omniauth-google-oauth2 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c7d06ea95829577b987b0c3f38361bbf0d53ac9c
-  data.tar.gz: ddade281a6be78eb43318effaee6fe1eb0c748ca
+  metadata.gz: 6b57c40e8b39a0932e633667e017b25c97d3d180
+  data.tar.gz: d6f8aa07b0c1b3ca79aa00a84612952e2f353393
 SHA512:
-  metadata.gz: 8515c0e13e3eeb43fb96b53ffd989126044dddf06c3f6e510b903eee69edc49cde9915e82d547fe77004124c5dbd6eec1166a3cbe78b1e9795a56228df540c9e
-  data.tar.gz: 41c8b9757efade6cf94c50f29d564c94286f2debb2bb8ed9983923d964b3a6076debb238a02cb92488cd590d6937a8c8b583305076d88be59aa7146c86f8132f
+  metadata.gz: 7c3664503247fc376a4ec1ea968ae68f15ff6020c178fdf57b50c4320858a184fc41b30fca322f021e525e5f62a317a3c568fe02b5ec3934ef63ca26ec0e8163
+  data.tar.gz: ccbda37d179cd87d31f92a60564120d6fca75013c990ec87583155e81bd8a51ee3f163a69d86929e38e3f151970d61327c007a670df532d4c430d67dc43ee82d

data/.travis.yml

@@ -2,10 +2,11 @@ before_install:
   - gem update --system 2.1.11
 language: ruby
 rvm:
-  - "1.9.2"
   - "1.9.3"
   - "2.0.0"
   - "2.1.0"
+  - "2.2.0"
+  - "2.3.0"
   - "rbx"
   - "jruby"
 matrix:

data/CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 0.3.1 - 2016-01-28
+
+### Added
+- Verify Hosted Domain if hd is set in options.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Dependency on addressable.
+
+### Fixed
+- Nothing.
+
 ## 0.3.0 - 2016-01-09
 
 ### Added

data/README.md

@@ -1,3 +1,6 @@
+[![Gem Version](https://badge.fury.io/rb/omniauth-google-oauth2.svg)](https://badge.fury.io/rb/omniauth-google-oauth2)
+[![Build Status](https://travis-ci.org/zquestz/omniauth-google-oauth2.png)](https://travis-ci.org/zquestz/omniauth-google-oauth2)
+
 # OmniAuth Google OAuth2 Strategy
 
 Strategy to authenticate with Google via OAuth2 in OmniAuth.
@@ -22,7 +25,7 @@ Then `bundle install`.
 
 * Go to 'https://console.developers.google.com'
 * Select your project.
-* Click 'APIs & auth'
+* Click 'Enable and manage APIs'.
 * Make sure "Contacts API" and "Google+ API" are on.
 * Go to Credentials, then select the "OAuth consent screen" tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
 * Wait 10 minutes for changes to take effect.
@@ -225,6 +228,8 @@ This flow is immune to replay attacks, and conveys no useful information to a ma
 The omniauth-google-oauth2 gem supports this mode of operation out of the box.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
 
 ```javascript
+// Basic hybrid auth example following the pattern at:
+// https://developers.google.com/api-client-library/javascript/features/authentication#Authexample
 jQuery(function() {
   return $.ajax({
     url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
@@ -234,18 +239,28 @@ jQuery(function() {
 });
 
 window.gpAsyncInit = function() {
+  gapi.auth.authorize({
+    immediate: true,
+    response_type: 'code',
+    cookie_policy: 'single_host_origin',
+    client_id: 'YOUR_CLIENT_ID',
+    scope: 'email profile'
+  }, function(response) {
+    return;
+  });
   $('.googleplus-login').click(function(e) {
     e.preventDefault();
     gapi.auth.authorize({
-      immediate: true,
+      immediate: false,
       response_type: 'code',
       cookie_policy: 'single_host_origin',
-      client_id: '000000000000.apps.googleusercontent.com',
+      client_id: 'YOUR_CLIENT_ID',
       scope: 'email profile'
     }, function(response) {
       if (response && !response.error) {
-        // google authentication succeed, now post data to server and handle data securely
-        jQuery.ajax({type: 'POST', url: "/auth/google_oauth2/callback", data: response,
+        // google authentication succeed, now post data to server.
+        jQuery.ajax({type: 'POST', url: "/auth/google_oauth2/callback", 
+data: response,
           success: function(data) {
             // response from server
           }
@@ -256,6 +271,7 @@ window.gpAsyncInit = function() {
     });
   });
 };
+
 ```
 
 ### Omniauth state
@@ -285,10 +301,6 @@ Just set the `full_host` in OmniAuth based on the Rails.env.
 OmniAuth.config.full_host = Rails.env.production? ? 'https://domain.com' : 'http://localhost:3000'
 ```
 
-## Build Status
-[![Build Status](https://travis-ci.org/zquestz/omniauth-google-oauth2.png)](https://travis-ci.org/zquestz/omniauth-google-oauth2)
-
-
 ## License
 
 Copyright (c) 2015 by Josh Ellithorpe

data/examples/auth.js

@@ -0,0 +1,43 @@
+// Basic hybrid auth example following the pattern at:
+// https://developers.google.com/api-client-library/javascript/features/authentication#Authexample
+jQuery(function() {
+  return $.ajax({
+    url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
+    dataType: 'script',
+    cache: true
+  });
+});
+
+window.gpAsyncInit = function() {
+  gapi.auth.authorize({
+    immediate: true,
+    response_type: 'code',
+    cookie_policy: 'single_host_origin',
+    client_id: 'YOUR_CLIENT_ID',
+    scope: 'email profile'
+  }, function(response) {
+    return;
+  });
+  $('.googleplus-login').click(function(e) {
+    e.preventDefault();
+    gapi.auth.authorize({
+      immediate: false,
+      response_type: 'code',
+      cookie_policy: 'single_host_origin',
+      client_id: 'YOUR_CLIENT_ID',
+      scope: 'email profile'
+    }, function(response) {
+      if (response && !response.error) {
+        // google authentication succeed, now post data to server. 
+        jQuery.ajax({type: 'POST', url: "/auth/google_oauth2/callback", 
+data: response,
+          success: function(data) {
+            // response from server
+          }
+        });
+      } else {
+        // google authentication failed
+      }
+    });
+  });
+};

data/lib/omniauth/google_oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module GoogleOauth2
-    VERSION = "0.3.0"
+    VERSION = "0.3.1"
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -1,7 +1,7 @@
 require 'multi_json'
 require 'jwt'
 require 'omniauth/strategies/oauth2'
-require 'addressable/uri'
+require 'uri'
 
 module OmniAuth
   module Strategies
@@ -90,6 +90,7 @@ module OmniAuth
       end
 
       def custom_build_access_token
+        access_token =
         if request.xhr? && request.params['code']
           verifier = request.params['code']
           client.auth_code.get_token(verifier, get_token_options('postmessage'), deep_symbolize(options.auth_token_params || {}))
@@ -103,6 +104,9 @@ module OmniAuth
           verifier = request.params["code"]
           client.auth_code.get_token(verifier, get_token_options(callback_url), deep_symbolize(options.auth_token_params))
         end
+
+        verify_hd(access_token)
+        access_token
       end
       alias_method :build_access_token, :custom_build_access_token
 
@@ -130,7 +134,7 @@ module OmniAuth
       def image_url
         return nil unless raw_info['picture']
 
-        u = Addressable::URI.parse(raw_info['picture'].gsub('https:https', 'https'))
+        u = URI.parse(raw_info['picture'].gsub('https:https', 'https'))
 
         path_index = u.path.to_s.index('/photo.jpg')
 
@@ -139,7 +143,7 @@ module OmniAuth
           u.path = u.path.gsub('//', '/')
         end
 
-        u.query_values = strip_unnecessary_query_parameters(u.query_values)
+        u.query = strip_unnecessary_query_parameters(u.query)
 
         u.to_s
       end
@@ -161,16 +165,18 @@ module OmniAuth
         '/' + image_params.join('-')
       end
 
-      def strip_unnecessary_query_parameters(query_values)
+      def strip_unnecessary_query_parameters(query_parameters)
         # strip `sz` parameter (defaults to sz=50) which overrides `image_size` options
-        return nil unless query_values
+        return nil if query_parameters.nil?
 
-        query_hash = query_values.delete_if { |key, value| key == "sz" }
+        params = CGI.parse(query_parameters)
+        stripped_params = params.delete_if { |key| key == "sz" }
 
-        # an empty Hash would cause a ? character in the URL: http://image.url?
-        return nil if query_hash.empty?
+        # don't return an empty Hash since that would result
+        # in URLs with a trailing ? character: http://image.url?
+        return nil if stripped_params.empty?
 
-        query_hash
+        URI.encode_www_form(stripped_params)
       end
 
       def verify_token(access_token)
@@ -179,6 +185,13 @@ module OmniAuth
                                       params: { access_token: access_token }).parsed
         raw_response['aud'] == options.client_id
       end
+
+      def verify_hd(access_token)
+        return true unless options.hd
+        @raw_info ||= access_token.get('https://www.googleapis.com/plus/v1/people/me/openIdConnect').parsed
+        raise CallbackError.new(:invalid_hd, "Invalid Hosted Domain") unless @raw_info['hd'] == options.hd
+        true
+      end
     end
   end
 end

data/omniauth-google-oauth2.gemspec

@@ -18,7 +18,6 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'omniauth-oauth2', '>= 1.3.1'
   gem.add_runtime_dependency 'jwt', '~> 1.0'
   gem.add_runtime_dependency 'multi_json', '~> 1.3'
-  gem.add_runtime_dependency 'addressable', '~> 2.3'
 
   gem.add_development_dependency 'rspec', '>= 2.14.0'
   gem.add_development_dependency 'rake'

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -590,4 +590,36 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       }.to raise_error(OAuth2::Error)
     end
   end
+
+  describe 'verify_hd' do
+    let(:client) do
+      OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/plus/v1/people/me/openIdConnect') do |env|
+            [200, {'Content-Type' => 'application/json; charset=UTF-8'}, MultiJson.encode(
+              :hd => 'example.com',
+            )]
+          end
+        end
+      end
+    end
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+
+    it 'should verify hd if options hd is not set' do
+      expect(subject.send(:verify_hd, access_token)).to eq(true)
+    end
+
+    it 'should verify hd if options hd is set and correct' do
+      subject.options.hd = 'example.com'
+      expect(subject.send(:verify_hd, access_token)).to eq(true)
+    end
+
+    it 'should raise error if options hd is set and wrong' do
+      subject.options.hd = 'invalid.com'
+      expect {
+        subject.send(:verify_hd, access_token)
+      }.to raise_error(OmniAuth::Strategies::GoogleOauth2::CallbackError)
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Josh Ellithorpe
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-09 00:00:00.000000000 Z
+date: 2016-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -67,20 +67,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: addressable
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -123,6 +109,7 @@ files:
 - README.md
 - Rakefile
 - examples/Gemfile
+- examples/auth.js
 - examples/config.ru
 - examples/omni_auth.rb
 - lib/omniauth-google-oauth2.rb