oauth2 2.0.5 → 2.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b016b4a0d35d5e6b17d60c9417f7a456b78a38462120fff7d68021235dee6f6d
-  data.tar.gz: 5627dc50a7dfc395f226a1209606aa63d1c8c9642ba6aba390f5ba3605567b33
+  metadata.gz: 71b8f6f9abb6afbd1cdeffbdb50b84906b0f8b44e35f9db1ebbb8c6e7acd50ba
+  data.tar.gz: a1e958b150f5909cf05734724371df99121e24d1c6581b64fa83d6326e448a6d
 SHA512:
-  metadata.gz: cbbfb987df74ec80833a13f2d7ae5fc090af533cfe3e0ce7146ed3f1dcec45159a8ac4447c0aacbc5ad2c9e8490d76a9c227dcb857b9fc2cc4a5b6b6634d1b41
-  data.tar.gz: ebf819a7fcfb1c66041bb01b46f023fcfd8cb06f1762ff938795faab71e4871d00986899c592465e8424ebd40eff1e90c6a85a77e4717f4211a07ec41a148144
+  metadata.gz: 5d3f859ea2a0b1ab53de9fda075f44b23c6c0426ba9af339b7cccadd9a613c44b252182819cd0221bac2cd97a9a21e91873af32d4e9bdbe0c5414f0ab0b5563f
+  data.tar.gz: 1802ba5465d719b80fc99f0802d0e1531288e3e4449e08b76abf070de0e26ebbf92a027fe468bfe4ba768293a6cda5f4b7458cfcb6d2d59cf297e269691ed22c

data/CHANGELOG.md

@@ -4,6 +4,32 @@ All notable changes to this project will be documented in this file.
 The format (since v2) is based on [Keep a Changelog v1](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+### Added
+### Changed
+### Fixed
+### Removed
+
+## [2.0.8] - 2022-09-01
+### Changed
+- [!630](https://gitlab.com/oauth-xx/oauth2/-/merge_requests/630) - Extract snaky_hash to external dependency (@pboling)
+
+### Added
+- [!631](https://gitlab.com/oauth-xx/oauth2/-/merge_requests/631) - New global configuration option OAuth2.config.silence_extra_tokens_warning (default: false) fixes [#628](https://gitlab.com/oauth-xx/oauth2/-/issues/628)
+
+## [2.0.7] - 2022-08-22
+### Added
+- [#629](https://github.com/oauth-xx/oauth2/pull/629) - Allow POST of JSON to get token (@pboling, @terracatta)
+
+### Fixed
+- [#626](https://github.com/oauth-xx/oauth2/pull/626) - Fixes a regression in 2.0.6. Will now prefer the key order from the lookup, not the hash keys (@rickselby)
+  - Note: This fixes compatibility with `omniauth-oauth2` and AWS
+- [#625](https://github.com/oauth-xx/oauth2/pull/625) - Fixes the printed version in the post install message (@hasghari)
+
+## [2.0.6] - 2022-07-13
+### Fixed
+- [#624](https://github.com/oauth-xx/oauth2/pull/624) - Fixes a [regression](https://github.com/oauth-xx/oauth2/pull/623) in v2.0.5, where an error would be raised in refresh_token flows due to (legitimate) lack of access_token (@pboling)
+
 ## [2.0.5] - 2022-07-07
 ### Fixed
 - [#620](https://github.com/oauth-xx/oauth2/pull/620) - Documentation improvements, to help with upgrading (@swanson)
@@ -292,5 +318,7 @@ and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.
 [2.0.3]: https://github.com/oauth-xx/oauth2/compare/v2.0.2...v2.0.3
 [2.0.4]: https://github.com/oauth-xx/oauth2/compare/v2.0.3...v2.0.4
 [2.0.5]: https://github.com/oauth-xx/oauth2/compare/v2.0.4...v2.0.5
-[Unreleased]: https://github.com/oauth-xx/oauth2/compare/v2.0.5...HEAD
+[2.0.6]: https://github.com/oauth-xx/oauth2/compare/v2.0.5...v2.0.6
+[2.0.7]: https://github.com/oauth-xx/oauth2/compare/v2.0.6...v2.0.7
+[Unreleased]: https://github.com/oauth-xx/oauth2/compare/v2.0.7...HEAD
 [gemfiles/readme]: gemfiles/README.md

data/README.md

@@ -32,6 +32,9 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 
 | Version | Release Date | Readme                                                   |
 |---------|--------------|----------------------------------------------------------|
+| 2.0.7   | 2022-08-22   | https://github.com/oauth-xx/oauth2/blob/v2.0.7/README.md |
+| 2.0.6   | 2022-07-13   | https://github.com/oauth-xx/oauth2/blob/v2.0.6/README.md |
+| 2.0.5   | 2022-07-07   | https://github.com/oauth-xx/oauth2/blob/v2.0.5/README.md |
 | 2.0.4   | 2022-07-01   | https://github.com/oauth-xx/oauth2/blob/v2.0.4/README.md |
 | 2.0.3   | 2022-06-28   | https://github.com/oauth-xx/oauth2/blob/v2.0.3/README.md |
 | 2.0.2   | 2022-06-24   | https://github.com/oauth-xx/oauth2/blob/v2.0.2/README.md |
@@ -143,8 +146,8 @@ The link tokens in the following sections should be kept ordered by the row and
 [🖐prs-o-img]: https://img.shields.io/github/issues-pr/oauth-xx/oauth2
 [🧮prs-c]: https://github.com/oauth-xx/oauth2/pulls?q=is%3Apr+is%3Aclosed
 [🧮prs-c-img]: https://img.shields.io/github/issues-pr-closed/oauth-xx/oauth2
-[📗next♻️]: https://github.com/oauth-xx/oauth2/milestone/15
-[📗next-img♻️]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/15?label=Next%20Version
+[📗next♻️]: https://github.com/oauth-xx/oauth2/milestone/2
+[📗next-img♻️]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/2?label=Next%20Version
 
 <!-- 3️⃣ maintenance & linting -->
 [⛳cclim-maint]: https://codeclimate.com/github/oauth-xx/oauth2/maintainability

data/SECURITY.md

@@ -2,11 +2,15 @@
 
 ## Supported Versions
 
-| Version  | Supported                 |
-|----------|---------------------------|
-| 2.latest | ✅                         |
-| 1.latest | ✅ (security updates only) |
-| older    | ⛔️                        |
+| Version  | Supported | EOL     | Post-EOL / Enterprise                 |
+|----------|-----------|---------|---------------------------------------|
+| 2.latest | ✅         | 04/2024 | [Tidelift Subscription][tidelift-ref] |
+| 1.latest | ✅         | 04/2023 | [Tidelift Subscription][tidelift-ref] |
+| <= 1     | ⛔         | ⛔       | ⛔                                     |
+
+### EOL Policy
+
+Non-commercial support for the oldest version of Ruby (which itself is going EOL) will be dropped each year in April.
 
 ## Reporting a Vulnerability
 
@@ -17,4 +21,6 @@ Tidelift will coordinate the fix and disclosure.
 
 Available as part of the Tidelift Subscription.
 
-The maintainers of oauth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+The maintainers of oauth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.][tidelift-ref]
+
+[tidelift-ref]: https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise&utm_term=repo

data/lib/oauth2/access_token.rb

@@ -2,6 +2,10 @@
 
 module OAuth2
   class AccessToken # rubocop:disable Metrics/ClassLength
+    TOKEN_KEYS_STR = %w[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEYS_SYM = %i[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEY_LOOKUP = TOKEN_KEYS_STR + TOKEN_KEYS_SYM
+
     attr_reader :client, :token, :expires_in, :expires_at, :expires_latency, :params
     attr_accessor :options, :refresh_token, :response
 
@@ -13,13 +17,12 @@ module OAuth2
       # @option hash [String] 'access_token', 'id_token', 'token', :access_token, :id_token, or :token the access token
       # @return [AccessToken] the initialized AccessToken
       def from_hash(client, hash)
-        hash = hash.dup
-        token = hash.delete('access_token') || hash.delete(:access_token) ||
-                hash.delete('id_token') || hash.delete(:id_token) ||
-                hash.delete('token') || hash.delete(:token) ||
-                hash.delete('accessToken') || hash.delete(:accessToken) ||
-                hash.delete('idToken') || hash.delete(:idToken)
-        new(client, token, hash)
+        fresh = hash.dup
+        supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
+        key = supported_keys[0]
+        extra_tokens_warning(supported_keys, key)
+        token = fresh.delete(key)
+        new(client, token, fresh)
       end
 
       # Initializes an AccessToken from a key/value application/x-www-form-urlencoded string
@@ -30,12 +33,22 @@ module OAuth2
       def from_kvform(client, kvform)
         from_hash(client, Rack::Utils.parse_query(kvform))
       end
+
+    private
+
+      # Having too many is sus, and may lead to bugs. Having none is fine (e.g. refresh flow doesn't need a token).
+      def extra_tokens_warning(supported_keys, key)
+        return if OAuth2.config.silence_extra_tokens_warning
+        return if supported_keys.length <= 1
+
+        warn("OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (#{supported_keys}); using #{key.inspect}.")
+      end
     end
 
     # Initialize an AccessToken
     #
     # @param [Client] client the OAuth2::Client instance
-    # @param [String] token the Access Token value
+    # @param [String] token the Access Token value (optional, may not be used in refresh flows)
     # @param [Hash] opts the options to create the Access Token with
     # @option opts [String] :refresh_token (nil) the refresh_token value
     # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
@@ -50,14 +63,19 @@ module OAuth2
       @client = client
       @token = token.to_s
 
-      if @client.options[:raise_errors] && (@token.nil? || @token.empty?)
-        error = Error.new(opts)
-        raise(error)
-      end
       opts = opts.dup
       %i[refresh_token expires_in expires_at expires_latency].each do |arg|
         instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
       end
+      no_tokens = (@token.nil? || @token.empty?) && (@refresh_token.nil? || @refresh_token.empty?)
+      if no_tokens
+        if @client.options[:raise_errors]
+          error = Error.new(opts)
+          raise(error)
+        else
+          warn('OAuth2::AccessToken has no token')
+        end
+      end
       @expires_in ||= opts.delete('expires')
       @expires_in &&= @expires_in.to_i
       @expires_at &&= convert_expires_at(@expires_at)

data/lib/oauth2/client.rb

@@ -157,46 +157,50 @@ module OAuth2
     def get_token(params, access_token_opts = {}, extract_access_token = nil, &block)
       warn('OAuth2::Client#get_token argument `extract_access_token` will be removed in oauth2 v3. Refactor to use `access_token_class` on #initialize.') if extract_access_token
       extract_access_token ||= options[:extract_access_token]
-      params = params.map do |key, value|
-        if RESERVED_PARAM_KEYS.include?(key)
-          [key.to_sym, value]
-        else
-          [key, value]
-        end
-      end.to_h
-
-      parse = params.key?(:parse) ? params.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
-      snaky = params.key?(:snaky) ? params.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+      parse, snaky, params, headers = parse_snaky_params_headers(params)
 
       request_opts = {
         raise_errors: options[:raise_errors],
         parse: parse,
         snaky: snaky,
       }
-      params = authenticator.apply(params)
-      headers = params.delete(:headers) || {}
       if options[:token_method] == :post
-        request_opts[:body] = params
+
+        # NOTE: If proliferation of request types continues we should implement a parser solution for Request,
+        #       just like we have with Response.
+        request_opts[:body] = if headers['Content-Type'] == 'application/json'
+                                params.to_json
+                              else
+                                params
+                              end
+
         request_opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
       else
         request_opts[:params] = params
         request_opts[:headers] = {}
       end
       request_opts[:headers].merge!(headers)
-      http_method = options[:token_method]
-      http_method = :post if http_method == :post_with_query_string
       response = request(http_method, token_url, request_opts, &block)
 
       # In v1.4.x, the deprecated extract_access_token option retrieves the token from the response.
       # We preserve this behavior here, but a custom access_token_class that implements #from_hash
       # should be used instead.
       if extract_access_token
-        parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
+        parse_response_legacy(response, access_token_opts, extract_access_token)
       else
         parse_response(response, access_token_opts)
       end
     end
 
+    # The HTTP Method of the request
+    # @return [Symbol] HTTP verb, one of :get, :post, :put, :delete
+    def http_method
+      http_meth = options[:token_method].to_sym
+      return :post if http_meth == :post_with_query_string
+
+      http_meth
+    end
+
     # The Authorization Code strategy
     #
     # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
@@ -255,6 +259,22 @@ module OAuth2
 
   private
 
+    def parse_snaky_params_headers(params)
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end.to_h
+      parse = params.key?(:parse) ? params.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = params.key?(:snaky) ? params.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+      params = authenticator.apply(params)
+      # authenticator may add :headers, and we remove them here
+      headers = params.delete(:headers) || {}
+      [parse, snaky, params, headers]
+    end
+
     def execute_request(verb, url, opts = {})
       url = connection.build_url(url).to_s
 
@@ -282,8 +302,8 @@ module OAuth2
       Authenticator.new(id, secret, options[:auth_scheme])
     end
 
-    def parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
-      access_token = build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def parse_response_legacy(response, access_token_opts, extract_access_token)
+      access_token = build_access_token_legacy(response, access_token_opts, extract_access_token)
 
       return access_token if access_token
 
@@ -321,7 +341,7 @@ module OAuth2
     # Builds the access token from the response of the HTTP call with legacy extract_access_token
     #
     # @return [AccessToken] the initialized AccessToken
-    def build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def build_access_token_legacy(response, access_token_opts, extract_access_token)
       extract_access_token.call(self, response.parsed.merge(access_token_opts))
     rescue StandardError
       nil

data/lib/oauth2/response.rb

@@ -46,7 +46,7 @@ module OAuth2
     # @param [Symbol] parse (:automatic) how to parse the response body.  one of :query (for x-www-form-urlencoded),
     #   :json, or :automatic (determined by Content-Type response header)
     # @param [true, false] snaky (true) Convert @parsed to a snake-case,
-    #   indifferent-access OAuth2::SnakyHash, which is a subclass of Hashie::Mash::Rash (from rash_alt gem)?
+    #   indifferent-access SnakyHash::StringKeyed, which is a subclass of Hashie::Mash (from hashie gem)?
     # @param [Hash] options all other options for initializing the instance
     def initialize(response, parse: :automatic, snaky: true, **options)
       @response = response
@@ -90,7 +90,7 @@ module OAuth2
           end
         end
 
-      @parsed = OAuth2::SnakyHash.new(@parsed) if options[:snaky] && @parsed.is_a?(Hash)
+      @parsed = SnakyHash::StringKeyed.new(@parsed) if options[:snaky] && @parsed.is_a?(Hash)
 
       @parsed
     end

data/lib/oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OAuth2
   module Version
-    VERSION = '2.0.5'.freeze
+    VERSION = '2.0.8'.freeze
   end
 end

data/lib/oauth2.rb

@@ -5,13 +5,12 @@ require 'cgi'
 require 'time'
 
 # third party gems
-require 'rash'
+require 'snaky_hash'
 require 'version_gem'
 
 # includes gem files
 require 'oauth2/version'
 require 'oauth2/error'
-require 'oauth2/snaky_hash'
 require 'oauth2/authenticator'
 require 'oauth2/client'
 require 'oauth2/strategy/base'
@@ -25,6 +24,15 @@ require 'oauth2/response'
 
 # The namespace of this library
 module OAuth2
+  DEFAULT_CONFIG = SnakyHash::SymbolKeyed.new(silence_extra_tokens_warning: false)
+  @config = DEFAULT_CONFIG.dup
+  class << self
+    attr_accessor :config
+  end
+  def configure
+    yield @config
+  end
+  module_function :configure
 end
 
 OAuth2::Version.class_eval do

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 2.0.8
 platform: ruby
 authors:
 - Peter Boling
 - Erik Michaels-Ober
 - Michael Bleigh
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-07 00:00:00.000000000 Z
+date: 2022-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -87,25 +87,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
-  name: rash_alt
+  name: snaky_hash
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.4'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.4'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: version_gem
   requirement: !ruby/object:Gem::Requirement
@@ -294,7 +288,6 @@ files:
 - lib/oauth2/client.rb
 - lib/oauth2/error.rb
 - lib/oauth2/response.rb
-- lib/oauth2/snaky_hash.rb
 - lib/oauth2/strategy/assertion.rb
 - lib/oauth2/strategy/auth_code.rb
 - lib/oauth2/strategy/base.rb
@@ -307,15 +300,15 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/oauth-xx/oauth2
-  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v2.0.5
-  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v2.0.5/CHANGELOG.md
+  source_code_uri: https://github.com/oauth-xx/oauth2/tree/v2.0.8
+  changelog_uri: https://github.com/oauth-xx/oauth2/blob/v2.0.8/CHANGELOG.md
   bug_tracker_uri: https://github.com/oauth-xx/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.5
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.8
   wiki_uri: https://github.com/oauth-xx/oauth2/wiki
   rubygems_mfa_required: 'true'
 post_install_message: |2+
 
-  You have installed oauth2 version OAuth2::Version, congratulations!
+  You have installed oauth2 version 2.0.8, congratulations!
 
   There are BREAKING changes, but most will not encounter them, and updating your code should be easy!
 
@@ -339,8 +332,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.16
-signing_key: 
+rubygems_version: 3.3.21
+signing_key:
 specification_version: 4
 summary: A Ruby wrapper for the OAuth 2.0 protocol.
 test_files: []
+...

data/lib/oauth2/snaky_hash.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-module OAuth2
-  # Hash which allow assign string key in camel case
-  # and query on both camel and snake case
-  class SnakyHash < ::Hashie::Mash::Rash
-  end
-end