omniauth-oauthio 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 70606edfa2af2716b721133a36072b165f60c210
4
- data.tar.gz: 4be6085639515da6d8d873369b6af0b6f838a55a
3
+ metadata.gz: 85de5297b7f10782bbce0a665f8df6f003ad5afe
4
+ data.tar.gz: c668479205001d0c020c641a091f6a5b061f7c73
5
5
  SHA512:
6
- metadata.gz: 321dd9cb4655504e3c663bef40d2858aba636f6b61e9b67223e836795191fe2c8ba28f9f75a0734a65071e65532efc53acea399eaea1b479e112287c5f61a911
7
- data.tar.gz: 6b44d837670e892a6e89e854e1f6433f98145a3ead21250af3c61972aedbb581cad8cad0f97f97d41db77ef16bc9139f2d3e68559d95ffa4a5e4dece865fc8a4
6
+ metadata.gz: 703a22270af1da099820efa42921217c017127f3477784fb187981046cb2c2d814294f1051547b8ac1450472caef7b615e8dbd1ea1556862017e7a3e9cd4375b
7
+ data.tar.gz: 4df2d565d0fbb3aeb65a11eba012f304a84daf6b585a92aeebba3ab629d679ebbb2a61c36b12cef009c0e42e039d3ea82769eebb1458c8569e41812d81c06ea6
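--- a/data/README.md
+++ b/data/README.md
@@ -3,12 +3,14 @@ omniauth-oauthio
 
 [OAuth.io](https://oauth.io/) Strategy for OmniAuth
 
+[![Gem Version](https://badge.fury.io/rb/omniauth-oauthio.svg)](http://badge.fury.io/rb/omniauth-oauthio)
+
 ## Installing
 
 Add to your `Gemfile`:
 
 ```ruby
-gem 'omniauth-oauthio', '~> 0.2.1'
+gem 'omniauth-oauthio', '~> 0.2.2'
 ```
 
 Then `bundle install`.
@@ -77,7 +79,14 @@ end
 To use with [Devise](https://github.com/plataformatec/devise), in `config/initializers/devise.rb`
 
 ```ruby
-config.omniauth :oauthio, ENV['OAUTHIO_PUBLIC_KEY'], ENV['OAUTHIO_SECRET_KEY']
+config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key
+```
+
+Optionally, to use JWT instead of sessions, include a :jwt_secret option:
+
+```ruby
+config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key,
+:jwt_secret => Rails.application.secrets.oauthio_jwt_secret
 ```
 
 Add your Devise routes in `config/routes.rb`: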
@@ -23,6 +23,7 @@ module Oauthio
23
23
  @secret = client_secret
24
24
  @site = _opts.delete(:site)
25
25
  @state = _opts.delete(:state)
26
+ @jwt_secret = _opts.delete(:jwt_secret)
26
27
  ssl = _opts.delete(:ssl)
27
28
  @options = {:authorize_url => '/auth/:provider',
28
29
  :token_url => '/auth/access_token',
@@ -122,10 +123,17 @@ module Oauthio
122
123
  end
123
124
  response = request(options[:token_method], token_url, opts)
124
125
 
125
- # Verify state in the response matches the one in the session
126
- if response.state != @state
127
- raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
128
- :csrf_detected)
126
+ if @jwt_secret.nil?
127
+ # Verify state in the response matches the one in the session
128
+ if response.state != @state
129
+ raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
130
+ :csrf_detected)
131
+ end
132
+ else
133
+ if JWT.decode(response.state, @jwt_secret)[0]['state'].nil?
134
+ raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
135
+ :csrf_detected)
136
+ end
129
137
  end
130
138
 
131
139
  # error = Error.new(response)
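Review bot: The new `else` branch calls `JWT.decode(response.state, @jwt_secret)` and only checks for a missing `state` claim, but on a forged or malformed token `JWT.decode` raises `JWT::DecodeError` rather than returning, so a tampered callback surfaces as an unhandled exception instead of the `:csrf_detected` CallbackError the session branch raises. Rescue it and fold it into the same failure: `payload = begin; JWT.decode(response.state, @jwt_secret)[0]; rescue JWT::DecodeError; nil; end` followed by `raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil, :csrf_detected) if payload.nil? || payload['state'].nil?`. The decode also does not name the expected algorithm, so if the jwt version you pin supports an `algorithm` option, pass it so a token whose header selects a different `alg` is rejected. Note that a token that verifies only proves this server issued it, not that it belongs to this user's flow, so this branch is weaker than the `@state` comparison it sits beside. The enclosing method begins above the hunk.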
@@ -19,7 +19,6 @@ module Oauthio
19
19
  params.merge('k' => @client.id)
20
20
  end
21
21
 
22
- #TODO: Put this in base.rb
23
22
  # The OAuth client_id and client_secret
24
23
  #
25
24
  # @return [Hash]
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Oauthio
3
- VERSION = '0.2.1'
3
+ VERSION = '0.2.2'
4
4
  end
5
5
  end
@@ -10,6 +10,16 @@ module OmniAuth
10
10
  class Oauthio < OmniAuth::Strategies::OAuth2
11
11
  include OmniAuth::Strategy
12
12
 
13
+ def call(env)
14
+ unless options.jwt_secret.nil?
15
+ # This is kinda hacky but omniauth expects the rack.session to be set. Since we are using jwt we will not
16
+ # be using a session. We will just set it to an empty hash to avoid the error.
17
+ env['rack.session'] = {}
18
+ end
19
+
20
+ dup.call!(env)
21
+ end
22
+
13
23
  args [:client_id, :client_secret]
14
24
 
15
25
  # Give your strategy a name.
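Review bot: `env['rack.session'] = {}` in the new `call` replaces whatever the session middleware already placed in the env, and since `call` is the Rack entry point of the strategy it presumably runs for every request that passes through the middleware, not only the auth paths (the `call_app!` fall-through is visible further down), so with `jwt_secret` set every downstream handler sees an empty, unpersisted session. Use `env['rack.session'] ||= {}` so an existing session is preserved and the placeholder only fills in when none is present, and say so in the comment: `# OmniAuth reads rack.session even when state travels in the JWT; supply an empty hash only if no session middleware provided one.` The class continues outside the hunk.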
@@ -21,6 +31,7 @@ module OmniAuth
21
31
 
22
32
  option :client_id, nil
23
33
  option :client_secret, nil
34
+ option :jwt_secret, nil
24
35
 
25
36
  def current_path
26
37
  # This might not be completely safe. I want to ensure that the
@@ -56,6 +67,22 @@ module OmniAuth
56
67
  path
57
68
  end
58
69
 
70
+ def authorize_params
71
+ options.authorize_params[:state] = SecureRandom.hex(24)
72
+ params = options.authorize_params.merge(options_for('authorize'))
73
+ if options.jwt_secret.nil?
74
+ if OmniAuth.config.test_mode
75
+ @env ||= {}
76
+ @env['rack.session'] ||= {}
77
+ end
78
+ session['omniauth.state'] = params[:state]
79
+ else
80
+ jwt = JWT.encode({state: params[:state]}, options.jwt_secret)
81
+ params[:state] = jwt
82
+ end
83
+ params
84
+ end
85
+
59
86
  def request_phase
60
87
  params = authorize_params
61
88
  provider = sub_provider
@@ -135,10 +162,12 @@ module OmniAuth
135
162
  else
136
163
  self.access_token = build_access_token
137
164
  self.access_token = access_token.refresh! if access_token.expired?
138
- env['omniauth.auth'] = auth_hash
139
165
 
140
- # Delete the omniauth.state after we have verified all requests
141
- session.delete('omniauth.state')
166
+ env['omniauth.auth'] = auth_hash
167
+ if options.jwt_secret.nil?
168
+ # Delete the omniauth.state after we have verified all requests
169
+ session.delete('omniauth.state')
170
+ end
142
171
 
143
172
  call_app!
144
173
  end
@@ -155,8 +184,13 @@ module OmniAuth
155
184
  protected
156
185
 
157
186
  def client
158
- state = session['omniauth.state']
159
- options.client_options[:state] = state
187
+ if options.jwt_secret.nil?
188
+ state = session['omniauth.state']
189
+ options.client_options[:state] = state
190
+ else
191
+ options.client_options[:jwt_secret] = options.jwt_secret
192
+ end
193
+
160
194
  ::Oauthio::Client.new(options.client_id, options.client_secret,
161
195
  deep_symbolize(options.client_options))
162
196
  end
@@ -164,7 +198,14 @@ module OmniAuth
164
198
  def verified_state?
165
199
  state = request.params['state']
166
200
  return false if state.to_s.empty?
167
- state == session['omniauth.state']
201
+ if options.jwt_secret.nil?
202
+ state == session['omniauth.state']
203
+ else
204
+ # If we send a jwt that can decode a state we know it came from the server so there is nothing we need
205
+ # to compare against right?
206
+ jwt = JWT.decode(state, options.jwt_secret)
207
+ !jwt[0]['state'].nil?
208
+ end
168
209
  end
169
210
  end
170
211
  end
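Review bot: The `else` branch of `verified_state?` accepts any `state` that carries a valid signature under `jwt_secret`, and that is not equivalent to the session comparison it replaces: the signature proves this server minted the token, not that this browser's flow did, so an attacker can start a flow, copy the state from the redirect and have a victim's browser finish the callback with it (login CSRF), and because the payload built in `authorize_params` has no `exp`, a captured token never stops working. To answer the comment in the hunk: there does still need to be something to compare against, for example a short-lived cookie holding the nonce that `authorize_params` sets alongside the redirect, checked here against `jwt[0]['state']`; at minimum encode `exp: Time.now.to_i + 600` (and `iat`) in `authorize_params` and decode with expiry verification. `JWT.decode` also raises `JWT::DecodeError` on a tampered token, so this predicate raises instead of returning false; rescue it and return false. The class continues outside the hunk.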
@@ -16,6 +16,7 @@ Gem::Specification.new do |s|
16
16
  s.require_paths = ['lib']
17
17
 
18
18
  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
19
+ s.add_runtime_dependency 'jwt'
19
20
 
20
21
  s.add_development_dependency 'mocha'
21
22
  s.add_development_dependency 'rake'
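Review bot: `s.add_runtime_dependency 'jwt'` has no version constraint (the metadata section shows it resolving to `>= 0`), so bundler may pick any past or future release of the gem, including one whose `JWT.decode` signature or signature-verification defaults differ from what the strategy relies on. Pin to the major line you tested against, e.g. `s.add_runtime_dependency 'jwt', '~> 1.0'`, and revisit the pin when the jwt gem's decode API changes.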
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-oauthio
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.1
4
+ version: 0.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonathan Rowlands
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-08-17 00:00:00.000000000 Z
11
+ date: 2014-09-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth-oauth2
@@ -24,6 +24,20 @@ dependencies:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
26
  version: '1.2'
27
+ - !ruby/object:Gem::Dependency
28
+ name: jwt
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '0'
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '0'
27
41
  - !ruby/object:Gem::Dependency
28
42
  name: mocha
29
43
  requirement: !ruby/object:Gem::Requirement