omniauth-oauth2 1.0.3 → 1.1.0

data/lib/omniauth/strategies/oauth2.rb

@@ -3,6 +3,7 @@ require 'uri'
 require 'oauth2'
 require 'omniauth'
 require 'timeout'
+require 'securerandom'
 
 module OmniAuth
   module Strategies
@@ -47,7 +48,16 @@ module OmniAuth
       end
 
       def authorize_params
-        options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+        if options.authorize_params[:state].to_s.empty?
+          options.authorize_params[:state] = SecureRandom.hex(24)
+        end
+        params = options.authorize_params.merge(options.authorize_options.inject({}){|h,k| h[k.to_sym] = options[k] if options[k]; h})
+        if OmniAuth.config.test_mode
+          @env ||= {}
+          @env['rack.session'] ||= {}
+        end
+        session['omniauth.state'] = params[:state]
+        params
       end
 
       def token_params
@@ -58,6 +68,9 @@ module OmniAuth
         if request.params['error'] || request.params['error_reason']
           raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
         end
+        if request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state')
+          raise CallbackError.new(nil, :csrf_detected)
+        end
 
         self.access_token = build_access_token
         self.access_token = access_token.refresh! if access_token.expired?

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = "1.0.3"
+    VERSION = "1.1.0"
   end
 end

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -4,6 +4,14 @@ describe OmniAuth::Strategies::OAuth2 do
   def app; lambda{|env| [200, {}, ["Hello."]]} end
   let(:fresh_strategy){ Class.new(OmniAuth::Strategies::OAuth2) }
 
+  before do
+    OmniAuth.config.test_mode = true
+  end
+
+  after do
+    OmniAuth.config.test_mode = false
+  end
+
   describe '#client' do
     subject{ fresh_strategy }
 
@@ -22,13 +30,20 @@ describe OmniAuth::Strategies::OAuth2 do
     subject { fresh_strategy }
 
     it 'should include any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', :authorize_params => {:foo => 'bar', :baz => 'zip'})
-      instance.authorize_params.should == {'foo' => 'bar', 'baz' => 'zip'}
+      instance = subject.new('abc', 'def', :authorize_params => {:foo => 'bar', :baz => 'zip', :state => '123'})
+      instance.authorize_params.should == {'foo' => 'bar', 'baz' => 'zip', 'state' => '123'}
     end
 
     it 'should include top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', :authorize_options => [:scope, :foo], :scope => 'bar', :foo => 'baz')
-      instance.authorize_params.should == {'scope' => 'bar', 'foo' => 'baz'}
+      instance = subject.new('abc', 'def', :authorize_options => [:scope, :foo], :scope => 'bar', :foo => 'baz', :authorize_params => {:state => '123'})
+      instance.authorize_params.should == {'scope' => 'bar', 'foo' => 'baz', 'state' => '123'}
+    end
+
+    it 'should include random state in the authorize params' do
+      instance = subject.new('abc', 'def')
+      instance.authorize_params.keys.should == ['state']
+      instance.session['omniauth.state'].should_not be_empty
+      instance.session['omniauth.state'].should == instance.authorize_params['state']
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-07-05 00:00:00.000000000 Z
+date: 2012-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth