omniauth-oauth2 1.2.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 34d25ec93bea77d3d2003a6aa2072dfa427f9e37
-  data.tar.gz: 89be10c650c34a5585147ef113f20c8f562b36f6
+SHA256:
+  metadata.gz: f5cd52cdcb930eb0df65da3d7659a8e46f19db3426e0ecd8b3565b51e951331f
+  data.tar.gz: 6ed5b399aef49e82b265ff6175c849c44415f8b19f81ee5eb5d988ebb6c95fc8
 SHA512:
-  metadata.gz: 19d5f076d435e34138b5beb42214e1a2cc22e3f6145e8030d64d644a91b250de0f3b7e34dda04d49a020e0bc3347b7cfdcb5b8942910cafec095286da1dbb310
-  data.tar.gz: b997b90fa32ffa10c1e27ae5095acea1793ae9d4ecb160856de82a4a53a64cdcc60f9c352a8c114e50a50c13c3ff024174cbcdc573caa4411d18f17e95aba385
+  metadata.gz: e6bc5b97b326e37aa1e2ebb294b3459b57ba5dbb4d1e8b7e1709ed2dc9cfb8cc3b1b6f70ebbd0d5d830834af2472afe5b34762cf63f99a508334edee0d86b15a
+  data.tar.gz: 5c6cea848d8c9895495f7e931a3acfcee6e5e773824714e4de8bacfdc7aa70c3e40ad5cbce92b9a0d115f1dbd1f26aea7dc2b7a7bc02b1050cf38c501c3b7d45

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth-oauth2

data/.github/workflows/main.yml

@@ -0,0 +1,67 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, head, debug, truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+  test-jruby:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby, jruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle install
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v1.1.2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth-oauth2.lcov'

data/.rubocop.yml

@@ -1,82 +1,80 @@
 AllCops:
-  Include:
-    - 'Gemfile'
-    - 'Rakefile'
-    - 'omniauth-oauth2.gemspec'
-
-# Avoid long parameter lists
-ParameterLists:
-  Max: 5
-  CountKeywordArgs: true
+  NewCops: enable
 
-MethodLength:
-  CountComments: false
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
+Layout/AccessModifierIndentation:
+  EnforcedStyle: outdent
+
+Layout/LineLength:
+  AllowURI: true
+  Enabled: false
+
+Layout/SpaceInsideHashLiteralBraces:
+  EnforcedStyle: no_space
+
+Lint/MissingSuper:
+  Enabled: false
+
+Metrics/AbcSize:
   Max: 18
 
-# Avoid more than `Max` levels of nesting.
-BlockNesting:
+Metrics/BlockLength:
+  Exclude:
+    - spec/omniauth/strategies/oauth2_spec.rb
+
+Metrics/BlockNesting:
   Max: 2
 
-# Align with the style guide.
-CollectionMethods:
+Metrics/ClassLength:
+  Max: 110
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 10
+
+Metrics/ParameterLists:
+  Max: 4
+  CountKeywordArgs: true
+
+Naming/FileName:
+  Exclude:
+    - lib/omniauth-oauth2.rb
+
+Style/CollectionMethods:
   PreferredMethods:
     map:      'collect'
     reduce:   'inject'
     find:     'detect'
     find_all: 'select'
 
-# Do not force public/protected/private keyword to be indented at the same
-# level as the def keyword. My personal preference is to outdent these keywords
-# because I think when scanning code it makes it easier to identify the
-# sections of code and visually separate them. When the keyword is at the same
-# level I think it sort of blends in with the def keywords and makes it harder
-# to scan the code and see where the sections are.
-AccessModifierIndentation:
-  Enabled: false
-
-# Limit line length
-LineLength:
+Style/Documentation:
   Enabled: false
 
-# Disable documentation checking until a class needs to be documented once
-Documentation:
+Style/DoubleNegation:
   Enabled: false
 
-# Enforce Ruby 1.8-compatible hash syntax
-HashSyntax:
-  EnforcedStyle: hash_rockets
-
-# No spaces inside hash literals
-SpaceInsideHashLiteralBraces:
-  EnforcedStyle: no_space
-
-# Allow dots at the end of lines
-DotPosition:
+Style/ExpandPathArguments:
   Enabled: false
 
-# Don't require magic comment at the top of every file
-Encoding:
+Style/FrozenStringLiteralComment:
   Enabled: false
 
-# Enforce outdenting of access modifiers (i.e. public, private, protected)
-AccessModifierIndentation:
-  EnforcedStyle: outdent
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
 
-EmptyLinesAroundAccessModifier:
-  Enabled: true
+Style/StderrPuts:
+  Enabled: false
 
-# Align ends correctly
-EndAlignment:
-  AlignWith: variable
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
 
-# Indentation of when/else
-CaseIndentation:
-  IndentWhenRelativeTo: end
-  IndentOneStep: false
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
 
-Lambda:
-  Enabled: false
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
 
-FileName:
-  Exclude:
-    - 'lib/omniauth-oauth2.rb'
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [v1.8.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.7.3)
+- Relaxes allowed versions of the oauth2 gem. [#146](https://github.com/omniauth/omniauth-oauth2/pull/146)
+- Requires omniauth `~> 2.0` [#152](https://github.com/omniauth/omniauth-oauth2/pull/152) 
+
+Please see https://github.com/omniauth/omniauth-oauth2/releases for changelog prior to 1.8.0

data/Gemfile

@@ -1,24 +1,19 @@
-source 'http://rubygems.org'
+source "https://rubygems.org"
 
-gem 'rake'
-
-group :development do
-  platforms :ruby_19, :ruby_20, :ruby_21 do
-    gem 'guard'
-    gem 'guard-rspec'
-    gem 'guard-bundler'
-  end
-end
+gem "rake", "~> 13.0"
 
 group :test do
-  gem 'coveralls', :require => false
-  gem 'json', :platforms => [:jruby, :ruby_18, :ruby_19]
-  gem 'mime-types', '~> 1.25', :platforms => [:jruby, :ruby_18]
-  gem 'rack-test'
-  gem 'rspec', '~> 3.0.0'
-  gem 'rubocop', '>= 0.21', :platforms => [:ruby_19, :ruby_20, :ruby_21]
-  gem 'simplecov', :require => false
-  gem 'webmock'
+  gem "addressable", "~> 2.3.8", :platforms => %i[jruby ruby_18]
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
+  gem "json", :platforms => %i[jruby ruby_18 ruby_19]
+  gem "mime-types", "~> 1.25", :platforms => %i[jruby ruby_18]
+  gem "rack-test"
+  gem "rest-client", "~> 1.8.0", :platforms => %i[jruby ruby_18]
+  gem "rspec", "~> 3.2"
+  gem "rubocop", ">= 0.51", :platforms => %i[ruby_19 ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
+  gem 'simplecov-lcov'
+  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem "webmock", "~> 3.0"
 end
 
 # Specify your gem's dependencies in omniauth-oauth2.gemspec

data/README.md

@@ -1,14 +1,11 @@
 # OmniAuth OAuth2
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth-oauth2.svg)][gem]
-[![Build Status](http://img.shields.io/travis/intridea/omniauth-oauth2.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/intridea/omniauth-oauth2.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/intridea/omniauth-oauth2.svg)][codeclimate]
+[![Code Climate](http://img.shields.io/codeclimate/maintainability/intridea/omniauth-oauth2.svg)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/intridea/omniauth-oauth2.svg)][coveralls]
+[![Security](https://hakiri.io/github/omniauth/omniauth-oauth2/master.svg)](https://hakiri.io/github/omniauth/omniauth-oauth2/master)
 
 [gem]: https://rubygems.org/gems/omniauth-oauth2
-[travis]: http://travis-ci.org/intridea/omniauth-oauth2
-[gemnasium]: https://gemnasium.com/intridea/omniauth-oauth2
 [codeclimate]: https://codeclimate.com/github/intridea/omniauth-oauth2
 [coveralls]: https://coveralls.io/r/intridea/omniauth-oauth2
 
@@ -34,6 +31,10 @@ module OmniAuth
       # initializing your consumer from the OAuth gem.
       option :client_options, {:site => "https://api.somesite.com"}
 
+      # You may specify that your strategy should use PKCE by setting
+      # the pkce option to true: https://tools.ietf.org/html/rfc7636
+      option :pkce, true
+
       # These are called after authentication has succeeded. If
       # possible, you should try to set the UID without making
       # additional calls (if the user id is returned with the token
@@ -64,4 +65,11 @@ end
 
 That's pretty much it!
 
-[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/intridea/omniauth-oauth2/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+## OmniAuth-OAuth2 for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
+
+## Supported Ruby Versions
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.

data/Rakefile

@@ -1,18 +1,19 @@
 #!/usr/bin/env rake
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new
 
 task :test => :spec
 
 begin
-  require 'rubocop/rake_task'
+  require "rubocop/rake_task"
   RuboCop::RakeTask.new
 rescue LoadError
   task :rubocop do
-    $stderr.puts 'RuboCop is disabled'
+    $stderr.puts "RuboCop is disabled"
   end
 end
 
-task :default => [:spec, :rubocop]
+task :default => %i[spec rubocop]

data/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 1.7.x    | :white_check_mark: |
+| <= 1.6.x | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/strategies/oauth2.rb

@@ -1,10 +1,8 @@
-require 'oauth2'
-require 'omniauth'
-require 'securerandom'
-require 'socket'       # for SocketError
-require 'timeout'      # for Timeout::Error
-require 'faraday'      # for Faraday::Error::TimeoutError and Faraday::Error::ConnectionFailed
-require 'multi_json'   # for MultiJson::DecodeError
+require "oauth2"
+require "omniauth"
+require "securerandom"
+require "socket"       # for SocketError
+require "timeout"      # for Timeout::Error
 
 module OmniAuth
   module Strategies
@@ -16,17 +14,32 @@ module OmniAuth
     class OAuth2
       include OmniAuth::Strategy
 
-      args [:client_id, :client_secret]
+      def self.inherited(subclass)
+        OmniAuth::Strategy.included(subclass)
+      end
+
+      args %i[client_id client_secret]
 
       option :client_id, nil
       option :client_secret, nil
       option :client_options, {}
       option :authorize_params, {}
-      option :authorize_options, [:scope]
+      option :authorize_options, %i[scope state]
       option :token_params, {}
       option :token_options, []
       option :auth_token_params, {}
       option :provider_ignores_state, false
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        :code_challenge => proc { |verifier|
+          Base64.urlsafe_encode64(
+            Digest::SHA2.digest(verifier),
+            :padding => false,
+          )
+        },
+        :code_challenge_method => "S256",
+      }
 
       attr_accessor :access_token
 
@@ -34,15 +47,11 @@ module OmniAuth
         ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
       end
 
-      def callback_url
-        full_host + script_name + callback_path
-      end
-
       credentials do
-        hash = {'token' => access_token.token}
-        hash.merge!('refresh_token' => access_token.refresh_token) if access_token.expires? && access_token.refresh_token
-        hash.merge!('expires_at' => access_token.expires_at) if access_token.expires?
-        hash.merge!('expires' => access_token.expires?)
+        hash = {"token" => access_token.token}
+        hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
+        hash["expires_at"] = access_token.expires_at if access_token.expires?
+        hash["expires"] = access_token.expires?
         hash
       end
 
@@ -50,27 +59,34 @@ module OmniAuth
         redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
       end
 
-      def authorize_params
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         options.authorize_params[:state] = SecureRandom.hex(24)
-        params = options.authorize_params.merge(options_for('authorize'))
+
         if OmniAuth.config.test_mode
           @env ||= {}
-          @env['rack.session'] ||= {}
+          @env["rack.session"] ||= {}
         end
-        session['omniauth.state'] = params[:state]
+
+        params = options.authorize_params
+                        .merge(options_for("authorize"))
+                        .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
+        session["omniauth.state"] = params[:state]
+
         params
       end
 
       def token_params
-        options.token_params.merge(options_for('token'))
+        options.token_params.merge(options_for("token")).merge(pkce_token_params)
       end
 
-      def callback_phase # rubocop:disable CyclomaticComplexity
-        error = request.params['error_reason'] || request.params['error']
-        if error
-          fail!(error, CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri']))
-        elsif !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state'))
-          fail!(:csrf_detected, CallbackError.new(:csrf_detected, 'CSRF detected'))
+      def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        error = request.params["error_reason"] || request.params["error"]
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        elsif error
+          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
         else
           self.access_token = build_access_token
           self.access_token = access_token.refresh! if access_token.expired?
@@ -78,33 +94,52 @@ module OmniAuth
         end
       rescue ::OAuth2::Error, CallbackError => e
         fail!(:invalid_credentials, e)
-      rescue ::MultiJson::DecodeError => e
-        fail!(:invalid_response, e)
-      rescue ::Timeout::Error, ::Errno::ETIMEDOUT, Faraday::Error::TimeoutError => e
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
         fail!(:timeout, e)
-      rescue ::SocketError, Faraday::Error::ConnectionFailed => e
+      rescue ::SocketError => e
         fail!(:failed_to_connect, e)
       end
 
     protected
 
+      def pkce_authorize_params
+        return {} unless options.pkce
+
+        options.pkce_verifier = SecureRandom.hex(64)
+
+        # NOTE: see https://tools.ietf.org/html/rfc7636#appendix-A
+        {
+          :code_challenge => options.pkce_options[:code_challenge]
+                                    .call(options.pkce_verifier),
+          :code_challenge_method => options.pkce_options[:code_challenge_method],
+        }
+      end
+
+      def pkce_token_params
+        return {} unless options.pkce
+
+        {:code_verifier => session.delete("omniauth.pkce.verifier")}
+      end
+
       def build_access_token
-        verifier = request.params['code']
+        verifier = request.params["code"]
         client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)), deep_symbolize(options.auth_token_params))
       end
 
       def deep_symbolize(options)
-        hash = {}
-        options.each do |key, value|
+        options.each_with_object({}) do |(key, value), hash|
           hash[key.to_sym] = value.is_a?(Hash) ? deep_symbolize(value) : value
         end
-        hash
       end
 
       def options_for(option)
         hash = {}
         options.send(:"#{option}_options").select { |key| options[key] }.each do |key|
-          hash[key.to_sym] = options[key]
+          hash[key.to_sym] = if options[key].respond_to?(:call)
+                               options[key].call(env)
+                             else
+                               options[key]
+                             end
         end
         hash
       end
@@ -121,11 +156,11 @@ module OmniAuth
         end
 
         def message
-          [error, error_reason, error_uri].compact.join(' | ')
+          [error, error_reason, error_uri].compact.join(" | ")
         end
       end
     end
   end
 end
 
-OmniAuth.config.add_camelization 'oauth2', 'OAuth2'
+OmniAuth.config.add_camelization "oauth2", "OAuth2"

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = '1.2.0'
+    VERSION = "1.8.0".freeze
   end
 end

data/lib/omniauth-oauth2.rb

@@ -1,2 +1,2 @@
-require 'omniauth-oauth2/version'
-require 'omniauth/strategies/oauth2'
+require "omniauth-oauth2/version"
+require "omniauth/strategies/oauth2"

data/omniauth-oauth2.gemspec

@@ -1,26 +1,24 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'omniauth-oauth2/version'
+require "omniauth-oauth2/version"
 
 Gem::Specification.new do |gem|
-  gem.add_dependency 'faraday',   ['>= 0.8', '< 0.10']
-  gem.add_dependency 'multi_json', '~> 1.3'
-  gem.add_dependency 'oauth2',     '~> 1.0'
-  gem.add_dependency 'omniauth',   '~> 1.2'
+  gem.add_dependency "oauth2",     [">= 1.4", "< 3"]
+  gem.add_dependency "omniauth",   "~> 2.0"
 
-  gem.add_development_dependency 'bundler', '~> 1.0'
+  gem.add_development_dependency "bundler", "~> 2.0"
 
-  gem.authors       = ['Michael Bleigh', 'Erik Michaels-Ober']
-  gem.email         = ['michael@intridea.com', 'sferik@gmail.com']
-  gem.description   = %q(An abstract OAuth2 strategy for OmniAuth.)
+  gem.authors       = ["Michael Bleigh", "Erik Michaels-Ober", "Tom Milewski"]
+  gem.email         = ["michael@intridea.com", "sferik@gmail.com", "tmilewski@gmail.com"]
+  gem.description   = "An abstract OAuth2 strategy for OmniAuth."
   gem.summary       = gem.description
-  gem.homepage      = 'https://github.com/intridea/omniauth-oauth2'
-  gem.licenses      = %w(MIT)
+  gem.homepage      = "https://github.com/omniauth/omniauth-oauth2"
+  gem.licenses      = %w[MIT]
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").collect { |f| File.basename(f) }
   gem.files         = `git ls-files`.split("\n")
   gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  gem.name          = 'omniauth-oauth2'
-  gem.require_paths = %w(lib)
+  gem.name          = "omniauth-oauth2"
+  gem.require_paths = %w[lib]
   gem.version       = OmniAuth::OAuth2::VERSION
 end

data/spec/helper.rb

@@ -1,22 +1,29 @@
-$LOAD_PATH.unshift File.expand_path('..', __FILE__)
-$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+$LOAD_PATH.unshift File.expand_path("..", __FILE__)
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
 
-require 'simplecov'
-require 'coveralls'
+if RUBY_VERSION >= "1.9"
+  require "simplecov"
+  require "simplecov-lcov"
+  require "coveralls"
 
-SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
-  SimpleCov::Formatter::HTMLFormatter,
-  Coveralls::SimpleCov::Formatter
-]
-SimpleCov.start do
-  minimum_coverage(76)
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::LcovFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
+
+  SimpleCov.start do
+    minimum_coverage(78.48)
+  end
 end
 
-require 'rspec'
-require 'rack/test'
-require 'webmock/rspec'
-require 'omniauth'
-require 'omniauth-oauth2'
+require "rspec"
+require "rack/test"
+require "webmock/rspec"
+require "omniauth"
+require "omniauth-oauth2"
 
 RSpec.configure do |config|
   config.expect_with :rspec do |c|

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -1,9 +1,9 @@
-require 'helper'
+require "helper"
 
 describe OmniAuth::Strategies::OAuth2 do
   def app
     lambda do |_env|
-      [200, {}, ['Hello.']]
+      [200, {}, ["Hello."]]
     end
   end
   let(:fresh_strategy) { Class.new(OmniAuth::Strategies::OAuth2) }
@@ -16,65 +16,128 @@ describe OmniAuth::Strategies::OAuth2 do
     OmniAuth.config.test_mode = false
   end
 
-  describe '#client' do
+  describe "Subclassing Behavior" do
     subject { fresh_strategy }
 
-    it 'is initialized with symbolized client_options' do
-      instance = subject.new(app, :client_options => {'authorize_url' => 'https://example.com'})
-      expect(instance.client.options[:authorize_url]).to eq('https://example.com')
+    it "performs the OmniAuth::Strategy included hook" do
+      expect(OmniAuth.strategies).to include(OmniAuth::Strategies::OAuth2)
+      expect(OmniAuth.strategies).to include(subject)
+    end
+  end
+
+  describe "#client" do
+    subject { fresh_strategy }
+
+    it "is initialized with symbolized client_options" do
+      instance = subject.new(app, :client_options => {"authorize_url" => "https://example.com"})
+      expect(instance.client.options[:authorize_url]).to eq("https://example.com")
     end
 
-    it 'sets ssl options as connection options' do
-      instance = subject.new(app, :client_options => {'ssl' => {'ca_path' => 'foo'}})
-      expect(instance.client.options[:connection_opts][:ssl]).to eq(:ca_path => 'foo')
+    it "sets ssl options as connection options" do
+      instance = subject.new(app, :client_options => {"ssl" => {"ca_path" => "foo"}})
+      expect(instance.client.options[:connection_opts][:ssl]).to eq(:ca_path => "foo")
     end
   end
 
-  describe '#authorize_params' do
+  describe "#authorize_params" do
     subject { fresh_strategy }
 
-    it 'includes any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', :authorize_params => {:foo => 'bar', :baz => 'zip'})
-      expect(instance.authorize_params['foo']).to eq('bar')
-      expect(instance.authorize_params['baz']).to eq('zip')
+    it "includes any authorize params passed in the :authorize_params option" do
+      instance = subject.new("abc", "def", :authorize_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.authorize_params["foo"]).to eq("bar")
+      expect(instance.authorize_params["baz"]).to eq("zip")
+    end
+
+    it "includes top-level options that are marked as :authorize_options" do
+      instance = subject.new("abc", "def", :authorize_options => %i[scope foo state], :scope => "bar", :foo => "baz")
+      expect(instance.authorize_params["scope"]).to eq("bar")
+      expect(instance.authorize_params["foo"]).to eq("baz")
+      expect(instance.authorize_params["state"]).not_to be_empty
+    end
+
+    it "includes random state in the authorize params" do
+      instance = subject.new("abc", "def")
+      expect(instance.authorize_params.keys).to eq(["state"])
+      expect(instance.session["omniauth.state"]).not_to be_empty
     end
 
-    it 'includes top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', :authorize_options => [:scope, :foo, :state], :scope => 'bar', :foo => 'baz')
-      expect(instance.authorize_params['scope']).to eq('bar')
-      expect(instance.authorize_params['foo']).to eq('baz')
+    it "includes custom state in the authorize params" do
+      instance = subject.new("abc", "def", :state => proc { "qux" })
+      expect(instance.authorize_params.keys).to eq(["state"])
+      expect(instance.session["omniauth.state"]).to eq("qux")
     end
 
-    it 'includes random state in the authorize params' do
-      instance = subject.new('abc', 'def')
-      expect(instance.authorize_params.keys).to eq(['state'])
-      expect(instance.session['omniauth.state']).not_to be_empty
+    it "includes PKCE parameters if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      expect(instance.authorize_params[:code_challenge]).to be_a(String)
+      expect(instance.authorize_params[:code_challenge_method]).to eq("S256")
+      expect(instance.session["omniauth.pkce.verifier"]).to be_a(String)
     end
   end
 
-  describe '#token_params' do
+  describe "#token_params" do
     subject { fresh_strategy }
 
-    it 'includes any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', :token_params => {:foo => 'bar', :baz => 'zip'})
-      expect(instance.token_params).to eq('foo' => 'bar', 'baz' => 'zip')
+    it "includes any authorize params passed in the :authorize_params option" do
+      instance = subject.new("abc", "def", :token_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.token_params).to eq("foo" => "bar", "baz" => "zip")
+    end
+
+    it "includes top-level options that are marked as :authorize_options" do
+      instance = subject.new("abc", "def", :token_options => %i[scope foo], :scope => "bar", :foo => "baz")
+      expect(instance.token_params).to eq("scope" => "bar", "foo" => "baz")
     end
 
-    it 'includes top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', :token_options => [:scope, :foo], :scope => 'bar', :foo => 'baz')
-      expect(instance.token_params).to eq('scope' => 'bar', 'foo' => 'baz')
+    it "includes the PKCE code_verifier if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      # setup session
+      instance.authorize_params
+      expect(instance.token_params[:code_verifier]).to be_a(String)
     end
   end
 
