RubyGems - omniauth-rails - Versions diffs - 0.1.0 → 0.2.0 - Mend

omniauth-rails 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d56083f2dbbbb8598f6740095b9df4dd967269be
-  data.tar.gz: 905900d024010eee45dc8025a958e80a167ea269
+  metadata.gz: 059f75d1200dc3b91d801bd9123a59735abf41c7
+  data.tar.gz: fafa8b4b4d0a349c4af547544057b98e4653fa5b
 SHA512:
-  metadata.gz: 418f5a1cafc19fd179bd4bb78b80ec45962c410a3f9aef1f41dc5eaa6aaaddf83b65cb13d0d51234d484d6a5535df8f0c5b6a2f7ae3594f654d6e57449414d29
-  data.tar.gz: 69b3d71ee4887a09f8283c0304391901483b921384f9976805b80b10e109e6149364365cd189dce427cf5133a80a0cd529b873c8f8100ff29e437d4bfcbfc306
+  metadata.gz: 773c1f3d104401f4f59158cd9cc2d237368a3e94643e6e7bec0d56fc445e90b4bf9c619be862b758a5277e6a125c4e2ab011d2be765800fedf8a45f0fc5b72f4
+  data.tar.gz: 2ae36708dd6e522bdb7ebc20a30577bed4c53674d0fc10892ceeb78d4f66300f4fe50d1cc7a811ef5a772575d853ece0a69aba661d6712036b955c7b483ea59b

data/README.md CHANGED Viewed

@@ -1,6 +1,13 @@
 # Omniauth::Rails
+[![Gem Version](https://badge.fury.io/rb/omniauth-rails.svg)](https://badge.fury.io/rb/omniauth-rails)
+[![Code Climate](https://codeclimate.com/github/danrabinowitz/omniauth-rails/badges/gpa.svg)](https://codeclimate.com/github/danrabinowitz/omniauth-rails)
+[![Build Status](https://travis-ci.org/danrabinowitz/omniauth-rails.svg?branch=master)](https://travis-ci.org/danrabinowitz/omniauth-rails)
+[![Test Coverage](https://codeclimate.com/github/danrabinowitz/omniauth-rails/badges/coverage.svg)](https://codeclimate.com/github/danrabinowitz/omniauth-rails/coverage)
 A Rails Engine to make it as easy as possible to add oauth authentication to a Rails app.
 The canonical use case is this:
 You build a simple Rails app for your company. It is for internal use only. Your company uses Google Apps for gmail.
@@ -14,9 +21,8 @@ Authorization is handled separately.
 ## TODO
-* Add a "dev mode" override which simply skips all authentication.
-* Search for "TODO" in the code.
+* Add a new AuthorizationType for groups of email addresses
+* Run ```rake mutant``` and add all the specs.
 ## Usage
@@ -56,6 +62,33 @@ production:
 include Omniauth::Rails::RequireAuthentication
 ```
+## Additional configuration
+### Automount
+By default, Omniauth::Rails sets automount to true. You can override this in the omniauth_rails.yml configuration file.
+When automount is true (the default), the engine's routes are mounted in the host application's routes.
+When automount is false, you need to add this line to your routes.rb:
+```ruby
+mount Omniauth::Rails::Engine => OmniAuth.config.path_prefix
+```
+### path_prefix
+The default path_prefix for Omniauth is "/auth". In the unlikely event that this
+causes a conflict, it can be changed with the path_prefix configuration parameter.
+### autoload_in_application_controller
+The default value of autoload_in_application_controller is true.
+When it is true, the controller concerns are automatically included in ActionController::Base.
+If there is a conflict in having those methods in all controllers, set autoload_in_application_controller to
+false and manually add this line to any controllers which require authentication or authorization:
+```ruby
+include Omniauth::Rails::ControllersConcern
+```
 ## Logging out
 In general, there's not much point in "logging out". It wipes the Omniauth::Rails session,
@@ -64,8 +97,19 @@ but the browser is still logged in to the provider, which has granted access to
 Bottom line: There's usually no reason to have a logout button when using Omniauth::Rails
+## Mutation Testing
+Run ```rake mutant```
+The output will appear on STDOUT and also in coverage/mutant.out
+More info on reading the reports is here: https://github.com/mbj/mutant#reading-reports
 ## Contributing
 PRs are welcome!
+## Credit
+Thanks to [Paul De Goes](https://github.com/pauldegoes) for the idea for this gem. He
+built a similar gem for internal use at LivingSocial.
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile CHANGED Viewed

@@ -17,6 +17,7 @@ end
 APP_RAKEFILE = File.expand_path("../spec/test_app/Rakefile", __FILE__)
 load "rails/tasks/engine.rake"
+Rails.application.load_tasks
 load "rails/tasks/statistics.rake"

data/app/assets/stylesheets/omniauth/rails/application.css CHANGED Viewed

@@ -1,19 +1,18 @@
 form.button_to {
   display: inline;
-  margin: 0;
   padding: 0;
 }
 form.button_to div { display: inline; }
 form.button_to input[type=submit] {
-    margin: 0;
-    padding: 0;
-    -webkit-appearance: caret;
-    background: none;
-    border: none;
-    font-size: inherit;
-    font-family: inherit;
-    cursor: pointer;
-    text-decoration: underline;
-    color: #0000FF;
-  }
+  margin: 0;
+  padding: 0;
+  -webkit-appearance: caret;
+  -moz-appearance: caret;
+  background: none;
+  border: none;
+  font-size: inherit;
+  font-family: inherit;
+  cursor: pointer;
+  text-decoration: underline;
+  color: #0000FF;
 }

data/app/controllers/omniauth/rails/{require_authentication.rb → authentication_concern.rb} RENAMED Viewed

@@ -1,19 +1,29 @@
 # frozen_string_literal: true
 module Omniauth
   module Rails
-    module RequireAuthentication
+    module AuthenticationConcern
       extend ActiveSupport::Concern
       included do
         include Omniauth::Rails::ApplicationHelper
+      end
+      module ClassMethods
+        private
-        # TODO: Do not add this before_action in dev_mode
-        before_action :require_authentication
+        def require_authentication
+          before_action :require_authentication
+        end
       end
       private
       def require_authentication
+        if Configuration.dev_mode
+          ::Rails.logger.info "Omniauth::Rails: dev_mode is enabled. Skipping 'require_authentication'"
+          return
+        end
         redirect_to_sign_in_url unless authenticated?
       end

data/app/controllers/omniauth/rails/{require_authorization.rb → authorization_concern.rb} RENAMED Viewed

@@ -1,9 +1,8 @@
 # frozen_string_literal: true
 module Omniauth
   module Rails
-    module RequireAuthorization
+    module AuthorizationConcern
       def self.included(klass)
-        klass.include Omniauth::Rails::RequireAuthentication
         klass.extend ClassMethods
       end
@@ -11,7 +10,6 @@ module Omniauth
         private
         def require_authorization(params)
-          # TODO: Do not add this before_action in dev_mode
           before_action { |c| c.require_authorization(params) }
         end
       end
@@ -19,7 +17,14 @@ module Omniauth
       protected
       def require_authorization(params)
-        redirect_to_sign_in_url unless authorized?(params)
+        if Configuration.dev_mode
+          ::Rails.logger.info "Omniauth::Rails: dev_mode is enabled. Skipping 'require_authorization'"
+          return
+        end
+        require_authentication # Require authentication before authorization.
+        return if performed?
