omniauth-heroku 0.4.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7114a261c4657b1093fa15c002dc0c5dc501c3a147670c99b31bb82bb2173290
-  data.tar.gz: 409fe3bd640e82ec72fc30f92ef9a0fd383bb95260b4f1d8d7d9d070b6d325b4
+  metadata.gz: 00dcae64b48a77f71debc3e5066b07645e33021cea95668ae787b4684759e5cb
+  data.tar.gz: 1c4434bd4bf82e887142e8d917e527e1e45c8697ea7dfd9b9ef93d0bfeb052f4
 SHA512:
-  metadata.gz: 36e9c08495d7941cf3a19b8e2b972ec2d70fd992c326f88586141892c5bc445ab4ee9ff28927062d6a5babd58351f7b16fda97fcea9e5933750bc73178f5d6fd
-  data.tar.gz: 6d8bcd09cd0847c01f870ad2d955a90b21ac449b56ba0aafcd275790a9fc8efbca5aae86252a80f3ec916583780d352516b4065e275a9b9450c6201d034c4703
+  metadata.gz: ece7398034fdd0dc42c856e564ca5065cc644fc8f0e00b0beeae00c7db08d7926188bef8986ebb565e3ee51e341a9fd963d01c392bdd06d903be66908e482376
+  data.tar.gz: 38434e1e7f241223bf3530e7fbe743146380d2ceab5af67cb059023a7282b6c7239fa8d56407640ff536ca4837d7626752b3721234e69a1397b43affa42a964d

data/.github/workflows/ci.yml

@@ -0,0 +1,31 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['head', '4.0', '3.4', '3.3']
+        gemfile: ["omniauth1", "omniauth2"]
+
+    continue-on-error: ${{ matrix.ruby == 'head' }}
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: Gemfile-${{ matrix.gemfile }}
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Setup Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+    - name: Build and test
+      run: bin/rspec
+

data/.gitignore

@@ -0,0 +1,17 @@
+# Ignore all logfiles and tempfiles
+/coverage/
+/log/
+/spec/reports
+/spec/rspec-status.txt
+/tmp/
+/tags
+
+# Package and dependency caches
+/.bundle
+/Gemfile.lock
+/pkg/
+
+# Generated documentation
+/doc/
+/.yardoc
+/_yardoc/

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format progress

data/CHANGELOG.md

@@ -0,0 +1,53 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+### Added
+### Changed
+### Removed
+
+## [1.1.0] 2026-04-29
+
+### Changed
+
+- house keeping: update GitHub Actions
+- replace MultiJson with JSON (built-in)
+
+## [1.0.0] 2021-07-14
+
+### Changed
+
+- Support `omniauth` versions `>= 1.9` but `< 3`.
+  i.e., support version `2` which addresses some CVEs.
+- Standardize syntax and style via [Standard.rb](https://github.com/testdouble/standard)
+
+### Breaking
+
+- Loosen `omniauth-oauth2` requirement to allow `>= 1.7.0`.
+  With this change, blocks give to dynamically determine the `:scope` argument will be passed the Rack `env`, rather than an instance of the `Rack::Request`.
+  See the [Upgrading to 1.0 docs](README.md#upgrading-to-10) for more.
+- Remove `AuthUrl` and `ApiUrl` constants from `OmniAuth::Strategies::Heroku`. 
+  These were internal details, not meant to be part of the public API.
+- Require Ruby `>= 2.3.0`.
+  We were only supporting that anyway, but now it's explicit.
+  However, we do recommend only running on [actively supported Rubies](https://www.ruby-lang.org/en/downloads/branches/).
+
+## [0.4.1] 2021-07-06
+
+### Changed
+- Lock to `omniauth-oauth2 ~> 1.6.0` to fix regression in dynamic `:scope` option.
+  With `omniauth-oauth2 >= 1.7.0`, the block is passed the Rack `env` as the parameter.
+  This breaks our expectation the will receive a `Rack::Request` instance as the argument to dynamically determine the `:scope` option.
+  i.e., this broken:
+
+  ```ruby
+  use OmniAuth::Builder do
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+      scope: ->(request) { request.params["scope"] || "identity" }
+  end
+  ```
+
+  See [PR #22](https://github.com/heroku/omniauth-heroku/pull/22) for more context, workaround, etc...

data/CODEOWNERS

@@ -0,0 +1,2 @@
+# Comment line immediately above ownership line is reserved for related gus information. Please be careful while editing.
+#ECCN:Open Source

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://www.rubygems.org"
+
+gemspec

data/Gemfile-omniauth1

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 1.9"

data/Gemfile-omniauth2

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 2.0"

data/README.md

@@ -1,6 +1,7 @@
 # OmniAuth Heroku
 
 [![Build Status](https://github.com/heroku/omniauth-heroku/actions/workflows/ci.yml/badge.svg)](https://github.com/heroku/omniauth-heroku/actions)
+[![Gem Version](https://badge.fury.io/rb/omniauth-heroku.svg)](https://badge.fury.io/rb/omniauth-heroku)
 
 [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
 Heroku users.
@@ -89,20 +90,41 @@ use OmniAuth::Builder do
 end
 ```
 
-This will trim down the permissions associated to the access token given back
-to you.
+This will trim down the permissions associated to the access token given back to you.
 
-The Oauth scope can also be decided dynamically at runtime. For example, you
-could use a `scope` GET parameter if it exists, and revert to a default `scope`
-if it does not:
+The OAuth scope can also be decided dynamically at runtime.
+For example, you could use a `scope` parameter from the request, if it exists, with a default value if it does not:
 
 ```ruby
 use OmniAuth::Builder do
   provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
-    scope: ->(request) { request.params["scope"] || "identity" }
+    scope: ->(env) { Rack::Request.new(env).params["scope"] || "identity" }
 end
 ```
 
+#### Upgrading to 1.0+
+
+Versions before `1.0` allowed you to pass `:scope` option as a block, just as today.
+However, that block received a `Rack::Request` instance, rather than the `Rack` `env`.
+If you used the `Rack::Request` argument in your `:scope` block you can update your code to create a new instance, from the `env`.
+
+For example, `< 1.0` code that looked like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(request) { request.params["scope"] }
+end
+```
+
+need to be updated to something like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(env) { Rack::Request.new(env).params["scope"] }
+end
+```
 
 ## Example - Sinatra
 
@@ -162,7 +184,7 @@ class SessionsController < ApplicationController
   end
 
   def create
-    access_token = request.env['omniauth.auth']['credentials']['token']
+    access_token = request.env["omniauth.auth"]["credentials"]["token"]
     # DO NOT store this token in an unencrypted cookie session
     # Please read "A note on security" below!
     heroku = PlatformAPI.connect_oauth(access_token)

data/Rakefile

@@ -0,0 +1,10 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+desc "Run the specs"
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end

data/bin/rake

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rake' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rake", "rake")

data/bin/rspec

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/lib/omniauth/heroku/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Heroku
+    VERSION = "1.1.0"
+  end
+end

data/lib/omniauth/strategies/heroku.rb

@@ -1,20 +1,25 @@
-require 'omniauth-oauth2'
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
 
 module OmniAuth
   module Strategies
     class Heroku < OmniAuth::Strategies::OAuth2
-      AuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
-      ApiUrl  = ENV["HEROKU_API_URL"]  || "https://api.heroku.com"
+      # This style of overriding the default means it can only be done when the class is loaded.
+      # Which is problematic for testing, and a bit against the grain of how the base class
+      # expects this to work, where consumers would explicitly override by passing in the option.
+      AUTH_URL = ENV.fetch("HEROKU_AUTH_URL", "https://id.heroku.com")
+      private_constant :AUTH_URL
 
-      option :client_options, {
-        site:          AuthUrl,
-        authorize_url: "#{AuthUrl}/oauth/authorize",
-        token_url:     "#{AuthUrl}/oauth/token"
-      }
+      option(:client_options, {
+        site: AUTH_URL,
+        authorize_url: "#{AUTH_URL}/oauth/authorize",
+        token_url: "#{AUTH_URL}/oauth/token"
+      })
 
-      # whether we should make another API call to Heroku to fetch
+      # Configure whether we make another API call to Heroku to fetch
       # additional account info like the real user name and email
-      option :fetch_info
+      option :fetch_info, false
 
       uid do
         access_token.params["user_id"]
@@ -22,17 +27,16 @@ module OmniAuth
 
       info do
         if options.fetch_info
-          email_hash        = Digest::MD5.hexdigest(account_info['email'].to_s)
-          default_image_url = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
-          image_url         = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{default_image_url}"
+          email_hash = Digest::MD5.hexdigest(account_info["email"].to_s)
+          image_url = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{DEFAULT_IMAGE_URL}"
 
           {
-            name:  account_info["name"],
+            name: account_info["name"],
             email: account_info["email"],
-            image: image_url,
+            image: image_url
           }
         else
-          { name: "Heroku user" } # only mandatory field
+          {name: "Heroku user"} # only mandatory field
         end
       end
 
@@ -56,26 +60,30 @@ module OmniAuth
         end
       end
 
-      def authorize_params
-        super.tap do |params|
-          # Allow the scope to be determined dynamically based on the request.
-          if params.scope.respond_to?(:call)
-            params.scope = params.scope.call(request)
-          end
-        end
-      end
+      private
+
+      DEFAULT_API_URL = "https://api.heroku.com"
+      private_constant :DEFAULT_API_URL
+
+      DEFAULT_IMAGE_URL = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
+      private_constant :DEFAULT_IMAGE_URL
 
       def account_info
-        @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
+        @account_info ||= JSON.parse(heroku_api.get("/account").body)
+      end
+
+      def api_url
+        @api_url ||= ENV.fetch("HEROKU_API_URL", DEFAULT_API_URL)
       end
 
       def heroku_api
         @heroku_api ||= Faraday.new(
-          url: ApiUrl,
+          url: api_url,
           headers: {
             "Accept" => "application/vnd.heroku+json; version=3",
-            "Authorization" => "Bearer #{access_token.token}",
-          })
+            "Authorization" => "Bearer #{access_token.token}"
+          }
+        )
       end
 
       def missing_client_id?

data/lib/omniauth-heroku.rb

@@ -1 +1,2 @@
-require 'omniauth/strategies/heroku'
+require "omniauth/heroku/version"
+require "omniauth/strategies/heroku"

data/omniauth-heroku.gemspec

@@ -0,0 +1,38 @@
+require File.expand_path("lib/omniauth/heroku/version", __dir__)
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-heroku"
+  spec.version = OmniAuth::Heroku::VERSION
+  spec.authors = ["Pedro Belo"]
+  spec.email = ["pedro@heroku.com"]
+
+  spec.summary = "OmniAuth strategy for Heroku."
+  spec.description = "OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management."
+  spec.homepage = "https://github.com/heroku/omniauth-heroku"
+  spec.license = "MIT"
+
+  spec.metadata = {
+    "homepage_uri" => spec.homepage,
+    "source_code_uri" => spec.homepage,
+    "bug_tracker_uri" => "#{spec.homepage}/issues",
+    "changelog_uri" => "#{spec.homepage}/blob/master/CHANGELOG.md"
+  }
+
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir = "exe"
+  spec.executables = []
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency("omniauth", [">= 1.9", "< 3"])
+  spec.add_runtime_dependency("omniauth-oauth2", "~> 1.7")
+
+  spec.add_development_dependency("rake", "~> 13.0")
+  spec.add_development_dependency("rspec", "~> 3.4")
+  spec.add_development_dependency("webmock", "~> 3.13")
+end

metadata

@@ -1,59 +1,124 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Pedro Belo
-autorequire:
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2021-07-09 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
-description: OmniAuth strategy for Heroku.
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+description: 'OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate
+  against more than one service (eg: Heroku and GitHub), or apps that have specific
+  needs on session management.'
 email:
 - pedro@heroku.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- CODEOWNERS
+- Gemfile
+- Gemfile-omniauth1
+- Gemfile-omniauth2
 - LICENSE
 - README.md
+- Rakefile
+- bin/rake
+- bin/rspec
 - lib/omniauth-heroku.rb
+- lib/omniauth/heroku/version.rb
 - lib/omniauth/strategies/heroku.rb
+- omniauth-heroku.gemspec
 homepage: https://github.com/heroku/omniauth-heroku
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  homepage_uri: https://github.com/heroku/omniauth-heroku
+  source_code_uri: https://github.com/heroku/omniauth-heroku
+  bug_tracker_uri: https://github.com/heroku/omniauth-heroku/issues
+  changelog_uri: https://github.com/heroku/omniauth-heroku/blob/master/CHANGELOG.md
 rdoc_options: []
 require_paths:
 - lib
@@ -61,15 +126,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.14
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: OmniAuth strategy for Heroku.
 test_files: []