omniauth-oauthio 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1dca97fafd16386f51832f166b84c5cf621d0bc3
+  data.tar.gz: 6a4e6e04a937c70cfcd1d80ede2ee635d6bc222d
+SHA512:
+  metadata.gz: 149abd7e8dbdb2a5cee853f596dc982b4ad26ced924d7b2a1852d8022bdee921aae34e6d0f237691b539d42b6b761cebfc64b712bd1abc22c909a77ad42fc9ea
+  data.tar.gz: 6db1a1e393399688ec32e1036394658d7e2554ae81805cbad6de147fa1187dd590c63676f7a35a15e9f8f09de2ad2aefa36467678022d74633499f8cb036d67a

data/.gitignore

@@ -0,0 +1,10 @@
+*.gem
+.bundle
+.rspec
+/Gemfile.lock
+pkg/*
+.powenv
+tmp
+bin
+.idea
+*.iml

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gemspec
+
+platforms :rbx do
+  gem 'rubysl', '~> 2.0'
+end

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Jonathan Rowlands
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+omniauth-oauthio
+=================
+
+OAuth.io Strategy for OmniAuth
+
+# TODO
+
+Please note this strategy is still pretty experimental and is not complete
+
+1. I am using this mainly with a pure javascript/angularjs single page application that connects to a rails api, but
+there is no reason why this potentially work with a normal rails application that takes does not require javascript.
+I believe there is some missing functionality there and requires further testing.
+
+## Installing
+
+Add to your `Gemfile`:
+
+```ruby
+gem 'omniauth-oauthio', path: 'https://github.com/jgrowl/omniauth-oauthio.git'
+```
+
+Then `bundle install`.
+
+## Usage
+
+`OmniAuth::Strategies::Oauthio` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  configure do |config|
+    config.path_prefix = '/users/auth'
+  end
+end
+```
+
+The following steps on the front-end need to occur:
+
+1. Initialize the OAuth public key.
+
+2. Perform get request to initiate the request_phase, using the .json option for SPA (This is to get a state string from the server).
+
+3. Use OAuth.io's javascript api to initiate a popup (Passing along the state from step 2).
+
+4. Perform get request to initiate callback_phase (Passing along the state and code received in step 3).
+
+For example:  (NOTE: I need to update this. I am currently using dart in my test app)
+
+```coffeescript
+OAuth.initialize('YOUR_PUBLIC_KEY')
+
+$.get "http://localhost:3000/users/auth/oauthio.json", (data) ->
+    @options = data
+
+OAuth.popup provider, @options, (err, res) ->
+    if (err)
+      console.log err
+    else
+      $.get "http://localhost:3000/users/auth/oauthio/twitter/callback.json?state=@options.state&code=@options.code", (data) ->
+        console.log(data)
+        # Perform additional login steps
+```
+
+## Configuring
+
+### OAuth.io
+
+Be sure to enable the Server-side (code) option on any providers you want to use with this strategy.
+
+### Custom Callback URL/Path
+
+You can set a custom `callback_url` or `callback_path` option to override the default value. See [OmniAuth::Strategy#callback_url](https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L411) for more details on the default.
+
+### Devise
+To use with devise, in `config/initializers/devise.rb`
+
+```ruby
+config.omniauth :oauthio, ENV['OAUTHIO_PUBLIC_KEY'], ENV['OAUTHIO_SECRET_KEY']
+```
+
+### Omniauth
+
+Add an oauthio callback in `app/controllers/users/omniauth_callbacks_controller.rb`
+
+```ruby
+
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def oauthio
+
+    # TODO: Do your login logic here! ie. look up the user by the uid or create one if it does not already exist!
+
+    respond_to do |format|
+      format.json  { render json: auth_hash}
+    end
+  end
+
+  def auth_hash
+    request.env['omniauth.auth']
+  end
+
+end
+```
+
+Create the method used in your callback in your `user.rb`
+
+# Understanding server side flow
+
+oauth.io describes how everything works in their [security](https://oauth.io/docs/security) section.
+
+![alt text](https://oauth.io/img/server-side-flow.png "Server side flow")
+
+
+## Credit
+
+https://oauth.io/
+
+https://github.com/mkdynamic/omniauth-facebook

data/Rakefile

@@ -0,0 +1,8 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |task|
+  task.libs << 'test'
+end
+
+task :default => :test

data/example/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'sinatra'
+gem 'omniauth-oauthio', :path => '../'

data/example/Gemfile.lock

@@ -0,0 +1,44 @@
+PATH
+  remote: ../
+  specs:
+    omniauth-facebook (1.6.0.rc1)
+      omniauth-oauth2 (~> 1.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
+    hashie (2.0.5)
+    httpauth (0.2.0)
+    jwt (0.1.8)
+      multi_json (>= 1.5)
+    multi_json (1.8.2)
+    multipart-post (1.2.0)
+    oauth2 (0.8.1)
+      faraday (~> 0.8)
+      httpauth (~> 0.1)
+      jwt (~> 0.1.4)
+      multi_json (~> 1.0)
+      rack (~> 1.2)
+    omniauth (1.1.4)
+      hashie (>= 1.2, < 3)
+      rack
+    omniauth-oauth2 (1.1.1)
+      oauth2 (~> 0.8.0)
+      omniauth (~> 1.0)
+    rack (1.5.2)
+    rack-protection (1.5.1)
+      rack
+    sinatra (1.4.4)
+      rack (~> 1.4)
+      rack-protection (~> 1.4)
+      tilt (~> 1.3, >= 1.3.4)
+    tilt (1.4.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  omniauth-facebook!
+  sinatra

data/example/config.ru

@@ -0,0 +1,110 @@
+require 'bundler/setup'
+require 'sinatra/base'
+require 'omniauth-oauthio'
+
+#SCOPE = 'email,read_stream'
+#
+#class App < Sinatra::Base
+#  # turn off sinatra default X-Frame-Options for FB canvas
+#  set :protection, :except => :frame_options
+#
+#  # server-side flow
+#  get '/' do
+#    # NOTE: you would just hit this endpoint directly from the browser
+#    #       in a real app. the redirect is just here to setup the root
+#    #       path in this example sinatra app.
+#    redirect '/auth/facebook'
+#  end
+#
+#  # client-side flow
+#  get '/client-side' do
+#    content_type 'text/html'
+#    # NOTE: when you enable cookie below in the FB.init call
+#    #       the GET request in the FB.login callback will send
+#    #       a signed request in a cookie back the OmniAuth callback
+#    #       which will parse out the authorization code and obtain
+#    #       the access_token. This will be the exact same access_token
+#    #       returned to the client in response.authResponse.accessToken.
+#    <<-END
+#      <html>
+#      <head>
+#        <title>Client-side Flow Example</title>
+#        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
+#      </head>
+#      <body>
+#        <div id="fb-root"></div>
+#
+#        <script type="text/javascript">
+#          window.fbAsyncInit = function() {
+#            FB.init({
+#              appId  : '#{ENV['APP_ID']}',
+#              status : true, // check login status
+#              cookie : true, // enable cookies to allow the server to access the session
+#              xfbml  : true  // parse XFBML
+#            });
+#          };
+#
+#          (function(d) {
+#            var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
+#            js = d.createElement('script'); js.id = id; js.async = true;
+#            js.src = "//connect.facebook.net/en_US/all.js";
+#            d.getElementsByTagName('head')[0].appendChild(js);
+#          }(document));
+#
+#          $(function() {
+#            $('a').click(function(e) {
+#              e.preventDefault();
+#
+#              FB.login(function(response) {
+#                if (response.authResponse) {
+#                  $('#connect').html('Connected! Hitting OmniAuth callback (GET /auth/facebook/callback)...');
+#
+#                  // since we have cookies enabled, this request will allow omniauth to parse
+#                  // out the auth code from the signed request in the fbsr_XXX cookie
+#                  $.getJSON('/auth/facebook/callback', function(json) {
+#                    $('#connect').html('Connected! Callback complete.');
+#                    $('#results').html(JSON.stringify(json));
+#                  });
+#                }
+#              }, { scope: '#{SCOPE}' });
+#            });
+#          });
+#        </script>
+#
+#        <p id="connect">
+#          <a href="#">Connect to FB</a>
+#        </p>
+#
+#        <p id="results" />
+#      </body>
+#      </html>
+#    END
+#  end
+#
+#  # auth via FB canvas and signed request param
+#  post '/canvas/' do
+#    # we just redirect to /auth/facebook here which will parse the
+#    # signed_request FB sends us, asking for auth if the user has
+#    # not already granted access, or simply moving straight to the
+#    # callback where they have already granted access.
+#    redirect "/auth/facebook?signed_request=#{request.params['signed_request']}"
+#  end
+#
+#  get '/auth/:provider/callback' do
+#    content_type 'application/json'
+#    MultiJson.encode(request.env)
+#  end
+#
+#  get '/auth/failure' do
+#    content_type 'application/json'
+#    MultiJson.encode(request.env)
+#  end
+#end
+#
+#use Rack::Session::Cookie
+#
+#use OmniAuth::Builder do
+#  provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => SCOPE
+#end
+#
+#run App.new

data/lib/oauthio/access_token.rb

@@ -0,0 +1,47 @@
+module Oauthio
+  class AccessToken < OAuth2::AccessToken
+    attr_reader :provider, :oauth_token, :oauth_token_secret
+
+    class << self
+      # Initializes an AccessToken from a Hash
+      #
+      # @param [Client] the OAuth2::Client instance
+      # @param [Hash] a hash of AccessToken property values
+      # @return [AccessToken] the initalized AccessToken
+      def from_hash(client, hash)
+        # new(client, hash.delete('access_token') || hash.delete(:access_token), hash)
+        new(client,
+            hash.delete('provider') || hash.delete(:provider),
+            hash.delete('access_token') || hash.delete(:access_token),
+            hash.delete('oauth_token') || hash.delete(:oauth_token),
+            hash.delete('oauth_token_secret') || hash.delete(:oauth_token_secret),
+            hash)
+      end
+    end
+
+    def initialize(client, provider, token, oauth_token, oauth_token_secret, opts = {})
+      super client, token, opts
+      @provider = provider
+      @oauth_token = oauth_token.to_s
+      @oauth_token_secret = oauth_token_secret.to_s
+    end
+
+    def me()
+      k = @client.id
+      # oauthv = 1  # TODO: Update this
+
+      if !@token.empty?
+        # oauthv=#{oauthv}
+        oauthio_header = "k=#{k}&access_token=#{@token}"
+      elsif !@oauth_token.empty? && !@oauth_token_secret.empty?
+        # oauthv=#{oauthv}
+        oauthio_header = "k=#{k}&oauth_token=#{@oauth_token}&oauth_token_secret=#{@oauth_token_secret}"
+      else
+        # TODO: Throw error if no tokens found
+      end
+      opts = {headers: {oauthio: oauthio_header}}
+      me_url = client.me_url(provider)
+      request(:get, me_url, opts)
+    end
+  end
+end

data/lib/oauthio/client.rb

@@ -0,0 +1,158 @@
+module Oauthio
+  class Client < ::OAuth2::Client
+
+    # Instantiate a new OAuth 2.0 client using the
+    # Client ID and Client Secret registered to your
+    # application.
+    #
+    # @param [String] client_id the client_id value
+    # @param [String] client_secret the client_secret value
+    # @param [Hash] opts the options to create the client with
+    # @option opts [String] :site the OAuth2 provider site host
+    # @option opts [String] :authorize_url ('/oauth/authorize') absolute or relative URL path to the Authorization endpoint
+    # @option opts [String] :token_url ('/oauth/token') absolute or relative URL path to the Token endpoint
+    # @option opts [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+    # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
+    # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
+    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
+    #  on responses with 400+ status codes
+    # @yield [builder] The Faraday connection builder
+    def initialize(client_id, client_secret, opts = {}, &block)
+      _opts = opts.dup
+      @id = client_id
+      @secret = client_secret
+      @site = _opts.delete(:site)
+      @state = _opts.delete(:state)
+      ssl = _opts.delete(:ssl)
+      @options = {:authorize_url    => '/auth',
+                  :token_url        => '/auth/access_token',
+                  :me_url           => '/auth/:provider/me',
+                  :token_method     => :post,
+                  :connection_opts  => {},
+                  :connection_build => block,
+                  :max_redirects    => 5,
+                  :raise_errors     => true}.merge(_opts)
+      @options[:connection_opts][:ssl] = ssl if ssl
+    end
+
+    def me_url(provider, params = nil)
+      connection.build_url(options[:me_url], params).to_s.sub(/:provider/, provider)
+    end
+
+    # Makes a request relative to the specified site root.
+    #
+    # @param [Symbol] verb one of :get, :post, :put, :delete
+    # @param [String] url URL path of request
+    # @param [Hash] opts the options to make the request with
+    # @option opts [Hash] :params additional query parameters for the URL of the request
+    # @option opts [Hash, String] :body the body of the request
+    # @option opts [Hash] :headers http request headers
+    # @option opts [Boolean] :raise_errors whether or not to raise an OAuth2::Error on 400+ status
+    #   code response for this request.  Will default to client option
+    # @option opts [Symbol] :parse @see Response::initialize
+    # @yield [req] The Faraday request
+    def request(verb, url, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength
+      url = connection.build_url(url, opts[:params]).to_s
+
+      response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+        yield(req) if block_given?
+      end
+
+      # Only really care about the status and the actual return body.
+      # Oauth2 strategy wraps the response in a Response object that handles parsing and whatnot. That is great when
+      # support for multiple options is needed, however we only have to conform to a single interface. We will take
+      # the easy route of always expecting a json response.
+      status = response.status
+      headers = response.headers
+      response = JSON.parse(response.body)
+      response['status'] = status
+      response['headers'] = headers
+      response = Hashie::Mash.new response
+
+      case response.status
+        when 301, 302, 303, 307
+          opts[:redirect_count] ||= 0
+          opts[:redirect_count] += 1
+          return response if opts[:redirect_count] > options[:max_redirects]
+          if response.status == 303
+            verb = :get
+            opts.delete(:body)
+          end
+          request(verb, response.headers['location'], opts)
+        when 200..299, 300..399
+          # on non-redirecting 3xx statuses, just return the response
+          response
+        when 400..599
+          error = OAuth2::Error.new(response)
+          fail(error) if opts.fetch(:raise_errors, options[:raise_errors])
+          response.error = error
+          response
+        else
+          error = OAuth2::Error.new(response)
+          fail(error, "Unhandled status code value of #{response.status}")
+      end
+    end
+
+    # Initializes an AccessToken by making a request to the token endpoint
+    #
+    # @param [Hash] params a Hash of params for the token endpoint
+    # @param [Hash] access token options, to pass to the AccessToken object
+    # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
+    # @return [AccessToken] the initalized AccessToken
+    def get_token(params, access_token_opts = {}, access_token_class = AccessToken)
+      opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
+      if options[:token_method] == :post
+        headers = params.delete(:headers)
+        opts[:body] = params
+        opts[:headers] =  {'Content-Type' => 'application/x-www-form-urlencoded'}
+        opts[:headers].merge!(headers) if headers
+      else
+        opts[:params] = params
+      end
+      response = request(options[:token_method], token_url, opts)
+
+      # Verify state in the response matches the one in the session
+      if response.state != @state
+        raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil, :csrf_detected);
+      end
+
+      # error = Error.new(response)
+      # fail(error) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+
+      provider_client = ::Oauthio::Client.new(@id, @secret, { :site => @site })
+      access_token_class.from_hash(provider_client, response.merge(access_token_opts))
+    end
+
+    # The Authorization Code strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    def auth_code
+      @auth_code ||= Oauthio::Strategy::AuthCode.new(self)
+    end
+
+    # The Implicit strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    def implicit
+      @implicit ||= OAuth2::Strategy::Implicit.new(self)
+    end
+
+    # The Resource Owner Password Credentials strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    def password
+      @password ||= OAuth2::Strategy::Password.new(self)
+    end
+
+    # The Client Credentials strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    def client_credentials
+      @client_credentials ||= OAuth2::Strategy::ClientCredentials.new(self)
+    end
+
+    def assertion
+      @assertion ||= OAuth2::Strategy::Assertion.new(self)
+    end
+  end
+end

data/lib/oauthio/providers/oauthio.rb

@@ -0,0 +1,84 @@
+module Oauthio
+  module Providers
+    class Oauthio
+      def initialize(access_token, secret, options)
+        @access_token = access_token
+        @secret = secret
+        @options = options
+      end
+
+      def uid
+        # This might not be uniform across all providers. Need to talk to oauthd guys to see if we can get the id
+        # in the list of things parsed out of the raw data.
+        raw_info['id']
+      end
+
+      def skip_info?
+        false
+      end
+
+      def info
+        prune!({
+                   'name' => _raw_info['name'],
+                   'alias' => _raw_info['alias'],
+                   'bio' => _raw_info['bio'],
+                   'avatar' => _raw_info['avatar'],
+                   'firstname' => _raw_info['firstname'],
+                   'lastname' => _raw_info['lastname'],
+                   'gender' => _raw_info['gender'],
+                   'location' => _raw_info['location'],
+                   'local' => _raw_info['local'],
+                   'company' => _raw_info['company'],
+                   'occupation' => _raw_info['occupation'],
+                   'language' => _raw_info['language'],
+                   'birthdate' => _raw_info['birthdate'],
+               })
+      end
+
+      def extra
+        hash = {}
+        hash['raw_info'] = raw_info unless skip_info?
+        prune! hash
+      end
+
+      def _raw_info
+        @_raw_info ||= @access_token.me()['data'] || {}
+        @_raw_info
+      end
+
+      def raw_info
+        @raw_info ||= _raw_info['raw']  || {}
+      end
+
+      def info_options
+        # params = {:appsecret_proof => appsecret_proof}
+        # params.merge!({:fields => @options[:info_fields]}) if @options[:info_fields]
+        # params.merge!({:locale => @options[:locale]}) if @options[:locale]
+        #
+        # {:params => params}
+      end
+
+      def appsecret_proof
+        # @appsecret_proof ||= OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @secret, @access_token.token)
+      end
+
+      def credentials
+        hash = {}
+        hash.merge!('token' => @access_token.token) if !@access_token.token.empty?
+        hash.merge!('oauth_token' => @access_token.oauth_token,
+                    'oauth_token_secret' => @access_token.oauth_token_secret) if !@access_token.oauth_token.empty? && !@access_token.oauth_token_secret.empty?
+        hash.merge!('refresh_token' => @access_token.refresh_token) if @access_token.expires? && @access_token.refresh_token
+        hash.merge!('expires_at' => @access_token.expires_at) if @access_token.expires?
+        hash.merge!('expires' => @access_token.expires?)
+        hash
+      end
+
+      def prune!(hash)
+        hash.delete_if do |_, v|
+          prune!(v) if v.is_a?(Hash)
+          v.nil? || (v.respond_to?(:empty?) && v.empty?)
+        end
+      end
+    end
+  end
+end

data/lib/oauthio/strategy/auth_code.rb

@@ -0,0 +1,36 @@
+module Oauthio
+  module Strategy
+    class AuthCode < OAuth2::Strategy::AuthCode
+      def initialize(client)
+        @client = client
+      end
+
+      # The required query parameters for the authorize URL
+      #
+      # @param [Hash] params additional query parameters
+      def authorize_params(params={})
+        params.merge('k' => @client.id)
+      end
+
+      #TODO: Put this in base.rb
+      # The OAuth client_id and client_secret
+      #
+      # @return [Hash]
+      def client_params
+        {'key' => @client.id, 'secret' => @client.secret}
+      end
+
+      # Retrieve an access token given the specified validation code.
+      #
+      # @param [String] code The Authorization Code value
+      # @param [Hash] params additional params
+      # @param [Hash] opts options
+      # @note that you must also provide a :redirect_uri with most OAuth 2.0 providers
+      def get_token(code, params = {}, opts = {})
+        params = {'code' => code}.merge(client_params).merge(params)
+        @client.get_token(params, opts)
+      end
+
+    end
+  end
+end

data/lib/omniauth/oauthio/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Oauthio
+    VERSION = '0.1.0'
+  end
+end

data/lib/omniauth/oauthio.rb

@@ -0,0 +1,9 @@
+require 'omniauth/oauthio/version'
+require 'omniauth/strategies/oauthio'
+
+require 'oauthio/access_token'
+require 'oauthio/client'
+require 'oauthio/strategy/auth_code'
+require 'oauthio/providers/oauthio'
+
+