omniauth-fishbrain 0.9.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18b08b84c82f3c10704e309debd002b2a05bfba8c3f9392028325339fdab0f61
-  data.tar.gz: fc941f8c41c630491831e79f828f07621be3e1fc80ca91a7f7fe93f64cad926a
+  metadata.gz: 70b077fd97606f323245d0180a5a66e5ddb0dc92ec0670147242884bdc930319
+  data.tar.gz: e483cf58669ab9991b5f59fb5c89c918cebae4572eacec67fcf1b0a145eda569
 SHA512:
-  metadata.gz: 1ad8cff223e86137c99d924b0bdd8cf2146393738419b13163d2ae5dd69b3678967e71ce96f9cd8422b77080eaf6186edd9c1064ab9c4870e8d99dca5ff31848
-  data.tar.gz: cc450625016d5ee861732382fdf868ec42c4291f453358729f1d28c530978bd0d5bffd6e41a9e35b8c0b8fedade712a902c1f96ab4f06423f1f81c7f9a16e99d
+  metadata.gz: 4062fe761e149af6926a3757405da9769e86be530ad68f97f8b26343a518872bff85c36ca771bb0c3b9da40b67816b24e3ef1225bf3bc0e02c51bc943400dc09
+  data.tar.gz: b284b8dba51dc78102513bc6d3746c0ffac410a174f2a7700c00280610067ac6cc272edeb644e6e0500c789e3e6da88b0c696e26d5127cd4736296ea2ba11de7

data/README.markdown

@@ -0,0 +1,54 @@
+# OmniAuth Fishbrain
+
+This gem provides two OmniAuth strategies for Fishbrain.
+
+1. The `fishbrain` strategy is a standard Omniauth OAuth2 strategy for signing up and signing in
+2. The `fishbrain_id` strategy is intended for sharing a user's identity between services, typically from mobile app to 
+   server
+
+## Installation
+
+```ruby
+gem 'omniauth-fishbrain'
+```
+
+## Usage
+
+In production environments:
+
+```
+use OmniAuth::Builder do
+  provider :fishbrain, ENV.fetch('FISHBRAIN_CLIENT_ID'), ENV.fetch('FISHBRAIN_CLIENT_SECRET')
+  provider :fishbrain_id
+end
+```
+
+In development/test/staging environments:
+
+```
+use OmniAuth::Builder do
+  provider :fishbrain, ENV.fetch('FISHBRAIN_CLIENT_ID'), ENV.fetch('FISHBRAIN_CLIENT_SECRET'), 
+                       user_pool_id: 'eu-west-1_K2uP41DlP',
+                       client_options: {
+                         site: 'https://accounts-staging.fishbrain.com',
+                       }
+  provider :fishbrain_id, user_pool_id: 'eu-west-1_K2uP41DlP'
+end
+```
+
+`path_prefix` is supported too:
+
+```
+use OmniAuth::Builder do
+  ...
+
+  configure { |c| c.path_prefix = '/client/auth' }
+end
+```
+
+
+See [`/examples`](examples) for full example using Sinatra.
+
+## LICENSE
+
+[MIT](LICENSE)

data/lib/omniauth/fishbrain/verifies_id_token.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'jwt'
+
+module OmniAuth
+  module Fishbrain
+    module VerifiesIdToken
+      def id_token
+        @_id_token ||= begin
+          return {} unless raw_id_token
+
+          JWT.decode(raw_id_token, nil, true, decode_options).first
+        end
+      end
+
+      def decode_options
+        {
+          iss: iss,
+          aud: options[:client_id],
+          verify_aud: true,
+          verify_expiration: true,
+          verify_iat: true,
+          verify_iss: true,
+          verify_not_before: true,
+          leeway: options[:jwt_leeway],
+          algorithm: 'RS256',
+          jwks: jwks,
+        }
+      end
+
+      def iss
+        "https://cognito-idp.#{options[:aws_region]}.amazonaws.com/#{options[:user_pool_id]}"
+      end
+
+      def jwks
+        @_jwks ||= \
+          "#{iss}/.well-known/jwks.json"
+            .yield_self(&URI.method(:parse))
+            .yield_self(&Net::HTTP.method(:get))
+            .yield_self { |it| JSON.parse(it, symbolize_names: true) }
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/fishbrain.rb

@@ -1,84 +1,58 @@
 # frozen_string_literal: true
 
 require 'omniauth-oauth2'
-require 'jwt'
+require 'omniauth/fishbrain/verifies_id_token'
 
 module OmniAuth
   module Strategies
-    # OmniAuth Strategy for Fishbrain
     class Fishbrain < OmniAuth::Strategies::OAuth2
+      include OmniAuth::Fishbrain::VerifiesIdToken
+
       option :name, 'fishbrain'
-      option :client_options,
-             site: 'https://accounts.fishbrain.com',
-             authorize_url: '/oauth2/authorize',
-             token_url: '/oauth2/token',
-             auth_scheme: :basic_auth
+      option :client_options, site: 'https://accounts.fishbrain.com',
+                              authorize_url: '/oauth2/authorize',
+                              token_url: '/oauth2/token',
+                              auth_scheme: :basic_auth
       option :scope, 'email openid profile'
-      option :jwt_leeway, 60
       option :user_pool_id, 'eu-west-1_5r0WbR8OH'
       option :aws_region, 'eu-west-1'
+      option :jwt_leeway, 60
 
       uid do
-        parsed_id_token['sub'] if parsed_id_token
+        id_token['sub']
       end
 
       info do
-        if parsed_id_token
-          {
-            name: parsed_id_token['name'],
-            email: parsed_id_token['email'],
-            phone: parsed_id_token['phone_number']
-          }
-        end
+        {
+          given_name: id_token['given_name'],
+          email: id_token['email'],
+          phone: id_token['phone_number'],
+        }
       end
 
       credentials do
-        { token: access_token.token }.tap do |hash|
-          hash[:refresh_token] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
-          hash[:expires_at] = access_token.expires_at if access_token.expires?
-          hash[:expires] = access_token.expires?
-          hash[:id_token] = id_token if id_token
+        hash = { token: access_token.token }
+        if access_token.expires?
+          hash[:refresh_token] = access_token.refresh_token if access_token.refresh_token
+          hash[:expires_at] = access_token.expires_at
         end
+        hash[:expires] = access_token.expires?
+        hash[:id_token] = access_token['id_token'] if access_token['id_token']
+        hash
       end
 
       extra do
-        { raw_info: parsed_id_token.reject { |key| %w[iss aud exp iat token_use nbf].include?(key) } }
+        { raw_info: id_token.reject { |key| %w[iss aud exp iat token_use].include?(key) } }
       end
 
       private
 
-      # Override this method to remove the query string from the callback_url because Cognito
-      # requires an exact match
-      def build_access_token
-        client.auth_code.get_token(
-          request.params['code'],
-          { redirect_uri: callback_url.split('?').first }.merge(token_params.to_hash(symbolize_keys: true)),
-          deep_symbolize(options.auth_token_params)
-        )
+      def callback_url
+        full_host + script_name + callback_path
       end
 
-      def id_token
-        access_token && access_token['id_token']
-      end
-
-      def parsed_id_token
-        return nil unless id_token
-
-        @parsed_id_token ||= JWT.decode(
-          id_token,
-          nil,
-          false,
-          verify_iss: options[:aws_region] && options[:user_pool_id],
-          iss: "https://cognito-idp.#{options[:aws_region]}.amazonaws.com/#{options[:user_pool_id]}",
-          verify_aud: true,
-          aud: options[:client_id],
-          verify_sub: true,
-          verify_expiration: true,
-          verify_not_before: true,
-          verify_iat: true,
-          verify_jti: false,
-          leeway: options[:jwt_leeway]
-        ).first
+      def raw_id_token
+        access_token['id_token']
       end
     end
   end

data/lib/omniauth/strategies/fishbrain_id.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal:true
+
+require 'omniauth/fishbrain/verifies_id_token'
+
+module OmniAuth
+  module Strategies
+    class FishbrainId
+      include OmniAuth::Strategy
+      include OmniAuth::Fishbrain::VerifiesIdToken
+
+      option :name, 'fishbrain_id'
+      option :user_pool_id, 'eu-west-1_5r0WbR8OH'
+      option :client_id, nil
+      option :aws_region, 'eu-west-1'
+      option :jwt_leeway, 60
+
+      uid do
+        id_token['sub']
+      end
+
+      info do
+        {
+          given_name: id_token['given_name'],
+          email: id_token['email'],
+          phone: id_token['phone_number'],
+        }
+      end
+
+      extra do
+        { raw_info: id_token.reject { |key| %w[iss aud exp iat token_use].include?(key) } }
+      end
+
+      def callback_phase
+        if raw_id_token
+          id_token
+          super
+        else
+          fail! :missing_id_token
+        end
+      rescue JWT::ExpiredSignature
+        fail! :invalid_id_token
+      end
+
+      def request_phase
+        redirect callback_url
+      end
+
+      private
+
+      def raw_id_token
+        request.params['id_token']
+      end
+    end
+  end
+end

data/lib/{omniauth/fishbrain → omniauth-fishbrain}/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Fishbrain
-    VERSION = '0.9.0'
+    VERSION = '0.10.0'
   end
 end

data/lib/omniauth-fishbrain.rb

@@ -1,3 +1,5 @@
 # frozen_string_literal: true
 
-require 'omniauth/fishbrain'
+require 'omniauth-fishbrain/version'
+require 'omniauth/strategies/fishbrain'
+require 'omniauth/strategies/fishbrain_id'

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-fishbrain
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Erik Dalen
+- Fishbrain AB
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-10 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -38,27 +39,21 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
-description: A Fishbrain strategy for OmniAuth 1.x. This allows you to login to Fishbrain
-  with your ruby app.
+description: 
 email:
 - erik.dalen@fishbrain.com
+- developer@fishbrain.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
 - LICENSE
-- README.md
-- examples/sinatra/Gemfile
-- examples/sinatra/fishbrain_example.rb
-- examples/sinatra/views/auth_failure.haml
-- examples/sinatra/views/callback.haml
-- examples/sinatra/views/index.haml
+- README.markdown
 - lib/omniauth-fishbrain.rb
-- lib/omniauth/fishbrain.rb
-- lib/omniauth/fishbrain/version.rb
+- lib/omniauth-fishbrain/version.rb
+- lib/omniauth/fishbrain/verifies_id_token.rb
 - lib/omniauth/strategies/fishbrain.rb
-- omniauth-fishbrain.gemspec
+- lib/omniauth/strategies/fishbrain_id.rb
 homepage: https://github.com/fishbrain/omniauth-fishbrain
 licenses:
 - MIT
@@ -71,16 +66,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: A Fishbrain strategy for OmniAuth 1.x
+summary: OmniAuth strategy for Fishbrain
 test_files: []

data/.gitignore

@@ -1,56 +0,0 @@
-*.gem
-*.rbc
-/.config
-/coverage/
-/InstalledFiles
-/pkg/
-/spec/reports/
-/spec/examples.txt
-/test/tmp/
-/test/version_tmp/
-/tmp/
-
-# Used by dotenv library to load environment variables.
-# .env
-
-# Ignore Byebug command history file.
-.byebug_history
-
-## Specific to RubyMotion:
-.dat*
-.repl_history
-build/
-*.bridgesupport
-build-iPhoneOS/
-build-iPhoneSimulator/
-
-## Specific to RubyMotion (use of CocoaPods):
-#
-# We recommend against adding the Pods directory to your .gitignore. However
-# you should judge for yourself, the pros and cons are mentioned at:
-# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
-#
-# vendor/Pods/
-
-## Documentation cache and generated files:
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-
-## Environment normalization:
-/.bundle/
-/vendor/bundle
-/lib/bundler/man/
-
-# for a library or gem, you might want to ignore these files since the code is
-# intended to run in multiple environments; otherwise, check them in:
-# Gemfile.lock
-# .ruby-version
-# .ruby-gemset
-
-# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
-.rvmrc
-
-# Used by RuboCop. Remote config files pulled in from inherit_from directive.
-# .rubocop-https?--*

