RubyGems - omniauth-microsoft_graph - Versions diffs - 0.2.1 → 0.3.0 - Mend

omniauth-microsoft_graph 0.2.1 → 0.3.0

Potentially problematic release.

This version of omniauth-microsoft_graph might be problematic. Click here for more details.

Files changed (11) hide show

checksums.yaml +4 -4
data/.travis.yml +2 -1
data/Rakefile +5 -7
data/lib/omniauth/microsoft_graph/version.rb +1 -1
data/lib/omniauth/strategies/microsoft_graph.rb +87 -28
data/omniauth-microsoft_graph.gemspec +6 -6
data/spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb +443 -0
data/spec/spec_helper.rb +4 -0
metadata +41 -21
data/test/strategy_test.rb +0 -26
data/test/test_helper.rb +0 -31

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bc7fe638d8adc7a7d35f5c16bdee73b203ac1692
-  data.tar.gz: 61003e06a1329c5da156f151293af05d9b55c34c
+  metadata.gz: d5fb7e4f89d46058d18c857dbe0935cbf720c802
+  data.tar.gz: 29291329512d0d36bad6e0ff1a3917f842a4b83c
 SHA512:
-  metadata.gz: 2a3d808f2b673c8400650aebf3e8ac942b34f378b4419f358ddbeaee3c2780081447118dc18555d9761c6d5e4ed34da687b79da685dc04deb4d9967549041bd4
-  data.tar.gz: ffe7af4f24659f74743360a51b8f67bb4e4f367c9bf1f4fe32b29bd9ca5781b24e10f0046c3ba3073d68595f071d5360840ace5f377eec3c088f8f9053a57dd8
+  metadata.gz: 339872f74676b8269b0a92c46f56bdb8b350a6fe64df495bd23a8580ed45645b258bd181bbb82ab68faa362de0a9b1823bd25e71a0ba60a629d4e517fe33cbf5
+  data.tar.gz: b562fde6e3529990b1caa343c7044f7ae3dd02d66c41065aa6332c8282290397f21a310080f109581784dbd58b91f3ea2a5662518326705e47fac38727de4ef4

data/.travis.yml CHANGED

@@ -1,4 +1,5 @@
 language: ruby
 rvm:
-  - 2.2
+  - 2.3
+  - 2.6
   - jruby

data/Rakefile CHANGED

@@ -1,10 +1,8 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
+# frozen_string_literal: true
-Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.test_files = FileList['test/*_test.rb']
-end
+require File.join('bundler', 'gem_tasks')
+require File.join('rspec', 'core', 'rake_task')
-task :default => :test
+RSpec::Core::RakeTask.new(:spec)
+task default: :spec

data/lib/omniauth/microsoft_graph/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Omniauth
   module MicrosoftGraph
-    VERSION = "0.2.1"
+    VERSION = "0.3.0"
   end
 end

