omniauth-oauth2 1.6.0 → 1.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0e32b47809789079fefb676477c2068c5847c8c9
-  data.tar.gz: 8bff0bfc6b4a45c5da7cb3a9eb93d3c20cacd4f2
+SHA256:
+  metadata.gz: 1cfccae8e5d95ff37c5a88596fc3464bfdc10471b94d25be1276b47588307e63
+  data.tar.gz: 260bb7870be94104e5c40508efccbc0553f6bd10a73f9181638f4879e8e7c4be
 SHA512:
-  metadata.gz: b5ffee16532d167a95ad5cf152cdddb219365da8ef87c6ff34c943cc999e02e25b0db2fb43a9067ec11659ad39108ebd1930aa44f55a94bcb5aba05befd3e427
-  data.tar.gz: 4417d7eedb1880ba3af05f2cddedcfc894dc1f286b0760d98433dfffcbf51eff8725c371e6fd1f82ddb7a73d13fa87ee753e1fee03ee26a6dbed48ca6aee3884
+  metadata.gz: 16a414cb96f9b74322df084c76ee88ed97c54d881dc202df9b7d1ff63810bbe55c5b00add89d4a3230b50ecf8130f3c25c7c38ca446a6b954fcacd219c6f0c89
+  data.tar.gz: cc57ebdec3e22f48f9e8b780960152c115976ff4cc76e289b0dc37f0ced30105fb9512048e27123466c44202c8788a6786839d4f07fc71856fd87c461b5a7680

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth-oauth2

data/.github/workflows/main.yml

@@ -0,0 +1,67 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, head, debug, truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+  test-jruby:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby, jruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle install
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v1.1.2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth-oauth2.lcov'

data/.rubocop.yml

@@ -1,15 +1,34 @@
+AllCops:
+  NewCops: enable
+
+Gemspec/RequiredRubyVersion:
+  Enabled: false
+
 Layout/AccessModifierIndentation:
   EnforcedStyle: outdent
 
+Layout/LineLength:
+  AllowURI: true
+  Enabled: false
+
 Layout/SpaceInsideHashLiteralBraces:
   EnforcedStyle: no_space
 
+Lint/MissingSuper:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 18
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/omniauth/strategies/oauth2_spec.rb
+
 Metrics/BlockNesting:
   Max: 2
 
-Metrics/LineLength:
-  AllowURI: true
-  Enabled: false
+Metrics/ClassLength:
+  Max: 110
 
 Metrics/MethodLength:
   CountComments: false
@@ -19,6 +38,10 @@ Metrics/ParameterLists:
   Max: 4
   CountKeywordArgs: true
 
+Naming/FileName:
+  Exclude:
+    - lib/omniauth-oauth2.rb
+
 Style/CollectionMethods:
   PreferredMethods:
     map:      'collect'
@@ -35,6 +58,9 @@ Style/DoubleNegation:
 Style/ExpandPathArguments:
   Enabled: false
 
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
 Style/HashSyntax:
   EnforcedStyle: hash_rockets
 
@@ -52,4 +78,3 @@ Style/TrailingCommaInHashLiteral:
 
 Style/TrailingCommaInArrayLiteral:
   EnforcedStyleForMultiline: comma
-  

data/Gemfile

@@ -1,17 +1,18 @@
 source "https://rubygems.org"
 
-gem "rake", "~> 12.0"
+gem "rake", "~> 13.0"
 
 group :test do
   gem "addressable", "~> 2.3.8", :platforms => %i[jruby ruby_18]
-  gem "coveralls"
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
   gem "json", :platforms => %i[jruby ruby_18 ruby_19]
   gem "mime-types", "~> 1.25", :platforms => %i[jruby ruby_18]
   gem "rack-test"
   gem "rest-client", "~> 1.8.0", :platforms => %i[jruby ruby_18]
   gem "rspec", "~> 3.2"
   gem "rubocop", ">= 0.51", :platforms => %i[ruby_19 ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
-  gem "simplecov", ">= 0.9"
+  gem 'simplecov-lcov'
+  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
   gem "webmock", "~> 3.0"
 end
 

data/README.md

@@ -1,17 +1,13 @@
 # OmniAuth OAuth2
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth-oauth2.svg)][gem]
-[![Build Status](http://img.shields.io/travis/omniauth/omniauth-oauth2.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/omniauth/omniauth-oauth2.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/intridea/omniauth-oauth2.svg)][codeclimate]
+[![Code Climate](http://img.shields.io/codeclimate/maintainability/intridea/omniauth-oauth2.svg)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/intridea/omniauth-oauth2.svg)][coveralls]
 [![Security](https://hakiri.io/github/omniauth/omniauth-oauth2/master.svg)](https://hakiri.io/github/omniauth/omniauth-oauth2/master)
 
 [gem]: https://rubygems.org/gems/omniauth-oauth2
-[travis]: http://travis-ci.org/omniauth/omniauth-oauth2
-[gemnasium]: https://gemnasium.com/github.com/omniauth/omniauth-oauth2
-[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-oauth2
-[coveralls]: https://coveralls.io/r/omniauth/omniauth-oauth2
+[codeclimate]: https://codeclimate.com/github/intridea/omniauth-oauth2
+[coveralls]: https://coveralls.io/r/intridea/omniauth-oauth2
 
 This gem contains a generic OAuth2 strategy for OmniAuth. It is meant to serve
 as a building block strategy for other strategies and not to be used
@@ -35,6 +31,10 @@ module OmniAuth
       # initializing your consumer from the OAuth gem.
       option :client_options, {:site => "https://api.somesite.com"}
 
+      # You may specify that your strategy should use PKCE by setting
+      # the pkce option to true: https://tools.ietf.org/html/rfc7636
+      option :pkce, true
+
       # These are called after authentication has succeeded. If
       # possible, you should try to set the UID without making
       # additional calls (if the user id is returned with the token
@@ -65,3 +65,11 @@ end
 
 That's pretty much it!
 
+## OmniAuth-OAuth2 for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
+
+## Supported Ruby Versions
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.

data/Rakefile

@@ -1,4 +1,5 @@
 #!/usr/bin/env rake
+
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 

data/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 1.7.x    | :white_check_mark: |
+| <= 1.6.x | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/strategies/oauth2.rb

@@ -24,11 +24,22 @@ module OmniAuth
       option :client_secret, nil
       option :client_options, {}
       option :authorize_params, {}
-      option :authorize_options, [:scope]
+      option :authorize_options, %i[scope state]
       option :token_params, {}
       option :token_options, []
       option :auth_token_params, {}
       option :provider_ignores_state, false
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        :code_challenge => proc { |verifier|
+          Base64.urlsafe_encode64(
+            Digest::SHA2.digest(verifier),
+            :padding => false,
+          )
+        },
+        :code_challenge_method => "S256",
+      }
 
       attr_accessor :access_token
 
@@ -48,27 +59,34 @@ module OmniAuth
         redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
       end
 
-      def authorize_params
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
         options.authorize_params[:state] = SecureRandom.hex(24)
-        params = options.authorize_params.merge(options_for("authorize"))
+
         if OmniAuth.config.test_mode
           @env ||= {}
           @env["rack.session"] ||= {}
         end
+
+        params = options.authorize_params
+                        .merge(options_for("authorize"))
+                        .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
         session["omniauth.state"] = params[:state]
+
         params
       end
 
       def token_params
-        options.token_params.merge(options_for("token"))
+        options.token_params.merge(options_for("token")).merge(pkce_token_params)
       end
 
-      def callback_phase # rubocop:disable AbcSize, CyclomaticComplexity, MethodLength, PerceivedComplexity
+      def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
         error = request.params["error_reason"] || request.params["error"]
-        if error
-          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
-        elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
           fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        elsif error
+          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
         else
           self.access_token = build_access_token
           self.access_token = access_token.refresh! if access_token.expired?
@@ -84,23 +102,44 @@ module OmniAuth
 
     protected
 
+      def pkce_authorize_params
+        return {} unless options.pkce
+
+        options.pkce_verifier = SecureRandom.hex(64)
+
+        # NOTE: see https://tools.ietf.org/html/rfc7636#appendix-A
+        {
+          :code_challenge => options.pkce_options[:code_challenge]
+                                    .call(options.pkce_verifier),
+          :code_challenge_method => options.pkce_options[:code_challenge_method],
+        }
+      end
+
+      def pkce_token_params
+        return {} unless options.pkce
+
+        {:code_verifier => session.delete("omniauth.pkce.verifier")}
+      end
+
       def build_access_token
         verifier = request.params["code"]
         client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)), deep_symbolize(options.auth_token_params))
       end
 
       def deep_symbolize(options)
-        hash = {}
-        options.each do |key, value|
+        options.each_with_object({}) do |(key, value), hash|
           hash[key.to_sym] = value.is_a?(Hash) ? deep_symbolize(value) : value
         end
-        hash
       end
 
       def options_for(option)
         hash = {}
         options.send(:"#{option}_options").select { |key| options[key] }.each do |key|
-          hash[key.to_sym] = options[key]
+          hash[key.to_sym] = if options[key].respond_to?(:call)
+                               options[key].call(env)
+                             else
+                               options[key]
+                             end
         end
         hash
       end

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = "1.6.0".freeze
+    VERSION = "1.7.3".freeze
   end
 end

data/lib/omniauth-oauth2.rb

@@ -1,2 +1,2 @@
-require "omniauth-oauth2/version" # rubocop:disable FileName
+require "omniauth-oauth2/version"
 require "omniauth/strategies/oauth2"

data/omniauth-oauth2.gemspec

@@ -3,10 +3,10 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "omniauth-oauth2/version"
 
 Gem::Specification.new do |gem|
-  gem.add_dependency "oauth2",     "~> 1.1"
-  gem.add_dependency "omniauth",   "~> 1.9"
+  gem.add_dependency "oauth2",     [">= 1.4", "< 3"]
+  gem.add_dependency "omniauth",   [">= 1.9", "< 3"]
 
