omniauth-duodealer-oauth2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7ff6856a264f3b30185124b802f35d4b48a305455ec9cc0346c5cb52e809fd05
+  data.tar.gz: d7d8d48b5f7055c0c680ee73ddfd6416fff76e76f9b45ec01bd1a5297ab74c72
+SHA512:
+  metadata.gz: 680c5d8f690f20e308479c16741f58dcb7c99a840ce4b97a0f0d125dd62bad985d494c306f599e450359f52a2716aa73e0b1caec6f9f44dccb57b89a451449d8
+  data.tar.gz: df3498079be1c82c0f76742be0beae204f784e7736aa31be3d1469f5a042ca6534619e639d7cda66c22b1746b0096ca8f698440bf88116f6ae3d6b4e88af807e

data/.github/probots.yml

@@ -0,0 +1,2 @@
+enabled:
+  - cla

data/.gitignore

@@ -0,0 +1,2 @@
+pkg/*
+Gemfile.lock

data/.ruby-version

@@ -0,0 +1 @@
+2.6.4

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.9
+  - 2.2.2

data/Gemfile

@@ -0,0 +1,9 @@
+source "https://rubygems.org"
+
+gemspec
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.2")
+  gem 'rack', '~> 1.6'
+end
+
+gem 'fakeweb', github: 'junaruga/fakeweb'

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+task :default => :test
+
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end

data/example/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org/'
+
+gem 'rack', '~> 1.6'
+
+gem 'omniauth-duodealer-oauth2', path: '../'
+gem 'sinatra', '~> 1.4'

data/example/config.ru

@@ -0,0 +1,67 @@
+require 'bundler/setup'
+require 'sinatra/base'
+require 'omniauth-duodealer-oauth2'
+
+SCOPE = 'read_products,read_orders,read_customers,write_shipping'
+DUODEALER_API_KEY = ENV['DUODEALER_API_KEY']
+DUODEALER_SHARED_SECRET = ENV['DUODEALER_SHARED_SECRET']
+
+unless DUODEALER_API_KEY && DUODEALER_SHARED_SECRET
+  abort("DUODEALER_API_KEY and DUODEALER_SHARED_SECRET environment variables must be set")
+end
+
+class App < Sinatra::Base
+  get '/' do
+    <<-HTML
+    <html>
+    <head>
+      <title>DuoDealer Oauth2</title>
+    </head>
+    <body>
+      <form action="/auth/duodealer" method="get">
+      <label for="shop">Enter your store's URL:</label>
+      <input type="text" name="shop" placeholder="your-shop-url.duodealer.com">
+      <button type="submit">Log In</button>
+      </form>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/:provider/callback' do
+    <<-HTML
+    <html>
+    <head>
+      <title>DuoDealer Oauth2</title>
+    </head>
+    <body>
+      <h3>Authorized</h3>
+      <p>Shop: #{request.env['omniauth.auth'].uid}</p>
+      <p>Token: #{request.env['omniauth.auth']['credentials']['token']}</p>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/failure' do
+    <<-HTML
+    <html>
+    <head>
+      <title>DuoDealer Oauth2</title>
+    </head>
+    <body>
+      <h3>Failed Authorization</h3>
+      <p>Message: #{params[:message]}</p>
+    </body>
+    </html>
+    HTML
+  end
+end
+
+use Rack::Session::Cookie, secret: SecureRandom.hex(64)
+
+use OmniAuth::Builder do
+  provider :duodealer, DUODEALER_API_KEY, DUODEALER_SHARED_SECRET, :scope => SCOPE
+end
+
+run App.new

data/lib/omniauth-duodealer-oauth2.rb

@@ -0,0 +1 @@
+require 'omniauth/duodealer'

data/lib/omniauth/duodealer.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/duodealer/version'
+require 'omniauth/strategies/duodealer'

data/lib/omniauth/duodealer/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Duodealer
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/strategies/duodealer.rb

