RubyGems - omniauth-rails - Versions diffs - 0.1.0 - Mend

omniauth-rails 0.1.0

Files changed (140) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d56083f2dbbbb8598f6740095b9df4dd967269be
+  data.tar.gz: 905900d024010eee45dc8025a958e80a167ea269
+SHA512:
+  metadata.gz: 418f5a1cafc19fd179bd4bb78b80ec45962c410a3f9aef1f41dc5eaa6aaaddf83b65cb13d0d51234d484d6a5535df8f0c5b6a2f7ae3594f654d6e57449414d29
+  data.tar.gz: 69b3d71ee4887a09f8283c0304391901483b921384f9976805b80b10e109e6149364365cd189dce427cf5133a80a0cd529b873c8f8100ff29e437d4bfcbfc306

data/MIT-LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright 2016 Dan Rabinowitz
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,71 @@
+# Omniauth::Rails
+A Rails Engine to make it as easy as possible to add oauth authentication to a Rails app.
+The canonical use case is this:
+You build a simple Rails app for your company. It is for internal use only. Your company uses Google Apps for gmail.
+Most existing authentication and authorization systems, like Devise, require a table of Users, and permissions. That requires that users maintain a separate password, and it requires someone to disable an account when an employee leaves.
+OmniAuth solves these problems, but can take some effort to configure properly. It is highly flexible and customizable. But adding it can require updates to controllers, the routes file, an initializer. The biggest challenge is that after it authenticates the user, it leaves *persisting* that user's identify as something for the developer to handle.
+OmniAuth::Rails makes it as easy as possible to create an admin site. See Usage, below.
+Authorization is handled separately.
+## TODO
+* Add a "dev mode" override which simply skips all authentication.
+* Search for "TODO" in the code.
+## Usage
+1. Add the gem to your Gemfile
+gem 'omniauth-rails'
+2. Add a config/omniauth_rails.yml with something like this:
+```yml
+development:
+  providers:
+    google_oauth2:
+      client_id: <%= ENV["CLIENT_ID"] %>
+      client_secret: <%= ENV["CLIENT_SECRET"] %>
+  authenticated_root: "/private"
+  unauthenticated_root: "/public"
+  session_duration_in_seconds: 5 # The default is 3600 (which is 1 hour)
+test:
+  providers:
+    google_oauth2:
+      client_id: 1
+      client_secret: 2
+  authenticated_root: "/private"
+  unauthenticated_root: "/public"
+  session_duration_in_seconds: 5 # The default is 3600 (which is 1 hour)
+production:
+  providers:
+    google_oauth2:
+      client_id: <%= ENV["CLIENT_ID"] %>
+      client_secret: <%= ENV["CLIENT_SECRET"] %>
+  authenticated_root: "/private"
+  unauthenticated_root: "/public"
+  session_duration_in_seconds: 3600 # The default is 3600 (which is 1 hour)
+```
+3. In any controllers which require authentication, add this line:
+```ruby
+include Omniauth::Rails::RequireAuthentication
+```
+## Logging out
+In general, there's not much point in "logging out". It wipes the Omniauth::Rails session,
+but the browser is still logged in to the provider, which has granted access to the application
+(generally) with no expiration. So logging back in requires no credentials.
+Bottom line: There's usually no reason to have a logout button when using Omniauth::Rails
+## Contributing
+PRs are welcome!
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile ADDED Viewed

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+begin
+  require "bundler/setup"
+rescue LoadError
+  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
+end
+require "rdoc/task"
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "Omniauth::Rails"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("README.md")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+end
+APP_RAKEFILE = File.expand_path("../spec/test_app/Rakefile", __FILE__)
+load "rails/tasks/engine.rake"
+load "rails/tasks/statistics.rake"
+require "bundler/gem_tasks"
+require "rspec/core"
+require "rspec/core/rake_task"
+desc "Run all specs in spec directory (excluding plugin specs)"
+task("spec").clear
+RSpec::Core::RakeTask.new do |t|
+  t.verbose = false
+end
+require "rubocop/rake_task"
+desc "Run RuboCop"
+RuboCop::RakeTask.new(:rubocop) do |tsk|
+  tsk.fail_on_error = true
+  tsk.options = ["-DR", "--format=html", "--out=tmp/rubocop.html", "--format=progress"]
+end
+task default: [:spec, :rubocop]

data/app/assets/config/omniauth_rails_manifest.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ //= link_directory ../stylesheets/omniauth/rails .css

data/app/assets/stylesheets/omniauth/rails/application.css ADDED Viewed

@@ -0,0 +1,19 @@
+form.button_to {
+  display: inline;
+  margin: 0;
+  padding: 0;
+}
+form.button_to div { display: inline; }
+form.button_to input[type=submit] {
+    margin: 0;
+    padding: 0;
+    -webkit-appearance: caret;
+    background: none;
+    border: none;
+    font-size: inherit;
+    font-family: inherit;
+    cursor: pointer;
+    text-decoration: underline;
+    color: #0000FF;
+  }
+}

data/app/controllers/omniauth/rails/application_controller.rb ADDED Viewed

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class ApplicationController < ActionController::Base
+      protect_from_forgery with: :exception
+    end
+  end
+end

data/app/controllers/omniauth/rails/flash.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module Flash
+      extend ActiveSupport::Concern
+      def set_url_to_return_to_after_authentication
+        # TODO: Sanitize these urls, to avoid phishing attacks
+        # See https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+        flash[:url_to_return_to_after_authentication] =
+          # url_to_return_to_after_authentication_from_params ||
+          url_to_return_to_after_authentication_from_flash ||
+          # url_to_return_to_after_authentication_from_referer ||
+          default_url_to_return_to_after_authentication
+      end
+      private
+      # def url_to_return_to_after_authentication_from_params
+      #   return nil unless allow_url_to_return_to_after_authentication_from_params?
+      #   params[:return_to]
+      # end
+      # def allow_url_to_return_to_after_authentication_from_params?
+      #   false
+      # end
+      def url_to_return_to_after_authentication_from_flash
+        flash[:url_to_return_to_after_authentication]
+      end
+      # def url_to_return_to_after_authentication_from_referer
+      #   return nil unless allow_url_to_return_to_after_authentication_from_referer?
+      #   request.referer
+      # end
+      # def allow_url_to_return_to_after_authentication_from_referer?
+      #   false
+      # end
+      def default_url_to_return_to_after_authentication
+        Configuration.authenticated_root
+      end
+    end
+  end
+end

data/app/controllers/omniauth/rails/require_authentication.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module RequireAuthentication
+      extend ActiveSupport::Concern
+      included do
+        include Omniauth::Rails::ApplicationHelper
+        # TODO: Do not add this before_action in dev_mode
+        before_action :require_authentication
+      end
+      private
+      def require_authentication
+        redirect_to_sign_in_url unless authenticated?
+      end
+      def redirect_to_sign_in_url
+        flash[:url_to_return_to_after_authentication] = request.original_url
+        redirect_to omniauth_rails.sign_in_url
+      end
+    end
+  end
+end

data/app/controllers/omniauth/rails/require_authorization.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module RequireAuthorization
+      def self.included(klass)
+        klass.include Omniauth::Rails::RequireAuthentication
+        klass.extend ClassMethods
+      end
+      module ClassMethods
+        private
+        def require_authorization(params)
+          # TODO: Do not add this before_action in dev_mode
+          before_action { |c| c.require_authorization(params) }
+        end
+      end
+      protected
+      def require_authorization(params)
+        redirect_to_sign_in_url unless authorized?(params)
+      end
+      private
+      def authorized?(params)
+        AuthorizationChecker.new(email: authenticated_email, params: params).authorized?
+      end
+    end
+  end
+end

data/app/controllers/omniauth/rails/sessions_controller.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class SessionsController < ApplicationController
+      include Omniauth::Rails::ApplicationHelper
+      include Omniauth::Rails::Flash
+      # GET /sign_in
+      def new
+        # Set a flash variable, so we know where to go after a successful authentication.
+        set_url_to_return_to_after_authentication
+        # If we are already authenticated, do not attempt to authenticate again.
+        # Instead, redirect to where we would go after authentication
+        if authenticated?
+          redirect_to flash[:url_to_return_to_after_authentication]
+        else
+          redirect_to omniauth_route
+        end
+      end
+      # DELETE /sign_out
+      def destroy
+        authentication_session.reset
+        if Configuration.unauthenticated_root.present?
+          redirect_to Configuration.unauthenticated_root
+        else
+          render layout: false
+        end
+      end
+      # GET /:provider/callback
+      def create
+        persist_authentication_data
+        redirect_to flash[:url_to_return_to_after_authentication] ||
+                    default_url_to_return_to_after_authentication
+      end
+      private
+      def omniauth_route
+        OmniAuthRouteBuilder.new.route
+      end
+      def persist_authentication_data
+        authentication_request.persist(authentication_session)
+      end
+      def authentication_request
+        AuthenticationRequest.new(request)
+      end
+    end
+  end
+end

data/app/helpers/omniauth/rails/application_helper.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module ApplicationHelper
+      delegate :authenticated?, to: :authentication_session
+      def authenticated_email
+        authentication_session.email
+      end
+      def authentication_session
+        AuthenticationSession.new(session)
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authentication_data_store.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class AuthenticationDataStore
+      SCOPE = "OmniauthRailsAuthData"
+      def initialize(session)
+        @session = session
+        freeze
+      end
+      def get(key)
+        return nil if session[SCOPE].nil?
+        session[SCOPE][key]
+      end
+      def set(key, value)
+        session[SCOPE] ||= {}
+        session[SCOPE][key] = value
+      end
+      def reset
+        session[SCOPE] = {}
+      end
+      private
+      attr_reader :session
+    end
+  end
+end

data/app/models/omniauth/rails/authentication_request.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class AuthenticationRequest
+      def initialize(request)
+        @request = request
+      end
+      def persist(authentication_session)
+        # TODO: Store the provider in the session
+        authentication_session.email = email
+        authentication_session.expire_in(session_duration)
+      end
+      private
+      attr_reader :request
+      def email
+        request.env["omniauth.auth"].info.email
+      end
+      def session_duration
+        Configuration.session_duration
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authentication_session.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class AuthenticationSession
+      EMAIL_KEY = "email"
+      EXPIRE_AT_KEY = "expire_at"
+      def initialize(session)
+        @session = session
+        reset if expired?
+        freeze
+      end
+      delegate :reset, to: :data_store
+      def authenticated?
+        email.present?
+      end
+      def email
+        data_store.get(EMAIL_KEY)
+      end
+      def email=(email)
+        data_store.set(EMAIL_KEY, email)
+      end
+      def expire_in(duration)
+        self.expire_at = (Time.now.to_i + duration)
+      end
+      def expire_at
+        data_store.get(EXPIRE_AT_KEY)
+      end
+      def expire_at=(expire_at)
+        data_store.set(EXPIRE_AT_KEY, expire_at)
+      end
+      private
+      attr_reader :session
+      def data_store
+        @data_store ||= AuthenticationDataStore.new(session)
+      end
+      def expired?
+        expire_at.present? && expire_at < Time.now.to_i
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authorization_checker.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class AuthorizationChecker
+      AUTHORIZATION_TYPES = {
+        domains: AuthorizationTypes::Domains,
+        emails: AuthorizationTypes::Emails,
+        regex: AuthorizationTypes::Regex,
+      }.freeze
+      def initialize(email:, params:)
+        @email = email
+        @params = params
+      end
+      def authorized?
+        params.map do |key, value|
+          raise "Invalid key for authorization constraint" unless AUTHORIZATION_TYPES.key?(key)
+          AUTHORIZATION_TYPES[key].new(email: email, value: value).authorized?
+        end.all?
+      end
+      private
+      attr_reader :email, :params
+    end
+  end
+end

data/app/models/omniauth/rails/authorization_types/base.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module AuthorizationTypes
+      class Base
+        def initialize(email:, value:)
+          @email = email
+          @value = value
+        end
+        private
+        attr_reader :email, :value
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authorization_types/domains.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module AuthorizationTypes
+      class Domains < Base
+        def authorized?
+          domains.any? { |domain| email_domain.casecmp(domain).zero? }
+        end
+        private
+        def email_domain
+          @email_domain ||= email.split("@").last.to_s
+        end
+        def domains
+          value
+        end
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authorization_types/emails.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module AuthorizationTypes
+      class Emails < Base
+        def authorized?
+          emails.any? { |allowed_email| allowed_email.to_s.casecmp(email).zero? }
+        end
+        private
+        def emails
+          value
+        end
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/authorization_types/regex.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    module AuthorizationTypes
+      class Regex < Base
+        def authorized?
+          !regex.match(email).nil?
+        end
+        private
+        def regex
+          value
+        end
+      end
+    end
+  end
+end

data/app/models/omniauth/rails/omni_auth_route_builder.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class OmniAuthRouteBuilder
+      def initialize
+        @provider = "google_oauth2"
+      end
+      def route
+        "/auth/#{provider}"
+      end
+      private
+      attr_reader :provider
+    end
+  end
+end

data/app/views/omniauth/rails/sessions/destroy.html.erb ADDED Viewed

@@ -0,0 +1,6 @@
+<div class='notification'>
+  You have been logged out.
+  Click
+  <%= link_to "here", omniauth_rails.sign_in_url, target: '_self' %>
+  to log back in.
+</div>

data/config/initializers/omniauth_rails.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+config_hash = YAML.load(ERB.new(File.read("#{Rails.root}/config/omniauth_rails.yml")).result)[Rails.env]
+OmniAuth.config.logger = Rails.logger
+# TODO
+# OmniAuth.config.path_prefix = "/auth"
+Rails.application.config.middleware.use OmniAuth::Builder do
+  if config_hash.present?
+    raise "You must provide at least one oauth provider" unless config_hash["providers"]
+    config_hash["providers"].each do |provider, provider_config|
+      case provider
+      when "google_oauth2"
+        raise "Provider #{provider} requires a client_id" unless provider_config["client_id"]
+        raise "Provider #{provider} requires a client_secret" unless provider_config["client_secret"]
+        provider(:google_oauth2, provider_config["client_id"], provider_config["client_secret"],
+                 access_type: "online", approval_prompt: "auto")
+      else
+        raise "#{provider} is not currently handled by omniauth_rails."
+      end
+    end
+  end
+end
+if config_hash["session_duration_in_seconds"].present?
+  Omniauth::Rails::Configuration.session_duration = config_hash["session_duration_in_seconds"].seconds
+end
+raise "authenticated_root is required" if config_hash["authenticated_root"].blank?
+Omniauth::Rails::Configuration.authenticated_root = config_hash["authenticated_root"]
+raise "unauthenticated_root is required" if config_hash["unauthenticated_root"].blank?
+Omniauth::Rails::Configuration.unauthenticated_root = config_hash["unauthenticated_root"]

data/config/routes.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+Omniauth::Rails::Engine.routes.draw do
+  get "/sign_in", to: "sessions#new", as: :sign_in
+  delete "/sign_out", to: "sessions#destroy", as: :sign_out
+  get "/:provider/callback", to: "sessions#create"
+end

data/lib/omniauth/rails/configuration.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module Omniauth
+  module Rails
+    class Configuration
+      ATTRIBUTES = %i(authenticated_root unauthenticated_root session_duration logger).freeze
+      @session_duration = 1.hour
+      @logger = ::Rails.logger
+      class << self
+        attr_accessor(*ATTRIBUTES)
+      end
+    end
+  end
+end