data/README.md

@@ -1,25 +0,0 @@
-# omniauth-fishbrain
-
-OmniAuth strategy for authenticating with Fishbrain
-
-## Installation
-
-Add to your `Gemfile`:
-
-```ruby
-gem 'omniauth-google-oauth2'
-```
-
-Then `bundle install`.
-
-## Usage
-
-Add something like the following to add the fishbrain authentication stategy.
-
-```
-  use OmniAuth::Builder do
-    provider :fishbrain, ENV.fetch('FISHBRAIN_CLIENT_ID'), ENV.fetch('FISHBRAIN_CLIENT_SECRET')
-  end
-```
-
-See `/examples` for a full example using Sinatra & Omniauth.

data/examples/sinatra/Gemfile

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-git_source(:github) {|repo_name| 'https://github.com/#{repo_name}' }
-
-gem 'sinatra'
-gem 'omniauth'
-gem 'haml'
-gem 'omniauth-fishbrain'

data/examples/sinatra/fishbrain_example.rb

@@ -1,34 +0,0 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-require 'sinatra/base'
-require 'omniauth'
-require 'omniauth-fishbrain'
-require 'pp'
-
-# Example Sinatra+Omniauth+Fishbrain app
-class FishbrainExample < Sinatra::Application
-  configure do
-    set :sessions, true
-    set :haml, format: :html5
-  end
-  use OmniAuth::Builder do
-    provider :fishbrain,
-             ENV.fetch('FISHBRAIN_CLIENT_ID'),
-             ENV.fetch('FISHBRAIN_CLIENT_SECRET')
-  end
-
-  get '/' do
-    haml :index
-  end
-
-  get '/auth/failure' do
-    haml :auth_failure
-  end
-
-  get '/auth/:provider/callback' do
-    haml :callback
-  end
-
-  run! if app_file == $PROGRAM_NAME
-end

data/examples/sinatra/views/auth_failure.haml

@@ -1,10 +0,0 @@
-!!!
-%html
-  %head
-    %title
-      Cognito auth example
-  %body
-    %h1
-      Authentication failure
-
-    %pre= params['message']

data/examples/sinatra/views/callback.haml

@@ -1,9 +0,0 @@
-!!!
-%html
-  %head
-    %title
-      Cognito auth example
-  %body
-    %h1= params[:provider]
-
-    %pre= request.env['omniauth.auth'].pretty_inspect

data/examples/sinatra/views/index.haml

@@ -1,14 +0,0 @@
-!!!
-%html
-  %head
-    %title
-      Cognito auth example
-  %body
-    %h1
-      Welcome
-
-    %a{ href: "/auth/fishbrain" }
-      Log in with Fishbrain
-
-    %a{ href: "/auth/cognito-idp" }
-      Log in with Cognito

data/lib/omniauth/fishbrain.rb

@@ -1,3 +0,0 @@
-# frozen_string_literal: true
-
-require 'omniauth/strategies/fishbrain'

data/omniauth-fishbrain.gemspec

@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-require File.expand_path(
-  File.join('..', 'lib', 'omniauth', 'fishbrain', 'version'),
-  __FILE__
-)
-
-Gem::Specification.new do |gem|
-  gem.name          = 'omniauth-fishbrain'
-  gem.version       = OmniAuth::Fishbrain::VERSION
-  gem.license       = 'MIT'
-  gem.summary       = %(A Fishbrain strategy for OmniAuth 1.x)
-  gem.description   = %(A Fishbrain strategy for OmniAuth 1.x. This allows you to login to Fishbrain with your ruby app.)
-  gem.authors       = ['Erik Dalen']
-  gem.email         = ['erik.dalen@fishbrain.com']
-  gem.homepage      = 'https://github.com/fishbrain/omniauth-fishbrain'
-
-  gem.files         = `git ls-files`.split("\n")
-  gem.require_paths = ['lib']
-
-  gem.required_ruby_version = '>= 2.2'
-
-  gem.add_runtime_dependency 'jwt', '~> 2.0'
-  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.6'
-end