omniauth-yahoojp 1.0.0 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16ae4d397a52eca91f5a45f36770e3ec1162bda6f607a1c2bbd5142ee9799b9c
-  data.tar.gz: 7989bc85f42e4ae4e6b2420e5d3a6c94355a87db5ba0997b1a1a8a62249ae088
+  metadata.gz: 3e2e5091640143dd38a711507353562df857f8f78a58c533515b8f16cc498ea5
+  data.tar.gz: 8017e5b101087d514d661455e6a51e40d17397a3642aa2863183863ee37c4ba4
 SHA512:
-  metadata.gz: c6f857f7d5604801d3aff235992b49d925a889e6ca6458400ceb746abe617594a8fa5ab229312f332f34df6fae83d3af508b33f39fd5d3c93bf4a611884395d9
-  data.tar.gz: 8c2a1ca936c8c89adbd4655d01021e14a7e669965be3015fd028df1bcb0c82164a66b90f116056c9d21963f6d5b22ae0ca3329ea9e13001336149f921f344be0
+  metadata.gz: 3768a8277939e04cb7bfaa0802b4e419f25df351d99a15d7f50ea2d710134b00179914eeb030c42af12370a6d815b8281cd8f0474dc32f325a0400b572f43e76
+  data.tar.gz: e7565557e3f45447be3c612a4aeb66cad363112a395a96ecbfbf73fb420e8ce2a7af9116624961a383ca2522f07e60a98f87781d1abfd4e741c1b7e509980d8f

data/CLAUDE.md

@@ -44,6 +44,6 @@ This is a Ruby gem that implements an OmniAuth strategy for Yahoo! JAPAN's YConn
 
 ## Downstream Test Project
 
-- [`omniauth-yahoojp-tester-rails5`](https://github.com/mikanmarusan/omniauth-yahoojp-tester-rails5) is a Rails 5 app that consumes this gem for integration testing.
+- [`omniauth-yahoojp-tester-containers`](https://github.com/mikanmarusan/omniauth-yahoojp-tester-containers) is an app that consumes this gem for integration testing.
 - Its CLAUDE.md documents the exact API surface used and cross-project update rules.
-- Use `/add-dir ../omniauth-yahoojp-tester-rails5` to add it for cross-project awareness when making API changes.
+- Use `/add-dir ../omniauth-yahoojp-tester-containers` to add it for cross-project awareness when making API changes.

data/README.md

@@ -65,9 +65,16 @@ Controls how user profile information is retrieved.
 When the `openid` scope is requested, the strategy automatically captures the `id_token` returned by Yahoo! JAPAN's token endpoint.
 
 - `credentials.id_token` — The raw JWT string as returned from the token endpoint.
-- `extra.id_token_claims` — The decoded claims hash from the `id_token`.
+- `extra.id_token_claims` — The decoded and verified claims hash from the `id_token`.
 
-The `id_token` signature verification is skipped because the token is received directly from Yahoo! JAPAN's token endpoint over TLS in the Authorization Code Flow, which guarantees its authenticity.
+The `id_token` is verified as follows:
+
+1. **RS256 signature verification** — The token signature is verified using the public key fetched from Yahoo! JAPAN's [JWKS endpoint](https://auth.login.yahoo.co.jp/yconnect/v2/jwks), matched by the `kid` header claim.
+2. **Issuer (`iss`) validation** — Must be `https://auth.login.yahoo.co.jp/yconnect/v2`.
+3. **Audience (`aud`) validation** — Must include your application's client ID.
+4. **Expiration (`exp`) validation** — The token must not be expired (with a 30-second leeway for clock skew).
+
+If any verification step fails, an `OmniAuth::Strategies::YahooJp::IdTokenValidationError` is raised, which is handled by OmniAuth's standard error flow.
 
 ### API Version
 

data/lib/omniauth/strategies/yahoojp.rb

@@ -5,6 +5,10 @@ require 'json/jwt'
 module OmniAuth
   module Strategies
     class YahooJp < OmniAuth::Strategies::OAuth2
+      class IdTokenValidationError < StandardError; end
+
+      JWKS_URI = 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks'.freeze
+      ISSUER   = 'https://auth.login.yahoo.co.jp/yconnect/v2'.freeze
 
       option :name, 'yahoojp'
       option :client_options, {
@@ -63,7 +67,7 @@ module OmniAuth
           access_token.options[:mode] = :header
           access_token.get('https://userinfo.yahooapis.jp/yconnect/v2/attribute').parsed
         elsif id_token
-          id_token_claims
+          id_token_claims || {}
         else
           {}
         end
@@ -75,9 +79,9 @@ module OmniAuth
 
       def id_token_claims
         return nil unless id_token
-        # Signature verification is skipped because the id_token was received
-        # directly from Yahoo's token endpoint over TLS (Authorization Code Flow).
-        @id_token_claims ||= JSON::JWT.decode(id_token, :skip_verification)
+        @id_token_claims ||= verify_id_token!
+      rescue JSON::JWT::InvalidFormat
+        nil
       end
 
       def prune!(hash)
@@ -102,6 +106,28 @@ module OmniAuth
         full_host + script_name + callback_path
       end
 