data/lib/omniauth/strategies/microsoft_graph.rb CHANGED

@@ -3,64 +3,123 @@ require 'omniauth-oauth2'
 module OmniAuth
   module Strategies
     class MicrosoftGraph < OmniAuth::Strategies::OAuth2
+      BASE_SCOPE_URL = 'https://graph.microsoft.com/'
+      BASE_SCOPES = %w[offline_access openid email profile].freeze
+      DEFAULT_SCOPE = 'openid email profile User.Read'.freeze
       option :name, :microsoft_graph
       option :client_options, {
-        site:          'https://login.microsoftonline.com',
-        token_url:     '/common/oauth2/v2.0/token',
-        authorize_url: '/common/oauth2/v2.0/authorize'
+        site:          'https://login.microsoftonline.com/',
+        token_url:     'common/oauth2/v2.0/token',
+        authorize_url: 'common/oauth2/v2.0/authorize'
+      }
+      option :authorize_options, %i[state callback_url access_type display score auth_type scope prompt login_hint domain_hint response_mode]
+      option :token_params, {
       }
-      option :authorize_options, %i[display score auth_type scope prompt login_hint domain_hint response_mode]
+      option :scope, DEFAULT_SCOPE
+      option :authorized_client_ids, []
       uid { raw_info["id"] }
       info do
         {
-          email:      raw_info["mail"] || raw_info["userPrincipalName"],
-          first_name: raw_info["givenName"],
-          last_name:  raw_info["surname"],
-          name:       full_name,
-          nickname:   raw_info["userPrincipalName"],
+          'email' => raw_info["mail"],
+          'first_name' => raw_info["givenName"],
+          'last_name' => raw_info["surname"],
+          'name' => [raw_info["givenName"], raw_info["surname"]].join(' '),
+          'nickname' => raw_info["displayName"],
         }
       end
       extra do
         {
           'raw_info' => raw_info,
-          'params' => access_token.params
+          'params' => access_token.params,
+          'aud' => options.client_id
         }
       end
-      def callback_url
-        options[:redirect_uri] || (full_host + script_name + callback_path)
-      end
-      def raw_info
-        @raw_info ||= access_token.get('https://graph.microsoft.com/v1.0/me').parsed
-      end
       def authorize_params
         super.tap do |params|
-          %w[display score auth_type].each do |v|
-            if request.params[v]
-              params[v.to_sym] = request.params[v]
-            end
+          options[:authorize_options].each do |k|
+            params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
           end
+          params[:scope] = get_scope(params)
+          params[:access_type] = 'offline' if params[:access_type].nil?
+          session['omniauth.state'] = params[:state] if params[:state]
         end
+      end
+      def raw_info
+        @raw_info ||= access_token.get('https://graph.microsoft.com/v1.0/me').parsed
       end
-      def full_name
-        raw_info["displayName"].presence || raw_info.values_at("givenName", "surname").compact.join(' ')
+      def callback_url
+        options[:callback_url] || full_host + script_name + callback_path
+      end
+      def custom_build_access_token
+        access_token = get_access_token(request)
+        access_token
       end
-      def build_access_token
-        if request.params['access_token']
+      alias build_access_token custom_build_access_token
+      private
+      def get_access_token(request)
+        verifier = request.params['code']
+        redirect_uri = request.params['redirect_uri'] || request.params['callback_url']
+        if verifier && request.xhr?
+          client_get_token(verifier, redirect_uri || '/auth/microsoft_graph/callback')
+        elsif verifier
+          client_get_token(verifier, redirect_uri || callback_url)
+        elsif verify_token(request.params['access_token'])
           ::OAuth2::AccessToken.from_hash(client, request.params.dup)
-        else
-          super
+        elsif request.content_type =~ /json/i
+          begin
+            body = JSON.parse(request.body.read)
+            request.body.rewind # rewind request body for downstream middlewares
+            verifier = body && body['code']
+            client_get_token(verifier, '/auth/microsoft_graph/callback') if verifier
+          rescue JSON::ParserError => e
+            warn "[omniauth google-oauth2] JSON parse error=#{e}"
+          end
         end
       end
+      def client_get_token(verifier, redirect_uri)
+        client.auth_code.get_token(verifier, get_token_options(redirect_uri), get_token_params)
+      end
+      def get_token_params
+        deep_symbolize(options.auth_token_params || {})
+      end
+      def get_token_options(redirect_uri = '')
+        { redirect_uri: redirect_uri }.merge(token_params.to_hash(symbolize_keys: true))
+      end
+      def get_scope(params)
+        raw_scope = params[:scope] || DEFAULT_SCOPE
+        scope_list = raw_scope.split(' ').map { |item| item.split(',') }.flatten
+        scope_list.map! { |s| s =~ %r{^https?://} || BASE_SCOPES.include?(s) ? s : "#{BASE_SCOPE_URL}#{s}" }
+        scope_list.join(' ')
+      end
+      def verify_token(access_token)
+        return false unless access_token
+        # access_token.get('https://graph.microsoft.com/v1.0/me').parsed
+        raw_response = client.request(:get, 'https://graph.microsoft.com/v1.0/me',
+                                      params: { access_token: access_token }).parsed
+        (raw_response['aud'] == options.client_id) || options.authorized_client_ids.include?(raw_response['aud'])
+      end
     end
   end
 end

data/omniauth-microsoft_graph.gemspec CHANGED

@@ -18,10 +18,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
-  spec.add_runtime_dependency "omniauth-oauth2"
-  spec.add_development_dependency "sinatra"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest"
-  spec.add_development_dependency "mocha"
+  spec.add_runtime_dependency 'omniauth', '~> 1.1', '>= 1.1.1'
+  spec.add_runtime_dependency 'omniauth-oauth2', '~> 1.6'
+  spec.add_development_dependency "sinatra", '~> 0'
+  spec.add_development_dependency "rake", '~> 0'
+  spec.add_development_dependency 'rspec', '~> 3.6'
+  spec.add_development_dependency "mocha", '~> 0'
 end

data/spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb ADDED

@@ -0,0 +1,443 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'json'
+require 'omniauth_microsoft_graph'
+require 'stringio'
+describe OmniAuth::Strategies::MicrosoftGraph do
+  let(:request) { double('Request', params: {}, cookies: {}, env: {}) }
+  let(:app) do
+    lambda do
+      [200, {}, ['Hello.']]
+    end
+  end
+  subject do
+    OmniAuth::Strategies::MicrosoftGraph.new(app, 'appid', 'secret', @options || {}).tap do |strategy|
+      allow(strategy).to receive(:request) do
+        request
+      end
+    end
+  end
+  before do
+    OmniAuth.config.test_mode = true
+  end
+  after do
+    OmniAuth.config.test_mode = false
+  end
+  describe '#client_options' do
+    it 'has correct site' do
+      expect(subject.client.site).to eq('https://login.microsoftonline.com/')
+    end
+    it 'has correct authorize_url' do
+      expect(subject.client.options[:authorize_url]).to eq('common/oauth2/v2.0/authorize')
+    end
+    it 'has correct token_url' do
+      expect(subject.client.options[:token_url]).to eq('common/oauth2/v2.0/token')
+    end
+    describe 'overrides' do
+      context 'as strings' do
+        it 'should allow overriding the site' do
+          @options = { client_options: { 'site' => 'https://example.com' } }
+          expect(subject.client.site).to eq('https://example.com')
+        end
+        it 'should allow overriding the authorize_url' do
+          @options = { client_options: { 'authorize_url' => 'https://example.com' } }
+          expect(subject.client.options[:authorize_url]).to eq('https://example.com')
+        end
+        it 'should allow overriding the token_url' do
+          @options = { client_options: { 'token_url' => 'https://example.com' } }
+          expect(subject.client.options[:token_url]).to eq('https://example.com')
+        end
+      end
+      context 'as symbols' do
+        it 'should allow overriding the site' do
+          @options = { client_options: { site: 'https://example.com' } }
+          expect(subject.client.site).to eq('https://example.com')
+        end
+        it 'should allow overriding the authorize_url' do
+          @options = { client_options: { authorize_url: 'https://example.com' } }
+          expect(subject.client.options[:authorize_url]).to eq('https://example.com')
+        end
+        it 'should allow overriding the token_url' do
+          @options = { client_options: { token_url: 'https://example.com' } }
+          expect(subject.client.options[:token_url]).to eq('https://example.com')
+        end
+      end
+    end
+  end
+  describe '#authorize_options' do
+    %i[display score auth_type scope prompt login_hint domain_hint response_mode].each do |k|
+      it "should support #{k}" do
+        @options = { k => 'http://someval' }
+        expect(subject.authorize_params[k.to_s]).to eq('http://someval')
+      end
+    end
+    describe 'callback_url' do
+      it 'should default to nil' do
+        @options = {}
+        expect(subject.authorize_params['callback_url']).to eq(nil)
+      end
+      it 'should set the callback_url parameter if present' do
+        @options = { callback_url: 'https://example.com' }
+        expect(subject.authorize_params['callback_url']).to eq('https://example.com')
+      end
+    end
+    describe 'access_type' do
+      it 'should default to "offline"' do
+        @options = {}
+        expect(subject.authorize_params['access_type']).to eq('offline')
+      end
+      it 'should set the access_type parameter if present' do
+        @options = { access_type: 'online' }
+        expect(subject.authorize_params['access_type']).to eq('online')
+      end
+    end
+    describe 'login_hint' do
+      it 'should default to nil' do
+        expect(subject.authorize_params['login_hint']).to eq(nil)
+      end
+      it 'should set the login_hint parameter if present' do
+        @options = { login_hint: 'john@example.com' }
+        expect(subject.authorize_params['login_hint']).to eq('john@example.com')
+      end
+    end
+    describe 'prompt' do
+      it 'should default to nil' do
+        expect(subject.authorize_params['prompt']).to eq(nil)
+      end
+      it 'should set the prompt parameter if present' do
+        @options = { prompt: 'consent select_account' }
+        expect(subject.authorize_params['prompt']).to eq('consent select_account')
+      end
+    end
+    describe 'scope' do
+      it 'should leave base scopes as is' do
+        @options = { scope: 'profile' }
+        expect(subject.authorize_params['scope']).to eq('profile')
+      end
+      it 'should join scopes' do
+        @options = { scope: 'profile,email' }
+        expect(subject.authorize_params['scope']).to eq('profile email')
+      end
+      it 'should deal with whitespace when joining scopes' do
+        @options = { scope: 'profile, email' }
+        expect(subject.authorize_params['scope']).to eq('profile email')
+      end
+      it 'should set default scope to email,profile' do
+        expect(subject.authorize_params['scope']).to eq('openid email profile https://graph.microsoft.com/User.Read')
+      end
+      it 'should support space delimited scopes' do
+        @options = { scope: 'profile email' }
+        expect(subject.authorize_params['scope']).to eq('profile email')
