omniauth-shopify-oauth2 2.2.2 → 2.2.3

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1f79e7c2eb47cf4f303c1f8cb850da4bd9796f5b303b0a4ef52819460d353c4f
4
- data.tar.gz: 1bb889fe7e031d419f7b11f49404ffcfbd4767f0c92295af679faed935555850
3
+ metadata.gz: 69f2b366f0b3fb5baddea99a0eb2122c2f778c160cb92c9673aa9ce0a53659f0
4
+ data.tar.gz: 893e4e0b105eed07b80c5f2074ee83109b9403d2c24dca0613bd7d6f8dfeaad5
5
5
  SHA512:
6
- metadata.gz: 0e94434e74dd9f35eb13127b5e5bf44c5471280bf9b783fc170f7168529be5bc18a2b29ef422df77622e6e879dc505b434ef0cb83f32986e3476c72c7f0cf5d8
7
- data.tar.gz: 76ae229909c8a01b1bcc6ba2832ca9b4a3cf2d3f0d1bc86fd84781b54e460e6638d59f2046a58e590fc70bf7719d5ee2a967cc1f0bd693fc598bb88d871b3e1b
6
+ metadata.gz: 97a15729f1a70b5ca5e64e685da47094f9f8a9ec63e53493464ddb72d48c615ea598bda9ade2cd95ee9d9d85cfa70013a61f5cc3aa54396e34c81ee64d0d548b
7
+ data.tar.gz: b3f98a62584b48ea29f1e61d751e516235ab2029061b4762fe441ff56833fc42a3e9fb8cbcbeea15ab720dda50861e694180d5d04f7580b8e974f8f54e339f7c
data/Gemfile CHANGED
@@ -5,3 +5,7 @@ gemspec
5
5
  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.2")
6
6
  gem 'rack', '~> 1.6'
7
7
  end
8
+
9
+ group :development, :test do
10
+ gem 'fakeweb', git: 'https://github.com/chrisk/fakeweb.git'
11
+ end
data/README.md CHANGED
@@ -36,6 +36,35 @@ Authenticate the user by having them visit /auth/shopify with a `shop` query par
36
36
  </form>
37
37
  ```
38
38
 
39
+ Or without form `/auth/shopify?shop=your-shop-url.myshopify.com`
40
+ Alternatively you can put shop parameter to session as [Shopify App](https://github.com/Shopify/shopify_app) do
41
+
42
+ ```ruby
43
+ session['shopify.omniauth_params'] = { shop: params[:shop] }
44
+ ```
45
+
46
+ And finally it's possible to use your own query parameter by overriding default setup method. For example, like below:
47
+
48
+ ```ruby
49
+ Rails.application.config.middleware.use OmniAuth::Builder do
50
+ provider :shopify,
51
+ ENV['SHOPIFY_API_KEY'],
52
+ ENV['SHOPIFY_SHARED_SECRET'],
53
+ option :setup, proc { |env|
54
+ strategy = env['omniauth.strategy']
55
+
56
+
57
+
58
+ site = if strategy.request.params['site']
59
+ "https://#{strategy.request.params['site']}"
60
+ else
61
+ ''
62
+ end
63
+
64
+ env['omniauth.strategy'].options[:client_options][:site] = site
65
+ }
66
+ ```
67
+
39
68
  ## Configuring
40
69
 
41
70
  ### Scope
@@ -0,0 +1,59 @@
1
+ # Security Policy
2
+
3
+ ## Supported versions
4
+
5
+ ### New features
6
+
7
+ New features will only be added to the master branch and will not be made available in point releases.
8
+
9
+ ### Bug fixes
10
+
11
+ Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
12
+
13
+ ### Security issues
14
+
15
+ Only the latest release series will receive patches and new versions in case of a security issue.
16
+
17
+ ### Severe security issues
18
+
19
+ For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
20
+
21
+ ### Unsupported Release Series
22
+
23
+ When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
24
+
25
+ ## Reporting a bug
26
+
27
+ All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
28
+ Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
29
+
30
+ ## Disclosure Policy
31
+
32
+ We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
33
+
34
+ - Reply to all reports within one business day and triage within two business days (if applicable)
35
+ - Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
36
+ - Award bounties within a week of resolution (excluding extenuating circumstances)
37
+ - Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
38
+
39
+ **The following rules must be followed in order for any rewards to be paid:**
40
+
41
+ - You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
42
+ - You must not attempt to gain access to, or interact with, any shops other than those created by you.
43
+ - The use of commercial scanners is prohibited (e.g., Nessus).
44
+ - Rules for reporting must be followed.
45
+ - Do not disclose any issues publicly before they have been resolved.
46
+ - Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
47
+ - Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
48
+ - You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
49
+ - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
50
+ - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
51
+ - All content submitted by you to Shopify under this program is licensed under the MIT License.
52
+ - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
53
+ - Failure to follow any of the foregoing rules will disqualify you from participating in this program.
54
+
55
+ ** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
56
+
57
+ ## Receiving Security Updates
58
+
59
+ To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)
@@ -1,5 +1,6 @@
1
1
  require 'bundler/setup'
2
2
  require 'sinatra/base'
3
+ require 'active_support/core_ext/hash'
3
4
  require 'omniauth-shopify-oauth2'
4
5
 
5
6
  SCOPE = 'read_products,read_orders,read_customers,write_shipping'
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Shopify
3
- VERSION = "2.2.2"
3
+ VERSION = "2.2.3"
4
4
  end
5
5
  end
@@ -26,7 +26,11 @@ module OmniAuth
26
26
  option :setup, proc { |env|
27
27
  strategy = env['omniauth.strategy']
28
28
 
29
- shopify_auth_params = strategy.session['shopify.omniauth_params'] && strategy.session['shopify.omniauth_params'].with_indifferent_access
29
+ shopify_auth_params = strategy.session['shopify.omniauth_params'] ||
30
+ strategy.session['omniauth.params'] ||
31
+ strategy.request.params
32
+
33
+ shopify_auth_params = shopify_auth_params && shopify_auth_params.with_indifferent_access
30
34
  shop = if shopify_auth_params && shopify_auth_params['shop']
31
35
  "https://#{shopify_auth_params['shop']}"
32
36
  else
@@ -78,7 +82,7 @@ module OmniAuth
78
82
 
79
83
  def normalized_scopes(scopes)
80
84
  scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
81
- ignore_scopes = scope_list.map { |scope| scope =~ /\Awrite_(.*)\z/ && "read_#{$1}" }.compact
85
+ ignore_scopes = scope_list.map { |scope| scope =~ /\A(unauthenticated_)?write_(.*)\z/ && "#{$1}read_#{$2}" }.compact
82
86
  scope_list - ignore_scopes
83
87
  end
84
88
 
@@ -11,6 +11,8 @@ Gem::Specification.new do |s|
11
11
  s.homepage = 'https://github.com/Shopify/omniauth-shopify-oauth2'
12
12
  s.license = 'MIT'
13
13
 
14
+ s.metadata['allowed_push_host'] = 'https://rubygems.org'
15
+
14
16
  s.files = `git ls-files`.split("\n")
15
17
  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
16
18
  s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
@@ -169,8 +169,19 @@ class IntegrationTest < Minitest::Test
169
169
  assert_equal 'https://app.example.com/auth/shopify/callback', redirect_params['redirect_uri']
170
170
  end
171
171
 
172
+ def test_default_setup_reads_shop_from_params
173
+ build_app
174
+
175
+ response = request.get('https://app.example.com/auth/shopify?shop=snowdevil.myshopify.com', opts)
176
+
177
+ assert_equal 302, response.status
178
+ assert_match %r{\A#{Regexp.quote("https://snowdevil.myshopify.com/admin/oauth/authorize?")}}, response.location
179
+ redirect_params = Rack::Utils.parse_query(URI(response.location).query)
180
+ assert_equal 'https://app.example.com/auth/shopify/callback', redirect_params['redirect_uri']
181
+ end
182
+
172
183
  def test_unnecessary_read_scopes_are_removed
173
- build_app scope: 'read_content,read_products,write_products',
184
+ build_app scope: 'read_content,read_products,write_products,unauthenticated_read_checkouts,unauthenticated_write_checkouts',
174
185
  callback_path: '/admin/auth/legacy/callback',
175
186
  myshopify_domain: 'myshopify.dev:3000',
176
187
  setup: lambda { |env|
@@ -181,7 +192,7 @@ class IntegrationTest < Minitest::Test
181
192
  response = request.get("https://app.example.com/auth/shopify?shop=snowdevil.myshopify.dev:3000")
182
193
  assert_equal 302, response.status
183
194
  redirect_params = Rack::Utils.parse_query(URI(response.location).query)
184
- assert_equal 'read_content,write_products', redirect_params['scope']
195
+ assert_equal 'read_content,write_products,unauthenticated_write_checkouts', redirect_params['scope']
185
196
  end
186
197
 
187
198
  def test_callback_with_invalid_state_fails
@@ -255,6 +266,18 @@ class IntegrationTest < Minitest::Test
255
266
  assert_callback_success(response, access_token, code)
256
267
  end
257
268
 
269
+ def test_callback_with_duplicate_read_scopes_works
270
+ build_app scope: 'read_products,write_products,unauthenticated_read_products,unauthenticated_write_products'
271
+
272
+ access_token = SecureRandom.hex(16)
273
+ code = SecureRandom.hex(16)
274
+ expect_access_token_request(access_token, 'write_products,unauthenticated_write_products')
275
+
276
+ response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
277
+
278
+ assert_callback_success(response, access_token, code)
279
+ end
280
+
258
281
  def test_callback_with_extra_coma_works
259
282
  build_app scope: 'read_content,,write_products,'
260
283
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-shopify-oauth2
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.2
4
+ version: 2.2.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Denis Odorcic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-03-10 00:00:00.000000000 Z
11
+ date: 2020-09-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth-oauth2
@@ -107,6 +107,7 @@ files:
107
107
  - Gemfile
108
108
  - README.md
109
109
  - Rakefile
110
+ - SECURITY.md
110
111
  - example/Gemfile
111
112
  - example/config.ru
112
113
  - lib/omniauth-shopify-oauth2.rb
@@ -121,7 +122,8 @@ files:
121
122
  homepage: https://github.com/Shopify/omniauth-shopify-oauth2
122
123
  licenses:
123
124
  - MIT
124
- metadata: {}
125
+ metadata:
126
+ allowed_push_host: https://rubygems.org
125
127
  post_install_message:
126
128
  rdoc_options: []
127
129
  require_paths: