omniauth-spiffy-oauth2 1.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4f7ae17bafcf32f410fdbb57a64db532ca033478ba28f0111364b4b05ab08335
+  data.tar.gz: 190f58c4e65a3a9ae6a82b3642de68e98e609bd95f8c7fee06e7f50f39384d14
+SHA512:
+  metadata.gz: b7c34f1b05236817a9eca7ae248ebe34492e8a2b8db100295822ec37771b6eb59d88adf8eb204c50000b287e9c6af650d82da95ff80c7acb7df3dcb6dc69093e
+  data.tar.gz: 2dd4cdf83954fe9241a9ee106d74b2a92c9090d79c1b53404b9a59c07ca3c7c04a8275d79e3dc9a9cfa68c1d5daf1e3bb39f6887c973f9f94fe51320bfbdd02c

data/.gitignore

@@ -0,0 +1,2 @@
+pkg/*
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 2.1.10
+  - 2.2.9
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+gemspec
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.2")
+  gem 'rack', '~> 1.6'
+end

data/README.md

@@ -0,0 +1,75 @@
+[![Build Status](https://api.travis-ci.com/SpiffyStores/omniauth-spiffy-oauth2.png?branch=master)](https://travis-ci.com/SpiffyStores/omniauth-spiffy-oauth2)
+
+# OmniAuth Spiffy Stores
+
+Spiffy Stores OAuth2 Strategy for OmniAuth 1.0.
+
+## Installing
+
+Add to your `Gemfile`:
+
+```ruby
+gem 'omniauth-spiffy-oauth2'
+```
+
+Then `bundle install`.
+
+## Usage
+
+`OmniAuth::Strategies::Spiffy` is simply a Rack middleware. Read [the OmniAuth 1.0 docs](https://github.com/intridea/omniauth) for detailed instructions.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :spiffy, ENV['SPIFFY_STORES_API_KEY'], ENV['SPIFFY_STORES_SHARED_SECRET']
+end
+```
+
+Authenticate the user by having them visit /auth/spiffy with a `store` query parameter of their store's spiffystores.com domain. For example, the following form could be used
+
+```html
+<form action="/auth/spiffy" method="get">
+  <label for="shop">Enter your store's URL:</label>
+  <input type="text" name="shop" placeholder="your-store-url.spiffystores.com">
+  <button type="submit">Log In</button>
+</form>
+```
+
+## Configuring
+
+You can configure the scope, which you pass in to the `provider` method via a `Hash`:
+
+* `scope`: A comma-separated list of permissions you want to request from the user. See [the SpiffyStores API docs](https://www.spiffystores.com.au/kb/tutorials_oauth) for a full list of available permissions.
+
+For example, to request `read_products`, `read_orders` and `write_content` permissions and display the authentication page:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :spiffy, ENV['SPIFFY_STORES_API_KEY'], ENV['SPIFFY_STORES_SHARED_SECRET'], :scope => 'read_products,read_orders,write_content'
+end
+```
+
+## Authentication Hash
+
+Here's an example *Authentication Hash* available in `request.env['omniauth.auth']`:
+
+```ruby
+{
+  :provider => 'spiffy',
+  :uid => 'example.spiffystores.com',
+  :credentials => {
+    :token => 'afasd923kjh0934kf', # OAuth 2.0 access_token, which you store and use to authenticate API requests
+  }
+}
+```
+
+## License
+
+Copyright (c) 2018 by Spiffy Stores
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+task :default => :test
+
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end

data/example/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org/'
+
+gem 'rack', '~> 1.6'
+
+gem 'sinatra', '~> 1.4'
+gem 'omniauth-spiffy-stores-oauth2', :path => '../'

data/example/config.ru

@@ -0,0 +1,67 @@
+require 'bundler/setup'
+require 'sinatra/base'
+require 'omniauth-spiffy-stores-oauth2'
+
+SCOPE = 'read_products,read_orders,read_customers,write_shipping'
+SPIFFY_STORES_API_KEY = ENV['SPIFFY_STORES_API_KEY']
+SPIFFY_STORES_SHARED_SECRET = ENV['SPIFFY_STORES_SHARED_SECRET']
+
+unless SPIFFY_STORES_API_KEY && SPIFFY_STORES_SHARED_SECRET
+  abort("SPIFFY_STORES_API_KEY and SPIFFY_STORES_SHARED_SECRET environment variables must be set")
+end
+
+class App < Sinatra::Base
+  get '/' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Spiffy Stores Oauth2</title>
+    </head>
+    <body>
+      <form action="/auth/spiffy_stores" method="get">
+      <label for="shop">Enter your store's URL:</label>
+      <input type="text" name="shop" placeholder="your-shop-name.spiffystores.com">
+      <button type="submit">Log In</button>
+      </form>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/:provider/callback' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Spiffy Stores Oauth2</title>
+    </head>
+    <body>
+      <h3>Authorized</h3>
+      <p>Shop: #{request.env['omniauth.auth'].uid}</p>
+      <p>Token: #{request.env['omniauth.auth']['credentials']['token']}</p>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/failure' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Spiffy Stores Oauth2</title>
+    </head>
+    <body>
+      <h3>Failed Authorization</h3>
+      <p>Message: #{params[:message]}</p>
+    </body>
+    </html>
+    HTML
+  end
+end
+
+use Rack::Session::Cookie, secret: SecureRandom.hex(64)
+
+use OmniAuth::Builder do
+  provider :spiffy_stores, SPIFFY_STORES_API_KEY, SPIFFY_STORES_SHARED_SECRET, :scope => SCOPE
+end
+
+run App.new

data/lib/omniauth-spiffy-oauth2.rb

@@ -0,0 +1 @@
+require 'omniauth/spiffy'

data/lib/omniauth/spiffy.rb

@@ -0,0 +1,2 @@
+require 'omniauth/spiffy/version'
+require 'omniauth/strategies/spiffy'

data/lib/omniauth/spiffy/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Spiffy
+    VERSION = "1.2.1".freeze
+  end
+end

data/lib/omniauth/strategies/spiffy.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+# encoding: UTF-8
+
+require 'omniauth/strategies/oauth2'
+
+module OmniAuth
+  module Strategies
+    class Spiffy < OmniAuth::Strategies::OAuth2
+      # Available scopes: content themes products customers orders script_tags shipping
+      # read_*  or write_*
+      DEFAULT_SCOPE = 'read_products'
+      SCOPE_DELIMITER = ','
+      MINUTE = 60
+      CODE_EXPIRES_AFTER = 10 * MINUTE
+
+      option :client_options, {
+        :authorize_url => '/admin/oauth/authorize',
+        :token_url => '/admin/oauth/token'
+      }
+
+      option :callback_url
+      option :spiffy_stores_domain, 'spiffystores.com'
+
+      # When `true`, the user's permission level will apply (in addition to
+      # the requested access scope) when making API requests to Spiffy Stores.
+      option :per_user_permissions, false
+
+      # When `true`, the user's authorization phase will fail if the granted scopes
+      # mismatch the requested scopes.
+      option :validate_granted_scopes, true
+
+      option :setup, proc { |env|
+        request = Rack::Request.new(env)
+        env['omniauth.strategy'].options[:client_options][:site] = "https://#{request.GET['store']}"
+      }
+
+      uid { URI.parse(options[:client_options][:site]).host }
+
+      extra do
+        if access_token
+          {
+            'associated_user' => access_token['associated_user'],
+            'associated_user_scope' => access_token['associated_user_scope'],