+        render_403_forbidden unless authorized?(params)
       end
       private
@@ -27,6 +32,10 @@ module Omniauth
       def authorized?(params)
         AuthorizationChecker.new(email: authenticated_email, params: params).authorized?
       end
+      def render_403_forbidden
+        render "omniauth/rails/forbidden", status: :forbidden, layout: false
+      end
     end
   end
 end

data/app/controllers/omniauth/rails/controllers_concern.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module ControllersConcern
+      def self.included(klass)
+        klass.include Omniauth::Rails::AuthenticationConcern
+        klass.include Omniauth::Rails::AuthorizationConcern
+      end
+    end
+  end
+end

data/app/controllers/omniauth/rails/flash.rb CHANGED Viewed

@@ -5,39 +5,20 @@ module Omniauth
       extend ActiveSupport::Concern
       def set_url_to_return_to_after_authentication
-        # TODO: Sanitize these urls, to avoid phishing attacks
+        # Use caution when setting these urls.
+        # There are phishing risks associated with redirection, as described here:
         # See https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
         flash[:url_to_return_to_after_authentication] =
-          # url_to_return_to_after_authentication_from_params ||
           url_to_return_to_after_authentication_from_flash ||
-          # url_to_return_to_after_authentication_from_referer ||
           default_url_to_return_to_after_authentication
       end
       private
-      # def url_to_return_to_after_authentication_from_params
-      #   return nil unless allow_url_to_return_to_after_authentication_from_params?
-      #   params[:return_to]
-      # end
-      # def allow_url_to_return_to_after_authentication_from_params?
-      #   false
-      # end
       def url_to_return_to_after_authentication_from_flash
         flash[:url_to_return_to_after_authentication]
       end
-      # def url_to_return_to_after_authentication_from_referer
-      #   return nil unless allow_url_to_return_to_after_authentication_from_referer?
-      #   request.referer
-      # end
-      # def allow_url_to_return_to_after_authentication_from_referer?
-      #   false
-      # end
       def default_url_to_return_to_after_authentication
         Configuration.authenticated_root
       end

data/app/models/omniauth/rails/authentication_request.rb CHANGED Viewed

@@ -7,7 +7,6 @@ module Omniauth
       end
       def persist(authentication_session)
-        # TODO: Store the provider in the session
         authentication_session.email = email
         authentication_session.expire_in(session_duration)
       end
@@ -17,7 +16,11 @@ module Omniauth
       attr_reader :request
       def email
-        request.env["omniauth.auth"].info.email
+        info.email
+      end
+      def info
+        request.env["omniauth.auth"].info
       end
       def session_duration

data/app/views/omniauth/rails/forbidden.html ADDED Viewed

	@@ -0,0 +1 @@
1	+ ACCESS DENIED

data/app/views/omniauth/rails/sessions/destroy.html.erb CHANGED Viewed

@@ -1,6 +1,6 @@
-<div class='notification'>
-  You have been logged out.
+<p>
+  You are logged out.
   Click
   <%= link_to "here", omniauth_rails.sign_in_url, target: '_self' %>
   to log back in.
-</div>
+</p>

data/config/initializers/omniauth_rails.rb CHANGED Viewed

@@ -1,35 +1,2 @@
 # frozen_string_literal: true
-config_hash = YAML.load(ERB.new(File.read("#{Rails.root}/config/omniauth_rails.yml")).result)[Rails.env]
-OmniAuth.config.logger = Rails.logger
-# TODO
-# OmniAuth.config.path_prefix = "/auth"
-Rails.application.config.middleware.use OmniAuth::Builder do
-  if config_hash.present?
-    raise "You must provide at least one oauth provider" unless config_hash["providers"]
-    config_hash["providers"].each do |provider, provider_config|
-      case provider
-      when "google_oauth2"
-        raise "Provider #{provider} requires a client_id" unless provider_config["client_id"]
-        raise "Provider #{provider} requires a client_secret" unless provider_config["client_secret"]
-        provider(:google_oauth2, provider_config["client_id"], provider_config["client_secret"],
-                 access_type: "online", approval_prompt: "auto")
-      else
-        raise "#{provider} is not currently handled by omniauth_rails."
-      end
-    end
-  end
-end
-if config_hash["session_duration_in_seconds"].present?
-  Omniauth::Rails::Configuration.session_duration = config_hash["session_duration_in_seconds"].seconds
-end
-raise "authenticated_root is required" if config_hash["authenticated_root"].blank?
-Omniauth::Rails::Configuration.authenticated_root = config_hash["authenticated_root"]
-raise "unauthenticated_root is required" if config_hash["unauthenticated_root"].blank?
-Omniauth::Rails::Configuration.unauthenticated_root = config_hash["unauthenticated_root"]
+Omniauth::Rails::Configurator.from_default_config_file.configure

data/lib/omniauth/rails.rb CHANGED Viewed

@@ -2,6 +2,8 @@
 require "omniauth/rails/engine"
 require "omniauth/rails/configuration"
+require "omniauth/rails/configurator"
+require "omniauth/rails/provider"
 module Omniauth
   module Rails

data/lib/omniauth/rails/configuration.rb CHANGED Viewed

@@ -2,7 +2,11 @@
 module Omniauth
   module Rails
     class Configuration
-      ATTRIBUTES = %i(authenticated_root unauthenticated_root session_duration logger).freeze
+      ATTRIBUTES = %i(
+        authenticated_root include_concern_in_application_controller
+        unauthenticated_root session_duration logger
+        dev_mode automount
+      ).freeze
       @session_duration = 1.hour
       @logger = ::Rails.logger

data/lib/omniauth/rails/configurator.rb ADDED Viewed

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class Configurator
+      REQUIRED_SETTINGS = %i(providers authenticated_root unauthenticated_root).freeze
+      def self.default_config_file
+        "#{::Rails.root}/config/omniauth_rails.yml"
+      end
+      def self.from_default_config_file
+        ::Rails.logger.info "Omniauth::Rails::Configurator: Loading from " \
+                            "default_config_file=#{default_config_file}"
+        from_yaml(default_config_file)
+      end
+      def self.from_yaml(file)
+        new(YAML.load(ERB.new(File.read(file)).result)[::Rails.env])
+      end
+      def initialize(data)
+        @data = data
+      end
+      def configure
+        validate!
+        configure_omni_auth_settings
+        configure_providers
+        Configuration.automount = automount
+        Configuration.authenticated_root = authenticated_root
+        Configuration.unauthenticated_root = unauthenticated_root
+        Configuration.include_concern_in_application_controller = include_concern_in_application_controller
+        Configuration.session_duration = session_duration.seconds if session_duration.present?
+        Configuration.dev_mode = dev_mode
+      end
+      private
+      attr_reader :data
+      def configure_omni_auth_settings
+        OmniAuth.config.logger = ::Rails.logger
+        OmniAuth.config.path_prefix = path_prefix
+      end
+      def dev_mode
+        data["dev_mode"] == true
+      end
+      def validate!
+        REQUIRED_SETTINGS.each do |setting|
+          raise "#{setting} is required" unless send(setting).present?
+        end
+        if dev_mode
+          raise "dev_mode may not be used in #{::Rails.env}" unless dev_mode_allowed?
+          ::Rails.logger.info "Omniauth::Rails: dev_mode is enabled. Authentication and " \
+                              "authorization are disabled."
+        end
+      end
+      def dev_mode_allowed?
+        ::Rails.env.development?
+      end
+      def automount
+        data["automount"] != false
+      end
+      def path_prefix
+        data["path_prefix"] || "/auth"
+      end
+      def authenticated_root
+        data["authenticated_root"]
+      end
+      def unauthenticated_root
+        data["unauthenticated_root"]
+      end
+      def session_duration
+        data["session_duration_in_seconds"]
+      end
+      def providers
+        data["providers"]
+      end
+      def include_concern_in_application_controller
+        data["autoload_in_application_controller"] != false
+      end
+      def configure_providers
+        providers.each do |provider, provider_config|
+          Provider.configure(provider, provider_config)
+        end
+      end
+    end
+  end
+end