-  gem.add_development_dependency "bundler", "~> 1.0"
+  gem.add_development_dependency "bundler", "~> 2.0"
 
   gem.authors       = ["Michael Bleigh", "Erik Michaels-Ober", "Tom Milewski"]
   gem.email         = ["michael@intridea.com", "sferik@gmail.com", "tmilewski@gmail.com"]

data/spec/helper.rb

@@ -3,9 +3,16 @@ $LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
 
 if RUBY_VERSION >= "1.9"
   require "simplecov"
+  require "simplecov-lcov"
   require "coveralls"
 
-  SimpleCov.formatters = [SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter]
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::LcovFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
 
   SimpleCov.start do
     minimum_coverage(78.48)

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -1,6 +1,6 @@
 require "helper"
 
-describe OmniAuth::Strategies::OAuth2 do # rubocop:disable Metrics/BlockLength
+describe OmniAuth::Strategies::OAuth2 do
   def app
     lambda do |_env|
       [200, {}, ["Hello."]]
@@ -52,6 +52,7 @@ describe OmniAuth::Strategies::OAuth2 do # rubocop:disable Metrics/BlockLength
       instance = subject.new("abc", "def", :authorize_options => %i[scope foo state], :scope => "bar", :foo => "baz")
       expect(instance.authorize_params["scope"]).to eq("bar")
       expect(instance.authorize_params["foo"]).to eq("baz")
+      expect(instance.authorize_params["state"]).not_to be_empty
     end
 
     it "includes random state in the authorize params" do
@@ -59,6 +60,19 @@ describe OmniAuth::Strategies::OAuth2 do # rubocop:disable Metrics/BlockLength
       expect(instance.authorize_params.keys).to eq(["state"])
       expect(instance.session["omniauth.state"]).not_to be_empty
     end
+
+    it "includes custom state in the authorize params" do
+      instance = subject.new("abc", "def", :state => proc { "qux" })
+      expect(instance.authorize_params.keys).to eq(["state"])
+      expect(instance.session["omniauth.state"]).to eq("qux")
+    end
+
+    it "includes PKCE parameters if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      expect(instance.authorize_params[:code_challenge]).to be_a(String)
+      expect(instance.authorize_params[:code_challenge_method]).to eq("S256")
+      expect(instance.session["omniauth.pkce.verifier"]).to be_a(String)
+    end
   end
 
   describe "#token_params" do
@@ -73,17 +87,57 @@ describe OmniAuth::Strategies::OAuth2 do # rubocop:disable Metrics/BlockLength
       instance = subject.new("abc", "def", :token_options => %i[scope foo], :scope => "bar", :foo => "baz")
       expect(instance.token_params).to eq("scope" => "bar", "foo" => "baz")
     end
+
+    it "includes the PKCE code_verifier if enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      # setup session
+      instance.authorize_params
+      expect(instance.token_params[:code_verifier]).to be_a(String)
+    end
   end
 
   describe "#callback_phase" do
-    subject { fresh_strategy }
-    it "calls fail with the client error received" do
-      instance = subject.new("abc", "def")
+    subject(:instance) { fresh_strategy.new("abc", "def") }
+
+    let(:params) { {"error_reason" => "user_denied", "error" => "access_denied", "state" => state} }
+    let(:state) { "secret" }
+
+    before do
       allow(instance).to receive(:request) do
-        double("Request", :params => {"error_reason" => "user_denied", "error" => "access_denied"})
+        double("Request", :params => params)
       end
 
+      allow(instance).to receive(:session) do
+        double("Session", :delete => state)
+      end
+    end
+
+    it "calls fail with the error received" do
       expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with the error received if state is missing and CSRF verification is disabled" do
+      params["state"] = nil
+      instance.options.provider_ignores_state = true
+
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is missing" do
+      params["state"] = nil
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is invalid" do
+      params["state"] = "invalid"
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
       instance.callback_phase
     end
   end

metadata

@@ -1,59 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.3
 platform: ruby
 authors:
 - Michael Bleigh
 - Erik Michaels-Ober
 - Tom Milewski
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-12-14 00:00:00.000000000 Z
+date: 2022-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 description: An abstract OAuth2 strategy for OmniAuth.
 email:
 - michael@intridea.com
@@ -63,14 +75,16 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth-oauth2.rb
 - lib/omniauth-oauth2/version.rb
 - lib/omniauth/strategies/oauth2.rb
@@ -81,7 +95,7 @@ homepage: https://github.com/omniauth/omniauth-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -96,9 +110,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.11
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.
 test_files:

data/.travis.yml

@@ -1,23 +0,0 @@
-bundler_args: --without development
-before_install:
-  - gem update --system
-  - gem update bundler
-cache: bundler
-env:
-  global:
-    - JRUBY_OPTS="$JRUBY_OPTS --debug"
-language: ruby
-rvm:
-  - jruby-9000
-  - 2.2.9
-  - 2.3.5
-  - 2.4.4
-  - 2.5.3
-  - jruby-head
-  - ruby-head
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-  fast_finish: true
-sudo: false