omniauth-oauthio 0.2.1 → 0.2.2
- checksums.yaml +4 -4
- data/README.md +11 -2
- data/lib/oauthio/client.rb +12 -4
- data/lib/oauthio/strategy/auth_code.rb +0 -1
- data/lib/omniauth/oauthio/version.rb +1 -1
- data/lib/omniauth/strategies/oauthio.rb +47 -6
- data/omniauth-oauthio.gemspec +1 -0
- metadata +16 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 85de5297b7f10782bbce0a665f8df6f003ad5afe
|
4
|
+
data.tar.gz: c668479205001d0c020c641a091f6a5b061f7c73
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 703a22270af1da099820efa42921217c017127f3477784fb187981046cb2c2d814294f1051547b8ac1450472caef7b615e8dbd1ea1556862017e7a3e9cd4375b
|
7
|
+
data.tar.gz: 4df2d565d0fbb3aeb65a11eba012f304a84daf6b585a92aeebba3ab629d679ebbb2a61c36b12cef009c0e42e039d3ea82769eebb1458c8569e41812d81c06ea6
|
data/README.md
CHANGED
@@ -3,12 +3,14 @@ omniauth-oauthio
|
|
3
3
|
|
4
4
|
[OAuth.io](https://oauth.io/) Strategy for OmniAuth
|
5
5
|
|
6
|
+
[](http://badge.fury.io/rb/omniauth-oauthio)
|
7
|
+
|
6
8
|
## Installing
|
7
9
|
|
8
10
|
Add to your `Gemfile`:
|
9
11
|
|
10
12
|
```ruby
|
11
|
-
gem 'omniauth-oauthio', '~> 0.2.
|
13
|
+
gem 'omniauth-oauthio', '~> 0.2.2'
|
12
14
|
```
|
13
15
|
|
14
16
|
Then `bundle install`.
|
@@ -77,7 +79,14 @@ end
|
|
77
79
|
To use with [Devise](https://github.com/plataformatec/devise), in `config/initializers/devise.rb`
|
78
80
|
|
79
81
|
```ruby
|
80
|
-
config.omniauth :oauthio,
|
82
|
+
config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key
|
83
|
+
```
|
84
|
+
|
85
|
+
Optionally, to use JWT instead of sessions, include a :jwt_secret option:
|
86
|
+
|
87
|
+
```ruby
|
88
|
+
config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key,
|
89
|
+
:jwt_secret => Rails.application.secrets.oauthio_jwt_secret
|
81
90
|
```
|
82
91
|
|
83
92
|
Add your Devise routes in `config/routes.rb`:
|
data/lib/oauthio/client.rb
CHANGED
@@ -23,6 +23,7 @@ module Oauthio
|
|
23
23
|
@secret = client_secret
|
24
24
|
@site = _opts.delete(:site)
|
25
25
|
@state = _opts.delete(:state)
|
26
|
+
@jwt_secret = _opts.delete(:jwt_secret)
|
26
27
|
ssl = _opts.delete(:ssl)
|
27
28
|
@options = {:authorize_url => '/auth/:provider',
|
28
29
|
:token_url => '/auth/access_token',
|
@@ -122,10 +123,17 @@ module Oauthio
|
|
122
123
|
end
|
123
124
|
response = request(options[:token_method], token_url, opts)
|
124
125
|
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
126
|
+
if @jwt_secret.nil?
|
127
|
+
# Verify state in the response matches the one in the session
|
128
|
+
if response.state != @state
|
129
|
+
raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
|
130
|
+
:csrf_detected)
|
131
|
+
end
|
132
|
+
else
|
133
|
+
if JWT.decode(response.state, @jwt_secret)[0]['state'].nil?
|
134
|
+
raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
|
135
|
+
:csrf_detected)
|
136
|
+
end
|
129
137
|
end
|
130
138
|
|
131
139
|
# error = Error.new(response)
|
@@ -10,6 +10,16 @@ module OmniAuth
|
|
10
10
|
class Oauthio < OmniAuth::Strategies::OAuth2
|
11
11
|
include OmniAuth::Strategy
|
12
12
|
|
13
|
+
def call(env)
|
14
|
+
unless options.jwt_secret.nil?
|
15
|
+
# This is kinda hacky but omniauth expects the rack.session to be set. Since we are using jwt we will not
|
16
|
+
# be using a session. We will just set it to an empty hash to avoid the error.
|
17
|
+
env['rack.session'] = {}
|
18
|
+
end
|
19
|
+
|
20
|
+
dup.call!(env)
|
21
|
+
end
|
22
|
+
|
13
23
|
args [:client_id, :client_secret]
|
14
24
|
|
15
25
|
# Give your strategy a name.
|
@@ -21,6 +31,7 @@ module OmniAuth
|
|
21
31
|
|
22
32
|
option :client_id, nil
|
23
33
|
option :client_secret, nil
|
34
|
+
option :jwt_secret, nil
|
24
35
|
|
25
36
|
def current_path
|
26
37
|
# This might not be completely safe. I want to ensure that the
|
@@ -56,6 +67,22 @@ module OmniAuth
|
|
56
67
|
path
|
57
68
|
end
|
58
69
|
|
70
|
+
def authorize_params
|
71
|
+
options.authorize_params[:state] = SecureRandom.hex(24)
|
72
|
+
params = options.authorize_params.merge(options_for('authorize'))
|
73
|
+
if options.jwt_secret.nil?
|
74
|
+
if OmniAuth.config.test_mode
|
75
|
+
@env ||= {}
|
76
|
+
@env['rack.session'] ||= {}
|
77
|
+
end
|
78
|
+
session['omniauth.state'] = params[:state]
|
79
|
+
else
|
80
|
+
jwt = JWT.encode({state: params[:state]}, options.jwt_secret)
|
81
|
+
params[:state] = jwt
|
82
|
+
end
|
83
|
+
params
|
84
|
+
end
|
85
|
+
|
59
86
|
def request_phase
|
60
87
|
params = authorize_params
|
61
88
|
provider = sub_provider
|
@@ -135,10 +162,12 @@ module OmniAuth
|
|
135
162
|
else
|
136
163
|
self.access_token = build_access_token
|
137
164
|
self.access_token = access_token.refresh! if access_token.expired?
|
138
|
-
env['omniauth.auth'] = auth_hash
|
139
165
|
|
140
|
-
|
141
|
-
|
166
|
+
env['omniauth.auth'] = auth_hash
|
167
|
+
if options.jwt_secret.nil?
|
168
|
+
# Delete the omniauth.state after we have verified all requests
|
169
|
+
session.delete('omniauth.state')
|
170
|
+
end
|
142
171
|
|
143
172
|
call_app!
|
144
173
|
end
|
@@ -155,8 +184,13 @@ module OmniAuth
|
|
155
184
|
protected
|
156
185
|
|
157
186
|
def client
|
158
|
-
|
159
|
-
|
187
|
+
if options.jwt_secret.nil?
|
188
|
+
state = session['omniauth.state']
|
189
|
+
options.client_options[:state] = state
|
190
|
+
else
|
191
|
+
options.client_options[:jwt_secret] = options.jwt_secret
|
192
|
+
end
|
193
|
+
|
160
194
|
::Oauthio::Client.new(options.client_id, options.client_secret,
|
161
195
|
deep_symbolize(options.client_options))
|
162
196
|
end
|
@@ -164,7 +198,14 @@ module OmniAuth
|
|
164
198
|
def verified_state?
|
165
199
|
state = request.params['state']
|
166
200
|
return false if state.to_s.empty?
|
167
|
-
|
201
|
+
if options.jwt_secret.nil?
|
202
|
+
state == session['omniauth.state']
|
203
|
+
else
|
204
|
+
# If we send a jwt that can decode a state we know it came from the server so there is nothing we need
|
205
|
+
# to compare against right?
|
206
|
+
jwt = JWT.decode(state, options.jwt_secret)
|
207
|
+
!jwt[0]['state'].nil?
|
208
|
+
end
|
168
209
|
end
|
169
210
|
end
|
170
211
|
end
|
data/omniauth-oauthio.gemspec
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth-oauthio
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Rowlands
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-
|
11
|
+
date: 2014-09-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: omniauth-oauth2
|
@@ -24,6 +24,20 @@ dependencies:
|
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: '1.2'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: jwt
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0'
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
27
41
|
- !ruby/object:Gem::Dependency
|
28
42
|
name: mocha
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|