omniauth-oauthio 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 70606edfa2af2716b721133a36072b165f60c210
-  data.tar.gz: 4be6085639515da6d8d873369b6af0b6f838a55a
+  metadata.gz: 85de5297b7f10782bbce0a665f8df6f003ad5afe
+  data.tar.gz: c668479205001d0c020c641a091f6a5b061f7c73
 SHA512:
-  metadata.gz: 321dd9cb4655504e3c663bef40d2858aba636f6b61e9b67223e836795191fe2c8ba28f9f75a0734a65071e65532efc53acea399eaea1b479e112287c5f61a911
-  data.tar.gz: 6b44d837670e892a6e89e854e1f6433f98145a3ead21250af3c61972aedbb581cad8cad0f97f97d41db77ef16bc9139f2d3e68559d95ffa4a5e4dece865fc8a4
+  metadata.gz: 703a22270af1da099820efa42921217c017127f3477784fb187981046cb2c2d814294f1051547b8ac1450472caef7b615e8dbd1ea1556862017e7a3e9cd4375b
+  data.tar.gz: 4df2d565d0fbb3aeb65a11eba012f304a84daf6b585a92aeebba3ab629d679ebbb2a61c36b12cef009c0e42e039d3ea82769eebb1458c8569e41812d81c06ea6

data/README.md

@@ -3,12 +3,14 @@ omniauth-oauthio
 
 [OAuth.io](https://oauth.io/) Strategy for OmniAuth
 
+[![Gem Version](https://badge.fury.io/rb/omniauth-oauthio.svg)](http://badge.fury.io/rb/omniauth-oauthio)
+
 ## Installing
 
 Add to your `Gemfile`:
 
 ```ruby
-gem 'omniauth-oauthio', '~> 0.2.1'
+gem 'omniauth-oauthio', '~> 0.2.2'
 ```
 
 Then `bundle install`.
@@ -77,7 +79,14 @@ end
 To use with [Devise](https://github.com/plataformatec/devise), in `config/initializers/devise.rb`
 
 ```ruby
-config.omniauth :oauthio, ENV['OAUTHIO_PUBLIC_KEY'], ENV['OAUTHIO_SECRET_KEY']
+config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key
+```
+
+Optionally, to use JWT instead of sessions, include a :jwt_secret option:
+
+```ruby
+config.omniauth :oauthio, Rails.application.secrets.oauthio_public_key, Rails.application.secrets.oauthio_private_key,
+              :jwt_secret => Rails.application.secrets.oauthio_jwt_secret
 ```
 
 Add your Devise routes in `config/routes.rb`:

data/lib/oauthio/client.rb

@@ -23,6 +23,7 @@ module Oauthio
       @secret = client_secret
       @site = _opts.delete(:site)
       @state = _opts.delete(:state)
+      @jwt_secret = _opts.delete(:jwt_secret)
       ssl = _opts.delete(:ssl)
       @options = {:authorize_url    => '/auth/:provider',
                   :token_url        => '/auth/access_token',
@@ -122,10 +123,17 @@ module Oauthio
       end
       response = request(options[:token_method], token_url, opts)
 
-      # Verify state in the response matches the one in the session
-      if response.state != @state
-        raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
-                                                                :csrf_detected)
+      if @jwt_secret.nil?
+        # Verify state in the response matches the one in the session
+        if response.state != @state
+          raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
+                                                                  :csrf_detected)
+        end
+      else
+        if JWT.decode(response.state, @jwt_secret)[0]['state'].nil?
+          raise ::OmniAuth::Strategies::OAuth2::CallbackError.new(nil,
+                                                                  :csrf_detected)
+        end
       end
 
       # error = Error.new(response)

data/lib/oauthio/strategy/auth_code.rb

@@ -19,7 +19,6 @@ module Oauthio
         params.merge('k' => @client.id)
       end
 
-      #TODO: Put this in base.rb
       # The OAuth client_id and client_secret
       #
       # @return [Hash]

data/lib/omniauth/oauthio/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Oauthio
-    VERSION = '0.2.1'
+    VERSION = '0.2.2'
   end
 end

data/lib/omniauth/strategies/oauthio.rb

@@ -10,6 +10,16 @@ module OmniAuth
     class Oauthio < OmniAuth::Strategies::OAuth2
       include OmniAuth::Strategy
 
+      def call(env)
+        unless options.jwt_secret.nil?
+          # This is kinda hacky but omniauth expects the rack.session to be set. Since we are using jwt we will not
+          # be using a session. We will just set it to an empty hash to avoid the error.
+          env['rack.session'] = {}
+        end
+
+        dup.call!(env)
+      end
+
       args [:client_id, :client_secret]
 
       # Give your strategy a name.
@@ -21,6 +31,7 @@ module OmniAuth
 
       option :client_id, nil
       option :client_secret, nil
+      option :jwt_secret, nil
 
       def current_path
         # This might not be completely safe. I want to ensure that the
@@ -56,6 +67,22 @@ module OmniAuth
         path
       end
 
+      def authorize_params
+        options.authorize_params[:state] = SecureRandom.hex(24)
+        params = options.authorize_params.merge(options_for('authorize'))
+        if options.jwt_secret.nil?
+          if OmniAuth.config.test_mode
+            @env ||= {}
+            @env['rack.session'] ||= {}
+          end
+          session['omniauth.state'] = params[:state]
+        else
+          jwt = JWT.encode({state: params[:state]}, options.jwt_secret)
+          params[:state] = jwt
+        end
+        params
+      end
+
       def request_phase
         params = authorize_params
         provider = sub_provider
@@ -135,10 +162,12 @@ module OmniAuth
         else
           self.access_token = build_access_token
           self.access_token = access_token.refresh! if access_token.expired?
-          env['omniauth.auth'] = auth_hash
 
-          # Delete the omniauth.state after we have verified all requests
-          session.delete('omniauth.state')
+          env['omniauth.auth'] = auth_hash
+          if options.jwt_secret.nil?
+            # Delete the omniauth.state after we have verified all requests
+            session.delete('omniauth.state')
+          end
 
           call_app!
         end
@@ -155,8 +184,13 @@ module OmniAuth
       protected
 
       def client
-        state = session['omniauth.state']
-        options.client_options[:state] = state
+        if options.jwt_secret.nil?
+          state = session['omniauth.state']
+          options.client_options[:state] = state
+        else
+          options.client_options[:jwt_secret] = options.jwt_secret
+        end
+
         ::Oauthio::Client.new(options.client_id, options.client_secret,
                               deep_symbolize(options.client_options))
       end
@@ -164,7 +198,14 @@ module OmniAuth
       def verified_state?
         state = request.params['state']
         return false if state.to_s.empty?
-        state == session['omniauth.state']
+        if options.jwt_secret.nil?
+          state == session['omniauth.state']
+        else
+          # If we send a jwt that can decode a state we know it came from the server so there is nothing we need
+          # to compare against right?
+          jwt = JWT.decode(state, options.jwt_secret)
+          !jwt[0]['state'].nil?
+        end
       end
     end
   end

data/omniauth-oauthio.gemspec

@@ -16,6 +16,7 @@ Gem::Specification.new do |s|
   s.require_paths = ['lib']
 
   s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
+  s.add_runtime_dependency 'jwt'
 
   s.add_development_dependency 'mocha'
   s.add_development_dependency 'rake'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-oauthio
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Jonathan Rowlands
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-17 00:00:00.000000000 Z
+date: 2014-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement