RubyGems - omniauth-rails_csrf_protection - Versions diffs - 1.0.2 → 2.0.1 - Mend

omniauth-rails_csrf_protection 1.0.2 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +15 -0
data/lib/omniauth/rails_csrf_protection/token_verifier.rb +36 -12
data/lib/omniauth/rails_csrf_protection/version.rb +1 -1
data/test/application_test.rb +2 -2
data/test/integration_test.rb +38 -0
data/test/test_helper.rb +32 -2
metadata +21 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca8b6b6b0f1b3f05b0317c4e0f629529a44158edc57497fee9eec34a1422125d
-  data.tar.gz: 640c1535d81dea4a56fac9e851dc595f351d05dfc53e11ef3a720aeba1d2b770
+  metadata.gz: 156f0458f77fc7be417f9d4080ef3ca1c078b3ec97d2f5a260331f0ca7117ac8
+  data.tar.gz: 545b29f8d28c47803f9367bfcaccdcd412afd2d7e78bb571f46ef87b53ef6f14
 SHA512:
-  metadata.gz: 9db585b6633c9a06372ed96fd2c4a59502d75f7eb39c69f25c92bd0706ad5d2f0ae03d8471fd8ff19342cf98b01159ed742251eb568b200960eb031956b3976a
-  data.tar.gz: d6ff32d88319e0072a760853da4a7dca07bfab9ad6a5243552df8eeb7a603ee133f69a38686ce3d591c29b4bb131217348c0a6bc8010c1e45aea3478235e0cb5
+  metadata.gz: e23fceeb38d067b51e3a6751b194f9c47bcbb706919aa16024bf4e5f568c2168403c9346f0e4202c3c1dd54db6b4f46e20c70aaa3ac45e74852f5d4e2aaedf53
+  data.tar.gz: c4daf8660e73c639a123e8246c3e86583b951d6f6b546590b4467981fc52952e014e08f7092c3a2c3c164f88fdc218c52f2d77331f7d5fd0182f1375a5f2d94c

data/README.md CHANGED Viewed

@@ -7,6 +7,21 @@ application) by implementing a CSRF token verifier that directly uses
 [CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+> [!NOTE]
+> [OmniAuth] has provided a built-in solution to mitigate against
+> [CVE-2015-9284] since [version 2.0.0].
+> You should be able to mitigate against this vulnerability
+> by adding this configuration to your application:
+>
+> ```ruby
+> OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(key: :_csrf_token)
+> ```
+>
+> This gem will continued to be maintained as an alternative to the solution above.
+[OmniAuth]: https://github.com/omniauth/omniauth
+[Version 2.0.0]: https://github.com/omniauth/omniauth/releases/tag/v2.0.0
 ## Usage
 Add this line to your application's Gemfile:

data/lib/omniauth/rails_csrf_protection/token_verifier.rb CHANGED Viewed

@@ -1,6 +1,10 @@
-require "active_support/configurable"
+require "action_pack/version"
 require "action_controller"
+unless ActionPack.version >= Gem::Version.new("8.1.a")
+  require "active_support/configurable"
+end
 module OmniAuth
   module RailsCsrfProtection
     # Provides a callable method that verifies Cross-Site Request Forgery
@@ -13,17 +17,37 @@ module OmniAuth
     # authenticity token, you can find the source code at
     # https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L217-L240.
     class TokenVerifier
-      include ActiveSupport::Configurable
-      include ActionController::RequestForgeryProtection
-      # `ActionController::RequestForgeryProtection` contains a few
-      # configurable options. As we want to make sure that our configuration is
-      # the same as what being set in `ActionController::Base`, we should make
-      # all out configuration methods to delegate to `ActionController::Base`.
-      config.each_key do |configuration_name|
-        undef_method configuration_name
-        define_method configuration_name do
-          ActionController::Base.config[configuration_name]
+      if ActionPack.version >= Gem::Version.new("8.1.a")
+        # `ActiveSupport::Configurable` is deprecated in Rails 8.1 and will be
+        # removed in Rails 8.2. As `ActionController::RequestForgeryProtection`
+        # directly accesing configurations via `config`, we only need to define
+        # these methods and delegate them to `ActionController::Base.config`.
+        def self.config
+          ActionController::Base.config
+        end
+        def config
+          self.class.config
+        end
+        # For Rails 8.1+, includes this module after `config` is setup.
+        include ActionController::RequestForgeryProtection
+      else
+        include ActiveSupport::Configurable
+        # For Rails < 8.1, includes this module before delegation setup.
+        # Otherwise, `config` will be empty, and the delegation will fail.
+        include ActionController::RequestForgeryProtection
+        # `ActionController::RequestForgeryProtection` contains a few
+        # configurable options. As we want to make sure that our configuration is
+        # the same as what being set in `ActionController::Base`, we should make
+        # all out configuration methods to delegate to `ActionController::Base`.
+        config.each_key do |configuration_name|
+          undef_method configuration_name if defined?(configuration_name)
+          define_method configuration_name do
+            ActionController::Base.config[configuration_name]
+          end
         end
       end

data/lib/omniauth/rails_csrf_protection/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module RailsCsrfProtection
-    VERSION = "1.0.2".freeze
+    VERSION = "2.0.1".freeze
   end
 end

data/test/application_test.rb CHANGED Viewed

@@ -13,14 +13,14 @@ class ApplicationTest < Minitest::Test
     post "/auth/developer"
     follow_redirect!
-    assert last_response.not_found?
+    assert_equal "ActionController::InvalidAuthenticityToken", last_response.body
   end
   def test_request_phrase_with_bad_token_via_post
     post "/auth/developer", authenticity_token: "BAD_TOKEN"
     follow_redirect!
-    assert last_response.not_found?
+    assert_equal "ActionController::InvalidAuthenticityToken", last_response.body
   end
   def test_request_phrase_with_correct_token_via_post

data/test/integration_test.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require "test_helper"
+require "capybara/rails"
+require "capybara/minitest"
+class IntegrationTest < ActionDispatch::IntegrationTest
+  include Capybara::DSL
+  include Capybara::Minitest::Assertions
+  # We are using this `:per_form_csrf_tokens` as a way to test that we have
+  # setup method delegation properly to prevent regression, as Railtie sets
+  # this configuration to true afterward and causes them to be out-of-sync.
+  setup do
+    @original_per_form_csrf_tokens = \
+      ActionController::Base.config[:per_form_csrf_tokens]
+    ActionController::Base.config[:per_form_csrf_tokens] = true
+  end
+  teardown do
+    ActionController::Base.config[:per_form_csrf_tokens] = \
+      @original_per_form_csrf_tokens
+    Capybara.reset_sessions!
+    Capybara.use_default_driver
+  end
+  def test_request_phrase
+    visit sign_in_path
+    click_on "Sign in"
+    refute page.has_content?("ActionController::InvalidAuthenticityToken")
+    fill_in "Name", with: "Kagari Mimi"
+    fill_in "Email", with: "mimi@example.com"
+    click_on "Sign In"
+    assert page.has_content?("Hello Kagari Mimi (mimi@example.com)!")
+  end
+end

data/test/test_helper.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 $LOAD_PATH.unshift File.expand_path("../lib", __dir__)
 # Simple Rails application template, based on Rails issue template
-# https://github.com/rails/rails/blob/master/guides/bug_report_templates/action_controller_gem.rb
+# https://github.com/rails/rails/blob/main/guides/bug_report_templates/action_controller.rb
 # Helper method to silence warnings from bundler/inline
 def silence_warnings
@@ -13,6 +13,7 @@ end
 silence_warnings do
   require "bundler/inline"
+  require "logger"
   # Define dependencies required by this test app
   gemfile do
@@ -24,12 +25,19 @@ silence_warnings do
       gem "rails"
     end
+    if RUBY_VERSION >= "3.4"
+      gem "bigdecimal"
+      gem "drb"
+      gem "mutex_m"
+    end
+    gem "capybara"
     gem "omniauth"
     gem "omniauth-rails_csrf_protection", path: File.expand_path("..", __dir__)
   end
 end
-puts "Running test against Rails #{Rails.version}"
+puts "Running test on Ruby #{RUBY_VERSION} against Rails #{Rails.version}"
 require "rack/test"
 require "action_controller/railtie"
@@ -57,12 +65,20 @@ class TestApp < Rails::Application
     provider :developer
   end
+  # Silence the deprecation warning in Rails 8.0.x
+  if Gem::Requirement.new("~> 8.0.x").satisfied_by?(Rails.gem_version)
+    config.active_support.to_time_preserves_timezone = :zone
+  end
   # We need to call initialize! to run all railties
   initialize!
   # Define our custom routes. This needs to be called after initialize!
   routes.draw do
+    get "sign_in" => "application#sign_in"
     get "token" => "application#token"
+    get "auth/failure" => "application#failure"
+    match "auth/developer/callback" => "application#callback", :via => [:get, :post]
   end
 end
@@ -71,4 +87,18 @@ class ApplicationController < ActionController::Base
   def token
     render plain: form_authenticity_token
   end
+  def sign_in
+    render inline: <<~ERB
+      <%= button_to "Sign in", "/auth/developer", method: :post %>
+    ERB
+  end
+  def failure
+    render plain: params[:message]
+  end
+  def callback
+    render plain: "Hello #{params[:name]} (#{params[:email]})!"
+  end
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rails_csrf_protection
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 2.0.1
 platform: ruby
 authors:
 - Cookpad Inc.
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-10 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -53,7 +52,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +66,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -80,6 +79,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -112,12 +125,12 @@ files:
 - lib/omniauth/rails_csrf_protection/token_verifier.rb
 - lib/omniauth/rails_csrf_protection/version.rb
 - test/application_test.rb
+- test/integration_test.rb
 - test/test_helper.rb
 homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -132,10 +145,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
 test_files:
 - test/application_test.rb
+- test/integration_test.rb
 - test/test_helper.rb