+            'scope' => access_token['scope'],
+          }
+        end
+      end
+
+      def valid_site?
+        !!(/\A(https|http)\:\/\/[a-zA-Z0-9][a-zA-Z0-9\-]*\.#{Regexp.quote(options[:spiffy_stores_domain])}[\/]?\z/ =~ options[:client_options][:site])
+      end
+
+      def valid_signature?
+        return false unless request.POST.empty?
+
+        params = request.GET
+        signature = params['hmac']
+        timestamp = params['timestamp']
+        return false unless signature && timestamp
+
+        return false unless timestamp.to_i > Time.now.to_i - CODE_EXPIRES_AFTER
+
+        calculated_signature = self.class.hmac_sign(self.class.encoded_params_for_signature(params), options.client_secret)
+        Rack::Utils.secure_compare(calculated_signature, signature)
+      end
+
+      def valid_scope?(token)
+        params = options.authorize_params.merge(options_for("authorize"))
+        return false unless token && params[:scope] && token['scope']
+        expected_scope = normalized_scopes(params[:scope]).sort
+        (expected_scope == token['scope'].split(SCOPE_DELIMITER).sort)
+      end
+
+      def normalized_scopes(scopes)
+        scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
+        ignore_scopes = scope_list.map { |scope| scope =~ /\Awrite_(.*)\z/ && "read_#{$1}" }.compact
+        scope_list - ignore_scopes
+      end
+
+      def self.encoded_params_for_signature(params)
+        params = params.dup
+        params.delete('hmac')
+        params.delete('signature') # deprecated signature
+        params.map{|k,v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}"}.sort.join('&')
+      end
+
+      def self.hmac_sign(encoded_params, secret)
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, encoded_params)
+      end
+
+      def valid_permissions?(token)
+        token && (options[:per_user_permissions] == !token['associated_user'].nil?)
+      end
+
+      def fix_https
+        options[:client_options][:site] = options[:client_options][:site].gsub(/\Ahttp\:/, 'https:')
+      end
+
+      def setup_phase
+        super
+        fix_https
+      end
+
+      def request_phase
+        if valid_site?
+          super
+        else
+          fail!(:invalid_site)
+        end
+      end
+
+      def callback_phase
+        return fail!(:invalid_site, CallbackError.new(:invalid_site, "OAuth endpoint is not a Spiffy Stores site.")) unless valid_site?
+        return fail!(:invalid_signature, CallbackError.new(:invalid_signature, "Signature does not match, it may have been tampered with.")) unless valid_signature?
+
+        error = request.params["error_reason"] || request.params["error"]
+
+        if error
+          return fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+        else
+          token = build_access_token
+          unless valid_scope?(token)
+            return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
+          end
+          unless valid_permissions?(token)
+            return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
+          end
+        end
+
+        super
+      end
+
+      def build_access_token
+        @built_access_token ||= super
+      end
+
+      def authorize_params
+        super.tap do |params|
+          params[:scope] = normalized_scopes(params[:scope] || DEFAULT_SCOPE).join(SCOPE_DELIMITER)
+          params[:grant_options] = ['per-user'] if options[:per_user_permissions]
+        end
+      end
+
+      def callback_url
+        options[:callback_url] || full_host + script_name + callback_path
+      end
+    end
+  end
+end

