omniauth-google-oauth2 1.0.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 278efb11e955abf864c2d163e1f1631a271ba34660fa166a4f65b56691ccab0d
-  data.tar.gz: 574e6d6b5f3dacfa271ba24a8999e104c74db64482860b6ba095938a6dc7c1b0
+  metadata.gz: '0532842d8362fc36a8797376dc54e09b1d11fa178d462114225eecbe87274785'
+  data.tar.gz: 63b1d0a5a3a6249b77b58cbfa4e696ae18748b59280cb73f36cb98f88abd98c1
 SHA512:
-  metadata.gz: 22006de20bc8355329cdca2c9e41a15959e192dcd4c970d1ca6acc8dd149f0fb1eedc313351cc39072e51ea5b219ebb6968b2e178995397d14f58b5117b18c53
-  data.tar.gz: b54fe6ca226e39f05705837eb8a390247df3a4fc615c7aab798009b63fd830ad7c21df7536ffa9fefffc4ff6c3586c6067ba5d15ac4d192b88892b3080c753f6
+  metadata.gz: 6d6f34a8629057f1f89d613155567d0bb50917648794e64527976ba7ca4c372ed8806fd57bbe5cec55d2d60545ef2e9bd038da80e1101b96642018f1d8226951
+  data.tar.gz: b00da9be3e3f97af0cdfe9a15be3d99126176a26bc21337febb893be88949da0573b4f6a843fbedac3dc982a4fda29ca532b63d3a1272fc8544468b3a42d32aa

data/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI 
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.3', '2.4', '2.5', '2.6', '2.7', '3.0', '3.1']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rake

data/.travis.yml

@@ -1,6 +1,9 @@
 language: ruby
 cache: bundler
 rvm:
-  - '2.3.4'
-  - '2.4.1'
-  - '2.5.0'
+  - '2.3.8'
+  - '2.4.10'
+  - '2.5.8'
+  - '2.6.6'
+  - '2.7.2'
+  - '3.0.0'

data/CHANGELOG.md

@@ -1,6 +1,50 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 1.1.1 - 2022-09-05
+
+### Added
+- Nothing.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Fixed JWT decoding issue. (Invalid segment encoding) [#431](https://github.com/zquestz/omniauth-google-oauth2/pull/431)
+
+## 1.1.0 - 2022-09-03
+
+### Added
+- `overridable_authorize_options` has been added to restrict overriding authorize_options by request params. [#423](https://github.com/zquestz/omniauth-google-oauth2/pull/423)
+- Support for oauth2 2.0.x. [#429](https://github.com/zquestz/omniauth-google-oauth2/pull/429)
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Nothing.
+
+## 1.0.1 - 2022-03-10
+
+### Added
+- Output granted scopes in credentials block of the auth hash.
+- Migrated to GitHub actions.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Nothing.
+
+### Fixed
+- Overriding the `redirect_uri` via params or JSON request body.
+
 ## 1.0.0 - 2021-03-14
 
 ### Added
@@ -10,7 +54,7 @@ All notable changes to this project will be documented in this file.
 - Nothing.
 
 ### Removed
-- Support for Omniauth 1.x
+- Support for Omniauth 1.x.
 
 ### Fixed
 - Nothing.

data/README.md

@@ -1,5 +1,4 @@
 [![Gem Version](https://badge.fury.io/rb/omniauth-google-oauth2.svg)](https://badge.fury.io/rb/omniauth-google-oauth2)
-[![Build Status](https://travis-ci.org/zquestz/omniauth-google-oauth2.svg)](https://travis-ci.org/zquestz/omniauth-google-oauth2)
 
 # OmniAuth Google OAuth2 Strategy
 
@@ -34,6 +33,7 @@ Here's an example for adding the middleware to a Rails app in `config/initialize
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET']
 end
+OmniAuth.config.allowed_request_methods = %i[get]
 ```
 
 You can now access the OmniAuth Google OAuth2 URL: `/auth/google_oauth2`
@@ -85,13 +85,15 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `provider_ignores_state`: You will need to set this to `true` when using the `One-time Code Flow` below. In this flow there is no server side redirect that would set the state.
 
+* `overridable_authorize_options`: By default, all `authorize_options` can be overridden with request parameters. You can restrict the behavior by using this option.
+
 Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select their account when logging in and the user's profile picture is returned as a thumbnail:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
     {
-      scope: 'userinfo.email, userinfo.profile, http://gdata.youtube.com',
+      scope: 'email, profile, http://gdata.youtube.com',
       prompt: 'select_account',
       image_aspect_ratio: 'square',
       image_size: 50
@@ -217,6 +219,10 @@ end
 For your views you can login using:
 
