omniauth-oauth2 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f5cd52cdcb930eb0df65da3d7659a8e46f19db3426e0ecd8b3565b51e951331f
-  data.tar.gz: 6ed5b399aef49e82b265ff6175c849c44415f8b19f81ee5eb5d988ebb6c95fc8
+  metadata.gz: a61f10acb3f0765bd7f4e3eea6b6fa3cf4a0a882c5e2a09e37d17417050e9ff2
+  data.tar.gz: c558846dc4e8313e580b5ac32705da006227287ef5a0e20df63cf30df4bb8150
 SHA512:
-  metadata.gz: e6bc5b97b326e37aa1e2ebb294b3459b57ba5dbb4d1e8b7e1709ed2dc9cfb8cc3b1b6f70ebbd0d5d830834af2472afe5b34762cf63f99a508334edee0d86b15a
-  data.tar.gz: 5c6cea848d8c9895495f7e931a3acfcee6e5e773824714e4de8bacfdc7aa70c3e40ad5cbce92b9a0d115f1dbd1f26aea7dc2b7a7bc02b1050cf38c501c3b7d45
+  metadata.gz: e6fe7535a2b86388f19ff959bed28ec44582e6994bca1442e775c7cdbcb61158a6133a72d2fa86a60252432f05eb12080aa4fb78f01d5de1ae2137f97f07d25a
+  data.tar.gz: e2aadabef58d24f214bd83bcdb15426c1a93ac3e8009823285c304467168cfbe9de3ad3a51c6756bd382dadc129d57ab0fef00d0a218d1c5c1d27b19ce958d8d

data/.github/workflows/main.yml

@@ -8,60 +8,40 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu, macos]
-        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, head, debug, truffleruby, truffleruby-head]
+        os: [ubuntu-latest, macos-latest]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, head, debug, truffleruby, truffleruby-head, jruby, jruby-head]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true
-    - name: Install dependencies
-      run: bundle install
+    - name: Set JRUBY_OPTS environment variable
+      run: echo "JRUBY_OPTS=--debug" >> "$GITHUB_ENV"
+      if: ${{ startsWith(matrix.ruby, 'jruby') }}
     - name: Run tests
       run: bundle exec rake
-  test-jruby:
-    runs-on: ubuntu-18.04
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu, macos]
-        jruby: [jruby, jruby-head]
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+    - uses: actions/upload-artifact@v3
+      if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.0' }}
       with:
-        ruby-version: ${{ matrix.jruby }}
-        bundler-cache: true
-    - name: Install dependencies
-      env:
-        JRUBY_OPTS: --debug
-      run: bundle install
-    - name: Run tests
-      env:
-        JRUBY_OPTS: --debug
-      run: bundle exec rake
+        name: coverage
+        path: coverage/
+        retention-days: 1
+
   coveralls:
-    runs-on: ubuntu-18.04
+    needs: test
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+    - uses: actions/download-artifact@v3
       with:
-        ruby-version: 2.6
-        bundler-cache: true
-    - name: Install dependencies
-      run: bundle install
-    - name: Run tests
-      run: bundle exec rake
+        name: coverage
+        path: coverage/
     - name: Coveralls GitHub Action
-      uses: coverallsapp/github-action@v1.1.2
-      with:
-        github-token: ${{ secrets.github_token }}
-        path-to-lcov: './coverage/lcov/omniauth-oauth2.lcov'
+      uses: coverallsapp/github-action@v2

data/CHANGELOG.md

@@ -1,4 +1,8 @@
-## [v1.8.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.7.3)
+## [v1.9.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.9.0)
+- Prevent timing attacks [#174](https://github.com/omniauth/omniauth-oauth2/pull/174)
+- Rescue OAuth2 timeouts [#169](https://github.com/omniauth/omniauth-oauth2/pull/169)
+
+## [v1.8.0](https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.8.0)
 - Relaxes allowed versions of the oauth2 gem. [#146](https://github.com/omniauth/omniauth-oauth2/pull/146)
 - Requires omniauth `~> 2.0` [#152](https://github.com/omniauth/omniauth-oauth2/pull/152) 
 

data/README.md

@@ -72,4 +72,5 @@ Available as part of the Tidelift Subscription.
 The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
 
 ## Supported Ruby Versions
-OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.
+
+OmniAuth is tested under 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, truffleruby, and JRuby.

data/lib/omniauth/strategies/oauth2.rb

@@ -83,7 +83,7 @@ module OmniAuth
 
       def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
         error = request.params["error_reason"] || request.params["error"]
-        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
           fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
         elsif error
           fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
@@ -94,7 +94,7 @@ module OmniAuth
         end
       rescue ::OAuth2::Error, CallbackError => e
         fail!(:invalid_credentials, e)
-      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT, ::OAuth2::TimeoutError, ::OAuth2::ConnectionError => e
         fail!(:timeout, e)
       rescue ::SocketError => e
         fail!(:failed_to_connect, e)
@@ -144,6 +144,17 @@ module OmniAuth
         hash
       end
 
+       # constant-time comparison algorithm to prevent timing attacks
+       def secure_compare(string_a, string_b)
+        return false unless string_a.bytesize == string_b.bytesize
+
+        l = string_a.unpack "C#{string_a.bytesize}"
+
+        res = 0
+        string_b.each_byte { |byte| res |= byte ^ l.shift }
+        res.zero?
+      end
+
       # An error that is indicated in the OAuth 2.0 callback.
       # This could be a `redirect_uri_mismatch` or other
       class CallbackError < StandardError

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = "1.8.0".freeze
+    VERSION = "1.9.0".freeze
   end
 end

data/omniauth-oauth2.gemspec

@@ -3,8 +3,8 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "omniauth-oauth2/version"
 
 Gem::Specification.new do |gem|
-  gem.add_dependency "oauth2",     [">= 1.4", "< 3"]
-  gem.add_dependency "omniauth",   "~> 2.0"
+  gem.add_dependency "oauth2",  [">= 2.0.2", "< 3"]
+  gem.add_dependency "omniauth", "~> 2.0"
 
   gem.add_development_dependency "bundler", "~> 2.0"
 

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -140,6 +140,43 @@ describe OmniAuth::Strategies::OAuth2 do
       expect(instance).to receive(:fail!).with(:csrf_detected, anything)
       instance.callback_phase
     end
+
+    describe 'exception handlings' do
+      let(:params) do
+        {"code" => "code", "state" => state}
+      end
+
+      before do
+        allow_any_instance_of(OmniAuth::Strategies::OAuth2).to receive(:build_access_token).and_raise(exception)
+      end
+
+      {
+        :invalid_credentials => [OAuth2::Error, OmniAuth::Strategies::OAuth2::CallbackError],
+        :timeout => [Timeout::Error, Errno::ETIMEDOUT, OAuth2::TimeoutError, OAuth2::ConnectionError],
+        :failed_to_connect => [SocketError]
+      }.each do |error_type, exceptions|
+        exceptions.each do |klass|
+          context "when #{klass}" do
+            let(:exception) { klass.new 'error' }
+
+            it do
+              expect(instance).to receive(:fail!).with(error_type, exception)
+              instance.callback_phase
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe "#secure_compare" do
+    subject { fresh_strategy }
+
+    it "returns true when the two inputs are the same and false otherwise" do
+      instance = subject.new("abc", "def")
+      expect(instance.send(:secure_compare, "a", "a")).to be true
+      expect(instance.send(:secure_compare, "b", "a")).to be false
+    end
   end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Michael Bleigh
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-18 00:00:00.000000000 Z
+date: 2025-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -18,7 +18,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 2.0.2
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -28,7 +28,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 2.0.2
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.