RubyGems - omniauth-heroku - Versions diffs - 0.1.1 → 0.1.2.pre - Mend

omniauth-heroku 0.1.1 → 0.1.2.pre

Files changed (6) hide show

data/README.md +9 -2
data/lib/omniauth/strategies/heroku.rb +1 -3
data/lib/omniauth/strategies/heroku_oauth2.rb +124 -0
data/lib/omniauth-heroku.rb +1 -0
data/omniauth-heroku.gemspec +2 -2
metadata +10 -9

data/README.md CHANGED Viewed

@@ -2,8 +2,6 @@
 [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating to Heroku.
-Heroku's support for OAuth is still private/experimental.
 ## Configuration
@@ -74,6 +72,15 @@ And view:
 </ul>
 ```
+## A note on security
+Be careful if you intend to store access tokens in cookie-based sessions.
+Many web frameworks offer protection against session tampering, but still store sessions with no encryption. This allows attackers with some access to the user session to obtain valuable information from cookies.
+Rails, Sinatra and others can be configured to encrypt cookies, but don't do it by default. So make sure to encrypt cookie-based sessions before storing confidential data on it!
 ## Meta
 Released under the MIT license.

data/lib/omniauth/strategies/heroku.rb CHANGED Viewed

@@ -1,8 +1,6 @@
-require 'omniauth-oauth2'
 module OmniAuth
   module Strategies
-    class Heroku < OmniAuth::Strategies::OAuth2
+    class Heroku < OmniAuth::Strategies::HerokuOAuth2
       BaseAuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
       option :client_options, {

data/lib/omniauth/strategies/heroku_oauth2.rb ADDED Viewed

@@ -0,0 +1,124 @@
+require 'cgi'
+require 'uri'
+require 'oauth2'
+require 'omniauth'
+require 'timeout'
+require 'securerandom'
+module OmniAuth
+  module Strategies
+    # Vendored in from `omniauth-oauth2`, but with slight modifications to
+    # allow request IDs to be passed through during the token phase so that the
+    # OAuth 2 dance can be more easily debugged.
+    class HerokuOAuth2
+      include OmniAuth::Strategy
+      args [:client_id, :client_secret]
+      option :client_id, nil
+      option :client_secret, nil
+      option :client_options, {}
+      option :authorize_params, {}
+      option :authorize_options, [:scope]
+      option :token_params, {}
+      option :token_options, []
+      option :provider_ignores_state, false
+      option :request_id, lambda { |env| nil }
+      attr_accessor :access_token
+      def client
+        ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
+      end
+      def callback_url
+        full_host + script_name + callback_path
+      end
+      credentials do
+        hash = {'token' => access_token.token}
+        hash.merge!('refresh_token' => access_token.refresh_token) if access_token.expires? && access_token.refresh_token
+        hash.merge!('expires_at' => access_token.expires_at) if access_token.expires?
+        hash.merge!('expires' => access_token.expires?)
+        hash
+      end
+      def request_phase
+        redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
+      end
+      def authorize_params
+        options.authorize_params[:state] = SecureRandom.hex(24)
+        params = options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+        if OmniAuth.config.test_mode
+          @env ||= {}
+          @env['rack.session'] ||= {}
+        end
+        session['omniauth.state'] = params[:state]
+        params
+      end
+      def token_params
+        options.token_params.merge(options.token_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+      end
+      def callback_phase
+        if request.params['error'] || request.params['error_reason']
+          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
+        end
+      # if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state'))
+      #   raise CallbackError.new(nil, :csrf_detected)
+      # end
+        self.access_token = build_access_token
+        params = {}
+        if request_id = options.request_id.call(@env)
+          params.merge!(:headers => { "Request-Id" => request_id })
+        end
+        self.access_token = access_token.refresh!(params) if access_token.expired?
+        super
+      rescue ::OAuth2::Error, CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::MultiJson::DecodeError => e
+        fail!(:invalid_response, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+      protected
+      def deep_symbolize(hash)
+        hash.inject({}) do |h, (k,v)|
+          h[k.to_sym] = v.is_a?(Hash) ? deep_symbolize(v) : v
+          h
+        end
+      end
+      def build_access_token
+        verifier = request.params['code']
+        params = {:redirect_uri => callback_url}.
+          merge(token_params.to_hash(:symbolize_keys => true))
+        # inject a request ID if one is available
+        if request_id = options.request_id.call(@env)
+          params.merge!(:headers => { "Request-Id" => request_id })
+        end
+        client.auth_code.get_token(verifier, params)
+      end
+      # An error that is indicated in the OAuth 2.0 callback.
+      # This could be a `redirect_uri_mismatch` or other
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+        def initialize(error, error_reason=nil, error_uri=nil)
+          self.error = error
+          self.error_reason = error_reason
+          self.error_uri = error_uri
+        end
+      end
+    end
+  end
+end

data/lib/omniauth-heroku.rb CHANGED Viewed

	@@ -1 +1,2 @@
1	+ require 'omniauth/strategies/heroku_oauth2'
1 2	require 'omniauth/strategies/heroku'

data/omniauth-heroku.gemspec CHANGED Viewed

@@ -9,8 +9,8 @@ Gem::Specification.new do |gem|
   gem.files         = `git ls-files`.split("\n")
   gem.name          = "omniauth-heroku"
   gem.require_paths = ["lib"]
-  gem.version       = "0.1.1"
+  gem.version       = "0.1.2.pre"
+  gem.add_dependency 'oauth2', '~> 0.8.0'
   gem.add_dependency 'omniauth', '~> 1.0'
-  gem.add_dependency 'omniauth-oauth2', '~> 1.0'
 end

metadata CHANGED Viewed

@@ -1,24 +1,24 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.1.1
-  prerelease:
+  version: 0.1.2.pre
+  prerelease: 6
 platform: ruby
 authors:
 - Pedro Belo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-12 00:00:00.000000000 Z
+date: 2013-08-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: omniauth
+  name: oauth2
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 0.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -26,9 +26,9 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
-  name: omniauth-oauth2
+  name: omniauth
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
@@ -56,6 +56,7 @@ files:
 - Rakefile
 - lib/omniauth-heroku.rb
 - lib/omniauth/strategies/heroku.rb
+- lib/omniauth/strategies/heroku_oauth2.rb
 - omniauth-heroku.gemspec
 homepage: https://github.com/heroku/omniauth-heroku
 licenses: []
@@ -72,9 +73,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24