omniauth-oauthio 0.2.1 → 0.2.2
- checksums.yaml +4 -4
- data/README.md +11 -2
- data/lib/oauthio/client.rb +12 -4
- data/lib/oauthio/strategy/auth_code.rb +0 -1
- data/lib/omniauth/oauthio/version.rb +1 -1
- data/lib/omniauth/strategies/oauthio.rb +47 -6
- data/omniauth-oauthio.gemspec +1 -0
- metadata +16 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 85de5297b7f10782bbce0a665f8df6f003ad5afe
|
4
|
+
data.tar.gz: c668479205001d0c020c641a091f6a5b061f7c73
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 703a22270af1da099820efa42921217c017127f3477784fb187981046cb2c2d814294f1051547b8ac1450472caef7b615e8dbd1ea1556862017e7a3e9cd4375b
|
7
|
+
data.tar.gz: 4df2d565d0fbb3aeb65a11eba012f304a84daf6b585a92aeebba3ab629d679ebbb2a61c36b12cef009c0e42e039d3ea82769eebb1458c8569e41812d81c06ea6
|
data/README.md
CHANGED
@@ -3,12 +3,14 @@ omniauth-oauthio
|
|
3
3
|
|
4
4
|
[OAuth.io](https://oauth.io/) Strategy for OmniAuth
|
5
5
|
|
6
|
+
[![Gem Version](https://badge.fury.io/rb/omniauth-oauthio.svg)](http://badge.fury.io/rb/omniauth-oauthio)
|
7
|
+
|
6
8
|
## Installing
|
7
9
|
|
8
10
|
Add to your `Gemfile`:
|
9
11
|
|
10
12
|
```ruby
|
11
|
-
gem 'omniauth-oauthio', '~> 0.2.
|
13
|
+
gem 'omniauth-oauthio', '~> 0.2.2'
|
12
14
|
```
|
13
15
|
|
14
16
|
Then `bundle install`.
|
@@ -77,7 +79,14 @@ end
|
|
77
79
|
To use with [Devise](https://github.com/plataformatec/devise), in `config/initializers/devise.rb`
|
78
80
|
|
79
81
|
```ruby
|
80
|
-
config.omniauth :oauthio,
|
82
|
+
config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key
|
83
|
+
```
|
84
|
+
|
85
|
+
Optionally, to use JWT instead of sessions, include a :jwt_secret option:
|
86
|
+
|
87
|
+
```ruby
|
88
|
+
config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key,
|
89
|
+
:jwt_secret => Rails.application.secrets.oauthio_jwt_secret
|
81
90
|
```
|
82
91
|
|
83
92
|
Add your Devise routes in `config/routes.rb`:
|
data/lib/oauthio/client.rb
CHANGED
@@ -23,6 +23,7 @@ module Oauthio
|
|
23
23
|
@secret = client_secret
|
24
24
|
@site = _opts.delete(:site)
|
25
25
|
@state = _opts.delete(:state)
|
26
|
+
@jwt_secret = _opts.delete(:jwt_secret)
|
26
27
|
ssl = _opts.delete(:ssl)
|
27
28
|
@options = {:authorize_url => '/auth/:provider',
|
28
29
|
:token_url => '/auth/access_token',
|
@@ -122,10 +123,17 @@ module Oauthio
|
|
122
123
|
end
|
123
124
|
response = request(options[:token_method], token_url, opts)
|
124
125
|
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
126
|
+
if @jwt_secret.nil?
|
127
|
+
# Verify state in the response matches the one in the session
|
128
|
+
if response.state != @state
|
129
|
+
raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
|
130
|
+
:csrf_detected)
|
131
|
+
end
|
132
|
+
else
|
133
|
+
if JWT.decode(response.state, @jwt_secret)[0]['state'].nil?
|
134
|
+
raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
|
135
|
+
:csrf_detected)
|
136
|
+
end
|
129
137
|
end
|
130
138
|
|
131
139
|
# error = Error.new(response)
|
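Review bot: In the JWT branch of the token-exchange method (its `def` is above the hunk), `JWT.decode(response.state, @jwt_secret)` raises `JWT::DecodeError` when the echoed state is garbled, unsigned or tampered with, so that case surfaces as an unexpected exception instead of the `:csrf_detected` CallbackError the session branch raises for the same condition. The call also leaves the algorithm to the token header; pinning it (`algorithm: 'HS256'`, on jwt versions that accept the option — the gem declares `jwt >= 0`, so behaviour varies) and rescuing the decode error makes both branches fail closed the same way. Note as well that "signed with our secret" is a weaker check than the `response.state != @state` comparison in the other branch: it proves origin, not that this state belongs to the flow currently being completed, which is the property `state` exists to provide. `Rack::Utils.secure_compare(response.state, @state)` would also remove the timing side channel of the plain `!=`, though the state is single-use.
```ruby
      response = request(options[:token_method], token_url, opts)

      if @jwt_secret.nil?
        # … unchanged: session-state comparison …
      else
        begin
          payload, _header = JWT.decode(response.state, @jwt_secret, true, algorithm: 'HS256')
        rescue JWT::DecodeError
          payload = {}
        end
        if payload['state'].nil?
          raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil, :csrf_detected)
        end
      end
```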
@@ -10,6 +10,16 @@ module OmniAuth
|
|
10
10
|
class Oauthio < OmniAuth::Strategies::OAuth2
|
11
11
|
include OmniAuth::Strategy
|
12
12
|
|
13
|
+
def call(env)
|
14
|
+
unless options.jwt_secret.nil?
|
15
|
+
# This is kinda hacky but omniauth expects the rack.session to be set. Since we are using jwt we will not
|
16
|
+
# be using a session. We will just set it to an empty hash to avoid the error.
|
17
|
+
env['rack.session'] = {}
|
18
|
+
end
|
19
|
+
|
20
|
+
dup.call!(env)
|
21
|
+
end
|
22
|
+
|
13
23
|
args [:client_id, :client_secret]
|
14
24
|
|
15
25
|
# Give your strategy a name.
|
@@ -21,6 +31,7 @@ module OmniAuth
|
|
21
31
|
|
22
32
|
option :client_id, nil
|
23
33
|
option :client_secret, nil
|
34
|
+
option :jwt_secret, nil
|
24
35
|
|
25
36
|
def current_path
|
26
37
|
# This might not be completely safe. I want to ensure that the
|
@@ -56,6 +67,22 @@ module OmniAuth
|
|
56
67
|
path
|
57
68
|
end
|
58
69
|
|
70
|
+
def authorize_params
|
71
|
+
options.authorize_params[:state] = SecureRandom.hex(24)
|
72
|
+
params = options.authorize_params.merge(options_for('authorize'))
|
73
|
+
if options.jwt_secret.nil?
|
74
|
+
if OmniAuth.config.test_mode
|
75
|
+
@env ||= {}
|
76
|
+
@env['rack.session'] ||= {}
|
77
|
+
end
|
78
|
+
session['omniauth.state'] = params[:state]
|
79
|
+
else
|
80
|
+
jwt = JWT.encode({state: params[:state]}, options.jwt_secret)
|
81
|
+
params[:state] = jwt
|
82
|
+
end
|
83
|
+
params
|
84
|
+
end
|
85
|
+
|
59
86
|
def request_phase
|
60
87
|
params = authorize_params
|
61
88
|
provider = sub_provider
|
@@ -135,10 +162,12 @@ module OmniAuth
|
|
135
162
|
else
|
136
163
|
self.access_token = build_access_token
|
137
164
|
self.access_token = access_token.refresh! if access_token.expired?
|
138
|
-
env['omniauth.auth'] = auth_hash
|
139
165
|
|
140
|
-
|
141
|
-
|
166
|
+
env['omniauth.auth'] = auth_hash
|
167
|
+
if options.jwt_secret.nil?
|
168
|
+
# Delete the omniauth.state after we have verified all requests
|
169
|
+
session.delete('omniauth.state')
|
170
|
+
end
|
142
171
|
|
143
172
|
call_app!
|
144
173
|
end
|
@@ -155,8 +184,13 @@ module OmniAuth
|
|
155
184
|
protected
|
156
185
|
|
157
186
|
def client
|
158
|
-
|
159
|
-
|
187
|
+
if options.jwt_secret.nil?
|
188
|
+
state = session['omniauth.state']
|
189
|
+
options.client_options[:state] = state
|
190
|
+
else
|
191
|
+
options.client_options[:jwt_secret] = options.jwt_secret
|
192
|
+
end
|
193
|
+
|
160
194
|
::Oauthio::Client.new(options.client_id, options.client_secret,
|
161
195
|
deep_symbolize(options.client_options))
|
162
196
|
end
|
@@ -164,7 +198,14 @@ module OmniAuth
|
|
164
198
|
def verified_state?
|
165
199
|
state = request.params['state']
|
166
200
|
return false if state.to_s.empty?
|
167
|
-
|
201
|
+
if options.jwt_secret.nil?
|
202
|
+
state == session['omniauth.state']
|
203
|
+
else
|
204
|
+
# If we send a jwt that can decode a state we know it came from the server so there is nothing we need
|
205
|
+
# to compare against right?
|
206
|
+
jwt = JWT.decode(state, options.jwt_secret)
|
207
|
+
!jwt[0]['state'].nil?
|
208
|
+
end
|
168
209
|
end
|
169
210
|
end
|
170
211
|
end
|
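Review bot: In JWT mode `verified_state?` accepts any `state` that was signed with `options.jwt_secret` and carries a `state` claim; nothing binds the token to the browser that started the flow, so a token minted for any request — including one an attacker initiated — satisfies the check, and the login-CSRF protection that `state` exists for is effectively gone (the closing comment's "nothing we need to compare against right?" should be answered "no, there is"). A stateless binding is still possible: in `authorize_params` also set the nonce in an HttpOnly, signed cookie and compare it with the decoded claim here (double-submit), and encode an expiry so old tokens cannot be replayed indefinitely, e.g. `jwt = JWT.encode({state: params[:state], exp: Time.now.to_i + 600}, options.jwt_secret, 'HS256')`. Separately, `JWT.decode(state, options.jwt_secret)` pins no algorithm (the token header chooses it, and with the gem's `jwt >= 0` dependency what that means varies by version) and it raises `JWT::DecodeError` on a garbled or tampered token, so this predicate raises where the session branch returns `false`; `callback_phase`, which consumes the predicate, starts outside the hunk. The rewrite below pins HS256 and fails closed; the cookie comparison is left as a marked TODO because the request phase is in another hunk. One more thing in this section: the new `call(env)` replaces any `env['rack.session']` the app's own session middleware already set with a throwaway hash for the rest of the request — `env['rack.session'] ||= {}` would only fill the gap when there is none.
```ruby
      def verified_state?
        state = request.params['state']
        return false if state.to_s.empty?
        return state == session['omniauth.state'] if options.jwt_secret.nil?

        # Pin the algorithm and fail closed on any decode/signature/expiry error.
        payload, _header = JWT.decode(state, options.jwt_secret, true, algorithm: 'HS256')
        # TODO: compare payload['state'] with the nonce set in a cookie during the
        # request phase; a valid signature alone does not bind the token to this browser.
        !payload['state'].nil?
      rescue JWT::DecodeError
        false
      end
```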
data/omniauth-oauthio.gemspec
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth-oauthio
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Rowlands
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-09-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: omniauth-oauth2
|
@@ -24,6 +24,20 @@ dependencies:
|
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: '1.2'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: jwt
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0'
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
27
41
|
- !ruby/object:Gem::Dependency
|
28
42
|
name: mocha
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|