omniauth-oauth2 1.7.1 → 1.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0496e01a0a03c432891358ac0bbe4ed744560f47c88c2cc32a999feafc78e576'
-  data.tar.gz: 6196ba4a1880c328392de4e145434fccf1c4a64fdbc8f87c94ffc2e274bb509b
+  metadata.gz: eed560b878b25e1f2fa484d75ec45114ea450ff41e9b13ab4e65ba2af728a539
+  data.tar.gz: 25cb6f386671fdc7c642e87b9f3069a0da4cca234c23bbcf597cca828ad87a9f
 SHA512:
-  metadata.gz: 5db83ecb687e9fe790f3c76f3c831aac7a6e2e444e97cf532b08629caf27400bbc242e474c50ba07d1d7e1a39dce6468a62e751981069e191483d5f99bd009d8
-  data.tar.gz: 3b66b0a2813184f867646699823b7434a4d7b9ce08594c6eaded5b4b37b965bc6cbae932087fe1bfd446fb126e3245d8b5fe0ec47798ef8f81083f251933d1a9
+  metadata.gz: 872af8f8b8dade1df9186467c89e337f1328bc79714a3ce3178846ac4bfec339c0d29620e3b69ce7398aa3d61371b04a281fc6fe699f17f651b7a338b9dca9cb
+  data.tar.gz: 438d8c082691dbc31045f0be9efc650f97e1d5ff9db56c78c47b55eb55417ae0a66cfb4943717b4eaf9edceb23c4ab1ff86fb7b48301e7501f486c3c060c573b

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth-oauth2

data/.github/workflows/main.yml

@@ -47,3 +47,21 @@ jobs:
       env:
         JRUBY_OPTS: --debug
       run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v1.1.2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth-oauth2.lcov'

data/Gemfile

@@ -1,17 +1,18 @@
 source "https://rubygems.org"
 
-gem "rake", "~> 12.0"
+gem "rake", "~> 13.0"
 
 group :test do
   gem "addressable", "~> 2.3.8", :platforms => %i[jruby ruby_18]
-  gem "coveralls"
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
   gem "json", :platforms => %i[jruby ruby_18 ruby_19]
   gem "mime-types", "~> 1.25", :platforms => %i[jruby ruby_18]
   gem "rack-test"
   gem "rest-client", "~> 1.8.0", :platforms => %i[jruby ruby_18]
   gem "rspec", "~> 3.2"
   gem "rubocop", ">= 0.51", :platforms => %i[ruby_19 ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
-  gem "simplecov", ">= 0.9"
+  gem 'simplecov-lcov'
+  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
   gem "webmock", "~> 3.0"
 end
 

data/README.md

@@ -1,13 +1,11 @@
 # OmniAuth OAuth2
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth-oauth2.svg)][gem]
-[![Build Status](http://img.shields.io/travis/omniauth/omniauth-oauth2.svg)][travis]
 [![Code Climate](http://img.shields.io/codeclimate/maintainability/intridea/omniauth-oauth2.svg)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/intridea/omniauth-oauth2.svg)][coveralls]
 [![Security](https://hakiri.io/github/omniauth/omniauth-oauth2/master.svg)](https://hakiri.io/github/omniauth/omniauth-oauth2/master)
 
 [gem]: https://rubygems.org/gems/omniauth-oauth2
-[travis]: http://travis-ci.org/omniauth/omniauth-oauth2
 [codeclimate]: https://codeclimate.com/github/intridea/omniauth-oauth2
 [coveralls]: https://coveralls.io/r/intridea/omniauth-oauth2
 
@@ -32,7 +30,7 @@ module OmniAuth
       # This is where you pass the options you would pass when
       # initializing your consumer from the OAuth gem.
       option :client_options, {:site => "https://api.somesite.com"}
-      
+
       # You may specify that your strategy should use PKCE by setting
       # the pkce option to true: https://tools.ietf.org/html/rfc7636
       option :pkce, true
@@ -66,3 +64,12 @@ end
 ```
 
 That's pretty much it!
+
+## OmniAuth-OAuth2 for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth-OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth-oauth2?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise)
+
+## Supported Ruby Versions
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.

data/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 1.7.x    | :white_check_mark: |
+| <= 1.6.x | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/strategies/oauth2.rb

@@ -83,10 +83,10 @@ module OmniAuth
 
       def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
         error = request.params["error_reason"] || request.params["error"]
-        if error
-          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
-        elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
           fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        elsif error
+          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
         else
           self.access_token = build_access_token
           self.access_token = access_token.refresh! if access_token.expired?

data/lib/omniauth-oauth2/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module OAuth2
-    VERSION = "1.7.1".freeze
+    VERSION = "1.7.2".freeze
   end
 end

data/spec/helper.rb

@@ -3,9 +3,16 @@ $LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
 
 if RUBY_VERSION >= "1.9"
   require "simplecov"
+  require "simplecov-lcov"
   require "coveralls"
 
-  SimpleCov.formatters = [SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter]
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::LcovFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
 
   SimpleCov.start do
     minimum_coverage(78.48)

data/spec/omniauth/strategies/oauth2_spec.rb

@@ -97,14 +97,47 @@ describe OmniAuth::Strategies::OAuth2 do
   end
 
   describe "#callback_phase" do
-    subject { fresh_strategy }
-    it "calls fail with the client error received" do
-      instance = subject.new("abc", "def")
+    subject(:instance) { fresh_strategy.new("abc", "def") }
+
+    let(:params) { {"error_reason" => "user_denied", "error" => "access_denied", "state" => state} }
+    let(:state) { "secret" }
+
+    before do
       allow(instance).to receive(:request) do
-        double("Request", :params => {"error_reason" => "user_denied", "error" => "access_denied"})
+        double("Request", :params => params)
+      end
+
+      allow(instance).to receive(:session) do
+        double("Session", :delete => state)
       end
+    end
+
+    it "calls fail with the error received" do
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with the error received if state is missing and CSRF verification is disabled" do
+      params["state"] = nil
+      instance.options.provider_ignores_state = true
 
       expect(instance).to receive(:fail!).with("user_denied", anything)
+
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is missing" do
+      params["state"] = nil
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "calls fail with a CSRF error if the state is invalid" do
+      params["state"] = "invalid"
+
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
       instance.callback_phase
     end
   end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.7.2
 platform: ruby
 authors:
 - Michael Bleigh
 - Erik Michaels-Ober
 - Tom Milewski
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2021-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -69,15 +69,16 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth-oauth2.rb
 - lib/omniauth-oauth2/version.rb
 - lib/omniauth/strategies/oauth2.rb
@@ -88,7 +89,7 @@ homepage: https://github.com/omniauth/omniauth-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -103,8 +104,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.30
+signing_key:
 specification_version: 4
 summary: An abstract OAuth2 strategy for OmniAuth.
 test_files:

data/.travis.yml

@@ -1,22 +0,0 @@
-bundler_args: --without development
-before_install:
-  - gem update --system
-  - gem update bundler
-cache: bundler
-env:
-  global:
-    - JRUBY_OPTS="$JRUBY_OPTS --debug"
-language: ruby
-rvm:
-  - jruby-9000
-  - 2.4.4
-  - 2.5.3
-  - jruby-head
-  - ruby-head
-  - truffleruby-head
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-  fast_finish: true
-sudo: false