data/omniauth-spiffy-oauth2.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path('../lib', __FILE__)
+require 'omniauth/spiffy/version'
+
+Gem::Specification.new do |s|
+  s.name     = 'omniauth-spiffy-oauth2'
+  s.version  = OmniAuth::Spiffy::VERSION
+  s.authors  = ['Spiffy Stores']
+  s.email    = ['brian@spiffy.com.au']
+  s.summary  = 'Spiffy Stores strategy for OmniAuth'
+  s.homepage = 'https://github.com/SpiffyStores/omniauth-spiffy-oauth2'
+  s.license = 'MIT'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 2.1.9'
+
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.5.0'
+
+  s.add_development_dependency 'minitest', '~> 5.6'
+  s.add_development_dependency 'fakeweb', '~> 1.3'
+  s.add_development_dependency 'rake'
+end

data/shipit.rubygems.yml

@@ -0,0 +1 @@
+# using the default shipit config

data/spec/omniauth/strategies/spiffy_spec.rb

@@ -0,0 +1,144 @@
+require 'spec_helper'
+require 'omniauth-spiffy-oauth2'
+require 'base64'
+
+describe OmniAuth::Strategies::Spiffy do
+  before :each do
+    @request = double('Request',
+                      :env => { })
+    @request.stub(:params) { {} }
+    @request.stub(:cookies) { {} }
+
+    @client_id = '123'
+    @client_secret = '53cr3tz'
+    @options = {:client_options => {:site => 'https://example.spiffystores.com'}}
+  end
+
+  subject do
+    args = [@client_id, @client_secret, @options].compact
+    OmniAuth::Strategies::SpiffyStores.new(nil, *args).tap do |strategy|
+      strategy.stub(:request) { @request }
+      strategy.stub(:session) { {} }
+    end
+  end
+
+  describe '#fix_https' do
+    it 'replaces http scheme by https' do
+      @options = {:client_options => {:site => 'http://foo.bar/'}}
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+
+    it 'replaces http scheme by https with an immutable string' do
+      @options = {:client_options => {:site => 'http://foo.bar/'.freeze}}
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+
+    it 'does not replace https scheme' do
+      @options = {:client_options => {:site => 'https://foo.bar/'}}
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+  end
+
+  describe '#client' do
+    it 'has correct spiffy_stores site' do
+      subject.client.site.should eq('https://example.spiffystores.com')
+    end
+
+    it 'has correct authorize url' do
+      subject.client.options[:authorize_url].should eq('/admin/oauth/authorize')
+    end
+
+    it 'has correct token url' do
+      subject.client.options[:token_url].should eq('/admin/oauth/access_token')
+    end
+  end
+
+  describe '#callback_url' do
+    it "returns value from #callback_url" do
+      url = 'http://auth.myapp.com/auth/callback'
+      @options = {:callback_url => url}
+      subject.callback_url.should eq(url)
+    end
+
+    it "defaults to callback" do
+      url_base = 'http://auth.request.com'
+      @request.stub(:url) { "#{url_base}/page/path" }
+      @request.stub(:scheme) { 'http' }
+      subject.stub(:script_name) { "" } # to not depend from Rack env
+      subject.callback_url.should eq("#{url_base}/auth/spiffy_stores/callback")
+    end
+  end
+
+  describe '#authorize_params' do
+    it 'includes default scope for read_products' do
+      subject.authorize_params.should be_a(Hash)
+      subject.authorize_params[:scope].should eq('read_products')
+    end
+
+    it 'includes custom scope' do
+      @options = {:scope => 'write_products'}
+      subject.authorize_params.should be_a(Hash)
+      subject.authorize_params[:scope].should eq('write_products')
+    end
+  end
+
+  describe '#uid' do
+    it 'returns the shop' do
+      subject.uid.should eq('example.spiffystores.com')
+    end
+  end
+
+  describe '#credentials' do
+    before :each do
+      @access_token = double('OAuth2::AccessToken')
+      @access_token.stub(:token)
+      @access_token.stub(:expires?)
+      @access_token.stub(:expires_at)
+      @access_token.stub(:refresh_token)
+      subject.stub(:access_token) { @access_token }
+    end
+
+    it 'returns a Hash' do
+      subject.credentials.should be_a(Hash)
+    end
+
+    it 'returns the token' do
+      @access_token.stub(:token) { '123' }
+      subject.credentials['token'].should eq('123')
+    end
+
+    it 'returns the expiry status' do
+      @access_token.stub(:expires?) { true }
+      subject.credentials['expires'].should eq(true)
+
+      @access_token.stub(:expires?) { false }
+      subject.credentials['expires'].should eq(false)
+    end
+
+  end
+
+  describe '#valid_site?' do
+    it 'returns true if the site contains .spiffystores.com' do
+      @options = {:client_options => {:site => 'http://foo.spiffystores.com/'}}
+      subject.valid_site?.should eq(true)
+    end
+
+    it 'returns false if the site does not contain .spiffystores.com' do
+      @options = {:client_options => {:site => 'http://foo.example.com/'}}
+      subject.valid_site?.should eq(false)
+    end
+
+    it 'uses configurable option for spiffy_stores_domain' do
+      @options = {:client_options => {:site => 'http://foo.example.com/'}, :spiffy_stores_domain => 'example.com'}
+      subject.valid_site?.should eq(true)
+    end
+
+    it 'allows custom port for spiffy_stores_domain' do
+      @options = {:client_options => {:site => 'http://foo.example.com:3456/'}, :spiffy_stores_domain => 'example.com:3456'}
+      subject.valid_site?.should eq(true)
+    end
+  end
+end

data/test/integration_test.rb

@@ -0,0 +1,366 @@
+require_relative 'test_helper'
+
+class IntegrationTest < Minitest::Test
+  def setup
+    build_app(scope: OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE)
+  end
+
+  def teardown
+    FakeWeb.clean_registry
+    FakeWeb.last_request = nil
+  end
+
+  def test_authorize
+    response = authorize('storedemo.spiffystores.com')
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote(spiffy_authorize_url)}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal "123", redirect_params['client_id']
+    assert_equal "https://app.example.com/auth/spiffy/callback", redirect_params['redirect_uri']
+    assert_equal "read_products", redirect_params['scope']
+    assert_nil redirect_params['grant_options']
+  end
+
+  def test_authorize_includes_auth_type_when_per_user_permissions_are_requested
+    build_app(per_user_permissions: true)
+    response = authorize('storedemo.spiffystores.com')
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'per-user', redirect_params['grant_options[]']
+  end
+
+  def test_authorize_overrides_site_with_https_scheme
+    build_app setup: lambda { |env|
+      params = Rack::Utils.parse_query(env['QUERY_STRING'])
+      env['omniauth.strategy'].options[:client_options][:site] = "http://#{params['store']}"
+    }
+
+    response = authorize('storedemo.spiffystores.com')
+    assert_match %r{\A#{Regexp.quote(spiffy_authorize_url)}}, response.location
+  end
+
+  def test_site_validation
+    code = SecureRandom.hex(16)
+
+    [
+      'foo.example.com',                   # shop doesn't end with .spiffystores.com
+      'http://storedemo.spiffystores.com', # shop contains protocol
+      'storedemo.spiffystores.com/path',   # shop contains path
+      'user@storedemo.spiffystores.com',   # shop contains user
+      'storedemo.spiffystores.com:22',     # shop contains port
+    ].each do |shop, valid|
+      response = authorize(shop)
+      assert_auth_failure(response, 'invalid_site')
+
+      response = callback(sign_params(store: shop, code: code))
+      assert_auth_failure(response, 'invalid_site')
+    end
+  end
+
+  def test_callback
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_legacy_signature
+    build_app scope: OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]).merge(signature: 'ignored'))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_custom_params
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE)
+
+    now = Time.now.to_i
+    params = { store: 'storedemo.spiffystores.com', code: code, timestamp: now, next: '/products?page=2&q=red%20shirt', state: opts["rack.session"]["omniauth.state"] }
+    encoded_params = OmniAuth::Strategies::Spiffy.encoded_params_for_signature(params)
+    params[:hmac] = OmniAuth::Strategies::Spiffy.hmac_sign(encoded_params, @secret)
+
+    response = callback(params)
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_spaces_in_scope
+    build_app scope: 'write_products, read_orders'
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'read_orders,write_products')
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_rejects_invalid_hmac
+    @secret = 'wrong_secret'
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: SecureRandom.hex(16)))
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_old_timestamps
+    expired_timestamp = Time.now.to_i - OmniAuth::Strategies::Spiffy::CODE_EXPIRES_AFTER - 1
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: SecureRandom.hex(16), timestamp: expired_timestamp))
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_missing_hmac
+    code = SecureRandom.hex(16)
+
+    response = callback(store: 'storedemo.spiffystores.com', code: code, timestamp: Time.now.to_i)
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_callback_rejects_body_params
+    code = SecureRandom.hex(16)
+    params = sign_params(store: 'storedemo.spiffystores.com', code: code)
+    body = Rack::Utils.build_nested_query(unsigned: 'value')
+
+    response = request.get("https://app.example.com/auth/spiffy/callback?#{Rack::Utils.build_query(params)}",
+                           input: body,
+                           "CONTENT_TYPE" => 'application/x-www-form-urlencoded')
+
+    assert_auth_failure(response, 'invalid_signature')
+  end
+
+  def test_provider_options
+    build_app scope: 'read_products,read_orders,write_content',
+              callback_path: '/admin/auth/legacy/callback',
+              spiffy_stores_domain: 'spiffystores.dev:3000',
+              setup: lambda { |env|
+                shop = Rack::Request.new(env).GET['store']
+                shop += ".spiffystores.dev:3000" unless shop.include?(".")
+                env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
+              }
+
+    response = authorize('storedemo')
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("https://storedemo.spiffystores.dev:3000/admin/oauth/authorize?")}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'read_products,read_orders,write_content', redirect_params['scope']
+    assert_equal 'https://app.example.com/admin/auth/legacy/callback', redirect_params['redirect_uri']
+  end
+
+  def test_unnecessary_read_scopes_are_removed
+    build_app scope: 'read_content,read_products,write_products',
+              callback_path: '/admin/auth/legacy/callback',
+              spiffy_stores_domain: 'spiffystores.dev:3000',
+              setup: lambda { |env|
+                shop = Rack::Request.new(env).GET['store']
+                shop += ".spiffystores.dev:3000" unless shop.include?(".")
+                env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
+              }
+
+    response = authorize('storedemo')
+    assert_equal 302, response.status
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'read_content,write_products', redirect_params['scope']
+  end
+
