omniauth-heroku 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7114a261c4657b1093fa15c002dc0c5dc501c3a147670c99b31bb82bb2173290
-  data.tar.gz: 409fe3bd640e82ec72fc30f92ef9a0fd383bb95260b4f1d8d7d9d070b6d325b4
+  metadata.gz: 5e748c5250cbb5edbba46f40b0f38d4a8cf54cd5c266b6df4deaebc57637e9d1
+  data.tar.gz: 4a5af940242e0cfb0a51ba7d73983303264846bb9278839cabadaaa890cf0227
 SHA512:
-  metadata.gz: 36e9c08495d7941cf3a19b8e2b972ec2d70fd992c326f88586141892c5bc445ab4ee9ff28927062d6a5babd58351f7b16fda97fcea9e5933750bc73178f5d6fd
-  data.tar.gz: 6d8bcd09cd0847c01f870ad2d955a90b21ac449b56ba0aafcd275790a9fc8efbca5aae86252a80f3ec916583780d352516b4065e275a9b9450c6201d034c4703
+  metadata.gz: a623e6356f151b83eb7e370f8039e51012c9a76adf17187fe279aff23c10744b03514c46195198fd6261b9bcc206639ab7a15ea48875f6c06b300e3d8c72e45c
+  data.tar.gz: 61a1c1b3114cbf737de9de020572c98db82d3c29a180e0b135f3188ec6938123dc29766685475eff28e833d4d58ae600435411392b0a84579396757edccf5e19

data/.github/workflows/ci.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [ 2.3, 2.4, 2.5, 2.6, 2.7, 3.0 ]
+        gemfile: ["omniauth1", "omniauth2"]
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: Gemfile-${{ matrix.gemfile }}
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Setup Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+    - name: Build and test
+      run: bin/rspec
+

data/.gitignore

@@ -0,0 +1,17 @@
+# Ignore all logfiles and tempfiles
+/coverage/
+/log/
+/spec/reports
+/spec/rspec-status.txt
+/tmp/
+/tags
+
+# Package and dependency caches
+/.bundle
+/Gemfile.lock
+/pkg/
+
+# Generated documentation
+/doc/
+/.yardoc
+/_yardoc/

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format progress

data/CHANGELOG.md

@@ -0,0 +1,43 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.0.0] 2021-07-14
+
+### Changed
+
+- Support `omniauth` versions `>= 1.9` but `< 3`.
+  i.e., support version `2` which addresses some CVEs.
+- Standardize syntax and style via [Standard.rb](https://github.com/testdouble/standard)
+
+### Breaking
+
+- Loosen `omniauth-oauth2` requirement to allow `>= 1.7.0`.
+  With this change, blocks give to dynamically determine the `:scope` argument will be passed the Rack `env`, rather than an instance of the `Rack::Request`.
+  See the [Upgrading to 1.0 docs](README.md#upgrading-to-10) for more.
+- Remove `AuthUrl` and `ApiUrl` constants from `OmniAuth::Strategies::Heroku`. 
+  These were internal details, not meant to be part of the public API.
+- Require Ruby `>= 2.3.0`.
+  We were only supporting that anyway, but now it's explicit.
+  However, we do recommend only running on [actively supported Rubies](https://www.ruby-lang.org/en/downloads/branches/).
+
+## [0.4.1] 2021-07-06
+
+### Changed
+- Lock to `omniauth-oauth2 ~> 1.6.0` to fix regression in dynamic `:scope` option.
+  With `omniauth-oauth2 >= 1.7.0`, the block is passed the Rack `env` as the parameter.
+  This breaks our expectation the will receive a `Rack::Request` instance as the argument to dynamically determine the `:scope` option.
+  i.e., this broken:
+
+  ```ruby
+  use OmniAuth::Builder do
+    provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+      scope: ->(request) { request.params["scope"] || "identity" }
+  end
+  ```
+
+  See [PR #22](https://github.com/heroku/omniauth-heroku/pull/22) for more context, workaround, etc...

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://www.rubygems.org"
+
+gemspec

data/Gemfile-omniauth1

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 1.9"

data/Gemfile-omniauth2

@@ -0,0 +1,5 @@
+source "https://www.rubygems.org"
+
+gemspec
+
+gem "omniauth", "~> 2.0"

data/README.md

@@ -1,6 +1,7 @@
 # OmniAuth Heroku
 
 [![Build Status](https://github.com/heroku/omniauth-heroku/actions/workflows/ci.yml/badge.svg)](https://github.com/heroku/omniauth-heroku/actions)
+[![Gem Version](https://badge.fury.io/rb/omniauth-heroku.svg)](https://badge.fury.io/rb/omniauth-heroku)
 
 [OmniAuth](https://github.com/intridea/omniauth) strategy for authenticating
 Heroku users.
@@ -89,20 +90,41 @@ use OmniAuth::Builder do
 end
 ```
 
-This will trim down the permissions associated to the access token given back
-to you.
+This will trim down the permissions associated to the access token given back to you.
 
-The Oauth scope can also be decided dynamically at runtime. For example, you
-could use a `scope` GET parameter if it exists, and revert to a default `scope`
-if it does not:
+The OAuth scope can also be decided dynamically at runtime.
+For example, you could use a `scope` parameter from the request, if it exists, with a default value if it does not:
 
 ```ruby
 use OmniAuth::Builder do
   provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
-    scope: ->(request) { request.params["scope"] || "identity" }
+    scope: ->(env) { Rack::Request.new(env).params["scope"] || "identity" }
 end
 ```
 
+#### Upgrading to 1.0+
+
+Versions before `1.0` allowed you to pass `:scope` option as a block, just as today.
+However, that block received a `Rack::Request` instance, rather than the `Rack` `env`.
+If you used the `Rack::Request` argument in your `:scope` block you can update your code to create a new instance, from the `env`.
+
+For example, `< 1.0` code that looked like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(request) { request.params["scope"] }
+end
+```
+
+need to be updated to something like this:
+
+```ruby
+use OmniAuth::Builder do
+  provider :heroku, ENV.fetch("HEROKU_OAUTH_ID"), ENV.fetch("HEROKU_OAUTH_SECRET"),
+    scope: ->(env) { Rack::Request.new(env).params["scope"] }
+end
+```
 
 ## Example - Sinatra
 
@@ -162,7 +184,7 @@ class SessionsController < ApplicationController
   end
 
   def create
-    access_token = request.env['omniauth.auth']['credentials']['token']
+    access_token = request.env["omniauth.auth"]["credentials"]["token"]
     # DO NOT store this token in an unencrypted cookie session
     # Please read "A note on security" below!
     heroku = PlatformAPI.connect_oauth(access_token)

data/Rakefile

@@ -0,0 +1,10 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+desc "Run the specs"
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end

data/bin/rake

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rake' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rake", "rake")

data/bin/rspec

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require "pathname"
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
+
+bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/lib/omniauth-heroku.rb

@@ -1 +1,2 @@
-require 'omniauth/strategies/heroku'
+require "omniauth/heroku/version"
+require "omniauth/strategies/heroku"

data/lib/omniauth/heroku/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Heroku
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth/strategies/heroku.rb

@@ -1,20 +1,25 @@
-require 'omniauth-oauth2'
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
 
 module OmniAuth
   module Strategies
     class Heroku < OmniAuth::Strategies::OAuth2
-      AuthUrl = ENV["HEROKU_AUTH_URL"] || "https://id.heroku.com"
-      ApiUrl  = ENV["HEROKU_API_URL"]  || "https://api.heroku.com"
+      # This style of overriding the default means it can only be done when the class is loaded.
+      # Which is problematic for testing, and a bit against the grain of how the base class
+      # expects this to work, where consumers would explicitly override by passing in the option.
+      AUTH_URL = ENV.fetch("HEROKU_AUTH_URL", "https://id.heroku.com")
+      private_constant :AUTH_URL
 
-      option :client_options, {
-        site:          AuthUrl,
-        authorize_url: "#{AuthUrl}/oauth/authorize",
-        token_url:     "#{AuthUrl}/oauth/token"
-      }
+      option(:client_options, {
+        site: AUTH_URL,
+        authorize_url: "#{AUTH_URL}/oauth/authorize",
+        token_url: "#{AUTH_URL}/oauth/token"
+      })
 
-      # whether we should make another API call to Heroku to fetch
+      # Configure whether we make another API call to Heroku to fetch
       # additional account info like the real user name and email
-      option :fetch_info
+      option :fetch_info, false
 
       uid do
         access_token.params["user_id"]
@@ -22,17 +27,16 @@ module OmniAuth
 
       info do
         if options.fetch_info
-          email_hash        = Digest::MD5.hexdigest(account_info['email'].to_s)
-          default_image_url = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
-          image_url         = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{default_image_url}"
+          email_hash = Digest::MD5.hexdigest(account_info["email"].to_s)
+          image_url = "https://secure.gravatar.com/avatar/#{email_hash}.png?d=#{DEFAULT_IMAGE_URL}"
 
           {
-            name:  account_info["name"],
+            name: account_info["name"],
             email: account_info["email"],
-            image: image_url,
+            image: image_url
           }
         else
-          { name: "Heroku user" } # only mandatory field
+          {name: "Heroku user"} # only mandatory field
         end
       end
 
@@ -56,26 +60,30 @@ module OmniAuth
         end
       end
 
-      def authorize_params
-        super.tap do |params|
-          # Allow the scope to be determined dynamically based on the request.
-          if params.scope.respond_to?(:call)
-            params.scope = params.scope.call(request)
-          end
-        end
-      end
+      private
+
+      DEFAULT_API_URL = "https://api.heroku.com"
+      private_constant :DEFAULT_API_URL
+
+      DEFAULT_IMAGE_URL = "https://dashboard.heroku.com/ninja-avatar-48x48.png"
+      private_constant :DEFAULT_IMAGE_URL
 
       def account_info
         @account_info ||= MultiJson.decode(heroku_api.get("/account").body)
       end
 
+      def api_url
+        @api_url ||= ENV.fetch("HEROKU_API_URL", DEFAULT_API_URL)
+      end
+
       def heroku_api
         @heroku_api ||= Faraday.new(
-          url: ApiUrl,
+          url: api_url,
           headers: {
             "Accept" => "application/vnd.heroku+json; version=3",
-            "Authorization" => "Bearer #{access_token.token}",
-          })
+            "Authorization" => "Bearer #{access_token.token}"
+          }
+        )
       end
 
       def missing_client_id?

data/omniauth-heroku.gemspec

@@ -0,0 +1,39 @@
+require File.expand_path("lib/omniauth/heroku/version", __dir__)
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-heroku"
+  spec.version = OmniAuth::Heroku::VERSION
+  spec.authors = ["Pedro Belo"]
+  spec.email = ["pedro@heroku.com"]
+
+  spec.summary = "OmniAuth strategy for Heroku."
+  spec.description = "OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate against more than one service (eg: Heroku and GitHub), or apps that have specific needs on session management."
+  spec.homepage = "https://github.com/heroku/omniauth-heroku"
+  spec.license = "MIT"
+
+  spec.metadata = {
+    "homepage_uri" => spec.homepage,
+    "source_code_uri" => spec.homepage,
+    "bug_tracker_uri" => "#{spec.homepage}/issues",
+    "changelog_uri" => "#{spec.homepage}/blob/master/CHANGELOG.md"
+  }
+
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir = "exe"
+  spec.executables = []
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency("omniauth", [">= 1.9", "< 3"])
+  spec.add_runtime_dependency("omniauth-oauth2", "~> 1.7")
+
+  spec.add_development_dependency("multi_json", "~> 1.12")
+  spec.add_development_dependency("rake", "~> 13.0")
+  spec.add_development_dependency("rspec", "~> 3.4")
+  spec.add_development_dependency("webmock", "~> 3.13")
+end

metadata

@@ -1,58 +1,138 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-heroku
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Pedro Belo
 autorequire:
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2021-07-09 00:00:00.000000000 Z
+date: 2021-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.0
+        version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
-description: OmniAuth strategy for Heroku.
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+description: 'OmniAuth strategy for Heroku, for apps already using OmniAuth that authenticate
+  against more than one service (eg: Heroku and GitHub), or apps that have specific
+  needs on session management.'
 email:
 - pedro@heroku.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- Gemfile-omniauth1
+- Gemfile-omniauth2
 - LICENSE
 - README.md
+- Rakefile
+- bin/rake
+- bin/rspec
 - lib/omniauth-heroku.rb
+- lib/omniauth/heroku/version.rb
 - lib/omniauth/strategies/heroku.rb
+- omniauth-heroku.gemspec
 homepage: https://github.com/heroku/omniauth-heroku
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://github.com/heroku/omniauth-heroku
+  source_code_uri: https://github.com/heroku/omniauth-heroku
+  bug_tracker_uri: https://github.com/heroku/omniauth-heroku/issues
+  changelog_uri: https://github.com/heroku/omniauth-heroku/blob/master/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -61,7 +141,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="