omniauth-identity 3.1.5 → 3.2.0

data/SECURITY.md

@@ -2,13 +2,9 @@
 
 ## Supported Versions
 
-| Version | Supported |
-|---------|-----------|
-| 3.1.x   | ✅         |
-| 3.0.x   | ❌         |
-| 2.x     | ❌         |
-| 1.x     | ❌         |
-| 0.x     | ❌         |
+| Version  | Supported |
+|----------|-----------|
+| 3.1.latest | ✅         |
 
 ## Security contact information
 
@@ -23,11 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-
-## Enterprise Support
-
-Available as part of the Tidelift Subscription.
-
-The maintainers of this library and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers for the exact packages you use. [Learn more.][tidelift-ref]
-
-[tidelift-ref]: https://tidelift.com/subscription/pkg/rubygems-omniauth-identity?utm_source=rubygems-omniauth-identity&utm_medium=referral&utm_campaign=enterprise&utm_term=repo

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/omniauth/identity/model.rb

@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
+require "auth_sanitizer/loader"
+
 module OmniAuth
   module Identity
+    AUTH_SANITIZER = AuthSanitizer::Loader.load_isolated unless const_defined?(:AUTH_SANITIZER, false)
+
     # This module provides an include-able interface for implementing the
     # necessary API for OmniAuth Identity to properly locate identities
     # and provide all necessary information.
@@ -30,6 +34,7 @@ module OmniAuth
       # Standard OmniAuth schema attributes that may be stored in the model.
       # @return [Array<String>] List of attribute names.
       SCHEMA_ATTRIBUTES = %w[name email nickname first_name last_name location description image phone].freeze
+      FILTERED_INSPECT_ATTRIBUTES = %i[password password_confirmation password_digest].freeze
 
       class << self
         # Called when this module is included in a model class.
@@ -40,6 +45,9 @@ module OmniAuth
         # @param base [Class] the model class including this module
         # @return [void]
         def included(base)
+          base.include(OmniAuth::Identity::AUTH_SANITIZER::FilteredAttributes)
+          base.prepend(OmniAuth::Identity::AUTH_SANITIZER::FilteredAttributes)
+          base.filtered_attributes(*FILTERED_INSPECT_ATTRIBUTES)
           base.extend(ClassMethods)
           base.extend(ClassCreateApi) unless base.respond_to?(:create)
           i_methods = base.instance_methods
@@ -50,6 +58,9 @@ module OmniAuth
 
       # Class-level methods for OmniAuth Identity models.
       module ClassMethods
+        AUTH_KEY_MUTEX = Mutex.new
+        private_constant :AUTH_KEY_MUTEX
+
         # Authenticate a user with the given key and password.
         #
         # @param [String] conditions The unique login key provided for a given identity.
@@ -62,16 +73,23 @@ module OmniAuth
           instance.authenticate(password)
         end
 
+        def inherited(subclass)
+          super if defined?(super)
+          subclass.filtered_attributes(*filtered_attribute_names) if subclass.respond_to?(:filtered_attributes)
+        end
+
         # Used to set or retrieve the method that will be used to get
         # and set the user-supplied authentication key.
         #
         # @param method [String, Symbol, false] The method name to set, or false to retrieve.
         # @return [String] The method name.
         def auth_key(method = false)
-          @auth_key = method.to_s unless method == false
-          @auth_key = nil if !defined?(@auth_key) || @auth_key == ""
+          AUTH_KEY_MUTEX.synchronize do
+            @auth_key = method.to_s unless method == false
+            @auth_key = nil if !defined?(@auth_key) || @auth_key == ""
 
-          @auth_key || "email"
+            @auth_key || "email"
+          end
         end
 
         # Locate an identity given its unique login key.
@@ -174,7 +192,7 @@ module OmniAuth
       # @param [String] value The value to which the auth key should be
       #   set.
       def auth_key=(value)
-        auth_key_setter = "#{self.class.auth_key}=".to_sym
+        auth_key_setter = :"#{self.class.auth_key}="
         if respond_to?(auth_key_setter)
           send(auth_key_setter, value)
         else

data/lib/omniauth/identity/models/active_record.rb

@@ -51,23 +51,25 @@ module OmniAuth
         #   class User < OmniAuth::Identity::Models::ActiveRecord
         #     self.auth_key = :email
         #   end
-        def self.auth_key=(key)
-          super
-          validates_uniqueness_of(key, case_sensitive: false)
-        end
+        class << self
+          def auth_key=(key)
+            super
+            validates_uniqueness_of(key, case_sensitive: false)
+          end
 
-        # @!method self.locate(search_hash)
-        # Finds a record by the given search criteria.
-        #
-        # If the model has a 'provider' column, it defaults to 'identity'.
-        #
-        # @param search_hash [Hash] the attributes to search for
-        # @return [ActiveRecord::Base, nil] the first matching record or nil
-        # @example
-        #   User.locate(email: 'user@example.com')
-        def self.locate(search_hash)
-          search_hash = search_hash.reverse_merge!("provider" => "identity") if column_names.include?("provider")
-          where(search_hash).first
+          # @!method self.locate(search_hash)
+          # Finds a record by the given search criteria.
+          #
+          # If the model has a 'provider' column, it defaults to 'identity'.
+          #
+          # @param search_hash [Hash] the attributes to search for
+          # @return [ActiveRecord::Base, nil] the first matching record or nil
+          # @example
+          #   User.locate(email: 'user@example.com')
+          def locate(search_hash)
+            search_hash = search_hash.reverse_merge!("provider" => "identity") if column_names.include?("provider")
+            where(search_hash).first
+          end
         end
       end
     end

data/lib/omniauth/identity/models/couch_potato.rb

@@ -32,56 +32,60 @@ module OmniAuth
       # @note CouchPotato::Persistence must be included before OmniAuth::Identity::Models::CouchPotatoModule.
       # @note Includes "Module" in the name for invalid legacy reasons. Rename only with a major version bump.
       module CouchPotatoModule
-        # Called when this module is included in a model class.
-        #
-        # This method extends the base class with OmniAuth Identity functionality,
-        # including secure password support and authentication key validation.
-        #
-        # @param base [Class] the model class including this module
-        # @return [void]
-        def self.included(base)
-          base.class_eval do
-            include(::OmniAuth::Identity::Model)
-            include(::OmniAuth::Identity::SecurePassword)
+        class << self
+          # Called when this module is included in a model class.
+          #
+          # This method extends the base class with OmniAuth Identity functionality,
+          # including secure password support and authentication key validation.
+          #
+          # @param base [Class] the model class including this module
+          # @return [void]
+          def included(base)
+            base.class_eval do
+              include(::OmniAuth::Identity::Model)
+              include(::OmniAuth::Identity::SecurePassword)
 
-            # validations: true (default) incurs a dependency on ActiveModel, but CouchPotato is ActiveModel based.
-            has_secure_password
+              # validations: true (default) incurs a dependency on ActiveModel, but CouchPotato is ActiveModel based.
+              has_secure_password
 
-            # @!method self.auth_key=(key)
-            # Sets the authentication key for the model and adds uniqueness validation.
-            #
-            # @param key [Symbol, String] the attribute to use as the authentication key
-            # @return [void]
-            # @example
-            #   class User
-            #     include OmniAuth::Identity::Models::CouchPotatoModule
-            #     self.auth_key = :email
-            #   end
-            def self.auth_key=(key)
-              super
-              validates_uniqueness_of(key, case_sensitive: false)
-            end
+              class << self
+                # @!method self.auth_key=(key)
+                # Sets the authentication key for the model and adds uniqueness validation.
+                #
+                # @param key [Symbol, String] the attribute to use as the authentication key
+                # @return [void]
+                # @example
+                #   class User
+                #     include OmniAuth::Identity::Models::CouchPotatoModule
+                #     self.auth_key = :email
+                #   end
+                def auth_key=(key)
+                  super
+                  validates_uniqueness_of(key, case_sensitive: false)
+                end
 
-            # @!method self.locate(search_hash)
-            # Finds a record by the given search criteria.
-            #
-            # @param search_hash [Hash] the attributes to search for
-            # @return [Object, nil] the first matching record or nil
-            # @example
-            #   User.locate(email: 'user@example.com')
-            def self.locate(search_hash)
-              where(search_hash).first
-            end
+                # @!method self.locate(search_hash)
+                # Finds a record by the given search criteria.
+                #
+                # @param search_hash [Hash] the attributes to search for
+                # @return [Object, nil] the first matching record or nil
+                # @example
+                #   User.locate(email: 'user@example.com')
+                def locate(search_hash)
+                  where(search_hash).first
+                end
+              end
 
-            # @!method save
-            # Saves the document to the CouchDB database.
-            #
-            # @return [Boolean] true if saved successfully, false otherwise
-            # @example
-            #   user = User.new(email: 'user@example.com', password: 'password')
-            #   user.save # => true
-            def save
-              CouchPotato.database.save_document(self)
+              # @!method save
+              # Saves the document to the CouchDB database.
+              #
+              # @return [Boolean] true if saved successfully, false otherwise
+              # @example
+              #   user = User.new(email: 'user@example.com', password: 'password')
+              #   user.save # => true
+              def save
+                CouchPotato.database.save_document(self)
+              end
             end
           end
         end

data/lib/omniauth/identity/models/mongoid.rb

@@ -30,45 +30,49 @@ module OmniAuth
       #
       # @note Mongoid is based on ActiveModel, so validations are enabled by default.
       module Mongoid
-        # Called when this module is included in a model class.
-        #
-        # This method extends the base class with OmniAuth Identity functionality,
-        # including secure password support and authentication key validation.
-        #
-        # @param base [Class] the model class including this module
-        # @return [void]
-        def self.included(base)
-          base.class_eval do
-            include(::OmniAuth::Identity::Model)
-            include(::OmniAuth::Identity::SecurePassword)
+        class << self
+          # Called when this module is included in a model class.
+          #
+          # This method extends the base class with OmniAuth Identity functionality,
+          # including secure password support and authentication key validation.
+          #
+          # @param base [Class] the model class including this module
+          # @return [void]
+          def included(base)
+            base.class_eval do
+              include(::OmniAuth::Identity::Model)
+              include(::OmniAuth::Identity::SecurePassword)
 
-            # validations: true (default) incurs a dependency on ActiveModel, but Mongoid is ActiveModel based.
-            has_secure_password
+              # validations: true (default) incurs a dependency on ActiveModel, but Mongoid is ActiveModel based.
+              has_secure_password
 
-            # @!method self.auth_key=(key)
-            # Sets the authentication key for the model and adds uniqueness validation.
-            #
-            # @param key [Symbol, String] the attribute to use as the authentication key
-            # @return [void]
-            # @example
-            #   class User
-            #     include OmniAuth::Identity::Models::Mongoid
-            #     self.auth_key = :email
-            #   end
-            def self.auth_key=(key)
-              super
-              validates_uniqueness_of(key, case_sensitive: false)
-            end
+              class << self
+                # @!method self.auth_key=(key)
+                # Sets the authentication key for the model and adds uniqueness validation.
+                #
+                # @param key [Symbol, String] the attribute to use as the authentication key
+                # @return [void]
+                # @example
+                #   class User
+                #     include OmniAuth::Identity::Models::Mongoid
+                #     self.auth_key = :email
+                #   end
+                def auth_key=(key)
+                  super
+                  validates_uniqueness_of(key, case_sensitive: false)
+                end
 
-            # @!method self.locate(search_hash)
-            # Finds a record by the given search criteria.
-            #
-            # @param search_hash [Hash] the attributes to search for
-            # @return [Mongoid::Document, nil] the first matching record or nil
-            # @example
-            #   User.locate(email: 'user@example.com')
-            def self.locate(search_hash)
-              where(search_hash).first
+                # @!method self.locate(search_hash)
+                # Finds a record by the given search criteria.
+                #
+                # @param search_hash [Hash] the attributes to search for
+                # @return [Mongoid::Document, nil] the first matching record or nil
+                # @example
+                #   User.locate(email: 'user@example.com')
+                def locate(search_hash)
+                  where(search_hash).first
+                end
+              end
             end
           end
         end

data/lib/omniauth/identity/models/nobrainer.rb

@@ -29,45 +29,49 @@ module OmniAuth
       #
       # @note NoBrainer is based on ActiveModel, so validations are enabled by default.
       module NoBrainer
-        # Called when this module is included in a model class.
-        #
-        # This method extends the base class with OmniAuth Identity functionality,
-        # including secure password support and authentication key validation.
-        #
-        # @param base [Class] the model class including this module
-        # @return [void]
-        def self.included(base)
-          base.class_eval do
-            include(::OmniAuth::Identity::Model)
-            include(::OmniAuth::Identity::SecurePassword)
+        class << self
+          # Called when this module is included in a model class.
+          #
+          # This method extends the base class with OmniAuth Identity functionality,
+          # including secure password support and authentication key validation.
+          #
+          # @param base [Class] the model class including this module
+          # @return [void]
+          def included(base)
+            base.class_eval do
+              include(::OmniAuth::Identity::Model)
+              include(::OmniAuth::Identity::SecurePassword)
 
-            # validations: true (default) incurs a dependency on ActiveModel, but NoBrainer is ActiveModel based.
-            has_secure_password
+              # validations: true (default) incurs a dependency on ActiveModel, but NoBrainer is ActiveModel based.
+              has_secure_password
 
