RubyGems - omniauth-google-oauth2 - Versions diffs - 0.1.13 → 0.1.15 - Mend

omniauth-google-oauth2 0.1.13 → 0.1.15

Files changed (6) hide show

data/README.md +89 -3
data/examples/config.ru +2 -0
data/lib/omniauth/google_oauth2/version.rb +1 -1
data/lib/omniauth/strategies/google_oauth2.rb +26 -7
data/spec/omniauth/strategies/google_oauth2_spec.rb +72 -2
metadata +4 -4

data/README.md CHANGED Viewed

@@ -1,8 +1,94 @@
 # OmniAuth Google OAuth2 Strategy
-Strategy to auth with Google via OAuth2 in OmniAuth.
+Strategy to authenticate with Google via OAuth2 in OmniAuth.
-Get your API key at https://code.google.com/apis/console/
+Get your API key at: https://code.google.com/apis/console/
+For more details, read the Google docs: https://developers.google.com/accounts/docs/OAuth2
+## Installation
+Add to your `Gemfile`:
+```ruby
+gem "omniauth-google-oauth2"
+```
+Then `bundle install`.
+## Usage
+Here's an example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :google_oauth2, ENV["GOOGLE_KEY"], ENV["GOOGLE_SECRET"]
+end
+```
+You can now access the OmniAuth Google OAuth2 URL: `/auth/google_oauth2`
+## Configuration
+You can configure several options, which you pass in to the `provider` method via a hash:
+* `scope`: A comma-separated list, without spaces, of permissions you want to request from the user. See the [Google OAuth 2.0 Playground](https://developers.google.com/oauthplayground/) for a full list of available permissions. Caveats:
+  * The `userinfo.email` and `userinfo.profile` scopes are used by default. By defining your own `scope`, you override these defaults. If you need these scopes, don't forget to add them yourself!
+  * Scopes starting with `https://www.googleapis.com/auth/` do not need that prefix specified. So while you should use the smaller scope `books` since that permission starts with the mentioned prefix, you should use the full scope URL `https://docs.google.com/feeds/` to access a user's docs, for example.
+* `approval_prompt`: Determines whether the user is always re-prompted for consent. It's set to `force` by default so a user sees a consent page even if he has previously allowed access a given set of scopes. Set this value to `auto` so that the user only sees the consent page the first time he authorizes a given set of scopes.
+* `access_type`: Defaults to `offline`, so a refresh token is sent to be used when the user is not present at the browser. Can be set to `online`.
+Here's an example of a possible configuration where the user is asked for extra permissions and is only prompted once for such permissions:
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :google_oauth2, ENV["GOOGLE_KEY"], ENV["GOOGLE_SECRET"],
+           {
+             :scope => "userinfo.email,userinfo.profile,plus.me,http://gdata.youtube.com",
+             :approval_prompt => "auto"
+           }
+end
+```
+## Auth Hash
+Here's an example of an authentication hash available in the callback by accessing `request.env["omniauth.auth"]`:
+```ruby
+{
+    :provider => "google_oauth2",
+    :uid => "123456789",
+    :info => {
+        :name => "John Doe",
+        :email => "john@company_name.com",
+        :first_name => "John",
+        :last_name => "Doe",
+        :image => "https://lh3.googleusercontent.com/url/photo.jpg"
+    },
+    :credentials => {
+        :token => "token",
+        :refresh_token => "another_token",
+        :expires_at => 1354920555,
+        :expires => true
+    },
+    :extra => {
+        :raw_info => {
+            :id => "123456789",
+            :email => "user@domain.example.com",
+            :verified_email => true,
+            :name => "John Doe",
+            :given_name => "John",
+            :family_name => "Doe",
+            :link => "https://plus.google.com/123456789",
+            :picture => "https://lh3.googleusercontent.com/url/photo.jpg",
+            :gender => "male",
+            :birthday => "0000-06-25",
+            :locale => "en",
+            :hd => "company_name.com"
+        }
+    }
+}
+```
 ## License
@@ -12,4 +98,4 @@ Permission is hereby granted, free of charge, to any person obtaining a copy of
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/examples/config.ru CHANGED Viewed

@@ -8,6 +8,8 @@ require 'sinatra'
 require 'omniauth'
 require 'omniauth-google-oauth2'
+# Do not use for production code.
+# This is only to make setup easier when running through the sample.
 OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
 class App < Sinatra::Base

data/lib/omniauth/google_oauth2/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module GoogleOauth2
-    VERSION = "0.1.13"
+    VERSION = "0.1.15"
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb CHANGED Viewed

