RubyGems - omniauth-heroku - Versions diffs - 0.2.0 → 0.3.0 - Mend

omniauth-heroku 0.2.0 → 0.3.0

Files changed (12) hide show

checksums.yaml +5 -13
data/README.md +77 -25
data/lib/omniauth/strategies/heroku.rb +9 -0
metadata +9 -17
data/.gitignore +0 -17
data/.rspec +0 -1
data/.travis.yml +0 -14
data/Gemfile +0 -12
data/Rakefile +0 -10
data/omniauth-heroku.gemspec +0 -17
data/spec/omniauth_heroku_spec.rb +0 -89
data/spec/spec_helper.rb +0 -56

checksums.yaml CHANGED Viewed

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NzQ0NTZiYTZlYTcxNDc0MzYzNDBmM2Y0NmM4M2Q1OTYwYWM2ZjM4NQ==
-  data.tar.gz: !binary |-
-    YmNiZTI4ZTkzZGMyMTI3YTIxMmE2MTJlNWIxMDZhOGRlY2MyOGY3MQ==
+SHA1:
+  metadata.gz: 964daffc75b3ca8125e9cd80e31d0e96ffa1cb46
+  data.tar.gz: a317e2dea50412a8fd74540561eb5b3a7172403c
 SHA512:
-  metadata.gz: !binary |-
-    NWFhMDBmNDQwZDZmOTgzNTY2OTIwZjdhNmU5NWYxN2ZiN2YyZDliM2MyMWMx
-    Zjg1NzE2ZTI2OGIzZDE0OTRmODQwZTRkMjZmODg3MWRjZTY0YTAyN2UyNzQx
-    Zjg0YTQ0Njg4MzJmYjJmNGJmYjdiMDg3ZTk5NTc3YjdkMTgxMmQ=
-  data.tar.gz: !binary |-
-    NTJhOTBjOTE5ZGQxYjhkMzM4Y2FhNDJiOTgwYzQ3OTIzMTU5MzBhYzk5Y2Q2
-    YzVkNDJiNGI0MzVmOWJhY2Q0ZmIwOGMwMGU0MmJmY2FhMjdjOTA5YTNlN2Rm
-    NGFiZjk5MDg3OTRmYTNlZDc2OThkMjQzYTFiNDJhYThlODViNDE=
+  metadata.gz: fd660369c9518967643d91bc036445fd66c098d8ddf8737c46dae4413a829991d66287989a7c04f8fd24d8753ddc817d7a4fbd958141f6df4b7a9d5b529b2d9a
+  data.tar.gz: 4d6ba13e6ce6a42bc57514623c7c3d5149665b0ff915c1dd046e11b9704216ef01a0128b2dfb40846b21b72bbf3ac522841d114eb70694e699c381fed66485ab

data/README.md CHANGED Viewed

@@ -1,12 +1,20 @@
 # OmniAuth Heroku
-[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating Heroku users.
 [![Build Status](https://travis-ci.org/heroku/omniauth-heroku.svg?branch=master)](https://travis-ci.org/heroku/omniauth-heroku)
-Mount this with your Rack application (be it Rails or Sinatra) to simplify the [OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
-This is intended for apps already using OmniAuth, for apps that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management. If your app doesn't fall in any of these you should consider using [Heroku Bouncer](https://github.com/heroku/heroku-bouncer) instead.
+[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
+Heroku users.
+Mount this with your Rack application (be it Rails or Sinatra) to simplify the
+[OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
+This is intended for apps already using OmniAuth, for apps that authenticate
+against more than one service (eg: Heroku and GitHub), or apps that have
+specific needs on session management. If your app doesn't fall in any of these
+you should consider using [Heroku Bouncer][heroku-bouncer] instead.
+[heroku-bouncer]: https://github.com/heroku/heroku-bouncer
 ## Configuration
@@ -15,67 +23,96 @@ OmniAuth works as a Rack middleware. Mount this Heroku adapter with:
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
-Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
+Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with
+the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
-Your Heroku OAuth client should be set to receive callbacks on `/auth/heroku/callback`.
+Your Heroku OAuth client should be set to receive callbacks on
+`/auth/heroku/callback`.
 ## Usage
 Initiate the OAuth flow sending users to `/auth/heroku`.
-Once the authorization flow is complete and the user is bounced back to your application, check `env["omniauth.auth"]["credentials"]`. It contains both a refresh token and an access token (identified just as `"token"`) to the account.
+Once the authorization flow is complete and the user is bounced back to your
+application, check `env["omniauth.auth"]["credentials"]`. It contains both a
+refresh token and an access token (identified just as `"token"`) to the
+account.
+We recommend using this access token together with
+[Heroku.rb][heroku-ruby-client] to make API calls on behalf of the user.
-We recommend using this access token together with [Heroku.rb](https://github.com/heroku/heroku.rb) to make API calls on behalf of the user.
+[heroku-ruby-client]: https://github.com/heroku/heroku.rb
 Refer to the examples below to see how these work.
 ### Basic account information
-If you want this middleware to fetch additional Heroku account information like the user email address and name, use the `fetch_info` option, like:
+If you want this middleware to fetch additional Heroku account information like
+the user email address and name, use the `fetch_info` option, like:
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
     fetch_info: true
 end
 ```
-This sets name and email in the [omniauth auth hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema). You can access it from your app via `env["omniauth.auth"]["info"]`.
+This sets name and email in the [omniauth auth hash][auth-hash]. You can access
+it from your app via `env["omniauth.auth"]["info"]`.
-It will also add [additional Heroku account info](https://devcenter.heroku.com/articles/platform-api-reference#account) to `env["omniauth.auth"]["extra"]`.
+[auth-hash]: https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+It will also add [additional Heroku account info][platform-api] to
+`env["omniauth.auth"]["extra"]`.
+[platform-api]: https://devcenter.heroku.com/articles/platform-api-reference#account
 ### OAuth scopes
-[Heroku supports different OAuth scopes](https://devcenter.heroku.com/articles/oauth#scopes). By default this strategy will request global access to the account, but you're encouraged to request for less permissions when possible.
+[Heroku supports different OAuth scopes][oauth-scopes]. By default this
+strategy will request global access to the account, but you're encouraged to
+request for less permissions when possible.
+[oauth-scopes]: https://devcenter.heroku.com/articles/oauth#scopes
 To do so, configure it like:
 ```ruby
 use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
     scope: "identity"
 end
 ```
-This will trim down the permissions associated to the access token given back to you.
+This will trim down the permissions associated to the access token given back
+to you.
+The Oauth scope can also be decided dynamically at runtime. For example, you
+could use a `scope` GET parameter if it exists, and revert to a default `scope`
+if it does not:
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(request) { request.params["scope"] || "identity" }
+end
+```
 ## Example - Sinatra
 ```ruby
 class Myapp < Sinatra::Application
-  configure do
-    enable :sessions
-  end
+  use Rack::Session::Cookie, secret: ENV.fetch("SESSION_SECRET")
   use OmniAuth::Builder do
-    provider :heroku, ENV["HEROKU_OAUTH_ID"], ENV["HEROKU_OAUTH_SECRET"]
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
   end
   get "/" do
@@ -83,20 +120,28 @@ class Myapp < Sinatra::Application
   end
   get "/auth/heroku/callback" do
-    access_token = env['omniauth.auth']['credentials']['token']
+    access_token = env["omniauth.auth"]["credentials"]["token"]
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
     heroku_api = Heroku::API.new(api_key: access_token)
     "You have #{heroku_api.get_apps.body.size} apps"
   end
 end
 ```
+Note that we're explicitly calling `Rack::Session::Cookie` with a secret. Using
+`enable :sessions` is not recommended because the secret is generated randomly,
+and not reused across processes – so your users can lose their session whenever
+your app restarts.
 ## Example - Rails
 Under `config/initializers/omniauth.rb`:
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET']
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET")
 end
 ```
@@ -119,6 +164,8 @@ class SessionsController < ApplicationController
   def create
     access_token = request.env['omniauth.auth']['credentials']['token']
+    # DO NOT store this token in an unencrypted cookie session
+    # Please read "A note on security" below!
     heroku_api = Heroku::API.new(api_key: access_token)
     @apps = heroku_api.get_apps.body
   end
@@ -139,11 +186,16 @@ And view:
 ## A note on security
-Be careful if you intend to store access tokens in cookie-based sessions.
+**Make sure your cookie session is encrypted before storing sensitive
+information on it, like access tokens**. [encrypted_cookie][encrypted-cookie]
+is a popular gem to do that in Ruby.
-Many web frameworks offer protection against session tampering, but still store sessions with no encryption. This allows attackers with some access to the user session to obtain valuable information from cookies.
+[encrypted-cookie]: https://github.com/cvonkleist/encrypted_cookie
-Rails, Sinatra and others can be configured to encrypt cookies, but don't do it by default. So make sure to encrypt cookie-based sessions before storing confidential data on it!
+Both Rails and Sinatra take a cookie secret, but that is only used to protect
+against tampering; any information stored on standard cookie sessions can
+easily be read from the client side, which can be further exploited to leak
+credentials off your app.
 ## Meta

data/lib/omniauth/strategies/heroku.rb CHANGED Viewed

@@ -56,6 +56,15 @@ module OmniAuth
         end
       end
+      def authorize_params
+        super.tap do |params|
+          # Allow the scope to be determined dynamically based on the request.
+          if params.scope.respond_to?(:call)
+            params.scope = params.scope.call(request)
+          end
+        end
+      end
       def account_info
         @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
       end

metadata CHANGED Viewed

@@ -1,41 +1,41 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Pedro Belo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-11-05 00:00:00.000000000 Z
+date: 2016-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
 description: OmniAuth strategy for Heroku.
@@ -45,18 +45,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
-- Gemfile
 - LICENSE
 - README.md
-- Rakefile
 - lib/omniauth-heroku.rb
 - lib/omniauth/strategies/heroku.rb
-- omniauth-heroku.gemspec
-- spec/omniauth_heroku_spec.rb
-- spec/spec_helper.rb
 homepage: https://github.com/heroku/omniauth-heroku
 licenses:
 - MIT
@@ -67,17 +59,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.6.4
 signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Heroku.

data/.gitignore DELETED Viewed

@@ -1,17 +0,0 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-/pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp

data/.rspec DELETED Viewed

	@@ -1 +0,0 @@
1	- --colour

data/.travis.yml DELETED Viewed

@@ -1,14 +0,0 @@
-language: ruby
-rvm:
-  - 2.1.4
-  - 2.0.0
-  - 1.9.3
-cache: bundler
-notifications:
-  hipchat:
-    rooms:
-      - 5bc7785d2feb4f25901124279daede@API
-    template:
-      - '%{repository}#%{build_number} (%{branch} - %{commit} : %{author}): %{message} (<a href="%{build_url}">Details</a> | <a href="%{compare_url}">Change view</a>)'
-    format: html
-script: bundle exec rake

data/Gemfile DELETED Viewed

@@ -1,12 +0,0 @@
-source "https://www.rubygems.org"
-gemspec
-group :test do
-  gem "multi_json"
-  gem "rake"
-  gem "rack-test"
-  gem "rspec"
-  gem "sinatra"
-  gem "webmock"
-end

data/Rakefile DELETED Viewed

@@ -1,10 +0,0 @@
-#!/usr/bin/env rake
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-task default: :spec
-desc "Run the specs"
-RSpec::Core::RakeTask.new do |t|
-  t.pattern = "spec/**/*_spec.rb"
-end

data/omniauth-heroku.gemspec DELETED Viewed

@@ -1,17 +0,0 @@
-Gem::Specification.new do |gem|
-  gem.authors       = ["Pedro Belo"]
-  gem.email         = ["pedro@heroku.com"]
-  gem.description   = %q{OmniAuth strategy for Heroku.}
-  gem.summary       = %q{OmniAuth strategy for Heroku.}
-  gem.homepage      = "https://github.com/heroku/omniauth-heroku"
-  gem.license       = "MIT"
-  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  gem.files         = `git ls-files`.split("\n")
-  gem.name          = "omniauth-heroku"
-  gem.require_paths = ["lib"]
-  gem.version       = "0.2.0"
-  gem.add_dependency 'omniauth', '~> 1.2'
-  gem.add_dependency 'omniauth-oauth2', '~> 1.2'
-end

data/spec/omniauth_heroku_spec.rb DELETED Viewed

@@ -1,89 +0,0 @@
-require "spec_helper"
-describe OmniAuth::Strategies::Heroku do
-  before do
-    @token = "6e441b93-4c6d-4613-abed-b9976e7cff6c"
-    @user_id = "ddc4beff-f08f-4856-99d2-ba5ac63c3eb9"
-    # stub the API call made by the strategy to start the oauth dance
-    stub_request(:post, "https://id.heroku.com/oauth/token").
-      to_return(
-        headers: { "Content-Type" => "application/json" },
-        body: MultiJson.encode(
-          access_token: @token,
-          expires_in:   3600,
-          user_id:      @user_id))
-  end
-  it "redirects to start the OAuth flow" do
-    get "/auth/heroku"
-    assert_equal 302, last_response.status
-    redirect = URI.parse(last_response.headers["Location"])
-    redirect_params = CGI::parse(redirect.query)
-    assert_equal "https", redirect.scheme
-    assert_equal "id.heroku.com", redirect.host
-    assert_equal [ENV["HEROKU_OAUTH_ID"]], redirect_params["client_id"]
-    assert_equal ["code"], redirect_params["response_type"]
-    assert_equal ["http://example.org/auth/heroku/callback"],
-      redirect_params["redirect_uri"]
-  end
-  it "receives the callback" do
-    # trigger the callback setting the state as a param and in the session
-    state = SecureRandom.hex(8)
-    get "/auth/heroku/callback", { "state" => state },
-      { "rack.session" => { "omniauth.state" => state }}
-    assert_equal 200, last_response.status
-    omniauth_env = MultiJson.decode(last_response.body)
-    assert_equal "heroku", omniauth_env["provider"]
-    assert_equal @user_id, omniauth_env["uid"]
-    assert_equal "Heroku user", omniauth_env["info"]["name"]
-  end
-  it "fetches additional info when requested" do
-    # change the app being tested:
-    @app = make_app(fetch_info: true)
-    # stub the API call to heroku
-    account_info = {
-      "email" => "john@example.org",
-      "name"  =>  "John"
-    }
-    stub_request(:get, "https://api.heroku.com/account").
-      with(headers: { "Authorization" => "Bearer #{@token}" }).
-      to_return(body: MultiJson.encode(account_info))
-    # hit the OAuth callback
-    state = SecureRandom.hex(8)
-    get "/auth/heroku/callback", { "state" => state },
-      { "rack.session" => { "omniauth.state" => state }}
-    assert_equal 200, last_response.status
-    # now make sure there's additional info in the omniauth env
-    omniauth_env = MultiJson.decode(last_response.body)
-    assert_equal "heroku", omniauth_env["provider"]
-    assert_equal @user_id, omniauth_env["uid"]
-    assert_equal "john@example.org", omniauth_env["info"]["email"]
-    assert_equal "John", omniauth_env["info"]["name"]
-    assert_equal account_info, omniauth_env["extra"]
-  end
-  describe "error handling" do
-    it "renders an error when client_id is not informed" do
-      @app = make_app(client_id: nil)
-      get "/auth/heroku"
-      assert_equal 302, last_response.status
-      redirect = URI.parse(last_response.headers["Location"])
-      assert_equal "/auth/failure", redirect.path
-    end
-    it "renders an error when client_secret is not informed" do
-      @app = make_app(client_secret: "") # should also handle empty strings
-      get "/auth/heroku"
-      assert_equal 302, last_response.status
-      redirect = URI.parse(last_response.headers["Location"])
-      assert_equal "/auth/failure", redirect.path
-    end
-  end
-end

data/spec/spec_helper.rb DELETED Viewed

@@ -1,56 +0,0 @@
-ENV["SESSION_SECRET"] = "abcdefghjij"
-ENV["HEROKU_OAUTH_ID"] = "12345"
-ENV["HEROKU_OAUTH_SECRET"] = "klmnopqrstu"
-require "rubygems"
-require "bundler"
-Bundler.setup(:default, :test)
-require "omniauth/strategies/heroku"
-require "cgi"
-require "rspec"
-require "rack/test"
-require "sinatra"
-require "webmock/rspec"
-Dir["./spec/support/*.rb"].each { |f| require f }
-WebMock.disable_net_connect!
-OmniAuth.config.logger = Logger.new(StringIO.new)
-RSpec.configure do |config|
-  config.include Rack::Test::Methods
-  config.expect_with :minitest
-  def app
-    @app || make_app
-  end
-  def make_app(omniauth_heroku_options={})
-    client_id     = ENV["HEROKU_OAUTH_ID"]
-    client_secret = ENV["HEROKU_OAUTH_SECRET"]
-    if omniauth_heroku_options.has_key?(:client_id)
-      client_id = omniauth_heroku_options.delete(:client_id)
-    end
-    if omniauth_heroku_options.has_key?(:client_secret)
-      client_secret = omniauth_heroku_options.delete(:client_secret)
-    end
-    Sinatra.new do
-      configure do
-        enable :sessions
-        set :show_exceptions, false
-        set :session_secret, ENV["SESSION_SECRET"]
-      end
-      use OmniAuth::Builder do
-        provider :heroku, client_id, client_secret, omniauth_heroku_options
-      end
-      get "/auth/heroku/callback" do
-        MultiJson.encode(env['omniauth.auth'])
-      end
-    end
-  end
-end