omniauth-heroku 0.1.2.pre → 0.2.0.pre

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    M2ZlY2IwZjQ5NmNhN2QyMjRhODI0MGE4MmQ5ODFkNzIxZDZiNThlYg==
+  data.tar.gz: !binary |-
+    MDEyNDQ1MjUzMThjMzQzYjU4NDFmMjQzNjYxYzBkZDVlOTE0OGU4Mw==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    MDJkMTc0MTBiNTIzZGU4ZDI4Y2YwYWRkOGEwNDJkNWFlYTczNzJiNzJmODRk
+    YjJjNmNiZTk5NjU0MTNhNWE4ZDcyNTAyZGQwNWJjMGU5NTIzNjI0ZDIwYjVk
+    YmRjODNlZGZlZDY5YjU1OGQ0ZTAzYWMxMTk2NGNlMGM3Njg4MTU=
+  data.tar.gz: !binary |-
+    NDFiYjc5NzNmMzE0MWZhYWFjYTdlZWE5MDdlM2ViOGU5MDNkNGFiZThjYmQz
+    NTQ1NjczYzg2MDQ1MjMxNzU0OGIzNGNkMDUzMTMyZDI0ZWI0NGViOWFlNzJi
+    YzI2NWNiNTViMTAwYzU1ZDBmMzRiYTE3YTc2MzNlMWYyNTQ4MzE=

data/.travis.yml

@@ -0,0 +1,14 @@
+language: ruby
+rvm:
+  - 2.1.2
+  - 2.1.0
+  - 1.9.3
+cache: bundler
+notifications:
+  hipchat:
+    rooms:
+      - 5bc7785d2feb4f25901124279daede@API
+    template:
+      - '%{repository}#%{build_number} (%{branch} - %{commit} : %{author}): %{message} (<a href="%{build_url}">Details</a> | <a href="%{compare_url}">Change view</a>)'
+    format: html
+script: bundle exec rake

data/Gemfile

@@ -0,0 +1,12 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+group :test do
+  gem "multi_json"
+  gem "rake"
+  gem "rack-test"
+  gem "rspec"
+  gem "sinatra"
+  gem "webmock"
+end

data/README.md

@@ -1,6 +1,12 @@
 # OmniAuth Heroku
 
-[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating to Heroku.
+[OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating Heroku users.
+
+[![Build Status](https://travis-ci.org/heroku/omniauth-heroku.svg?branch=master)](https://travis-ci.org/heroku/omniauth-heroku)
+
+Mount this with your Rack application (be it Rails or Sinatra) to simplify the [OAuth flow with Heroku](https://devcenter.heroku.com/articles/oauth).
+
+This is intended for apps already using OmniAuth, for apps that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management. If your app doesn't fall in any of these you should consider using [Heroku Bouncer](https://github.com/heroku/heroku-bouncer) instead.
 
 
 ## Configuration
@@ -13,6 +19,8 @@ use OmniAuth::Builder do
 end
 ```
 
+Obtain a `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` by creating a client with the [Heroku OAuth CLI plugin](https://github.com/heroku/heroku-oauth).
+
 Your Heroku OAuth client should be set to receive callbacks on `/auth/heroku/callback`.
 
 
@@ -24,6 +32,63 @@ Once the authorization flow is complete and the user is bounced back to your app
 
 We recommend using this access token together with [Heroku.rb](https://github.com/heroku/heroku.rb) to make API calls on behalf of the user.
 
+Refer to the examples below to see how these work.
+
+
+### Basic account information
+
+If you want this middleware to fetch additional Heroku account information like the user email address and name, use the `fetch_info` option, like:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+    fetch_info: true
+end
+```
+
+This sets name and email in the [omniauth auth hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema). You can access it from your app via `env["omniauth.auth"]["info"]`.
+
+It will also add [additional Heroku account info](https://devcenter.heroku.com/articles/platform-api-reference#account) to `env["omniauth.auth"]["extra"]`.
+
+### OAuth scopes
+
+[Heroku supports different OAuth scopes](https://devcenter.heroku.com/articles/oauth#scopes). By default this strategy will request global access to the account, but you're encouraged to request for less permissions when possible.
+
+To do so, configure it like:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV['HEROKU_OAUTH_ID'], ENV['HEROKU_OAUTH_SECRET'],
+    scope: "identity"
+end
+```
+
+This will trim down the permissions associated to the access token given back to you.
+
+
+## Example - Sinatra
+
+```ruby
+class Myapp < Sinatra::Application
+  configure do
+    enable :sessions
+  end
+
+  use OmniAuth::Builder do
+    provider :heroku, ENV["HEROKU_OAUTH_ID"], ENV["HEROKU_OAUTH_SECRET"]
+  end
+
+  get "/" do
+    redirect "/auth/heroku"
+  end
+
+  get "/auth/heroku/callback" do
+    access_token = env['omniauth.auth']['credentials']['token']
+    heroku_api = Heroku::API.new(api_key: access_token)
+    "You have #{heroku_api.get_apps.body.size} apps"
+  end
+end
+```
 
 ## Example - Rails
 
@@ -54,8 +119,8 @@ class SessionsController < ApplicationController
 
   def create
     access_token = request.env['omniauth.auth']['credentials']['token']
-    heroku_api = Heroku::API.new(:api_key => access_token)
-    @apps = api.get_apps.body
+    heroku_api = Heroku::API.new(api_key: access_token)
+    @apps = heroku_api.get_apps.body
   end
 end
 ```

data/Rakefile

@@ -1,2 +1,10 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+desc "Run the specs"
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end

data/lib/omniauth/strategies/heroku.rb

@@ -1,13 +1,61 @@
+require 'omniauth-oauth2'
+
 module OmniAuth
   module Strategies
-    class Heroku < OmniAuth::Strategies::HerokuOAuth2
-      BaseAuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
+    class Heroku < OmniAuth::Strategies::OAuth2
+      AuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
+      ApiUrl  = ENV["HEROKU_API_URL"]  || "https://api.heroku.com"
 
       option :client_options, {
-        :site => BaseAuthUrl,
-        :authorize_url => "#{BaseAuthUrl}/oauth/authorize",
-        :token_url => "#{BaseAuthUrl}/oauth/token"
+        site:          AuthUrl,
+        authorize_url: "#{AuthUrl}/oauth/authorize",
+        token_url:     "#{AuthUrl}/oauth/token"
       }
+
+      # whether we should make another API call to Heroku to fetch
+      # additional account info like the real user name and email
+      option :fetch_info
+
+      uid do
+        access_token.params["user_id"]
+      end
+
+      info do
+        if options.fetch_info
+          email_hash        = Digest::MD5.hexdigest(account_info['email'].to_s)
+          default_image_url = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
+          image_url         = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{default_image_url}"
+
+          {
+            name:  account_info["name"],
+            email: account_info["email"],
+            image: image_url,
+          }
+        else
+          { name: "Heroku user" } # only mandatory field
+        end
+      end
+
+      extra do
+        if options.fetch_info
+          account_info
+        else
+          {}
+        end
+      end
+
+      def account_info
+        @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
+      end
+
+      def heroku_api
+        @heroku_api ||= Faraday.new(
+          url: ApiUrl,
+          headers: {
+            "Accept" => "application/vnd.heroku+json; version=3",
+            "Authorization" => "Bearer #{access_token.token}",
+          })
+      end
     end
   end
 end

data/lib/omniauth-heroku.rb

@@ -1,2 +1 @@
-require 'omniauth/strategies/heroku_oauth2'
 require 'omniauth/strategies/heroku'

data/omniauth-heroku.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |gem|
   gem.files         = `git ls-files`.split("\n")
   gem.name          = "omniauth-heroku"
   gem.require_paths = ["lib"]
-  gem.version       = "0.1.2.pre"
+  gem.version       = "0.2.0.pre"
 
-  gem.add_dependency 'oauth2', '~> 0.8.0'
-  gem.add_dependency 'omniauth', '~> 1.0'
+  gem.add_dependency 'omniauth', '~> 1.2'
+  gem.add_dependency 'omniauth-oauth2', '~> 1.2'
 end

data/spec/omniauth_heroku_spec.rb

@@ -0,0 +1,78 @@
+require "spec_helper"
+
+describe OmniAuth::Strategies::Heroku do
+  before do
+    @token = "6e441b93-4c6d-4613-abed-b9976e7cff6c"
+    @user_id = "ddc4beff-f08f-4856-99d2-ba5ac63c3eb9"
+
+    # stub the API call made by the strategy to start the oauth dance
+    stub_request(:post, "https://id.heroku.com/oauth/token").
+      to_return(
+        headers: { "Content-Type" => "application/json" },
+        body: MultiJson.encode(
+          access_token: @token,
+          expires_in:   3600,
+          user_id:      @user_id))
+  end
+
+  it "redirects to start the OAuth flow" do
+    get "/auth/heroku"
+    assert_equal 302, last_response.status
+    redirect = URI.parse(last_response.headers["Location"])
+    redirect_params = CGI::parse(redirect.query)
+    assert_equal "https", redirect.scheme
+    assert_equal "id.heroku.com", redirect.host
+    assert_equal [ENV["HEROKU_OAUTH_ID"]], redirect_params["client_id"]
+    assert_equal ["code"], redirect_params["response_type"]
+    assert_equal ["http://example.org/auth/heroku/callback"],
+      redirect_params["redirect_uri"]
+  end
+
+  it "receives the callback" do
+    # start the callback, get the session state
+    get "/auth/heroku"
+    assert_equal 302, last_response.status
+    state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
+
+    # trigger the callback setting the state as a param and in the session
+    get "/auth/heroku/callback", { "state" => state },
+      { "rack.session" => { "omniauth.state" => state }}
+    assert_equal 200, last_response.status
+
+    omniauth_env = MultiJson.decode(last_response.body)
+    assert_equal "heroku", omniauth_env["provider"]
+    assert_equal @user_id, omniauth_env["uid"]
+    assert_equal "Heroku user", omniauth_env["info"]["name"]
+  end
+
+  it "fetches additional info when requested" do
+    # change the app being tested:
+    @app = make_app(fetch_info: true)
+
+    # stub the API call to heroku
+    account_info = {
+      "email" => "john@example.org",
+      "name"  =>  "John"
+    }
+    stub_request(:get, "https://api.heroku.com/account").
+      with(headers: { "Authorization" => "Bearer #{@token}" }).
+      to_return(body: MultiJson.encode(account_info))
+
+    # do the oauth dance
+    get "/auth/heroku"
+    assert_equal 302, last_response.status
+    state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
+
+    get "/auth/heroku/callback", { "state" => state },
+      { "rack.session" => { "omniauth.state" => state }}
+    assert_equal 200, last_response.status
+
+    # now make sure there's additional info in the omniauth env
+    omniauth_env = MultiJson.decode(last_response.body)
+    assert_equal "heroku", omniauth_env["provider"]
+    assert_equal @user_id, omniauth_env["uid"]
+    assert_equal "john@example.org", omniauth_env["info"]["email"]
+    assert_equal "John", omniauth_env["info"]["name"]
+    assert_equal account_info, omniauth_env["extra"]
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,48 @@
+ENV["SESSION_SECRET"] = "abcdefghjij"
+ENV["HEROKU_OAUTH_ID"] = "12345"
+ENV["HEROKU_OAUTH_SECRET"] = "klmnopqrstu"
+
+require "rubygems"
+require "bundler"
+Bundler.setup(:default, :test)
+require "omniauth/strategies/heroku"
+
+require "cgi"
+require "rspec"
+require "rack/test"
+require "sinatra"
+require "webmock/rspec"
+
+Dir["./spec/support/*.rb"].each { |f| require f }
+
+WebMock.disable_net_connect!
+
+OmniAuth.config.logger = Logger.new(StringIO.new)
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+  config.expect_with :minitest
+
+  def app
+    @app || make_app
+  end
+
+  def make_app(omniauth_heroku_options={})
+    Sinatra.new do
+      configure do
+        enable :sessions
+        set :show_exceptions, false
+        set :session_secret, ENV["SESSION_SECRET"]
+      end
+
+      use OmniAuth::Builder do
+        provider :heroku, ENV["HEROKU_OAUTH_ID"], ENV["HEROKU_OAUTH_SECRET"],
+          omniauth_heroku_options
+      end
+
+      get "/auth/heroku/callback" do
+        MultiJson.encode(env['omniauth.auth'])
+      end
+    end
+  end
+end

metadata

@@ -1,48 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.1.2.pre
-  prerelease: 6
+  version: 0.2.0.pre
 platform: ruby
 authors:
 - Pedro Belo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-08-23 00:00:00.000000000 Z
+date: 2014-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: oauth2
+  name: omniauth
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '1.2'
 - !ruby/object:Gem::Dependency
-  name: omniauth
+  name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.2'
 description: OmniAuth strategy for Heroku.
 email:
 - pedro@heroku.com
@@ -52,34 +47,36 @@ extra_rdoc_files: []
 files:
 - .gitignore
 - .rspec
+- .travis.yml
+- Gemfile
 - README.md
 - Rakefile
 - lib/omniauth-heroku.rb
 - lib/omniauth/strategies/heroku.rb
-- lib/omniauth/strategies/heroku_oauth2.rb
 - omniauth-heroku.gemspec
+- spec/omniauth_heroku_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/heroku/omniauth-heroku
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ! '>'
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.0.7
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: OmniAuth strategy for Heroku.
 test_files: []

data/lib/omniauth/strategies/heroku_oauth2.rb

@@ -1,124 +0,0 @@
-require 'cgi'
-require 'uri'
-require 'oauth2'
-require 'omniauth'
-require 'timeout'
-require 'securerandom'
-
-module OmniAuth
-  module Strategies
-    # Vendored in from `omniauth-oauth2`, but with slight modifications to
-    # allow request IDs to be passed through during the token phase so that the
-    # OAuth 2 dance can be more easily debugged.
-    class HerokuOAuth2
-      include OmniAuth::Strategy
-
-      args [:client_id, :client_secret]
-
-      option :client_id, nil
-      option :client_secret, nil
-      option :client_options, {}
-      option :authorize_params, {}
-      option :authorize_options, [:scope]
-      option :token_params, {}
-      option :token_options, []
-      option :provider_ignores_state, false
-      option :request_id, lambda { |env| nil }
-
-      attr_accessor :access_token
-
-      def client
-        ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
-      end
-
-      def callback_url
-        full_host + script_name + callback_path
-      end
-
-      credentials do
-        hash = {'token' => access_token.token}
-        hash.merge!('refresh_token' => access_token.refresh_token) if access_token.expires? && access_token.refresh_token
-        hash.merge!('expires_at' => access_token.expires_at) if access_token.expires?
-        hash.merge!('expires' => access_token.expires?)
-        hash
-      end
-
-      def request_phase
-        redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
-      end
-
-      def authorize_params
-        options.authorize_params[:state] = SecureRandom.hex(24)
-        params = options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
-        if OmniAuth.config.test_mode
-          @env ||= {}
-          @env['rack.session'] ||= {}
-        end
-        session['omniauth.state'] = params[:state]
-        params
-      end
-
-      def token_params
-        options.token_params.merge(options.token_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
-      end
-
-      def callback_phase
-        if request.params['error'] || request.params['error_reason']
-          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
-        end
-      # if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state'))
-      #   raise CallbackError.new(nil, :csrf_detected)
-      # end
-
-        self.access_token = build_access_token
-        params = {}
-        if request_id = options.request_id.call(@env)
-          params.merge!(:headers => { "Request-Id" => request_id })
-        end
-        self.access_token = access_token.refresh!(params) if access_token.expired?
-
-        super
-      rescue ::OAuth2::Error, CallbackError => e
-        fail!(:invalid_credentials, e)
-      rescue ::MultiJson::DecodeError => e
-        fail!(:invalid_response, e)
-      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
-        fail!(:timeout, e)
-      rescue ::SocketError => e
-        fail!(:failed_to_connect, e)
-      end
-
-      protected
-
-      def deep_symbolize(hash)
-        hash.inject({}) do |h, (k,v)|
-          h[k.to_sym] = v.is_a?(Hash) ? deep_symbolize(v) : v
-          h
-        end
-      end
-
-      def build_access_token
-        verifier = request.params['code']
-        params = {:redirect_uri => callback_url}.
-          merge(token_params.to_hash(:symbolize_keys => true))
-        # inject a request ID if one is available
-        if request_id = options.request_id.call(@env)
-          params.merge!(:headers => { "Request-Id" => request_id })
-        end
-        client.auth_code.get_token(verifier, params)
-      end
-
-      # An error that is indicated in the OAuth 2.0 callback.
-      # This could be a `redirect_uri_mismatch` or other
-      class CallbackError < StandardError
-        attr_accessor :error, :error_reason, :error_uri
-
-        def initialize(error, error_reason=nil, error_uri=nil)
-          self.error = error
-          self.error_reason = error_reason
-          self.error_uri = error_uri
-        end
-      end
-    end
-  end
-end