 ```erb
+<%# omniauth-google-oauth2 1.0.x uses OmniAuth 2 and requires using HTTP Post to initiate authentication: %>
+<%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path, method: :post %>
+
+<%# omniauth-google-oauth2 prior 1.0.0: %>
 <%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path %>
 
 <%# Devise prior 4.1.0: %>

data/examples/Gemfile

@@ -2,6 +2,7 @@
 
 source 'https://rubygems.org'
 
-gem 'omniauth-google-oauth2', '~> 0.8.1'
+gem 'omniauth-google-oauth2', '~> 1.1.1'
 gem 'rubocop'
 gem 'sinatra', '~> 1.4'
+gem 'webrick'

data/examples/config.ru

@@ -19,6 +19,19 @@ OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
 
 # Main example app for omniauth-google-oauth2
 class App < Sinatra::Base
+  configure do
+    set :sessions, true
+    set :inline_templates, true
+  end
+
+  use Rack::Session::Cookie, secret: ENV['RACK_COOKIE_SECRET']
+
+  use OmniAuth::Builder do
+    # For additional provider examples please look at 'omni_auth.rb'
+    # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
+    provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
+  end
+
   get '/' do
     <<-HTML
     <!DOCTYPE html>
@@ -73,7 +86,12 @@ class App < Sinatra::Base
       </head>
       <body>
       <ul>
-        <li><a href='/auth/google_oauth2'>Sign in with Google</a></li>
+        <li>
+          <form method='post' action='/auth/google_oauth2'>
+            <input type="hidden" name="authenticity_token" value="#{request.env['rack.session']['csrf']}">
+            <button type='submit'>Login with Google</button>
+          </form>
+        </li>
         <li><a href='#' class="googleplus-login">Sign in with Google via AJAX</a></li>
       </ul>
       </body>
@@ -109,12 +127,4 @@ class App < Sinatra::Base
   end
 end
 
-use Rack::Session::Cookie, secret: ENV['RACK_COOKIE_SECRET']
-
-use OmniAuth::Builder do
-  # For additional provider examples please look at 'omni_auth.rb'
-  # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
-  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
-end
-
 run App.new

data/lib/omniauth/google_oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module GoogleOauth2
-    VERSION = '1.0.0'
+    VERSION = '1.1.1'
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -15,13 +15,15 @@ module OmniAuth
       DEFAULT_SCOPE = 'email,profile'
       USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
       IMAGE_SIZE_REGEXP = /(s\d+(-c)?)|(w\d+-h\d+(-c)?)|(w\d+(-c)?)|(h\d+(-c)?)|c/
+      AUTHORIZE_OPTIONS = %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
 
       option :name, 'google_oauth2'
       option :skip_friends, true
       option :skip_image_info, true
       option :skip_jwt, false
       option :jwt_leeway, 60
-      option :authorize_options, %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
+      option :authorize_options, AUTHORIZE_OPTIONS
+      option :overridable_authorize_options, AUTHORIZE_OPTIONS
       option :authorized_client_ids, []
 
       option :client_options,
@@ -31,7 +33,7 @@ module OmniAuth
 
       def authorize_params
         super.tap do |params|
-          options[:authorize_options].each do |k|
+          (options[:authorize_options] & options[:overridable_authorize_options]).each do |k|
             params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
           end
 
@@ -60,11 +62,17 @@ module OmniAuth
         )
       end
 
+      credentials do
+        # Tokens and expiration will be used from OAuth2 strategy credentials block
+        prune!({ 'scope' => token_info(access_token.token)['scope'] })
+      end
+
       extra do
         hash = {}
-        hash[:id_token] = access_token['id_token']
-        if !options[:skip_jwt] && !access_token['id_token'].nil?
-          decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+        token = nil_or_empty?(access_token['id_token']) ? access_token.token : access_token['id_token']
+        hash[:id_token] = token
+        if !options[:skip_jwt] && !nil_or_empty?(token)
+          decoded = ::JWT.decode(token, nil, false).first
 