-            # @!method self.auth_key=(key)
-            # Sets the authentication key for the model and adds uniqueness validation.
-            #
-            # @param key [Symbol, String] the attribute to use as the authentication key
-            # @return [void]
-            # @example
-            #   class User
-            #     include OmniAuth::Identity::Models::NoBrainer
-            #     self.auth_key = :email
-            #   end
-            def self.auth_key=(key)
-              super
-              validates_uniqueness_of(key, case_sensitive: false)
-            end
+              class << self
+                # @!method self.auth_key=(key)
+                # Sets the authentication key for the model and adds uniqueness validation.
+                #
+                # @param key [Symbol, String] the attribute to use as the authentication key
+                # @return [void]
+                # @example
+                #   class User
+                #     include OmniAuth::Identity::Models::NoBrainer
+                #     self.auth_key = :email
+                #   end
+                def auth_key=(key)
+                  super
+                  validates_uniqueness_of(key, case_sensitive: false)
+                end
 
-            # @!method self.locate(search_hash)
-            # Finds a record by the given search criteria.
-            #
-            # @param search_hash [Hash] the attributes to search for
-            # @return [Object, nil] the first matching record or nil
-            # @example
-            #   User.locate(email: 'user@example.com')
-            def self.locate(search_hash)
-              where(search_hash).first
+                # @!method self.locate(search_hash)
+                # Finds a record by the given search criteria.
+                #
+                # @param search_hash [Hash] the attributes to search for
+                # @return [Object, nil] the first matching record or nil
+                # @example
+                #   User.locate(email: 'user@example.com')
+                def locate(search_hash)
+                  where(search_hash).first
+                end
+              end
             end
           end
         end

data/lib/omniauth/identity/models/rom.rb

@@ -25,24 +25,26 @@ module OmniAuth
       #     password_field :password_digest
       #   end
       module Rom
-        def self.included(base)
-          # Align with other adapters: rely on OmniAuth::Identity::Model for API
-          base.include(::OmniAuth::Identity::Model)
-          base.extend(ClassMethods)
-
-          base.class_eval do
-            # OmniAuth::Identity required instance API
-            # Authenticates the instance with the provided password
-            # Returns self on success, false otherwise (to match Model.authenticate contract)
-            def authenticate(password)
-              digest_key = self.class.password_field
-              password_digest = @identity_data[digest_key]
-              return false unless password_digest
-
-              begin
-                BCrypt::Password.new(password_digest) == password && self
-              rescue BCrypt::Errors::InvalidHash
-                false
+        class << self
+          def included(base)
+            # Align with other adapters: rely on OmniAuth::Identity::Model for API
+            base.include(::OmniAuth::Identity::Model)
+            base.extend(ClassMethods)
+
+            base.class_eval do
+              # OmniAuth::Identity required instance API
+              # Authenticates the instance with the provided password
+              # Returns self on success, false otherwise (to match Model.authenticate contract)
+              define_method(:authenticate) do |password|
+                digest_key = self.class.password_field
+                password_digest = @identity_data[digest_key]
+                return false unless password_digest
+
+                begin
+                  BCrypt::Password.new(password_digest) == password && self
+                rescue BCrypt::Errors::InvalidHash
+                  false
+                end
               end
             end
           end
@@ -52,29 +54,40 @@ module OmniAuth
           # Default ROM relation name when none is configured
           DEFAULT_RELATION_NAME = :identities
 
+          ROM_CONFIG_MUTEX = Mutex.new
+          private_constant :ROM_CONFIG_MUTEX
+
           # Configuration DSL
           # These methods act like the DSL on `OmniAuth::Identity::Model` (e.g. `auth_key`) —
           # when called with an argument they set the configuration, and when called
           # without an argument they return the current value (with sensible defaults).
           def rom_container(value = false)
-            @rom_container = value unless value == false
-            container = @rom_container
-            container.respond_to?(:call) ? container.call : container
+            ROM_CONFIG_MUTEX.synchronize do
+              @rom_container = value unless value == false
+              container = @rom_container
+              container.respond_to?(:call) ? container.call : container
+            end
           end
 
           def rom_relation_name(value = false)
-            @rom_relation_name = value unless value == false
-            @rom_relation_name || DEFAULT_RELATION_NAME
+            ROM_CONFIG_MUTEX.synchronize do
+              @rom_relation_name = value unless value == false
+              @rom_relation_name || DEFAULT_RELATION_NAME
+            end
           end
 
           def owner_relation_name(value = false)
-            @owner_relation_name = value unless value == false
-            @owner_relation_name
+            ROM_CONFIG_MUTEX.synchronize do
+              @owner_relation_name = value unless value == false
+              @owner_relation_name
+            end
           end
 
           def password_field(value = false)
-            @password_field = value unless value == false
-            (@password_field || :password_digest).to_sym
+            ROM_CONFIG_MUTEX.synchronize do
+              @password_field = value unless value == false
+              (@password_field || :password_digest).to_sym
+            end
           end
 
           # Align with other adapters: use Model.auth_key (getter/setter) for the login attribute