@@ -20,8 +20,8 @@ module OmniAuth
         base_scope_url = "https://www.googleapis.com/auth/"
         super.tap do |params|
           # Read the params if passed directly to omniauth_authorize_path
-          %w(scope approval_prompt access_type state hd).each do |k|
-            params[k.to_sym] = request.params[k] unless [nil, ''].include?(request.params[k])
+          options[:authorize_options].each do |k|
+            params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
           end
           scopes = (params[:scope] || DEFAULT_SCOPE).split(",")
           scopes.map! { |s| s =~ /^https?:\/\// ? s : "#{base_scope_url}#{s}" }
@@ -43,7 +43,10 @@ module OmniAuth
           :email      => verified_email,
           :first_name => raw_info['given_name'],
           :last_name  => raw_info['family_name'],
-          :image      => raw_info['picture']
+          :image      => raw_info['picture'],
+          :urls => {
+            'Google' => raw_info['link']
+          }
         })
       end
@@ -57,11 +60,19 @@ module OmniAuth
         @raw_info ||= access_token.get('https://www.googleapis.com/oauth2/v1/userinfo').parsed
       end
-      private
-      def request_has_approval_prompt
-        request.env && request.params && request.params['approval_prompt']
+      def build_access_token_with_access_token
+        if !request.params['id_token'].nil? &&
+            !request.params['access_token'].nil? &&
+            verify_token(request.params['id_token'], request.params['access_token'])
+          ::OAuth2::AccessToken.from_hash(client, request.params.dup)
+        else
+          build_access_token_without_access_token
+        end
       end
+      alias_method :build_access_token_without_access_token, :build_access_token
+      alias :build_access_token :build_access_token_with_access_token
+      private
       def prune!(hash)
         hash.delete_if do |_, value|
@@ -74,6 +85,14 @@ module OmniAuth
         raw_info['verified_email'] ? raw_info['email'] : nil
       end
+      def verify_token(id_token, access_token)
+        # Verify id_token as well
+        # request fails and raises error when id_token or access_token is invalid
+        raw_response = client.request(:get, 'https://www.googleapis.com/oauth2/v2/tokeninfo',
+            params: {id_token: id_token, access_token: access_token}).parsed
+        raw_response['issued_to'] == options.client_id
+      end
     end
   end
 end

data/spec/omniauth/strategies/google_oauth2_spec.rb CHANGED Viewed

@@ -46,9 +46,9 @@ describe OmniAuth::Strategies::GoogleOauth2 do
   end
   describe '#authorize_params' do
-    %w(approval_prompt access_type state hd).each do |k|
+    %w(approval_prompt access_type state hd any_other).each do |k|
       it "should set the #{k} authorize option dynamically in the request" do
-        @options = {k.to_sym => ''}
+        @options = {:authorize_options => [k.to_sym], k.to_sym => ''}
         subject.stub(:request) { double('Request', {:params => { k => 'something' }, :env => {}}) }
         subject.authorize_params[k].should eq('something')
       end
@@ -139,4 +139,74 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       subject.extra.should_not have_key(:raw_info)
     end
   end
+  describe 'populate auth hash url' do
+    it 'should populate url map in auth hash if link present in raw_info' do
+      subject.stub(:raw_info) { { 'name' => 'Foo', 'link' => 'https://plus.google.com/123456' } }
+      subject.info[:urls]['Google'].should eq('https://plus.google.com/123456')
+    end
+    it 'should not populate url map in auth hash if no link present in raw_info' do
+      subject.stub(:raw_info) { { 'name' => 'Foo' } }
+      subject.info.should_not have_key(:urls)
+    end
+  end
+  describe 'build_access_token' do
+    it 'should read access_token from hash' do
+      @request.stub(:params).and_return('id_token' => 'valid_id_token', 'access_token' => 'valid_access_token')
+      subject.should_receive(:verify_token).with('valid_id_token', 'valid_access_token').and_return true
+      subject.should_receive(:client).and_return(:client)
+      token = subject.build_access_token
+      token.should be_instance_of(::OAuth2::AccessToken)
+      token.token.should eq('valid_access_token')
+      token.client.should eq(:client)
+    end
+    it 'should call super' do
+      subject.should_receive(:build_access_token_without_access_token)
+      subject.build_access_token
+    end
+  end
+  describe 'verify_token' do
+    before(:each) do
+      subject.options.client_options[:connection_build] = proc do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v2/tokeninfo?id_token=valid_id_token&access_token=valid_access_token') do |env|
+            [200, {'Content-Type' => 'application/json; charset=UTF-8'}, MultiJson.encode(
+              :issued_to => '000000000000.apps.googleusercontent.com',
+              :audience => '000000000000.apps.googleusercontent.com',
+              :user_id => '000000000000000000000',
+              :scope => 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
+              :expires_in => 3514,
+              :email => 'me@example.com',
+              :verified_email => true,
+              :access_type => 'online'
+            )]
+          end
+          stub.get('/oauth2/v2/tokeninfo?id_token=invalid_id_token&access_token=invalid_access_token') do |env|
+            [400, {'Content-Type' => 'application/json; charset=UTF-8'}, MultiJson.encode(:error_description => 'Invalid Value')]
+          end
+        end
+      end
+    end
+    it 'should verify token if access_token and id_token are valid and app_id equals' do
+      subject.options.client_id =  '000000000000.apps.googleusercontent.com'
+      subject.send(:verify_token, 'valid_id_token', 'valid_access_token').should == true
+    end
+    it 'should not verify token if access_token and id_token are valid but app_id is false' do
+      subject.send(:verify_token, 'valid_id_token', 'valid_access_token').should == false
+    end
+    it 'should raise error if access_token or id_token is invalid' do
+      expect {
+        subject.send(:verify_token, 'invalid_id_token', 'invalid_access_token')
+      }.to raise_error(OAuth2::Error)
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.1.13
+  version: 0.1.15
   prerelease:
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-07-15 00:00:00.000000000 Z
+date: 2013-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -112,7 +112,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1263356288876244939
+      hash: -4040101131185532486
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -121,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1263356288876244939
+      hash: -4040101131185532486
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24