omniauth-yahoojp-v2 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 960e2e247113e1b9ad3674056555041c980ba52e2caec7f27440ba72f233b040
+  data.tar.gz: 9125b715b45c246433f4345843dabcce6b25dffe962e60056372f1a9a5f47ced
+SHA512:
+  metadata.gz: f43de86f89e07a6391ad681da98b2b28e95627ad71e6d24cc0eda7064336b2628a69982cd0d10044e018985a48d887b44bf34f05da89b5cb39bd4ccfcd2d6ed7
+  data.tar.gz: b0ad5955ef0c7d5adb0ff6dd9515cd41da0d490876577c92bb8eaefd3a54904a75661f1bba878b98ae42271b9190e45b57e5c8667f9bbece7c904f40189320cc

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## [0.0.0] - 2025-11-09
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Masahiro
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,189 @@
+# OmniauthYahoojpV2
+
+[![License](https://img.shields.io/github/license/cadenza-tech/omniauth-yahoojp-v2?label=License&labelColor=343B42&color=blue)](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/LICENSE.txt) [![Tag](https://img.shields.io/github/tag/cadenza-tech/omniauth-yahoojp-v2?label=Tag&logo=github&labelColor=343B42&color=2EBC4F)](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/CHANGELOG.md) [![Release](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions/workflows/release.yml/badge.svg)](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions?query=workflow%3Arelease) [![Test](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions/workflows/test.yml/badge.svg)](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions?query=workflow%3Atest) [![Lint](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions/workflows/lint.yml/badge.svg)](https://github.com/cadenza-tech/omniauth-yahoojp-v2/actions?query=workflow%3Alint)
+
+Yahoo! JAPAN strategy for OmniAuth.
+
+- [Installation](#installation)
+- [Usage](#usage)
+  - [Rails Configuration with Devise](#rails-configuration-with-devise)
+  - [Configuration Options](#configuration-options)
+  - [Auth Hash](#auth-hash)
+- [Changelog](#changelog)
+- [Contributing](#contributing)
+- [License](#license)
+- [Code of Conduct](#code-of-conduct)
+- [Sponsor](#sponsor)
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+```bash
+bundle add omniauth-yahoojp-v2
+```
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+```bash
+gem install omniauth-yahoojp-v2
+```
+
+## Usage
+
+### Rails Configuration with Devise
+
+Add the following to `config/initializers/devise.rb`:
+
+```ruby
+# config/initializers/devise.rb
+Devise.setup do |config|
+  config.omniauth :yahoojp_v2, ENV['YAHOOJP_CLIENT_ID'], ENV['YAHOOJP_CLIENT_SECRET']
+end
+```
+
+Add the OmniAuth callbacks routes to `config/routes.rb`:
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+end
+```
+
+Add the OmniAuth configuration to your Devise model:
+
+```ruby
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable,
+         :omniauthable, omniauth_providers: [:yahoojp_v2]
+end
+```
+
+### Configuration Options
+
+You can configure several options:
+
+```ruby
+# config/initializers/devise.rb
+Devise.setup do |config|
+  config.omniauth :yahoojp_v2, ENV['YAHOOJP_CLIENT_ID'], ENV['YAHOOJP_CLIENT_SECRET'],
+    {
+      scope: 'openid profile email address', # Specify OAuth scopes
+      callback_path: '/custom/yahoojp_v2/callback', # Custom callback path
+      prompt: 'consent', # Optional: force consent screen
+      display: 'popup', # Optional: auth page display mode
+      max_age: 600, # Optional: max seconds since last auth
+      bail: true # Optional: redirect to app on consent denial instead of Yahoo! top
+    }
+end
+```
+
+Available scopes:
+
+- `openid` - Required for ID token (includes user identifier)
+- `profile` - Access to user's profile
+- `email` - Access to user's email address
+- `address` - Access to user's address
+
+### Auth Hash
+
+After successful authentication, the auth hash will be available in `request.env['omniauth.auth']`:
+
+```ruby
+{
+  provider: 'yahoojp_v2',
+  uid: 'FQBSQOIDGW5PV4NHAAUY7BWAMU',
+  info: {
+    name: '矢風太郎',
+    nickname: 'やふうたろう',
+    first_name: '太郎',
+    first_name_kana: 'タロウ',
+    first_name_hani: '太郎',
+    last_name: '矢風',
+    last_name_kana: 'ヤフウ',
+    last_name_hani: '矢風',
+    gender: 'male',
+    zoneinfo: 'Asia/Tokyo',
+    locale: 'ja-JP',
+    birth_year: 1986,
+    image: 'https://dummy.img.yahoo.co.jp/example.png',
+    email: 'yconnect@example.com',
+    email_verified: true,
+    address: {
+      country: 'JP',
+      postal_code: '1028282',
+      region: '東京都',
+      locality: '千代田区',
+      formatted: '東京都千代田区'
+    }
+  },
+  credentials: {
+    token: 'SlAV32hkKG',
+    expires: true,
+    expires_at: 1453618036,
+    refresh_token: '8xLOxBtZp8'
+  },
+  extra: {
+    raw_info: {
+      sub: 'FQBSQOIDGW5PV4NHAAUY7BWAMU',
+      name: '矢風太郎',
+      given_name: '太郎',
+      'given_name#ja-Kana-JP': 'タロウ',
+      'given_name#ja-Hani-JP': '太郎',
+      family_name: '矢風',
+      'family_name#ja-Kana-JP': 'ヤフウ',
+      'family_name#ja-Hani-JP': '矢風',
+      gender: 'male',
+      zoneinfo: 'Asia/Tokyo',
+      locale: 'ja-JP',
+      birthdate: '1986',
+      nickname: 'やふうたろう',
+      picture: 'https://dummy.img.yahoo.co.jp/example.png',
+      email: 'yconnect@example.com',
+      email_verified: 'true',
+      address: {
+        country: 'JP',
+        postal_code: '1028282',
+        region: '東京都',
+        locality: '千代田区',
+        formatted: '東京都千代田区'
+      }
+    },
+    id_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg',
+    id_info: {
+      iss: 'https://auth.login.yahoo.co.jp/yconnect/v2',
+      sub: 'KVNE5DZLWIY4Y57TRDLURJOOEU',
+      aud: ['dj0zaiZpPWxCUTczV01KazczNSZzPWNvbnN1bWVyc2VjcmV0Jng9NDc-'],
+      exp: 1453618036,
+      iat: 1453272436,
+      auth_time: 1453271436,
+      nonce: 'n-0S6_WzA2Mj',
+      amr: ['pwd'],
+      at_hash: 'SjjfaAWSdWEvSDfASCmonm',
+      c_hash: 'LDktKdoQak3Pk0cnXxCltA'
+    }
+  }
+}
+```
+
+## Changelog
+
+See [CHANGELOG.md](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/CHANGELOG.md).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/cadenza-tech/omniauth-yahoojp-v2. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/LICENSE.txt).
+
+## Code of Conduct
+
+Everyone interacting in the OmniauthYahoojpV2 project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/main/CODE_OF_CONDUCT.md).
+
+## Sponsor
+
+You can sponsor this project on [Patreon](https://patreon.com/CadenzaTech).

data/Rakefile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.options = ['--format', ENV['RUBOCOP_FORMAT']] if ENV['RUBOCOP_FORMAT']
+end

data/lib/omniauth/strategies/yahoojp_v2.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+require 'json/jwt'
+require 'digest'
+require 'base64'
+
+module OmniAuth
+  module Strategies
+    class YahoojpV2 < OmniAuth::Strategies::OAuth2
+      DEFAULT_SCOPE = 'openid profile email'
+      DEFAULT_JWT_LEEWAY = 600
+      USER_INFO_URL = 'https://userinfo.yahooapis.jp/yconnect/v2/attribute'
+      JWKS_URL = 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks'
+      ID_TOKEN_ISSUER = 'https://auth.login.yahoo.co.jp/yconnect/v2'
+
+      option :name, 'yahoojp_v2'
+      option :client_options, {
+        site: 'https://auth.login.yahoo.co.jp',
+        authorize_url: '/yconnect/v2/authorization',
+        token_url: '/yconnect/v2/token'
+      }
+      option :authorize_options, [:scope, :state, :nonce, :prompt, :display, :max_age, :bail]
+      option :pkce, true
+      option :scope, DEFAULT_SCOPE
+      option :jwt_leeway, DEFAULT_JWT_LEEWAY
+      option :skip_jwt, false
+
+      uid { raw_info['sub'] }
+
+      info do
+        prune!({
+          name: raw_info['name'],
+          nickname: raw_info['nickname'],
+          first_name: raw_info['given_name'],
+          first_name_kana: raw_info['given_name#ja-Kana-JP'],
+          first_name_hani: raw_info['given_name#ja-Hani-JP'],
+          last_name: raw_info['family_name'],
+          last_name_kana: raw_info['family_name#ja-Kana-JP'],
+          last_name_hani: raw_info['family_name#ja-Hani-JP'],
+          gender: raw_info['gender'],
+          zoneinfo: raw_info['zoneinfo'],
+          locale: raw_info['locale'],
+          birth_year: raw_info['birthdate']&.to_i,
+          image: raw_info['picture'],
+          email: raw_info['email'],
+          email_verified: raw_info['email_verified'] == 'true',
+          address: raw_info['address']&.transform_keys(&:to_sym)
+        })
+      end
+
+      extra do
+        hash = {}
+        hash[:raw_info] = raw_info unless skip_info?
+        hash[:id_token] = id_token_info[:raw] if id_token_info[:raw]
+        hash[:id_info] = id_token_info[:decoded] if id_token_info[:decoded]
+        prune!(hash)
+      end
+
+      credentials do
+        hash = { token: access_token.token }
+        hash[:expires] = access_token.expires?
+        hash[:expires_at] = access_token.expires_at if access_token.expires?
+        hash[:refresh_token] = access_token.refresh_token if access_token.refresh_token
+        hash
+      end
+
+      def raw_info
+        return @raw_info if defined?(@raw_info)
+
+        if skip_info?
+          decoded_id_token = decode_id_token(access_token.params['id_token'])
+          @raw_info = { 'sub' => decoded_id_token[:sub] }
+        else
+          @raw_info = access_token.get(USER_INFO_URL, headers: { 'Authorization' => "Bearer #{access_token.token}" }).parsed
+        end
+        @raw_info
+      end
+
+      def callback_url
+        options[:redirect_uri] || (full_host + callback_path)
+      end
+
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
+        super.tap do |params|
+          options[:authorize_options].each do |key|
+            params[key] = request.params[key.to_s] unless empty?(request.params[key.to_s])
+          end
+          params[:scope] ||= DEFAULT_SCOPE
+          params[:nonce] ||= SecureRandom.hex(24)
+          params[:response_type] = 'code'
+          session['omniauth.state'] = params[:state] unless empty?(params[:state])
+          session['omniauth.nonce'] = params[:nonce] unless empty?(params[:nonce])
+          session['omniauth.max_age'] = params[:max_age] unless empty?(params[:max_age])
+        end
+      end
+
+      private
+
+      def prune!(hash)
+        hash.delete_if do |_, value|
+          prune!(value) if value.is_a?(Hash)
+          empty?(value)
+        end
+      end
+
+      def empty?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+
+      def decode_id_token(id_token)
+        JSON::JWT.decode(id_token, :skip_verification)
+      end
+
+      def id_token_info
+        return @id_token_info if defined?(@id_token_info)
+
+        @id_token_info = { raw: nil, decoded: nil }
+        return @id_token_info unless access_token.params['id_token']
+
+        @id_token_info[:raw] = access_token.params['id_token']
+        return @id_token_info if skip_info?
+
+        decoded_id_token = decode_id_token(access_token.params['id_token'])
+        verify_id_token(decoded_id_token) unless options.skip_jwt
+        @id_token_info[:decoded] = decoded_id_token
+        @id_token_info
+      end
+
+      def verify_id_token(id_token)
+        jwk = fetch_jwk(id_token.kid)
+        verify_signature(id_token, jwk)
+        verify_claims(id_token)
+      rescue StandardError => e
+        fail!(:id_token_verification_failed, e)
+      end
+
+      def fetch_jwk(kid)
+        JSON::JWK::Set::Fetcher.fetch(JWKS_URL, kid: kid)
+      rescue StandardError => e
+        fail!(:jwk_fetch_failed, e)
+      end
+
+      def verify_signature(id_token, jwk)
+        id_token.verify!(jwk)
+      rescue StandardError => e
+        fail!(:id_token_signature_invalid, e)
+      end
+
+      def verify_claims(id_token)
+        verify_iss(id_token)
+        verify_aud(id_token)
+        verify_nonce(id_token)
+        verify_at_hash(id_token)
+        verify_c_hash(id_token)
+        verify_exp(id_token)
+        verify_iat(id_token)
+        verify_auth_time(id_token)
+      end
+
+      def verify_iss(id_token)
+        fail!(:id_token_issuer_invalid) if id_token[:iss] != ID_TOKEN_ISSUER
+      end
+
+      def verify_aud(id_token)
+        fail!(:id_token_audience_invalid) if id_token[:aud] != options.client_id
+      end
+
+      def verify_nonce(id_token)
+        expected_nonce = session.delete('omniauth.nonce')
+        return unless expected_nonce
+
+        fail!(:nonce_mismatch) if id_token[:nonce] != expected_nonce
+      end
+
+      def verify_at_hash(id_token)
+        return unless id_token[:at_hash]
+
+        expected_hash = generate_hash(access_token.token)
+        fail!(:at_hash_mismatch) if id_token[:at_hash] != expected_hash
+      end
+
+      def verify_c_hash(id_token)
+        return unless id_token[:c_hash]
+
+        auth_code = request.params['code']
+        return unless auth_code
+
+        expected_hash = generate_hash(auth_code)
+        fail!(:c_hash_mismatch) if id_token[:c_hash] != expected_hash
+      end
+
+      def generate_hash(value)
+        hash = Digest::SHA256.digest(value)
+        half_of_hash = hash[0, hash.length / 2]
+        Base64.urlsafe_encode64(half_of_hash, padding: false)
+      end
+
+      def verify_exp(id_token)
+        fail!(:id_token_expired) if id_token[:exp] < Time.now.to_i
+      end
+
+      def verify_iat(id_token)
+        fail!(:id_token_issued_at_too_old) if id_token[:iat] < (Time.now.to_i - options.jwt_leeway)
+      end
+
+      def verify_auth_time(id_token)
+        return unless id_token[:auth_time]
+
+        max_age = session.delete('omniauth.max_age')
+        return unless max_age
+
+        fail!(:auth_time_too_old) if (id_token[:auth_time] + max_age.to_i) < Time.now.to_i
+      end
+    end
+  end
+end

data/lib/omniauth/yahoojp_v2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module YahoojpV2
+    VERSION = '0.0.0'
+  end
+end

data/lib/omniauth-yahoojp-v2.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/yahoojp_v2/version'
+require 'omniauth/strategies/yahoojp_v2'

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-yahoojp-v2
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- Masahiro
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+description: Yahoo! JAPAN strategy for OmniAuth
+email:
+- watanabe@cadenza-tech.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-yahoojp-v2.rb
+- lib/omniauth/strategies/yahoojp_v2.rb
+- lib/omniauth/yahoojp_v2/version.rb
+homepage: https://github.com/cadenza-tech/omniauth-yahoojp-v2/tree/v0.0.0
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/cadenza-tech/omniauth-yahoojp-v2/tree/v0.0.0
+  source_code_uri: https://github.com/cadenza-tech/omniauth-yahoojp-v2/tree/v0.0.0
+  changelog_uri: https://github.com/cadenza-tech/omniauth-yahoojp-v2/blob/v0.0.0/CHANGELOG.md
+  bug_tracker_uri: https://github.com/cadenza-tech/omniauth-yahoojp-v2/issues
+  documentation_uri: https://rubydoc.info/gems/omniauth-yahoojp-v2/0.0.0
+  funding_uri: https://patreon.com/CadenzaTech
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Yahoo! JAPAN strategy for OmniAuth
+test_files: []