omniauth-gusto-oauth2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: c14d9ce5c2e497d9c34e8be6a99aa0dcf4d3915f90a31a90bff03ec3d867233d
+  data.tar.gz: b6a09041116d7635c253b1ff14173931ff49f98e894bd5bd2917c691a6718f40
+SHA512:
+  metadata.gz: cccc2bfbf89a4d9cb6fadbb0bfbf10570f119d02090324ffb167a7b8f388a4c7444cc502863895e2c9db74a0ae521be14a54029ca9e5b33246eee1966e515893
+  data.tar.gz: d9a9be050f46a2db5dea6f8b238d502dd89270b160f59c46dcabbeaf2bd305b74dfae5184f9be29e50b2f898f8dcbe9482fa1476adc5e4857a0143a50d8e0f3d

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+## [1.0.0] - 2026-03-13
+
+### Added
+- Initial release
+- OmniAuth OAuth2 strategy for Gusto
+- Token refresh client (`TokenClient`) for background token management
+- Fetches user info via `GET /v1/me`
+- Fetches token info via `GET /v1/token_info`
+- Supports Gusto API version `2024-04-01`

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 dan1d
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,329 @@
+# OmniAuth Gusto OAuth2 Strategy
+
+[![Gem Version](https://badge.fury.io/rb/omniauth-gusto-oauth2.svg)](https://badge.fury.io/rb/omniauth-gusto-oauth2)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+An OmniAuth strategy for authenticating with [Gusto](https://gusto.com/) using OAuth 2.0.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-gusto-oauth2'
+```
+
+Then execute:
+
+```bash
+$ bundle install
+```
+
+## Gusto Developer Setup
+
+1. Sign up at [Gusto Developer Portal](https://dev.gusto.com/)
+2. Create a new application
+3. Note your **Client ID** and **Client Secret**
+4. Add your **Redirect URI** (e.g., `https://yourapp.com/auth/gusto_oauth2/callback`)
+
+> **Important:** Only primary or full-access admins can authorize applications. Each company must be authorized through a separate OAuth flow.
+
+### Demo vs Production
+
+During development, use the Gusto demo environment:
+
+| Environment | API Base URL |
+|-------------|-------------|
+| Demo | `https://api.gusto-demo.com` |
+| Production | `https://api.gusto.com` |
+
+To use the demo environment, pass custom client options:
+
+```ruby
+provider :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET'],
+  client_options: {
+    site: 'https://api.gusto-demo.com',
+    authorize_url: '/oauth/authorize',
+    token_url: '/oauth/token'
+  }
+```
+
+## Usage
+
+### Ruby (Rack / Sinatra)
+
+```ruby
+# config.ru
+require 'omniauth-gusto-oauth2'
+
+use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+use OmniAuth::Builder do
+  provider :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET']
+end
+
+# Sinatra app
+get '/auth/gusto_oauth2/callback' do
+  auth = request.env['omniauth.auth']
+
+  # auth['uid']                    => "admin-uuid-123"
+  # auth['info']['email']          => "owner@example.com"
+  # auth['info']['name']           => "Jane Doe"
+  # auth['info']['company_uuid']   => "company-uuid-456"
+  # auth['info']['company_name']   => "Jane's Restaurant"
+  # auth['credentials']['token']   => "ACCESS_TOKEN"
+  # auth['credentials']['refresh_token'] => "REFRESH_TOKEN"
+
+  "Hello, #{auth['info']['name']}!"
+end
+
+get '/auth/failure' do
+  "Authentication failed: #{params[:message]}"
+end
+```
+
+### Rails — Standalone OmniAuth
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET']
+end
+```
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  get '/auth/gusto_oauth2/callback', to: 'sessions#create'
+  get '/auth/failure', to: 'sessions#failure'
+end
+```
+
+```ruby
+# app/controllers/sessions_controller.rb
+class SessionsController < ApplicationController
+  def create
+    auth = request.env['omniauth.auth']
+
+    account = Account.find_or_initialize_by(provider: auth['provider'], uid: auth['uid'])
+    account.update!(
+      email: auth['info']['email'],
+      name: auth['info']['name'],
+      company_uuid: auth['info']['company_uuid'],
+      company_name: auth['info']['company_name'],
+      access_token: auth['credentials']['token'],
+      refresh_token: auth['credentials']['refresh_token'],
+      token_expires_at: Time.at(auth['credentials']['expires_at'])
+    )
+
+    session[:account_id] = account.id
+    redirect_to root_path, notice: "Connected to Gusto as #{account.name}"
+  end
+
+  def failure
+    redirect_to root_path, alert: "Gusto authentication failed: #{params[:message]}"
+  end
+end
+```
+
+### Rails — With Devise
+
+In `config/initializers/devise.rb`:
+
+```ruby
+config.omniauth :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET']
+```
+
+Add to your routes:
+
+```ruby
+devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+```
+
+Create the callbacks controller:
+
+```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def gusto_oauth2
+    auth = request.env['omniauth.auth']
+    @user = User.from_omniauth(auth)
+
+    if @user.persisted?
+      sign_in_and_redirect @user, event: :authentication
+      set_flash_message(:notice, :success, kind: 'Gusto') if is_navigational_format?
+    else
+      session['devise.gusto_data'] = auth.except(:extra)
+      redirect_to new_user_registration_url
+    end
+  end
+
+  def failure
+    redirect_to root_path, alert: "Gusto authentication failed: #{failure_message}"
+  end
+end
+```
+
+```ruby
+# app/models/user.rb
+class User < ApplicationRecord
+  devise :database_authenticatable, :omniauthable, omniauth_providers: [:gusto_oauth2]
+
+  def self.from_omniauth(auth)
+    where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
+      user.email = auth.info.email
+      user.password = Devise.friendly_token[0, 20]
+      user.name = auth.info.name
+    end
+  end
+end
+```
+
+## Auth Hash
+
+Here's an example of the authentication hash available in `request.env['omniauth.auth']`:
+
+```ruby
+{
+  "provider" => "gusto_oauth2",
+  "uid" => "admin-uuid-abc123",
+  "info" => {
+    "email" => "owner@example.com",
+    "name" => "Jane Doe",
+    "first_name" => "Jane",
+    "last_name" => "Doe",
+    "company_uuid" => "company-uuid-xyz789",
+    "company_name" => "Jane's Restaurant"
+  },
+  "credentials" => {
+    "token" => "ACCESS_TOKEN",
+    "refresh_token" => "REFRESH_TOKEN",
+    "expires_at" => 1704067200,
+    "expires" => true
+  },
+  "extra" => {
+    "raw_info" => {
+      "uuid" => "admin-uuid-abc123",
+      "email" => "owner@example.com",
+      "first_name" => "Jane",
+      "last_name" => "Doe",
+      "name" => "Jane Doe",
+      "company_uuid" => "company-uuid-xyz789",
+      "company_name" => "Jane's Restaurant"
+    }
+  }
+}
+```
+
+## Gusto OAuth2 Specifics
+
+- **REST API**: Gusto uses a REST API. User info is fetched via `GET /v1/me` and token info via `GET /v1/token_info` after token exchange.
+- **Auth Scheme**: Gusto requires credentials in the POST body as JSON (`Content-Type: application/json`).
+- **Token Expiry**: Access tokens expire after **2 hours**. Refresh tokens **never expire** but are **single-use** — each refresh returns a new refresh token that must be stored.
+- **API Versioning**: All requests include an `X-Gusto-API-Version: 2024-04-01` header. Gusto uses date-based API versioning.
+- **UID**: The `uid` is the resource owner UUID from `/v1/token_info`. Falls back to the user UUID from `/v1/me` if unavailable.
+- **Per-Company Auth**: As of API version `v2023-05-01`, each company must be authorized individually through separate OAuth flows.
+
+## Token Refresh
+
+Gusto access tokens expire after 2 hours. Refresh tokens are **single-use** — always store the new refresh token after each refresh. This gem includes a `TokenClient` for refreshing tokens outside the OmniAuth flow:
+
+```ruby
+client = OmniAuth::GustoOauth2::TokenClient.new(
+  client_id: ENV['GUSTO_CLIENT_ID'],
+  client_secret: ENV['GUSTO_CLIENT_SECRET']
+)
+
+result = client.refresh_token(account.refresh_token)
+
+if result.success?
