omniauth-oauthio 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1dca97fafd16386f51832f166b84c5cf621d0bc3
-  data.tar.gz: 6a4e6e04a937c70cfcd1d80ede2ee635d6bc222d
+  metadata.gz: 8d37a4503efe522eb66a84b32a32711757aae4d2
+  data.tar.gz: e8befcc5493e673f02ab3284d74c489357206e29
 SHA512:
-  metadata.gz: 149abd7e8dbdb2a5cee853f596dc982b4ad26ced924d7b2a1852d8022bdee921aae34e6d0f237691b539d42b6b761cebfc64b712bd1abc22c909a77ad42fc9ea
-  data.tar.gz: 6db1a1e393399688ec32e1036394658d7e2554ae81805cbad6de147fa1187dd590c63676f7a35a15e9f8f09de2ad2aefa36467678022d74633499f8cb036d67a
+  metadata.gz: 72832698e7031e680ba868d66958034abafd4c202b72ff7d41c55edc5f91540baa65c7089d11bca36be7e363557c42367a786d900955c095b4333a894b416e37
+  data.tar.gz: aa6173e79c1fcf85ea5abb981bd068e3db13ad7a2d6f62ec32ba0e28b732db93463e60e9e85ff40276d28300f75a5d95913555c924ef204cd5eaa48d7fd4ee0f

data/.gitignore

@@ -2,6 +2,7 @@
 .bundle
 .rspec
 /Gemfile.lock
+example/Gemfile.lock
 pkg/*
 .powenv
 tmp

data/README.md

@@ -3,14 +3,6 @@ omniauth-oauthio
 
 OAuth.io Strategy for OmniAuth
 
-# TODO
-
-Please note this strategy is still pretty experimental and is not complete
-
-1. I am using this mainly with a pure javascript/angularjs single page application that connects to a rails api, but
-there is no reason why this potentially work with a normal rails application that takes does not require javascript.
-I believe there is some missing functionality there and requires further testing.
-
 ## Installing
 
 Add to your `Gemfile`:
@@ -79,6 +71,25 @@ To use with devise, in `config/initializers/devise.rb`
 config.omniauth :oauthio, ENV['OAUTHIO_PUBLIC_KEY'], ENV['OAUTHIO_SECRET_KEY']
 ```
 
+Add your devise routes in `config/routes.rb`
+
+```ruby
+devise_for :users, :skip => [:omniauth_callbacks]
+devise_scope :user do
+  match "/users/auth/:provider(/:sub_provider)",
+        constraints: { provider: /oauthio/ },
+        to: "users/omniauth_callbacks#passthru",
+        as: :omniauth_authorize,
+        via: [:get, :post]
+
+  match "/users/auth/:action(/:sub_provider)/callback",
+        constraints: { action: /oauthio/, sub_provider: /twitter|google/ },
+        to: "users/omniauth_callbacks",
+        as: :omniauth_callback,
+        via: [:get, :post]
+end
+```
+
 ### Omniauth
 
 Add an oauthio callback in `app/controllers/users/omniauth_callbacks_controller.rb`

data/example/Gemfile

@@ -1,4 +1,5 @@
 source 'https://rubygems.org'
 
 gem 'sinatra'
+gem 'sinatra-reloader'
 gem 'omniauth-oauthio', :path => '../'

data/example/Gemfile.lock

@@ -1,44 +1,58 @@
 PATH
   remote: ../
   specs:
-    omniauth-facebook (1.6.0.rc1)
-      omniauth-oauth2 (~> 1.1)
+    omniauth-oauthio (0.1.1)
+      omniauth-oauth2 (~> 1.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    faraday (0.8.8)
-      multipart-post (~> 1.2.0)
-    hashie (2.0.5)
-    httpauth (0.2.0)
-    jwt (0.1.8)
-      multi_json (>= 1.5)
-    multi_json (1.8.2)
-    multipart-post (1.2.0)
-    oauth2 (0.8.1)
-      faraday (~> 0.8)
-      httpauth (~> 0.1)
-      jwt (~> 0.1.4)
-      multi_json (~> 1.0)
+    backports (3.6.0)
+    faraday (0.9.0)
+      multipart-post (>= 1.2, < 3)
+    hashie (3.2.0)
+    jwt (1.0.0)
+    multi_json (1.10.1)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
       rack (~> 1.2)
-    omniauth (1.1.4)
-      hashie (>= 1.2, < 3)
-      rack
-    omniauth-oauth2 (1.1.1)
-      oauth2 (~> 0.8.0)
-      omniauth (~> 1.0)
+    omniauth (1.2.2)
+      hashie (>= 1.2, < 4)
+      rack (~> 1.0)
+    omniauth-oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
+      multi_json (~> 1.3)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     rack (1.5.2)
-    rack-protection (1.5.1)
+    rack-protection (1.5.3)
       rack
-    sinatra (1.4.4)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    sinatra (1.4.5)
       rack (~> 1.4)
       rack-protection (~> 1.4)
       tilt (~> 1.3, >= 1.3.4)
+    sinatra-contrib (1.4.2)
+      backports (>= 2.0)
+      multi_json
+      rack-protection
+      rack-test
+      sinatra (~> 1.4.0)
+      tilt (~> 1.3)
+    sinatra-reloader (1.0)
+      sinatra-contrib
     tilt (1.4.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  omniauth-facebook!
+  omniauth-oauthio!
   sinatra
+  sinatra-reloader

data/example/app.rb

@@ -0,0 +1,152 @@
+require 'sinatra'
+require "sinatra/reloader"
+require 'yaml'
+
+# configure sinatra
+set :run, false
+set :raise_errors, true
+
+# setup logging to file
+log = File.new("app.log", "a+")
+$stdout.reopen(log)
+$stderr.reopen(log)
+$stderr.sync = true
+$stdout.sync = true
+
+# server-side flow
+get '/server-side/:provider' do
+  # NOTE: You would just hit this endpoint directly from the browser in a real app. The redirect is just here to
+  #       explicit declare this server-side flow.
+  redirect "/auth/oauthio/#{params[:provider]}"
+end
+
+# client-side flow
+get '/client-side' do
+  content_type 'text/html'
+  <<-END
+    <html>
+    <head>
+      <title>Client-side Flow Example</title>
+      <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
+      <script src="https://rawgit.com/oauth-io/oauth-js/master/dist/oauth.min.js" type="text/javascript"></script>
+    </head>
+    <body>
+      <div id="oauthio-root"></div>
+
+      <script type="text/javascript">
+        var qs = (function(a) {
+            if (a == "") return {};
+            var b = {};
+            for (var i = 0; i < a.length; ++i)
+            {
+                var p=a[i].split('=');
+                if (p.length != 2) continue;
+                b[p[0]] = decodeURIComponent(p[1].replace(/\\+/g, " "));
+            }
+            return b;
+        })(window.location.search.substr(1).split('&'));
+
+        OAuth.initialize('#{ENV['OAUTHIO_PUBLIC_KEY']}');
+
+        window.onload = function(){
+          if (qs['provider'] != undefined) {
+            var promise = OAuth.callback(qs['provider']);
+
+            promise.done(function (result) {
+              result.me().done(function(me){
+                  $('#me').html(JSON.stringify(me));
+                  $.post("/auth/oauthio/" + qs['provider'] + "/callback.json", {'state': qs['state'], 'code': result.code})
+                    .done(function(r){
+                      $('#results').html(JSON.stringify(r));
+                    });
+              });
+            });
+
+            promise.fail(function (error) {
+                // handle errors
+              console.log(error);
+            });
+          }
+        }
+
+        $(function() {
+          $('p#connect a').click(function(e) {
+            e.preventDefault();
+            var selectedProvider = $('#provider').val();
+            var type = $('#type').val();
+
+            $.get("/auth/oauthio/" + selectedProvider + ".json").done(function(data){
+              var state = data.state
+              if (type == 'popup') {
+                OAuth.popup(selectedProvider, {'state': state})
+                    .done(function(result) {
+                      //use result.access_token in your API request
+                      //or use result.get|post|put|del|patch|me methods (see below)
+                      result.me().done(function(me){
+                        $('#me').html(JSON.stringify(me));
+                        $.post("/auth/oauthio/" + selectedProvider + "/callback.json", {'state': state, 'code': result.code})
+                          .done(function(r){
+                            $('#results').html(JSON.stringify(r));
+                          });
+                      });
+                    })
+                    .fail(function (err) {
+                      //handle error with err
+                      console.log(err);
+                      $('#results').html(err.message)
+                    });
+              } else if (type == 'redirect') {
+                OAuth.redirect(selectedProvider, {'state': state}, '/client-side?provider=' + selectedProvider + '&state=' + state);
+              }
+            });
+          });
+
+          $('p#no-sdk-connect a').click(function(e) {
+            e.preventDefault();
+            var selectedProvider = $('#provider').val();
+            document.location = document.location.origin + "/auth/oauthio/" + selectedProvider
+          });
+
+        });
+      </script>
+
+      <select id="provider">
+        <option value="facebook">Facebook</option>
+        <option value="twitter" selected>Twitter</option>
+        <option value="google">Google</option>
+      </select>
+
+      <select id="type">
+        <option value="popup" selected>Popup</option>
+        <option value="redirect">Redirect</option>
+      </select>
+
+      <p id="connect">
+        <a href="#">Connect!</a>
+      </p>
+
+      <p id="no-sdk-connect">
+        <a href="/auth/oauthio/twitter">Redirect w/o JS SDK!</a>
+      </p>
+
+      <p id="me" />
+      <p id="results" />
+    </body>
+    </html>
+  END
+end
+
+def self.get_or_post(url,&block)
+  get(url,&block)
+  post(url,&block)
+end
+
+get_or_post '/auth/:provider/:sub_provider/callback.?:format?' do
+  content_type 'application/json'
+  MultiJson.encode(request.env)
+end
+
+get '/auth/failure' do
+  content_type 'application/json'
+  MultiJson.encode(request.env)
+end

data/example/config.ru

@@ -1,110 +1,11 @@
 require 'bundler/setup'
-require 'sinatra/base'
 require 'omniauth-oauthio'
+require './app.rb'
 
-#SCOPE = 'email,read_stream'
-#
-#class App < Sinatra::Base
-#  # turn off sinatra default X-Frame-Options for FB canvas
-#  set :protection, :except => :frame_options
-#
-#  # server-side flow
-#  get '/' do
-#    # NOTE: you would just hit this endpoint directly from the browser
-#    #       in a real app. the redirect is just here to setup the root
-#    #       path in this example sinatra app.
-#    redirect '/auth/facebook'
-#  end
-#
-#  # client-side flow
-#  get '/client-side' do
-#    content_type 'text/html'
-#    # NOTE: when you enable cookie below in the FB.init call
-#    #       the GET request in the FB.login callback will send
-#    #       a signed request in a cookie back the OmniAuth callback
-#    #       which will parse out the authorization code and obtain
-#    #       the access_token. This will be the exact same access_token
-#    #       returned to the client in response.authResponse.accessToken.
-#    <<-END
-#      <html>
-#      <head>
-#        <title>Client-side Flow Example</title>
-#        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
-#      </head>
-#      <body>
-#        <div id="fb-root"></div>
-#
-#        <script type="text/javascript">
-#          window.fbAsyncInit = function() {
-#            FB.init({
-#              appId  : '#{ENV['APP_ID']}',
-#              status : true, // check login status
-#              cookie : true, // enable cookies to allow the server to access the session
-#              xfbml  : true  // parse XFBML
-#            });
-#          };
-#
-#          (function(d) {
-#            var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
-#            js = d.createElement('script'); js.id = id; js.async = true;
-#            js.src = "//connect.facebook.net/en_US/all.js";
-#            d.getElementsByTagName('head')[0].appendChild(js);
-#          }(document));
-#
-#          $(function() {
-#            $('a').click(function(e) {
-#              e.preventDefault();
-#
-#              FB.login(function(response) {
-#                if (response.authResponse) {
-#                  $('#connect').html('Connected! Hitting OmniAuth callback (GET /auth/facebook/callback)...');
-#
-#                  // since we have cookies enabled, this request will allow omniauth to parse
-#                  // out the auth code from the signed request in the fbsr_XXX cookie
-#                  $.getJSON('/auth/facebook/callback', function(json) {
-#                    $('#connect').html('Connected! Callback complete.');
-#                    $('#results').html(JSON.stringify(json));
-#                  });
-#                }
-#              }, { scope: '#{SCOPE}' });
-#            });
-#          });
-#        </script>
-#
-#        <p id="connect">
-#          <a href="#">Connect to FB</a>
-#        </p>
-#
-#        <p id="results" />
-#      </body>
-#      </html>
-#    END
-#  end
-#
-#  # auth via FB canvas and signed request param
-#  post '/canvas/' do
-#    # we just redirect to /auth/facebook here which will parse the
-#    # signed_request FB sends us, asking for auth if the user has
-#    # not already granted access, or simply moving straight to the
-#    # callback where they have already granted access.
-#    redirect "/auth/facebook?signed_request=#{request.params['signed_request']}"
-#  end
-#
-#  get '/auth/:provider/callback' do
-#    content_type 'application/json'
-#    MultiJson.encode(request.env)
-#  end
-#
-#  get '/auth/failure' do
-#    content_type 'application/json'
-#    MultiJson.encode(request.env)
-#  end
-#end
-#
-#use Rack::Session::Cookie
-#
-#use OmniAuth::Builder do
-#  provider :facebook, ENV['APP_ID'], ENV['APP_SECRET'], :scope => SCOPE
-#end
-#
-#run App.new
+use Rack::Session::Cookie, :secret => 'abc123'
+
+use OmniAuth::Builder do
+  provider :oauthio, ENV['OAUTHIO_PUBLIC_KEY'], ENV['OAUTHIO_PRIVATE_KEY']
+end
+
+run Sinatra::Application

data/lib/oauthio/access_token.rb

@@ -9,7 +9,6 @@ module Oauthio
       # @param [Hash] a hash of AccessToken property values
       # @return [AccessToken] the initalized AccessToken
       def from_hash(client, hash)
-        # new(client, hash.delete('access_token') || hash.delete(:access_token), hash)
         new(client,
             hash.delete('provider') || hash.delete(:provider),
             hash.delete('access_token') || hash.delete(:access_token),

data/lib/oauthio/client.rb

@@ -24,7 +24,7 @@ module Oauthio
       @site = _opts.delete(:site)
       @state = _opts.delete(:state)
       ssl = _opts.delete(:ssl)
-      @options = {:authorize_url    => '/auth',
+      @options = {:authorize_url    => '/auth/:provider',
                   :token_url        => '/auth/access_token',
                   :me_url           => '/auth/:provider/me',
                   :token_method     => :post,
@@ -36,7 +36,14 @@ module Oauthio
     end
 
     def me_url(provider, params = nil)
-      connection.build_url(options[:me_url], params).to_s.sub(/:provider/, provider)
+      connection.build_url(options[:me_url].sub(/:provider/, provider), params).to_s
+    end
+
+    # The authorize endpoint URL of the OAuth2 provider
+    #
+    # @param [Hash] params additional query parameters
+    def authorize_url(provider, params = nil)
+      connection.build_url(options[:authorize_url].sub(/:provider/, provider), params).to_s
     end
 
     # Makes a request relative to the specified site root.

data/lib/oauthio/strategy/auth_code.rb

@@ -5,6 +5,13 @@ module Oauthio
         @client = client
       end
 
+      # The authorization URL endpoint of the provider
+      #
+      # @param [Hash] params additional query parameters for the URL
+      def authorize_url(provider, params = {})
+        @client.authorize_url(provider, authorize_params.merge(params))
+      end
+
       # The required query parameters for the authorize URL
       #
       # @param [Hash] params additional query parameters

data/lib/omniauth/oauthio/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Oauthio
-    VERSION = '0.1.0'
+    VERSION = '0.2.0'
   end
 end

data/lib/omniauth/strategies/oauthio.rb

@@ -3,6 +3,7 @@ require 'base64'
 require 'openssl'
 require 'rack/utils'
 require 'uri'
+require 'json'
 
 module OmniAuth
   module Strategies
@@ -23,48 +24,16 @@ module OmniAuth
       option :client_id, nil
       option :client_secret, nil
 
-      # Returns true if the environment recognizes either the
-      # request or callback path.
-      def on_auth_path?
-        on_request_path? || on_callback_path?
-      end
-
-      def client_with_provider(provider)
-        options.client_options.merge!({authorize_url: "#{options.client_options.authorization_url}/#{provider}"})
-        client
-      end
-
       def current_path
         # This might not be completely safe. I want to ensure that the current_path does not have a format at the end
         # so the .json should be removed.
-        super.split('.').first
-      end
-
-      def on_request_path?
-        if options.request_path.respond_to?(:call)
-          options.request_path.call(env)
-        else
-          on_path?(request_path)
-        end
-      end
-
-      def on_path?(path)
-        current_path.casecmp(path) == 0
-      end
-
-      def on_callback_path?
-        on_path?(callback_path)
+        super.sub(/(\.json)$/, '');
       end
 
       def sub_provider
-        test = request.path.split("#{path_prefix}/#{name}/").last
-        slashes = test.split('/')
-        if slashes.length > 1
-          # return ''
-          return slashes.first.split('.').first
-        end
-
-        test.split('.').first
+        after_base = request.path.split("#{path_prefix}/#{name}/").last
+        slashes = after_base.split('/')
+        slashes.length > 1 ? slashes.first.split('.').first : after_base.split('.').first
       end
 
       def request_path
@@ -79,24 +48,34 @@ module OmniAuth
         path
       end
 
-      def path_prefix
-        options[:path_prefix] || OmniAuth.config.path_prefix
-      end
-
       def request_phase
         params = authorize_params
+        provider = sub_provider
+
+        opts = {
+            state: params.state
+        }.to_json
+
         # We may want to skip redirecting the user if calling from a SPA that does not want to reload the page.
-        # The json option will return a json response instead of redirecting.
-        if request.path_info.include?('.json')
-          json = {state: session['omniauth.state']}.to_json
-          return Rack::Response.new(json, 200, 'content-type' => 'application/json').finish
+        if request.path_info =~ /\.json$/
+          return Rack::Response.new(opts, 200, 'content-type' => 'application/json').finish
         end
 
-        # TODO: Check the redirect url.
-        provider = params[:provider]
-        params = params.except(:provider)
-        redirect_url = client_with_provider(provider).auth_code.authorize_url({:redirect_uri => callback_url}.merge(params))
-        redirect redirect_url
+        redirect client.auth_code.authorize_url(provider, {:redirect_uri => callback_url_with_state(params.state)}.merge({opts: opts}))
+      end
+
+
+      # note: the callback phase should be the same regardless!
+      #
+      # The request phase though needs to have multiple options
+      # 1. take care of everything the js-sdk does.
+      # 2. partial control where we can get the state to pass to the js-sdk.
+
+      def callback_url_with_state(state)
+        uri = URI.parse(callback_url)
+        new_query_ar = URI.decode_www_form(uri.query || '') << ['state', state]
+        uri.query = URI.encode_www_form(new_query_ar)
+        uri.to_s
       end
 
       def auth_hash
@@ -110,22 +89,35 @@ module OmniAuth
       end
 
       def callback_phase
-        #if request.params['error'] || request.params['error_reason']
-        #  raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
-        #end
-        if !options.provider_ignores_state && !verified_state?
-          raise CallbackError.new(nil, :csrf_detected)
+        if !request.params['code']
+          # TODO: Is there an option we can pass to OAuth.io to prevent it from putting the code in the hash part of the url?
+          # Currently we to parse the hash to get the code and then do an additional redirect.
+          html = '<!DOCTYPE html>
+                    <html><head><script>(function() {
+            "use strict";
+            var hash = document.location.hash;
+            var data = JSON.parse(decodeURIComponent(hash.split("=")[1]));
+            var code = data.data.code
+            document.location.href = document.location.origin + document.location.pathname + document.location.search + "&code=" + code
+            //document.location.href = document.location.href + "&code=" + code
+          })();</script></head><body></body></html>'
+          return Rack::Response.new(html, 200).finish
         end
 
-        self.access_token = build_access_token
-        self.access_token = access_token.refresh! if access_token.expired?
-
-        env['omniauth.auth'] = auth_hash
-        # Delete the omniauth.state after we have verified all requests
-        session.delete('omniauth.state')
-        call_app!
+        error = request.params['error_reason'] || request.params['error']
+        if error
+          fail!(error, CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri']))
+        elsif !options.provider_ignores_state && !verified_state?
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, 'CSRF detected'))
+        else
+          self.access_token = build_access_token
+          self.access_token = access_token.refresh! if access_token.expired?
 
-      #rescue ::Oauthio::Error, CallbackError => e
+          env['omniauth.auth'] = auth_hash
+          # Delete the omniauth.state after we have verified all requests
+          session.delete('omniauth.state')
+          call_app!
+        end
       rescue CallbackError => e
         fail!(:invalid_credentials, e)
       rescue ::MultiJson::DecodeError => e
@@ -137,7 +129,6 @@ module OmniAuth
       end
 
       protected
-      # Client should only be access via client_with_provider
       def client
         state = session['omniauth.state']
         options.client_options[:state] = state
@@ -153,6 +144,3 @@ module OmniAuth
   end
 end
 
-
-
-

data/omniauth-oauthio.gemspec

@@ -13,10 +13,9 @@ Gem::Specification.new do |s|
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.1'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
 
   s.add_development_dependency 'minitest'
   s.add_development_dependency 'mocha'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauthio
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Jonathan Rowlands
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-11 00:00:00.000000000 Z
+date: 2014-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +80,7 @@ files:
 - Rakefile
 - example/Gemfile
 - example/Gemfile.lock
+- example/app.rb
 - example/config.ru
 - lib/oauthio/access_token.rb
 - lib/oauthio/client.rb