omniauth-oauth2 1.0.0 → 1.8.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f5cd52cdcb930eb0df65da3d7659a8e46f19db3426e0ecd8b3565b51e951331f
+  data.tar.gz: 6ed5b399aef49e82b265ff6175c849c44415f8b19f81ee5eb5d988ebb6c95fc8
+SHA512:
+  metadata.gz: e6bc5b97b326e37aa1e2ebb294b3459b57ba5dbb4d1e8b7e1709ed2dc9cfb8cc3b1b6f70ebbd0d5d830834af2472afe5b34762cf63f99a508334edee0d86b15a
+  data.tar.gz: 5c6cea848d8c9895495f7e931a3acfcee6e5e773824714e4de8bacfdc7aa70c3e40ad5cbce92b9a0d115f1dbd1f26aea7dc2b7a7bc02b1050cf38c501c3b7d45

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth-oauth2

data/.github/workflows/main.yml

@@ -0,0 +1,67 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, head, debug, truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+  test-jruby:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby, jruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle install
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v1.1.2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth-oauth2.lcov'

data/.gitignore

@@ -15,3 +15,4 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+*.swp

data/.rubocop.yml

@@ -0,0 +1,80 @@
+AllCops:
+  NewCops: enable
+
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
+Layout/AccessModifierIndentation:
+  EnforcedStyle: outdent
+
+Layout/LineLength:
+  AllowURI: true
+  Enabled: false
+
+Layout/SpaceInsideHashLiteralBraces:
+  EnforcedStyle: no_space
+
+Lint/MissingSuper:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 18
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/omniauth/strategies/oauth2_spec.rb
+
+Metrics/BlockNesting:
+  Max: 2
+
+Metrics/ClassLength:
+  Max: 110
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 10
+
+Metrics/ParameterLists:
+  Max: 4
+  CountKeywordArgs: true
+
+Naming/FileName:
+  Exclude:
+    - lib/omniauth-oauth2.rb
+
+Style/CollectionMethods:
+  PreferredMethods:
+    map:      'collect'
+    reduce:   'inject'
+    find:     'detect'
+    find_all: 'select'
+
+Style/Documentation:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/ExpandPathArguments:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+
+Style/StderrPuts:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [v1.8.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.7.3)
+- Relaxes allowed versions of the oauth2 gem. [#146](https://github.com/omniauth/omniauth-oauth2/pull/146)
+- Requires omniauth `~> 2.0` [#152](https://github.com/omniauth/omniauth-oauth2/pull/152) 
+
+Please see https://github.com/omniauth/omniauth-oauth2/releases for changelog prior to 1.8.0

data/Gemfile

@@ -1,12 +1,20 @@
-source 'http://rubygems.org'
+source "https://rubygems.org"
 
-# Specify your gem's dependencies in omniauth-oauth2.gemspec
-gemspec
+gem "rake", "~> 13.0"
 
-group :development, :test do
-  gem 'guard'
-  gem 'guard-rspec'
-  gem 'guard-bundler'
-  gem 'growl'
-  gem 'rb-fsevent'
+group :test do
+  gem "addressable", "~> 2.3.8", :platforms => %i[jruby ruby_18]
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
+  gem "json", :platforms => %i[jruby ruby_18 ruby_19]
+  gem "mime-types", "~> 1.25", :platforms => %i[jruby ruby_18]
+  gem "rack-test"
+  gem "rest-client", "~> 1.8.0", :platforms => %i[jruby ruby_18]
+  gem "rspec", "~> 3.2"
+  gem "rubocop", ">= 0.51", :platforms => %i[ruby_19 ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
+  gem 'simplecov-lcov'
+  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem "webmock", "~> 3.0"
 end
+
+# Specify your gem's dependencies in omniauth-oauth2.gemspec
+gemspec

data/LICENSE.md

@@ -0,0 +1,19 @@
+Copyright (C) 2014 Michael Bleigh, Erik Michaels-Ober and Intridea, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,78 +1,75 @@
 # OmniAuth OAuth2
 
-**Note:** This gem is designed to work with the unreleased OmniAuth 1.0
-library. It will not be officially released on RubyGems.org until
-OmniAuth 1.0 is released.
+[![Gem Version](http://img.shields.io/gem/v/omniauth-oauth2.svg)][gem]
+[![Code Climate](http://img.shields.io/codeclimate/maintainability/intridea/omniauth-oauth2.svg)][codeclimate]
+[![Coverage Status](http://img.shields.io/coveralls/intridea/omniauth-oauth2.svg)][coveralls]
+[![Security](https://hakiri.io/github/omniauth/omniauth-oauth2/master.svg)](https://hakiri.io/github/omniauth/omniauth-oauth2/master)
 
-This gem contains a generic OAuth2 strategy for OmniAuth. It is meant to
-serve as a building block strategy for other strategies and not to be
-used independently (since it has no inherent way to gather uid and user
-info).
+[gem]: https://rubygems.org/gems/omniauth-oauth2
+[codeclimate]: https://codeclimate.com/github/intridea/omniauth-oauth2
+[coveralls]: https://coveralls.io/r/intridea/omniauth-oauth2
+
+This gem contains a generic OAuth2 strategy for OmniAuth. It is meant to serve
+as a building block strategy for other strategies and not to be used
+independently (since it has no inherent way to gather uid and user info).
 
 ## Creating an OAuth2 Strategy
 
-To create an OmniAuth OAuth2 strategy using this gem, you can simply
-subclass it and add a few extra methods like so:
-
-    require 'omniauth-oauth'
-
-    module OmniAuth
-      module Strategies
-        class SomeSite < OmniAuth::Strategies::OAuth2
-          # Give your strategy a name.
-          option :name, "some_site"
-
-          # This is where you pass the options you would pass when
-          # initializing your consumer from the OAuth gem.
-          option :client_options, {:site => "https://api.somesite.com"}
-
-          # These are called after authentication has succeeded. If
-          # possible, you should try to set the UID without making
-          # additional calls (if the user id is returned with the token
-          # or as a URI parameter). This may not be possible with all
-          # providers.
-          uid{ raw_info['id'] }
-
-          info do
-            {
-              :name => raw_info['name'],
-              :email => raw_info['email']
-            }
-          end
-
-          extra do
-            {
-              'raw_info' => raw_info
-            }
-          end
-
-          def raw_info
-            @raw_info ||= access_token.get('/me').parsed
-          end
-        end
+To create an OmniAuth OAuth2 strategy using this gem, you can simply subclass
+it and add a few extra methods like so:
+
+```ruby
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    class SomeSite < OmniAuth::Strategies::OAuth2
+      # Give your strategy a name.
+      option :name, "some_site"
+
+      # This is where you pass the options you would pass when
+      # initializing your consumer from the OAuth gem.
+      option :client_options, {:site => "https://api.somesite.com"}
+
+      # You may specify that your strategy should use PKCE by setting
+      # the pkce option to true: https://tools.ietf.org/html/rfc7636
+      option :pkce, true
+
+      # These are called after authentication has succeeded. If
+      # possible, you should try to set the UID without making
+      # additional calls (if the user id is returned with the token
+      # or as a URI parameter). This may not be possible with all
+      # providers.
+      uid{ raw_info['id'] }
+
+      info do
+        {
+          :name => raw_info['name'],
+          :email => raw_info['email']
+        }
+      end
+
+      extra do
+        {
+          'raw_info' => raw_info
+        }
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get('/me').parsed
       end
     end
+  end
+end
+```
 
 That's pretty much it!
 
-## License
-
-Copyright (C) 2011 by Michael Bleigh and Intridea, Inc.
+## OmniAuth-OAuth2 for Enterprise
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Available as part of the Tidelift Subscription.
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+## Supported Ruby Versions
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.

data/Rakefile

@@ -1,9 +1,19 @@
 #!/usr/bin/env rake
-require "bundler/gem_tasks"
-require 'rspec/core/rake_task'
 
-desc 'Default: run specs.'
-task :default => :spec
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
 
-desc "Run specs"
 RSpec::Core::RakeTask.new
+
+task :test => :spec
+
+begin
+  require "rubocop/rake_task"
+  RuboCop::RakeTask.new
+rescue LoadError
+  task :rubocop do
+    $stderr.puts "RuboCop is disabled"
+  end
+end
+
+task :default => %i[spec rubocop]

data/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 1.7.x    | :white_check_mark: |
+| <= 1.6.x | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/strategies/oauth2.rb

@@ -1,7 +1,8 @@
-require 'cgi'
-require 'uri'
-require 'oauth2'
-require 'omniauth'
+require "oauth2"
+require "omniauth"
+require "securerandom"
+require "socket"       # for SocketError
+require "timeout"      # for Timeout::Error
 
 module OmniAuth
   module Strategies
@@ -13,31 +14,44 @@ module OmniAuth
     class OAuth2
       include OmniAuth::Strategy
 
-      args [:client_id, :client_secret]
+      def self.inherited(subclass)
+        OmniAuth::Strategy.included(subclass)
+      end
+
+      args %i[client_id client_secret]
 
       option :client_id, nil
       option :client_secret, nil
       option :client_options, {}
       option :authorize_params, {}
-      option :authorize_options, [:scope]
+      option :authorize_options, %i[scope state]
       option :token_params, {}
       option :token_options, []
+      option :auth_token_params, {}
+      option :provider_ignores_state, false
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        :code_challenge => proc { |verifier|
+          Base64.urlsafe_encode64(
+            Digest::SHA2.digest(verifier),
+            :padding => false,
+          )
+        },
+        :code_challenge_method => "S256",
+      }
 
       attr_accessor :access_token
 
       def client
-        ::OAuth2::Client.new(options.client_id, options.client_secret, options.client_options.inject({}){|h,(k,v)| h[k.to_sym] = v; h})
-      end
-
-      def callback_url
-        full_host + script_name + callback_path
+        ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
       end
 
       credentials do
-        hash = {'token' => access_token.token}
-        hash.merge!('refresh_token' => access_token.refresh_token) if access_token.expires? && access_token.refresh_token
-        hash.merge!('expires_at' => access_token.expires_at) if access_token.expires?
-        hash.merge!('expires' => access_token.expires?)
+        hash = {"token" => access_token.token}
+        hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
+        hash["expires_at"] = access_token.expires_at if access_token.expires?
+        hash["expires"] = access_token.expires?
         hash
       end
 
@@ -45,36 +59,89 @@ module OmniAuth
         redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
       end
 
-      def authorize_params
-        options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        options.authorize_params[:state] = SecureRandom.hex(24)
+
+        if OmniAuth.config.test_mode
+          @env ||= {}
+          @env["rack.session"] ||= {}
+        end
+
+        params = options.authorize_params
+                        .merge(options_for("authorize"))
+                        .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
+        session["omniauth.state"] = params[:state]
+
+        params
       end
 
       def token_params
-        options.token_params.merge(options.token_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+        options.token_params.merge(options_for("token")).merge(pkce_token_params)
       end
 
-      def callback_phase
-        if request.params['error'] || request.params['error_reason']
-          raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
+      def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        error = request.params["error_reason"] || request.params["error"]
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        elsif error
+          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+        else
+          self.access_token = build_access_token
+          self.access_token = access_token.refresh! if access_token.expired?
+          super
         end
-
-        self.access_token = build_access_token
-        self.access_token = client.auth_code.refresh_token(access_token.refresh_token) if access_token.expired?
-
-        super
       rescue ::OAuth2::Error, CallbackError => e
         fail!(:invalid_credentials, e)
-      rescue ::MultiJson::DecodeError => e
-        fail!(:invalid_response, e)
       rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
         fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+
+    protected
+
+      def pkce_authorize_params
+        return {} unless options.pkce
+
+        options.pkce_verifier = SecureRandom.hex(64)
+
+        # NOTE: see https://tools.ietf.org/html/rfc7636#appendix-A
+        {
+          :code_challenge => options.pkce_options[:code_challenge]
+                                    .call(options.pkce_verifier),
+          :code_challenge_method => options.pkce_options[:code_challenge_method],
+        }
       end
 
-      protected
+      def pkce_token_params
+        return {} unless options.pkce
+
+        {:code_verifier => session.delete("omniauth.pkce.verifier")}
+      end
 
       def build_access_token
-        verifier = request.params['code']
-        client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(options.token_params.to_hash(:symbolize_keys => true)))
+        verifier = request.params["code"]
+        client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)), deep_symbolize(options.auth_token_params))
+      end
+
+      def deep_symbolize(options)
+        options.each_with_object({}) do |(key, value), hash|
+          hash[key.to_sym] = value.is_a?(Hash) ? deep_symbolize(value) : value
+        end
+      end
+
+      def options_for(option)
+        hash = {}
+        options.send(:"#{option}_options").select { |key| options[key] }.each do |key|
+          hash[key.to_sym] = if options[key].respond_to?(:call)
+                               options[key].call(env)
+                             else
+                               options[key]
+                             end
+        end
+        hash
       end
 
       # An error that is indicated in the OAuth 2.0 callback.
@@ -82,13 +149,18 @@ module OmniAuth
       class CallbackError < StandardError
         attr_accessor :error, :error_reason, :error_uri
 
-        def initialize(error, error_reason=nil, error_uri=nil)
+        def initialize(error, error_reason = nil, error_uri = nil)
           self.error = error
           self.error_reason = error_reason
           self.error_uri = error_uri
         end
+
+        def message
+          [error, error_reason, error_uri].compact.join(" | ")
+        end
       end
     end
   end
 end
-OmniAuth.config.add_camelization 'oauth2', 'OAuth2'
+
+OmniAuth.config.add_camelization "oauth2", "OAuth2"

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = "1.0.0"
+    VERSION = "1.8.0".freeze
   end
 end

data/lib/omniauth-oauth2.rb

@@ -1,2 +1,2 @@
 require "omniauth-oauth2/version"
-require 'omniauth/strategies/oauth2'
+require "omniauth/strategies/oauth2"

data/omniauth-oauth2.gemspec

@@ -1,25 +1,24 @@
-# -*- encoding: utf-8 -*-
-require File.expand_path('../lib/omniauth-oauth2/version', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "omniauth-oauth2/version"
 
 Gem::Specification.new do |gem|
-  gem.add_dependency 'omniauth', '~> 1.0'
-  gem.add_dependency 'oauth2', '~> 0.5.0'
+  gem.add_dependency "oauth2",     [">= 1.4", "< 3"]
+  gem.add_dependency "omniauth",   "~> 2.0"
 
-  gem.add_development_dependency 'rspec', '~> 2.7'
-  gem.add_development_dependency 'rack-test'
-  gem.add_development_dependency 'webmock'
-  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency "bundler", "~> 2.0"
 
-  gem.authors       = ["Michael Bleigh"]
-  gem.email         = ["michael@intridea.com"]
-  gem.description   = %q{An abstract OAuth2 strategy for OmniAuth.}
-  gem.summary       = %q{An abstract OAuth2 strategy for OmniAuth.}
-  gem.homepage      = "https://github.com/intridea/omniauth-oauth2"
+  gem.authors       = ["Michael Bleigh", "Erik Michaels-Ober", "Tom Milewski"]
+  gem.email         = ["michael@intridea.com", "sferik@gmail.com", "tmilewski@gmail.com"]
+  gem.description   = "An abstract OAuth2 strategy for OmniAuth."
+  gem.summary       = gem.description
+  gem.homepage      = "https://github.com/omniauth/omniauth-oauth2"
+  gem.licenses      = %w[MIT]
 
-  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.executables   = `git ls-files -- bin/*`.split("\n").collect { |f| File.basename(f) }
   gem.files         = `git ls-files`.split("\n")
   gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   gem.name          = "omniauth-oauth2"
-  gem.require_paths = ["lib"]
+  gem.require_paths = %w[lib]
   gem.version       = OmniAuth::OAuth2::VERSION
 end

data/spec/helper.rb

@@ -0,0 +1,35 @@
+$LOAD_PATH.unshift File.expand_path("..", __FILE__)
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+
+if RUBY_VERSION >= "1.9"
+  require "simplecov"
+  require "simplecov-lcov"
+  require "coveralls"
+
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::LcovFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
+
+  SimpleCov.start do
+    minimum_coverage(78.48)
+  end
+end
+
+require "rspec"
+require "rack/test"
+require "webmock/rspec"
+require "omniauth"
+require "omniauth-oauth2"
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+  config.extend OmniAuth::Test::StrategyMacros, :type => :strategy
+  config.include Rack::Test::Methods
+  config.include WebMock::API
+end

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -1,43 +1,161 @@
-require 'spec_helper'
+require "helper"
 
 describe OmniAuth::Strategies::OAuth2 do
-  def app; lambda{|env| [200, {}, ["Hello."]]} end
-  let(:fresh_strategy){ Class.new(OmniAuth::Strategies::OAuth2) }
+  def app
+    lambda do |_env|
+      [200, {}, ["Hello."]]
+    end
+  end
+  let(:fresh_strategy) { Class.new(OmniAuth::Strategies::OAuth2) }
+
+  before do
+    OmniAuth.config.test_mode = true
+  end
+
+  after do
+    OmniAuth.config.test_mode = false
+  end
 
-  describe '#client' do
-    subject{ fresh_strategy }
+  describe "Subclassing Behavior" do
+    subject { fresh_strategy }
 
-    it 'should be initialized with symbolized client_options' do
-      instance = subject.new(app, :client_options => {'authorize_url' => 'https://example.com'})
-      instance.client.options[:authorize_url].should == 'https://example.com'
+    it "performs the OmniAuth::Strategy included hook" do
+      expect(OmniAuth.strategies).to include(OmniAuth::Strategies::OAuth2)
+      expect(OmniAuth.strategies).to include(subject)
     end
   end
 
-  describe '#authorize_params' do
+  describe "#client" do
     subject { fresh_strategy }
 
-    it 'should include any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', :authorize_params => {:foo => 'bar', :baz => 'zip'})
-      instance.authorize_params.should == {'foo' => 'bar', 'baz' => 'zip'}
+    it "is initialized with symbolized client_options" do
+      instance = subject.new(app, :client_options => {"authorize_url" => "https://example.com"})
+      expect(instance.client.options[:authorize_url]).to eq("https://example.com")
     end
 
-    it 'should include top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', :authorize_options => [:scope, :foo], :scope => 'bar', :foo => 'baz')
-      instance.authorize_params.should == {'scope' => 'bar', 'foo' => 'baz'}
+    it "sets ssl options as connection options" do
+      instance = subject.new(app, :client_options => {"ssl" => {"ca_path" => "foo"}})
+      expect(instance.client.options[:connection_opts][:ssl]).to eq(:ca_path => "foo")
     end
   end
 
-  describe '#token_params' do
+  describe "#authorize_params" do
     subject { fresh_strategy }
 
-    it 'should include any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', :token_params => {:foo => 'bar', :baz => 'zip'})
-      instance.token_params.should == {'foo' => 'bar', 'baz' => 'zip'}
+    it "includes any authorize params passed in the :authorize_params option" do
+      instance = subject.new("abc", "def", :authorize_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.authorize_params["foo"]).to eq("bar")
+      expect(instance.authorize_params["baz"]).to eq("zip")
+    end
+
+    it "includes top-level options that are marked as :authorize_options" do
+      instance = subject.new("abc", "def", :authorize_options => %i[scope foo state], :scope => "bar", :foo => "baz")
+      expect(instance.authorize_params["scope"]).to eq("bar")
+      expect(instance.authorize_params["foo"]).to eq("baz")
+      expect(instance.authorize_params["state"]).not_to be_empty
+    end
+
+    it "includes random state in the authorize params" do
+      instance = subject.new("abc", "def")
+      expect(instance.authorize_params.keys).to eq(["state"])
+      expect(instance.session["omniauth.state"]).not_to be_empty
+    end
+
+    it "includes custom state in the authorize params" do
+      instance = subject.new("abc", "def", :state => proc { "qux" })
+      expect(instance.authorize_params.keys).to eq(["state"])
+      expect(instance.session["omniauth.state"]).to eq("qux")
+    end
+
+    it "includes PKCE parameters if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      expect(instance.authorize_params[:code_challenge]).to be_a(String)
+      expect(instance.authorize_params[:code_challenge_method]).to eq("S256")
+      expect(instance.session["omniauth.pkce.verifier"]).to be_a(String)
+    end
+  end
+
+  describe "#token_params" do
+    subject { fresh_strategy }
+
+    it "includes any authorize params passed in the :authorize_params option" do
+      instance = subject.new("abc", "def", :token_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.token_params).to eq("foo" => "bar", "baz" => "zip")
+    end
+
+    it "includes top-level options that are marked as :authorize_options" do
+      instance = subject.new("abc", "def", :token_options => %i[scope foo], :scope => "bar", :foo => "baz")
+      expect(instance.token_params).to eq("scope" => "bar", "foo" => "baz")
+    end
+
+    it "includes the PKCE code_verifier if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      # setup session
+      instance.authorize_params
+      expect(instance.token_params[:code_verifier]).to be_a(String)
+    end
+  end
+
+  describe "#callback_phase" do
+    subject(:instance) { fresh_strategy.new("abc", "def") }
+
+    let(:params) { {"error_reason" => "user_denied", "error" => "access_denied", "state" => state} }
+    let(:state) { "secret" }
+
+    before do
+      allow(instance).to receive(:request) do
+        double("Request", :params => params)
+      end
+
+      allow(instance).to receive(:session) do
+        double("Session", :delete => state)
+      end
+    end
+
+    it "calls fail with the error received" do
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
     end
 
