omniauth-v2-ynab 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e4f8a1758c2f8734a8a66884697297b4606b55db826322c6ccbd84f7d8525787
+  data.tar.gz: d503e5f74a50911cc1df6d32304b7d3bc523924dfbcbc7165a4f335e3d2b3423
+SHA512:
+  metadata.gz: 0f37fc7552b87440d60503431fc5849975bc8f914c5aeb02717fc6e57d6fd7533e8baac82224e3be09a75f5299a951d51c02c408ad5e958a4b06a1cc2b57c1ca
+  data.tar.gz: d9a6f8c551016516a8bc825b1f095ebddefee1a485e595943e55cdf48c8e66c643c63c28fca881129593682249288baf3a14008f5a7bd4e564abdae345f84dfc

data/.github/workflows/ci.yml

@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Ruby ${{ matrix.ruby }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "3.1"
+          - "3.2"
+          - "3.3"
+          - "3.4"
+          - head
+    continue-on-error: ${{ matrix.ruby == 'head' }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Run tests and lint
+        run: bundle exec rake

data/.github/workflows/release.yml

@@ -0,0 +1,116 @@
+name: Release
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    branches: [main]
+    types: [completed]
+
+# Never cancel a release mid-flight.
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  release:
+    # Only run when CI passed, and not on auto-bump commits (loop prevention).
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      !startsWith(github.event.workflow_run.head_commit.message, 'Bump version to')
+    runs-on: ubuntu-latest
+    environment: rubygems
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.workflow_run.head_sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.3"
+          bundler-cache: true
+
+      - name: Configure git
+        run: |
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+
+      - name: Resolve version
+        id: version
+        run: |
+          CURRENT=$(ruby -e "require_relative 'lib/omniauth-ynab/version'; puts OmniAuth::YNAB::VERSION")
+          LATEST_TAG=$(git tag -l "v*" --sort=-version:refname | head -1)
+          LATEST=${LATEST_TAG#v}
+          [ -z "$LATEST" ] && LATEST="0.0.0"
+
+          if git rev-parse "v$CURRENT" >/dev/null 2>&1; then
+            echo "Tag v$CURRENT already exists — nothing to release."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          elif gh release view "v$CURRENT" --repo ${{ github.repository }} >/dev/null 2>&1; then
+            echo "GitHub release v$CURRENT already exists — nothing to release."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          elif curl -sf "https://rubygems.org/api/v1/versions/omniauth-v2-ynab.json" | grep -q "\"number\":\"$CURRENT\""; then
+            echo "v$CURRENT already published on RubyGems — nothing to release."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          elif [ "$CURRENT" = "$LATEST" ]; then
+            IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
+            NEW="$MAJOR.$((MINOR + 1)).0"
+            sed -i "s/VERSION = \"$CURRENT\".freeze/VERSION = \"$NEW\".freeze/" lib/omniauth-ynab/version.rb
+            echo "version=$NEW" >> "$GITHUB_OUTPUT"
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=$CURRENT" >> "$GITHUB_OUTPUT"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build gem
+        if: steps.version.outputs.skip != 'true'
+        run: gem build omniauth-v2-ynab.gemspec
+
+      - name: Debug OIDC claims
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          TOKEN=$(curl -sf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=rubygems.org" | jq -r '.value')
+          echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq .
+
+      - name: Configure RubyGems credentials (OIDC)
+        if: steps.version.outputs.skip != 'true'
+        uses: rubygems/configure-rubygems-credentials@v1.0.0
+        with:
+          role-to-assume: rg_oidc_akr_aq2q9ba42vwb9agghxx7
+
+      - name: Push to RubyGems
+        if: steps.version.outputs.skip != 'true'
+        run: gem push omniauth-v2-ynab-*.gem
+
+      - name: Tag release
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          git tag "v${{ steps.version.outputs.version }}"
+          git push origin "v${{ steps.version.outputs.version }}"
+
+      - name: Create GitHub Release
+        if: steps.version.outputs.skip != 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "v${{ steps.version.outputs.version }}" \
+            omniauth-v2-ynab-*.gem \
+            --title "v${{ steps.version.outputs.version }}" \
+            --generate-notes
+
+      - name: Commit version bump
+        if: steps.version.outputs.bumped == 'true'
+        run: |
+          git add lib/omniauth-ynab/version.rb
+          git commit -m "Bump version to ${{ steps.version.outputs.version }}"
+          git push origin HEAD:main

data/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format=progress

data/.rubocop.yml

@@ -0,0 +1,79 @@
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 3.1
+
+Layout/AccessModifierIndentation:
+  EnforcedStyle: outdent
+
+Layout/LineLength:
+  AllowURI: true
+  Enabled: false
+
+Layout/SpaceInsideHashLiteralBraces:
+  EnforcedStyle: no_space
+
+Lint/MissingSuper:
+  Enabled: false
+
+Lint/ScriptPermission:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/BlockNesting:
+  Max: 2
+
+Metrics/ClassLength:
+  Max: 150
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 20
+
+Metrics/ParameterLists:
+  Max: 4
+  CountKeywordArgs: true
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Naming/FileName:
+  Enabled: false
+
+Naming/PredicateMethod:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+  EnforcedShorthandSyntax: never
+
+Style/StderrPuts:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma

data/CLAUDE.md

@@ -0,0 +1,61 @@
+# omniauth-v2-ynab — Claude guidance
+
+## What this repo is
+
+A single-strategy OmniAuth gem for YNAB OAuth2. It is a **direct implementation** of the OmniAuth strategy interface — it does not inherit from `omniauth-oauth2`. Everything lives in one strategy file.
+
+## Key files
+
+| File | Purpose |
+|---|---|
+| `lib/omniauth/strategies/ynab.rb` | The strategy — start here for any auth-flow changes. |
+| `lib/omniauth-ynab/version.rb` | Gem version constant. |
+| `omniauth-v2-ynab.gemspec` | Dependencies. Runtime: `omniauth ~> 2.0`, `oauth2 ~> 2.0`. |
+| `spec/omniauth/strategies/ynab_spec.rb` | Full RSpec suite. |
+| `spec/helper.rb` | RSpec config — loads `omniauth-ynab`, sets up Rack::Test and WebMock. |
+| `.rubocop.yml` | RuboCop 1.x config. Target Ruby: 3.1. |
+| `.github/workflows/ci.yml` | CI — runs `bundle exec rake` (spec + rubocop) on Ruby 3.1–3.4 + head. |
+| `.github/workflows/release.yml` | Release — triggers after CI passes on main. Auto-bumps minor version unless already bumped, tags, creates GitHub Release, pushes to RubyGems. |
+
+## Commands
+
+```sh
+bundle exec rspec          # tests only
+bundle exec rubocop        # lint only
+bundle exec rake           # both (matches CI)
+```
+
+## Architecture notes
+
+- The strategy includes `OmniAuth::Strategy` directly and implements `request_phase`, `callback_phase`, `authorize_params`, `token_params`, and `build_access_token` by hand.
+- CSRF state is stored in the Rack session under `omniauth.state` and validated in `callback_phase`.
+- PKCE is opt-in (`pkce: true`). The verifier is stored in the session under `omniauth.pkce.verifier` between request and callback phase.
+- `deep_symbolize` is a local helper because `oauth2 2.x` requires symbolized keys in `OAuth2::Client` options.
+- `omniauth-rails_csrf_protection` is a **runtime requirement** for Rails apps using omniauth 2.x — it is listed as a dev dependency in the gemspec and should be called out in app-level Gemfiles.
+
+## Dependency constraints
+
+- `omniauth ~> 2.0` — omniauth 2.x changed default allowed request methods to POST only; CSRF is handled externally by `omniauth-rails_csrf_protection`.
+- `oauth2 ~> 2.0` — `get_token` params are now fully merged in the second positional argument; the third argument is `access_token_opts`.
+- Do not re-add `simplecov`, `coveralls`, or `omniauth-oauth2` — these were in the original but are not used.
+
+## Testing conventions
+
+- Tests use `OmniAuth.config.test_mode = true` in `before`/`after` blocks — do not remove these.
+- `CallbackError` specs test exact string output from `#message`, not regex — keep assertions strict.
+- New auth-flow behaviour needs both a positive and a failure-path test.
+
+## Releasing
+
+Releases are fully automated. Push to `main` → CI runs → on success, the release workflow:
+- Compares `VERSION` in `lib/omniauth-ynab/version.rb` against the latest git tag
+- If already bumped (version > tag): tags, builds, publishes to RubyGems, creates GitHub Release
+- If not bumped (version == tag): auto-bumps the minor version, then does the above
+
+To release a specific version (e.g. a major bump), just update `version.rb` manually before pushing. The release workflow will detect the higher version and publish it without an additional bump.
+
+The `RUBYGEMS_API_KEY` secret must be set in the repository settings for gem pushes to work.
+
+## Versioning
+
+Follow semver. Published as `omniauth-v2-ynab` on RubyGems to distinguish from the unmaintained `omniauth-ynab` gem. The Ruby constant (`OmniAuth::Strategies::YNAB`) is unchanged.

data/Gemfile

@@ -0,0 +1,10 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem "omniauth-rails_csrf_protection", "~> 1.0"
+gem "rack-test",                      "~> 2.0"
+gem "rake",                           "~> 13.0"
+gem "rspec",                          "~> 3.0"
+gem "rubocop",                        "~> 1.0"
+gem "webmock",                        "~> 3.0"

data/LICENSE.md

@@ -0,0 +1,21 @@
+Copyright (C) 2014 Michael Bleigh, Erik Michaels-Ober and Intridea, Inc.
+Copyright (C) 2024 Mike Berkman
+Copyright (C) 2026 tataihono
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,178 @@
+# omniauth-v2-ynab
+
+[![Gem Version](https://img.shields.io/gem/v/omniauth-v2-ynab.svg)](https://rubygems.org/gems/omniauth-v2-ynab)
+[![CI](https://github.com/tataihono/omniauth-v2-ynab/actions/workflows/ci.yml/badge.svg)](https://github.com/tataihono/omniauth-v2-ynab/actions/workflows/ci.yml)
+
+OmniAuth strategy for [YNAB (You Need A Budget)](https://www.youneedabudget.com/) OAuth2.
+
+Compatible with **omniauth 2.x**, **oauth2 2.x**, and **omniauth-rails_csrf_protection 1.x**.
+
+> **Note:** This is a maintained fork of the original [`omniauth-ynab`](https://rubygems.org/gems/omniauth-ynab) gem, updated for the omniauth 2.x / oauth2 2.x ecosystem.
+
+---
+
+## Installation
+
+Add to your `Gemfile`:
+
+```ruby
+gem "omniauth-v2-ynab"
+gem "omniauth-rails_csrf_protection" # required for Rails with omniauth 2.x
+```
+
+Then run:
+
+```sh
+bundle install
+```
+
+---
+
+## Usage
+
+### Register a YNAB application
+
+Create an OAuth application at [app.youneedabudget.com/oauth/applications](https://app.youneedabudget.com/oauth/applications). Set the redirect URI to match your callback URL (e.g. `https://yourapp.com/auth/ynab/callback`).
+
+### Rails
+
+In `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :ynab, ENV["YNAB_CLIENT_ID"], ENV["YNAB_CLIENT_SECRET"]
+end
+```
+
+Add routes:
+
+```ruby
+# config/routes.rb
+get  "/auth/:provider/callback", to: "sessions#create"
+get  "/auth/failure",            to: "sessions#failure"
+```
+
+Trigger the flow from a view using a CSRF-protected link (provided by `omniauth-rails_csrf_protection`):
+
+```erb
+<%= link_to "Connect YNAB", "/auth/ynab", method: :post %>
+```
+
+Handle the callback in your controller:
+
+```ruby
+class SessionsController < ApplicationController
+  def create
+    auth = request.env["omniauth.auth"]
+    token      = auth.credentials.token
+    expires_at = auth.credentials.expires_at
+    # store token and create/find the user ...
+  end
+
+  def failure
+    # request.env["omniauth.error"] contains the error
+  end
+end
+```
+
+### Rack (non-Rails)
+
+```ruby
+use OmniAuth::Builder do
+  provider :ynab, ENV["YNAB_CLIENT_ID"], ENV["YNAB_CLIENT_SECRET"]
+end
+```
+
+---
+
+## Configuration options
+
+All options are passed as keyword arguments to `provider`.
+
+| Option | Default | Description |
+|---|---|---|
+| `client_options` | `{site: "https://app.youneedabudget.com"}` | Override any `OAuth2::Client` option, e.g. `authorize_url`. |
+| `authorize_params` | `{}` | Extra params appended to the authorization redirect URL. |
+| `authorize_options` | `[:scope]` | Top-level option keys that should be forwarded as authorize params. |
+| `token_params` | `{}` | Extra params sent in the token exchange request. |
+| `token_options` | `[]` | Top-level option keys forwarded as token params. |
+| `provider_ignores_state` | `false` | Skip CSRF state validation (not recommended). |
+| `pkce` | `false` | Enable PKCE (S256 code challenge). Recommended for public clients. |
+
+### PKCE
+
+```ruby
+provider :ynab, ENV["YNAB_CLIENT_ID"], ENV["YNAB_CLIENT_SECRET"], pkce: true
+```
+
+### Overriding the YNAB endpoint (e.g. for testing)
+
+```ruby
+provider :ynab, "id", "secret",
+  client_options: {site: "https://staging.example.com"}
+```
+
+---
+
+## Credentials
+
+After a successful callback, `request.env["omniauth.auth"].credentials` contains:
+
+| Key | Description |
+|---|---|
+| `token` | The OAuth2 access token. |
+| `refresh_token` | Present if the token is expiring and a refresh token was issued. |
+| `expires_at` | Unix timestamp of expiry (if applicable). |
+| `expires` | Boolean — whether the token expires. |
+
+---
+
+## Development
+
+### Prerequisites
+
+- Ruby 3.1+
+- Bundler 2.x
+
+### Setup
+
+```sh
+git clone https://github.com/tataihono/omniauth-v2-ynab.git
+cd omniauth-ynab
+bundle install
+```
+
+### Running tests
+
+```sh
+bundle exec rspec
+```
+
+### Linting
+
+```sh
+bundle exec rubocop
+```
+
+### Run both (same as CI)
+
+```sh
+bundle exec rake
+```
+
+---
+
+## Contributing
+
+1. Fork the repo and create a branch from `main`.
+2. Add tests for any new behaviour.
+3. Ensure `bundle exec rake` passes.
+4. Open a pull request.
+
+---
+
+## License
+
+MIT. See [LICENSE.md](LICENSE.md) for details.
+
+Original gem by [Mike Berkman](https://github.com/berkman/omniauth-ynab).

data/Rakefile

@@ -0,0 +1,18 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+task :test => :spec
+
+begin
+  require "rubocop/rake_task"
+  RuboCop::RakeTask.new
+rescue LoadError
+  task :rubocop do
+    $stderr.puts "RuboCop is disabled"
+  end
+end
+
+task :default => %i[spec rubocop]

data/lib/omniauth/strategies/ynab.rb

@@ -0,0 +1,175 @@
+require "oauth2"
+require "omniauth"
+require "securerandom"
+require "socket"
+require "timeout"
+
+module OmniAuth
+  module Strategies
+    class YNAB
+      include OmniAuth::Strategy
+
+      def self.inherited(subclass)
+        OmniAuth::Strategy.included(subclass)
+      end
+
+      args %i[client_id client_secret]
+
+      option :client_id, nil
+      option :client_secret, nil
+      option :client_options, {
+        :site => "https://app.youneedabudget.com",
+      }
+      option :authorize_params, {}
+      option :authorize_options, %i[scope state]
+      option :token_params, {}
+      option :token_options, []
+      option :auth_token_params, {}
+      option :provider_ignores_state, false
+      option :pkce, false
+      option :pkce_verifier, nil
+      option :pkce_options, {
+        :code_challenge => proc { |verifier|
+          Base64.urlsafe_encode64(
+            Digest::SHA2.digest(verifier),
+            :padding => false,
+          )
+        },
+        :code_challenge_method => "S256",
+      }
+
+      attr_accessor :access_token
+
+      def client
+        ::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options))
+      end
+
+      credentials do
+        hash = {"token" => access_token.token}
+        hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
+        hash["expires_at"] = access_token.expires_at if access_token.expires?
+        hash["expires"] = access_token.expires?
+        hash
+      end
+
+      def request_phase
+        redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
+      end
+
+      def authorize_params
+        options.authorize_params[:state] = SecureRandom.hex(24)
+
+        if OmniAuth.config.test_mode
+          @env ||= {}
+          @env["rack.session"] ||= {}
+        end
+
+        params = options.authorize_params
+                        .merge(options_for("authorize"))
+                        .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
+        session["omniauth.state"] = params[:state]
+
+        params
+      end
+
+      def token_params
+        options.token_params.merge(options_for("token")).merge(pkce_token_params)
+      end
+
+      def callback_phase
+        if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        else
+          error = request.params["error_reason"] || request.params["error"]
+          if error
+            fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+          else
+            self.access_token = build_access_token
+            self.access_token = access_token.refresh! if access_token.expired?
+            super
+          end
+        end
+      rescue ::OAuth2::Error, CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT, ::OAuth2::TimeoutError, ::OAuth2::ConnectionError => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+
+    protected
+
+      def pkce_authorize_params
+        return {} unless options.pkce
+
+        options.pkce_verifier = SecureRandom.hex(64)
+
+        {
+          :code_challenge => options.pkce_options[:code_challenge].call(options.pkce_verifier),
+          :code_challenge_method => options.pkce_options[:code_challenge_method],
+        }
+      end
+
+      def pkce_token_params
+        return {} unless options.pkce
+
+        {:code_verifier => session.delete("omniauth.pkce.verifier")}
+      end
+
+      def build_access_token
+        verifier = request.params["code"]
+        client.auth_code.get_token(
+          verifier,
+          {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)),
+          deep_symbolize(options.auth_token_params),
+        )
+      end
+
+      def deep_symbolize(options)
+        options.each_with_object({}) do |(key, value), hash|
+          hash[key.to_sym] = value.is_a?(Hash) ? deep_symbolize(value) : value
+        end
+      end
+
+      def options_for(option)
+        hash = {}
+        options.send(:"#{option}_options").select { |key| options[key] }.each do |key|
+          hash[key.to_sym] = if options[key].respond_to?(:call)
+                               options[key].call(env)
+                             else
+                               options[key]
+                             end
+        end
+        hash
+      end
+
+      # Constant-time comparison to prevent timing attacks on state parameter.
+      def secure_compare(string_a, string_b)
+        return false unless string_a.bytesize == string_b.bytesize
+
+        l = string_a.unpack("C#{string_a.bytesize}")
+        res = 0
+        string_b.each_byte { |byte| res |= byte ^ l.shift }
+        res.zero?
+      end
+
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+
+        def initialize(error, error_reason = nil, error_uri = nil)
+          self.error = error
+          self.error_reason = error_reason
+          self.error_uri = error_uri
+        end
+
+        def message
+          [error, error_reason, error_uri].compact.join(" | ")
+        end
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "ynab", "YNAB"

data/lib/omniauth-ynab/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module YNAB
+    VERSION = "0.0.1".freeze
+  end
+end

data/lib/omniauth-ynab.rb

@@ -0,0 +1,2 @@
+require "omniauth-ynab/version"
+require "omniauth/strategies/ynab"

data/omniauth-v2-ynab.gemspec

@@ -0,0 +1,24 @@
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "omniauth-ynab/version"
+
+Gem::Specification.new do |gem|
+  gem.add_dependency "oauth2",   "~> 2.0"
+  gem.add_dependency "omniauth", "~> 2.0"
+
+  gem.authors       = ["tataihono"]
+  gem.email         = ["tataihono.nikora@gmail.com"]
+  gem.description   = "A YNAB OAuth2 strategy for OmniAuth."
+  gem.summary       = gem.description
+  gem.homepage      = "https://github.com/tataihono/omniauth-v2-ynab"
+  gem.licenses      = %w[MIT]
+  gem.metadata      = {"rubygems_mfa_required" => "true"}
+
+  gem.required_ruby_version = ">= 3.1"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").collect { |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.name          = "omniauth-v2-ynab"
+  gem.require_paths = %w[lib]
+  gem.version       = OmniAuth::YNAB::VERSION
+end

data/spec/helper.rb

@@ -0,0 +1,17 @@
+$LOAD_PATH.unshift File.expand_path(__dir__)
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+require "rspec"
+require "rack/test"
+require "webmock/rspec"
+require "omniauth"
+require "omniauth-ynab"
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+  config.extend OmniAuth::Test::StrategyMacros, :type => :strategy
+  config.include Rack::Test::Methods
+  config.include WebMock::API
+end

data/spec/omniauth/strategies/ynab_spec.rb

@@ -0,0 +1,196 @@
+require "helper"
+
+describe OmniAuth::Strategies::YNAB do
+  def app
+    lambda do |_env|
+      [200, {}, ["Hello."]]
+    end
+  end
+
+  let(:fresh_strategy) { Class.new(OmniAuth::Strategies::YNAB) }
+
+  before do
+    OmniAuth.config.test_mode = true
+  end
+
+  after do
+    OmniAuth.config.test_mode = false
+  end
+
+  describe "Subclassing Behavior" do
+    subject { fresh_strategy }
+
+    it "performs the OmniAuth::Strategy included hook" do
+      expect(OmniAuth.strategies).to include(OmniAuth::Strategies::YNAB)
+      expect(OmniAuth.strategies).to include(subject)
+    end
+  end
+
+  describe "#client" do
+    subject { fresh_strategy }
+
+    it "is initialized with symbolized client_options" do
+      instance = subject.new(app, :client_options => {"authorize_url" => "https://example.com"})
+      expect(instance.client.options[:authorize_url]).to eq("https://example.com")
+    end
+
+    it "deep-symbolizes nested client_options" do
+      instance = subject.new(app, :client_options => {"connection_opts" => {"timeout" => 30}})
+      expect(instance.client.options[:connection_opts]).to eq(:timeout => 30)
+    end
+  end
+
+  describe "#authorize_params" do
+    subject { fresh_strategy }
+
+    it "includes any authorize params passed in the :authorize_params option" do
+      instance = subject.new("abc", "def", :authorize_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.authorize_params["foo"]).to eq("bar")
+      expect(instance.authorize_params["baz"]).to eq("zip")
+    end
+
+    it "includes top-level options that are marked as :authorize_options" do
+      instance = subject.new("abc", "def", :authorize_options => %i[scope foo], :scope => "bar", :foo => "baz")
+      expect(instance.authorize_params["scope"]).to eq("bar")
+      expect(instance.authorize_params["foo"]).to eq("baz")
+    end
+
+    it "supports callable authorize_options values" do
+      instance = subject.new("abc", "def", :authorize_options => [:scope], :scope => proc { "dynamic" })
+      expect(instance.authorize_params[:scope]).to eq("dynamic")
+    end
+
+    it "includes a random state parameter and stores it in the session" do
+      instance = subject.new("abc", "def")
+      params = instance.authorize_params
+      expect(params.keys).to include("state")
+      expect(instance.session["omniauth.state"]).to eq(params["state"])
+      expect(instance.session["omniauth.state"]).not_to be_empty
+    end
+
+    context "when pkce is enabled" do
+      it "adds code_challenge and code_challenge_method to the params" do
+        instance = subject.new("abc", "def", :pkce => true)
+        params = instance.authorize_params
+        expect(params[:code_challenge]).not_to be_nil
+        expect(params[:code_challenge_method]).to eq("S256")
+      end
+
+      it "stores the pkce verifier in the session" do
+        instance = subject.new("abc", "def", :pkce => true)
+        instance.authorize_params
+        expect(instance.session["omniauth.pkce.verifier"]).not_to be_nil
+      end
+
+      it "supports a custom code_challenge proc" do
+        instance = subject.new("abc", "def",
+                               :pkce => true,
+                               :pkce_options => {
+                                 :code_challenge => proc { |_v| "custom_challenge" },
+                                 :code_challenge_method => "plain",
+                               })
+        params = instance.authorize_params
+        expect(params[:code_challenge]).to eq("custom_challenge")
+        expect(params[:code_challenge_method]).to eq("plain")
+      end
+    end
+  end
+
+  describe "#token_params" do
+    subject { fresh_strategy }
+
+    it "includes any token params passed in the :token_params option" do
+      instance = subject.new("abc", "def", :token_params => {:foo => "bar", :baz => "zip"})
+      expect(instance.token_params).to eq("foo" => "bar", "baz" => "zip")
+    end
+
+    it "includes top-level options that are marked as :token_options" do
+      instance = subject.new("abc", "def", :token_options => %i[scope foo], :scope => "bar", :foo => "baz")
+      expect(instance.token_params).to eq("scope" => "bar", "foo" => "baz")
+    end
+
+    it "includes pkce code_verifier when pkce is enabled" do
+      instance = subject.new("abc", "def", :pkce => true)
+      instance.authorize_params # populates session verifier
+      expect(instance.token_params[:code_verifier]).not_to be_nil
+    end
+  end
+
+  describe "#callback_phase" do
+    subject { fresh_strategy }
+
+    def stub_session(instance, data = {})
+      instance.instance_variable_set(:@env, {"rack.session" => data})
+    end
+
+    it "calls fail! with the client error when the request contains an error" do
+      instance = subject.new("abc", "def")
+      stub_session(instance, "omniauth.state" => "abc123")
+      allow(instance).to receive(:request) do
+        double("Request", :params => {"error_reason" => "user_denied", "error" => "access_denied", "state" => "abc123"})
+      end
+      expect(instance).to receive(:fail!).with("user_denied", anything)
+      instance.callback_phase
+    end
+
+    it "calls fail! with :csrf_detected when state is missing" do
+      instance = subject.new("abc", "def")
+      stub_session(instance)
+      allow(instance).to receive(:request) do
+        double("Request", :params => {"code" => "abc123", "state" => ""})
+      end
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "calls fail! with :csrf_detected when state does not match the session" do
+      instance = subject.new("abc", "def")
+      stub_session(instance, "omniauth.state" => "correct_state")
+      allow(instance).to receive(:request) do
+        double("Request", :params => {"code" => "abc123", "state" => "wrong_state"})
+      end
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+
+    it "checks CSRF state before checking for an error param" do
+      instance = subject.new("abc", "def")
+      stub_session(instance, "omniauth.state" => "correct_state")
+      allow(instance).to receive(:request) do
+        double("Request", :params => {"error" => "access_denied", "state" => "wrong_state"})
+      end
+      expect(instance).to receive(:fail!).with(:csrf_detected, anything)
+      instance.callback_phase
+    end
+  end
+
+  describe "#secure_compare" do
+    subject { fresh_strategy.new("abc", "def") }
+
+    it "returns true for identical strings" do
+      expect(subject.send(:secure_compare, "foo", "foo")).to be true
+    end
+
+    it "returns false for strings of different length" do
+      expect(subject.send(:secure_compare, "foo", "foobar")).to be false
+    end
+
+    it "returns false for strings of equal length that differ" do
+      expect(subject.send(:secure_compare, "foo", "bar")).to be false
+    end
+  end
+end
+
+describe OmniAuth::Strategies::YNAB::CallbackError do
+  describe "#message" do
+    it "joins all non-nil attributes with ' | '" do
+      instance = described_class.new("error", "description", "uri")
+      expect(instance.message).to eq("error | description | uri")
+    end
+
+    it "omits nil attributes" do
+      instance = described_class.new(nil, :symbol)
+      expect(instance.message).to eq("symbol")
+    end
+  end
+end

metadata

@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-v2-ynab
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- tataihono
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-03-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: A YNAB OAuth2 strategy for OmniAuth.
+email:
+- tataihono.nikora@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ci.yml"
+- ".github/workflows/release.yml"
+- ".rspec"
+- ".rubocop.yml"
+- CLAUDE.md
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- lib/omniauth-ynab.rb
+- lib/omniauth-ynab/version.rb
+- lib/omniauth/strategies/ynab.rb
+- omniauth-v2-ynab.gemspec
+- spec/helper.rb
+- spec/omniauth/strategies/ynab_spec.rb
+homepage: https://github.com/tataihono/omniauth-v2-ynab
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.20
+signing_key:
+specification_version: 4
+summary: A YNAB OAuth2 strategy for OmniAuth.
+test_files: []