@@ -0,0 +1,160 @@
+require 'omniauth/strategies/oauth2'
+
+module OmniAuth
+  module Strategies
+    class Duodealer < OmniAuth::Strategies::OAuth2
+      # Available scopes: content themes products customers orders script_tags shipping
+      # read_*  or write_*
+      DEFAULT_SCOPE = 'read_products'
+      SCOPE_DELIMITER = ','
+      MINUTE = 60
+      CODE_EXPIRES_AFTER = 10 * MINUTE
+
+      option :name, "duodealer"
+
+      option :client_options, {
+        :authorize_url => '/admin/oauth/authorize',
+        :token_url => '/admin/oauth/access_token'
+      }
+
+      option :callback_url
+      option :duodealer_domain, 'duodealer.com'
+      option :old_client_secret
+
+      # When `true`, the user's permission level will apply (in addition to
+      # the requested access scope) when making API requests to duodealer.
+      option :per_user_permissions, false
+
+      option :setup, proc { |env|
+        strategy = env['omniauth.strategy']
+
+        duodealer_auth_params = strategy.session['duodealer.omniauth_params'] && strategy.session['duodealer.omniauth_params'].with_indifferent_access
+        shop = if duodealer_auth_params && duodealer_auth_params['shop']
+          "https://#{duodealer_auth_params['shop']}"
+        else
+          ''
+        end
+
+        strategy.options[:client_options][:site] = shop
+      }
+
+      uid { URI.parse(options[:client_options][:site]).host }
+
+      extra do
+        if access_token
+          {
+            'associated_user' => access_token['associated_user'],
+            'associated_user_scope' => access_token['associated_user_scope'],
+            'scope' => access_token['scope'],
+            'session' => access_token['session']
+          }
+        end
+      end
+
+      def valid_site?
+        !!(/\A(https|http)\:\/\/[a-zA-Z0-9][a-zA-Z0-9\-]*\.#{Regexp.quote(options[:duodealer_domain])}[\/]?\z/ =~ options[:client_options][:site])
+      end
+
+      def valid_signature?
+        return false unless request.POST.empty?
+
+        params = request.GET
+        signature = params['hmac']
+        timestamp = params['timestamp']
+        return false unless signature && timestamp
+
+        return false unless timestamp.to_i > Time.now.to_i - CODE_EXPIRES_AFTER
+
+        new_secret = options.client_secret
+        old_secret = options.old_client_secret
+
+        validate_signature(new_secret) || (old_secret && validate_signature(old_secret))
+      end
+
+      def valid_scope?(token)
+        params = options.authorize_params.merge(options_for("authorize"))
+        return false unless token && params[:scope] && token['scope']
+        expected_scope = normalized_scopes(params[:scope]).sort
+        (expected_scope == token['scope'].split(SCOPE_DELIMITER).sort)
+      end
+
+      def normalized_scopes(scopes)
+        scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
+        ignore_scopes = scope_list.map { |scope| scope =~ /\Awrite_(.*)\z/ && "read_#{$1}" }.compact
+        scope_list - ignore_scopes
+      end
+
+      def self.encoded_params_for_signature(params)
+        params = params.dup
+        params.delete('hmac')
+        params.delete('signature') # deprecated signature
+        Rack::Utils.build_query(params.sort)
+      end
+
+      def self.hmac_sign(encoded_params, secret)
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, encoded_params)
+      end
+
+      def valid_permissions?(token)
+        token && (options[:per_user_permissions] == !token['associated_user'].nil?)
+      end
+
+      def fix_https
+        options[:client_options][:site] = options[:client_options][:site].gsub(/\Ahttp\:/, 'https:')
+      end
+
+      def setup_phase
+        super
+        fix_https
+      end
+
+      def request_phase
+        if valid_site?
+          super
+        else
+          fail!(:invalid_site)
+        end
+      end
+
+      def callback_phase
+        return fail!(:invalid_site, CallbackError.new(:invalid_site, "OAuth endpoint is not a duodealer site.")) unless valid_site?
+        return fail!(:invalid_signature, CallbackError.new(:invalid_signature, "Signature does not match, it may have been tampered with.")) unless valid_signature?
+
+        token = build_access_token
+        unless valid_scope?(token)
+          return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
+        end
+        unless valid_permissions?(token)
+          return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
+        end
+
+        super
+      rescue ::OAuth2::Error => e
+        fail!(:invalid_credentials, e)
+      end
+
+      def build_access_token
+        @built_access_token ||= super
+      end
+
+      def authorize_params
+        super.tap do |params|
+          params[:scope] = normalized_scopes(params[:scope] || DEFAULT_SCOPE).join(SCOPE_DELIMITER)
+          params[:grant_options] = ['per-user'] if options[:per_user_permissions]
+        end
+      end
+
+      def callback_url
+        options[:callback_url] || full_host + script_name + callback_path
+      end
+
+      private
+
+      def validate_signature(secret)
+        params = request.GET
+        calculated_signature = self.class.hmac_sign(self.class.encoded_params_for_signature(params), secret)
+        Rack::Utils.secure_compare(calculated_signature, params['hmac'])
+      end
+    end
+  end
+end

data/omniauth-duodealer-oauth2.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+require 'omniauth/duodealer/version'
+
+Gem::Specification.new do |s|
+  s.name     = 'omniauth-duodealer-oauth2'
+  s.version  = OmniAuth::Duodealer::VERSION
+  s.authors  = ['Eric Raio']
+  s.email    = ['eric@duodealer.com']
+  s.summary  = 'duodealer strategy for OmniAuth'
+  s.homepage = 'https://gitlab.com/duodealer/omniauth-duodealer-oauth2'
+  s.license = 'MIT'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 2.1.9'
+
+  s.add_runtime_dependency 'activesupport'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.5.0'
+
+  s.add_development_dependency 'minitest', '~> 5.6'
+  s.add_development_dependency 'rake'
+end

data/shipit.rubygems.yml

@@ -0,0 +1 @@
+# using the default shipit config

data/spec/omniauth/strategies/duodealer_spec.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'omniauth-duodealer-oauth2'
+require 'base64'
+
+describe OmniAuth::Strategies::Duodealer do
+  before :each do
+    @request = double('Request',
+                      env: {})
+    @request.stub(:params) { {} }
+    @request.stub(:cookies) { {} }
+
+    @client_id = '123'
+    @client_secret = '53cr3tz'
+    @options = { client_options: { site: 'https://example.duodealer.com' } }
+  end
+
+  subject do
+    args = [@client_id, @client_secret, @options].compact
+    OmniAuth::Strategies::Duodealer.new(nil, *args).tap do |strategy|
+      strategy.stub(:request) { @request }
+      strategy.stub(:session) { {} }
+    end
+  end
+
+  describe '#fix_https' do
+    it 'replaces http scheme by https' do
+      @options = { client_options: { site: 'http://foo.bar/' } }
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+
+    it 'replaces http scheme by https with an immutable string' do
+      @options = { client_options: { site: 'http://foo.bar/' } }
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+
+    it 'does not replace https scheme' do
+      @options = { client_options: { site: 'https://foo.bar/' } }
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+  end
+
+  describe '#client' do
+    it 'has correct duodealer site' do
+      subject.client.site.should eq('https://example.duodealer.com')
+    end
+
+    it 'has correct authorize url' do
+      subject.client.options[:authorize_url].should eq('/admin/oauth/authorize')
+    end
+
+    it 'has correct token url' do
+      subject.client.options[:token_url].should eq('/admin/oauth/access_token')
+    end
+  end
+
+  describe '#callback_url' do
+    it 'returns value from #callback_url' do
+      url = 'http://auth.myapp.com/auth/callback'
+      @options = { callback_url: url }