           # We have to manually verify the claims because the third parameter to
           # JWT.decode is false since no verification key is provided.
@@ -101,6 +109,10 @@ module OmniAuth
 
       private
 
+      def nil_or_empty?(obj)
+        obj.is_a?(String) ? obj.empty? : obj.nil?
+      end
+
       def callback_url
         options[:redirect_uri] || (full_host + callback_path)
       end
@@ -121,8 +133,9 @@ module OmniAuth
             request.body.rewind # rewind request body for downstream middlewares
             verifier = body && body['code']
             access_token = body && body['access_token']
+            redirect_uri ||= body && body['redirect_uri']
             if verifier
-              client_get_token(verifier, 'postmessage')
+              client_get_token(verifier, redirect_uri || 'postmessage')
             elsif verify_token(access_token)
               ::OAuth2::AccessToken.from_hash(client, body.dup)
             end
@@ -214,12 +227,21 @@ module OmniAuth
         URI.encode_www_form(stripped_params)
       end
 
+      def token_info(access_token)
+        return nil unless access_token
+
+        @token_info ||= Hash.new do |h, k|
+          h[k] = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo', params: { access_token: access_token }).parsed
+        end
+
+        @token_info[access_token]
+      end
+
       def verify_token(access_token)
         return false unless access_token
 
-        raw_response = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo',
-                                      params: { access_token: access_token }).parsed
-        raw_response['aud'] == options.client_id || options.authorized_client_ids.include?(raw_response['aud'])
+        token_info = token_info(access_token)
+        token_info['aud'] == options.client_id || options.authorized_client_ids.include?(token_info['aud'])
       end
 
       def verify_hd(access_token)

data/omniauth-google-oauth2.gemspec

@@ -21,9 +21,9 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 2.2'
 
   gem.add_runtime_dependency 'jwt', '>= 2.0'
-  gem.add_runtime_dependency 'oauth2', '~> 1.1'
+  gem.add_runtime_dependency 'oauth2', '~> 2.0.6'
   gem.add_runtime_dependency 'omniauth', '~> 2.0'
-  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.7.1'
+  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.8.0'
 
   gem.add_development_dependency 'rake', '~> 12.0'
   gem.add_development_dependency 'rspec', '~> 3.6'

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -242,9 +242,18 @@ describe OmniAuth::Strategies::GoogleOauth2 do
           context "authorize option #{k}" do
             let(:request) { double('Request', params: { k.to_s => 'http://example.com' }, cookies: {}, env: {}) }
 
-            it "should set the #{k} authorize option dynamically in the request" do
-              @options = { k: '' }
-              expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
+            context 'when overridable_authorize_options is default' do
+              it "should set the #{k} authorize option dynamically in the request" do
+                @options = { k: '' }
+                expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
+              end
+            end
+
+            context 'when overridable_authorize_options is empty' do
+              it "should not set the #{k} authorize option dynamically in the request" do
+                @options = { k: '', overridable_authorize_options: [] }
+                expect(subject.authorize_params[k.to_s]).not_to eq('http://example.com')
+              end
             end
           end
         end
@@ -252,9 +261,18 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         describe 'custom authorize_options' do
           let(:request) { double('Request', params: { 'foo' => 'something' }, cookies: {}, env: {}) }
 
-          it 'should support request overrides from custom authorize_options' do
-            @options = { authorize_options: [:foo], foo: '' }
-            expect(subject.authorize_params['foo']).to eq('something')
+          context 'when overridable_authorize_options is default' do
+            it 'should not support request overrides from custom authorize_options' do
+              @options = { authorize_options: [:foo], foo: '' }
+              expect(subject.authorize_params['foo']).not_to eq('something')
+            end
+          end
+
+          context 'when overridable_authorize_options is customized' do
+            it 'should support request overrides from custom authorize_options' do
+              @options = { authorize_options: [:foo], overridable_authorize_options: [:foo], foo: '' }
+              expect(subject.authorize_params['foo']).to eq('something')
+            end
           end
         end
       end
@@ -321,7 +339,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, { 'access_token' => 'a' }) }
     before { allow(subject).to receive(:access_token).and_return(access_token) }
 
     context 'with verified email' do
@@ -347,6 +365,37 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
   end
 
