omniauth-oauth2 1.7.1 → 1.9.0

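--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: '0496e01a0a03c432891358ac0bbe4ed744560f47c88c2cc32a999feafc78e576'
-data.tar.gz: 6196ba4a1880c328392de4e145434fccf1c4a64fdbc8f87c94ffc2e274bb509b
+metadata.gz: a61f10acb3f0765bd7f4e3eea6b6fa3cf4a0a882c5e2a09e37d17417050e9ff2
+data.tar.gz: c558846dc4e8313e580b5ac32705da006227287ef5a0e20df63cf30df4bb8150
 SHA512:
-metadata.gz: 5db83ecb687e9fe790f3c76f3c831aac7a6e2e444e97cf532b08629caf27400bbc242e474c50ba07d1d7e1a39dce6468a62e751981069e191483d5f99bd009d8
-data.tar.gz: 3b66b0a2813184f867646699823b7434a4d7b9ce08594c6eaded5b4b37b965bc6cbae932087fe1bfd446fb126e3245d8b5fe0ec47798ef8f81083f251933d1a9
+metadata.gz: e6fe7535a2b86388f19ff959bed28ec44582e6994bca1442e775c7cdbcb61158a6133a72d2fa86a60252432f05eb12080aa4fb78f01d5de1ae2137f97f07d25a
+data.tar.gz: e2aadabef58d24f214bd83bcdb15426c1a93ac3e8009823285c304467168cfbe9de3ad3a51c6756bd382dadc129d57ab0fef00d0a218d1c5c1d27b19ce958d8d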
@@ -0,0 +1,2 @@
1
+ github: bobbymcwho
2
+ tidelift: rubygems/omniauth-oauth2
@@ -8,42 +8,40 @@ on:
8
8
 
9
9
  jobs:
10
10
  test:
11
- runs-on: ubuntu-18.04
11
+ runs-on: ${{ matrix.os }}
12
+ timeout-minutes: 30
12
13
  strategy:
13
14
  fail-fast: false
14
15
  matrix:
15
- os: [ubuntu, macos]
16
- ruby: [2.5, 2.6, 2.7, head, debug, truffleruby, truffleruby-head]
16
+ os: [ubuntu-latest, macos-latest]
17
+ ruby: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, head, debug, truffleruby, truffleruby-head, jruby, jruby-head]
17
18
  steps:
18
- - uses: actions/checkout@v2
19
+ - uses: actions/checkout@v3
19
20
  - name: Set up Ruby
20
21
  uses: ruby/setup-ruby@v1
21
22
  with:
22
23
  ruby-version: ${{ matrix.ruby }}
23
24
  bundler-cache: true
24
- - name: Install dependencies
25
- run: bundle install
25
+ - name: Set JRUBY_OPTS environment variable
26
+ run: echo "JRUBY_OPTS=--debug" >> "$GITHUB_ENV"
27
+ if: ${{ startsWith(matrix.ruby, 'jruby') }}
26
28
  - name: Run tests
27
29
  run: bundle exec rake
28
- test-jruby:
29
- runs-on: ubuntu-18.04
30
- strategy:
31
- fail-fast: false
32
- matrix:
33
- os: [ubuntu, macos]
34
- jruby: [jruby, jruby-head]
30
+ - uses: actions/upload-artifact@v3
31
+ if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.0' }}
32
+ with:
33
+ name: coverage
34
+ path: coverage/
35
+ retention-days: 1
36
+
37
+ coveralls:
38
+ needs: test
39
+ runs-on: ubuntu-latest
40
+ timeout-minutes: 30
35
41
  steps:
36
- - uses: actions/checkout@v2
37
- - name: Set up Ruby
38
- uses: ruby/setup-ruby@v1
42
+ - uses: actions/download-artifact@v3
39
43
  with:
40
- ruby-version: ${{ matrix.jruby }}
41
- bundler-cache: true
42
- - name: Install dependencies
43
- env:
44
- JRUBY_OPTS: --debug
45
- run: bundle install
46
- - name: Run tests
47
- env:
48
- JRUBY_OPTS: --debug
49
- run: bundle exec rake
44
+ name: coverage
45
+ path: coverage/
46
+ - name: Coveralls GitHub Action
47
+ uses: coverallsapp/github-action@v2
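Review bot: The actions introduced in this hunk — `actions/checkout@v3`, `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `coverallsapp/github-action@v2` — are pinned to mutable major-version tags, so each run executes whatever those tags point at that day; pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: coverallsapp/github-action@<full-commit-sha> # v2`. The new `coveralls` job declares no `permissions:` block and the workflow's top-level `permissions:`, if it has one, is above the hunk; as far as I can tell the coverage upload only needs repository read access, so `permissions:` / `  contents: read` on the job keeps the default `GITHUB_TOKEN` from carrying write scopes. The `v3` artifact actions have, to my knowledge, been announced as deprecated by GitHub — worth verifying before the next bump. Minor: `3.1` and `3.2` in the `ruby` matrix are unquoted while `'3.0'` is quoted; quoting every entry avoids YAML float coercion. The `test` job and the `on:` block begin outside the hunk.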
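--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,9 @@
+## [v1.9.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.9.0)
+- Prevent timing attacks [#174](https://github.com/omniauth/omniauth-oauth2/pull/174)
+- Rescue OAuth2 timeouts [#169](https://github.com/omniauth/omniauth-oauth2/pull/169)
+
+## [v1.8.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.8.0)
+- Relaxes allowed versions of the oauth2 gem. [#146](https://github.com/omniauth/omniauth-oauth2/pull/146)
+- Requires omniauth `~> 2.0` [#152](https://github.com/omniauth/omniauth-oauth2/pull/152)
+
+Please see https://github.com/omniauth/omniauth-oauth2/releases for changelog prior to 1.8.0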
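--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,17 +1,18 @@
 source "https://rubygems.org"
 
-gem "rake", "~> 12.0"
+gem "rake", "~> 13.0"
 
 group :test do
 gem "addressable", "~> 2.3.8", :platforms => %i[jruby ruby_18]
-gem "coveralls"
+gem 'coveralls_reborn', '~> 0.19.0', require: false
 gem "json", :platforms => %i[jruby ruby_18 ruby_19]
 gem "mime-types", "~> 1.25", :platforms => %i[jruby ruby_18]
 gem "rack-test"
 gem "rest-client", "~> 1.8.0", :platforms => %i[jruby ruby_18]
 gem "rspec", "~> 3.2"
 gem "rubocop", ">= 0.51", :platforms => %i[ruby_19 ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
-gem "simplecov", ">= 0.9"
+gem 'simplecov-lcov'
+gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
 gem "webmock", "~> 3.0"
 end
 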
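--- a/data/README.md
+++ b/data/README.md
@@ -1,13 +1,11 @@
 # OmniAuth OAuth2
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth-oauth2.svg)][gem]
-[![Build Status](http://img.shields.io/travis/omniauth/omniauth-oauth2.svg)][travis]
 [![Code Climate](http://img.shields.io/codeclimate/maintainability/intridea/omniauth-oauth2.svg)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/intridea/omniauth-oauth2.svg)][coveralls]
 [![Security](https://hakiri.io/github/omniauth/omniauth-oauth2/master.svg)](https://hakiri.io/github/omniauth/omniauth-oauth2/master)
 
 [gem]: https://rubygems.org/gems/omniauth-oauth2
-[travis]: http://travis-ci.org/omniauth/omniauth-oauth2
 [codeclimate]: https://codeclimate.com/github/intridea/omniauth-oauth2
 [coveralls]: https://coveralls.io/r/intridea/omniauth-oauth2
 
@@ -32,7 +30,7 @@ module OmniAuth
 # This is where you pass the options you would pass when
 # initializing your consumer from the OAuth gem.
 option :client_options, {:site => "https://api.somesite.com"}
-
+
 # You may specify that your strategy should use PKCE by setting
 # the pkce option to true: https://tools.ietf.org/html/rfc7636
 option :pkce, true
@@ -66,3 +64,13 @@ end
 ```
 
 That's pretty much it!
+
+## OmniAuth-OAuth2 for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
+
+## Supported Ruby Versions
+
+OmniAuth is tested under 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, truffleruby, and JRuby.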
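--- a/data/SECURITY.md
+++ b/data/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.7.x | :white_check_mark: |
+| <= 1.6.x | :x: |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.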
@@ -83,10 +83,10 @@ module OmniAuth
83
83
 
84
84
  def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
85
85
  error = request.params["error_reason"] || request.params["error"]
86
- if error
87
- fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
88
- elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
86
+ if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
89
87
  fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
88
+ elsif error
89
+ fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
90
90
  else
91
91
  self.access_token = build_access_token
92
92
  self.access_token = access_token.refresh! if access_token.expired?
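Review bot: `secure_compare(request.params["state"], session.delete("omniauth.state"))` raises NoMethodError instead of failing with `:csrf_detected` when the session holds no `omniauth.state` (expired session, lost cookie, replayed callback), because the helper defined further down calls `bytesize` on both arguments and `nil` has none; the `!=` comparison it replaces handled that case. The same crash occurs if Rack parses `state` as an Array (`state[]=x`), which passes the `.to_s.empty?` guard, and none of the rescue clauses below catch NoMethodError, so the request ends in a 500 rather than a clean failure. Coerce both sides once: `state = request.params["state"].to_s` followed by `if !options.provider_ignores_state && (state.empty? || !secure_compare(state, session.delete("omniauth.state").to_s))`. The body of `callback_phase` continues past the hunk.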
@@ -94,7 +94,7 @@ module OmniAuth
94
94
  end
95
95
  rescue ::OAuth2::Error, CallbackError => e
96
96
  fail!(:invalid_credentials, e)
97
- rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
97
+ rescue ::Timeout::Error, ::Errno::ETIMEDOUT, ::OAuth2::TimeoutError, ::OAuth2::ConnectionError => e
98
98
  fail!(:timeout, e)
99
99
  rescue ::SocketError => e
100
100
  fail!(:failed_to_connect, e)
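Review bot: `::OAuth2::ConnectionError` is bucketed as `:timeout`, although by its name it covers connection failures generally, which this method otherwise reports as `:failed_to_connect` via `::SocketError`; `rescue ::SocketError, ::OAuth2::ConnectionError => e` on the following clause would keep the failure codes callers branch on consistent. Constants in a rescue clause are only resolved when an exception actually reaches it, so if the installed oauth2 release predates `OAuth2::TimeoutError` or `OAuth2::ConnectionError` the original error is replaced by a NameError at the worst moment — the gemspec floor of `>= 2.0.2` should be verified to ship both. `callback_phase` starts outside the hunk.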
@@ -144,6 +144,17 @@ module OmniAuth
144
144
  hash
145
145
  end
146
146
 
147
+ # constant-time comparison algorithm to prevent timing attacks
148
+ def secure_compare(string_a, string_b)
149
+ return false unless string_a.bytesize == string_b.bytesize
150
+
151
+ l = string_a.unpack "C#{string_a.bytesize}"
152
+
153
+ res = 0
154
+ string_b.each_byte { |byte| res |= byte ^ l.shift }
155
+ res.zero?
156
+ end
157
+
147
158
  # An error that is indicated in the OAuth 2.0 callback.
148
159
  # This could be a `redirect_uri_mismatch` or other
149
160
  class CallbackError < StandardError
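Review bot: `secure_compare` assumes both arguments are Strings — `string_b.bytesize` raises on `nil` and `string_a.unpack` on anything non-String — yet its only visible caller passes `session.delete("omniauth.state")`, which is nil whenever the key is absent. Make the helper total with `a = string_a.to_s` / `b = string_b.to_s` at the top and compare those. The early `return false` on a length mismatch leaks the length of the expected state through timing; that is the usual accepted trade-off, but the comment should state it, e.g. `# constant-time in content, not length: unequal lengths return early`. On Ruby >= 2.7 `OpenSSL.fixed_length_secure_compare` could replace the hand-rolled XOR loop, though the gem still tests 2.5 so a fallback would be needed.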
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module OAuth2
3
- VERSION = "1.7.1".freeze
3
+ VERSION = "1.9.0".freeze
4
4
  end
5
5
  end
@@ -3,8 +3,8 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
3
  require "omniauth-oauth2/version"
4
4
 
5
5
  Gem::Specification.new do |gem|
6
- gem.add_dependency "oauth2", "~> 1.4"
7
- gem.add_dependency "omniauth", [">= 1.9", "< 3"]
6
+ gem.add_dependency "oauth2", [">= 2.0.2", "< 3"]
7
+ gem.add_dependency "omniauth", "~> 2.0"
8
8
 
9
9
  gem.add_development_dependency "bundler", "~> 2.0"
10
10
 
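--- a/data/spec/helper.rb
+++ b/data/spec/helper.rb
@@ -3,9 +3,16 @@ $LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
 
 if RUBY_VERSION >= "1.9"
 require "simplecov"
+require "simplecov-lcov"
 require "coveralls"
 
-SimpleCov.formatters = [SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter]
+SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+
+SimpleCov.formatters = [
+SimpleCov::Formatter::HTMLFormatter,
+SimpleCov::Formatter::LcovFormatter,
+Coveralls::SimpleCov::Formatter
+]
 
 SimpleCov.start do
 minimum_coverage(78.48)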
@@ -97,16 +97,86 @@ describe OmniAuth::Strategies::OAuth2 do
97
97
  end
98
98
 
99
99
  describe "#callback_phase" do
100
- subject { fresh_strategy }
101
- it "calls fail with the client error received" do
102
- instance = subject.new("abc", "def")
100
+ subject(:instance) { fresh_strategy.new("abc", "def") }
101
+
102
+ let(:params) { {"error_reason" => "user_denied", "error" => "access_denied", "state" => state} }
103
+ let(:state) { "secret" }
104
+
105
+ before do
103
106
  allow(instance).to receive(:request) do
104
- double("Request", :params => {"error_reason" => "user_denied", "error" => "access_denied"})
107
+ double("Request", :params => params)
105
108
  end
106
109
 
110
+ allow(instance).to receive(:session) do
111
+ double("Session", :delete => state)
112
+ end
113
+ end
114
+
115
+ it "calls fail with the error received" do
116
+ expect(instance).to receive(:fail!).with("user_denied", anything)
117
+
118
+ instance.callback_phase
119
+ end
120
+
121
+ it "calls fail with the error received if state is missing and CSRF verification is disabled" do
122
+ params["state"] = nil
123
+ instance.options.provider_ignores_state = true
124
+
107
125
  expect(instance).to receive(:fail!).with("user_denied", anything)
126
+
127
+ instance.callback_phase
128
+ end
129
+
130
+ it "calls fail with a CSRF error if the state is missing" do
131
+ params["state"] = nil
132
+
133
+ expect(instance).to receive(:fail!).with(:csrf_detected, anything)
108
134
  instance.callback_phase
109
135
  end
136
+
137
+ it "calls fail with a CSRF error if the state is invalid" do
138
+ params["state"] = "invalid"
139
+
140
+ expect(instance).to receive(:fail!).with(:csrf_detected, anything)
141
+ instance.callback_phase
142
+ end
143
+
144
+ describe 'exception handlings' do
145
+ let(:params) do
146
+ {"code" => "code", "state" => state}
147
+ end
148
+
149
+ before do
150
+ allow_any_instance_of(OmniAuth::Strategies::OAuth2).to receive(:build_access_token).and_raise(exception)
151
+ end
152
+
153
+ {
154
+ :invalid_credentials => [OAuth2::Error, OmniAuth::Strategies::OAuth2::CallbackError],
155
+ :timeout => [Timeout::Error, Errno::ETIMEDOUT, OAuth2::TimeoutError, OAuth2::ConnectionError],
156
+ :failed_to_connect => [SocketError]
157
+ }.each do |error_type, exceptions|
158
+ exceptions.each do |klass|
159
+ context "when #{klass}" do
160
+ let(:exception) { klass.new 'error' }
161
+
162
+ it do
163
+ expect(instance).to receive(:fail!).with(error_type, exception)
164
+ instance.callback_phase
165
+ end
166
+ end
167
+ end
168
+ end
169
+ end
170
+ end
171
+
172
+ describe "#secure_compare" do
173
+ subject { fresh_strategy }
174
+
175
+ it "returns true when the two inputs are the same and false otherwise" do
176
+ instance = subject.new("abc", "def")
177
+ expect(instance.send(:secure_compare, "a", "a")).to be true
178
+ expect(instance.send(:secure_compare, "b", "a")).to be false
179
+ end
110
180
  end
111
181
  end
112
182
 
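Review bot: The `#secure_compare` example only exercises equal-length inputs, so the `bytesize` early return is never hit; add `expect(instance.send(:secure_compare, "ab", "a")).to be false`, and, once the helper tolerates nil, `expect(instance.send(:secure_compare, "a", nil)).to be false`. The `Session` double in `#callback_phase` always answers `delete` with `state`, so the missing-session-state path (expired session or replayed callback, where `delete` returns nil) is never driven through `callback_phase`; a variant with `double("Session", :delete => nil)` asserting `fail!(:csrf_detected, anything)` would cover it and would currently expose a NoMethodError rather than pass. The enclosing `describe OmniAuth::Strategies::OAuth2` block opens before the hunk.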
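--- a/metadata
+++ b/metadata
@@ -1,51 +1,51 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-version: 1.7.1
+version: 1.9.0
 platform: ruby
 authors:
 - Michael Bleigh
 - Erik Michaels-Ober
 - Tom Milewski
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2025-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: oauth2
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.0.2
+- - "<"
 - !ruby/object:Gem::Version
-version: '1.4'
+version: '3'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.0.2
+- - "<"
 - !ruby/object:Gem::Version
-version: '1.4'
+version: '3'
 - !ruby/object:Gem::Dependency
 name: omniauth
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.9'
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
-version: '3'
+version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.9'
-- - "<"
+- - "~>"
 - !ruby/object:Gem::Version
-version: '3'
+version: '2.0'
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement
@@ -69,15 +69,17 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth-oauth2.rb
 - lib/omniauth-oauth2/version.rb
 - lib/omniauth/strategies/oauth2.rb
@@ -88,7 +90,7 @@ homepage: https://github.com/omniauth/omniauth-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -103,8 +105,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.5.11
+signing_key:
 specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.
 test_files: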
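--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,22 +0,0 @@
-bundler_args: --without development
-before_install:
-- gem update --system
-- gem update bundler
-cache: bundler
-env:
-global:
-- JRUBY_OPTS="$JRUBY_OPTS --debug"
-language: ruby
-rvm:
-- jruby-9000
-- 2.4.4
-- 2.5.3
-- jruby-head
-- ruby-head
-- truffleruby-head
-matrix:
-allow_failures:
-- rvm: jruby-head
-- rvm: ruby-head
-fast_finish: true
-sudo: false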