-    it 'should include top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', :token_options => [:scope, :foo], :scope => 'bar', :foo => 'baz')
-      instance.token_params.should == {'scope' => 'bar', 'foo' => 'baz'}
+    it "calls fail with the error received if state is missing and CSRF verification is disabled" do
+      params["state"] = nil
+      instance.options.provider_ignores_state = true
+
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is missing" do
+      params["state"] = nil
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is invalid" do
+      params["state"] = "invalid"
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+  end
+end
+
+describe OmniAuth::Strategies::OAuth2::CallbackError do
+  let(:error) { Class.new(OmniAuth::Strategies::OAuth2::CallbackError) }
+  describe "#message" do
+    subject { error }
+    it "includes all of the attributes" do
+      instance = subject.new("error", "description", "uri")
+      expect(instance.message).to match(/error/)
+      expect(instance.message).to match(/description/)
+      expect(instance.message).to match(/uri/)
+    end
+    it "includes all of the attributes" do
+      instance = subject.new(nil, :symbol)
+      expect(instance.message).to eq("symbol")
     end
   end
 end

metadata

@@ -1,125 +1,114 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.0.0
-  prerelease: 
+  version: 1.8.0
 platform: ruby
 authors:
 - Michael Bleigh
-autorequire: 
+- Erik Michaels-Ober
+- Tom Milewski
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-11-02 00:00:00.000000000Z
+date: 2022-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: omniauth
-  requirement: &70244359505740 !ruby/object:Gem::Requirement
-    none: false
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3'
   type: :runtime
   prerelease: false
-  version_requirements: *70244359505740
-- !ruby/object:Gem::Dependency
-  name: oauth2
-  requirement: &70244359505120 !ruby/object:Gem::Requirement
-    none: false
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.5.0
-  type: :runtime
-  prerelease: false
-  version_requirements: *70244359505120
+        version: '1.4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: &70244359504360 !ruby/object:Gem::Requirement
-    none: false
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
-  type: :development
+        version: '2.0'
+  type: :runtime
   prerelease: false
-  version_requirements: *70244359504360
-- !ruby/object:Gem::Dependency
-  name: rack-test
-  requirement: &70244359503620 !ruby/object:Gem::Requirement
-    none: false
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: *70244359503620
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: &70244359502240 !ruby/object:Gem::Requirement
-    none: false
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
   type: :development
   prerelease: false
-  version_requirements: *70244359502240
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: &70244359501400 !ruby/object:Gem::Requirement
-    none: false
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: *70244359501400
+        version: '2.0'
 description: An abstract OAuth2 strategy for OmniAuth.
 email:
 - michael@intridea.com
+- sferik@gmail.com
+- tmilewski@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- ".github/FUNDING.yml"
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- CHANGELOG.md
 - Gemfile
-- Guardfile
+- LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth-oauth2.rb
 - lib/omniauth-oauth2/version.rb
 - lib/omniauth/strategies/oauth2.rb
 - omniauth-oauth2.gemspec
+- spec/helper.rb
 - spec/omniauth/strategies/oauth2_spec.rb
-- spec/spec_helper.rb
-homepage: https://github.com/intridea/omniauth-oauth2
-licenses: []
-post_install_message: 
+homepage: https://github.com/omniauth/omniauth-oauth2
+licenses:
+- MIT
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 1.8.10
-signing_key: 
-specification_version: 3
+rubygems_version: 3.2.32
+signing_key:
+specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.
 test_files:
+- spec/helper.rb
 - spec/omniauth/strategies/oauth2_spec.rb
-- spec/spec_helper.rb

data/Guardfile

@@ -1,11 +0,0 @@
-guard 'rspec', :version => 2 do
-  watch(%r{^spec/.+_spec\.rb$})
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { "spec" }
-end
-
-
-guard 'bundler' do
-  watch('Gemfile')
-  watch(/^.+\.gemspec/)
-end

data/spec/spec_helper.rb

@@ -1,16 +0,0 @@
-$:.unshift File.expand_path('..', __FILE__)
-$:.unshift File.expand_path('../../lib', __FILE__)
-require 'simplecov'
-SimpleCov.start
-require 'rspec'
-require 'rack/test'
-require 'webmock/rspec'
-require 'omniauth'
-require 'omniauth-oauth2'
-
-RSpec.configure do |config|
-  config.include WebMock::API
-  config.include Rack::Test::Methods
-  config.extend  OmniAuth::Test::StrategyMacros, :type => :strategy
-end
-