+      private
+
+      def verify_id_token!
+        header = JSON::JWT.decode(id_token, :skip_verification).header
+        jwk = JSON::JWK::Set::Fetcher.fetch(JWKS_URI, kid: header['kid'])
+        claims = JSON::JWT.decode(id_token, jwk, [:RS256])
+        validate_id_token_claims!(claims)
+        claims
+      end
+
+      def validate_id_token_claims!(claims)
+        unless claims['iss'] == ISSUER
+          raise IdTokenValidationError, "Invalid issuer: #{claims['iss']}"
+        end
+        unless Array(claims['aud']).include?(client.id)
+          raise IdTokenValidationError, "Invalid audience: #{claims['aud']}"
+        end
+        if claims['exp'].nil? || Time.now.to_i > claims['exp'].to_i + 30
+          raise IdTokenValidationError, 'id_token has expired'
+        end
+      end
+
     end
   end
 end

data/lib/omniauth-yahoojp/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module YahooJp
-    VERSION = "1.0.0"
+    VERSION = "1.0.2"
   end
 end

data/spec/omniauth/strategies/yahoojp_spec.rb

@@ -26,9 +26,34 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
     end
   end
 
+  describe 'constants' do
+    it 'has correct JWKS_URI' do
+      expect(described_class::JWKS_URI).to eq('https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+    end
+
+    it 'has correct ISSUER' do
+      expect(described_class::ISSUER).to eq('https://auth.login.yahoo.co.jp/yconnect/v2')
+    end
+  end
+
   context 'with access_token' do
-    let(:jwt_payload) { { 'sub' => 'test123', 'name' => 'Test User', 'email' => 'test@example.com' } }
-    let(:jwt_string) { JSON::JWT.new(jwt_payload).to_s }
+    let(:rsa_key) { OpenSSL::PKey::RSA.generate(2048) }
+    let(:kid) { 'test-kid-1' }
+    let(:jwt_payload) do
+      {
+        'sub' => 'test123',
+        'name' => 'Test User',
+        'email' => 'test@example.com',
+        'iss' => 'https://auth.login.yahoo.co.jp/yconnect/v2',
+        'aud' => 'client_id',
+        'exp' => Time.now.to_i + 3600
+      }
+    end
+    let(:jwt_string) do
+      jwt = JSON::JWT.new(jwt_payload)
+      jwt.kid = kid
+      jwt.sign(rsa_key, :RS256).to_s
+    end
     let(:access_token) do
       instance_double(
         OAuth2::AccessToken,
@@ -43,6 +68,13 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
 
     before do
       allow(strategy).to receive(:access_token).and_return(access_token)
+      jwk = JSON::JWK.new(rsa_key, kid: kid)
+      stub_request(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+        .to_return(
+          status: 200,
+          body: { keys: [jwk] }.to_json,
+          headers: { 'Content-Type' => 'application/json' }
+        )
     end
 
     describe '#id_token' do
@@ -62,7 +94,7 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
     end
 
     describe '#id_token_claims' do
-      it 'decodes the JWT without verification' do
+      it 'decodes and verifies the JWT' do
         claims = strategy.id_token_claims
         expect(claims['sub']).to eq('test123')
         expect(claims['name']).to eq('Test User')
@@ -80,9 +112,158 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
         expect(strategy.id_token_claims).to be_nil
       end
 
-      it 'raises on malformed id_token' do
+      it 'returns nil without fetching JWKS when id_token is nil' do
+        allow(access_token).to receive(:params).and_return({})
+        strategy.id_token_claims
+        expect(WebMock).not_to have_requested(:get, 'https://auth.login.yahoo.co.jp/yconnect/v2/jwks')
+      end
+
+      it 'returns nil on malformed id_token' do
         allow(access_token).to receive(:params).and_return({ 'id_token' => 'not-a-jwt' })
-        expect { strategy.id_token_claims }.to raise_error(JSON::JWT::InvalidFormat)
+        expect(strategy.id_token_claims).to be_nil
+      end
+
+      context 'with invalid signature' do
+        let(:wrong_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:bad_jwt_string) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = kid
+          jwt.sign(wrong_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_jwt_string })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(JSON::JWS::VerificationFailed)
+        end
+      end
+
+      context 'with invalid issuer' do
+        let(:jwt_payload_bad_iss) { jwt_payload.merge('iss' => 'https://evil.example.com') }
+        let(:bad_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with issuer missing /yconnect/v2 suffix' do
+        let(:jwt_payload_wrong_iss) { jwt_payload.merge('iss' => 'https://auth.login.yahoo.co.jp') }
+        let(:wrong_iss_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_wrong_iss)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => wrong_iss_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid issuer/
+          )
+        end
+      end
+
+      context 'with invalid audience' do
+        let(:jwt_payload_bad_aud) { jwt_payload.merge('aud' => 'wrong_client_id') }
+        let(:bad_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_bad_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => bad_aud_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /Invalid audience/
+          )
+        end
+      end
+
+      context 'with audience as array including client_id' do
+        let(:jwt_payload_array_aud) { jwt_payload.merge('aud' => ['other_client', 'client_id']) }
+        let(:array_aud_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_array_aud)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => array_aud_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with expired token' do
+        let(:jwt_payload_expired) { jwt_payload.merge('exp' => Time.now.to_i - 60) }
+        let(:expired_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => expired_jwt })
+        end
+
+        it 'raises IdTokenValidationError' do
+          expect { strategy.id_token_claims }.to raise_error(
+            described_class::IdTokenValidationError, /expired/
+          )
+        end
+      end
+
+      context 'with token within 30-second leeway' do
+        let(:jwt_payload_just_expired) { jwt_payload.merge('exp' => Time.now.to_i - 10) }
+        let(:leeway_jwt) do
+          jwt = JSON::JWT.new(jwt_payload_just_expired)
+          jwt.kid = kid
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => leeway_jwt })
+        end
+
+        it 'accepts the token' do
+          expect { strategy.id_token_claims }.not_to raise_error
+        end
+      end
+
+      context 'with kid not found in JWKS' do
+        let(:jwt_with_unknown_kid) do
+          jwt = JSON::JWT.new(jwt_payload)
+          jwt.kid = 'unknown-kid'
+          jwt.sign(rsa_key, :RS256).to_s
+        end
+
+        before do
+          allow(access_token).to receive(:params).and_return({ 'id_token' => jwt_with_unknown_kid })
+        end
+
+        it 'raises an error' do
+          expect { strategy.id_token_claims }.to raise_error(StandardError)
+        end
       end
     end
 
@@ -146,6 +327,17 @@ RSpec.describe OmniAuth::Strategies::YahooJp do
           expect(strategy.raw_info).to eq({})
         end
       end
+
+      context 'with userinfo_access: false and malformed id_token' do
+        before do
+          strategy.options[:userinfo_access] = false
+          allow(access_token).to receive(:params).and_return({ 'id_token' => 'not-a-jwt' })
+        end
+
+        it 'returns an empty hash instead of raising' do
+          expect(strategy.raw_info).to eq({})
+        end
+      end
     end
 
     describe '#info' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-yahoojp
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.2
 platform: ruby
 authors:
 - mikanmarusan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-03-08 00:00:00.000000000 Z
+date: 2026-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -129,8 +129,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/claude-code-review.yml"
-- ".github/workflows/claude.yml"
 - ".gitignore"
 - ".rspec"
 - CLAUDE.md

data/.github/workflows/claude-code-review.yml

@@ -1,78 +0,0 @@
-name: Claude Code Review
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
-
-jobs:
-  claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
-    
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code Review
-        id: claude-review
-        uses: anthropics/claude-code-action@beta
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-
-          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
-          # model: "claude-opus-4-20250514"
-          
-          # Direct prompt for automated review (no @claude mention needed)
-          direct_prompt: |
-            Please review this pull request and provide feedback on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Performance considerations
-            - Security concerns
-            - Test coverage
-            
-            Be constructive and helpful in your feedback.
-
-          # Optional: Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
-          # use_sticky_comment: true
-          
-          # Optional: Customize review based on file types
-          # direct_prompt: |
-          #   Review this PR focusing on:
-          #   - For TypeScript files: Type safety and proper interface usage
-          #   - For API endpoints: Security, input validation, and error handling
-          #   - For React components: Performance, accessibility, and best practices
-          #   - For tests: Coverage, edge cases, and test quality
-          
-          # Optional: Different prompts for different authors
-          # direct_prompt: |
-          #   ${{ github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' && 
-          #   'Welcome! Please review this PR from a first-time contributor. Be encouraging and provide detailed explanations for any suggestions.' ||
-          #   'Please provide a thorough code review focusing on our coding standards and best practices.' }}
-          
-          # Optional: Add specific tools for running tests or linting
-          # allowed_tools: "Bash(npm run test),Bash(npm run lint),Bash(npm run typecheck)"
-          
-          # Optional: Skip review for certain conditions
-          # if: |
-          #   !contains(github.event.pull_request.title, '[skip-review]') &&
-          #   !contains(github.event.pull_request.title, '[WIP]')
-

data/.github/workflows/claude.yml

@@ -1,64 +0,0 @@
-name: Claude Code
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code
-        id: claude
-        uses: anthropics/claude-code-action@beta
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-
-          # This is an optional setting that allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-          
-          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
-          # model: "claude-opus-4-20250514"
-          
-          # Optional: Customize the trigger phrase (default: @claude)
-          # trigger_phrase: "/claude"
-          
-          # Optional: Trigger when specific user is assigned to an issue
-          # assignee_trigger: "claude-bot"
-          
-          # Optional: Allow Claude to run specific commands
-          # allowed_tools: "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
-          
-          # Optional: Add custom instructions for Claude to customize its behavior for your project
-          # custom_instructions: |
-          #   Follow our coding standards
-          #   Ensure all new code has tests
-          #   Use TypeScript for new files
-          
-          # Optional: Custom environment variables for Claude
-          # claude_env: |
-          #   NODE_ENV: test
-