+      subject.callback_url.should eq(url)
+    end
+
+    it 'defaults to callback' do
+      url_base = 'http://auth.request.com'
+      @request.stub(:url) { "#{url_base}/page/path" }
+      @request.stub(:scheme) { 'http' }
+      subject.stub(:script_name) { '' } # to not depend from Rack env
+      subject.callback_url.should eq("#{url_base}/auth/duodealer/callback")
+    end
+  end
+
+  describe '#authorize_params' do
+    it 'includes default scope for read_products' do
+      subject.authorize_params.should be_a(Hash)
+      subject.authorize_params[:scope].should eq('read_products')
+    end
+
+    it 'includes custom scope' do
+      @options = { scope: 'write_products' }
+      subject.authorize_params.should be_a(Hash)
+      subject.authorize_params[:scope].should eq('write_products')
+    end
+  end
+
+  describe '#uid' do
+    it 'returns the shop' do
+      subject.uid.should eq('example.duodealer.com')
+    end
+  end
+
+  describe '#credentials' do
+    before :each do
+      @access_token = double('OAuth2::AccessToken')
+      @access_token.stub(:token)
+      @access_token.stub(:expires?)
+      @access_token.stub(:expires_at)
+      @access_token.stub(:refresh_token)
+      subject.stub(:access_token) { @access_token }
+    end
+
+    it 'returns a Hash' do
+      subject.credentials.should be_a(Hash)
+    end
+
+    it 'returns the token' do
+      @access_token.stub(:token) { '123' }
+      subject.credentials['token'].should eq('123')
+    end
+
+    it 'returns the expiry status' do
+      @access_token.stub(:expires?) { true }
+      subject.credentials['expires'].should eq(true)
+
+      @access_token.stub(:expires?) { false }
+      subject.credentials['expires'].should eq(false)
+    end
+  end
+
+  describe '#valid_site?' do
+    it 'returns true if the site contains .duodealer.com' do
+      @options = { client_options: { site: 'http://foo.duodealer.com/' } }
+      subject.valid_site?.should eq(true)
+    end
+
+    it 'returns false if the site does not contain .duodealer.com' do
+      @options = { client_options: { site: 'http://foo.example.com/' } }
+      subject.valid_site?.should eq(false)
+    end
+
+    it 'uses configurable option for duodealer_domain' do
+      @options = { client_options: { site: 'http://foo.example.com/' }, duodealer_domain: 'example.com' }
+      subject.valid_site?.should eq(true)
+    end
+
+    it 'allows custom port for duodealer_domain' do
+      @options = { client_options: { site: 'http://foo.example.com:3456/' }, duodealer_domain: 'example.com:3456' }
+      subject.valid_site?.should eq(true)
+    end
+  end
+end

data/test/integration_test.rb

@@ -0,0 +1,454 @@
+require_relative 'test_helper'
+
+class IntegrationTest < Minitest::Test
+  def setup
+    build_app(scope: OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+  end
+
+  def teardown
+    FakeWeb.clean_registry
+    FakeWeb.last_request = nil
+  end
+
+  def test_authorize
+    response = authorize('snowdevil.duodealer.com')
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote(duodealer_authorize_url)}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal "123", redirect_params['client_id']
+    assert_equal "https://app.example.com/auth/duodealer/callback", redirect_params['redirect_uri']
+    assert_equal "read_products", redirect_params['scope']
+    assert_nil redirect_params['grant_options']
+  end
+
+  def test_authorize_includes_auth_type_when_per_user_permissions_are_requested
+    build_app(per_user_permissions: true)
+    response = authorize('snowdevil.duodealer.com')
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'per-user', redirect_params['grant_options[]']
+  end
+
+  def test_authorize_overrides_site_with_https_scheme
+    build_app setup: lambda { |env|
+      params = Rack::Utils.parse_query(env['QUERY_STRING'])
+      env['omniauth.strategy'].options[:client_options][:site] = "http://#{params['shop']}"
+    }
+
+    response = request.get('https://app.example.com/auth/duodealer?shop=snowdevil.duodealer.com')
+    assert_match %r{\A#{Regexp.quote(duodealer_authorize_url)}}, response.location
+  end
+
+  def test_site_validation
+    code = SecureRandom.hex(16)
+
+    [
+      'foo.example.com',                # shop doesn't end with .duodealer.com
+      'http://snowdevil.duodealer.com', # shop contains protocol
+      'snowdevil.duodealer.com/path',   # shop contains path
+      'user@snowdevil.duodealer.com',   # shop contains user
+      'snowdevil.duodealer.com:22',     # shop contains port
+    ].each do |shop, valid|
+      @shop = shop
+      response = authorize(shop)
+      assert_auth_failure(response, 'invalid_site')
+
+      response = callback(sign_with_new_secret(shop: shop, code: code))
+      assert_auth_failure(response, 'invalid_site')
+    end
+  end
+
+  def test_callback
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_legacy_signature
+    build_app scope: OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]).merge(signature: 'ignored'))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_custom_params
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+
+    expect_access_token_request(access_token, OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+
+    now = Time.now.to_i
+    params = { shop: 'snowdevil.duodealer.com', code: code, timestamp: now, next: '/products?page=2&q=red%20shirt', state: opts["rack.session"]["omniauth.state"] }
+    encoded_params = "code=#{code}&next=%2Fproducts%3Fpage%3D2%26q%3Dred%2520shirt&shop=snowdevil.duodealer.com&state=#{opts["rack.session"]["omniauth.state"]}&timestamp=#{now}"
+    params[:hmac] = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @secret, encoded_params)
+
+    response = callback(params)
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_spaces_in_scope
+    build_app scope: 'write_products, read_orders'
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'read_orders,write_products')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_rejects_invalid_hmac
+    @secret = 'wrong_secret'
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: SecureRandom.hex(16)))
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_old_timestamps
+    expired_timestamp = Time.now.to_i - OmniAuth::Strategies::Duodealer::CODE_EXPIRES_AFTER - 1
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: SecureRandom.hex(16), timestamp: expired_timestamp))
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_missing_hmac
+    code = SecureRandom.hex(16)
+
+    response = callback(shop: 'snowdevil.duodealer.com', code: code, timestamp: Time.now.to_i)
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_body_params
+    code = SecureRandom.hex(16)
+    params = sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code)
+    body = Rack::Utils.build_nested_query(unsigned: 'value')
+
+    response = request.get("https://app.example.com/auth/duodealer/callback?#{Rack::Utils.build_query(params)}",
+                           input: body,
+                           "CONTENT_TYPE" => 'application/x-www-form-urlencoded',
+                           'rack.session' => {
+                              'duodealer.omniauth_params' => { shop: 'snowdevil.duodealer.com' }
+                            })
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_provider_options
+    build_app scope: 'read_products,read_orders,write_content',
+              callback_path: '/admin/auth/legacy/callback',
+              duodealer_domain: 'duodealer.dev:3000',
+              setup: lambda { |env|
+                shop = Rack::Request.new(env).GET['shop']
+                shop += ".duodealer.dev:3000" unless shop.include?(".")
+                env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
+              }
+
+    response = request.get("https://app.example.com/auth/duodealer?shop=snowdevil.duodealer.dev:3000")
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("https://snowdevil.duodealer.dev:3000/admin/oauth/authorize?")}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'read_products,read_orders,write_content', redirect_params['scope']
+    assert_equal 'https://app.example.com/admin/auth/legacy/callback', redirect_params['redirect_uri']
+  end
+
+  def test_default_setup_reads_shop_from_session
+    build_app
+    response = authorize('snowdevil.duodealer.com')
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("https://snowdevil.duodealer.com/admin/oauth/authorize?")}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'https://app.example.com/auth/duodealer/callback', redirect_params['redirect_uri']
+  end
+
+  def test_unnecessary_read_scopes_are_removed
+    build_app scope: 'read_content,read_products,write_products',
+              callback_path: '/admin/auth/legacy/callback',
+              duodealer_domain: 'duodealer.dev:3000',
+              setup: lambda { |env|
+                shop = Rack::Request.new(env).GET['shop']
+                env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
+              }
+
+    response = request.get("https://app.example.com/auth/duodealer?shop=snowdevil.duodealer.dev:3000")
+    assert_equal 302, response.status
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'read_content,write_products', redirect_params['scope']
+  end
+
+  def test_callback_with_invalid_state_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: 'invalid'))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=csrf_detected&strategy=duodealer', response.location
+  end
+
+  def test_callback_with_mismatching_scope_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'some_invalid_scope', nil)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=duodealer', response.location
+  end
+
+  def test_callback_with_no_scope_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, nil)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=duodealer', response.location
+  end
+
+  def test_callback_with_missing_access_scope_fails
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'first_scope')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=duodealer', response.location
+  end
+
+  def test_callback_with_extra_access_scope_fails
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'second_scope,first_scope,third_scope')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=duodealer', response.location
+  end
+
+  def test_callback_with_scopes_out_of_order_works
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'second_scope,first_scope')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_extra_coma_works
+    build_app scope: 'read_content,,write_products,'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'read_content,write_products')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_when_per_user_permissions_are_present_but_not_requested
+    build_app(scope: 'scope', per_user_permissions: false)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=duodealer', response.location
+  end
+
+  def test_callback_when_per_user_permissions_are_not_present_but_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', nil)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=duodealer', response.location
+  end
+
+  def test_callback_works_when_per_user_permissions_are_present_and_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 200, response.status
+  end
+
+  def test_callback_when_a_session_is_present
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    session = SecureRandom.hex
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'}, session)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.duodealer.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 200, response.status
+  end
+
+  def test_callback_works_with_old_secret
+    build_app scope: OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE)
+
+    signed_params = sign_with_old_secret(
+      shop: 'snowdevil.duodealer.com',
+      code: code,
+      state: opts["rack.session"]["omniauth.state"]
+    )
+
+    response = callback(signed_params)
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_when_creds_are_invalid
+    build_app scope: OmniAuth::Strategies::Duodealer::DEFAULT_SCOPE
+
+    FakeWeb.register_uri(
+      :post,
+      "https://snowdevil.duodealer.com/admin/oauth/access_token",
+      status: [ "401", "Invalid token" ],
+      body: "Token is invalid or has already been requested"
+    )
+
+    signed_params = sign_with_new_secret(
+      shop: 'snowdevil.duodealer.com',
+      code: SecureRandom.hex(16),
+      state: opts["rack.session"]["omniauth.state"]
+    )
+
+    response = callback(signed_params)
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_credentials&strategy=duodealer', response.location
+  end
+
+  private
+
+  def sign_with_old_secret(params)
+    params = add_time(params)
+    encoded_params = OmniAuth::Strategies::Duodealer.encoded_params_for_signature(params)
+    params['hmac'] = OmniAuth::Strategies::Duodealer.hmac_sign(encoded_params, @old_secret)
+    params
+  end
+
+  def add_time(params)
+    params = params.dup
+    params[:timestamp] ||= Time.now.to_i
+    params
+  end
+
+  def sign_with_new_secret(params)
+    params = add_time(params)
+    encoded_params = OmniAuth::Strategies::Duodealer.encoded_params_for_signature(params)
+    params['hmac'] = OmniAuth::Strategies::Duodealer.hmac_sign(encoded_params, @secret)
+    params
+  end
+
+  def expect_access_token_request(access_token, scope, associated_user=nil, session=nil)
+    FakeWeb.register_uri(:post, "https://snowdevil.duodealer.com/admin/oauth/access_token",
+                         body: JSON.dump(
+                           access_token: access_token,
+                           scope: scope,
+                           associated_user: associated_user,
+                           session: session,
+    ),
+    content_type: 'application/json')
+  end
+
+  def assert_callback_success(response, access_token, code)
+    token_request_params = Rack::Utils.parse_query(FakeWeb.last_request.body)
+    assert_equal token_request_params['client_id'], '123'
+    assert_equal token_request_params['client_secret'], @secret
+    assert_equal token_request_params['code'], code
+
+    assert_equal 'snowdevil.duodealer.com', @omniauth_result.uid
+    assert_equal access_token, @omniauth_result.credentials.token
+    assert_equal false, @omniauth_result.credentials.expires
+
+    assert_equal 200, response.status
+    assert_equal "OK", response.body
+  end
+
+  def assert_auth_failure(response, reason)
+    assert_nil FakeWeb.last_request
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("/auth/failure?message=#{reason}")}}, response.location
+  end
+
+  def build_app(options={})
+    @old_secret = '12d34s1'
+    @secret = '53cr3tz'
+    options.merge!(old_client_secret: @old_secret)
+    app = proc { |env|
+      @omniauth_result = env['omniauth.auth']
+      [200, {Rack::CONTENT_TYPE => "text/plain"}, "OK"]
+    }
+
+    opts["rack.session"]["omniauth.state"] = SecureRandom.hex(32)
+    app = OmniAuth::Builder.new(app) do
+      provider :duodealer, '123', '53cr3tz' , options
+    end
+    @app = Rack::Session::Cookie.new(app, secret: SecureRandom.hex(64))
+  end
+
+  def shop
+    @shop ||= 'snowdevil.duodealer.com'
+  end
+
+  def authorize(shop)
+    @opts['rack.session']['duodealer.omniauth_params'] = { shop: shop }
+    request.get('https://app.example.com/auth/duodealer', opts)
+  end
+
+  def callback(params)
+    @opts['rack.session']['duodealer.omniauth_params'] = { shop: shop }
+    request.get("https://app.example.com/auth/duodealer/callback?#{Rack::Utils.build_query(params)}", opts)
+  end
+
+  def opts
+    @opts ||= { "rack.session" => {} }
+  end
+
+  def request
+    Rack::MockRequest.new(@app)
+  end
+
+  def duodealer_authorize_url
+    "https://snowdevil.duodealer.com/admin/oauth/authorize?"
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,11 @@
+$: << File.expand_path("../../lib", __FILE__)
+require 'bundler/setup'
+require 'omniauth-duodealer-oauth2'
+
+require 'minitest/autorun'
+require 'fakeweb'
+require 'json'
+require 'active_support/core_ext/hash'
+
+OmniAuth.config.logger = Logger.new(nil)
+FakeWeb.allow_net_connect = false

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-duodealer-oauth2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Eric Raio
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-02-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- eric@duodealer.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/probots.yml"
+- ".gitignore"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- Rakefile
+- example/Gemfile
+- example/config.ru
+- lib/omniauth-duodealer-oauth2.rb
+- lib/omniauth/duodealer.rb
+- lib/omniauth/duodealer/version.rb
+- lib/omniauth/strategies/duodealer.rb
+- omniauth-duodealer-oauth2.gemspec
+- shipit.rubygems.yml
+- spec/omniauth/strategies/duodealer_spec.rb
+- test/integration_test.rb
+- test/test_helper.rb
+homepage: https://gitlab.com/duodealer/omniauth-duodealer-oauth2
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.9
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: duodealer strategy for OmniAuth
+test_files:
+- spec/omniauth/strategies/duodealer_spec.rb
+- test/integration_test.rb
+- test/test_helper.rb