omniauth-rpi 1.1.0 → 1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c5b02d8e9d7d9c3c2cfd05e4101beb1cf020f4179fd60df438158e28e4b55fd
-  data.tar.gz: a900c630e232d93a8a9285215020dd9f11455d7c53e03d0682eefd59079cc588
+  metadata.gz: cac46043e419722d2bc271fe0c7f1c2598564e9152c1924276375f975bf0245a
+  data.tar.gz: e6bd7a55d9733ad063e0ade779e7fd9d4e8ac761040b788e7a0896e5fb2f3ff0
 SHA512:
-  metadata.gz: 11e427ee349802267163fb769c6359f1229e31fc3478fe279d2b3cd6bb372d25ef739b5b0788aae0743e518f9f5358d9655addac56e8c60b2342b66da193abd5
-  data.tar.gz: 7a00f600a2b83a4cd90dcd6d3424d53412ce8422d480cd49dfecb62a6d99946d832bb47b3be31afdca14379f5307fa7764640c5b77562def9cc61ff19ebe623b
+  metadata.gz: f75ab8d0e83b4cfad930614611472151c0db44409819f6cc11b6990a3384a4dc36e9337fe82e7bcc50eb6b6007c44952f8e3820dd287319c4988b6ec5878acf8
+  data.tar.gz: e61a9bcaa2df572b40006a1ecac62620d035b9f49e9f05410fe0b8baab5bd74b6d08a8f53a5bbf08165024aae6f21587bfbd8c426630e503c7b96638bf11772b

data/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.2] - 2023-02-02
+### Changed
+- Fixes setting of uid from raw_info (uid was previously blank)
+
+## [1.3.1] - 2021-10-14
+### Changed
+- Removed Hydra v0 strategy, which is better handled in the `hydra-v0` branch and `v0.x.x` releases
+
+## [1.3.0] - 2021-10-14
+### Changed
+- Replaced force_signup param with a more extensible login_options param
+
+## [1.2.0] - 2021-09-30
+### Added
+- Added force_signup param to enable passing of custom param to the identity provider
+
 ## [1.1.0] - 2021-09-10
 ### Added
 - Changelog in preparation for publishing app to rubygems.org

data/README.md

@@ -1,87 +1,138 @@
 # OmniAuth Raspberry Pi
 
-This is the official OmniAuth strategy for authenticating to Raspberry pi.
+This is the official OmniAuth strategy for authenticating to Raspberry Pi Accounts using Hydra v1 (for Hydra v0 see the `hydra-v0` branch and `v0.x.x` releases).
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'omniauth-rpi', '~> 1.1.0'
+gem 'omniauth-rpi',
+    git: 'https://github.com/RaspberryPiFoundation/omniauth-rpi.git',
+    tag: 'v1.3.2'
 ```
 
 And then execute:
 
     $ bundle
 
-## Basic Usage
+## Usage with OmniAuth
 
 - [Integrating with OmniAuth](https://github.com/omniauth/omniauth/wiki)
-- [Integrating with Devise](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
 
+In `config/initializers/omniauth.rb`:
 
 ```ruby
-use OmniAuth::Builder do
-  provider OmniAuth::Strategies::Hydra1, ENV['RASPBERRY_KEY'], ENV['RASPBERRY_SECRET']
+OmniAuth.config.logger = Rails.logger
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(
+    OmniAuth::Strategies::Rpi, ENV['AUTH_CLIENT_ID'], ENV['AUTH_CLIENT_SECRET'],
+    scope: 'openid email profile force-consent',
+    callback_path: '/auth/callback',
+    client_options: {
+      site: ENV['AUTH_URL'],
+      authorize_url: "#{ENV['AUTH_URL']}/oauth2/auth",
+      token_url: "#{ENV['AUTH_URL']}/oauth2/token"
+    },
+    authorize_params: {
+      brand: '<brand>'
+    }
+  )
+
+  OmniAuth.config.on_failure = AuthController.action(:failure)
 end
 ```
 
+(the `Rpi` strategy extends the `Hydra1` strategy)
+
+## Usage with Devise
+
+- [Integrating with Devise](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
+
 ## Use in development
 
 In development it is sometimes useful to point at a staging/local version of the authentication
-server (ie Hydra).
+server (ie. Hydra).
 
 ```ruby
-use OmniAuth::Builder do
-  provider OmniAuth::Strategies::Hydra1, ENV['RASPBERRY_KEY'], ENV['RASPBERRY_SECRET'],
-    :scope           => 'openid email profile',
-    :client_options  => {
-      :site          => 'http://localhost:9000',
-      :authorize_url => 'http://localhost:9000/oauth2/auth',
-      :token_url     => 'http://localhost:9000/oauth2/token'
-    }
- )
+:client_options  => {
+  :site          => 'http://localhost:9000',
+  :authorize_url => 'http://localhost:9000/oauth2/auth',
+  :token_url     => 'http://localhost:9000/oauth2/token'
+}
 ```
 
 ## Bypassing OmniAuth/OAuth
 
-It is also possible to bypass OmniAuth (and OAuth) **entirely**, which can be useful in circumstances where hostnames are dynamic, e.g. in review deployments.  To do this add the following code to your OmniAuth initializer.
+It is also possible to bypass OmniAuth (and OAuth) entirely which can be useful in circumstances where hostnames are dynamic, e.g. in review deployments, as well as in development. To do this add the following code to your OmniAuth initializer:
 
 ```ruby
-# We've usually used an environment variable set outside the app to trigger the
-# auth bypass.
-if ENV.has_key? 'BYPASS_OAUTH'
+# Use an environment variable set outside the app to trigger the auth bypass
+if ENV['BYPASS_OAUTH'].present?
   using RpiAuthBypass
   OmniAuth.config.enable_rpi_auth_bypass
 end
 ```
 
 This will log you in with the following details:
-  * uid: `b6301f34-b970-4d4f-8314-f877bad8b150`
+  * uuid: `b6301f34-b970-4d4f-8314-f877bad8b150`
   * email: `web@raspberrypi.org`
   * name: `Web Team`
   * nickname: `Web`
 
-If you wish to specify your user's details, you can add the info manually with the following method call.
+If you wish to specify your user's details, you can add the info manually:
+
+```ruby
+if ENV['BYPASS_OAUTH'].present?
+  using RpiAuthBypass
+  OmniAuth.config.add_rpi_mock(
+    uid: 'b6301f34-b970-4d4f-8314-f877bad8b150',
+    info: {
+      email: 'web@raspberrypi.org',
+      name: 'Digital Products Team',
+      nickname: 'DP',
+      image: 'https://static.raspberrypi.org/files/accounts/default-avatar.jpg'
+    },
+    extra: {
+      raw_info: {
+        name: 'Digital Products Team',
+        nickname: 'DP',
+        email: 'web@raspberrypi.org',
+        country: 'United Kingdom',
+        country_code: 'GB',
+        postcode: 'CB1 1AA',
+        picture: 'https://static.raspberrypi.org/files/accounts/default-avatar.jpg',
+        profile: 'https://my.raspberrypi.org/not/a/real/path'
+      }
+    }
+  )
+  OmniAuth.config.enable_rpi_auth_bypass
+end
+```
+
+## Forcing sign up flow
+
+It's possible to force a redirect to the Pi Accounts sign up page (rather than the default log in page) through:
+
 ```
-OmniAuth.config.add_rpi_mock(uid: '1234', info: {name: 'Example', nickname: 'Ex', email: 'ex@example.com' } )
+POST /auth/rpi?login_options=force_signup
 ```
 
-All this could also be done inside the `OmniAuth::Builder` block too.
+For the full documentation see: https://github.com/RaspberryPiFoundation/documentation/blob/main/accounts/force-signup.md
+
+## Testing
+
+Run:
 
-```ruby
-using RpiAuthBypass
-
-use OmniAuth::Builder do
-  configure do |c|
-    if ENV.has_key? 'BYPASS_OAUTH'
-      c.enable_rpi_auth_bypass
-      c.add_rpi_mock(uid: 'foo', info: {name: ... } )
-    end
-  end
-end
+```
+rspec
 ```
 
 ## Publishing changes
 
-When publishing changes to the provider, don't forget to bump the version number in `lib/omniauth-rpi/version.rb`
+https://rubygems.org/gems/omniauth-rpi
+
+When publishing changes to the provider, don't forget to bump the version number in `lib/omniauth-rpi/version.rb` and update `CHANGELOG.md` accordingly.
+
+How to publish to Rubygems: https://guides.rubygems.org/publishing/#publishing-to-rubygemsorg

data/lib/omniauth/strategies/hydra1.rb

@@ -11,10 +11,10 @@ module OmniAuth
         authorize_url:'https://auth-v1.raspberrypi.org/oauth2/auth',
         token_url:    'https://auth-v1.raspberrypi.org/oauth2/token'
       }
-
+  
       def authorize_params
         super.tap do |params|
-          %w[scope client_options].each do |v|
+          %w[scope client_options login_options].each do |v|
             params[v.to_sym] = request.params[v] if request.params[v]
           end
         end
@@ -24,7 +24,7 @@ module OmniAuth
         full_host + callback_path
       end
 
-      uid { raw_info['user'].to_s }
+      uid { raw_info['uuid'].to_s }
 
       info do
         {

data/lib/omniauth-rpi/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Rpi
-    VERSION = '1.1.0'.freeze
+    VERSION = '1.3.2'.freeze
   end
 end

data/lib/omniauth-rpi.rb

@@ -1,5 +1,4 @@
 require 'omniauth-rpi/version' # rubocop:disable Naming/FileName
-require 'omniauth/strategies/hydra0'
 require 'omniauth/strategies/hydra1'
 require 'omniauth/strategies/rpi'
 require 'rpi_auth_bypass'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rpi
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.2
 platform: ruby
 authors:
 - Raspberry Pi Foundation
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-13 00:00:00.000000000 Z
+date: 2023-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -159,7 +159,6 @@ files:
 - bin/setup
 - lib/omniauth-rpi.rb
 - lib/omniauth-rpi/version.rb
-- lib/omniauth/strategies/hydra0.rb
 - lib/omniauth/strategies/hydra1.rb
 - lib/omniauth/strategies/rpi.rb
 - lib/rpi_auth_bypass.rb
@@ -168,7 +167,7 @@ homepage: https://www.raspberrypi.org
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -184,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.4
-signing_key:
+signing_key: 
 specification_version: 4
 summary: Official OmniAuth strategy for Raspberry Pi.
 test_files: []

data/lib/omniauth/strategies/hydra0.rb

@@ -1,79 +0,0 @@
-require 'omniauth-oauth2'
-require 'jwt'
-
-module OmniAuth::Strategies
-  class Hydra0 < OmniAuth::Strategies::OAuth2
-    option :client_options,
-           :site          => 'https://auth.raspberrypi.org',
-           :authorize_url => 'https://auth.raspberrypi.org/oauth2/auth',
-           :token_url     => 'https://auth.raspberrypi.org/oauth2/token'
-
-    def authorize_params
-      super.tap do |params|
-        %w[scope client_options].each do |v|
-          params[v.to_sym] = request.params[v] if request.params[v]
-        end
-      end
-    end
-
-    def build_access_token
-       options.token_params[:headers] = { 'Authorization' => basic_auth_header }
-       super
-     end
-
-    def basic_auth_header
-     'Basic ' + Base64.strict_encode64("#{options[:client_id]}:#{options[:client_secret]}")
-    end
-
-    def callback_url
-      full_host + callback_path
-    end
-
-    uid { raw_info['uuid'].to_s }
-
-    info do
-      {
-        'email'    => email,
-        'username' => username,
-        'name'     => fullname,
-        'nickname' => nickname,
-        'image'    => image,
-      }
-    end
-
-    extra do
-      {
-        'raw_info' => raw_info
-      }
-    end
-
-    def raw_info
-      @raw_info ||= (JWT.decode access_token.params['id_token'], nil, false)[0]
-    end
-
-    def email
-      raw_info['email']
-    end
-
-    # <13 accounts have username instead of email
-    def username
-      raw_info['username']
-    end
-
-    def nickname
-      raw_info['nickname']
-    end
-
-    # use fullname to avoid clash with 'name'
-    def fullname
-      raw_info['name']
-    end
-
-    def image
-      # deserialise openid claim into auth schema
-      raw_info['picture']
-    end
-  end
-end
-
-OmniAuth.config.add_camelization 'hydra0', 'Hydra0'