+      end
+      it 'should support extremely badly formed scopes' do
+        @options = { scope: 'profile email,foo,steve yeah http://example.com' }
+        expect(subject.authorize_params['scope']).to eq('profile email https://graph.microsoft.com/foo https://graph.microsoft.com/steve https://graph.microsoft.com/yeah http://example.com')
+      end
+    end
+    describe 'state' do
+      it 'should set the state parameter' do
+        @options = { state: 'some_state' }
+        expect(subject.authorize_params['state']).to eq('some_state')
+        expect(subject.authorize_params[:state]).to eq('some_state')
+        expect(subject.session['omniauth.state']).to eq('some_state')
+      end
+      it 'should set the omniauth.state dynamically' do
+        allow(subject).to receive(:request) { double('Request', params: { 'state' => 'some_state' }, env: {}) }
+        expect(subject.authorize_params['state']).to eq('some_state')
+        expect(subject.authorize_params[:state]).to eq('some_state')
+        expect(subject.session['omniauth.state']).to eq('some_state')
+      end
+    end
+    describe 'overrides' do
+      it 'should include top-level options that are marked as :authorize_options' do
+        @options = { authorize_options: %i[scope foo request_visible_actions], scope: 'http://bar', foo: 'baz', hd: 'wow', request_visible_actions: 'something' }
+        expect(subject.authorize_params['scope']).to eq('http://bar')
+        expect(subject.authorize_params['foo']).to eq('baz')
+        expect(subject.authorize_params['hd']).to eq(nil)
+        expect(subject.authorize_params['request_visible_actions']).to eq('something')
+      end
+      describe 'request overrides' do
+        %i[access_type login_hint prompt scope state].each do |k|
+          context "authorize option #{k}" do
+            let(:request) { double('Request', params: { k.to_s => 'http://example.com' }, cookies: {}, env: {}) }
+            it "should set the #{k} authorize option dynamically in the request" do
+              @options = { k: '' }
+              expect(subject.authorize_params[k.to_s]).to eq('http://example.com')
+            end
+          end
+        end
+        describe 'custom authorize_options' do
+          let(:request) { double('Request', params: { 'foo' => 'something' }, cookies: {}, env: {}) }
+          it 'should support request overrides from custom authorize_options' do
+            @options = { authorize_options: [:foo], foo: '' }
+            expect(subject.authorize_params['foo']).to eq('something')
+          end
+        end
+      end
+    end
+  end
+  describe '#authorize_params' do
+    it 'should include any authorize params passed in the :authorize_params option' do
+      @options = { authorize_params: { request_visible_actions: 'something', foo: 'bar', baz: 'zip' }, hd: 'wow', bad: 'not_included' }
+      expect(subject.authorize_params['request_visible_actions']).to eq('something')
+      expect(subject.authorize_params['foo']).to eq('bar')
+      expect(subject.authorize_params['baz']).to eq('zip')
+      expect(subject.authorize_params['bad']).to eq(nil)
+    end
+  end
+  describe '#token_params' do
+    it 'should include any token params passed in the :token_params option' do
+      @options = { token_params: { foo: 'bar', baz: 'zip' } }
+      expect(subject.token_params['foo']).to eq('bar')
+      expect(subject.token_params['baz']).to eq('zip')
+    end
+  end
+  describe '#token_options' do
+    it 'should include top-level options that are marked as :token_options' do
+      @options = { token_options: %i[scope foo], scope: 'bar', foo: 'baz', bad: 'not_included' }
+      expect(subject.token_params['scope']).to eq('bar')
+      expect(subject.token_params['foo']).to eq('baz')
+      expect(subject.token_params['bad']).to eq(nil)
+    end
+  end
+  describe '#callback_path' do
+    it 'has the correct default callback path' do
+      expect(subject.callback_path).to eq('/auth/microsoft_graph/callback')
+    end
+    it 'should set the callback_path parameter if present' do
+      @options = { callback_path: '/auth/foo/callback' }
+      expect(subject.callback_path).to eq('/auth/foo/callback')
+    end
+  end
+  describe '#info' do
+    let(:client) do
+      OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/v1.0/me') { [200, { 'content-type' => 'application/json' }, response_hash.to_json] }
+        end
+      end
+    end
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+    before { allow(subject).to receive(:access_token).and_return(access_token) }
+    context 'with verified email' do
+      let(:response_hash) do
+        { mail: 'something@domain.invalid' }
+      end
+      it 'should return equal email ' do
+        expect(subject.info['email']).to eq('something@domain.invalid')
+      end
+    end
+  end
+  describe '#extra' do
+    let(:client) do
+      OAuth2::Client.new('abc', 'def') do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/v1.0/me') { [200, { 'content-type' => 'application/json' }, '{"id": "12345"}'] }
+        end
+      end
+    end
+    let(:access_token) { OAuth2::AccessToken.from_hash(client, {}) }
+    before { allow(subject).to receive(:access_token).and_return(access_token) }
+    describe 'raw_info' do
+      it 'should include raw_info' do
+        expect(subject.extra['raw_info']).to eq('id' => '12345')
+      end
+    end
+  end
+  describe 'build_access_token' do
+    it 'should use a hybrid authorization request_uri if this is an AJAX request with a code parameter' do
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(true)
+      allow(request).to receive(:params).and_return('code' => 'valid_code')
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('valid_code', { redirect_uri: '/auth/microsoft_graph/callback' }, {})
+      expect(subject).not_to receive(:orig_build_access_token)
+      subject.instance_variable_set("@env", {})
+      subject.send(:build_access_token)
+    end
+    it 'should use a hybrid authorization request_uri if this is an AJAX request (mobile) with a code parameter' do
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(true)
+      allow(request).to receive(:params).and_return('code' => 'valid_code', 'callback_url' => 'localhost')
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('valid_code', { redirect_uri: 'localhost' }, {})
+      expect(subject).not_to receive(:orig_build_access_token)
+      subject.instance_variable_set("@env", {})
+      subject.send(:build_access_token)
+    end
+    it 'should use the request_uri from params if this not an AJAX request (request from installed app) with a code parameter' do
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return('code' => 'valid_code', 'callback_url' => 'callback_url')
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('valid_code', { redirect_uri: 'callback_url' }, {})
+      expect(subject).not_to receive(:orig_build_access_token)
+      subject.send(:build_access_token)
+    end
+    it 'should read access_token from hash if this is not an AJAX request with a code parameter' do
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return('access_token' => 'valid_access_token')
+      expect(subject).to receive(:verify_token).with('valid_access_token').and_return true
+      expect(subject).to receive(:client).and_return(:client)
+      token = subject.send(:build_access_token)
+      expect(token).to be_instance_of(::OAuth2::AccessToken)
+      expect(token.token).to eq('valid_access_token')
+      expect(token.client).to eq(:client)
+    end
+    it 'reads the code from a json request body' do
+      body = StringIO.new(%({"code":"json_access_token"}))
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:content_type).and_return('application/json')
+      allow(request).to receive(:body).and_return(body)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('json_access_token', { redirect_uri: '/auth/microsoft_graph/callback' }, {})
+      subject.send(:build_access_token)
+    end
+    it 'should use callback_url without query_string if this is not an AJAX request' do
+      allow(request).to receive(:scheme).and_return('https')
+      allow(request).to receive(:url).and_return('https://example.com')
+      allow(request).to receive(:xhr?).and_return(false)
+      allow(request).to receive(:params).and_return('code' => 'valid_code')
+      allow(request).to receive(:content_type).and_return('application/x-www-form-urlencoded')
+      client = double(:client)
+      auth_code = double(:auth_code)
+      allow(client).to receive(:auth_code).and_return(auth_code)
+      allow(subject).to receive(:callback_url).and_return('callback_url_without_query_string')
+      expect(subject).to receive(:client).and_return(client)
+      expect(auth_code).to receive(:get_token).with('valid_code', { redirect_uri: 'callback_url_without_query_string' }, {})
+      subject.send(:build_access_token)
+    end
+  end
+  describe 'verify_token' do
+    before(:each) do
+      subject.options.client_options[:connection_build] = proc do |builder|
+        builder.request :url_encoded
+        builder.adapter :test do |stub|
+          stub.get('/v1.0/me?access_token=valid_access_token') do
+            [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
+              aud: '000000000000.apps.googleusercontent.com',
+              id: '123456789',
+              email: 'example@example.com',
+              access_type: 'offline',
+              scope: 'profile email',
+              expires_in: 436
+            )]
+          end
+          stub.get('/v1.0/me?access_token=invalid_access_token') do
+            [400, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(error_description: 'Invalid Value')]
+          end
+        end
+      end
+    end
+    it 'should verify token if access_token is valid and app_id equals' do
+      subject.options.client_id = '000000000000.apps.googleusercontent.com'
+      expect(subject.send(:verify_token, 'valid_access_token')).to eq(true)
+    end
+    it 'should verify token if access_token is valid and app_id authorized' do
+      subject.options.authorized_client_ids = ['000000000000.apps.googleusercontent.com']
+      expect(subject.send(:verify_token, 'valid_access_token')).to eq(true)
+    end
+    it 'should not verify token if access_token is valid but app_id is false' do
+      expect(subject.send(:verify_token, 'valid_access_token')).to eq(false)
+    end
+    it 'should raise error if access_token is invalid' do
+      expect do
+        subject.send(:verify_token, 'invalid_access_token')
+      end.to raise_error(OAuth2::Error)
+    end
+  end
+end

