       end
-
-      super(error_message(response.body, message_opts))
+      @body = if response.respond_to?(:body)
+                response.body
+              else
+                @response
+              end
+      message_opts = parse_error_description(@code, @description)
+      super(error_message(@body, message_opts))
     end
 
   private

data/lib/oauth2/strategy/assertion.rb

@@ -80,7 +80,7 @@ module OAuth2
         assertion = build_assertion(claims, encoding_opts)
         params = build_request(assertion, request_opts)
 
-        @client.get_token(params, response_opts.merge('refresh_token' => nil))
+        @client.get_token(params, response_opts)
       end
 
     private

data/lib/oauth2/strategy/auth_code.rb

@@ -25,7 +25,7 @@ module OAuth2
       #
       # @param [String] code The Authorization Code value
       # @param [Hash] params additional params
-      # @param [Hash] opts options
+      # @param [Hash] opts access_token_opts, @see Client#get_token
       # @note that you must also provide a :redirect_uri with most OAuth 2.0 providers
       def get_token(code, params = {}, opts = {})
         params = {'grant_type' => 'authorization_code', 'code' => code}.merge(@client.redirection_params).merge(params)

data/lib/oauth2/strategy/client_credentials.rb

@@ -19,7 +19,7 @@ module OAuth2
       # @param [Hash] opts options
       def get_token(params = {}, opts = {})
         params = params.merge('grant_type' => 'client_credentials')
-        @client.get_token(params, opts.merge('refresh_token' => nil))
+        @client.get_token(params, opts)
       end
     end
   end

data/lib/oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OAuth2
   module Version
-    VERSION = '2.0.4'.freeze
+    VERSION = '2.0.7'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.0.7
 platform: ruby
 authors:
 - Peter Boling
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-07-01 00:00:00.000000000 Z
+date: 2022-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -307,15 +307,15 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/oauth-xx/oauth2
-  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v2.0.4
-  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v2.0.4/CHANGELOG.md
+  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v2.0.7
+  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v2.0.7/CHANGELOG.md
   bug_tracker_uri: https://github.com/oauth-xx/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.4
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.7
   wiki_uri: https://github.com/oauth-xx/oauth2/wiki
   rubygems_mfa_required: 'true'
 post_install_message: |2+
 
-  You have installed oauth2 version OAuth2::Version, congratulations!
+  You have installed oauth2 version 2.0.7, congratulations!
 
   There are BREAKING changes, but most will not encounter them, and updating your code should be easy!
 
@@ -339,7 +339,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.16
+rubygems_version: 3.3.18
 signing_key: 
 specification_version: 4
 summary: A Ruby wrapper for the OAuth 2.0 protocol.