omniauth-rails_csrf_protection 0.1.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bbf4c1c69045d3b8841a8e002fad5367924f1d3656bb030473da95ec61681878
-  data.tar.gz: 57f056afa7f51d2722129715a074aa19afeac9acd58a340c5c063aff7b8436d7
+  metadata.gz: b7c9f0953f60f411b88e66c914509308274d46c44a5fa42e1531740fc94c0be5
+  data.tar.gz: 1420e37a8f982fded587e1960309871054fc7e4a6ae4e237d5783025983a4c31
 SHA512:
-  metadata.gz: c64a7e5a8c3252ceebe112312fa9dfa346c7c337c2ed528f72ab7d140d540333e99c580143bad2044a7fe57697360cf7be6cd36672e97224fa48f21a6d758b6d
-  data.tar.gz: 7fdf180d08eb01a57acbf61f3f2a70754a433eee0fad1c31663f0b9bffa571ef4c45ada64669475ef6391b636437e3ae590e1bc27c785756278e1524f524cbfc
+  metadata.gz: 95efbe6ce15fd93acf8e4953ffbc058e681dda33f0a129a3b0a33c1c9000faf25a4bb789de45cd89603cfa2e5702b15c51db6468bbf616754199cf54e55cf750
+  data.tar.gz: dabea2ed5fddeda77f46fd7cee2a4f1b5f79d8dc042eba02dc64fda6ef304f828cce81d63c42a2592cd059511d080a6dd77db4ceb5de8dc17740e6d58fea04fb

data/.circleci/config.yml

@@ -15,13 +15,37 @@ build_steps: &build_steps
         name: Run tests
         command: rake
 
+ruby-2-4: &ruby-2-4
+  docker:
+    - image: circleci/ruby:2.4
+
 ruby-2-5: &ruby-2-5
   docker:
-    - image: circleci/ruby:2.5
+    - image: cimg/ruby:2.5
 
 ruby-2-6: &ruby-2-6
   docker:
-    - image: circleci/ruby:2.6
+    - image: cimg/ruby:2.6
+
+ruby-2-7: &ruby-2-7
+  docker:
+    - image: cimg/ruby:2.7
+
+ruby-3-0: &ruby-3-0
+  docker:
+    - image: cimg/ruby:3.0
+
+ruby-3-1: &ruby-3-1
+  docker:
+    - image: cimg/ruby:3.1
+
+rails-4-2: &rails-4-2
+  environment:
+      RAILS_VERSION: "~> 4.2.0"
+
+rails-5-0: &rails-5-0
+  environment:
+      RAILS_VERSION: "~> 5.0.0"
 
 rails-5-1: &rails-5-1
   environment:
@@ -33,13 +57,42 @@ rails-5-2: &rails-5-2
 
 rails-6-0: &rails-6-0
   environment:
-      RAILS_VERSION: "6.0.0.rc1"
+      RAILS_VERSION: "~> 6.0.0"
+
+rails-6-1: &rails-6-1
+  environment:
+      RAILS_VERSION: "~> 6.1.0"
+
+rails-7-0: &rails-7-0
+  environment:
+      RAILS_VERSION: "~> 7.0.0"
 
 rails-edge: &rails-edge
   environment:
-      RAILS_BRANCH: "master"
+      RAILS_BRANCH: "main"
 
 jobs:
+  "ruby-2-4-rails-4-2":
+    <<: *ruby-2-4
+    <<: *rails-4-2
+    <<: *build_steps
+  "ruby-2-4-rails-5-0":
+    <<: *ruby-2-4
+    <<: *rails-5-0
+    <<: *build_steps
+  "ruby-2-4-rails-5-1":
+    <<: *ruby-2-4
+    <<: *rails-5-1
+    <<: *build_steps
+  "ruby-2-4-rails-5-2":
+    <<: *ruby-2-4
+    <<: *rails-5-2
+    <<: *build_steps
+
+  "ruby-2-5-rails-5-0":
+    <<: *ruby-2-5
+    <<: *rails-5-0
+    <<: *build_steps
   "ruby-2-5-rails-5-1":
     <<: *ruby-2-5
     <<: *rails-5-1
@@ -52,10 +105,19 @@ jobs:
     <<: *ruby-2-5
     <<: *rails-6-0
     <<: *build_steps
+  "ruby-2-5-rails-6-1":
+    <<: *ruby-2-5
+    <<: *rails-6-1
+    <<: *build_steps
   "ruby-2-5-rails-edge":
     <<: *ruby-2-5
     <<: *rails-edge
     <<: *build_steps
+
+  "ruby-2-6-rails-5-0":
+    <<: *ruby-2-6
+    <<: *rails-5-0
+    <<: *build_steps
   "ruby-2-6-rails-5-1":
     <<: *ruby-2-6
     <<: *rails-5-1
@@ -68,20 +130,112 @@ jobs:
     <<: *ruby-2-6
     <<: *rails-6-0
     <<: *build_steps
+  "ruby-2-6-rails-6-1":
+    <<: *ruby-2-6
+    <<: *rails-6-1
+    <<: *build_steps
   "ruby-2-6-rails-edge":
     <<: *ruby-2-6
     <<: *rails-edge
     <<: *build_steps
 
+  "ruby-2-7-rails-5-0":
+    <<: *ruby-2-7
+    <<: *rails-5-0
+    <<: *build_steps
+  "ruby-2-7-rails-5-1":
+    <<: *ruby-2-7
+    <<: *rails-5-1
+    <<: *build_steps
+  "ruby-2-7-rails-5-2":
+    <<: *ruby-2-7
+    <<: *rails-5-2
+    <<: *build_steps
+  "ruby-2-7-rails-6-0":
+    <<: *ruby-2-7
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-2-7-rails-6-1":
+    <<: *ruby-2-7
+    <<: *rails-6-1
+    <<: *build_steps
+  "ruby-2-7-rails-7-0":
+    <<: *ruby-2-7
+    <<: *rails-7-0
+    <<: *build_steps
+  "ruby-2-7-rails-edge":
+    <<: *ruby-2-7
+    <<: *rails-edge
+    <<: *build_steps
+
+  "ruby-3-0-rails-6-0":
+    <<: *ruby-3-0
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-3-0-rails-6-1":
+    <<: *ruby-3-0
+    <<: *rails-6-1
+    <<: *build_steps
+  "ruby-3-0-rails-7-0":
+    <<: *ruby-3-0
+    <<: *rails-7-0
+    <<: *build_steps
+  "ruby-3-0-rails-edge":
+    <<: *ruby-3-0
+    <<: *rails-edge
+    <<: *build_steps
+
+  "ruby-3-1-rails-6-0":
+    <<: *ruby-3-1
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-3-1-rails-6-1":
+    <<: *ruby-3-1
+    <<: *rails-6-1
+    <<: *build_steps
+  "ruby-3-1-rails-7-0":
+    <<: *ruby-3-1
+    <<: *rails-7-0
+    <<: *build_steps
+  "ruby-3-1-rails-edge":
+    <<: *ruby-3-1
+    <<: *rails-edge
+    <<: *build_steps
+
 workflows:
   version: 2
   build:
     jobs:
+      - "ruby-2-4-rails-4-2"
+      - "ruby-2-4-rails-5-1"
+      - "ruby-2-4-rails-5-2"
+
+      - "ruby-2-5-rails-5-0"
       - "ruby-2-5-rails-5-1"
       - "ruby-2-5-rails-5-2"
       - "ruby-2-5-rails-6-0"
-      - "ruby-2-5-rails-edge"
+      - "ruby-2-5-rails-6-1"
+
+      - "ruby-2-6-rails-5-0"
       - "ruby-2-6-rails-5-1"
       - "ruby-2-6-rails-5-2"
       - "ruby-2-6-rails-6-0"
-      - "ruby-2-6-rails-edge"
+      - "ruby-2-6-rails-6-1"
+
+      - "ruby-2-7-rails-5-0"
+      - "ruby-2-7-rails-5-1"
+      - "ruby-2-7-rails-5-2"
+      - "ruby-2-7-rails-6-0"
+      - "ruby-2-7-rails-6-1"
+      - "ruby-2-7-rails-7-0"
+      - "ruby-2-7-rails-edge"
+
+      - "ruby-3-0-rails-6-0"
+      - "ruby-3-0-rails-6-1"
+      - "ruby-3-0-rails-7-0"
+      - "ruby-3-0-rails-edge"
+
+      - "ruby-3-1-rails-6-0"
+      - "ruby-3-1-rails-6-1"
+      - "ruby-3-1-rails-7-0"
+      - "ruby-3-1-rails-edge"

data/README.md

@@ -1,10 +1,14 @@
 # OmniAuth - Rails CSRF Protection
 
-This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
-Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
-application) by implementing a CSRF token verifier that directly utilize
+This gem provides a mitigation against [CVE-2015-9284] (Cross-Site Request
+Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
+application) by implementing a CSRF token verifier that directly uses
 `ActionController::RequestForgeryProtection` code from Rails.
 
+[![CircleCI](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/main.svg?style=svg)](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/main)
+
+[CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+
 ## Usage
 
 Add this line to your application's Gemfile:
@@ -16,7 +20,7 @@ gem "omniauth-rails_csrf_protection"
 Then run `bundle install` to install this gem.
 
 You will then need to verify that all links in your application that would
-initiate OAuth request phrase are being converted to a HTTP POST form that
+initiate OAuth request phase are being converted to a HTTP POST form that
 contains `authenticity_token` value. This might simply be done by changing all
 `link_to` to `button_to`, or use `link_to ..., method: :post`.
 
@@ -24,10 +28,10 @@ contains `authenticity_token` value. This might simply be done by changing all
 
 This gem does a few things to your application:
 
-* Disable access to the OAuth request phrase using HTTP GET method.
-* Insert a Rails CSRF token verifier at before request phrase.
+* Disable access to the OAuth request phase using HTTP GET method.
+* Insert a Rails CSRF token verifier at the before request phase.
 
-These actions mitigate you from the attack vector described in CVE-2015-9284.
+These actions mitigate you from the attack vector described in [CVE-2015-9284].
 
 ## Contributing
 
@@ -45,4 +49,4 @@ The gem is available as open source under the terms of the
 
 Everyone interacting in the this project’s codebases, issue trackers, chat
 rooms and mailing lists is expected to follow the
-[code of conduct](https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/CODE_OF_CONDUCT.md).
+[code of conduct](https://github.com/cookpad/omniauth-rails_csrf_protection/blob/main/CODE_OF_CONDUCT.md).

data/lib/omniauth/rails_csrf_protection/railtie.rb

@@ -1,11 +1,11 @@
+require "omniauth"
 require "omniauth/rails_csrf_protection/token_verifier"
 
 module OmniAuth
   module RailsCsrfProtection
     class Railtie < Rails::Railtie
       initializer "omniauth-rails_csrf_protection.initialize" do
-        OmniAuth.config.allowed_request_methods = [:post]
-        OmniAuth.config.before_request_phase = TokenVerifier.new
+        OmniAuth.config.request_validation_phase = TokenVerifier.new
       end
     end
   end

data/lib/omniauth/rails_csrf_protection/token_verifier.rb

@@ -28,7 +28,7 @@ module OmniAuth
       end
 
       def call(env)
-        @request = ActionDispatch::Request.new(env)
+        @request = ActionDispatch::Request.new(env.dup)
 
         unless verified_request?
           raise ActionController::InvalidAuthenticityToken

data/lib/omniauth/rails_csrf_protection/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module RailsCsrfProtection
-    VERSION = "0.1.0".freeze
+    VERSION = "1.0.1".freeze
   end
 end

data/omniauth-rails_csrf_protection.gemspec

@@ -27,8 +27,8 @@ Gem::Specification.new do |spec|
 
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "actionpack", ">= 5.1.0"
-  spec.add_dependency "omniauth", ">= 1.3.1"
+  spec.add_dependency "actionpack", ">= 4.2"
+  spec.add_dependency "omniauth", "~> 2.0"
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "minitest"

data/test/application_test.rb

@@ -11,14 +11,16 @@ class ApplicationTest < Minitest::Test
 
   def test_request_phrase_without_token_via_post
     post "/auth/developer"
+    follow_redirect!
 
-    assert last_response.unprocessable?
+    assert last_response.not_found?
   end
 
   def test_request_phrase_with_bad_token_via_post
     post "/auth/developer", authenticity_token: "BAD_TOKEN"
+    follow_redirect!
 
-    assert last_response.unprocessable?
+    assert last_response.not_found?
   end
 
   def test_request_phrase_with_correct_token_via_post

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rails_csrf_protection
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Cookpad Inc.
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-30 00:00:00.000000000 Z
+date: 2022-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '4.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.1.0
+        version: '4.2'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.1
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.1
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -124,7 +124,7 @@ homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -139,8 +139,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
 test_files: