omniauth-google-oauth2 1.2.1 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb04de5f033f4c247c0cd004619d2e8cbb9f54b29a1861c5810d539608c278c0
-  data.tar.gz: a0a71c285455501e4904ea4c184db32298907be93f1def96d3a180ca60df9684
+  metadata.gz: 2bbffd3ded3fae87a753e2111d08282928af98cbd5cf2f478e0995b438d578dd
+  data.tar.gz: 937f939cb313ebe581318183d452bc62379a430f7b5f5e52331ef066bf3f77eb
 SHA512:
-  metadata.gz: 3cd913d3979e3c3e9dd93f76ed40aeff42bc95a8841db4b4287e92d28a00fe85a4bbc14483b25478fbdde0552877617d4b32c57eb03c67472e43fd857c1e9180
-  data.tar.gz: '0078d9d52c2661b12895509ce17320818360aa968904742d45665158334af0a219064999cabe71e1af9ce93cddd45481b7aee263d729d582f99d088b68242905'
+  metadata.gz: d96c30940663274f66294fb6ad29c121f413dec3f95b3707af84d47713a52b21e51ac4d11fa4f8bfd8cb9b16f62fb74115a5fb841d8598714f1f8f530427ef2c
+  data.tar.gz: 2dc76d7caf6b605347236be49750ad28ec64ba81a001f19216a9748cc986b9ffb8c7afa88081c3e7403a1ed239f7820d6252267ca7defa5f40348f1290dafa4d

data/.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: CI 
+name: CI
 
 on: [push, pull_request]
 
@@ -6,16 +6,17 @@ jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        ruby-version: ['2.5', '2.6', '2.7', '3.0', '3.1', '3.2', truffleruby-head]
+        ruby-version: ['2.5', '2.6', '2.7', '3.0', '3.1', '3.2', '3.3', '3.4', '4.0', truffleruby-head]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v6
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # 'bundle install' and cache
-    - name: Run specs 
+    - name: Run specs
       run: |
         bundle exec rake

data/.github/workflows/rubocop.yml

@@ -0,0 +1,19 @@
+name: rubocop
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Ruby 3.4
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+      - name: Lint Ruby code with RuboCop
+        run: |
+          bundle install
+          bundle exec rubocop --parallel

data/.rubocop.yml

@@ -1,9 +1,14 @@
+AllCops:
+  NewCops: disable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.5
+
 Metrics/ClassLength:
   Enabled: false
 Metrics/AbcSize:
   Enabled: false
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context', 'shared_examples']
+  AllowedMethods: ['describe', 'context', 'shared_examples']
 Metrics/CyclomaticComplexity:
   Enabled: false
 Layout/LineLength:
@@ -18,6 +23,8 @@ Style/MutableConstant:
   Enabled: false
 Gemspec/RequiredRubyVersion:
   Enabled: false
+Gemspec/RequireMFA:
+  Enabled: false
 Lint/RaiseException:
   Enabled: false
 Lint/StructNewOverride:
@@ -28,5 +35,5 @@ Style/HashTransformKeys:
   Enabled: false
 Style/HashTransformValues:
   Enabled: false
-AllCops:
-  NewCops: enable
+Style/FetchEnvVar:
+  Enabled: false

data/CHANGELOG.md

@@ -1,6 +1,23 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 1.2.2 - Unreleased
+
+### Added
+- Ruby 4.0 support in CI.
+
+### Deprecated
+- Nothing.
+
+### Removed
+- Unused `IMAGE_SIZE_REGEXP` constant.
+- Dead `skip_friends` and `skip_image_info` options (Google+ was shut down in 2019).
+- `CGI.parse` dependency replaced with `URI.decode_www_form` for Ruby 4.0 compatibility.
+
+### Fixed
+- Updated gemspec description to reference OmniAuth instead of OmniAuth 1.x.
+- Modernized CI: bumped actions/checkout to v6, rake to 13.3, and rubocop to latest.
+
 ## 1.2.1 - 2025-01-18
 
 ### Added

data/Gemfile

@@ -3,3 +3,5 @@
 source 'https://rubygems.org'
 
 gemspec
+
+gem 'rubocop'

data/README.md

@@ -4,9 +4,9 @@
 
 Strategy to authenticate with Google via OAuth2 in OmniAuth.
 
-Get your API key at: https://code.google.com/apis/console/  Note the Client ID and the Client Secret.
+Get your API key at: https://console.cloud.google.com  Note the Client ID and the Client Secret.
 
-For more details, read the Google docs: https://developers.google.com/accounts/docs/OAuth2
+For more details, read the Google docs: https://developers.google.com/identity/protocols/oauth2
 
 ## Installation
 
@@ -20,7 +20,7 @@ Then `bundle install`.
 
 ## Google API Setup
 
-* Go to 'https://console.developers.google.com'
+* Go to 'https://console.cloud.google.com'
 * Select your project.
 * Go to Credentials, then select the "OAuth consent screen" tab on top, and provide an 'EMAIL ADDRESS' and a 'PRODUCT NAME'
 * Wait 10 minutes for changes to take effect.
@@ -76,11 +76,11 @@ You can configure several options, which you pass in to the `provider` method vi
 
 * `hd`: (Optional) Limit sign-in to a particular Google Apps hosted domain. This can be simply string `'domain.com'` or an array `%w(domain.com domain.co)`. More information at: https://developers.google.com/accounts/docs/OpenIDConnect#hd-param
 
-* `jwt_leeway`: Number of seconds passed to the JWT library as leeway. Defaults to 60 seconds. Note this only works if you use jwt 2.1, as the leeway option was removed in later versions.
+* `jwt_leeway`: Number of seconds passed to the JWT library as leeway. Defaults to 60 seconds.
 
 * `skip_jwt`: Skip JWT processing. This is for users who are seeing JWT decoding errors with the `iat` field. Always try adjusting the leeway before disabling JWT processing.
 
-* `login_hint`: When your app knows which user it is trying to authenticate, it can provide this parameter as a hint to the authentication server. Passing this hint suppresses the account chooser and either pre-fill the email box on the sign-in form, or select the proper session (if the user is using multiple sign-in), which can help you avoid problems that occur if your app logs in the wrong user account. The value can be either an email address or the sub string, which is equivalent to the user's Google+ ID.
+* `login_hint`: When your app knows which user it is trying to authenticate, it can provide this parameter as a hint to the authentication server. Passing this hint suppresses the account chooser and either pre-fill the email box on the sign-in form, or select the proper session (if the user is using multiple sign-in), which can help you avoid problems that occur if your app logs in the wrong user account. The value can be either an email address or the `sub` string (the user's unique Google ID).
 
 * `include_granted_scopes`: If this is provided with the value true, and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes. See Google's [Incremental Authorization](https://developers.google.com/accounts/docs/OAuth2WebServer#incrementalAuth) for additional details.
 
@@ -121,7 +121,7 @@ Here's an example of an authentication hash available in the callback by accessi
     "last_name" => "Smith",
     "image" => "https://lh4.googleusercontent.com/photo.jpg",
     "urls" => {
-      "google" => "https://plus.google.com/+JohnSmith"
+      "google" => "https://profiles.google.com/100000000000000000000"
     }
   },
   "credentials" => {
@@ -148,7 +148,7 @@ Here's an example of an authentication hash available in the callback by accessi
       "name" => "John Smith",
       "given_name" => "John",
       "family_name" => "Smith",
-      "profile" => "https://plus.google.com/+JohnSmith",
+      "profile" => "https://profiles.google.com/100000000000000000000",
       "picture" => "https://lh4.googleusercontent.com/photo.jpg?sz=50",
       "email" => "john@example.com",
       "email_verified" => "true",
@@ -227,26 +227,61 @@ end
 For your views you can login using:
 
 ```erb
-<%# omniauth-google-oauth2 1.0.x uses OmniAuth 2 and requires using HTTP Post to initiate authentication: %>
 <%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path, method: :post %>
+```
+
+An overview is available at https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview
+
+#### Note about multi-platform authentication (Web, Android, IOS, ...)
+
+If you authenticate your user from multiple different platforms with a single API you will likely have different Google `client_id` depending on the platform.
+
+This could raise errors in the callback step because the `client_id` used in the callback needs to be the same as the one used in the sign in request.
 
-<%# omniauth-google-oauth2 prior 1.0.0: %>
-<%= link_to "Sign in with Google", user_google_oauth2_omniauth_authorize_path %>
+To handle multiple `client_id` you can register multiple omniauth middlewares in your devise initializer with different names and different client ids. You can then register each middleware in your omniauthable model and add a new action in your `OmniauthCallbacksController` for each additional middleware.
 
-<%# Devise prior 4.1.0: %>
-<%= link_to "Sign in with Google", user_omniauth_authorize_path(:google_oauth2) %>
+```ruby
+# config/initializers/devise.rb
+
+config.omniauth :google_oauth2, 'GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET', { name: 'google_oauth2' }
+
+# Native mobile applications don't require a `client_secret`
+config.omniauth :google_oauth2, 'GOOGLE_CLIENT_ID_ANDROID', { name: 'google_oauth2_android' }
+config.omniauth :google_oauth2, 'GOOGLE_CLIENT_ID_IOS', { name: 'google_oauth2_ios' }
 ```
 
-An overview is available at https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview
+```ruby
+# app/models/user.rb
+
+devise :omniauthable, omniauth_providers: %i[google_oauth2 google_oauth2_android google_oauth2_ios]
+```
+
+```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb:
+
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def google_oauth2
+    # ...
+  end
+
+  def google_oauth2_android
+    # ...
+  end
+
+  def google_oauth2_ios
+    # ...
+  end
+end
+```
 
 ### One-time Code Flow (Hybrid Authentication)
 
-Google describes the One-time Code Flow [here](https://developers.google.com/identity/sign-in/web/server-side-flow).  This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow.  The following steps occur in this flow:
+Google describes the One-time Code Flow [here](https://developers.google.com/identity/protocols/oauth2). This hybrid authentication flow has significant functional and security advantages over a pure server-side or pure client-side flow. The following steps occur in this flow:
 
-1. The client (web browser) authenticates the user directly via Google's JS API.  During this process assorted modals may be rendered by Google.
+1. The client (web browser) authenticates the user directly via Google's OAuth 2 API. During this process assorted modals may be rendered by Google.
 2. On successful authentication, Google returns a one-time use code, which requires the Google client secret (which is only available server-side).
 3. Using a AJAX request, the code is POSTed to the Omniauth Google OAuth2 callback.
-4. The Omniauth Google OAuth2 gem will validate the code via a server-side request to Google.  If the code is valid, then Google will return an access token and, if this is the first time this user is authenticating against this application, a refresh token.  Both of these should be stored on the server.  The response to the AJAX request indicates the success or failure of this process.
+4. The Omniauth Google OAuth2 gem will validate the code via a server-side request to Google. If the code is valid, then Google will return an access token and, if this is the first time this user is authenticating against this application, a refresh token.  Both of these should be stored on the server. The response to the AJAX request indicates the success or failure of this process.
 
 This flow is immune to replay attacks, and conveys no useful information to a man in the middle.
 
