omniauth-ldap 2.3.2 → 2.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64fced98d7ab577e6c9abc446ace5678b829670e9d241f0a759c61efc47ecf5e
-  data.tar.gz: 7fda93687c96509833b9d72f277995f53eb2368ebe44740180ceadd3afac6ebe
+  metadata.gz: cfb42b529db19042a0140d9bdb39698b177710df48bc80eb9c1470bfebda0ae2
+  data.tar.gz: 411ba1e8817fc5814c248cbf096471ebe2f4a013a69dff3b6771143526a73f8b
 SHA512:
-  metadata.gz: 8750eeed19ed13d89d041b14123b68cc459e7f5595d04d6d0fe67227c06c312f7952264f6fdd19a8f57957ce98c9ea3620d125fd01c445446c8848400a668e12
-  data.tar.gz: ed9dc416b2eba5c6e9d9cc5e889f50bd70347ff4a6ce9261cb8703e77d010c7834a5a566ef8ed7f93f5fbaf4baba0afa9965191decebdf84ed8ffd8b79590a8d
+  metadata.gz: e5cd173bb9dd917627ba9d96d3fe3a5e713bb74e3623d8ab1247fe71da0243e0e66658f64dd356247e060fbddda4a9031e76242dd8b0ea0575d9233bfcee1b0d
+  data.tar.gz: 70d8dd160e9793037bb4564cde716dfc8cd98c3805b73c65f49c5ecd2383b13c920828affab59e458b224b8f1eebfd4a127d9bd06a55d967e1d397f21f01a1da

data/CHANGELOG.md

@@ -32,6 +32,47 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.3.4] - 2026-05-18
+
+- TAG: [v2.3.4][2.3.4t]
+- COVERAGE: 97.44% -- 304/312 lines in 4 files
+- BRANCH COVERAGE: 79.58% -- 113/142 branches in 4 files
+- 94.44% documented
+
+### Added
+
+- Add `header_auth_source` to require explicit selection of trusted header identity source (`:env` or `:http_header`)
+- Add `header_auth_require_tls` to require TLS for trusted header SSO by default
+- Log a prominent security warning when `header_auth` is enabled
+
+### Changed
+
+- Trusted header SSO now defaults to trusting only server-set env variables and no longer checks Rack `HTTP_` header variants unless `header_auth_source: :http_header` is configured
+
+### Fixed
+
+- Fix OpenSSL 3/Ruby 4 compatibility in the TLS options adaptor spec
+
+### Security
+
+- Harden trusted header SSO against spoofing by removing automatic fallback from `REMOTE_USER` to `HTTP_REMOTE_USER`
+
+## [2.3.3] - 2025-11-10
+
+- TAG: [v2.3.3][2.3.3t]
+- COVERAGE: 97.61% -- 286/293 lines in 4 files
+- BRANCH COVERAGE: 79.69% -- 102/128 branches in 4 files
+- 94.44% documented
+
+### Added
+
+- Documentation cleanup & updates
+- YARD documentation covering 94% of the code
+
+### Changed
+
+- kettle-dev v1.1.54
+
 ## [2.3.2] - 2025-11-06
 
 - TAG: [v2.3.2][2.3.2t]
@@ -50,14 +91,14 @@ Please file a bug if you notice a violation of semantic versioning.
   - https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11
 - Support for JSON bodies
 - Support custom LDAP attributes mapping
-- Raise a distinct error when LDAP server is unreachable
-  - Previously raised an invalid credentials authentication failure error, which is technically incorrect
 - Documentation of TLS verification options
 
 ### Changed
 
 - Make support for OmniAuth v1.2+ explicit
   - Versions < 1.2 do not support SCRIPT_NAME properly, and may cause other issues
+- Raise a distinct error when LDAP server is unreachable
+    - Previously raised an invalid credentials authentication failure error, which is technically incorrect
 
 ## [2.3.1] - 2025-11-05
 
@@ -224,7 +265,11 @@ Please file a bug if you notice a violation of semantic versioning.
 [1.0.0]: https://github.com/omniauth/omniauth-ldap/compare/5656da80d4193e0d0584f44bac493a87695e580f...v1.0.0
 [1.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v1.0.0
 
-[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...HEAD
+[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.4...HEAD
+[2.3.4]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...v2.3.4
+[2.3.4t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.4
+[2.3.3]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...v2.3.3
+[2.3.3t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.3
 [2.3.2]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.1...v2.3.2
 [2.3.2t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.2
 [2.3.1]: https://github.com/omniauth/omniauth-ldap/compare/v2.0.0...v2.3.1

data/CONTRIBUTING.md

@@ -24,13 +24,13 @@ Follow these instructions:
 
 ## Executables vs Rake tasks
 
-Executables shipped by dependencies, such as omniauth-ldap, and stone_checksums, are available
+Executables shipped by dependencies, such as kettle-dev, and stone_checksums, are available
 after running `bin/setup`. These include:
 
 - gem_checksums
 - kettle-changelog
 - kettle-commit-msg
-- omniauth-ldap-setup
+- kettle-dev-setup
 - kettle-dvcs
 - kettle-pre-release
 - kettle-readme-backers
@@ -68,7 +68,9 @@ GitHub API and CI helpers
 Releasing and signing
 - SKIP_GEM_SIGNING: If set, skip gem signing during build/release
 - GEM_CERT_USER: Username for selecting your public cert in `certs/<USER>.pem` (defaults to $USER)
-- SOURCE_DATE_EPOCH: Reproducible build timestamp. `kettle-release` will set this automatically for the session.
+- SOURCE_DATE_EPOCH: Reproducible build timestamp.
+  - `kettle-release` will set this automatically for the session.
+  - Not needed on bundler >= 2.7.0, as reproducible builds have become the default.
 
 Git hooks and commit message helpers (exe/kettle-commit-msg)
 - GIT_HOOK_BRANCH_VALIDATE: Branch name validation mode (e.g., `jira`) or `false` to disable
@@ -166,6 +168,7 @@ NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in th
 1. Update version.rb to contain the correct version-to-be-released.
 2. Run `bundle exec kettle-changelog`.
 3. Run `bundle exec kettle-release`.
+4. Stay awake and monitor the release process for any errors, and answer any prompts.
 
