omniauth-desk 0.1.7 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 78ae51cd756cb4ce1389d03aadad0ff24920bdbc
-  data.tar.gz: b5299b0606bbf76e9e888952da4732d751a1a24c
+  metadata.gz: 613f20bbbfc3140cd48a42ff218cb7c3cdf50e26
+  data.tar.gz: 7c420f92b70dd824d03e17d9c787a62e692f3f5b
 SHA512:
-  metadata.gz: 737efb1f76b076c0b84d997105b8eff2e55008be070d3972fcfaae73545d108844d8bf391afbb07199b63e5e20c989bef56b1266fa2da84a236285dd194d8abd
-  data.tar.gz: cca26acc58fa1cd48a543d2726657c5570e4ca05afa708f44ed7c46b0a1cb38f8612ac0e5906848477cd057a01a90cbebea49e125330f72e436fcb45fcb8ed02
+  metadata.gz: 20a44bfddbb942944e4c1bc4a60523a4ab1ac09d74663f053eef626864f05f2878a1a9d3d58f126be99203c5cf1574a96224de0a3b7b75129a214a34ad9265a6
+  data.tar.gz: e212d3b6c938b031f9c9da1d681cea0c30008b55728a03e59c1056fa6a2eeb6c7d039dd2a4c43f673a9cb14d9fad5cb02dc60cb7d511a72ca4161d498b42b9df

data/Gemfile

@@ -5,4 +5,5 @@ gemspec
 
 group :development, :test do
   gem 'rake'
-end
+  gem 'pry'
+end

data/Rakefile

@@ -5,4 +5,5 @@ desc "Run specs"
 RSpec::Core::RakeTask.new
 
 desc 'Default: run specs.'
-task :default => :spec
+task :default => :spec
+task :test => :spec

data/lib/omniauth-desk.rb

@@ -1,2 +1,3 @@
 require 'omniauth-desk/version'
-require 'omniauth/strategies/desk'
+require 'omniauth/desk/signed_request'
+require 'omniauth/strategies/desk'

data/lib/omniauth-desk/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Desk
-    VERSION = "0.1.7"
+    VERSION = "0.2.0"
   end
 end

data/lib/omniauth/desk/signed_request.rb

@@ -0,0 +1,56 @@
+module OmniAuth
+  module Desk
+    module SignedRequest
+      ALGORITHM = 'HMACSHA256'.freeze
+      class Error < ArgumentError; end
+
+      class << self
+        def decode(str, options = {})
+          shared_secret = options[:shared_secret] || ENV['DESK_SHARED_SECRET']
+          signature, envelope = str.split('.', 2)
+          hash = JSON.parse(base64_decode(envelope))
+
+          if hash['algorithm'] != ALGORITHM
+            raise Error.new("Invalid algorithm, use `#{ALGORITHM}`.")
+          end
+
+          if compare_time(hash['expiresAt'])
+            raise Error.new("Expired request.")
+          end
+
+          if base64_decode(signature) != hex(shared_secret, envelope).split.pack('H*')
+            raise Error.new("Invalid signature.")
+          end
+
+          hash
+        end
+
+        def encode(hash, options = {})
+          shared_secret = options[:shared_secret] || ENV['DESK_SHARED_SECRET']
+          envelope      = base64_encode(JSON.generate(hash))
+          signature     = base64_encode(hex(shared_secret, envelope).split.pack('H*'))
+          signature + '.' + envelope
+        end
+
+        private
+
+        def compare_time(str)
+          Time.parse(str).to_i < Time.now.to_i
+        end
+
+        def hex(secret, data)
+          OpenSSL::HMAC.hexdigest('sha256', secret, data)
+        end
+
+        def base64_decode(str)
+          str += '=' * (4 - str.length.modulo(4))
+          Base64.decode64(str.tr('-_', '+/'))
+        end
+
+        def base64_encode(str)
+          Base64.strict_encode64(str).tr('+/', '-_').tr('=', '')
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/desk.rb

@@ -1,5 +1,4 @@
 require 'omniauth-oauth'
-require 'multi_json'
 require 'uri'
 
 module OmniAuth
@@ -8,7 +7,8 @@ module OmniAuth
     class Desk < OmniAuth::Strategies::OAuth
       option :name, 'desk'
       option :site, nil
-      option :site_param, 'desk_site'
+      option :site_param, 'site'
+      option :shared_secret, nil
       option :client_options, {
         :authorize_path       => '/oauth/authorize',
         :request_token_path   => '/oauth/request_token',
@@ -38,7 +38,11 @@ module OmniAuth
 
       # Return info gathered from the verify_credentials API call
       def raw_info
-        @raw_info ||= MultiJson.decode(access_token.get('/api/v2/users/me').body) if access_token
+        if access_token
+          @raw_info ||= JSON.parse(access_token.get('/api/v2/users/me').body)
+        elsif signed_request
+          @raw_info ||= decode(signed_request)
+        end
       rescue ::Errno::ETIMEDOUT
         raise ::Timeout::Error
       end
@@ -48,6 +52,25 @@ module OmniAuth
         @user_info ||= raw_info.nil? ? {} : raw_info
       end
 
+      def decode(signed_request)
+        hash = OmniAuth::Desk::SignedRequest.decode(
+          signed_request, shared_secret: options.shared_secret
+        )['context']['user']
+
+        {
+          'id' => hash['userId'],
+          'name' => hash['fullName'],
+          'public_name' => hash['fullName'],
+          'email' => hash['email'],
+          'avatar' => hash['profileThumbnailUrl'],
+          'level' => hash['userType']
+        }
+      end
+
+      def signed_request
+        @signed_request ||= request.params['signed_request']
+      end
+
       def identifier
         session[:site] = options.client_options.site = options.site || validate_site(request.params[options.site_param.to_s])
         session[:site] = options.client_options.site = nil if options.client_options.site == ''
@@ -80,8 +103,18 @@ module OmniAuth
       end
 
       def callback_phase
-        options.client_options.site = session[:site] if session[:site]
-        super
+        if signed_request.nil?
+          options.client_options.site = session[:site] if session[:site]
+          super
+        else
+          env['omniauth.auth'] = AuthHash.new({
+                                    provider: name,
+                                    uid: uid,
+                                    info: info,
+                                    extra: extra
+                                  })
+          call_app!
+        end
       end
     end
   end

data/omniauth-desk.gemspec

@@ -20,7 +20,6 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency 'omniauth', '>= 1.0'
   s.add_runtime_dependency 'omniauth-oauth', '>= 1.0'
-  s.add_runtime_dependency 'multi_json', '>= 1.3.6'
 
   s.add_development_dependency 'rspec', '~> 3.5'
   s.add_development_dependency 'rack-test'

data/spec/omniauth/desk/signed_request_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper'
+require 'omniauth/desk/signed_request'
+require 'securerandom'
+
+describe OmniAuth::Desk::SignedRequest do
+  let(:shared_secret) { SecureRandom.uuid.gsub('-', '') }
+  let(:working) { { "expiresAt" => (Time.now + 10*60).iso8601, "algorithm" => "HMACSHA256" } }
+  let(:unsupported) { working.merge({ "algorithm" => "HMACSHA512" }) }
+  let(:too_old) { working.merge({ "expiresAt" => (Time.now - 1).iso8601 }) }
+
+  it 'encodes a valid request' do
+    encoded = OmniAuth::Desk::SignedRequest.encode(working, shared_secret: shared_secret)
+    decoded = OmniAuth::Desk::SignedRequest.decode(encoded, shared_secret: shared_secret)
+    expect(decoded).to eq(working)
+  end
+
+  it 'throws an unsupported algorithm error' do
+    expect do
+      encoded = OmniAuth::Desk::SignedRequest.encode(unsupported, shared_secret: shared_secret)
+      OmniAuth::Desk::SignedRequest.decode(encoded, shared_secret: shared_secret)
+    end.to raise_error(OmniAuth::Desk::SignedRequest::Error)
+  end
+
+  it 'throws a too old error' do
+    expect do
+      encoded = OmniAuth::Desk::SignedRequest.encode(too_old, shared_secret: shared_secret)
+      OmniAuth::Desk::SignedRequest.decode(encoded, shared_secret: shared_secret)
+    end.to raise_error(OmniAuth::Desk::SignedRequest::Error)
+  end
+
+  it 'throws an invalid signature error' do
+    expect do
+      encoded = OmniAuth::Desk::SignedRequest.encode(working, shared_secret: shared_secret)
+      OmniAuth::Desk::SignedRequest.decode(encoded, shared_secret: SecureRandom.uuid.gsub('-', ''))
+    end.to raise_error(OmniAuth::Desk::SignedRequest::Error)
+  end
+end

data/spec/omniauth/strategies/desk_spec.rb

@@ -2,10 +2,9 @@ require 'spec_helper'
 
 describe OmniAuth::Strategies::Desk, :type => :strategy do
   def app
-    strat = OmniAuth::Strategies::Desk
-    Rack::Builder.new {
-      use Rack::Session::Cookie, :secret => "MY_SECRET"
-      use strat
+    @app ||= Rack::Builder.new {
+      use Rack::Session::Cookie, secret: "MY_SECRET"
+      use OmniAuth::Strategies::Desk, shared_secret: SecureRandom.uuid.gsub('-', '')
       run lambda {|env| [404, {'Content-Type' => 'text/plain'}, [nil || env.key?('omniauth.auth').to_s]] }
     }.to_app
   end
@@ -24,7 +23,7 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
     end
 
     it 'should render an identifier URL input' do
-      expect(last_response.body).to match(/<input[^>]*desk_site/)
+      expect(last_response.body).to match(/<input[^>]*site/)
     end
   end
 
@@ -32,7 +31,7 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
     before do
       @stub_devel = stub_request(:post, "https://devel.desk.com/oauth/request_token")
                       .to_return(status: 200, body: 'oauth_token=&oauth_token_secret=')
-      post '/auth/desk', desk_site: 'devel'
+      post '/auth/desk', site: 'devel'
     end
 
     it 'should have been requested' do
@@ -44,7 +43,7 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
     before do
       @stub_devel = stub_request(:post, "https://devel.desk.com/oauth/request_token")
                       .to_return(status: 200, body: 'oauth_token=&oauth_token_secret=')
-      post '/auth/desk', desk_site: 'https://devel.desk.com'
+      post '/auth/desk', site: 'https://devel.desk.com'
     end
 
     it 'should have been requested' do
@@ -58,7 +57,7 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
         stub_request(:post, "https://devel.desk.com/oauth/request_token")
           .to_return(status: 200, body: 'oauth_token=&oauth_token_secret=')
 
-        post '/auth/desk', desk_site: 'https://devel.desk.com'
+        post '/auth/desk', site: 'https://devel.desk.com'
 
         @access_token = stub_request(:post, "https://devel.desk.com/oauth/access_token")
                           .to_return(status: 200, body: "oauth_token=6253282-eWudHldSbIaelX7swmsiHImEL4KinwaGloHANdrY&oauth_token_secret=2EEfA6BG3ly3sR3RjE0IBSnlQu4ZrUzPiYKmrkVU&user_id=6253282&screen_name=twitterapi")
@@ -78,6 +77,36 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
       end
     end
 
+    context 'signed request' do
+      before do
+        signed_request = OmniAuth::Desk::SignedRequest.encode({
+          "currentTime": Time.now.iso8601,
+          "expiresAt": (Time.now+3600).iso8601,
+          "algorithm": "HMACSHA256",
+          "userId": "1",
+          "context": {
+            "user": {
+              "userId": "1",
+              "userName": "agent@desk.com",
+              "email": "agent@desk.com",
+              "fullName": "Joe Agent",
+              "locale": "en_us",
+              "language": "en_us",
+              "timeZone": "Pacific Time (US & Canada)",
+              "roleId": 60,
+              "userType": "agent",
+              "profileThumbnailUrl": "http://www.gravatar.com/avatar/8a4e3154a0f99458dd1f382e72174198?default=mm&rating=PG&size=50"
+            }
+          }
+        }, shared_secret: app.instance_variable_get(:@app).options.shared_secret)
+        post '/auth/desk/callback', signed_request: signed_request
+      end
+
+      it 'should set omniauth.auth' do
+        expect(last_request.env['omniauth.auth']).not_to be_nil
+      end
+    end
+
     context 'unsuccessful' do
       before do
         get '/auth/desk/callback'
@@ -94,7 +123,7 @@ describe OmniAuth::Strategies::Desk, :type => :strategy do
     before do
       stub_request(:post, "https://thisdoesnotexist.desk.com/oauth/request_token")
         .to_return(status: 403, body: 'oauth_token=&oauth_token_secret=')
-      post '/auth/desk', desk_site: 'https://thisdoesnotexist.desk.com'
+      post '/auth/desk', site: 'https://thisdoesnotexist.desk.com'
     end
 
     it 'should be redirected to failure' do

data/spec/spec_helper.rb

@@ -8,6 +8,8 @@ require 'webmock/rspec'
 require 'omniauth'
 require 'omniauth-desk'
 
+OmniAuth.config.logger = Logger.new('/dev/null')
+
 RSpec.configure do |config|
   config.include WebMock::API
   config.include Rack::Test::Methods

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-desk
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.0
 platform: ruby
 authors:
 - Thomas Stachl
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-13 00:00:00.000000000 Z
+date: 2016-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -38,20 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: multi_json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.3.6
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.3.6
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -124,8 +110,10 @@ files:
 - Rakefile
 - lib/omniauth-desk.rb
 - lib/omniauth-desk/version.rb
+- lib/omniauth/desk/signed_request.rb
 - lib/omniauth/strategies/desk.rb
 - omniauth-desk.gemspec
+- spec/omniauth/desk/signed_request_spec.rb
 - spec/omniauth/strategies/desk_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/tstachl/omniauth-desk
@@ -152,5 +140,6 @@ signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Desk.com
 test_files:
+- spec/omniauth/desk/signed_request_spec.rb
 - spec/omniauth/strategies/desk_spec.rb
 - spec/spec_helper.rb