+  describe '#credentials' do
+    let(:client) { OAuth2::Client.new('abc', 'def') }
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, access_token: 'valid_access_token', expires_at: 123_456_789, refresh_token: 'valid_refresh_token') }
+    before(:each) do
+      allow(subject).to receive(:access_token).and_return(access_token)
+      subject.options.client_options[:connection_build] = proc do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+            [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
+              aud: '000000000000.apps.googleusercontent.com',
+              sub: '123456789',
+              scope: 'profile email'
+            )]
+          end
+        end
+      end
+    end
+
+    it 'should return access token and (optionally) refresh token' do
+      expect(subject.credentials.to_h).to \
+        match(hash_including(
+                'token' => 'valid_access_token',
+                'refresh_token' => 'valid_refresh_token',
+                'scope' => 'profile email',
+                'expires_at' => 123_456_789,
+                'expires' => true
+              ))
+    end
+  end
+
   describe '#extra' do
     let(:client) do
       OAuth2::Client.new('abc', 'def') do |builder|
@@ -356,8 +405,6 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
-
     before { allow(subject).to receive(:access_token).and_return(access_token) }
 
     describe 'id_token' do
@@ -418,7 +465,10 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
 
-      context 'when the id_token is missing' do
+      context 'when the access token is empty or nil' do
+        let(:access_token) { OAuth2::AccessToken.new(client, nil, { 'refresh_token' => 'foo' }) }
+        before { allow(subject.extra).to receive(:access_token).and_return(access_token) }
+
         it 'should not include id_token' do
           expect(subject.extra).not_to have_key(:id_token)
         end
@@ -430,6 +480,19 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
 
     describe 'raw_info' do
+      let(:token_info) do
+        {
+          'abc' => 'xyz',
+          'exp' => Time.now.to_i + 3600,
+          'nbf' => Time.now.to_i - 60,
+          'iat' => Time.now.to_i,
+          'aud' => 'appid',
+          'iss' => 'accounts.google.com'
+        }
+      end
+      let(:id_token) { JWT.encode(token_info, 'secret') }
+      let(:access_token) { OAuth2::AccessToken.from_hash(client, 'id_token' => id_token) }
+
       context 'when skip_info is true' do
         before { subject.options[:skip_info] = true }
 
@@ -614,15 +677,22 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
 
     it 'should read access_token from hash if this is not an AJAX request with a code parameter' do
+      client = OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
+        end
+      end
+
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:params).and_return('access_token' => 'valid_access_token')
       expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
-      expect(subject).to receive(:client).and_return(:client)
+      expect(subject).to receive(:client).and_return(client)
 
       token = subject.build_access_token
       expect(token).to be_instance_of(::OAuth2::AccessToken)
       expect(token.token).to eq('valid_access_token')
-      expect(token.client).to eq(:client)
+      expect(token.client).to eq(client)
     end
 
     it 'reads the code from a json request body' do
@@ -641,20 +711,42 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       subject.build_access_token
     end
 
+    it 'reads the redirect uri from a json request body' do
+      body = StringIO.new(%({"code":"json_access_token", "redirect_uri":"sample"}))
+      client = double(:client)
+      auth_code = double(:auth_code)
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+
+      expect(auth_code).to receive(:get_token).with('json_access_token', { redirect_uri: 'sample' }, {})
+
+      subject.build_access_token
+    end
+
     it 'reads the access token from a json request body' do
       body = StringIO.new(%({"access_token":"valid_access_token"}))
+      client = OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
+        end
+      end
 
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:content_type).and_return('application/json')
       allow(request).to receive(:body).and_return(body)
-      expect(subject).to receive(:client).and_return(:client)
+      expect(subject).to receive(:client).and_return(client)
 
       expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
 
       token = subject.build_access_token
       expect(token).to be_instance_of(::OAuth2::AccessToken)
       expect(token.token).to eq('valid_access_token')
-      expect(token.client).to eq(:client)
+      expect(token.client).to eq(client)
     end
 
     it 'should use callback_url without query_string if this is not an AJAX request' do
@@ -730,7 +822,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         end
       end
     end
-    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, { 'access_token' => 'foo' }) }
 
     context 'when domain is nil' do
       let(:client) do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Josh Ellithorpe
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-15 00:00:00.000000000 Z
+date: 2022-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: 2.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: 2.0.6
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -59,14 +59,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.7.1
+        version: 1.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.7.1
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -117,6 +117,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -154,8 +155,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.9
+rubygems_version: 3.0.9
 signing_key:
 specification_version: 4
 summary: A Google OAuth2 strategy for OmniAuth 1.x