omniauth-jwt2 0.1.0 → 0.1.1

data/spec/lib/omniauth/strategies/jwt_spec.rb

@@ -1,213 +0,0 @@
-require "spec_helper"
-
-describe OmniAuth::Strategies::JWT do
-  let(:response_json) { JSON.parse(last_response.body) }
-  let(:rand_secret) { SecureRandom.hex(10) }
-  let(:args) { [rand_secret, {auth_url: "http://example.com/login"}] }
-
-  let(:app) {
-    the_args = args
-    Rack::Builder.new do |b|
-      b.use Rack::Session::Cookie, secret: SecureRandom.hex(32)
-      b.use OmniAuth::Strategies::JWT, *the_args
-      b.run lambda { |env|
-        [200, {}, [(env["omniauth.auth"] || {}).to_json]]
-      }
-    end
-  }
-
-  context "request phase" do
-    it "redirects to the configured login url" do
-      # TODO: Figure out how to write this test without using the deprecated
-      #       and unsafe, "get" method for the request phase.
-      get "/auth/jwt"
-      expect(last_response.status).to eq(302)
-      expect(last_response.headers["Location"]).to eq("http://example.com/login")
-    end
-  end
-
-  context "callback phase" do
-    it "decodes the response" do
-      encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret)
-      get "/auth/jwt/callback?jwt=" + encoded
-      expect(response_json["info"]["email"]).to eq("steve@example.com")
-    end
-
-    it "does not work without required fields" do
-      encoded = JWT.encode({name: "Steve"}, rand_secret)
-      get "/auth/jwt/callback?jwt=" + encoded
-      expect(last_response.status).to eq(302)
-    end
-
-    it "assigns the uid" do
-      encoded = JWT.encode({name: "Steve", email: "dude@awesome.com"}, rand_secret)
-      get "/auth/jwt/callback?jwt=" + encoded
-      expect(response_json["uid"]).to eq("dude@awesome.com")
-    end
-
-    context "with a non-default encoding algorithm" do
-      let(:args) { [rand_secret, {auth_url: "http://example.com/login", decode_options: {algorithms: ["HS512", "HS256"]}}] }
-
-      it "decodes the response with an allowed algorithm" do
-        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS512")
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(JSON.parse(last_response.body)["info"]["email"]).to eq("steve@example.com")
-
-        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS256")
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(JSON.parse(last_response.body)["info"]["email"]).to eq("steve@example.com")
-      end
-
-      it "fails decoding the response with a different algorithm" do
-        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS384")
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(last_response.headers["Location"]).to include("/auth/failure")
-      end
-    end
-
-    context "with a :valid_within option set" do
-      let(:args) { [rand_secret, {auth_url: "http://example.com/login", valid_within: 300}] }
-
-      it "works if the iat key is within the time window" do
-        encoded = JWT.encode({name: "Ted", email: "ted@example.com", iat: Time.now.to_i}, rand_secret)
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(last_response.status).to eq(200)
-      end
-
-      it "does not work if the iat key is outside the time window" do
-        encoded = JWT.encode({name: "Ted", email: "ted@example.com", iat: Time.now.to_i + 500}, rand_secret)
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(last_response.status).to eq(302)
-      end
-
-      it "does not work if the iat key is missing" do
-        encoded = JWT.encode({name: "Ted", email: "ted@example.com"}, rand_secret)
-        get "/auth/jwt/callback?jwt=" + encoded
-        expect(last_response.status).to eq(302)
-      end
-    end
-  end
-
-  describe "#decoded" do
-    subject { described_class.new({}) }
-
-    let(:timestamp) { Time.now.to_i }
-    let(:claims) do
-      {
-        id: 123,
-        name: "user_example",
-        email: "user@example.com",
-        iat: timestamp,
-      }
-    end
-
-    let(:algorithm) { "HS256" }
-    let(:secret) { rand_secret }
-    let(:private_key) { secret }
-    let(:payload) { JWT.encode(claims, private_key, algorithm) }
-
-    before do
-      subject.options[:secret] = secret
-      subject.options[:algorithm] = algorithm
-
-      # We use Rack::Request instead of ActionDispatch::Request because
-      # Rack::Test::Methods enables testing of this module.
-      expect_next_instance_of(Rack::Request) do |rack_request|
-        expect(rack_request).to receive(:params).and_return("jwt" => payload)
-      end
-    end
-
-    ecdsa_named_curves = {
-      "ES256" => "prime256v1",
-      "ES384" => "secp384r1",
-      "ES512" => "secp521r1",
-    }.freeze
-
-    algos = {
-      OpenSSL::PKey::RSA => %w[RS256 RS384 RS512],
-      String => %w[HS256 HS384 HS512],
-    }
-    algos.merge!(OpenSSL::PKey::EC => %w[ES256 ES384 ES512]) unless ["2.2.10", "2.3.8"].include?(RubyVersion.to_s)
-    algos.each do |private_key_class, algorithms|
-      algorithms.each do |algorithm|
-        context "when the #{algorithm} algorithm is used" do
-          let(:algorithm) { algorithm }
-          let(:secret) do
-            # rubocop:disable Style/CaseLikeIf
-            if private_key_class == OpenSSL::PKey::RSA
-              private_key_class.generate(2048)
-                .to_pem
-            elsif private_key_class == OpenSSL::PKey::EC
-              private_key_class.generate(ecdsa_named_curves[algorithm])
-                .to_pem
-            else
-              private_key_class.new(rand_secret)
-            end
-            # rubocop:enable Style/CaseLikeIf
-          end
-
-          let(:private_key) { private_key_class ? private_key_class.new(secret) : secret }
-
-          it "decodes the user information" do
-            result = subject.decoded
-
-            expect(result).to eq(claims.stringify_keys)
-          end
-        end
-      end
-    end
-
-    context "required claims is missing" do
-      let(:claims) do
-        {
-          id: 123,
-          email: "user@example.com",
-          iat: timestamp,
-        }
-      end
-
-      it "raises error" do
-        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
-      end
-    end
-
-    context "when valid_within is specified but iat attribute is missing in response" do
-      let(:claims) do
-        {
-          id: 123,
-          name: "user_example",
-          email: "user@example.com",
-        }
-      end
-
-      before do
-        # Omniauth config values are always strings!
-        subject.options[:valid_within] = (60 * 60 * 24 * 2).to_s # 2 days
-      end
-
-      it "raises error" do
-        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
-      end
-    end
-
-    context "when timestamp claim is too skewed from present" do
-      let(:claims) do
-        {
-          id: 123,
-          name: "user_example",
-          email: "user@example.com",
-          iat: timestamp - (60 * 60 * 10), # minus ten minutes
-        }
-      end
-
-      before do
-        # Omniauth config values are always strings!
-        subject.options[:valid_within] = "2" # 2 seconds
-      end
-
-      it "raises error" do
-        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
-      end
-    end
-  end
-end

data/spec/spec_helper.rb

@@ -1,64 +0,0 @@
-# Std Lib
-require "securerandom"
-
-# 3rd party gems
-require "rspec/pending_for"
-begin
-  require "rack/session"
-rescue LoadError
-  nil # File won't exist in old rack for Ruby 2.2 & 2.3
-end
-require "rack/test"
-require "json"
-require "omniauth"
-begin
-  require "openssl"
-  require "openssl/signature_algorithm"
-  require "ed25519"
-rescue LoadError
-  nil # Gem doesn't exist for ancient Rubies 2.2 & 2.3
-end
-
-require "byebug" if ENV["DEBUG"] == "true"
-# This does not require "simplecov",
-#   because that has a side-effect of running `.simplecov`
-begin
-  require "kettle-soup-cover"
-rescue LoadError
-  puts "Not analyzing test coverage"
-end
-
-require "support/hash"
-require "support/next_instance_of"
-
-OmniAuth.config.logger = Logger.new("/dev/null")
-require "omniauth/version"
-puts "OMNIAUTH VERSION: #{OmniAuth::VERSION}"
-if Gem::Version.new(OmniAuth::VERSION) > Gem::Version.new("2.0")
-  OmniAuth.config.silence_get_warning = true
-  OmniAuth.config.allowed_request_methods |= [:get, :post]
-end
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# Require this file using `require "spec_helper"` to ensure that it is only
-# loaded once.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
-RSpec.configure do |config|
-  config.run_all_when_everything_filtered = true
-  config.filter_run :focus
-
-  include Rack::Test::Methods
-  include NextInstanceOf
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = "random"
-end
-
-# Last thing before loading this library, load simplecov:
-require "simplecov" if defined?(Kettle::Soup::Cover) && Kettle::Soup::Cover::DO_COV
-
-require "omniauth/jwt"

data/spec/support/hash.rb

@@ -1,9 +0,0 @@
-class Hash
-  def self.stringify_keys(h)
-    h.is_a?(Hash) ? h.collect { |k, v| [k.to_s, stringify_keys(v)] }.to_h : h
-  end
-
-  def stringify_keys
-    self.class.stringify_keys(self)
-  end
-end

data/spec/support/next_instance_of.rb

@@ -1,43 +0,0 @@
-# From: https://github.com/gitlabhq/gitlabhq/blob/master/gems/gitlab-rspec/lib/gitlab/rspec/next_instance_of.rb#L4
-module NextInstanceOf
-  def expect_next_instance_of(klass, *new_args, &blk)
-    stub_new(expect(klass), nil, false, *new_args, &blk)
-  end
-
-  def expect_next_instances_of(klass, number, ordered = false, *new_args, &blk)
-    stub_new(expect(klass), number, ordered, *new_args, &blk)
-  end
-
-  def allow_next_instance_of(klass, *new_args, &blk)
-    stub_new(allow(klass), nil, false, *new_args, &blk)
-  end
-
-  def allow_next_instances_of(klass, number, ordered = false, *new_args, &blk)
-    stub_new(allow(klass), number, ordered, *new_args, &blk)
-  end
-
-  private
-
-  def stub_new(target, number, ordered = false, *new_args, &blk)
-    receive_new = receive(:new)
-    receive_new.ordered if ordered
-    receive_new.with(*new_args) if !(new_args.empty? || new_args.blank?)
-
-    if number.is_a?(Range)
-      receive_new.at_least(number.begin).times if number.begin
-      receive_new.at_most(number.end).times if number.end
-    elsif number
-      receive_new.exactly(number).times
-    end
-
-    target.to receive_new.and_wrap_original do |*original_args, **original_kwargs|
-      method, *original_args = original_args
-      begin
-        method.call(*original_args, **original_kwargs).tap(&blk)
-      rescue ArgumentError
-        # Kludge for old ruby < 2.7
-        method.call(*original_args).tap(&blk)
-      end
-    end
-  end
-end