 #### Manual process
 

data/FUNDING.md

@@ -6,7 +6,7 @@ Many paths lead to being a sponsor or a backer of this project. Are you on such
 
 [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal]
 
-[![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate to my FLOSS or refugee efforts at ko-fi.com][🖇kofi-img]][🖇kofi] [![Donate to my FLOSS or refugee efforts using Patreon][🖇patreon-img]][🖇patreon]
+[![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate to my FLOSS efforts at ko-fi.com][🖇kofi-img]][🖇kofi] [![Donate to my FLOSS efforts using Patreon][🖇patreon-img]][🖇patreon]
 
 [⛳liberapay-img]: https://img.shields.io/liberapay/goal/pboling.svg?logo=liberapay&color=a51611&style=flat
 [⛳liberapay]: https://liberapay.com/pboling/donate
@@ -27,11 +27,11 @@ Many paths lead to being a sponsor or a backer of this project. Are you on such
 
 <!-- RELEASE-NOTES-FOOTER-END -->
 
-# 🤑 Request for Help
+# 🤑 A request for help
 
 Maintainers have teeth and need to pay their dentists.
-After getting laid off in an RIF in March and filled with many dozens of rejections,
-I'm now spending ~60+ hours a week building open source tools.
+After getting laid off in an RIF in March, and encountering difficulty finding a new one,
+I began spending most of my time building open source tools.
 I'm hoping to be able to pay for my kids' health insurance this month,
 so if you value the work I am doing, I need your support.
 Please consider sponsoring me or the project.
@@ -40,16 +40,13 @@ To join the community or get help 👇️ Join the Discord.
 
 [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite]
 
-To say "thanks for maintaining such a great tool" ☝️ Join the Discord or 👇️ send money.
+To say "thanks!" ☝️ Join the Discord or 👇️ send money.
 
-[![Sponsor me on GitHub Sponsors][🖇sponsor-bottom-img]][🖇sponsor] 💌 [![Sponsor me on Liberapay][⛳liberapay-bottom-img]][⛳liberapay-img] 💌 [![Donate on PayPal][🖇paypal-bottom-img]][🖇paypal-img]
+[![Sponsor me on GitHub Sponsors][🖇sponsor-bottom-img]][🖇sponsor] 💌 [![Sponsor me on Liberapay][⛳liberapay-bottom-img]][⛳liberapay] 💌 [![Donate on PayPal][🖇paypal-bottom-img]][🖇paypal]
 
 # Another Way to Support Open Source Software
 
-> How wonderful it is that nobody need wait a single moment before starting to improve the world.<br/>
->—Anne Frank
-
-I’m driven by a passion to foster a thriving open-source community – a space where people can tackle complex problems, no matter how small.  Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions — totaling 79 hours of FLOSS coding over just the past seven days, a pretty regular week for me.  I was recently affected by layoffs, and the tech jobs market is unwelcoming. I’m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 🐔 chickens, 2 🐶 dogs, 3 🐰 rabbits, 8 🐈‍ cats).
+I’m driven by a passion to foster a thriving open-source community – a space where people can tackle complex problems, no matter how small.  Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions.  I was recently affected by layoffs, and the tech jobs market is unwelcoming. I’m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 🐔 chickens, 2 🐶 dogs, 3 🐰 rabbits, 8 🐈‍ cats).
 
 If you work at a company that uses my work, please encourage them to support me as a corporate sponsor. My work on gems you use might show up in `bundle fund`.
 

data/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors
+Copyright (c) 2025 - 2026 Peter H. Boling, and omniauth-ldap contributors
 Copyright (c) 2014 David Benko
 Copyright (c) 2011 by Ping Yu and Intridea, Inc.
 

data/README.md

@@ -1,32 +1,3 @@
-| 📍 NOTE                                                                                                                                                           |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| RubyGems (the [GitHub org][rubygems-org], not the website) [suffered][draper-security] a [hostile takeover][ellen-takeover] in September 2025.                    |
-| Ultimately [4 maintainers][simi-removed] were [hard removed][martin-removed] and a reason has been given for only 1 of those, while 2 others resigned in protest. |
-| It is a [complicated story][draper-takeover] which is difficult to [parse quickly][draper-lies].                                                                  |
-| I'm adding notes like this to gems because I [don't condone theft][draper-theft] of repositories or gems from their rightful owners.                              |
-| If a similar theft happened with my repos/gems, I'd hope some would stand up for me.                                                                              |
-| Disenfranchised former-maintainers have started [gem.coop][gem-coop].                                                                                             |
-| Once available I will publish there exclusively; unless RubyCentral makes amends with the community.                                                              |
-| The ["Technology for Humans: Joel Draper"][reinteractive-podcast] podcast episode by [reinteractive][reinteractive] is the most cogent summary I'm aware of.      |
-| See [here][gem-naming], [here][gem-coop] and [here][martin-ann] for more info on what comes next.                                                                 |
-| What I'm doing: A (WIP) proposal for [bundler/gem scopes][gem-scopes], and a (WIP) proposal for a federated [gem server][gem-server].                             |
-
-[rubygems-org]: https://github.com/rubygems/
-[draper-security]: https://joel.drapper.me/p/ruby-central-security-measures/
-[draper-takeover]: https://joel.drapper.me/p/ruby-central-takeover/
-[ellen-takeover]: https://pup-e.com/blog/goodbye-rubygems/
-[simi-removed]: https://www.reddit.com/r/ruby/s/gOk42POCaV
-[martin-removed]: https://bsky.app/profile/martinemde.com/post/3m3occezxxs2q
-[draper-lies]: https://joel.drapper.me/p/ruby-central-fact-check/
-[draper-theft]: https://joel.drapper.me/p/ruby-central/
-[reinteractive]: https://reinteractive.com/ruby-on-rails
-[gem-coop]: https://gem.coop
-[gem-naming]: https://github.com/gem-coop/gem.coop/issues/12
-[martin-ann]: https://martinemde.com/2025/10/05/announcing-gem-coop.html
-[gem-scopes]: https://github.com/galtzo-floss/bundle-namespace
-[gem-server]: https://github.com/galtzo-floss/gem-server
-[reinteractive-podcast]: https://youtu.be/_H4qbtC5qzU?si=BvuBU90R2wAqD2E6
-
 [![Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0][🖼️galtzo-i]][🖼️galtzo-discord] [![ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5][🖼️ruby-lang-i]][🖼️ruby-lang] [![omniauth Logo (presumed to be) by tomeara, (presumed to be) MIT License][🖼️omniauth-i]][🖼️omniauth]
 
 [🖼️galtzo-i]: https://logos.galtzo.com/assets/images/galtzo-floss/avatar-192px.svg
@@ -48,6 +19,13 @@
 
 [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate at ko-fi.com][🖇kofi-img]][🖇kofi]
 
+<details>
+    <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
+
+I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).
+
+</details>
+
 ## 🌻 Synopsis
 
 Use the LDAP strategy as a middleware in your application:
@@ -79,9 +57,11 @@ use OmniAuth::Strategies::LDAP,
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
 ```
 
-All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
+At minimum you normally configure `:host`, `:base`, and either `:uid` or `:filter`. The other options shown above customize connection behavior, TLS, username normalization, timeouts, and returned auth info.
 
-## TLS certificate verification
+For trusted header SSO, enable `header_auth: true` and explicitly choose the trusted identity source with `header_auth_source: :env` or `header_auth_source: :http_header`. See [Trusted header SSO](#trusted-header-sso-remote_user-and-friends) for the security requirements.
+
+### TLS certificate verification
 
 This gem enables TLS certificate verification by default when you use `encryption: "ssl"` (LDAPS / simple TLS) or `encryption: "tls"` (STARTTLS). We always pass `tls_options` to Net::LDAP based on `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, which includes `verify_mode: OpenSSL::SSL::VERIFY_PEER` and sane defaults.
 
@@ -153,7 +133,7 @@ Compatible with MRI Ruby 2.0+, and concordant releases of JRuby, and TruffleRuby
 
 Available as part of the Tidelift Subscription.
 
-<details>
+<details markdown="1">
   <summary>Need enterprise-level guarantees?</summary>
 
 The maintainers of this and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.
@@ -188,7 +168,7 @@ gem install omniauth-ldap
 
 ### 🔒 Secure Installation
 
-<details>
+<details markdown="1">
   <summary>For Medium or High Security Installations</summary>
 
 This gem is cryptographically signed, and has verifiable [SHA-256 and SHA-512][💎SHA_checksums] checksums by
@@ -228,14 +208,14 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 ### Required Options
 
 - `:host` - The hostname or IP address of the LDAP server.
-- `:port` - The port number of the LDAP server (default: 389).
-- `:method` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`).
 - `:base` - The base DN for the LDAP search.
 - `:uid` or `:filter` - Either `:uid` (the LDAP attribute for username, default: "sAMAccountName") or `:filter` (LDAP filter for searching user entries). If `:filter` is provided, `:uid` is not required. Note: This `:uid` option is the search attribute, not the top-level `auth.uid` in the OmniAuth result.
 
 ### Optional Options
 
 - `:title` - The title for the authentication form (default: "LDAP Authentication").
+- `:port` - The port number of the LDAP server (default: 389).
+- `:encryption` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`). `:method` is still accepted for compatibility, but is deprecated.
 - `:bind_dn` - The DN to bind with for searching users (required if anonymous access is not allowed).
 - `:password` - The password for the bind DN.
 - `:name_proc` - A proc to process the username before using it in the search (default: identity proc that returns the username unchanged).
@@ -249,6 +229,10 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 - `:connect_timeout` - Maximum time in seconds to wait when establishing the TCP connection to the LDAP server. Forwarded to `Net::LDAP`.
 - `:read_timeout` - Maximum time in seconds to wait for reads during LDAP operations (search/bind). Forwarded to `Net::LDAP`.
 - `:mapping` - Customize how LDAP attributes map to the returned `auth.info` hash. A sensible default mapping is built into the strategy and will be merged with your overrides. See `lib/omniauth/strategies/ldap.rb` for the default keys and behavior; values can be a String (single attribute), an Array (first present attribute wins), or a Hash (string pattern with placeholders like `%0` combined from multiple attributes).
+- `:header_auth` - Enable trusted upstream identity SSO (default: false). When enabled, the strategy trusts the configured header/env key, performs an LDAP lookup, and skips the user password bind.
+- `:header_name` - Header/env key used for trusted header SSO (default: "REMOTE_USER").
+- `:header_auth_source` - Trusted identity source for header SSO (default: `:env`). Use `:env` to read only `env["REMOTE_USER"]`-style server variables. Use `:http_header` to read only Rack `HTTP_` header keys such as `env["HTTP_REMOTE_USER"]`; only configure this behind a proxy that strips client-supplied copies.
+- `:header_auth_require_tls` - Require TLS for trusted header SSO requests (default: true).
 
 Example enabling password policy:
 
@@ -284,7 +268,7 @@ Where to find the "username"-style value
 - You can also read the raw attribute from `auth.extra.raw_info` (a `Net::LDAP::Entry`):
 
 ```ruby
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   dn = auth.uid                                # => "cn=alice,ou=users,dc=example,dc=com"
   username = auth.info.nickname                # => "alice" (from uid/sAMAccountName)
@@ -300,7 +284,7 @@ If you need top-level `auth.uid` to be something other than the DN (for example,
 ## 🔧 Basic Usage
 
 The strategy exposes a simple Rack middleware and can be used in plain Rack apps, Sinatra, or Rails.
-Direct users to `/auth/ldap` to start authentication and handle the callback at `/auth/ldap/callback`.
+With OmniAuth 2.x, initiate authentication with `POST /auth/ldap`; `GET /auth/ldap` returns 404 by default. Older OmniAuth 1.x deployments may still render the form on `GET /auth/ldap`. Handle the callback at `/auth/ldap/callback`.
 
 Below are several concrete examples to get you started.
 
@@ -316,7 +300,7 @@ use OmniAuth::Builder do
   provider :ldap,
     host: "ldap.example.com",
     port: 389,
-    method: :plain,
+    encryption: :plain,
     base: "dc=example,dc=com",
     uid: "uid",
     title: "Example LDAP"
@@ -325,7 +309,7 @@ end
 run lambda { |env| [404, {"Content-Type" => "text/plain"}, [env.key?("omniauth.auth").to_s]] }
 ```
 
-Visit `GET /auth/ldap` to initiate authentication (the middleware will render a login form unless you POST to `/auth/ldap`).
+Submit `POST /auth/ldap` to initiate authentication. With OmniAuth 2.x, the middleware renders the login form on POST when credentials are not already present; with OmniAuth 1.x, `GET /auth/ldap` can also render the form.
 
 ### Sinatra example
 
@@ -344,10 +328,10 @@ use OmniAuth::Builder do
 end
 
 get "/" do
-  '<a href="/auth/ldap">Sign in with LDAP</a>'
+  '<form action="/auth/ldap" method="post"><button type="submit">Sign in with LDAP</button></form>'
 end
 
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   "Hello, #{auth.info["name"]}"
 end
@@ -371,7 +355,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
 end
 ```
 
-Then link users to `/auth/ldap` in your app (for example, in a Devise sign-in page).
+Then submit users to `/auth/ldap` with POST in your app (for example, from a Devise sign-in page).
 
 ### Use JSON Body
 
@@ -422,7 +406,7 @@ Examples
 
 Notes
 
-- You can still initiate authentication by visiting `GET /auth/ldap` to render the HTML form and then submitting it (form-encoded). JSON is an additional option, not a replacement.
+- You can still initiate authentication with a regular form POST and then submit credentials as form-encoded data. JSON is an additional option, not a replacement.
 - In the callback phase (`POST /auth/ldap/callback`), the strategy reads JSON credentials the same way; Rails exposes them via `action_dispatch.request.request_parameters` and non-Rails apps should use a JSON parser middleware.
 
 ### Using a custom filter
@@ -607,15 +591,19 @@ Note: You generally do not need this override. Prefer configuring your proxy to
 
 ### Trusted header SSO (REMOTE_USER and friends)
 
-Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via an HTTP header such as `REMOTE_USER`.
+Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via a server-set environment variable or HTTP header such as `REMOTE_USER`.
 When you enable this mode, the LDAP strategy will trust the upstream header, perform a directory lookup for that user, and complete OmniAuth without asking the user for a password.
 
-Important: Only enable this behind a trusted front-end that strips and sets the header itself. Never enable on a public endpoint without such a gateway, or an attacker could spoof the header.
+Important: Only enable this behind a trusted front-end that authenticates users before they can reach the OmniAuth endpoint. When `header_auth` is enabled the strategy logs a prominent security warning because it trusts the upstream identity completely.
 
 Configuration options:
 
 - `:header_auth` (Boolean, default: false) — Enable trusted header SSO.
-- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read. The strategy checks both `env["REMOTE_USER"]` and the Rack variant `env["HTTP_REMOTE_USER"]`.
+- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read.
+- `:header_auth_source` (`:env` or `:http_header`, default: `:env`) — Which Rack env key form to trust.
+  - `:env` reads only the exact server-set environment key, such as `env["REMOTE_USER"]`.
+  - `:http_header` reads only the Rack HTTP header key, such as `env["HTTP_REMOTE_USER"]`. Only use this behind a proxy that strips client-sent copies of the header before setting its trusted value.
+- `:header_auth_require_tls` (Boolean, default: true) — Raise an error if trusted header SSO is used on a non-TLS request.
 - `:name_proc` is applied to the header value before search (e.g., to strip a domain part).
 - Search is done using your configured `:uid` or `:filter` and the service bind (`:bind_dn`/`:password`) or anonymous bind if allowed.
 
@@ -629,8 +617,9 @@ use OmniAuth::Builder do
     uid: "uid",
     bind_dn: "cn=search,dc=example,dc=com",
     password: ENV["LDAP_SEARCH_PASSWORD"],
-    header_auth: true,                 # trust REMOTE_USER
-    header_name: "REMOTE_USER",       # default
+    header_auth: true,                  # trust the configured upstream identity
+    header_name: "REMOTE_USER",        # default
+    header_auth_source: :env,           # default; reads env["REMOTE_USER"]
     name_proc: proc { |n| n.split("@").first }
 end
 ```
@@ -648,6 +637,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
     password: ENV["LDAP_SEARCH_PASSWORD"],
     header_auth: true,
     header_name: "REMOTE_USER",
+    header_auth_source: :env,
     # Optionally restrict with a group filter while using the header value
     filter: "(&(sAMAccountName=%{username})(memberOf=cn=myapp-users,ou=groups,dc=acme,dc=corp))",
     name_proc: proc { |n| n.gsub(/@.*$/, "") }
@@ -662,13 +652,14 @@ Flow:
 
 Security checklist:
 
-- Ensure your reverse proxy strips user-controlled copies of the header and sets the canonical `REMOTE_USER` itself.
-- Prefer TLS-secured internal links between the proxy and your app.
+- Prefer `header_auth_source: :env` for server-set variables such as `REMOTE_USER`.
+- Use `header_auth_source: :http_header` only when your reverse proxy strips user-controlled copies of the header and sets the canonical value itself.
+- Keep `header_auth_require_tls` enabled unless a separate trusted channel protects traffic between the proxy and your app.
 - Consider also restricting with a group-based `:filter` so only authorized users can sign in.
 
 ## 🦷 FLOSS Funding
 
-While these tools are free software and will always be, the project would benefit immensely from some funding.
+While omniauth tools are free software and will always be, the project would benefit immensely from some funding.
 Raising a monthly budget of... "dollars" would make the project more sustainable.
 
 We welcome both individual and corporate sponsors! We also offer a
@@ -678,7 +669,7 @@ Currently, [GitHub Sponsors][🖇sponsor], and [Liberapay][⛳liberapay] are our
 **If you're working in a company that's making significant use of omniauth tools we'd
 appreciate it if you suggest to your company to become a omniauth sponsor.**
 
-You can support me in development of OmniAuth tools via
+You can support the development of omniauth tools via
 [GitHub Sponsors][🖇sponsor],
 [Liberapay][⛳liberapay],
 [PayPal][🖇paypal],
@@ -698,7 +689,7 @@ I’m developing a new library, [floss_funding][🖇floss-funding-gem], designed
 
 **[Floss-Funding.dev][🖇floss-funding.dev]: 👉️ No network calls. 👉️ No tracking. 👉️ No oversight. 👉️ Minimal crypto hashing. 💡 Easily disabled nags**
 
-[![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate to my FLOSS or refugee efforts at ko-fi.com][🖇kofi-img]][🖇kofi] [![Donate to my FLOSS or refugee efforts using Patreon][🖇patreon-img]][🖇patreon]
+[![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate to my FLOSS efforts at ko-fi.com][🖇kofi-img]][🖇kofi] [![Donate to my FLOSS efforts using Patreon][🖇patreon-img]][🖇patreon]
 
 ## 🔐 Security
 
@@ -770,12 +761,11 @@ For example:
 spec.add_dependency("omniauth-ldap", "~> 1.0")
 ```
 
-<details>
+<details markdown="1">
 <summary>📌 Is "Platform Support" part of the public API? More details inside.</summary>
 
 SemVer should, IMO, but doesn't explicitly, say that dropping support for specific Platforms
-is a *breaking change* to an API.
-It is obvious to many, but not all, and since the spec is silent, the bike shedding is endless.
+is a *breaking change* to an API, and for that reason the bike shedding is endless.
 
