RubyGems - omniauth-shopify-oauth2 - Versions diffs - 2.3.2 → 2.4.0 - Mend

omniauth-shopify-oauth2 2.3.2 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/.github/workflows/cla.yml +22 -0
data/lib/omniauth/shopify/version.rb +1 -1
data/lib/omniauth/strategies/shopify.rb +0 -10
data/omniauth-shopify-oauth2.gemspec +1 -0
data/test/integration_test.rb +14 -17
data/test/test_helper.rb +1 -0
metadata +18 -4
data/.github/probots.yml +0 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56ba61ca0360e6355277b3ef8d07e3014af91c6a2f0367029ad85c398d0c4d71
-  data.tar.gz: 739537485b2fa781786ec76d7f6ed31a6a926f8985c70c87e8fca3bcfff01c23
+  metadata.gz: 54de0b5a3ad4038eb3f6a177b2f28fb84c290eea3a0f93b54ea7d69508cef842
+  data.tar.gz: 0d0ac92de98c0bea72679be7d4e50bb66091fb9b03743eb355b2dc03888234eb
 SHA512:
-  metadata.gz: 4c947f136bedc9f7bdbf70c16f1af70a918f813992ba159f4c9a644c1775d93aa71d0faf67791faac6cd54403723d2a0e89303ed2a900ebee66ec0f32599ee65
-  data.tar.gz: 48258842cfac090f993d60e65d9db9067ada0d18b449f36d0313452540680b013e1f10eddda257b0447c7e5e74cb08850024a11c355b3c428cfd90d4eb6c39c5
+  metadata.gz: be2ce4be2845b55b5c72660362e7ed970000ab7cca3e2be6a360b4c6d1951f4392bbfc4ded53f5de52179499a0db9962c01984c11c8c93c43cdc2366a4a68ef3
+  data.tar.gz: e3b210c2b1d14d5f05ca2f8d64d03e7b7297ead9fd6193956a5a20e843dac72bc1be97c8f9e7c411750604093c1c49faef0052223fafe7ab0f0d5fa2e04e14aa

data/.github/workflows/cla.yml ADDED Viewed

@@ -0,0 +1,22 @@
+name: Contributor License Agreement (CLA)
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+  issue_comment:
+    types: [created]
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    if: |
+      (github.event.issue.pull_request
+        && !github.event.issue.pull_request.merged_at
+        && contains(github.event.comment.body, 'signed')
+      )
+      || (github.event.pull_request && !github.event.pull_request.merged)
+    steps:
+      - uses: Shopify/shopify-cla-action@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          cla-token: ${{ secrets.CLA_TOKEN }}

data/lib/omniauth/shopify/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module Shopify
-    VERSION = "2.3.2"
+    VERSION = "2.4.0"
   end
 end

data/lib/omniauth/strategies/shopify.rb CHANGED Viewed

@@ -73,13 +73,6 @@ module OmniAuth
         validate_signature(new_secret) || (old_secret && validate_signature(old_secret))
       end
-      def valid_scope?(token)
-        params = options.authorize_params.merge(options_for("authorize"))
-        return false unless token && params[:scope] && token['scope']
-        expected_scope = normalized_scopes(params[:scope]).sort
-        (expected_scope == token['scope'].split(SCOPE_DELIMITER).sort)
-      end
       def normalized_scopes(scopes)
         scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
         ignore_scopes = scope_list.map { |scope| scope =~ /\A(unauthenticated_)?write_(.*)\z/ && "#{$1}read_#{$2}" }.compact
@@ -128,9 +121,6 @@ module OmniAuth
         return fail!(:invalid_signature, CallbackError.new(:invalid_signature, "Signature does not match, it may have been tampered with.")) unless valid_signature?
         token = build_access_token
-        unless valid_scope?(token)
-          return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
-        end
         unless valid_permissions?(token)
           return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
         end

data/omniauth-shopify-oauth2.gemspec CHANGED Viewed

@@ -25,5 +25,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'minitest', '~> 5.6'
   s.add_development_dependency 'rspec', '~> 3.9.0'
   s.add_development_dependency 'fakeweb', '~> 1.3'
+  s.add_development_dependency 'rack-session', '~> 2.0'
   s.add_development_dependency 'rake'
 end

data/test/integration_test.rb CHANGED Viewed

@@ -206,29 +206,27 @@ class IntegrationTest < Minitest::Test
     assert_equal '/auth/failure?message=csrf_detected&strategy=shopify', response.location
   end
-  def test_callback_with_mismatching_scope_fails
+  def test_callback_with_mismatching_scope_succeeds
     access_token = SecureRandom.hex(16)
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'some_invalid_scope', nil)
     response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
-    assert_equal 302, response.status
-    assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
+    assert_callback_success(response, access_token, code)
   end
-  def test_callback_with_no_scope_fails
+  def test_callback_with_no_scope_succeeds
     access_token = SecureRandom.hex(16)
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, nil)
     response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
-    assert_equal 302, response.status
-    assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
+    assert_callback_success(response, access_token, code)
   end
-  def test_callback_with_missing_access_scope_fails
+  def test_callback_with_missing_access_scope_succeeds
     build_app scope: 'first_scope,second_scope'
     access_token = SecureRandom.hex(16)
@@ -237,11 +235,10 @@ class IntegrationTest < Minitest::Test
     response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
-    assert_equal 302, response.status
-    assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
+    assert_callback_success(response, access_token, code)
   end
-  def test_callback_with_extra_access_scope_fails
+  def test_callback_with_extra_access_scope_succeeds
     build_app scope: 'first_scope,second_scope'
     access_token = SecureRandom.hex(16)
@@ -250,8 +247,7 @@ class IntegrationTest < Minitest::Test
     response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
-    assert_equal 302, response.status
-    assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
+    assert_callback_success(response, access_token, code)
   end
   def test_callback_with_scopes_out_of_order_works
@@ -375,7 +371,7 @@ class IntegrationTest < Minitest::Test
     FakeWeb.register_uri(
       :post,
-      "https://snowdevil.myshopify.com/admin/oauth/access_token",
+      %r{snowdevil.myshopify.com/admin/oauth/access_token},
       status: [ "401", "Invalid token" ],
       body: "Token is invalid or has already been requested"
     )
@@ -415,7 +411,7 @@ class IntegrationTest < Minitest::Test
   end
   def expect_access_token_request(access_token, scope, associated_user=nil, session=nil)
-    FakeWeb.register_uri(:post, "https://snowdevil.myshopify.com/admin/oauth/access_token",
+    FakeWeb.register_uri(:post, %r{snowdevil.myshopify.com/admin/oauth/access_token},
                          body: JSON.dump(
                            access_token: access_token,
                            scope: scope,
@@ -426,10 +422,11 @@ class IntegrationTest < Minitest::Test
   end
   def assert_callback_success(response, access_token, code)
+    credentials = ::Base64.decode64(FakeWeb.last_request['authorization'].split(" ", 2)[1] || "")
+    assert_equal "123:#{@secret}", credentials
     token_request_params = Rack::Utils.parse_query(FakeWeb.last_request.body)
-    assert_equal token_request_params['client_id'], '123'
-    assert_equal token_request_params['client_secret'], @secret
-    assert_equal token_request_params['code'], code
+    assert_equal code, token_request_params['code']
     assert_equal 'snowdevil.myshopify.com', @omniauth_result.uid
     assert_equal access_token, @omniauth_result.credentials.token

data/test/test_helper.rb CHANGED Viewed

@@ -3,6 +3,7 @@ require 'bundler/setup'
 require 'omniauth-shopify-oauth2'
 require 'minitest/autorun'
+require 'rack/session'
 require 'fakeweb'
 require 'json'
 require 'active_support/core_ext/hash'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-shopify-oauth2
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.4.0
 platform: ruby
 authors:
 - Denis Odorcic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-02 00:00:00.000000000 Z
+date: 2023-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rack-session
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -101,8 +115,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/probots.yml"
 - ".github/workflows/build.yml"
+- ".github/workflows/cla.yml"
 - ".gitignore"
 - Gemfile
 - README.md
@@ -139,7 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.4.14
 signing_key:
 specification_version: 4
 summary: Shopify strategy for OmniAuth

data/.github/probots.yml DELETED Viewed

	@@ -1,2 +0,0 @@
1	- enabled:
2	- - cla