omniauth-protect 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b0f8ee48965b74bb3934bdb0b2fc9e1bb7944880223c36620547f0395b806f5
-  data.tar.gz: f35833309948e6e37da51fc8e3f288c961d9bd39d19b0d20d228b39c98eebc7c
+  metadata.gz: d0323e371b865fd820a86cab6d8bc9abd2eb742b89dc48a4772ae72aea28c883
+  data.tar.gz: 7522ed413432d9bfcb66fd75521821e3758b2ab197aaa6701b40561e560588ba
 SHA512:
-  metadata.gz: cf78c3c787274ac00d679295ae64f96e9ec6c84355511a90929e9cc4bc0b0e405fbcfdfe5266b4cd0ce07ecf6917f7553b7484dc38401293ed40b6d8845dc38b
-  data.tar.gz: bdc67f0584057ef2d8240e9e89d761e484040a6100b7be354fe09dbaffa9eae5b4b16d2c42c748b4edab3e9284c910a3865530b18f19e5b7719202481e3df639
+  metadata.gz: 4e0c1a60f0d1c58a183af0c896635220d8699e93dda19e25bf2839f104041d7c3e3c0898d1bf7712b22d9108986990c4bb895bf5431cebdbadfe9e4badc1fb1a
+  data.tar.gz: 0ed7d096da27e8cbe9aaafaffe34867d2fc54f15fe37fb7e0596a4c74a8aeae7ad4e1a58ec23e2da1f5fa120e0b111e168dd8d2bcddc5c1fa173ac0ca1de14a0

data/.circleci/config.yml

@@ -12,7 +12,7 @@ jobs:
 
   test:
     docker:
-      - image: circleci/ruby:2.5.1
+      - image: circleci/ruby:2.5.8
     steps:
       - checkout
       - restore_cache:
@@ -20,6 +20,7 @@ jobs:
       - run:
           name: Install Ruby gems
           command: |
+            gem install bundler
             bundle check --path=vendor/bundle || bundle install --path=vendor/bundle --jobs=4 --retry=3
       - save_cache:
           key: v1-omniauth-protect-{{ checksum "Gemfile.lock" }}
@@ -44,7 +45,7 @@ jobs:
 
   push_to_rubygems:
     docker:
-      - image: circleci/ruby:2.5.1
+      - image: circleci/ruby:2.5.8
     steps:
       - checkout
       - run:
@@ -77,4 +78,4 @@ workflows:
                 - /.*/
             tags:
               only:
-                - /^v.*/
+                - /^v.*/

data/.rubocop.yml

@@ -0,0 +1,2 @@
+inherit_gem:
+  rf-stylez: ruby/rubocop.yml

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [2.0.0] - 2020-06-16
+### Changed
+- Use Rails' 5.2.4.3 CSRF token algorithm

data/lib/omniauth/protect.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'rack'
 
@@ -8,7 +10,7 @@ module Omniauth
 
     @config = {
       message: '',
-      paths: []
+      paths: [],
     }
 
     def self.config
@@ -29,4 +31,5 @@ module Omniauth
   end
 end
 
-require 'omniauth/protect/middleware'
+require 'omniauth/protect/validator'
+require 'omniauth/protect/middleware'

data/lib/omniauth/protect/middleware.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'omniauth/protect/validator'
+
 module Omniauth
   module Protect
     class Middleware
@@ -17,32 +21,9 @@ module Omniauth
 
           return access_denied if !encoded_masked_token
 
-          valid_csrf_token?(env, encoded_masked_token) ? @app.call(env) : access_denied
-        end
-      end
-      # This is mostly taken & adapted from https://github.com/rails/rails/blob/v4.2.0/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L276
-      def valid_csrf_token?(env, encoded_masked_token)
-        begin
-          masked_token = Base64.strict_decode64(encoded_masked_token)
-        rescue ArgumentError # encoded_masked_token is invalid Base64
-          return false
-        end
-
-        token_length = ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH
-        if masked_token.length == token_length * 2
-          one_time_pad = masked_token[0...token_length]
-          encrypted_csrf_token = masked_token[token_length..-1]
-          csrf_token = one_time_pad.bytes.zip(encrypted_csrf_token.bytes).map { |(c1, c2)| c1 ^ c2 }.pack('c*')
-          session = session(env)
-          session[:_csrf_token] ||= SecureRandom.base64(token_length)
-          real_csrf_token = Base64.strict_decode64(session[:_csrf_token])
-          ActiveSupport::SecurityUtils.secure_compare(csrf_token, real_csrf_token)
+          Validator.new(env, encoded_masked_token).valid_csrf_token? ? @app.call(env) : access_denied
         end
       end
-
-      def session(env)
-        env['rack.session']
-      end
     end
   end
-end
+end

data/lib/omniauth/protect/validator.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Protect
+    class Validator
+      def initialize(env, encoded_masked_token)
+        @session = env['rack.session']
+        @encoded_masked_token = encoded_masked_token
+      end
+
+      # This is mostly taken & adapted from Rails' action_controller/metal/request_forgery_protection.rb
+      # We copy code from Rails in such a horrible manner because Rails doesn't really expose CSRF protection
+      def valid_csrf_token?
+        begin
+          masked_token = Base64.urlsafe_decode64(@encoded_masked_token)
+        rescue ArgumentError # @encoded_masked_token is invalid Base64
+          return false
+        end
+
+        token_length = ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH
+
+        if masked_token.length == token_length * 2
+          csrf_token = unmask_token(masked_token, token_length)
+
+          real_token = real_csrf_token(token_length)
+          global_token = global_csrf_token(real_token)
+
+          compare_tokens(csrf_token, real_token) || compare_tokens(csrf_token, global_token)
+        end
+      end
+
+      private
+
+      def compare_tokens(token, other)
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, other)
+      end
+
+      def unmask_token(masked_token, token_length)
+        one_time_pad = masked_token[0...token_length]
+        encrypted_csrf_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_csrf_token)
+      end
+
+      def xor_byte_strings(s1, s2) # :doc:
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
+      end
+
+      def real_csrf_token(token_length)
+        @session[:_csrf_token] ||= SecureRandom.urlsafe_base64(token_length, padding: false)
+        Base64.urlsafe_decode64(@session[:_csrf_token])
+      end
+
+      def global_csrf_token(real_token)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_token,
+          '!real_csrf_token'
+        )
+      end
+    end
+  end
+end

data/lib/omniauth/protect/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Omniauth
   module Protect
-    VERSION = '1.0.0'
+    VERSION = '2.0.0'
   end
-end
+end

data/omniauth-protect.gemspec

@@ -23,10 +23,10 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'actionpack'
+  spec.add_runtime_dependency 'actionpack', '>= 5.2.4.3', '< 6'
   spec.add_runtime_dependency 'rack'
 
-  spec.add_development_dependency "bundler", '~> 1.10'
+  spec.add_development_dependency "bundler", '~> 2'
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency 'byebug'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-protect
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Serdar Dogruyol
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-08 00:00:00.000000000 Z
+date: 2020-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,14 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.2.4.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.2.4.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +50,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -118,7 +124,9 @@ files:
 - ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -127,6 +135,7 @@ files:
 - bin/setup
 - lib/omniauth/protect.rb
 - lib/omniauth/protect/middleware.rb
+- lib/omniauth/protect/validator.rb
 - lib/omniauth/protect/version.rb
 - omniauth-protect.gemspec
 homepage: https://github.com/rainforestapp/omniauth-protect
@@ -148,8 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Protect Omniauth from request phase CSRF