omniauth-google-oauth2 0.8.0 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a035e3c9635a9e588b756e9b2dfe2004ea1b83c49f9860d68e8250e7d93e4459
-  data.tar.gz: 20e8ba4d7f4b9fb20b139c8d4b9c51d8d1d598de1cada5d989640f01eee0df3a
+  metadata.gz: fcec58e2424446306a5ff766699234f2d6c171da2b709112769b99e72a203eaf
+  data.tar.gz: fcf68a4790a7309cd50d7c0b0e13bb53f0229fcc051fad60166d8d14b927d9f6
 SHA512:
-  metadata.gz: 5b06e6a3ffd03ff81fe6e04bbc94c9154e26c59dc17a7c834361bf2fdd80197661434679e8174196f4dd8ed13e4b2b81ff4b223fb366238f48648ea452fcf1ce
-  data.tar.gz: 4734f0d6f92b57cebfccbbd0b833a7da9674d04e9058b76ef43d96cd94520a48bd540f57c9f804f6b16f2bad76483aefb3ef7357a99186acfc4dcb1603fa3a28
+  metadata.gz: 99cd674b184a20ee2ff2c5da1a98e4a692aad4c0e739882da60338c9519d72828d440c0a375fd6c248651b7dd365f35800dabe3be28282e8e11ea425274dc0d1
+  data.tar.gz: d06b35c2f70c7680a9963edff13cc9e3e417ffca216dc7b46d6074ff01ec4207f41ae59b9251e5f91213ad39c0065b1f049450688b8cabdbc709acabc405090c

data/.rubocop.yml

@@ -1,11 +1,9 @@
-ClassLength:
-  Enabled: false
-Layout/IndentHeredoc:
+Metrics/ClassLength:
   Enabled: false
 Metrics/AbcSize:
   Enabled: false
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context']
+  ExcludedMethods: ['describe', 'context', 'shared_examples']
 Metrics/CyclomaticComplexity:
   Enabled: false
 Metrics/LineLength:
@@ -20,4 +18,3 @@ Style/MutableConstant:
   Enabled: false
 Gemspec/RequiredRubyVersion:
   Enabled: false
-

data/.travis.yml

@@ -1,6 +1,5 @@
 language: ruby
 rvm:
-  - '2.2.7'
   - '2.3.4'
   - '2.4.1'
   - '2.5.0'

data/CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 0.8.1 - 2020-12-12
+
+### Added
+- Support reading the access token from a json request body.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- No longer verify the iat claim for JWT.
+
+### Fixed
+- A few minor issues with .rubocop.yml.
+
 ## 0.8.0 - 2019-08-21
 
 ### Added

data/README.md

@@ -81,7 +81,9 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `include_granted_scopes`: If this is provided with the value true, and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes. See Google's [Incremental Authorization](https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth) for additional details.
 
-* `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `[:extra][:id_info]` in the authentication hash with the value of the user's OpenID ID URL.
+* `openid_realm`: Set the OpenID realm value, to allow upgrading from OpenID based authentication to OAuth 2 based authentication. When this is set correctly an `openid_id` value will be set in `['extra']['id_info']` in the authentication hash with the value of the user's OpenID ID URL.
+
+* `provider_ignores_state`: You will need to set this to `true` when using the `One-time Code Flow` below. In this flow there is no server side redirect that would set the state.
 
 Here's an example of a possible configuration where the strategy name is changed, the user is asked for extra permissions, the user is always prompted to select their account when logging in and the user's profile picture is returned as a thumbnail:
 
@@ -176,6 +178,8 @@ devise :omniauthable, omniauth_providers: [:google_oauth2]
 Then make sure your callbacks controller is setup.
 
 ```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb:
+
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def google_oauth2
       # You need to implement the method below in your model (e.g. app/models/user.rb)
@@ -185,7 +189,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
         flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Google'
         sign_in_and_redirect @user, event: :authentication
       else
-        session['devise.google_data'] = request.env['omniauth.auth'].except(:extra) # Removing extra as it can overflow some session stores
+        session['devise.google_data'] = request.env['omniauth.auth'].except('extra') # Removing extra as it can overflow some session stores
         redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n")
       end
   end
@@ -223,7 +227,7 @@ An overview is available at https://github.com/plataformatec/devise/wiki/OmniAut
 
 ### One-time Code Flow (Hybrid Authentication)
 
-Google describes the One-time Code Flow [here](https://developers.google.com/+/web/signin/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
+Google describes the One-time Code Flow [here](https://developers.google.com/identity/sign-in/web/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
 
 1. The client (web browser) authenticates the user directly via Google's JS API.  During this process assorted modals may be rendered by Google.
 2. On successful authentication, Google returns a one-time use code, which requires the Google client secret (which is only available server-side).
@@ -232,7 +236,7 @@ Google describes the One-time Code Flow [here](https://developers.google.com/+/w
 
 This flow is immune to replay attacks, and conveys no useful information to a man in the middle.
 
-The omniauth-google-oauth2 gem supports this mode of operation out of the box.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
+The omniauth-google-oauth2 gem supports this mode of operation when `provider_ignores_state` is set to `true`.  Implementors simply need to add the appropriate JavaScript to their web page, and they can take advantage of this flow.  An example JavaScript snippet follows.
 