data/spec/spec_helper.rb ADDED

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+require File.join('bundler', 'setup')
+require 'rspec'

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-microsoft_graph
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Peter Philips
@@ -9,76 +9,96 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-09 00:00:00.000000000 Z
+date: 2020-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: omniauth-oauth2
+  name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.1.1
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.6'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
 description: omniauth provider for new Microsoft Graph API
@@ -101,8 +121,8 @@ files:
 - lib/omniauth/strategies/microsoft_graph.rb
 - lib/omniauth_microsoft_graph.rb
 - omniauth-microsoft_graph.gemspec
-- test/strategy_test.rb
-- test/test_helper.rb
+- spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/synth/omniauth-microsoft_graph
 licenses:
 - MIT
@@ -123,10 +143,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.2.3
+rubygems_version: 2.5.2
 signing_key:
 specification_version: 4
 summary: omniauth provider for Microsoft Graph
 test_files:
-- test/strategy_test.rb
-- test/test_helper.rb
+- spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb
+- spec/spec_helper.rb

data/test/strategy_test.rb DELETED

@@ -1,26 +0,0 @@
-require 'test_helper'
-class UidTest < StrategyTestCase
-  def setup
-    super
-    strategy.stubs(:raw_info).returns({ 'id' => '123' })
-  end
-  def test_return_id_from_raw_info
-    assert_equal '123', strategy.uid
-  end
-end
-class AccessTokenTest < StrategyTestCase
-  def setup
-    super
-    @request.stubs(:params).returns({ 'access_token' => 'valid_access_token' })
-    strategy.stubs(:client).returns(:client)
-  end
-  def test_build_access_token
-    token = strategy.build_access_token
-    assert_equal token.token, 'valid_access_token'
-    assert_equal token.client, :client
-  end
-end

data/test/test_helper.rb DELETED

@@ -1,31 +0,0 @@
-require 'bundler/setup'
-require 'minitest/autorun'
-require 'mocha/setup'
-require 'omniauth/strategies/microsoft_graph'
-OmniAuth.config.test_mode = true
-class StrategyTestCase < Minitest::Test
-  def setup
-    @request = stub('Request')
-    @request.stubs(:params).returns({})
-    @request.stubs(:cookies).returns({})
-    @request.stubs(:env).returns({})
-    @request.stubs(:scheme).returns({})
-    @request.stubs(:ssl?).returns(false)
-    @client_id = '123'
-    @client_secret = '53cr3tz'
-    @options = {}
-  end
-  def strategy
-    @strategy ||= begin
-      args = [@client_id, @client_secret, @options].compact
-      OmniAuth::Strategies::MicrosoftGraph.new(nil, *args).tap do |strategy|
-        strategy.stubs(:request).returns(@request)
-      end
-    end
-  end
-end