omniauth-jwt2 0.1.0 → 1.0.0

data/RUBOCOP.md

@@ -0,0 +1,71 @@
+# RuboCop Usage Guide
+
+## Overview
+
+A tale of two RuboCop plugin gems.
+
+### RuboCop Gradual
+
+This project uses `rubocop_gradual` instead of vanilla RuboCop for code style checking. The `rubocop_gradual` tool allows for gradual adoption of RuboCop rules by tracking violations in a lock file.
+
+### RuboCop LTS
+
+This project uses `rubocop-lts` to ensure, on a best-effort basis, compatibility with Ruby >= 1.9.2.
+RuboCop rules are meticulously configured by the `rubocop-lts` family of gems to ensure that a project is compatible with a specific version of Ruby. See: https://rubocop-lts.gitlab.io for more.
+
+## Checking RuboCop Violations
+
+To check for RuboCop violations in this project, always use:
+
+```bash
+bundle exec rake rubocop_gradual:check
+```
+
+**Do not use** the standard RuboCop commands like:
+- `bundle exec rubocop`
+- `rubocop`
+
+## Understanding the Lock File
+
+The `.rubocop_gradual.lock` file tracks all current RuboCop violations in the project. This allows the team to:
+
+1. Prevent new violations while gradually fixing existing ones
+2. Track progress on code style improvements
+3. Ensure CI builds don't fail due to pre-existing violations
+
+## Common Commands
+
+- **Check violations**
+    - `bundle exec rake rubocop_gradual`
+    - `bundle exec rake rubocop_gradual:check`
+- **(Safe) Autocorrect violations, and update lockfile if no new violations**
+  - `bundle exec rake rubocop_gradual:autocorrect`
+- **Force update the lock file (w/o autocorrect) to match violations present in code**
+  - `bundle exec rake rubocop_gradual:force_update`
+
+## Workflow
+
+1. Before submitting a PR, run `bundle exec rake rubocop_gradual:autocorrect`
+   a. or just the default `bundle exec rake`, as autocorrection is a pre-requisite of the default task.
+2. If there are new violations, either:
+   - Fix them in your code
+   - Run `bundle exec rake rubocop_gradual:force_update` to update the lock file (only for violations you can't fix immediately)
+3. Commit the updated `.rubocop_gradual.lock` file along with your changes
+
+## Never add inline RuboCop disables
+
+Do not add inline `rubocop:disable` / `rubocop:enable` comments anywhere in the codebase (including specs, except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). We handle exceptions in two supported ways:
+
+- Permanent/structural exceptions: prefer adjusting the RuboCop configuration (e.g., in `.rubocop.yml`) to exclude a rule for a path or file pattern when it makes sense project-wide.
+- Temporary exceptions while improving code: record the current violations in `.rubocop_gradual.lock` via the gradual workflow:
+  - `bundle exec rake rubocop_gradual:autocorrect` (preferred; will autocorrect what it can and update the lock only if no new violations were introduced)
+  - If needed, `bundle exec rake rubocop_gradual:force_update` (as a last resort when you cannot fix the newly reported violations immediately)
+
+In general, treat the rules as guidance to follow; fix violations rather than ignore them. For example, RSpec conventions in this project expect `described_class` to be used in specs that target a specific class under test.
+
+## Benefits of rubocop_gradual
+
+- Allows incremental adoption of code style rules
+- Prevents CI failures due to pre-existing violations
+- Provides a clear record of code style debt
+- Enables focused efforts on improving code quality over time

data/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version  | Supported |
+|----------|-----------|
+| 0.latest | ✅         |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## Additional Support
+
+If you are interested in support for versions older than the latest release,
+please consider sponsoring the project / maintainer @ https://liberapay.com/pboling/donate,
+or find other sponsorship links in the [README].
+
+[README]: README.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/omniauth/jwt/version.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
+require_relative "../jwt2/version"
+
 module Omniauth
   module JWT
-    module Version
-      VERSION = "0.1.0"
-    end
+    Version = JWT2::Version unless const_defined?(:Version, false)
+    VERSION = JWT2::VERSION unless const_defined?(:VERSION, false)
   end
 end

data/lib/omniauth/jwt.rb

@@ -1,10 +1,11 @@
 # External gems
 require "version_gem"
+require_relative "jwt/version"
 
 # This gem
 require "omniauth/jwt/version"
 require "omniauth/strategies/jwt"
 
-Omniauth::JWT::Version.class_eval do
+Omniauth::JWT2::Version.class_eval do
   extend VersionGem::Basic
 end

data/lib/omniauth/jwt2/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module JWT2
+    module Version
+      VERSION = "1.0.0"
+    end
+    VERSION = Version::VERSION # Traditional Constant Location
+  end
+end

data/lib/omniauth/jwt2.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "version_gem"
+require_relative "jwt2/version"
+
+require_relative "jwt"
+
+Omniauth::JWT2::Version.class_eval do
+  extend VersionGem::Basic
+end

data/lib/omniauth/strategies/jwt.rb

@@ -5,7 +5,6 @@ module OmniAuth
   module Strategies
     class JWT
       class ClaimInvalid < StandardError; end
-
       class BadJwt < StandardError; end
 
       include OmniAuth::Strategy
@@ -18,13 +17,13 @@ module OmniAuth
       option :algorithm, "HS256" # overridden by options.decode_options[:algorithms]
       option :decode_options, {}
       option :uid_claim, "email"
-      option :required_claims, %w(name email)
+      option :required_claims, %w[name email]
       option :info_map, {name: "name", email: "email"}
       option :auth_url, nil
       option :valid_within, nil
 
       def request_phase
-        redirect(options.auth_url)
+        redirect options.auth_url
       end
 
       def decoded
@@ -34,7 +33,7 @@ module OmniAuth
             when "RS256", "RS384", "RS512"
               OpenSSL::PKey::RSA.new(options.secret).public_key
             when "ES256", "ES384", "ES512"
-              OpenSSL::PKey::EC.new(options.secret)
+              ec_key(options.secret)
             when "HS256", "HS384", "HS512"
               options.secret
             else
@@ -53,9 +52,9 @@ module OmniAuth
             options.decode_options.merge(
               {
                 algorithms: default_algos,
-                jwks: options.jwks_loader,
-              }.delete_if { |_, v| v.nil? },
-            ),
+                jwks: options.jwks_loader
+              }.delete_if { |_, v| v.nil? }
+            )
           )[0]
         rescue Exception => e
           raise BadJwt.new("#{e.class}: #{e.message}")
@@ -71,12 +70,35 @@ module OmniAuth
         @decoded
       end
 
+      def ec_key(secret)
+        key = if secret.is_a?(OpenSSL::PKey::EC)
+          secret
+        elsif OpenSSL::PKey.respond_to?(:read)
+          OpenSSL::PKey.read(secret)
+        else
+          OpenSSL::PKey::EC.new(secret)
+        end
+
+        ec_public_key(key)
+      end
+
+      def ec_public_key(key)
+        return key unless key.respond_to?(:private?)
+        return key unless key.private?
+
+        public_key = OpenSSL::PKey::EC.new(key.group)
+        public_key.public_key = key.public_key
+        public_key
+      rescue OpenSSL::PKey::PKeyError
+        key
+      end
+
       def callback_phase
         super
       rescue BadJwt => e
-        fail!("bad_jwt", e)
+        fail! "bad_jwt", e
       rescue ClaimInvalid => e
-        fail!(:claim_invalid, e)
+        fail! :claim_invalid, e
       end
 
       uid { decoded[options.uid_claim] }

data/lib/omniauth-jwt2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "omniauth/jwt2"

data/sig/omniauth/jwt/version.rbs

@@ -0,0 +1,8 @@
+module Omniauth
+  module JWT
+    module Version
+      VERSION: String
+    end
+    VERSION: String
+  end
+end

data/sig/omniauth/jwt2/version.rbs

@@ -0,0 +1,8 @@
+module Omniauth
+  module JWT2
+    module Version
+      VERSION: String
+    end
+    VERSION: String
+  end
+end

data.tar.gz.sig

@@ -0,0 +1 @@
+g*�s�M����-}��s�鲁ll6e4m{K�<�jA$"