 ```javascript
 // Basic hybrid auth example following the pattern at:
@@ -247,7 +251,7 @@ function init() {
     // Ready.
     $('.google-login-button').click(function(e) {
       e.preventDefault();
-      
+
       gapi.auth2.authorize({
         client_id: 'YOUR_CLIENT_ID',
         cookie_policy: 'single_host_origin',
@@ -260,7 +264,7 @@ function init() {
             success: function(data) {
               // response from server
             }
-          });        
+          });
         } else {
           // google authentication failed
         }
@@ -280,6 +284,66 @@ In that case, ensure to send an additional parameter `redirect_uri=` (empty stri
 
 If you're making POST requests to `/auth/google_oauth2/callback` from another domain, then you need to make sure `'X-Requested-With': 'XMLHttpRequest'` header is included with your request, otherwise your server might respond with `OAuth2::Error, : Invalid Value` error.
 
+#### Getting around the `redirect_uri_mismatch` error (See [Issue #365](https://github.com/zquestz/omniauth-google-oauth2/issues/365))
+
+If you are struggling with a persistent `redirect_uri_mismatch`, you can instead pass the `access_token` from [`getAuthResponse`](https://developers.google.com/identity/sign-in/web/reference#googleusergetauthresponseincludeauthorizationdata) directly to the `auth/google_oauth2/callback` endpoint, like so:
+
+```javascript
+// Initialize the GoogleAuth object
+let googleAuth;
+gapi.load('client:auth2', async () => {
+  await gapi.client.init({ scope: '...', client_id: '...' });
+  googleAuth = gapi.auth2.getAuthInstance();
+});
+
+// Call this when the Google Sign In button is clicked
+async function signInGoogle() {
+  const googleUser = await googleAuth.signIn(); // wait for the user to authorize through the modal
+  const { access_token } = googleUser.getAuthResponse();
+
+  const data = new FormData();
+  data.append('access_token', access_token);
+
+  const response = await api.post('/auth/google_oauth2/callback', data)
+  console.log(response);
+}
+```
+
+#### Using Axios
+If you're making a GET resquests from another domain using `access_token`.
+```
+axios
+  .get(
+    'url(path to your callback}',
+    { params: { access_token: 'token' } },
+    headers....
+    )
+```
+
+If you're making a POST resquests from another domain using `access_token`.
+```
+axios
+  .post(
+    'url(path to your callback}',
+    { access_token: 'token' },
+    headers....
+    )
+
+--OR--
+
+axios
+  .post(
+    'url(path to your callback}',
+    null,
+      {
+        params: {
+          access_token: 'token'
+        },
+        headers....
+      }
+    )
+```
+
 ## Fixing Protocol Mismatch for `redirect_uri` in Rails
 
 Just set the `full_host` in OmniAuth based on the Rails.env.

data/examples/Gemfile

@@ -2,6 +2,6 @@
 
 source 'https://rubygems.org'
 
-gem 'omniauth-google-oauth2', '~> 0.8.0'
+gem 'omniauth-google-oauth2', '~> 0.8.1'
 gem 'rubocop'
 gem 'sinatra', '~> 1.4'

data/examples/omni_auth.rb

@@ -10,6 +10,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
   #
   provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email,profile'
 
+  # Custom redirect_uri
+  #
+  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email,profile', redirect_uri: 'https://localhost:3000/redirect'
+
   # Manual setup for offline access with a refresh token.
   #
   # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline'

data/lib/omniauth/google_oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module GoogleOauth2
-    VERSION = '0.8.0'
+    VERSION = '0.8.1'
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'jwt'
+require 'oauth2'
 require 'omniauth/strategies/oauth2'
 require 'uri'
 
@@ -13,6 +14,7 @@ module OmniAuth
       BASE_SCOPES = %w[profile email openid].freeze
       DEFAULT_SCOPE = 'email,profile'
       USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
+      IMAGE_SIZE_REGEXP = /(s\d+(-c)?)|(w\d+-h\d+(-c)?)|(w\d+(-c)?)|(h\d+(-c)?)|c/
 
       option :name, 'google_oauth2'
       option :skip_friends, true
@@ -74,7 +76,7 @@ module OmniAuth
                                       verify_sub: false,
                                       verify_expiration: true,
                                       verify_not_before: true,
-                                      verify_iat: true,
+                                      verify_iat: false,
                                       verify_jti: false,
                                       leeway: options[:jwt_leeway])
 
@@ -106,18 +108,24 @@ module OmniAuth
       def get_access_token(request)
         verifier = request.params['code']
         redirect_uri = request.params['redirect_uri']
+        access_token = request.params['access_token']
         if verifier && request.xhr?
           client_get_token(verifier, redirect_uri || 'postmessage')
         elsif verifier
           client_get_token(verifier, redirect_uri || callback_url)
-        elsif verify_token(request.params['access_token'])
+        elsif access_token && verify_token(access_token)
           ::OAuth2::AccessToken.from_hash(client, request.params.dup)
         elsif request.content_type =~ /json/i
           begin
             body = JSON.parse(request.body.read)
             request.body.rewind # rewind request body for downstream middlewares
             verifier = body && body['code']
-            client_get_token(verifier, 'postmessage') if verifier
+            access_token = body && body['access_token']
+            if verifier
+              client_get_token(verifier, 'postmessage')
+            elsif verify_token(access_token)
+              ::OAuth2::AccessToken.from_hash(client, body.dup)
+            end
           rescue JSON::ParserError => e
             warn "[omniauth google-oauth2] JSON parse error=#{e}"
           end
@@ -164,6 +172,10 @@ module OmniAuth
         if path_index && image_size_opts_passed?
           u.path.insert(path_index, image_params)
           u.path = u.path.gsub('//', '/')
+
+          # Check if the image is already sized!
+          split_path = u.path.split('/')
+          u.path = u.path.sub("/#{split_path[-3]}", '') if split_path[-3] =~ IMAGE_SIZE_REGEXP
         end
 
         u.query = strip_unnecessary_query_parameters(u.query)

data/omniauth-google-oauth2.gemspec

@@ -21,6 +21,7 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 2.2'
 
   gem.add_runtime_dependency 'jwt', '>= 2.0'
+  gem.add_runtime_dependency 'oauth2', '~> 1.1'
   gem.add_runtime_dependency 'omniauth', '>= 1.1.1'
   gem.add_runtime_dependency 'omniauth-oauth2', '>= 1.6'
 

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -349,7 +349,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     before { allow(subject).to receive(:access_token).and_return(access_token) }
 
     describe 'id_token' do
-      shared_examples 'id_token issued by valid issuer' do |issuer| # rubocop:disable Metrics/BlockLength
+      shared_examples 'id_token issued by valid issuer' do |issuer|
         context 'when the id_token is passed into the access token' do
           let(:token_info) do
             {
@@ -462,6 +462,12 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50/photo.jpg')
       end
 
+      it 'should return the image with size specified in the `image_size` option when sizing is in the picture' do
+        @options = { image_size: 50 }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh4.googleusercontent.com/url/s96-c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh4.googleusercontent.com/url/s50/photo.jpg')
+      end
+
       it 'should handle a picture with too many slashes correctly' do
         @options = { image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url//photo.jpg' } }
@@ -492,24 +498,48 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
       end
 
+      it 'should return the image with width and height specified in the `image_size` option when sizing is in the picture' do
+        @options = { image_size: { width: 50, height: 40 } }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/w100-h80-c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40/photo.jpg')
+      end
+
       it 'should return square image when `image_aspect_ratio` is specified' do
         @options = { image_aspect_ratio: 'square' }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
       end
 
+      it 'should return square image when `image_aspect_ratio` is specified and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square' }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/c/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/c/photo.jpg')
+      end
+
       it 'should return square sized image when `image_aspect_ratio` and `image_size` is set' do
         @options = { image_aspect_ratio: 'square', image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
       end
 
+      it 'should return square sized image when `image_aspect_ratio` and `image_size` is set and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square', image_size: 50 }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/s90/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/s50-c/photo.jpg')
+      end
+
       it 'should return square sized image when `image_aspect_ratio` and `image_size` has height and width' do
         @options = { image_aspect_ratio: 'square', image_size: { width: 50, height: 40 } }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photo.jpg' } }
         expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
       end
 
+      it 'should return square sized image when `image_aspect_ratio` and `image_size` has height and width and sizing is in the picture' do
+        @options = { image_aspect_ratio: 'square', image_size: { width: 50, height: 40 } }
+        allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/w100-h80/photo.jpg' } }
+        expect(subject.info[:image]).to eq('https://lh3.googleusercontent.com/url/w50-h40-c/photo.jpg')
+      end
+
       it 'should return original image if image url does not end in `photo.jpg`' do
         @options = { image_size: 50 }
         allow(subject).to receive(:raw_info) { { 'picture' => 'https://lh3.googleusercontent.com/url/photograph.jpg' } }
@@ -599,6 +629,22 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       subject.build_access_token
     end
 
+    it 'reads the access token from a json request body' do
+      body = StringIO.new(%({"access_token":"valid_access_token"}))
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      expect(subject).to receive(:client).and_return(:client)
+
+      expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
+
+      token = subject.build_access_token
+      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token.token).to eq('valid_access_token')
+      expect(token.client).to eq(:client)
+    end
+
     it 'should use callback_url without query_string if this is not an AJAX request' do
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:params).and_return('code' => 'valid_code')

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.1
 platform: ruby
 authors:
 - Josh Ellithorpe
 - Yury Korolev
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-22 00:00:00.000000000 Z
+date: 2020-12-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -25,6 +25,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -125,7 +139,7 @@ homepage: https://github.com/zquestz/omniauth-google-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -140,9 +154,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
+rubyforge_project:
 rubygems_version: 2.7.9
-signing_key: 
+signing_key:
 specification_version: 4
 summary: A Google OAuth2 strategy for OmniAuth 1.x
 test_files: []