omniauth-rails_csrf_protection 2.0.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3846d12e29003349aab3262355ab3caa8202537194bf6f46be894f616d17a723
-  data.tar.gz: c6458df501c2ca900d58cd1d5d87c10189e2c27a887f91c4de3c47d1ee7eae6c
+  metadata.gz: 156f0458f77fc7be417f9d4080ef3ca1c078b3ec97d2f5a260331f0ca7117ac8
+  data.tar.gz: 545b29f8d28c47803f9367bfcaccdcd412afd2d7e78bb571f46ef87b53ef6f14
 SHA512:
-  metadata.gz: 62351dc511a547b5f9983a3860e32be7e4ab66fd564f1d21533a5f97a60b6f31752823194342e5c37f4149ac93ef7ab99103330f3adef76e11c0dfc09e3cc49e
-  data.tar.gz: c2e6963ce81d58797117f512734eada4a98ec6b9fdeb8d124d239f8159b8341d9dba174e3e9d58b74fd96efd9aeb99ba5143b2c1b63364aaba14263058c68175
+  metadata.gz: e23fceeb38d067b51e3a6751b194f9c47bcbb706919aa16024bf4e5f568c2168403c9346f0e4202c3c1dd54db6b4f46e20c70aaa3ac45e74852f5d4e2aaedf53
+  data.tar.gz: c4daf8660e73c639a123e8246c3e86583b951d6f6b546590b4467981fc52952e014e08f7092c3a2c3c164f88fdc218c52f2d77331f7d5fd0182f1375a5f2d94c

data/lib/omniauth/rails_csrf_protection/token_verifier.rb

@@ -29,9 +29,16 @@ module OmniAuth
         def config
           self.class.config
         end
+
+        # For Rails 8.1+, includes this module after `config` is setup.
+        include ActionController::RequestForgeryProtection
       else
         include ActiveSupport::Configurable
 
+        # For Rails < 8.1, includes this module before delegation setup.
+        # Otherwise, `config` will be empty, and the delegation will fail.
+        include ActionController::RequestForgeryProtection
+
         # `ActionController::RequestForgeryProtection` contains a few
         # configurable options. As we want to make sure that our configuration is
         # the same as what being set in `ActionController::Base`, we should make
@@ -44,9 +51,6 @@ module OmniAuth
         end
       end
 
-      # Include this module only after we've prepared the configuration
-      include ActionController::RequestForgeryProtection
-
       def call(env)
         dup._call(env)
       end

data/lib/omniauth/rails_csrf_protection/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module RailsCsrfProtection
-    VERSION = "2.0.0".freeze
+    VERSION = "2.0.1".freeze
   end
 end

data/test/application_test.rb

@@ -13,14 +13,14 @@ class ApplicationTest < Minitest::Test
     post "/auth/developer"
     follow_redirect!
 
-    assert last_response.not_found?
+    assert_equal "ActionController::InvalidAuthenticityToken", last_response.body
   end
 
   def test_request_phrase_with_bad_token_via_post
     post "/auth/developer", authenticity_token: "BAD_TOKEN"
     follow_redirect!
 
-    assert last_response.not_found?
+    assert_equal "ActionController::InvalidAuthenticityToken", last_response.body
   end
 
   def test_request_phrase_with_correct_token_via_post

data/test/integration_test.rb

@@ -0,0 +1,38 @@
+require "test_helper"
+require "capybara/rails"
+require "capybara/minitest"
+
+class IntegrationTest < ActionDispatch::IntegrationTest
+  include Capybara::DSL
+  include Capybara::Minitest::Assertions
+
+  # We are using this `:per_form_csrf_tokens` as a way to test that we have
+  # setup method delegation properly to prevent regression, as Railtie sets
+  # this configuration to true afterward and causes them to be out-of-sync.
+  setup do
+    @original_per_form_csrf_tokens = \
+      ActionController::Base.config[:per_form_csrf_tokens]
+    ActionController::Base.config[:per_form_csrf_tokens] = true
+  end
+
+  teardown do
+    ActionController::Base.config[:per_form_csrf_tokens] = \
+      @original_per_form_csrf_tokens
+
+    Capybara.reset_sessions!
+    Capybara.use_default_driver
+  end
+
+  def test_request_phrase
+    visit sign_in_path
+    click_on "Sign in"
+
+    refute page.has_content?("ActionController::InvalidAuthenticityToken")
+
+    fill_in "Name", with: "Kagari Mimi"
+    fill_in "Email", with: "mimi@example.com"
+    click_on "Sign In"
+
+    assert page.has_content?("Hello Kagari Mimi (mimi@example.com)!")
+  end
+end

data/test/test_helper.rb

@@ -1,7 +1,7 @@
 $LOAD_PATH.unshift File.expand_path("../lib", __dir__)
 
 # Simple Rails application template, based on Rails issue template
-# https://github.com/rails/rails/blob/master/guides/bug_report_templates/action_controller_gem.rb
+# https://github.com/rails/rails/blob/main/guides/bug_report_templates/action_controller.rb
 
 # Helper method to silence warnings from bundler/inline
 def silence_warnings
@@ -27,9 +27,11 @@ silence_warnings do
 
     if RUBY_VERSION >= "3.4"
       gem "bigdecimal"
+      gem "drb"
       gem "mutex_m"
     end
 
+    gem "capybara"
     gem "omniauth"
     gem "omniauth-rails_csrf_protection", path: File.expand_path("..", __dir__)
   end
@@ -64,9 +66,7 @@ class TestApp < Rails::Application
   end
 
   # Silence the deprecation warning in Rails 8.0.x
-  if Rails.version.is_a?(Gem::Version) &&
-      Rails.version >= Gem::Version.new("8.0.x") &&
-      Rails.version < Gem::Version.new("8.1")
+  if Gem::Requirement.new("~> 8.0.x").satisfied_by?(Rails.gem_version)
     config.active_support.to_time_preserves_timezone = :zone
   end
 
@@ -75,7 +75,10 @@ class TestApp < Rails::Application
 
   # Define our custom routes. This needs to be called after initialize!
   routes.draw do
+    get "sign_in" => "application#sign_in"
     get "token" => "application#token"
+    get "auth/failure" => "application#failure"
+    match "auth/developer/callback" => "application#callback", :via => [:get, :post]
   end
 end
 
@@ -84,4 +87,18 @@ class ApplicationController < ActionController::Base
   def token
     render plain: form_authenticity_token
   end
+
+  def sign_in
+    render inline: <<~ERB
+      <%= button_to "Sign in", "/auth/developer", method: :post %>
+    ERB
+  end
+
+  def failure
+    render plain: params[:message]
+  end
+
+  def callback
+    render plain: "Hello #{params[:name]} (#{params[:email]})!"
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rails_csrf_protection
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Cookpad Inc.
@@ -52,7 +52,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,7 +66,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -79,6 +79,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -111,6 +125,7 @@ files:
 - lib/omniauth/rails_csrf_protection/token_verifier.rb
 - lib/omniauth/rails_csrf_protection/version.rb
 - test/application_test.rb
+- test/integration_test.rb
 - test/test_helper.rb
 homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
 licenses:
@@ -135,4 +150,5 @@ specification_version: 4
 summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
 test_files:
 - test/application_test.rb
+- test/integration_test.rb
 - test/test_helper.rb