omniauth-heroku 0.2.0.pre → 1.0.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    M2ZlY2IwZjQ5NmNhN2QyMjRhODI0MGE4MmQ5ODFkNzIxZDZiNThlYg==
-  data.tar.gz: !binary |-
-    MDEyNDQ1MjUzMThjMzQzYjU4NDFmMjQzNjYxYzBkZDVlOTE0OGU4Mw==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    MDJkMTc0MTBiNTIzZGU4ZDI4Y2YwYWRkOGEwNDJkNWFlYTczNzJiNzJmODRk
-    YjJjNmNiZTk5NjU0MTNhNWE4ZDcyNTAyZGQwNWJjMGU5NTIzNjI0ZDIwYjVk
-    YmRjODNlZGZlZDY5YjU1OGQ0ZTAzYWMxMTk2NGNlMGM3Njg4MTU=
-  data.tar.gz: !binary |-
-    NDFiYjc5NzNmMzE0MWZhYWFjYTdlZWE5MDdlM2ViOGU5MDNkNGFiZThjYmQz
-    NTQ1NjczYzg2MDQ1MjMxNzU0OGIzNGNkMDUzMTMyZDI0ZWI0NGViOWFlNzJi
-    YzI2NWNiNTViMTAwYzU1ZDBmMzRiYTE3YTc2MzNlMWYyNTQ4MzE=
+SHA256:
+  metadata.gz: 5e748c5250cbb5edbba46f40b0f38d4a8cf54cd5c266b6df4deaebc57637e9d1
+  data.tar.gz: 4a5af940242e0cfb0a51ba7d73983303264846bb9278839cabadaaa890cf0227
+SHA512:
+  metadata.gz: a623e6356f151b83eb7e370f8039e51012c9a76adf17187fe279aff23c10744b03514c46195198fd6261b9bcc206639ab7a15ea48875f6c06b300e3d8c72e45c
+  data.tar.gz: 61a1c1b3114cbf737de9de020572c98db82d3c29a180e0b135f3188ec6938123dc29766685475eff28e833d4d58ae600435411392b0a84579396757edccf5e19

data/.github/workflows/ci.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [ 2.3, 2.4, 2.5, 2.6, 2.7, 3.0 ]
+        gemfile: ["omniauth1", "omniauth2"]
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: Gemfile-${{ matrix.gemfile }}
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Setup Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+    - name: Build and test
+      run: bin/rspec
+

data/.gitignore

@@ -1,17 +1,17 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-/pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
+# Ignore all logfiles and tempfiles
+/coverage/
+/log/
+/spec/reports
+/spec/rspec-status.txt
+/tmp/
+/tags
+
+# Package and dependency caches
+/.bundle
+/Gemfile.lock
+/pkg/
+
+# Generated documentation
+/doc/
+/.yardoc
+/_yardoc/

data/.rspec

@@ -1 +1,3 @@
---colour
+--require spec_helper
+--color
+--format progress

data/CHANGELOG.md

@@ -0,0 +1,43 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.0.0] 2021-07-14
+
+### Changed
+
+- Support `omniauth` versions `>= 1.9` but `< 3`.
+  i.e., support version `2` which addresses some CVEs.
+- Standardize syntax and style via [Standard.rb](https://github.com/testdouble/standard)
+
+### Breaking
+
+- Loosen `omniauth-oauth2` requirement to allow `>= 1.7.0`.
+  With this change, blocks give to dynamically determine the `:scope` argument will be passed the Rack `env`, rather than an instance of the `Rack::Request`.
+  See the [Upgrading to 1.0 docs](README.md#upgrading-to-10) for more.
+- Remove `AuthUrl` and `ApiUrl` constants from `OmniAuth::Strategies::Heroku`. 
+  These were internal details, not meant to be part of the public API.
+- Require Ruby `>= 2.3.0`.
+  We were only supporting that anyway, but now it's explicit.
+  However, we do recommend only running on [actively supported Rubies](https://www.ruby-lang.org/en/downloads/branches/).
+
+## [0.4.1] 2021-07-06
+
+### Changed
+- Lock to `omniauth-oauth2 ~> 1.6.0` to fix regression in dynamic `:scope` option.
+  With `omniauth-oauth2 >= 1.7.0`, the block is passed the Rack `env` as the parameter.
+  This breaks our expectation the will receive a `Rack::Request` instance as the argument to dynamically determine the `:scope` option.
+  i.e., this broken:
+
+  ```ruby
+  use OmniAuth::Builder do
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+      scope: ->(request) { request.params["scope"] || "identity" }
+  end
+  ```
+
+  See [PR #22](https://github.com/heroku/omniauth-heroku/pull/22) for more context, workaround, etc...

data/Gemfile

@@ -1,12 +1,3 @@
 source "https://www.rubygems.org"
 
 gemspec
-
-group :test do
-  gem "multi_json"
-  gem "rake"
-  gem "rack-test"
-  gem "rspec"
-  gem "sinatra"
-  gem "webmock"
-end

data/Gemfile-omniauth1

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 1.9"

data/Gemfile-omniauth2

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 2.0"

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Pedro Belo
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,12 +1,20 @@
 # OmniAuth Heroku
 
-[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating Heroku users.
+[![Build Status](https://github.com/heroku/omniauth-heroku/actions/workflows/ci.yml/badge.svg)](https://github.com/heroku/omniauth-heroku/actions)
+[![Gem Version](https://badge.fury.io/rb/omniauth-heroku.svg)](https://badge.fury.io/rb/omniauth-heroku)
 
-[![Build Status](https://travis-ci.org/heroku/omniauth-heroku.svg?branch=master)](https://travis-ci.org/heroku/omniauth-heroku)
+[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
+Heroku users.
 
-Mount this with your Rack application (be it Rails or Sinatra) to simplify the [OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
+Mount this with your Rack application (be it Rails or Sinatra) to simplify the
+[OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
 
-This is intended for apps already using OmniAuth, for apps that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management. If your app doesn't fall in any of these you should consider using [Heroku Bouncer](https://github.com/heroku/heroku-bouncer) instead.
+This is intended for apps already using OmniAuth, for apps that authenticate
+against more than one service (eg: Heroku and GitHub), or apps that have
+specific needs on session management. If your app doesn't fall in any of these
+you should consider using [Heroku Bouncer][heroku-bouncer] instead.
+
+[heroku-bouncer]: https://github.com/heroku/heroku-bouncer
 
 
 ## Configuration
@@ -15,67 +23,117 @@ OmniAuth works as a Rack middleware. Mount this Heroku adapter with:
 
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
 
-Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
+Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with
+the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
 
-Your Heroku OAuth client should be set to receive callbacks on `/auth/heroku/callback`.
+Your Heroku OAuth client should be set to receive callbacks on
+`/auth/heroku/callback`.
 
 
 ## Usage
 
 Initiate the OAuth flow sending users to `/auth/heroku`.
 
-Once the authorization flow is complete and the user is bounced back to your application, check `env["omniauth.auth"]["credentials"]`. It contains both a refresh token and an access token (identified just as `"token"`) to the account.
+Once the authorization flow is complete and the user is bounced back to your
+application, check `env["omniauth.auth"]["credentials"]`. It contains both a
+refresh token and an access token (identified just as `"token"`) to the
+account.
+
+We recommend using this access token together with
+the [Heroku Platform API gem][heroku-ruby-client] to make API calls on behalf of the user.
 
-We recommend using this access token together with [Heroku.rb](https://github.com/heroku/heroku.rb) to make API calls on behalf of the user.
+[heroku-ruby-client]: https://github.com/heroku/platform-api
 
 Refer to the examples below to see how these work.
 
 
 ### Basic account information
 
-If you want this middleware to fetch additional Heroku account information like the user email address and name, use the `fetch_info` option, like:
+If you want this middleware to fetch additional Heroku account information like
+the user email address and name, use the `fetch_info` option, like:
 
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
     fetch_info: true
 end
 ```
 
-This sets name and email in the [omniauth auth hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema). You can access it from your app via `env["omniauth.auth"]["info"]`.
+This sets name and email in the [omniauth auth hash][auth-hash]. You can access
+it from your app via `env["omniauth.auth"]["info"]`.
+
+[auth-hash]: https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+
+It will also add [additional Heroku account info][platform-api] to
+`env["omniauth.auth"]["extra"]`.
 
-It will also add [additional Heroku account info](https://devcenter.heroku.com/articles/platform-api-reference#account) to `env["omniauth.auth"]["extra"]`.
+[platform-api]: https://devcenter.heroku.com/articles/platform-api-reference#account
 
 ### OAuth scopes
 
-[Heroku supports different OAuth scopes](https://devcenter.heroku.com/articles/oauth#scopes). By default this strategy will request global access to the account, but you're encouraged to request for less permissions when possible.
+[Heroku supports different OAuth scopes][oauth-scopes]. By default this
+strategy will request global access to the account, but you're encouraged to
+request for less permissions when possible.
+
+[oauth-scopes]: https://devcenter.heroku.com/articles/oauth#scopes
 
 To do so, configure it like:
 
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
     scope: "identity"
 end
 ```
 
 This will trim down the permissions associated to the access token given back to you.
 
+The OAuth scope can also be decided dynamically at runtime.
+For example, you could use a `scope` parameter from the request, if it exists, with a default value if it does not:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(env) { Rack::Request.new(env).params["scope"] || "identity" }
+end
+```
+
+#### Upgrading to 1.0+
+
+Versions before `1.0` allowed you to pass `:scope` option as a block, just as today.
+However, that block received a `Rack::Request` instance, rather than the `Rack` `env`.
+If you used the `Rack::Request` argument in your `:scope` block you can update your code to create a new instance, from the `env`.
+
+For example, `< 1.0` code that looked like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(request) { request.params["scope"] }
+end
+```
+
+need to be updated to something like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(env) { Rack::Request.new(env).params["scope"] }
+end
+```
 
 ## Example - Sinatra
 
 ```ruby
 class Myapp < Sinatra::Application
-  configure do
-    enable :sessions
-  end
+  use Rack::Session::Cookie, secret: ENV.fetch("SESSION_SECRET")
 
   use OmniAuth::Builder do
-    provider :heroku, ENV["HEROKU_OAUTH_ID"], ENV["HEROKU_OAUTH_SECRET"]
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
   end
 
   get "/" do
@@ -83,20 +141,28 @@ class Myapp < Sinatra::Application
   end
 
   get "/auth/heroku/callback" do
-    access_token = env['omniauth.auth']['credentials']['token']
-    heroku_api = Heroku::API.new(api_key: access_token)
-    "You have #{heroku_api.get_apps.body.size} apps"
+    access_token = env["omniauth.auth"]["credentials"]["token"]
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
+    heroku = PlatformAPI.connect_oauth(access_token)
+    "You have #{heroku.app.list.count} apps"
   end
 end
 ```
 
+Note that we're explicitly calling `Rack::Session::Cookie` with a secret. Using
+`enable :sessions` is not recommended because the secret is generated randomly,
+and not reused across processes – so your users can lose their session whenever
+your app restarts.
+
+
 ## Example - Rails
 
 Under `config/initializers/omniauth.rb`:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
 
@@ -118,9 +184,11 @@ class SessionsController < ApplicationController
   end
 
   def create
-    access_token = request.env['omniauth.auth']['credentials']['token']
-    heroku_api = Heroku::API.new(api_key: access_token)
-    @apps = heroku_api.get_apps.body
+    access_token = request.env["omniauth.auth"]["credentials"]["token"]
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
+    heroku = PlatformAPI.connect_oauth(access_token)
+    @apps = heroku.app.list
   end
 end
 ```
@@ -139,11 +207,16 @@ And view:
 
 ## A note on security
 
-Be careful if you intend to store access tokens in cookie-based sessions.
+**Make sure your cookie session is encrypted before storing sensitive
+information on it, like access tokens**. [encrypted_cookie][encrypted-cookie]
+is a popular gem to do that in Ruby.
 
-Many web frameworks offer protection against session tampering, but still store sessions with no encryption. This allows attackers with some access to the user session to obtain valuable information from cookies.
+[encrypted-cookie]: https://github.com/cvonkleist/encrypted_cookie
 
-Rails, Sinatra and others can be configured to encrypt cookies, but don't do it by default. So make sure to encrypt cookie-based sessions before storing confidential data on it!
+Both Rails and Sinatra take a cookie secret, but that is only used to protect
+against tampering; any information stored on standard cookie sessions can
+easily be read from the client side, which can be further exploited to leak
+credentials off your app.
 
 
 ## Meta

data/bin/rake

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rake' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rake", "rake")

data/bin/rspec

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/lib/omniauth-heroku.rb

@@ -1 +1,2 @@
-require 'omniauth/strategies/heroku'
+require "omniauth/heroku/version"
+require "omniauth/strategies/heroku"

data/lib/omniauth/heroku/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Heroku
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth/strategies/heroku.rb

@@ -1,20 +1,25 @@
-require 'omniauth-oauth2'
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
 
 module OmniAuth
   module Strategies
     class Heroku < OmniAuth::Strategies::OAuth2
-      AuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
-      ApiUrl  = ENV["HEROKU_API_URL"]  || "https://api.heroku.com"
+      # This style of overriding the default means it can only be done when the class is loaded.
+      # Which is problematic for testing, and a bit against the grain of how the base class
+      # expects this to work, where consumers would explicitly override by passing in the option.
+      AUTH_URL = ENV.fetch("HEROKU_AUTH_URL", "https://id.heroku.com")
+      private_constant :AUTH_URL
 
-      option :client_options, {
-        site:          AuthUrl,
-        authorize_url: "#{AuthUrl}/oauth/authorize",
-        token_url:     "#{AuthUrl}/oauth/token"
-      }
+      option(:client_options, {
+        site: AUTH_URL,
+        authorize_url: "#{AUTH_URL}/oauth/authorize",
+        token_url: "#{AUTH_URL}/oauth/token"
+      })
 
-      # whether we should make another API call to Heroku to fetch
+      # Configure whether we make another API call to Heroku to fetch
       # additional account info like the real user name and email
-      option :fetch_info
+      option :fetch_info, false
 
       uid do
         access_token.params["user_id"]
@@ -22,17 +27,16 @@ module OmniAuth
 
       info do
         if options.fetch_info
-          email_hash        = Digest::MD5.hexdigest(account_info['email'].to_s)
-          default_image_url = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
-          image_url         = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{default_image_url}"
+          email_hash = Digest::MD5.hexdigest(account_info["email"].to_s)
+          image_url = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{DEFAULT_IMAGE_URL}"
 
           {
-            name:  account_info["name"],
+            name: account_info["name"],
             email: account_info["email"],
-            image: image_url,
+            image: image_url
           }
         else
-          { name: "Heroku user" } # only mandatory field
+          {name: "Heroku user"} # only mandatory field
         end
       end
 
@@ -44,17 +48,50 @@ module OmniAuth
         end
       end
 
+      # override method in OmniAuth::Strategies::OAuth2 to error
+      # when we don't have a client_id or secret:
+      def request_phase
+        if missing_client_id?
+          fail!(:missing_client_id)
+        elsif missing_client_secret?
+          fail!(:missing_client_secret)
+        else
+          super
+        end
+      end
+
+      private
+
+      DEFAULT_API_URL = "https://api.heroku.com"
+      private_constant :DEFAULT_API_URL
+
+      DEFAULT_IMAGE_URL = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
+      private_constant :DEFAULT_IMAGE_URL
+
       def account_info
         @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
       end
 
+      def api_url
+        @api_url ||= ENV.fetch("HEROKU_API_URL", DEFAULT_API_URL)
+      end
+
       def heroku_api
         @heroku_api ||= Faraday.new(
-          url: ApiUrl,
+          url: api_url,
           headers: {
             "Accept" => "application/vnd.heroku+json; version=3",
-            "Authorization" => "Bearer #{access_token.token}",
-          })
+            "Authorization" => "Bearer #{access_token.token}"
+          }
+        )
+      end
+
+      def missing_client_id?
+        [nil, ""].include?(options.client_id)
+      end
+
+      def missing_client_secret?
+        [nil, ""].include?(options.client_secret)
       end
     end
   end

data/omniauth-heroku.gemspec

@@ -1,16 +1,39 @@
-Gem::Specification.new do |gem|
-  gem.authors       = ["Pedro Belo"]
-  gem.email         = ["pedro@heroku.com"]
-  gem.description   = %q{OmniAuth strategy for Heroku.}
-  gem.summary       = %q{OmniAuth strategy for Heroku.}
-  gem.homepage      = "https://github.com/heroku/omniauth-heroku"
+require File.expand_path("lib/omniauth/heroku/version", __dir__)
 
-  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  gem.files         = `git ls-files`.split("\n")
-  gem.name          = "omniauth-heroku"
-  gem.require_paths = ["lib"]
-  gem.version       = "0.2.0.pre"
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-heroku"
+  spec.version = OmniAuth::Heroku::VERSION
+  spec.authors = ["Pedro Belo"]
+  spec.email = ["pedro@heroku.com"]
 
-  gem.add_dependency 'omniauth', '~> 1.2'
-  gem.add_dependency 'omniauth-oauth2', '~> 1.2'
+  spec.summary = "OmniAuth strategy for Heroku."
+  spec.description = "OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management."
+  spec.homepage = "https://github.com/heroku/omniauth-heroku"
+  spec.license = "MIT"
+
+  spec.metadata = {
+    "homepage_uri" => spec.homepage,
+    "source_code_uri" => spec.homepage,
+    "bug_tracker_uri" => "#{spec.homepage}/issues",
+    "changelog_uri" => "#{spec.homepage}/blob/master/CHANGELOG.md"
+  }
+
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir = "exe"
+  spec.executables = []
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency("omniauth", [">= 1.9", "< 3"])
+  spec.add_runtime_dependency("omniauth-oauth2", "~> 1.7")
+
+  spec.add_development_dependency("multi_json", "~> 1.12")
+  spec.add_development_dependency("rake", "~> 13.0")
+  spec.add_development_dependency("rspec", "~> 3.4")
+  spec.add_development_dependency("webmock", "~> 3.13")
 end

metadata

@@ -1,82 +1,155 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.2.0.pre
+  version: 1.0.0
 platform: ruby
 authors:
 - Pedro Belo
-autorequire: 
-bindir: bin
+autorequire:
+bindir: exe
 cert_chain: []
-date: 2014-09-11 00:00:00.000000000 Z
+date: 2021-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: OmniAuth strategy for Heroku.
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+description: 'OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate
+  against more than one service (eg: Heroku and GitHub), or apps that have specific
+  needs on session management.'
 email:
 - pedro@heroku.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
 - Gemfile
+- Gemfile-omniauth1
+- Gemfile-omniauth2
+- LICENSE
 - README.md
 - Rakefile
+- bin/rake
+- bin/rspec
 - lib/omniauth-heroku.rb
+- lib/omniauth/heroku/version.rb
 - lib/omniauth/strategies/heroku.rb
 - omniauth-heroku.gemspec
-- spec/omniauth_heroku_spec.rb
-- spec/spec_helper.rb
 homepage: https://github.com/heroku/omniauth-heroku
-licenses: []
-metadata: {}
-post_install_message: 
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/heroku/omniauth-heroku
+  source_code_uri: https://github.com/heroku/omniauth-heroku
+  bug_tracker_uri: https://github.com/heroku/omniauth-heroku/issues
+  changelog_uri: https://github.com/heroku/omniauth-heroku/blob/master/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>'
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.7
-signing_key: 
+rubygems_version: 3.2.14
+signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Heroku.
 test_files: []

data/.travis.yml

@@ -1,14 +0,0 @@
-language: ruby
-rvm:
-  - 2.1.2
-  - 2.1.0
-  - 1.9.3
-cache: bundler
-notifications:
-  hipchat:
-    rooms:
-      - 5bc7785d2feb4f25901124279daede@API
-    template:
-      - '%{repository}#%{build_number} (%{branch} - %{commit} : %{author}): %{message} (<a href="%{build_url}">Details</a> | <a href="%{compare_url}">Change view</a>)'
-    format: html
-script: bundle exec rake

data/spec/omniauth_heroku_spec.rb

@@ -1,78 +0,0 @@
-require "spec_helper"
-
-describe OmniAuth::Strategies::Heroku do
-  before do
-    @token = "6e441b93-4c6d-4613-abed-b9976e7cff6c"
-    @user_id = "ddc4beff-f08f-4856-99d2-ba5ac63c3eb9"
-
-    # stub the API call made by the strategy to start the oauth dance
-    stub_request(:post, "https://id.heroku.com/oauth/token").
-      to_return(
-        headers: { "Content-Type" => "application/json" },
-        body: MultiJson.encode(
-          access_token: @token,
-          expires_in:   3600,
-          user_id:      @user_id))
-  end
-
-  it "redirects to start the OAuth flow" do
-    get "/auth/heroku"
-    assert_equal 302, last_response.status
-    redirect = URI.parse(last_response.headers["Location"])
-    redirect_params = CGI::parse(redirect.query)
-    assert_equal "https", redirect.scheme
-    assert_equal "id.heroku.com", redirect.host
-    assert_equal [ENV["HEROKU_OAUTH_ID"]], redirect_params["client_id"]
-    assert_equal ["code"], redirect_params["response_type"]
-    assert_equal ["http://example.org/auth/heroku/callback"],
-      redirect_params["redirect_uri"]
-  end
-
-  it "receives the callback" do
-    # start the callback, get the session state
-    get "/auth/heroku"
-    assert_equal 302, last_response.status
-    state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
-
-    # trigger the callback setting the state as a param and in the session
-    get "/auth/heroku/callback", { "state" => state },
-      { "rack.session" => { "omniauth.state" => state }}
-    assert_equal 200, last_response.status
-
-    omniauth_env = MultiJson.decode(last_response.body)
-    assert_equal "heroku", omniauth_env["provider"]
-    assert_equal @user_id, omniauth_env["uid"]
-    assert_equal "Heroku user", omniauth_env["info"]["name"]
-  end
-
-  it "fetches additional info when requested" do
-    # change the app being tested:
-    @app = make_app(fetch_info: true)
-
-    # stub the API call to heroku
-    account_info = {
-      "email" => "john@example.org",
-      "name"  =>  "John"
-    }
-    stub_request(:get, "https://api.heroku.com/account").
-      with(headers: { "Authorization" => "Bearer #{@token}" }).
-      to_return(body: MultiJson.encode(account_info))
-
-    # do the oauth dance
-    get "/auth/heroku"
-    assert_equal 302, last_response.status
-    state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
-
-    get "/auth/heroku/callback", { "state" => state },
-      { "rack.session" => { "omniauth.state" => state }}
-    assert_equal 200, last_response.status
-
-    # now make sure there's additional info in the omniauth env
-    omniauth_env = MultiJson.decode(last_response.body)
-    assert_equal "heroku", omniauth_env["provider"]
-    assert_equal @user_id, omniauth_env["uid"]
-    assert_equal "john@example.org", omniauth_env["info"]["email"]
-    assert_equal "John", omniauth_env["info"]["name"]
-    assert_equal account_info, omniauth_env["extra"]
-  end
-end

data/spec/spec_helper.rb

@@ -1,48 +0,0 @@
-ENV["SESSION_SECRET"] = "abcdefghjij"
-ENV["HEROKU_OAUTH_ID"] = "12345"
-ENV["HEROKU_OAUTH_SECRET"] = "klmnopqrstu"
-
-require "rubygems"
-require "bundler"
-Bundler.setup(:default, :test)
-require "omniauth/strategies/heroku"
-
-require "cgi"
-require "rspec"
-require "rack/test"
-require "sinatra"
-require "webmock/rspec"
-
-Dir["./spec/support/*.rb"].each { |f| require f }
-
-WebMock.disable_net_connect!
-
-OmniAuth.config.logger = Logger.new(StringIO.new)
-
-RSpec.configure do |config|
-  config.include Rack::Test::Methods
-  config.expect_with :minitest
-
-  def app
-    @app || make_app
-  end
-
-  def make_app(omniauth_heroku_options={})
-    Sinatra.new do
-      configure do
-        enable :sessions
-        set :show_exceptions, false
-        set :session_secret, ENV["SESSION_SECRET"]
-      end
-
-      use OmniAuth::Builder do
-        provider :heroku, ENV["HEROKU_OAUTH_ID"], ENV["HEROKU_OAUTH_SECRET"],
-          omniauth_heroku_options
-      end
-
-      get "/auth/heroku/callback" do
-        MultiJson.encode(env['omniauth.auth'])
-      end
-    end
-  end
-end