 To get a better understanding of how SemVer is intended to work over a project's lifetime,
 read this article from the creator of SemVer:
@@ -796,7 +786,7 @@ See [LICENSE.txt][📄license] for the official [Copyright Notice][📄copyright
 
 <ul>
     <li>
-        Copyright (c) 2025 Peter H. Boling, of
+        Copyright (c) 2025 - 2026 Peter H. Boling, of
         <a href="https://discord.gg/3qme4XHNKN">
             Galtzo.com
             <picture>
@@ -991,7 +981,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.297-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.312-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year

data/lib/omniauth/strategies/ldap.rb

@@ -1,14 +1,64 @@
+# frozen_string_literal: true
+
 require "omniauth"
 require "omniauth/version"
 
+# OmniAuth strategies namespace.
+#
+# This file implements an LDAP authentication strategy for OmniAuth.
+# It provides both an interactive request phase (login form) and a
+# callback phase which binds to an LDAP directory to authenticate the
+# user or performs a lookup for header-based SSO.
+#
+# The strategy exposes a number of options (see `option` calls below)
+# that control LDAP connection, mapping of LDAP attributes to the
+# OmniAuth `info` hash, header-based SSO behavior, and SSL/timeouts.
+#
+# @example Minimal Rack mounting
+#   use OmniAuth::Builder do
+#     provider :ldap, {
+#       host: 'ldap.example.com',
+#       base: 'dc=example,dc=com'
+#     }
+#   end
+#
 module OmniAuth
   module Strategies
+    # LDAP OmniAuth strategy
+    #
+    # This class implements the OmniAuth::Strategy interface and performs
+    # LDAP authentication using an `Adaptor` object. It supports three
+    # primary flows:
+    #
+    # - Interactive login form (request_phase) where users POST username/password
+    # - Callback binding where the strategy attempts to bind as the user
+    # - Header-based SSO (trusted upstream) where a header identifies the user
+    #
+    # The mapping from LDAP attributes to resulting `info` fields is
+    # configurable via the `:mapping` option. See `map_user` for the
+    # mapping algorithm.
+    #
+    # @see OmniAuth::Strategy
     class LDAP
+      # Whether the loaded OmniAuth version is >= 2.0.0; used to set default request methods.
+      # @return [Boolean]
       OMNIAUTH_GTE_V2 = Gem::Version.new(OmniAuth::VERSION) >= Gem::Version.new("2.0.0")
+
       include OmniAuth::Strategy
 
+      # Raised when credentials are invalid or the user cannot be authenticated.
+      # @example
+      #   raise InvalidCredentialsError, 'Invalid credentials'
       InvalidCredentialsError = Class.new(StandardError)
 
+      # Default mapping for converting LDAP attributes to OmniAuth `info` keys.
+      # Keys are the resulting `info` hash keys (strings). Values may be:
+      # - String: single LDAP attribute name
+      # - Array: list of attribute names in priority order
+      # - Hash: pattern mapping where pattern keys contain %<n> placeholders
+      #   that are substituted from a list of possible attribute names
+      #
+      # @return [Hash<String, String|Array|Hash>]
       option :mapping, {
         "name" => "cn",
         "first_name" => "givenName",
@@ -24,7 +74,11 @@ module OmniAuth
         "image" => "jpegPhoto",
         "description" => "description",
       }
-      option :title, "LDAP Authentication" # default title for authentication form
+
+      # Default title shown on the login form.
+      # @return [String]
+      option :title, "LDAP Authentication"
+
       # For OmniAuth >= 2.0 the default allowed request method is POST only.
       # Ensure the strategy follows that default so GET /auth/:provider returns 404 as expected in tests.
       if OMNIAUTH_GTE_V2
@@ -32,6 +86,8 @@ module OmniAuth
       else
         option(:request_methods, [:get, :post])
       end
+
+      # Default LDAP connection options / behavior
       option :port, 389
       option :method, :plain
       option :disable_verify_certificates, false
@@ -39,17 +95,34 @@ module OmniAuth
       option :ssl_version, nil # use OpenSSL default if nil
       option :uid, "sAMAccountName"
       option :name_proc, lambda { |n| n }
+
       # Trusted header SSO support (disabled by default)
-      # :header_auth - when true and the header is present, the strategy trusts the upstream gateway
-      #                 and searches the directory for the user without requiring a user password.
-      # :header_name - which header/env key to read (default: "REMOTE_USER"). We will also check the
-      #                 standard Rack "HTTP_" variant automatically.
+      # :header_auth - when true and the configured header/env key is present, the strategy trusts
+      #                 the upstream gateway and searches the directory for the user without
+      #                 requiring a user password.
+      # :header_name - which header/env key to read (default: "REMOTE_USER").
+      # :header_auth_source - :env trusts only server-set env variables. :http_header trusts only
+      #                       Rack HTTP header keys, and should only be used behind a proxy that
+      #                       strips client-supplied copies of the header.
+      # :header_auth_require_tls - require a TLS request for header auth.
       option :header_auth, false
       option :header_name, "REMOTE_USER"
+      option :header_auth_source, :env
+      option :header_auth_require_tls, true
+
       # Optional timeouts (forwarded to Net::LDAP when supported)
       option :connect_timeout, nil
       option :read_timeout, nil
 
+      # Request phase: Render the login form or redirect to callback for header-auth or direct POSTed credentials
+      #
+      # This will behave differently depending on OmniAuth version and request method:
+      # - For OmniAuth >= 2.0 a GET to /auth/:provider should return 404 (so we return a 404 for GET requests).
+      # - If header-based SSO is enabled and a trusted header is present we immediately redirect to the callback.
+      # - If credentials are POSTed directly to /auth/:provider we redirect to the callback so the test helpers
+      #   that populate `env['omniauth.auth']` can operate on the callback request.
+      #
+      # @return [Array] A Rack response triple from the login form or redirect.
       def request_phase
         # OmniAuth >= 2.0 expects the request phase to be POST-only for /auth/:provider.
         # Some test environments (and OmniAuth itself) enforce this by returning 404 on GET.
@@ -57,6 +130,8 @@ module OmniAuth
           return Rack::Response.new("", 404, {"Content-Type" => "text/plain"}).finish
         end
 
+        validate_header_auth_configuration!
+
         # Fast-path: if a trusted identity header is present, skip the login form
         # and jump to the callback where we will complete using directory lookup.
         if header_username
@@ -78,11 +153,26 @@ module OmniAuth
         f.to_response
       end
 
+      # Callback phase: Authenticate user or perform header-based lookup
+      #
+      # This method executes on the callback URL and implements the main
+      # authentication logic. There are two primary paths:
+      #
+      # - Header-based lookup: when `options[:header_auth]` is enabled and a header value is present,
+      #   we perform a read-only directory lookup for the user and, if found, map attributes and finish.
+      # - Password bind: when username/password are provided we attempt a bind as the user using the adaptor.
+      #
+      # Errors raised by the LDAP adaptor are captured and turned into OmniAuth failures.
+      #
+      # @raise [InvalidCredentialsError] when credentials are invalid
+      # @return [Object] result of calling `super` from the OmniAuth::Strategy chain
       def callback_phase
         @adaptor = OmniAuth::LDAP::Adaptor.new(@options)
 
         return fail!(:invalid_request_method) unless valid_request_method?
 
+        validate_header_auth_configuration!
+
         # Header-based SSO (REMOTE_USER-style) path
         if (hu = header_username)
           begin
@@ -118,6 +208,15 @@ module OmniAuth
         end
       end
 
+      # Build an LDAP filter for searching/binding the user.
+      #
+      # If the adaptor has a custom `filter` option set it will be used (with
+      # interpolation of `%{username}`). Otherwise a simple equality filter for
+      # the configured uid attribute is used.
+      #
+      # @param adaptor [OmniAuth::LDAP::Adaptor] the adaptor used to build connection/filters
+      # @param username_override [String, nil] optional username to build the filter for (defaults to request username)
+      # @return [Net::LDAP::Filter] the constructed filter object
       def filter(adaptor, username_override = nil)
         flt = adaptor.filter
         if flt && !flt.to_s.empty?
@@ -128,17 +227,37 @@ module OmniAuth
         end
       end
 
-      uid {
-        @user_info["uid"]
-      }
-      info {
-        @user_info
-      }
-      extra {
-        {raw_info: @ldap_user_info}
-      }
+      # The uid exposed to OmniAuth consumers.
+      #
+      # This block-based DSL is part of OmniAuth::Strategy; document the value
+      # returned by the block.
+      #
+      # @return [String] the user's uid as determined from the mapped info
+      uid { @user_info["uid"] }
+
+      # The `info` hash returned to OmniAuth consumers. Usually contains name, email, etc.
+      # @return [Hash<String, Object>]
+      info { @user_info }
+
+      # Extra information exposed under `extra[:raw_info]` containing the raw LDAP entry.
+      # @return [Hash{Symbol => Object}]
+      extra { {raw_info: @ldap_user_info} }
 
       class << self
+        # Map LDAP attributes from the directory entry into a simple Hash used
+        # for the OmniAuth `info` hash according to the provided `mapper`.
+        #
+        # The mapper supports three types of values:
+        # - String: a single attribute name. The method will call the attribute
+        #   reader (downcased symbol) on the `object` and take the first value.
+        # - Array: iterate values and pick the first attribute that exists on the object.
+        # - Hash: a mapping of a pattern string to an array of attribute-name lists
+        #   where each `%<n>` placeholder in the pattern will be substituted by the
+        #   first available attribute from the corresponding list.
+        #
+        # @param mapper [Hash] mapping configuration (see option :mapping)
+        # @param object [#respond_to?, #[]] directory entry (commonly a Net::LDAP::Entry or similar)
+        # @return [Hash<String, Object>] the mapped user info hash
         def map_user(mapper, object)
           user = {}
           mapper.each do |key, value|
@@ -177,33 +296,93 @@ module OmniAuth
 
       protected
 
+      # Validate that the incoming request method is allowed.
+      #
+      # For OmniAuth >= 2.0 the default is POST only. This method checks the
+      # Rack env REQUEST_METHOD directly so tests and environments that stub
+      # request.HTTP_METHOD are handled deterministically.
+      #
+      # @return [Boolean] true when the request method is POST
       def valid_request_method?
         request.env["REQUEST_METHOD"] == "POST"
       end
 
+      # Determine if the request is missing required credentials.
+      #
+      # @return [Boolean] true when username or password are nil/empty
       def missing_credentials?
         request_data["username"].nil? || request_data["username"].empty? || request_data["password"].nil? || request_data["password"].empty?
       end
 
+      # Extract request parameters in a way compatible with Rails/Rack.
+      #
+      # @return [Hash] parameters hash containing at least "username" and "password" when provided
       def request_data
         @env["action_dispatch.request.request_parameters"] || request.params
       end
 
-      # Extract a normalized username from a trusted header when enabled.
+      # Extract a normalized username from a trusted header/env key when enabled.
       # Returns nil when not configured or not present.
+      #
+      # The source is intentionally explicit: :env reads the raw env key
+      # (e.g. "REMOTE_USER"), while :http_header reads the Rack HTTP_ variant
+      # (e.g. "HTTP_REMOTE_USER" or "HTTP_X_REMOTE_USER").
+      #
+      # @return [String, nil] normalized username or nil if not present
       def header_username
         return unless options[:header_auth]
 
-        name = options[:header_name] || "REMOTE_USER"
-        # Try both the raw env var (e.g., REMOTE_USER) and the Rack HTTP_ variant (e.g., HTTP_REMOTE_USER or HTTP_X_REMOTE_USER)
-        raw = request.env[name] || request.env["HTTP_#{name.upcase.tr("-", "_")}"]
+        raw = request.env[header_auth_env_key]
         return if raw.nil? || raw.to_s.strip.empty?
 
         options[:name_proc].call(raw.to_s)
       end
 
+      # Validate trusted header auth before reading the configured identity key.
+      #
+      # @raise [ArgumentError] when the header auth options are unsafe or invalid
+      # @return [void]
+      def validate_header_auth_configuration!
+        return unless options[:header_auth]
+
+        log_header_auth_warning
+
+        source = (options[:header_auth_source] || :env).to_sym
+        unless [:env, :http_header].include?(source)
+          raise ArgumentError, "header_auth_source must be :env or :http_header"
+        end
+
+        if options[:header_auth_require_tls] && !request.ssl?
+          raise ArgumentError, "header_auth requires TLS unless header_auth_require_tls is disabled"
+        end
+      end
+
+      # Rack env key selected by the explicit header auth source option.
+      #
+      # @return [String]
+      def header_auth_env_key
+        name = options[:header_name] || "REMOTE_USER"
+        return name if (options[:header_auth_source] || :env).to_sym == :env
+
+        "HTTP_#{name.upcase.tr("-", "_")}"
+      end
+
+      # Warn operators that trusted header auth delegates authentication to the upstream gateway.
+      #
+      # @return [void]
+      def log_header_auth_warning
+        logger = OmniAuth.config.respond_to?(:logger) ? OmniAuth.config.logger : nil
+        return unless logger && logger.respond_to?(:warn)
+
+        logger.warn("[omniauth-ldap] SECURITY WARNING: header_auth is enabled. This trusts upstream authentication completely; only enable it behind a trusted proxy that strips client-supplied identity headers.")
+      end
+
       # Perform a directory lookup for the given username using the strategy configuration
       # (bind_dn/password or anonymous). Does not attempt to bind as the user.
+      #
+      # @param adaptor [OmniAuth::LDAP::Adaptor] initialized adaptor
+      # @param username [String] username to look up
+      # @return [Object, nil] first directory entry found or nil
       def directory_lookup(adaptor, username)
         entry = nil
         search_filter = filter(adaptor, username)
@@ -216,6 +395,11 @@ module OmniAuth
 
