omniauth-heroku 0.1.1 → 0.4.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7114a261c4657b1093fa15c002dc0c5dc501c3a147670c99b31bb82bb2173290
+  data.tar.gz: 409fe3bd640e82ec72fc30f92ef9a0fd383bb95260b4f1d8d7d9d070b6d325b4
+SHA512:
+  metadata.gz: 36e9c08495d7941cf3a19b8e2b972ec2d70fd992c326f88586141892c5bc445ab4ee9ff28927062d6a5babd58351f7b16fda97fcea9e5933750bc73178f5d6fd
+  data.tar.gz: 6d8bcd09cd0847c01f870ad2d955a90b21ac449b56ba0aafcd275790a9fc8efbca5aae86252a80f3ec916583780d352516b4065e275a9b9450c6201d034c4703

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Pedro Belo
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,8 +1,19 @@
 # OmniAuth Heroku
 
-[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating to Heroku.
+[![Build Status](https://github.com/heroku/omniauth-heroku/actions/workflows/ci.yml/badge.svg)](https://github.com/heroku/omniauth-heroku/actions)
 
-Heroku's support for OAuth is still private/experimental.
+[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
+Heroku users.
+
+Mount this with your Rack application (be it Rails or Sinatra) to simplify the
+[OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
+
+This is intended for apps already using OmniAuth, for apps that authenticate
+against more than one service (eg: Heroku and GitHub), or apps that have
+specific needs on session management. If your app doesn't fall in any of these
+you should consider using [Heroku Bouncer][heroku-bouncer] instead.
+
+[heroku-bouncer]: https://github.com/heroku/heroku-bouncer
 
 
 ## Configuration
@@ -11,20 +22,116 @@ OmniAuth works as a Rack middleware. Mount this Heroku adapter with:
 
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
 
-Your Heroku OAuth client should be set to receive callbacks on `/auth/heroku/callback`.
+Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with
+the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
+
+Your Heroku OAuth client should be set to receive callbacks on
+`/auth/heroku/callback`.
 
 
 ## Usage
 
 Initiate the OAuth flow sending users to `/auth/heroku`.
 
-Once the authorization flow is complete and the user is bounced back to your application, check `env["omniauth.auth"]["credentials"]`. It contains both a refresh token and an access token (identified just as `"token"`) to the account.
+Once the authorization flow is complete and the user is bounced back to your
+application, check `env["omniauth.auth"]["credentials"]`. It contains both a
+refresh token and an access token (identified just as `"token"`) to the
+account.
+
+We recommend using this access token together with
+the [Heroku Platform API gem][heroku-ruby-client] to make API calls on behalf of the user.
+
+[heroku-ruby-client]: https://github.com/heroku/platform-api
+
+Refer to the examples below to see how these work.
+
+
+### Basic account information
+
+If you want this middleware to fetch additional Heroku account information like
+the user email address and name, use the `fetch_info` option, like:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    fetch_info: true
+end
+```
+
+This sets name and email in the [omniauth auth hash][auth-hash]. You can access
+it from your app via `env["omniauth.auth"]["info"]`.
+
+[auth-hash]: https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+
+It will also add [additional Heroku account info][platform-api] to
+`env["omniauth.auth"]["extra"]`.
+
+[platform-api]: https://devcenter.heroku.com/articles/platform-api-reference#account
+
+### OAuth scopes
+
+[Heroku supports different OAuth scopes][oauth-scopes]. By default this
+strategy will request global access to the account, but you're encouraged to
+request for less permissions when possible.
+
+[oauth-scopes]: https://devcenter.heroku.com/articles/oauth#scopes
+
+To do so, configure it like:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: "identity"
+end
+```
+
+This will trim down the permissions associated to the access token given back
+to you.
+
+The Oauth scope can also be decided dynamically at runtime. For example, you
+could use a `scope` GET parameter if it exists, and revert to a default `scope`
+if it does not:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(request) { request.params["scope"] || "identity" }
+end
+```
+
+
+## Example - Sinatra
+
+```ruby
+class Myapp < Sinatra::Application
+  use Rack::Session::Cookie, secret: ENV.fetch("SESSION_SECRET")
+
+  use OmniAuth::Builder do
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
+  end
+
+  get "/" do
+    redirect "/auth/heroku"
+  end
 
-We recommend using this access token together with [Heroku.rb](https://github.com/heroku/heroku.rb) to make API calls on behalf of the user.
+  get "/auth/heroku/callback" do
+    access_token = env["omniauth.auth"]["credentials"]["token"]
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
+    heroku = PlatformAPI.connect_oauth(access_token)
+    "You have #{heroku.app.list.count} apps"
+  end
+end
+```
+
+Note that we're explicitly calling `Rack::Session::Cookie` with a secret. Using
+`enable :sessions` is not recommended because the secret is generated randomly,
+and not reused across processes – so your users can lose their session whenever
+your app restarts.
 