-  describe '#callback_phase' do
-    subject { fresh_strategy }
-    it 'calls fail with the client error received' do
-      instance = subject.new('abc', 'def')
+  describe "#callback_phase" do
+    subject(:instance) { fresh_strategy.new("abc", "def") }
+
+    let(:params) { {"error_reason" => "user_denied", "error" => "access_denied", "state" => state} }
+    let(:state) { "secret" }
+
+    before do
       allow(instance).to receive(:request) do
-        double('Request', :params => {'error_reason' => 'user_denied', 'error' => 'access_denied'})
+        double("Request", :params => params)
+      end
+
+      allow(instance).to receive(:session) do
+        double("Session", :delete => state)
       end
+    end
+
+    it "calls fail with the error received" do
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with the error received if state is missing and CSRF verification is disabled" do
+      params["state"] = nil
+      instance.options.provider_ignores_state = true
+
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is missing" do
+      params["state"] = nil
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is invalid" do
+      params["state"] = "invalid"
 
-      expect(instance).to receive(:fail!).with('user_denied', anything)
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
       instance.callback_phase
     end
   end
@@ -82,17 +145,17 @@ end
 
 describe OmniAuth::Strategies::OAuth2::CallbackError do
   let(:error) { Class.new(OmniAuth::Strategies::OAuth2::CallbackError) }
-  describe '#message' do
+  describe "#message" do
     subject { error }
-    it 'includes all of the attributes' do
-      instance = subject.new('error', 'description', 'uri')
+    it "includes all of the attributes" do
+      instance = subject.new("error", "description", "uri")
       expect(instance.message).to match(/error/)
       expect(instance.message).to match(/description/)
       expect(instance.message).to match(/uri/)
     end
-    it 'includes all of the attributes' do
+    it "includes all of the attributes" do
       instance = subject.new(nil, :symbol)
-      expect(instance.message).to eq('symbol')
+      expect(instance.message).to eq("symbol")
     end
   end
 end

metadata

@@ -1,120 +1,96 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Michael Bleigh
 - Erik Michaels-Ober
-autorequire: 
+- Tom Milewski
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-07-09 00:00:00.000000000 Z
+date: 2022-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: faraday
+  name: oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '1.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '1.4'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.10'
-- !ruby/object:Gem::Dependency
-  name: multi_json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: oauth2
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 description: An abstract OAuth2 strategy for OmniAuth.
 email:
 - michael@intridea.com
 - sferik@gmail.com
+- tmilewski@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
-- Guardfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth-oauth2.rb
 - lib/omniauth-oauth2/version.rb
 - lib/omniauth/strategies/oauth2.rb
 - omniauth-oauth2.gemspec
 - spec/helper.rb
 - spec/omniauth/strategies/oauth2_spec.rb
-homepage: https://github.com/intridea/omniauth-oauth2
+homepage: https://github.com/omniauth/omniauth-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -129,9 +105,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.
 test_files:

data/.travis.yml

@@ -1,22 +0,0 @@
-bundler_args: --without development
-language: ruby
-rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
-  - rbx-2
-  - ruby-head
-matrix:
-  include:
-    - rvm: jruby-18mode
-      env: JRUBY_OPTS="$JRUBY_OPTS --debug"
-    - rvm: jruby-19mode
-      env: JRUBY_OPTS="$JRUBY_OPTS --debug"
-    - rvm: jruby-head
-      env: JRUBY_OPTS="$JRUBY_OPTS --debug"
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-  fast_finish: true

data/Guardfile

@@ -1,11 +0,0 @@
-guard 'rspec', :version => 2 do
-  watch(%r{^spec/.+_spec\.rb$})
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { "spec" }
-end
-
-
-guard 'bundler' do
-  watch('Gemfile')
-  watch(/^.+\.gemspec/)
-end