omniauth-yahoojp 0.2.1 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b7f78180ef96d2a2e46a852420a8dbb7d530da3f
-  data.tar.gz: f73968ec635fee1510aae21153ee3d862ae4186f
+SHA256:
+  metadata.gz: cef0fc73e6ad6338ec0f4a4180774ab663b9a0846ad2e7658f9a4c3fd395b454
+  data.tar.gz: 37e8e9ef4282fc449ea7d489ef4a43ea4ab0d231c7ddda5a6163b932c899d7ac
 SHA512:
-  metadata.gz: 4b785600fc24397488dbfd26c4725567480a51b0ee894140273efbb1213490c15f9009cce632224ec2e619820555125d11935fb34f97c4c6d00ebd84c6366f36
-  data.tar.gz: cb83e33ffab80a04c59e8441167b972d88e8d6f15dca4a3bb3e359e6ada394ab3593d09e79ad4c557f1dd91e33b820be17022d167b128ac4622a61de51338272
+  metadata.gz: cf6a1d9162d5855cd7ed66074b9f5d275312024602fb956a9e367e522aeaf36d3637c73856c3cd94b3dcc5f0d53ea01697aec948370689b766d0b6f6890a29c3
+  data.tar.gz: 84aa02e550b3fd6bbc286912be6181b484b2d7d1db6ab6ff8792a9819575b08b0c77e406b56045fdac3073cb4900500eb07a7ab91641de909ffb1881d8953043

data/.github/workflows/claude-code-review.yml

@@ -0,0 +1,78 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@beta
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
+          # model: "claude-opus-4-20250514"
+          
+          # Direct prompt for automated review (no @claude mention needed)
+          direct_prompt: |
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+            
+            Be constructive and helpful in your feedback.
+
+          # Optional: Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
+          # use_sticky_comment: true
+          
+          # Optional: Customize review based on file types
+          # direct_prompt: |
+          #   Review this PR focusing on:
+          #   - For TypeScript files: Type safety and proper interface usage
+          #   - For API endpoints: Security, input validation, and error handling
+          #   - For React components: Performance, accessibility, and best practices
+          #   - For tests: Coverage, edge cases, and test quality
+          
+          # Optional: Different prompts for different authors
+          # direct_prompt: |
+          #   ${{ github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' && 
+          #   'Welcome! Please review this PR from a first-time contributor. Be encouraging and provide detailed explanations for any suggestions.' ||
+          #   'Please provide a thorough code review focusing on our coding standards and best practices.' }}
+          
+          # Optional: Add specific tools for running tests or linting
+          # allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"
+          
+          # Optional: Skip review for certain conditions
+          # if: |
+          #   !contains(github.event.pull_request.title, '[skip-review]') &&
+          #   !contains(github.event.pull_request.title, '[WIP]')
+

data/.github/workflows/claude.yml

@@ -0,0 +1,64 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@beta
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+          
+          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
+          # model: "claude-opus-4-20250514"
+          
+          # Optional: Customize the trigger phrase (default: @claude)
+          # trigger_phrase: "/claude"
+          
+          # Optional: Trigger when specific user is assigned to an issue
+          # assignee_trigger: "claude-bot"
+          
+          # Optional: Allow Claude to run specific commands
+          # allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
+          
+          # Optional: Add custom instructions for Claude to customize its behavior for your project
+          # custom_instructions: |
+          #   Follow our coding standards
+          #   Ensure all new code has tests
+          #   Use TypeScript for new files
+          
+          # Optional: Custom environment variables for Claude
+          # claude_env: |
+          #   NODE_ENV: test
+

data/CLAUDE.md

@@ -0,0 +1,49 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Testing
+- `rake spec` or `rspec` - Run all tests
+- `rspec spec/omniauth/strategies/yahoojp_spec.rb` - Run specific test file
+- `rake` - Default task runs specs
+
+### Development Tools
+- `guard` - File watcher for automatic test running (configured via Guardfile)
+- `bundle install` - Install gem dependencies
+
+## Architecture
+
+This is a Ruby gem that implements an OmniAuth strategy for Yahoo! JAPAN's YConnect OAuth 2.0 service.
+
+### Core Components
+
+**Main Strategy**: `lib/omniauth/strategies/yahoojp.rb`
+- Inherits from `OmniAuth::Strategies::OAuth2`
+- Implements Yahoo! JAPAN YConnect v2 API endpoints
+- Handles OAuth 2.0 authorization code flow with basic auth for token exchange
+- Supports YConnect-specific parameters: display, prompt, scope, bail
+
+**Key Implementation Details**:
+- Uses `https://auth.login.yahoo.co.jp` as OAuth provider
+- YConnect v2 endpoints: `/yconnect/v2/authorization` and `/yconnect/v2/token`
+- User info endpoint: `https://userinfo.yahooapis.jp/yconnect/v2/attribute`
+- Custom `build_access_token` method for Yahoo-specific auth headers
+- Supports Japanese locale-specific fields (kana, kanji names)
+
+### File Structure
+- `lib/omniauth-yahoojp.rb` - Main entry point, requires the strategy
+- `lib/omniauth-yahoojp/version.rb` - Gem version
+- `lib/omniauth/strategies/yahoojp.rb` - Strategy implementation
+- `spec/` - RSpec tests
+
+### Dependencies
+- `omniauth` and `omniauth-oauth2` for OAuth framework
+- `httpauth` for HTTP basic authentication headers
+
+## Downstream Test Project
+
+- [`omniauth-yahoojp-tester-rails5`](https://github.com/mikanmarusan/omniauth-yahoojp-tester-rails5) is a Rails 5 app that consumes this gem for integration testing.
+- Its CLAUDE.md documents the exact API surface used and cross-project update rules.
+- Use `/add-dir ../omniauth-yahoojp-tester-rails5` to add it for cross-project awareness when making API changes.

data/Gemfile

@@ -1,4 +1,4 @@
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
 # Specify your gem's dependencies in omniauth-yahoojp.gemspec
 gemspec

data/README.md

@@ -2,7 +2,7 @@
 
 **These notes are based on master, please see tags for README pertaining to specific releases.**
 
-This is the official OmniAuth strategy for authenticating to Yahoo! JAPAN( [YConnect](http://developer.yahoo.co.jp/yconnect/v2/) ).
+This is the OmniAuth strategy for authenticating to Yahoo! JAPAN( [YConnect](http://developer.yahoo.co.jp/yconnect/v2/) ).
 To use it, you'll need to sign up for a YConnect Client ID and Secret
 on the [Yahoo! JAPAN Developer Network](https://e.developer.yahoo.co.jp/dashboard/).
 
@@ -22,13 +22,14 @@ Then `bundle install`.
 
 `OmniAuth::Strategies::YahooJp` is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
 
-YConnect API v2 lets you set scopes to provide granular access to different types of data: 
+YConnect API v2 lets you set scopes to provide granular access to different types of data:
 
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
-    provider :yahoojp, ENV['YAHOOJP_KEY'], ENV['YAHOOJP_SECRET'], 
+    provider :yahoojp, ENV['YAHOOJP_KEY'], ENV['YAHOOJP_SECRET'],
     {
-        scope: "openid profile email address"
+        scope: "openid profile email address",
+        userinfo_access: true  # default: true
     }
 end
 ```
@@ -50,6 +51,31 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+### `userinfo_access` Option
+
+Controls how user profile information is retrieved.
+
+- `userinfo_access: true` (default) — Calls the UserInfo API (`https://userinfo.yahooapis.jp/yconnect/v2/attribute`) to retrieve full profile information including name variants (kana, kanji), gender, locale, birthdate, nickname, picture, email, and address.
+- `userinfo_access: false` — Skips the UserInfo API call and extracts profile information from the `id_token` claims instead. This is useful when your application does not have access to the UserInfo API.
+
+> **Note:** The fields available in `id_token` claims may differ from those returned by the UserInfo API. The `id_token` typically contains a subset of profile fields depending on the requested scopes. Yahoo! JAPAN has made the UserInfo API access-restricted, so some applications may need to rely on `id_token` claims.
+
+### ID Token
+
+When the `openid` scope is requested, the strategy automatically captures the `id_token` returned by Yahoo! JAPAN's token endpoint.
+
+- `credentials.id_token` — The raw JWT string as returned from the token endpoint.
+- `extra.id_token_claims` — The decoded and verified claims hash from the `id_token`.
+
+The `id_token` is verified as follows:
+
+1. **RS256 signature verification** — The token signature is verified using the public key fetched from Yahoo! JAPAN's [JWKS endpoint](https://auth.login.yahoo.co.jp/yconnect/v2/jwks), matched by the `kid` header claim.
+2. **Issuer (`iss`) validation** — Must be `https://auth.login.yahoo.co.jp/yconnect/v2`.
+3. **Audience (`aud`) validation** — Must include your application's client ID.
+4. **Expiration (`exp`) validation** — The token must not be expired (with a 30-second leeway for clock skew).
+
+If any verification step fails, an `OmniAuth::Strategies::YahooJp::IdTokenValidationError` is raised, which is handled by OmniAuth's standard error flow.
+
 ### API Version
 
 OmniAuth YahooJp uses versioned API endpoints by default (current v2). You can configure a different version via `client_options` hash passed to `provider`, specifically you should change the version in the `site` and `authorize_url` parameters. For example, to change to v1:
@@ -67,6 +93,52 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+## Auth Hash
+
+Here is an example of the auth hash available in `request.env['omniauth.auth']`:
+
+```ruby
+{
+  provider: "yahoojp",
+  uid: "abcdefg",
+  info: {
+    sub: "abcdefg",
+    name: "山田 太郎",
+    given_name: "太郎",
+    given_name_ja_kana_jp: "タロウ",
+    given_name_ja_hani_jp: "太郎",
+    family_name: "山田",
+    family_name_ja_kana_jp: "ヤマダ",
+    family_name_ja_hani_jp: "山田",
+    gender: "male",
+    locale: "ja-JP",
+    email: "example@yahoo.co.jp",
+    email_verified: true
+  },
+  credentials: {
+    token: "ACCESS_TOKEN",
+    refresh_token: "REFRESH_TOKEN",
+    expires_at: 1496120719,
+    expires: true,
+    id_token: "eyJhbGciOiJSUzI1NiIs..."
+  },
+  extra: {
+    raw_info: { ... },           # Full response from UserInfo API (or id_token claims)
+    id_token: "eyJhbGciOiJSUzI1NiIs...",  # Raw JWT string
+    id_token_claims: {           # Decoded id_token claims
+      iss: "https://auth.login.yahoo.co.jp/yconnect/v2",
+      sub: "abcdefg",
+      aud: ["YOUR_CLIENT_ID"],
+      exp: 1496120719,
+      iat: 1496117119,
+      nonce: "..."
+    }
+  }
+}
+```
+
+> **Note:** Available fields in `info` and `extra.raw_info` depend on the requested scopes and the `userinfo_access` setting.
+
 ## License
 
 Copyright (c) 2013 by mikanmarusan

data/lib/omniauth/strategies/yahoojp.rb

@@ -1,9 +1,14 @@
 require 'omniauth-oauth2'
 require 'httpauth'
+require 'json/jwt'
 
 module OmniAuth
   module Strategies
     class YahooJp < OmniAuth::Strategies::OAuth2
+      class IdTokenValidationError < StandardError; end
+
+      JWKS_URI = 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks'.freeze
+      ISSUER   = 'https://auth.login.yahoo.co.jp/yconnect/v2'.freeze
 
       option :name, 'yahoojp'
       option :client_options, {
@@ -14,10 +19,7 @@ module OmniAuth
       }
 
       option :authorize_options, [:display, :prompt, :scope, :bail]
-
-      def request_phase
-        super
-      end
+      option :userinfo_access, true
 
       uid { raw_info['sub'] }
 
@@ -39,19 +41,45 @@ module OmniAuth
           :picture    => raw_info['picture'],
           :email      => raw_info['email'],
           :email_verified => raw_info['email_verified'],
-          :address    => raw_info['address'], 
+          :address    => raw_info['address'],
         })
       end
 
       extra do
         hash = {}
         hash[:raw_info] = raw_info unless skip_info?
+        hash[:id_token] = id_token if id_token
+        hash[:id_token_claims] = id_token_claims if id_token
         prune! hash
       end
 
+      credentials do
+        hash = {'token' => access_token.token}
+        hash['refresh_token'] = access_token.refresh_token if access_token.refresh_token
+        hash['expires_at'] = access_token.expires_at if access_token.expires?
+        hash['expires'] = access_token.expires?
+        hash['id_token'] = id_token if id_token
+        hash
+      end
+
       def raw_info
-        access_token.options[:mode] = :header
-        @raw_info ||= access_token.get('https://userinfo.yahooapis.jp/yconnect/v2/attribute').parsed
+        @raw_info ||= if options.userinfo_access
+          access_token.options[:mode] = :header
+          access_token.get('https://userinfo.yahooapis.jp/yconnect/v2/attribute').parsed
+        elsif id_token
+          id_token_claims
+        else
+          {}
+        end
+      end
+
+      def id_token
+        @id_token ||= access_token&.params&.dig('id_token').presence
+      end
+
+      def id_token_claims
+        return nil unless id_token
+        @id_token_claims ||= verify_id_token!
       end
 
       def prune!(hash)
@@ -69,13 +97,35 @@ module OmniAuth
           :headers => {'Authorization' => HTTPAuth::Basic.pack_authorization(client.id, client.secret)}
         }
 
-        client.get_token(token_params);
+        client.get_token(token_params)
       end
 
       def callback_url
         full_host + script_name + callback_path
       end
 
+      private
+
+      def verify_id_token!
+        header = JSON::JWT.decode(id_token, :skip_verification).header
+        jwk = JSON::JWK::Set::Fetcher.fetch(JWKS_URI, kid: header['kid'])
+        claims = JSON::JWT.decode(id_token, jwk, [:RS256])
+        validate_id_token_claims!(claims)
+        claims
+      end
+
+      def validate_id_token_claims!(claims)
+        unless claims['iss'] == ISSUER
+          raise IdTokenValidationError, "Invalid issuer: #{claims['iss']}"
+        end
+        unless Array(claims['aud']).include?(client.id)
+          raise IdTokenValidationError, "Invalid audience: #{claims['aud']}"
+        end
+        if claims['exp'].nil? || Time.now.to_i > claims['exp'].to_i + 30
+          raise IdTokenValidationError, 'id_token has expired'
+        end
+      end
+
     end
   end
 end

data/lib/omniauth-yahoojp/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module YahooJp
-    VERSION = "0.2.1"
+    VERSION = "1.0.1"
   end
 end

data/omniauth-yahoojp.gemspec

@@ -4,8 +4,8 @@ require File.expand_path('../lib/omniauth-yahoojp/version', __FILE__)
 Gem::Specification.new do |gem|
   gem.authors       = ["mikanmarusan"]
   gem.email         = ["chiakifujimon@gmail.com"]
-  gem.description   = %q{Official OmniAuth strategy for Yahoo! JAPAN.}
-  gem.summary       = %q{Official OmniAuth strategy for Yahoo! JAPAN.}
+  gem.description   = %q{OmniAuth strategy for Yahoo! JAPAN.}
+  gem.summary       = %q{OmniAuth strategy for Yahoo! JAPAN.}
   gem.homepage      = "https://github.com/mikanmarusan/omniauth-yahoojp"
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
@@ -14,12 +14,13 @@ Gem::Specification.new do |gem|
   gem.name          = "omniauth-yahoojp"
   gem.require_paths = ["lib"]
   gem.version       = OmniAuth::YahooJp::VERSION
-  gem.licenses      = "MIT"
+  gem.licenses      = ["MIT"]
 
   gem.add_dependency 'omniauth', '>= 1.0'
   gem.add_dependency 'omniauth-oauth2', '>= 1.1'
   gem.add_dependency 'httpauth'
-  gem.add_development_dependency 'rspec', '~> 2.7'
+  gem.add_dependency 'json-jwt', '>= 1.16.6'
+  gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'rack-test'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'webmock'

data/spec/omniauth/strategies/yahoojp_spec.rb

@@ -1,23 +1,470 @@
 require 'spec_helper'
 require 'omniauth-yahoojp'
+require 'json/jwt'
 
-describe OmniAuth::Strategies::YahooJp do
+RSpec.describe OmniAuth::Strategies::YahooJp do
+  let(:app) { lambda { |_env| [200, {}, ['Hello']] } }
+  let(:strategy) { described_class.new(app, 'client_id', 'client_secret') }
 
-  subject do
-    OmniAuth::Strategies::YahooJp.new({})
+  describe 'client options' do
+    it 'has correct site' do
+      expect(strategy.options.client_options.site).to eq('https://auth.login.yahoo.co.jp')
+    end
+
+    it 'has correct authorize url' do
+      expect(strategy.options.client_options.authorize_url).to eq('/yconnect/v2/authorization')
+    end
+
+    it 'has correct token url' do
+      expect(strategy.options.client_options.token_url).to eq('/yconnect/v2/token')
+    end
   end
 
-  context "client options" do
-    it 'should have correct site' do
-      subject.options.client_options.site.should eq("https://auth.login.yahoo.co.jp")
+  describe 'default options' do
+    it 'has userinfo_access enabled by default' do
+      expect(strategy.options.userinfo_access).to be true
     end
+  end
+
+  describe 'constants' do
+    it 'has correct JWKS_URI' do
+      expect(described_class::JWKS_URI).to eq('https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+    end
+
+    it 'has correct ISSUER' do
+      expect(described_class::ISSUER).to eq('https://auth.login.yahoo.co.jp/yconnect/v2')
+    end
+  end
 
-    it 'should have correct authorize url' do
-      subject.options.client_options.authorize_url.should eq('/yconnect/v1/authorization')
+  context 'with access_token' do
+    let(:rsa_key) { OpenSSL::PKey::RSA.generate(2048) }
+    let(:kid) { 'test-kid-1' }
+    let(:jwt_payload) do
+      {
+        'sub' => 'test123',
+        'name' => 'Test User',
+        'email' => 'test@example.com',
+        'iss' => 'https://auth.login.yahoo.co.jp/yconnect/v2',
+        'aud' => 'client_id',
+        'exp' => Time.now.to_i + 3600
+      }
     end
+    let(:jwt_string) do
+      jwt = JSON::JWT.new(jwt_payload)
+      jwt.kid = kid
+      jwt.sign(rsa_key, :RS256).to_s
+    end
+    let(:access_token) do
+      instance_double(
+        OAuth2::AccessToken,
+        token: 'mock_token',
+        refresh_token: 'mock_refresh',
+        expires?: true,
+        expires_at: 1234567890,
+        params: { 'id_token' => jwt_string },
+        options: {}
+      )
+    end
+
+    before do
+      allow(strategy).to receive(:access_token).and_return(access_token)
+      jwk = JSON::JWK.new(rsa_key, kid: kid)
+      stub_request(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+        .to_return(
+          status: 200,
+          body: { keys: [jwk] }.to_json,
+          headers: { 'Content-Type' => 'application/json' }
+        )
+    end
+
+    describe '#id_token' do
+      it 'returns the id_token from access_token params' do
+        expect(strategy.id_token).to eq(jwt_string)
+      end
+
+      it 'returns nil when no id_token in params' do
+        allow(access_token).to receive(:params).and_return({})
+        expect(strategy.id_token).to be_nil
+      end
+
+      it 'returns nil when id_token is empty string' do
+        allow(access_token).to receive(:params).and_return({ 'id_token' => '' })
+        expect(strategy.id_token).to be_nil
+      end
+    end
+
+    describe '#id_token_claims' do
+      it 'decodes and verifies the JWT' do
+        claims = strategy.id_token_claims
+        expect(claims['sub']).to eq('test123')
+        expect(claims['name']).to eq('Test User')
+        expect(claims['email']).to eq('test@example.com')
+      end
+
+      it 'memoizes the result' do
+        first_call = strategy.id_token_claims
+        second_call = strategy.id_token_claims
+        expect(first_call).to equal(second_call)
+      end
+
+      it 'returns nil when id_token is nil' do
+        allow(access_token).to receive(:params).and_return({})
+        expect(strategy.id_token_claims).to be_nil
+      end
+
+      it 'returns nil without fetching JWKS when id_token is nil' do
+        allow(access_token).to receive(:params).and_return({})
+        strategy.id_token_claims
+        expect(WebMock).not_to have_requested(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+      end
+
+      it 'raises on malformed id_token' do
+        allow(access_token).to receive(:params).and_return({ 'id_token' => 'not-a-jwt' })
+        expect { strategy.id_token_claims }.to raise_error(JSON::JWT::InvalidFormat)
+      end
+
+      context 'with invalid signature' do
+        let(:wrong_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:bad_jwt_string) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = kid
+          jwt.sign(wrong_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_jwt_string })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(JSON::JWS::VerificationFailed)
+        end
+      end
+
+      context 'with invalid issuer' do
+        let(:jwt_payload_bad_iss) { jwt_payload.merge('iss' => 'https://evil.example.com') }
+        let(:bad_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with issuer missing /yconnect/v2 suffix' do
+        let(:jwt_payload_wrong_iss) { jwt_payload.merge('iss' => 'https://auth.login.yahoo.co.jp') }