+  account.update!(
+    access_token: result.access_token,
+    refresh_token: result.refresh_token,  # IMPORTANT: always store the new refresh token
+    token_expires_at: Time.at(result.expires_at)
+  )
+else
+  Rails.logger.error "Gusto token refresh failed: #{result.error}"
+end
+```
+
+### Rails — Background Token Refresh Job
+
+```ruby
+# app/jobs/gusto_token_refresh_job.rb
+class GustoTokenRefreshJob < ApplicationJob
+  queue_as :default
+
+  def perform(account_id)
+    account = Account.find(account_id)
+    client = OmniAuth::GustoOauth2::TokenClient.new(
+      client_id: ENV['GUSTO_CLIENT_ID'],
+      client_secret: ENV['GUSTO_CLIENT_SECRET']
+    )
+
+    return unless client.token_expired?(account.token_expires_at)
+
+    result = client.refresh_token(account.refresh_token)
+
+    if result.success?
+      account.update!(
+        access_token: result.access_token,
+        refresh_token: result.refresh_token,
+        token_expires_at: Time.at(result.expires_at)
+      )
+    else
+      Rails.logger.error "[Gusto] Token refresh failed for account #{account_id}: #{result.error}"
+    end
+  end
+end
+```
+
+### Check Token Expiration
+
+```ruby
+# Check if token is expired (with 5-minute buffer by default)
+client.token_expired?(account.token_expires_at)
+
+# Custom buffer (e.g., refresh 10 minutes before expiry)
+client.token_expired?(account.token_expires_at, buffer_seconds: 600)
+```
+
+### TokenResult Object
+
+| Method | Description |
+|--------|-------------|
+| `success?` | Returns `true` if refresh succeeded |
+| `failure?` | Returns `true` if refresh failed |
+| `access_token` | The new access token |
+| `refresh_token` | The new refresh token (single-use — always store it) |
+| `expires_at` | Unix timestamp when token expires |
+| `expires_in` | Seconds until token expires |
+| `error` | Error message if failed |
+| `raw_response` | Full response hash from Gusto |
+
+## Development
+
+```bash
+bundle install
+bundle exec rspec       # 45 examples, 0 failures
+bundle exec rubocop     # 0 offenses
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dan1d/omniauth-gusto-oauth2.
+
+1. Fork it
+2. Create your feature branch (`git checkout -b feature/my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin feature/my-new-feature`)
+5. Create a new Pull Request
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+Copyright (c) 2026 dan1d
+
+---
+
+Created by [dan1d.dev](https://dan1d.dev)

data/lib/omniauth/gusto_oauth2/token_client.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+require 'faraday'
+require 'json'
+
+module OmniAuth
+  module GustoOauth2
+    # Client for managing Gusto OAuth2 tokens outside the OmniAuth flow.
+    #
+    # Gusto access tokens expire after 2 hours. Refresh tokens never expire
+    # but are single-use — each refresh returns a new refresh token.
+    #
+    # @example Basic usage
+    #   client = OmniAuth::GustoOauth2::TokenClient.new(
+    #     client_id: ENV['GUSTO_CLIENT_ID'],
+    #     client_secret: ENV['GUSTO_CLIENT_SECRET']
+    #   )
+    #
+    #   result = client.refresh_token(account.refresh_token)
+    #   if result.success?
+    #     account.update!(
+    #       access_token: result.access_token,
+    #       refresh_token: result.refresh_token,
+    #       token_expires_at: Time.at(result.expires_at)
+    #     )
+    #   end
+    #
+    class TokenClient
+      class TokenResult
+        attr_reader :access_token, :refresh_token, :expires_at, :expires_in, :error, :raw_response
+
+        def initialize(success:, access_token: nil, refresh_token: nil, expires_at: nil, expires_in: nil,
+                       error: nil, raw_response: nil)
+          @success = success
+          @access_token = access_token
+          @refresh_token = refresh_token
+          @expires_at = expires_at
+          @expires_in = expires_in
+          @error = error
+          @raw_response = raw_response
+        end
+
+        def success?
+          @success
+        end
+
+        def failure?
+          !@success
+        end
+      end
+
+      TOKEN_URL = 'https://api.gusto.com/oauth/token'
+
+      attr_reader :client_id, :client_secret
+
+      def initialize(client_id:, client_secret:, redirect_uri: nil)
+        @client_id = client_id
+        @client_secret = client_secret
+        @redirect_uri = redirect_uri
+      end
+
+      # Refresh an access token using a refresh token.
+      # Gusto refresh tokens are single-use — always store the new refresh_token.
+      #
+      # @param refresh_token [String] The refresh token to use
+      # @return [TokenResult] Result object with new tokens or error
+      def refresh_token(refresh_token)
+        return TokenResult.new(success: false, error: 'Refresh token is required') if refresh_token.nil? || refresh_token.empty?
+
+        response = make_refresh_request(refresh_token)
+
+        if response.success?
+          parse_success_response(response)
+        else
+          parse_error_response(response)
+        end
+      rescue Faraday::Error => e
+        TokenResult.new(success: false, error: "Network error: #{e.message}")
+      rescue JSON::ParserError => e
+        TokenResult.new(success: false, error: "Invalid JSON response: #{e.message}")
+      rescue StandardError => e
+        TokenResult.new(success: false, error: "Unexpected error: #{e.message}")
+      end
+
+      # Check if a token is expired or about to expire
+      #
+      # @param expires_at [Time, Integer] Token expiration time
+      # @param buffer_seconds [Integer] Buffer before expiration (default: 300 = 5 minutes)
+      # @return [Boolean] True if token is expired or will expire within buffer
+      def token_expired?(expires_at, buffer_seconds: 300)
+        return true if expires_at.nil?
+
+        expires_at_time = expires_at.is_a?(Integer) ? Time.at(expires_at) : expires_at
+        Time.now >= (expires_at_time - buffer_seconds)
+      end
+
+      private
+
+      def make_refresh_request(refresh_token)
+        body = {
+          grant_type: 'refresh_token',
+          client_id: client_id,
+          client_secret: client_secret,
+          refresh_token: refresh_token
+        }
+        body[:redirect_uri] = @redirect_uri if @redirect_uri
+
+        Faraday.post(TOKEN_URL) do |req|
+          req.headers['Content-Type'] = 'application/json'
+          req.headers['Accept'] = 'application/json'
+          req.body = body.to_json
+        end
+      end
+
+      def parse_success_response(response)
+        data = JSON.parse(response.body)
+
+        expires_in = data['expires_in']&.to_i
+        expires_at = expires_in ? Time.now.to_i + expires_in : nil
+
+        TokenResult.new(
+          success: true,
+          access_token: data['access_token'],
+          refresh_token: data['refresh_token'],
+          expires_in: expires_in,
+          expires_at: expires_at,
+          raw_response: data
+        )
+      end
+
+      def parse_error_response(response)
+        error_data = begin
+          JSON.parse(response.body)
+        rescue JSON::ParserError
+          { 'message' => response.body }
+        end
+
+        error_message = error_data['error_description'] || error_data['error'] || "HTTP #{response.status}"
+
+        TokenResult.new(
+          success: false,
+          error: error_message,
+          raw_response: error_data
+        )
+      end
+    end
+  end
+end

data/lib/omniauth/gusto_oauth2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module GustoOauth2
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/strategies/gusto_oauth2.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+require 'json'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for Gusto OAuth2.
+    #
+    # Gusto uses standard OAuth2 with 2-hour access tokens and single-use refresh tokens.
+    # The authorize and token endpoints are on api.gusto.com.
+    # User info is fetched via GET /v1/me.
+    #
+    # @example Basic usage
+    #   provider :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET']
+    #
+    # @example With Devise
+    #   config.omniauth :gusto_oauth2, ENV['GUSTO_CLIENT_ID'], ENV['GUSTO_CLIENT_SECRET']
+    #
+    class GustoOauth2 < OmniAuth::Strategies::OAuth2
+      option :name, 'gusto_oauth2'
+
+      option :client_options, {
+        site: 'https://api.gusto.com',
+        authorize_url: '/oauth/authorize',
+        token_url: '/oauth/token',
+        auth_scheme: :request_body
+      }
+
+      # UID is the resource owner UUID from /v1/token_info
+      uid { raw_info['uuid'] }
+
+      info do
+        {
+          email: raw_info['email'],
+          name: raw_info['name'],
+          first_name: raw_info['first_name'],
+          last_name: raw_info['last_name'],
+          company_uuid: raw_info['company_uuid'],
+          company_name: raw_info['company_name']
+        }
+      end
+
+      extra do
+        { raw_info: raw_info }
+      end
+
+      def raw_info
+        @raw_info ||= fetch_user_and_company_info
+      end
+
+      # Override to strip query params from callback_url for redirect_uri matching.
+      # Gusto requires the redirect_uri to match exactly.
+      def build_access_token
+        redirect_uri = callback_url.sub(/\?.*/, '')
+        log(:info, "Token exchange — site: #{client.site}, redirect_uri: #{redirect_uri}")
+        verifier = request.params['code']
+        client.auth_code.get_token(
+          verifier,
+          { redirect_uri: redirect_uri }.merge(token_params.to_hash(symbolize_keys: true)),
+          deep_symbolize(options.auth_token_params)
+        )
+      rescue ::OAuth2::Error => e
+        log(:error, "Token exchange FAILED: status=#{e.response&.status} body=#{e.response&.body}")
+        raise
+      end
+
+      private
+
+      API_VERSION = '2024-04-01'
+
+      ME_URL = '/v1/me'
+      TOKEN_INFO_URL = '/v1/token_info'
+
+      def api_headers
+        { 'Accept' => 'application/json', 'X-Gusto-API-Version' => API_VERSION }
+      end
+
+      def fetch_user_and_company_info
+        me_data = fetch_me
+        token_data = fetch_token_info
+
+        company = me_data['companies']&.first || {}
+
+        {
+          'uuid' => token_data.dig('resource_owner', 'uuid') || me_data['uuid'],
+          'email' => me_data['email'],
+          'first_name' => me_data['first_name'],
+          'last_name' => me_data['last_name'],
+          'name' => [me_data['first_name'], me_data['last_name']].compact.join(' '),
+          'company_uuid' => company['uuid'] || token_data.dig('resource', 'uuid'),
+          'company_name' => company['name']
+        }
+      rescue StandardError => e
+        log(:warn, "Failed to fetch user/company info: #{e.message}")
+        { 'uuid' => nil }
+      end
+
+      def fetch_me
+        response = access_token.get(ME_URL, headers: api_headers)
+        JSON.parse(response.body)
+      end
+
+      def fetch_token_info
+        response = access_token.get(TOKEN_INFO_URL, headers: api_headers)
+        JSON.parse(response.body)
+      end
+
+      def log(level, message)
+        return unless defined?(OmniAuth.logger) && OmniAuth.logger
+
+        OmniAuth.logger.send(level, "[GustoOauth2] #{message}")
+      end
+    end
+  end
+end

data/lib/omniauth-gusto-oauth2.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+require 'omniauth/gusto_oauth2/version'
+require 'omniauth/gusto_oauth2/token_client'
+require 'omniauth/strategies/gusto_oauth2'

metadata

@@ -0,0 +1,198 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-gusto-oauth2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- dan1d
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.75'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.75'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+description: An OmniAuth strategy for authenticating with Gusto payroll using OAuth
+  2.0. Fetches user and company info via Gusto's REST API.
+email:
+- dan1d@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- lib/omniauth-gusto-oauth2.rb
+- lib/omniauth/gusto_oauth2/token_client.rb
+- lib/omniauth/gusto_oauth2/version.rb
+- lib/omniauth/strategies/gusto_oauth2.rb
+homepage: https://github.com/dan1d/omniauth-gusto-oauth2
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/dan1d/omniauth-gusto-oauth2
+  source_code_uri: https://github.com/dan1d/omniauth-gusto-oauth2
+  changelog_uri: https://github.com/dan1d/omniauth-gusto-oauth2/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: OmniAuth OAuth2 strategy for Gusto
+test_files: []