       # If the adaptor captured a Password Policy response control, expose a minimal, stable hash
       # in the Rack env for applications to inspect.
+      #
+      # The structure is available at `request.env['omniauth.ldap.password_policy']`.
+      #
+      # @param adaptor [OmniAuth::LDAP::Adaptor]
+      # @return [void]
       def attach_password_policy_env(adaptor)
         return unless adaptor.respond_to?(:password_policy) && adaptor.password_policy
         ctrl = adaptor.respond_to?(:last_password_policy_response) ? adaptor.last_password_policy_response : nil
@@ -226,6 +410,10 @@ module OmniAuth
       end
 
       # Best-effort extraction across net-ldap versions; if fields are not available, returns a raw payload.
+      #
+      # @param control [Object, nil] the password policy response control if available
+      # @param operation [Object, nil] the last operation result if available
+      # @return [Hash] normalized password policy info with keys :raw, :error, :time_before_expiration, :grace_authns_remaining, :oid, :operation
       def extract_password_policy(control, operation)
         data = {raw: control}
         if control

data/lib/omniauth-ldap/adaptor.rb

@@ -10,12 +10,36 @@ require "sasl"
 
 module OmniAuth
   module LDAP
+    # Adaptor encapsulates the behavior required to connect to an LDAP server
+    # and perform searches and binds. It maps user-provided configuration into
+    # a Net::LDAP connection and provides compatibility helpers for different
+    # net-ldap and SASL versions. The adaptor is intentionally defensive and
+    # provides a small, stable API used by the OmniAuth strategy.
+    #
+    # @example Initialize with minimal config
+    #   adaptor = OmniAuth::LDAP::Adaptor.new(base: 'dc=example,dc=com', host: 'ldap.example.com')
+    #
+    # @note Public API: {validate}, {initialize}, {bind_as}, and attr readers such as {connection}, {uid}
     class Adaptor
+      # Generic adaptor error super-class
+      # @see Error classes that inherit from this class
       class LdapError < StandardError; end
+
+      # Raised when configuration is invalid
+      # @example
+      #   raise ConfigurationError, 'missing base'
       class ConfigurationError < StandardError; end
+
+      # Raised when authentication fails
       class AuthenticationError < StandardError; end
+
+      # Raised on connection-related failures
       class ConnectionError < StandardError; end
 
+      # Valid configuration keys accepted by the adaptor. These correspond to
+      # the options supported by the gem and are used during initialization.
+      #
+      # @return [Array<Symbol>]
       VALID_ADAPTER_CONFIGURATION_KEYS = [
         :hosts,
         :host,
@@ -42,7 +66,9 @@ module OmniAuth
         :ssl_version,
       ]
 
-      # A list of needed keys. Possible alternatives are specified using sub-lists.
+      # Required configuration keys. This may include alternatives as sub-lists
+      # (e.g., [:hosts, :host] means either key is acceptable).
+      # @return [Array]
       MUST_HAVE_KEYS = [
         :base,
         [:encryption, :method], # :method is deprecated
@@ -51,6 +77,8 @@ module OmniAuth
         [:uid, :filter],
       ]
 
+      # Supported encryption method mapping for configuration readability.
+      # @return [Hash<Symbol,Symbol,nil>]
       ENCRYPTION_METHOD = {
         simple_tls: :simple_tls,
         start_tls: :start_tls,
@@ -62,21 +90,70 @@ module OmniAuth
         tls: :start_tls,
       }
 
+      # @!attribute [rw] bind_dn
+      #   The distinguished name used for binding when provided in configuration.
+      #   @return [String, nil]
+      # @!attribute [rw] password
+      #   The bind password (may be nil for anonymous binds)
+      #   @return [String, nil]
       attr_accessor :bind_dn, :password
+
+      # Read-only attributes exposing connection and configuration state.
+      # @!attribute [r] connection
+      #   The underlying Net::LDAP connection object.
+      #   @return [Net::LDAP]
+      # @!attribute [r] uid
+      #   The user id attribute used for lookups (e.g., 'sAMAccountName')
+      #   @return [String]
+      # @!attribute [r] base
+      #   The base DN for searches.
+      #   @return [String]
+      # @!attribute [r] auth
+      #   The final auth structure used by net-ldap.
+      #   @return [Hash]
+      # @!attribute [r] filter
+      #   Custom filter pattern when provided in configuration.
+      #   @return [String, nil]
+      # @!attribute [r] password_policy
+      #   Whether to request LDAP Password Policy controls.
+      #   @return [Boolean]
+      # @!attribute [r] last_operation_result
+      #   Last operation result object returned by the ldap library (if any)
+      #   @return [Object, nil]
+      # @!attribute [r] last_password_policy_response
+      #   Last extracted password policy response control (if any)
+      #   @return [Object, nil]
       attr_reader :connection, :uid, :base, :auth, :filter, :password_policy, :last_operation_result, :last_password_policy_response
 
-      def self.validate(configuration = {})
-        message = []
-        MUST_HAVE_KEYS.each do |names|
-          names = [names].flatten
-          missing_keys = names.select { |name| configuration[name].nil? }
-          if missing_keys == names
-            message << names.join(" or ")
+      # Validate that a minimal configuration is present. Raises ArgumentError when required
+      # keys are missing. This is a convenience to provide early feedback to callers.
+      #
+      # @param configuration [Hash] configuration hash passed to the adaptor
+      # @raise [ArgumentError] when required keys are missing
+      # @return [void]
+      class << self
+        def validate(configuration = {})
+          message = []
+          MUST_HAVE_KEYS.each do |names|
+            names = [names].flatten
+            missing_keys = names.select { |name| configuration[name].nil? }
+            if missing_keys == names
+              message << names.join(" or ")
+            end
           end
+          raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
         end
-        raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
       end
 
+      # Create a new adaptor instance backed by a Net::LDAP connection.
+      #
+      # The constructor does not immediately open a network connection but
+      # prepares the Net::LDAP instance according to the provided configuration.
+      # It also applies timeout settings where supported by the installed net-ldap version.
+      #
+      # @param configuration [Hash] user-provided configuration options
+      # @raise [ArgumentError, ConfigurationError] on invalid configuration
+      # @return [OmniAuth::LDAP::Adaptor]
       def initialize(configuration = {})
         Adaptor.validate(configuration)
         @configuration = configuration.dup
@@ -128,6 +205,16 @@ module OmniAuth
       #:base => "dc=yourcompany, dc=com",
       # :filter => "(mail=#{user})",
       # :password => psw
+      #
+      # Attempt to locate a user entry and bind as that entry using the supplied
+      # password. Returns the entry on success, or false/nil on failure.
+      #
+      # @param args [Hash] search and bind options forwarded to net-ldap's search
+      # @option args [Net::LDAP::Filter,String] :filter LDAP filter to use
+      # @option args [Integer] :size maximum number of results to fetch
+      # @option args [String,Proc] :password a password string or callable returning a password
+      # @return [Net::LDAP::Entry, false, nil] the found entry on successful bind, otherwise false/nil
+      # @raise [ConnectionError] if the underlying LDAP search fails
       def bind_as(args = {})
         result = false
         @last_operation_result = nil
@@ -179,6 +266,9 @@ module OmniAuth
 
       private
 
+      # Build encryption options for Net::LDAP given the configured method
+      #
+      # @return [Hash, nil] encryption options or nil for plain (no encryption)
       def encryption_options
         translated_method = translate_method
         return unless translated_method
@@ -189,6 +279,10 @@ module OmniAuth
         }
       end
 
+      # Normalize the user-provided encryption/method option and map to known values.
+      #
+      # @raise [ConfigurationError] when an unknown method is provided
+      # @return [Symbol, nil]
       def translate_method
         method = @encryption || @method
         method ||= "plain"
@@ -203,6 +297,10 @@ module OmniAuth
         ENCRYPTION_METHOD[normalized_method]
       end
 
+      # Build TLS options including backward-compatibility for deprecated keys.
+      #
+      # @param translated_method [Symbol] the normalized encryption method
+      # @return [Hash] a hash suitable for passing as :tls_options
       def tls_options(translated_method)
         return {} if translated_method.nil? # (plain)
 
@@ -223,6 +321,10 @@ module OmniAuth
         options
       end
 
+      # Build a list of SASL auth structures for each requested mechanism.
+      #
+      # @param options [Hash] options such as :username and :password
+      # @return [Array<Hash>] list of auth structures
       def sasl_auths(options = {})
         auths = []
         sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
@@ -241,6 +343,9 @@ module OmniAuth
         auths
       end
 
+      # Prepare SASL DIGEST-MD5 bind details
+      # @param options [Hash]
+      # @return [Array] initial_credential and a challenge response proc
       def sasl_bind_setup_digest_md5(options)
         bind_dn = options[:username]
         initial_credential = ""
@@ -253,6 +358,9 @@ module OmniAuth
         [initial_credential, challenge_response]
       end
 
+      # Prepare SASL GSS-SPNEGO bind details
+      # @param options [Hash]
+      # @return [Array] initial Type1 message and a nego proc
       def sasl_bind_setup_gss_spnego(options)
         bind_dn = options[:username]
         psw = options[:password]
@@ -268,8 +376,9 @@ module OmniAuth
         [Net::NTLM::Message::Type1.new.serialize, nego]
       end
 
-      private
-
+      # Default TLS/OpenSSL options used when not explicitly configured.
+      #
+      # @return [Hash]
       def default_options
         if @disable_verify_certificates
           # It is important to explicitly set verify_mode for two reasons:
@@ -286,6 +395,9 @@ module OmniAuth
       #
       # This gem may not always be in the context of Rails so we
       # do this rather than `.blank?`.
+      #
+      # @param hash [Hash]
+      # @return [Hash] sanitized hash with blank values removed
       def sanitize_hash_values(hash)
         hash.delete_if do |_, value|
           value.nil? ||
@@ -293,6 +405,10 @@ module OmniAuth
         end
       end
 
+      # Convert string keys to symbol keys for options hashes.
+      #
+      # @param hash [Hash]
+      # @return [Hash<Symbol, Object>]
       def symbolize_hash_keys(hash)
         hash.each_with_object({}) do |(key, value), result|
           result[key.to_sym] = value
@@ -300,6 +416,12 @@ module OmniAuth
       end
 
       # Capture the operation result and extract any Password Policy response control if present.
+      #
+      # This method is defensive: if the server or the installed net-ldap gem doesn't
+      # support controls, the method will swallow errors and leave policy fields nil.
+      #
+      # @param conn [Net::LDAP]
+      # @return [void]
       def capture_password_policy(conn)
         return unless @password_policy
         return unless conn.respond_to?(:get_operation_result)

data/lib/omniauth-ldap/version.rb

@@ -1,8 +1,17 @@
 module OmniAuth
   module LDAP
+    # Version namespace for the omniauth-ldap gem
+    #
+    # This module contains the version constant used by rubygems and in code
+    # consumers. It intentionally exposes VERSION both inside the Version
+    # namespace and as OmniAuth::LDAP::VERSION for compatibility.
     module Version
-      VERSION = "2.3.2"
+      # Public semantic version for the gem
+      # @return [String]
+      VERSION = "2.3.4"
     end
+    # Convenience constant for consumers that expect OmniAuth::LDAP::VERSION
+    # @return [String]
     VERSION = Version::VERSION # Make VERSION available in traditional way
   end
 end

data/lib/omniauth-ldap.rb

@@ -1,3 +1,11 @@
+# Integrate the VersionGem helper into the OmniAuth::LDAP::Version module
+# to expose common version-related helper methods. This file is the public
+# entry point required by consumers of the gem.
+#
+# @example
+#   require 'omniauth-ldap'
+#   OmniAuth::LDAP::VERSION # => "2.3.2"
+
 require "version_gem"
 
 require "omniauth-ldap/version"

data/sig/omniauth/strategies/ldap.rbs

@@ -22,6 +22,12 @@ module OmniAuth
       # Extract username from a trusted header when enabled
       def header_username: () -> (String | nil)
 
+      def validate_header_auth_configuration!: () -> void
+
+      def header_auth_env_key: () -> String
+
+      def log_header_auth_warning: () -> void
+
       # Perform a directory lookup for a given username; returns an Entry or nil
       def directory_lookup: (OmniAuth::LDAP::Adaptor, String) -> untyped
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.3.4
 platform: ruby
 authors:
 - Peter Boling
@@ -337,34 +337,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.3
-- !ruby/object:Gem::Dependency
-  name: vcr
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3'
 description: "\U0001F4C1 LDAP strategy for OmniAuth."
 email:
 - floss@galtzo.com
@@ -408,10 +380,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://omniauth-ldap.galtzo.com/
-  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.2
-  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.2/CHANGELOG.md
+  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.4
+  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.4/CHANGELOG.md
   bug_tracker_uri: https://github.com/omniauth/omniauth-ldap/issues
-  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.2
+  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.4
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/omniauth/omniauth-ldap/wiki
   news_uri: https://www.railsbling.com/tags/omniauth-ldap
@@ -440,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 4.0.11
 specification_version: 4
 summary: "\U0001F4C1 LDAP strategy for OmniAuth."
 test_files: []