@@ -254,38 +289,52 @@ The omniauth-google-oauth2 gem supports this mode of operation when `provider_ig
 
 ```javascript
 // Basic hybrid auth example following the pattern at:
-// https://developers.google.com/identity/sign-in/web/reference
-
-<script src="https://apis.google.com/js/platform.js?onload=init" async defer></script>
-
-...
-
-function init() {
-  gapi.load('auth2', function() {
-    // Ready.
-    $('.google-login-button').click(function(e) {
-      e.preventDefault();
-
-      gapi.auth2.authorize({
-        client_id: 'YOUR_CLIENT_ID',
-        cookie_policy: 'single_host_origin',
-        scope: 'email profile',
-        response_type: 'code'
-      }, function(response) {
-        if (response && !response.error) {
-          // google authentication succeed, now post data to server.
-          jQuery.ajax({type: 'POST', url: '/auth/google_oauth2/callback', data: response,
-            success: function(data) {
-              // response from server
-            }
-          });
-        } else {
-          // google authentication failed
-        }
-      });
-    });
+// https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
+
+const handleGoogleOauthSignIn = () => {
+  // Google's OAuth 2.0 endpoint for requesting an access token
+  const oauth2Endpoint = 'https://accounts.google.com/o/oauth2/v2/auth';
+
+  // Parameters to pass to OAuth 2.0 endpoint.
+  const params = new URLSearchParams({
+    client_id: YOUR_CLIENT_ID,
+    prompt: 'select_account',
+    redirect_uri: YOUR_REDIRECT_URI, // This redirect_uri needs to redirect to the same domain as the one where this request is made from.
+    response_type: 'code',
+    scope: 'email openid profile',
+    state: 'google', // The state will be added in the redirect_uri's query params. Use can this if you use the same redirect_uri with different omniauth provider to know which one you're currently handling for example.
+  });
+
+  const url = `${oauth2Endpoint}?${params.toString()}`;
+
+  // Create <a> element to redirect to OAuth 2.0 endpoint.
+  const a = document.createElement('a');
+  a.href = url;
+  a.target = '_self';
+
+  // Add a to page and click it to open the OAuth 2.0 endpoint.
+  document.body.appendChild(a);
+  a.click();
+}
+
+// Call this method when redirected to your `redirect_uri`
+const handleGoogleOauthCallback = async () => {
+  // Get the query params Google included in your `redirect_uri`
+  const params = new URL(document.location.toString()).searchParams;
+  const code = params.get('code');
+  const state = params.get('state') // the `state` you added in the sign in request is here if you need it.
+
+  const response = fetch('your.api.domain/auth/google_oauth2/callback', {
+    body: JSON.stringify({
+      code,
+      redirect_uri: YOUR_REDIRECT_URI, // The `redirect_uri` used in the server needs to be the same as as initially used in the client.
+    }),
+    headers: {
+      'Content-type': 'application/json',
+    },
+    method: 'POST',
   });
-};
+}
 ```
 
 #### Note about mobile clients (iOS, Android)
@@ -298,66 +347,6 @@ In that case, ensure to send an additional parameter `redirect_uri=` (empty stri
 
 If you're making POST requests to `/auth/google_oauth2/callback` from another domain, then you need to make sure `'X-Requested-With': 'XMLHttpRequest'` header is included with your request, otherwise your server might respond with `OAuth2::Error, : Invalid Value` error.
 
-#### Getting around the `redirect_uri_mismatch` error (See [Issue #365](https://github.com/zquestz/omniauth-google-oauth2/issues/365))
-
-If you are struggling with a persistent `redirect_uri_mismatch`, you can instead pass the `access_token` from [`getAuthResponse`](https://developers.google.com/identity/sign-in/web/reference#googleusergetauthresponseincludeauthorizationdata) directly to the `auth/google_oauth2/callback` endpoint, like so:
-
-```javascript
-// Initialize the GoogleAuth object
-let googleAuth;
-gapi.load('client:auth2', async () => {
-  await gapi.client.init({ scope: '...', client_id: '...' });
-  googleAuth = gapi.auth2.getAuthInstance();
-});
-
-// Call this when the Google Sign In button is clicked
-async function signInGoogle() {
-  const googleUser = await googleAuth.signIn(); // wait for the user to authorize through the modal
-  const { access_token } = googleUser.getAuthResponse();
-
-  const data = new FormData();
-  data.append('access_token', access_token);
-
-  const response = await api.post('/auth/google_oauth2/callback', data)
-  console.log(response);
-}
-```
-
-#### Using Axios
-If you're making a GET resquests from another domain using `access_token`.
-```
-axios
-  .get(
-    'url(path to your callback}',
-    { params: { access_token: 'token' } },
-    headers....
-    )
-```
-
-If you're making a POST resquests from another domain using `access_token`.
-```
-axios
-  .post(
-    'url(path to your callback}',
-    { access_token: 'token' },
-    headers....
-    )
-
---OR--
-
-axios
-  .post(
-    'url(path to your callback}',
-    null,
-      {
-        params: {
-          access_token: 'token'
-        },
-        headers....
-      }
-    )
-```
-
 ## Fixing Protocol Mismatch for `redirect_uri` in Rails
 
 Just set the `full_host` in OmniAuth based on the Rails.env.
@@ -369,7 +358,7 @@ OmniAuth.config.full_host = Rails.env.production? ? 'https://domain.com' : 'http
 
 ## License
 
-Copyright (c) 2018 by Josh Ellithorpe
+Copyright (c) 2018-2026 by Josh Ellithorpe
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

data/_config.yml

@@ -0,0 +1,3 @@
+remote_theme: pages-themes/minimal@v0.2.0
+plugins:
+  - jekyll-remote-theme

data/examples/Gemfile

@@ -3,6 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'omniauth-google-oauth2', path: '..'
+gem 'rackup'
 gem 'rubocop'
 gem 'sinatra'
 gem 'webrick'

data/examples/config.ru

@@ -29,7 +29,7 @@ class App < Sinatra::Base
   use OmniAuth::Builder do
     # For additional provider examples please look at 'omni_auth.rb'
     # The key provider_ignores_state is only for AJAX flows. It is not recommended for normal logins.
-    provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile,calendar'
+    provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline', prompt: 'consent', provider_ignores_state: true, scope: 'email,profile'
   end
 
   get '/' do
@@ -38,62 +38,77 @@ class App < Sinatra::Base
     <html>
       <head>
         <title>Google OAuth2 Example</title>
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
+      </head>
+
+      <body>
+        <ul>
+          <li>
+            <form method="post" action="/auth/google_oauth2">
+              <input type="hidden" name="authenticity_token" value="#{request.env['rack.session']['csrf']}">
+              <button type="submit">Login with Google</button>
+            </form>
+          </li>
+
+          <li>
+            <a href="#" class="googleplus-login">Sign in with Google via AJAX</a>
+          </li>
+        </ul>
+
         <script>
-          jQuery(function() {
-            return $.ajax({
-              url: 'https://apis.google.com/js/client:plus.js?onload=gpAsyncInit',
-              dataType: 'script',
-              cache: true
-            });
-          });
+          const a = document.querySelector('.googleplus-login');
 
-          window.gpAsyncInit = function() {
-            gapi.auth.authorize({
-              immediate: true,
-              response_type: 'code',
-              cookie_policy: 'single_host_origin',
+          const handleGoogleOauthSignIn = () => {
+            const oauth2Endpoint = 'https://accounts.google.com/o/oauth2/v2/auth';
+
+            const params = new URLSearchParams({
               client_id: '#{ENV['GOOGLE_KEY']}',
-              scope: 'email profile'
-            }, function(response) {
-              return;
-            });
-            $('.googleplus-login').click(function(e) {
-              e.preventDefault();
-              gapi.auth.authorize({
-                immediate: false,
-                response_type: 'code',
-                cookie_policy: 'single_host_origin',
-                client_id: '#{ENV['GOOGLE_KEY']}',
-                scope: 'email profile'
-              }, function(response) {
-                if (response && !response.error) {
-                  // google authentication succeed, now post data to server.
-                  jQuery.ajax({type: 'POST', url: "/auth/google_oauth2/callback", data: response,
-                    success: function(data) {
-                      // Log the data returning from google.
-                      console.log(data)
-                    }
-                  });
-                } else {
-                  // google authentication failed.
-                  console.log("FAILED")
-                }
-              });
+              prompt: 'select_account',
+              redirect_uri: 'http://localhost:3000/callback',
+              response_type: 'code',
+              scope: 'email openid profile',
             });
-          };
+
+            const url = `${oauth2Endpoint}?${params.toString()}`;
+            window.location.href = url;
+          }
+
+          a.addEventListener('click', event => {
+            event.preventDefault();
+            handleGoogleOauthSignIn();
+          });
         </script>
+      </body>
+    </html>
+    HTML
+  end
+
+  get '/callback' do
+    <<-HTML
+    <!DOCTYPE html>
+    <html>
+      <head>
+        <title>Google OAuth2 Example</title>
       </head>
+
       <body>
-      <ul>
-        <li>
-          <form method='post' action='/auth/google_oauth2'>
-            <input type="hidden" name="authenticity_token" value="#{request.env['rack.session']['csrf']}">
-            <button type='submit'>Login with Google</button>
-          </form>
-        </li>
-        <li><a href='#' class="googleplus-login">Sign in with Google via AJAX</a></li>
-      </ul>
+        <p>Redirected</p>
+
+        <script>
+          const handleGoogleOauthCallback = async () => {
+            const params = new URL(document.location.toString()).searchParams;
+            const code = params.get('code');
+
+            const response = fetch('http://localhost:3000/auth/google_oauth2/callback', {
+              body: JSON.stringify({ code, redirect_uri: 'http://localhost:3000/callback' }),
+              headers: {
+                'Content-type': 'application/json',
+              },
+              method: 'POST',
+            });
+          }
+
+          handleGoogleOauthCallback();
+        </script>
       </body>
     </html>
     HTML

data/examples/omni_auth.rb

@@ -2,36 +2,28 @@
 
 # Google's OAuth2 docs. Make sure you are familiar with all the options
 # before attempting to configure this gem.
-# https://developers.google.com/accounts/docs/OAuth2Login
+# https://developers.google.com/identity/protocols/oauth2
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   # Default usage, this will give you offline access and a refresh token
   # using default scopes 'email' and 'profile'
   #
-  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email, profile'
+  provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], scope: 'email, profile'
 
   # Custom redirect_uri
   #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'email, profile', redirect_uri: 'https://localhost:3000/redirect'
+  # provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], scope: 'email, profile', redirect_uri: 'https://localhost:3000/redirect'
 
   # Manual setup for offline access with a refresh token.
   #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'offline'
+  # provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], access_type: 'offline'
 
-  # Custom scope supporting youtube. If you are customizing scopes, remember
+  # Custom scope supporting YouTube. If you are customizing scopes, remember
   # to include the default scopes 'email' and 'profile'
   #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], scope: 'http://gdata.youtube.com, email, profile, plus.me'
+  # provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], scope: 'https://www.googleapis.com/auth/youtube.readonly, email, profile'
 
   # Custom scope for users only using Google for account creation/auth and do not require a refresh token.
   #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], access_type: 'online', prompt: ''
-
-  # To include information about people in your circles you must include the 'plus.login' scope.
-  #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], skip_friends: false, scope: 'email, profile, plus.login'
-
-  # If you need to acquire whether user picture is a default one or uploaded by user.
-  #
-  # provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET'], skip_image_info: false
+  # provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], access_type: 'online', prompt: ''
 end

data/lib/omniauth/google_oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module GoogleOauth2
-    VERSION = '1.2.1'
+    VERSION = '1.2.2'
   end
 end

data/lib/omniauth/strategies/google_oauth2.rb

@@ -14,12 +14,9 @@ module OmniAuth
       BASE_SCOPES = %w[profile email openid].freeze
       DEFAULT_SCOPE = 'email,profile'
       USER_INFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
-      IMAGE_SIZE_REGEXP = /(s\d+(-c)?)|(w\d+-h\d+(-c)?)|(w\d+(-c)?)|(h\d+(-c)?)|c/
       AUTHORIZE_OPTIONS = %i[access_type hd login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes enable_granular_consent openid_realm device_id device_name]
 
       option :name, 'google_oauth2'
-      option :skip_friends, true
-      option :skip_image_info, true
       option :skip_jwt, false
       option :jwt_leeway, 60
       option :authorize_options, AUTHORIZE_OPTIONS
@@ -149,7 +146,7 @@ module OmniAuth
 
       def get_scope(params)
         raw_scope = params[:scope] || DEFAULT_SCOPE
-        scope_list = raw_scope.split(' ').map { |item| item.split(',') }.flatten
+        scope_list = raw_scope.split.map { |item| item.split(',') }.flatten
         scope_list.map! { |s| s =~ %r{^https?://} || BASE_SCOPES.include?(s) ? s : "#{BASE_SCOPE_URL}#{s}" }
         scope_list.join(' ')
       end
@@ -212,8 +209,8 @@ module OmniAuth
         # strip `sz` parameter (defaults to sz=50) which overrides `image_size` options
         return nil if query_parameters.nil?
 
-        params = CGI.parse(query_parameters)
-        stripped_params = params.delete_if { |key| key == 'sz' }
+        params = URI.decode_www_form(query_parameters)
+        stripped_params = params.delete_if { |key, _value| key == 'sz' }
 
         # don't return an empty Hash since that would result
         # in URLs with a trailing ? character: http://image.url?

data/omniauth-google-oauth2.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |gem|
   gem.name          = 'omniauth-google-oauth2'
   gem.version       = OmniAuth::GoogleOauth2::VERSION
   gem.license       = 'MIT'
-  gem.summary       = %(A Google OAuth2 strategy for OmniAuth 1.x)
-  gem.description   = %(A Google OAuth2 strategy for OmniAuth 1.x. This allows you to login to Google with your ruby app.)
+  gem.summary       = %(A Google OAuth2 strategy for OmniAuth)
+  gem.description   = %(A Google OAuth2 strategy for OmniAuth. This allows you to login to Google with your ruby app.)
   gem.authors       = ['Josh Ellithorpe', 'Yury Korolev']
   gem.email         = ['quest@mac.com']
   gem.homepage      = 'https://github.com/zquestz/omniauth-google-oauth2'
@@ -20,12 +20,11 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 2.5'
 
-  gem.add_runtime_dependency 'jwt', '>= 2.9.2'
-  gem.add_runtime_dependency 'oauth2', '~> 2.0'
-  gem.add_runtime_dependency 'omniauth', '~> 2.0'
-  gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.8'
+  gem.add_dependency 'jwt', '>= 2.9.2'
+  gem.add_dependency 'oauth2', '~> 2.0'
+  gem.add_dependency 'omniauth', '~> 2.0'
+  gem.add_dependency 'omniauth-oauth2', '~> 1.8'
 
-  gem.add_development_dependency 'rake', '~> 12.0'
+  gem.add_development_dependency 'rake', '~> 13.3'
   gem.add_development_dependency 'rspec', '~> 3.6'
-  gem.add_development_dependency 'rubocop', '~> 0.49'
 end

data/spec/omniauth/strategies/google_oauth2_spec.rb

@@ -341,6 +341,23 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
   end
 
+  describe '#uid' do
+    let(:client) do
+      OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/oauth2/v3/userinfo') { [200, { 'content-type' => 'application/json' }, '{"sub": "12345"}'] }
+        end
+      end
+    end
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, { 'access_token' => 'a' }) }
+    before { allow(subject).to receive(:access_token).and_return(access_token) }
+
+    it 'should return the sub from raw_info as uid' do
+      expect(subject.uid).to eq('12345')
+    end
+  end
+
   describe '#info' do
     let(:client) do
       OAuth2::Client.new('abc', 'def') do |builder|
@@ -687,6 +704,24 @@ describe OmniAuth::Strategies::GoogleOauth2 do
     end
   end
 
+  describe 'strip_unnecessary_query_parameters' do
+    it 'should return nil when query_parameters is nil' do
+      expect(subject.send(:strip_unnecessary_query_parameters, nil)).to be_nil
+    end
+
+    it 'should return nil when sz is the only parameter' do
+      expect(subject.send(:strip_unnecessary_query_parameters, 'sz=50')).to be_nil
+    end
+
+    it 'should strip sz and return remaining parameters' do
+      expect(subject.send(:strip_unnecessary_query_parameters, 'sz=50&hello=true&life=42')).to eq('hello=true&life=42')
+    end
+
+    it 'should return all parameters when sz is not present' do
+      expect(subject.send(:strip_unnecessary_query_parameters, 'hello=true&life=42')).to eq('hello=true&life=42')
+    end
+  end
+
   describe 'build_access_token' do
     it 'should use a hybrid authorization request_uri if this is an AJAX request with a code parameter' do
       allow(request).to receive(:xhr?).and_return(true)
@@ -744,7 +779,7 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       expect(subject).to receive(:client).and_return(client)
 
       token = subject.build_access_token
-      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token).to be_instance_of(OAuth2::AccessToken)
       expect(token.token).to eq('valid_access_token')
       expect(token.client).to eq(client)
     end
@@ -798,11 +833,22 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
 
       token = subject.build_access_token
-      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token).to be_instance_of(OAuth2::AccessToken)
       expect(token.token).to eq('valid_access_token')
       expect(token.client).to eq(client)
     end
 
+    it 'should handle a malformed json request body gracefully' do
+      body = StringIO.new('not valid json{{{')
+
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return({})
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+
+      expect { subject.build_access_token }.to output(/JSON parse error/).to_stderr
+    end
+
     it 'should use callback_url without query_string if this is not an AJAX request' do
       allow(request).to receive(:xhr?).and_return(false)
       allow(request).to receive(:params).and_return('code' => 'valid_code')
@@ -856,6 +902,10 @@ describe OmniAuth::Strategies::GoogleOauth2 do
       expect(subject.send(:verify_token, 'valid_access_token')).to eq(false)
     end
 
+    it 'should return false if access_token is nil' do
+      expect(subject.send(:verify_token, nil)).to eq(false)
+    end
+
     it 'should raise error if access_token is invalid' do
       expect do
         subject.send(:verify_token, 'invalid_access_token')
@@ -945,5 +995,10 @@ describe OmniAuth::Strategies::GoogleOauth2 do
         subject.send(:verify_hd, access_token)
       end.to raise_error(OmniAuth::Strategies::GoogleOauth2::CallbackError)
     end
+
+    it 'should verify hd if options hd is set to wildcard *' do
+      subject.options.hd = '*'
+      expect(subject.send(:verify_hd, access_token)).to eq(true)
+    end
   end
 end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-google-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.2.2
 platform: ruby
 authors:
 - Josh Ellithorpe
 - Yury Korolev
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-19 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -73,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -95,22 +94,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.6'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.49'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.49'
-description: A Google OAuth2 strategy for OmniAuth 1.x. This allows you to login to
-  Google with your ruby app.
+description: A Google OAuth2 strategy for OmniAuth. This allows you to login to Google
+  with your ruby app.
 email:
 - quest@mac.com
 executables: []
@@ -119,12 +104,14 @@ extra_rdoc_files: []
 files:
 - ".github/FUNDING.yml"
 - ".github/workflows/ci.yml"
+- ".github/workflows/rubocop.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - CHANGELOG.md
 - Gemfile
 - README.md
 - Rakefile
+- _config.yml
 - examples/Gemfile
 - examples/config.ru
 - examples/omni_auth.rb
@@ -134,13 +121,11 @@ files:
 - lib/omniauth/strategies/google_oauth2.rb
 - omniauth-google-oauth2.gemspec
 - spec/omniauth/strategies/google_oauth2_spec.rb
-- spec/rubocop_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/zquestz/omniauth-google-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -155,8 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.9
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
-summary: A Google OAuth2 strategy for OmniAuth 1.x
+summary: A Google OAuth2 strategy for OmniAuth
 test_files: []

data/spec/rubocop_spec.rb

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'spec_helper'
-
-describe 'Rubocop' do
-  it 'should pass with no offenses detected' do
-    expect(`rubocop`).to include('no offenses detected')
-  end
-end