+  def test_callback_with_invalid_state_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Spiffy::DEFAULT_SCOPE)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: 'invalid'))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=csrf_detected&strategy=spiffy', response.location
+  end
+
+  def test_callback_with_mismatching_scope_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'some_invalid_scope', nil)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=spiffy', response.location
+  end
+
+  def test_callback_with_no_scope_fails
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, nil)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=spiffy', response.location
+  end
+
+  def test_callback_with_missing_access_scope_fails
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'first_scope')
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=spiffy', response.location
+  end
+
+  def test_callback_with_extra_access_scope_fails
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'second_scope,first_scope,third_scope')
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_scope&strategy=spiffy', response.location
+  end
+
+  def test_callback_with_scopes_out_of_order_works
+    build_app scope: 'first_scope,second_scope'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'second_scope,first_scope')
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_extra_comma_works
+    build_app scope: 'read_content,,write_products,'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'read_content,write_products')
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_when_per_user_permissions_are_present_but_not_requested
+    build_app(scope: 'scope', per_user_permissions: false)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=spiffy', response.location
+  end
+
+  def test_callback_when_per_user_permissions_are_not_present_but_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', nil)
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=spiffy', response.location
+  end
+
+  def test_callback_works_when_per_user_permissions_are_present_and_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_params(store: 'storedemo.spiffystores.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 200, response.status
+  end
+
+  private
+
+  def sign_params(params)
+    params = params.dup
+
+    params[:timestamp] ||= Time.now.to_i
+
+    encoded_params = OmniAuth::Strategies::Spiffy.encoded_params_for_signature(params)
+    params[:hmac] = OmniAuth::Strategies::Spiffy.hmac_sign(encoded_params, @secret)
+    params
+  end
+
+  def expect_access_token_request(access_token, scope, associated_user=nil)
+    FakeWeb.register_uri(:post, "https://storedemo.spiffystores.com/admin/oauth/token",
+                         body: JSON.dump(access_token: access_token, scope: scope, associated_user: associated_user),
+                         content_type: 'application/json')
+  end
+
+  def assert_callback_success(response, access_token, code)
+    token_request_params = Rack::Utils.parse_query(FakeWeb.last_request.body)
+    assert_equal token_request_params['client_id'], '123'
+    assert_equal token_request_params['client_secret'], @secret
+    assert_equal token_request_params['code'], code
+
+    assert_equal 'storedemo.spiffystores.com', @omniauth_result.uid
+    assert_equal access_token, @omniauth_result.credentials.token
+    assert_equal false, @omniauth_result.credentials.expires
+
+    assert_equal 200, response.status
+    assert_equal "OK", response.body
+  end
+
+  def assert_auth_failure(response, reason)
+    assert_nil FakeWeb.last_request
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("/auth/failure?message=#{reason}")}}, response.location
+  end
+
+  def build_app(options={})
+    app = proc { |env|
+      @omniauth_result = env['omniauth.auth']
+      [200, {Rack::CONTENT_TYPE => "text/plain"}, "OK"]
+    }
+
+    opts["rack.session"]["omniauth.state"] = SecureRandom.hex(32)
+    app = OmniAuth::Builder.new(app) do
+      provider :spiffy, '123', '53cr3tz', options
+    end
+    @secret = '53cr3tz'
+    @app = Rack::Session::Cookie.new(app, secret: SecureRandom.hex(64))
+  end
+
+  def authorize(shop)
+    request.get("https://app.example.com/auth/spiffy?store=#{CGI.escape(shop)}", opts)
+  end
+
+  def callback(params)
+    request.get("https://app.example.com/auth/spiffy/callback?#{Rack::Utils.build_query(params)}", opts)
+  end
+
+  def opts
+    @opts ||= { "rack.session" => {} }
+  end
+
+  def request
+    Rack::MockRequest.new(@app)
+  end
+
+  def spiffy_authorize_url
+    "https://storedemo.spiffystores.com/admin/oauth/authorize?"
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+$: << File.expand_path("../../lib", __FILE__)
+require 'bundler/setup'
+require 'omniauth-spiffy-oauth2'
+
+require 'minitest/autorun'
+require 'fakeweb'
+require 'json'
+
+OmniAuth.config.logger = Logger.new(nil)
+FakeWeb.allow_net_connect = false

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-spiffy-oauth2
+version: !ruby/object:Gem::Version
+  version: 1.2.1
+platform: ruby
+authors:
+- Spiffy Stores
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-06-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.6'
+- !ruby/object:Gem::Dependency
+  name: fakeweb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- brian@spiffy.com.au
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- example/Gemfile
+- example/config.ru
+- lib/omniauth-spiffy-oauth2.rb
+- lib/omniauth/spiffy.rb
+- lib/omniauth/spiffy/version.rb
+- lib/omniauth/strategies/spiffy.rb
+- omniauth-spiffy-oauth2.gemspec
+- shipit.rubygems.yml
+- spec/omniauth/strategies/spiffy_spec.rb
+- test/integration_test.rb
+- test/test_helper.rb
+homepage: https://github.com/SpiffyStores/omniauth-spiffy-oauth2
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.9
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.7
+signing_key: 
+specification_version: 4
+summary: Spiffy Stores strategy for OmniAuth
+test_files:
+- spec/omniauth/strategies/spiffy_spec.rb
+- test/integration_test.rb
+- test/test_helper.rb