+        let(:wrong_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_wrong_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => wrong_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with invalid audience' do
+        let(:jwt_payload_bad_aud) { jwt_payload.merge('aud' => 'wrong_client_id') }
+        let(:bad_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_aud_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid audience/
+          )
+        end
+      end
+
+      context 'with audience as array including client_id' do
+        let(:jwt_payload_array_aud) { jwt_payload.merge('aud' => ['other_client', 'client_id']) }
+        let(:array_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_array_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => array_aud_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with expired token' do
+        let(:jwt_payload_expired) { jwt_payload.merge('exp' => Time.now.to_i - 60) }
+        let(:expired_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => expired_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /expired/
+          )
+        end
+      end
+
+      context 'with token within 30-second leeway' do
+        let(:jwt_payload_just_expired) { jwt_payload.merge('exp' => Time.now.to_i - 10) }
+        let(:leeway_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_just_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => leeway_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with kid not found in JWKS' do
+        let(:jwt_with_unknown_kid) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = 'unknown-kid'
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => jwt_with_unknown_kid })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(StandardError)
+        end
+      end
+    end
+
+    describe '#raw_info' do
+      context 'with userinfo_access: true' do
+        let(:userinfo_response) do
+          instance_double(OAuth2::Response, parsed: {
+            'sub' => 'user456',
+            'name' => 'Yahoo User',
+            'email' => 'yahoo@example.com',
+            'address' => { 'country' => 'JP' }
+          })
+        end
+
+        before do
+          allow(access_token).to receive(:get)
+            .with('https://userinfo.yahooapis.jp/yconnect/v2/attribute')
+            .and_return(userinfo_response)
+        end
+
+        it 'calls the UserInfo API' do
+          strategy.raw_info
+          expect(access_token).to have_received(:get)
+            .with('https://userinfo.yahooapis.jp/yconnect/v2/attribute')
+        end
+
+        it 'sets access_token mode to header' do
+          strategy.raw_info
+          expect(access_token.options[:mode]).to eq(:header)
+        end
+
+        it 'returns parsed UserInfo response' do
+          expect(strategy.raw_info['sub']).to eq('user456')
+          expect(strategy.raw_info['name']).to eq('Yahoo User')
+        end
+      end
+
+      context 'with userinfo_access: false and id_token present' do
+        before do
+          strategy.options[:userinfo_access] = false
+        end
+
+        it 'returns id_token_claims' do
+          expect(strategy.raw_info['sub']).to eq('test123')
+          expect(strategy.raw_info['name']).to eq('Test User')
+        end
+
+        it 'does not call the UserInfo API' do
+          expect(access_token).not_to receive(:get)
+          strategy.raw_info
+        end
+      end
+
+      context 'with userinfo_access: false and no id_token' do
+        before do
+          strategy.options[:userinfo_access] = false
+          allow(access_token).to receive(:params).and_return({})
+        end
+
+        it 'returns empty hash' do
+          expect(strategy.raw_info).to eq({})
+        end
+      end
+    end
+
+    describe '#info' do
+      let(:full_profile) do
+        {
+          'sub' => 'user456',
+          'name' => 'Yahoo User',
+          'given_name' => 'Taro',
+          'given_name#ja-Kana-JP' => 'タロウ',
+          'given_name#ja-Hani-JP' => '太郎',
+          'family_name' => 'Yamada',
+          'family_name#ja-Kana-JP' => 'ヤマダ',
+          'family_name#ja-Hani-JP' => '山田',
+          'gender' => 'male',
+          'zoneinfo' => 'Asia/Tokyo',
+          'locale' => 'ja-JP',
+          'birthdate' => '1990-01-01',
+          'nickname' => 'taro',
+          'picture' => 'https://example.com/photo.jpg',
+          'email' => 'taro@example.com',
+          'email_verified' => true,
+          'address' => { 'country' => 'JP', 'region' => 'Tokyo' }
+        }
+      end
+      let(:userinfo_response) do
+        instance_double(OAuth2::Response, parsed: full_profile)
+      end
+
+      before do
+        allow(access_token).to receive(:get)
+          .with('https://userinfo.yahooapis.jp/yconnect/v2/attribute')
+          .and_return(userinfo_response)
+      end
+