 
 ## Example - Rails
@@ -33,7 +140,7 @@ Under `config/initializers/omniauth.rb`:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
 
@@ -56,8 +163,10 @@ class SessionsController < ApplicationController
 
   def create
     access_token = request.env['omniauth.auth']['credentials']['token']
-    heroku_api = Heroku::API.new(:api_key => access_token)
-    @apps = api.get_apps.body
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
+    heroku = PlatformAPI.connect_oauth(access_token)
+    @apps = heroku.app.list
   end
 end
 ```
@@ -74,6 +183,20 @@ And view:
 </ul>
 ```
 
+## A note on security
+
+**Make sure your cookie session is encrypted before storing sensitive
+information on it, like access tokens**. [encrypted_cookie][encrypted-cookie]
+is a popular gem to do that in Ruby.
+
+[encrypted-cookie]: https://github.com/cvonkleist/encrypted_cookie
+
+Both Rails and Sinatra take a cookie secret, but that is only used to protect
+against tampering; any information stored on standard cookie sessions can
+easily be read from the client side, which can be further exploited to leak
+credentials off your app.
+
+
 ## Meta
 
 Released under the MIT license.

data/lib/omniauth/strategies/heroku.rb

@@ -3,13 +3,88 @@ require 'omniauth-oauth2'
 module OmniAuth
   module Strategies
     class Heroku < OmniAuth::Strategies::OAuth2
-      BaseAuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
+      AuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
+      ApiUrl  = ENV["HEROKU_API_URL"]  || "https://api.heroku.com"
 
       option :client_options, {
-        :site => BaseAuthUrl,
-        :authorize_url => "#{BaseAuthUrl}/oauth/authorize",
-        :token_url => "#{BaseAuthUrl}/oauth/token"
+        site:          AuthUrl,
+        authorize_url: "#{AuthUrl}/oauth/authorize",
+        token_url:     "#{AuthUrl}/oauth/token"
       }
+
+      # whether we should make another API call to Heroku to fetch
+      # additional account info like the real user name and email
+      option :fetch_info
+
+      uid do
+        access_token.params["user_id"]
+      end
+
+      info do
+        if options.fetch_info
+          email_hash        = Digest::MD5.hexdigest(account_info['email'].to_s)
+          default_image_url = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
+          image_url         = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{default_image_url}"
+
+          {
+            name:  account_info["name"],
+            email: account_info["email"],
+            image: image_url,
+          }
+        else
+          { name: "Heroku user" } # only mandatory field
+        end
+      end
+
+      extra do
+        if options.fetch_info
+          account_info
+        else
+          {}
+        end
+      end
+
+      # override method in OmniAuth::Strategies::OAuth2 to error
+      # when we don't have a client_id or secret:
+      def request_phase
+        if missing_client_id?
+          fail!(:missing_client_id)
+        elsif missing_client_secret?
+          fail!(:missing_client_secret)
+        else
+          super
+        end
+      end
+
+      def authorize_params
+        super.tap do |params|
+          # Allow the scope to be determined dynamically based on the request.
+          if params.scope.respond_to?(:call)
+            params.scope = params.scope.call(request)
+          end
+        end
+      end
+
+      def account_info
+        @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
+      end
+
+      def heroku_api
+        @heroku_api ||= Faraday.new(
+          url: ApiUrl,
+          headers: {
+            "Accept" => "application/vnd.heroku+json; version=3",
+            "Authorization" => "Bearer #{access_token.token}",
+          })
+      end
+
+      def missing_client_id?
+        [nil, ""].include?(options.client_id)
+      end
+
+      def missing_client_secret?
+        [nil, ""].include?(options.client_secret)
+      end
     end
   end
 end

metadata

@@ -1,48 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.1.1
-  prerelease: 
+  version: 0.4.1
 platform: ruby
 authors:
 - Pedro Belo
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-12 00:00:00.000000000 Z
+date: 2021-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.9.0
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 1.6.0
 description: OmniAuth strategy for Heroku.
 email:
 - pedro@heroku.com
@@ -50,35 +45,31 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- LICENSE
 - README.md
-- Rakefile
 - lib/omniauth-heroku.rb
 - lib/omniauth/strategies/heroku.rb
-- omniauth-heroku.gemspec
 homepage: https://github.com/heroku/omniauth-heroku
-licenses: []
-post_install_message: 
+licenses:
+- MIT
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 1.8.24
-signing_key: 
-specification_version: 3
+rubygems_version: 3.2.14
+signing_key:
+specification_version: 4
 summary: OmniAuth strategy for Heroku.
 test_files: []

data/.gitignore

@@ -1,17 +0,0 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-/pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp

data/.rspec

@@ -1 +0,0 @@
---colour

data/Rakefile

@@ -1,2 +0,0 @@
-#!/usr/bin/env rake
-require "bundler/gem_tasks"

data/omniauth-heroku.gemspec

@@ -1,16 +0,0 @@
-Gem::Specification.new do |gem|
-  gem.authors       = ["Pedro Belo"]
-  gem.email         = ["pedro@heroku.com"]
-  gem.description   = %q{OmniAuth strategy for Heroku.}
-  gem.summary       = %q{OmniAuth strategy for Heroku.}
-  gem.homepage      = "https://github.com/heroku/omniauth-heroku"
-
-  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  gem.files         = `git ls-files`.split("\n")
-  gem.name          = "omniauth-heroku"
-  gem.require_paths = ["lib"]
-  gem.version       = "0.1.1"
-
-  gem.add_dependency 'omniauth', '~> 1.0'
-  gem.add_dependency 'omniauth-oauth2', '~> 1.0'
-end