+      it 'maps all standard fields' do
+        info = strategy.info
+        expect(info[:sub]).to eq('user456')
+        expect(info[:name]).to eq('Yahoo User')
+        expect(info[:given_name]).to eq('Taro')
+        expect(info[:family_name]).to eq('Yamada')
+        expect(info[:email]).to eq('taro@example.com')
+        expect(info[:nickname]).to eq('taro')
+        expect(info[:picture]).to eq('https://example.com/photo.jpg')
+      end
+
+      it 'maps Japanese locale-specific fields' do
+        info = strategy.info
+        expect(info[:given_name_ja_kana_jp]).to eq('タロウ')
+        expect(info[:given_name_ja_hani_jp]).to eq('太郎')
+        expect(info[:family_name_ja_kana_jp]).to eq('ヤマダ')
+        expect(info[:family_name_ja_hani_jp]).to eq('山田')
+      end
+
+      it 'maps address as nested hash' do
+        info = strategy.info
+        expect(info[:address]['country']).to eq('JP')
+      end
+
+      it 'prunes nil values' do
+        allow(userinfo_response).to receive(:parsed).and_return({ 'sub' => 'user456' })
+        info = strategy.info
+        expect(info).not_to have_key(:name)
+        expect(info).not_to have_key(:email)
+      end
+    end
+
+    describe '#uid' do
+      context 'with userinfo_access: true' do
+        let(:userinfo_response) do
+          instance_double(OAuth2::Response, parsed: { 'sub' => 'user456' })
+        end
+
+        before do
+          allow(access_token).to receive(:get)
+            .with('https://userinfo.yahooapis.jp/yconnect/v2/attribute')
+            .and_return(userinfo_response)
+        end
+
+        it 'returns sub from UserInfo' do
+          expect(strategy.uid).to eq('user456')
+        end
+      end
+
+      context 'with userinfo_access: false' do
+        before do
+          strategy.options[:userinfo_access] = false
+        end
+
+        it 'returns sub from id_token' do
+          expect(strategy.uid).to eq('test123')
+        end
+      end
+    end
+
+    describe '#credentials' do
+      it 'includes token' do
+        expect(strategy.credentials['token']).to eq('mock_token')
+      end
+
+      it 'includes refresh_token' do
+        expect(strategy.credentials['refresh_token']).to eq('mock_refresh')
+      end
+
+      it 'includes expires_at' do
+        expect(strategy.credentials['expires_at']).to eq(1234567890)
+      end
+
+      it 'includes expires flag' do
+        expect(strategy.credentials['expires']).to be true
+      end
+
+      it 'includes id_token' do
+        expect(strategy.credentials['id_token']).to eq(jwt_string)
+      end
+
+      it 'omits id_token when not present' do
+        allow(access_token).to receive(:params).and_return({})
+        expect(strategy.credentials).not_to have_key('id_token')
+      end
+    end
+
+    describe '#extra' do
+      before do
+        strategy.options[:userinfo_access] = false
+      end
+
+      it 'includes id_token' do
+        expect(strategy.extra[:id_token]).to eq(jwt_string)
+      end
+
+      it 'includes id_token_claims' do
+        claims = strategy.extra[:id_token_claims]
+        expect(claims['sub']).to eq('test123')
+      end
 
-    it 'should have correct token url' do
-      subject.options.client_options.token_url.should eq('/yconnect/v1/token')
+      it 'includes raw_info' do
+        expect(strategy.extra[:raw_info]).not_to be_nil
+      end
     end
   end
 end

data/spec/spec_helper.rb

@@ -11,6 +11,4 @@ require 'omniauth-yahoojp'
 RSpec.configure do |config|
   config.include WebMock::API
   config.include Rack::Test::Methods
-  config.extend  OmniAuth::Test::StrategyMacros, :type => :strategy
 end
-

metadata

@@ -1,122 +1,139 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-yahoojp
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 1.0.1
 platform: ruby
 authors:
 - mikanmarusan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-01 00:00:00.000000000 Z
+date: 2026-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.1'
 - !ruby/object:Gem::Dependency
   name: httpauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.16.6
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Official OmniAuth strategy for Yahoo! JAPAN.
+description: OmniAuth strategy for Yahoo! JAPAN.
 email:
 - chiakifujimon@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- ".github/workflows/claude-code-review.yml"
+- ".github/workflows/claude.yml"
+- ".gitignore"
+- ".rspec"
+- CLAUDE.md
 - Gemfile
 - Guardfile
 - README.md
@@ -137,20 +154,19 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.14.1
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
-summary: Official OmniAuth strategy for Yahoo! JAPAN.
+summary: OmniAuth strategy for Yahoo! JAPAN.
 test_files:
 - spec/omniauth/strategies/yahoojp_spec.rb
 - spec/spec_helper.rb