omniauth 1.2.2 → 2.1.0

data/lib/omniauth/auth_hash.rb

@@ -1,11 +1,11 @@
-require 'hashie/mash'
+require 'omniauth/key_store'
 
 module OmniAuth
   # The AuthHash is a normalized schema returned by all OmniAuth
   # strategies. It maps as much user information as the provider
   # is able to provide into the InfoHash (stored as the `'info'`
   # key).
-  class AuthHash < Hashie::Mash
+  class AuthHash < OmniAuth::KeyStore
     def self.subkey_class
       Hashie::Mash
     end
@@ -20,13 +20,11 @@ module OmniAuth
     end
 
     def regular_writer(key, value)
-      if key.to_s == 'info' && !value.is_a?(InfoHash)
-        value = InfoHash.new(value)
-      end
+      value = InfoHash.new(value) if key.to_s == 'info' && value.is_a?(::Hash) && !value.is_a?(InfoHash)
       super
     end
 
-    class InfoHash < Hashie::Mash
+    class InfoHash < OmniAuth::KeyStore
       def self.subkey_class
         Hashie::Mash
       end
@@ -36,13 +34,14 @@ module OmniAuth
         return "#{first_name} #{last_name}".strip if first_name? || last_name?
         return nickname if nickname?
         return email if email?
+
         nil
       end
 
       def name?
-        !!name # rubocop:disable DoubleNegation
+        !!name
       end
-      alias_method :valid?, :name?
+      alias valid? name?
 
       def to_hash
         hash = super

data/lib/omniauth/authenticity_token_protection.rb

@@ -0,0 +1,32 @@
+require 'rack-protection'
+
+module OmniAuth
+  class AuthenticityError < StandardError; end
+  class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken
+    def initialize(options = {})
+      @options = default_options.merge(options)
+    end
+
+    def self.call(env)
+      new.call!(env)
+    end
+
+    def call!(env)
+      return if accepts?(env)
+
+      instrument env
+      react env
+    end
+
+    alias_method :call, :call!
+
+  private
+
+    def deny(_env)
+      OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
+      raise AuthenticityError.new(options[:message])
+    end
+
+    alias default_reaction deny
+  end
+end

data/lib/omniauth/builder.rb

@@ -1,20 +1,5 @@
 module OmniAuth
   class Builder < ::Rack::Builder
-    def initialize(app, &block)
-      @options = nil
-      if rack14?
-        super
-      else
-        @app = app
-        super(&block)
-        @ins << @app
-      end
-    end
-
-    def rack14?
-      Rack.release.split('.')[1].to_i >= 4
-    end
-
     def on_failure(&block)
       OmniAuth.config.on_failure = block
     end
@@ -36,23 +21,23 @@ module OmniAuth
     end
 
     def options(options = false)
-      return @options || {} if options == false
+      return @options ||= {} if options == false
+
       @options = options
     end
 
-    def provider(klass, *args, &block)
+    def provider(klass, *args, **opts, &block)
       if klass.is_a?(Class)
         middleware = klass
       else
         begin
-          middleware = OmniAuth::Strategies.const_get("#{OmniAuth::Utils.camelize(klass.to_s)}")
+          middleware = OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s, false)
         rescue NameError
           raise(LoadError.new("Could not find matching strategy for #{klass.inspect}. You may need to install an additional gem (such as omniauth-#{klass})."))
         end
       end
 
-      args.last.is_a?(Hash) ? args.push(options.merge(args.pop)) : args.push(options)
-      use middleware, *args, &block
+      use middleware, *args, **options.merge(opts), &block
     end
 
     def call(env)

data/lib/omniauth/failure_endpoint.rb

@@ -22,22 +22,33 @@ module OmniAuth
     end
 
     def raise_out!
-      fail(env['omniauth.error'] || OmniAuth::Error.new(env['omniauth.error.type']))
+      raise(env['omniauth.error'] || OmniAuth::Error.new(env['omniauth.error.type']))
     end
 
     def redirect_to_failure
       message_key = env['omniauth.error.type']
-      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}"
+
+      new_path = "#{env['SCRIPT_NAME']}#{strategy_path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
       Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
     end
 
+    def strategy_path_prefix
+      if env['omniauth.error.strategy']
+        env['omniauth.error.strategy'].path_prefix
+      else
+        OmniAuth.config.path_prefix
+      end
+    end
+
     def strategy_name_query_param
       return '' unless env['omniauth.error.strategy']
+
       "&strategy=#{env['omniauth.error.strategy'].name}"
     end
 
     def origin_query_param
       return '' unless env['omniauth.origin']
+
       "&origin=#{Rack::Utils.escape(env['omniauth.origin'])}"
     end
   end

data/lib/omniauth/form.css

@@ -56,7 +56,7 @@ input {
 }
 
 input#identifier, input#openid_url {
-  background: url(http://openid.net/login-bg.gif) no-repeat;
+  background: url(https://openid.net/images/login-bg.gif) no-repeat;
   background-position: 0 50%;
   padding-left: 18px;
 }

data/lib/omniauth/form.rb

@@ -1,5 +1,5 @@
 module OmniAuth
-  class Form # rubocop:disable ClassLength
+  class Form
     DEFAULT_CSS = File.read(File.expand_path('../form.css', __FILE__))
 
     attr_accessor :options
@@ -9,7 +9,7 @@ module OmniAuth
       options[:header_info] ||= ''
       self.options = options
 
-      @html = ''
+      @html = +'' # unary + string allows it to be mutable if strings are frozen
       @with_custom_button = false
       @footer = nil
       header(options[:title], options[:header_info])
@@ -82,6 +82,7 @@ module OmniAuth
 
     def footer
       return self if @footer
+
       @html << "\n<button type='submit'>Connect</button>" unless @with_custom_button
       @html << <<-HTML
       </form>

data/lib/omniauth/key_store.rb

@@ -0,0 +1,22 @@
+require 'hashie/mash'
+
+module OmniAuth
+  # Generic helper hash that allows method access on deeply nested keys.
+  class KeyStore < ::Hashie::Mash
+    # Disables warnings on Hashie 3.5.0+ for overwritten keys
+    def self.override_logging
+      require 'hashie/version'
+      return unless Gem::Version.new(Hashie::VERSION) >= Gem::Version.new('3.5.0')
+
+      if respond_to?(:disable_warnings)
+        disable_warnings
+      else
+        define_method(:log_built_in_message) { |*| }
+        private :log_built_in_message
+      end
+    end
+
+    # Disable on loading of the class
+    override_logging
+  end
+end

data/lib/omniauth/strategies/developer.rb

@@ -31,13 +31,13 @@ module OmniAuth
     class Developer
       include OmniAuth::Strategy
 
-      option :fields, [:name, :email]
+      option :fields, %i[name email]
       option :uid_field, :email
 
       def request_phase
         form = OmniAuth::Form.new(:title => 'User Info', :url => callback_path)
         options.fields.each do |field|
-          form.text_field field.to_s.capitalize.gsub('_', ' '), field.to_s
+          form.text_field field.to_s.capitalize.tr('_', ' '), field.to_s
         end
         form.button 'Sign In'
         form.to_response

data/lib/omniauth/strategy.rb

@@ -1,4 +1,4 @@
-require 'hashie/mash'
+require 'omniauth/key_store'
 
 module OmniAuth
   class NoSessionError < StandardError; end
@@ -6,7 +6,7 @@ module OmniAuth
   # wrangle multiple providers. Each strategy provided by
   # OmniAuth includes this mixin to gain the default functionality
   # necessary to be compatible with the OmniAuth library.
-  module Strategy
+  module Strategy # rubocop:disable ModuleLength
     def self.included(base)
       OmniAuth.strategies << base
 
@@ -14,6 +14,7 @@ module OmniAuth
       base.class_eval do
         option :setup, false
         option :skip_info, false
+        option :origin_param, 'origin'
       end
     end
 
@@ -21,9 +22,9 @@ module OmniAuth
       # Returns an inherited set of default options set at the class-level
       # for each strategy.
       def default_options
-        return @default_options if instance_variable_defined?(:@default_options) && @default_options
+        # existing = superclass.default_options if superclass.respond_to?(:default_options)
         existing = superclass.respond_to?(:default_options) ? superclass.default_options : {}
-        @default_options = OmniAuth::Strategy::Options.new(existing)
+        @default_options ||= OmniAuth::Strategy::Options.new(existing)
       end
 
       # This allows for more declarative subclassing of strategies by allowing
@@ -87,10 +88,13 @@ module OmniAuth
         (instance_variable_defined?(:@args) && @args) || existing
       end
 
-      %w(uid info extra credentials).each do |fetcher|
-        class_eval <<-RUBY
+      %w[uid info extra credentials].each do |fetcher|
+        class_eval <<-RUBY, __FILE__, __LINE__ + 1
+          attr_reader :#{fetcher}_proc
+          private :#{fetcher}_proc
+
           def #{fetcher}(&block)
-            return @#{fetcher}_proc unless block_given?
+            return #{fetcher}_proc unless block_given?
             @#{fetcher}_proc = block
           end
 
@@ -132,15 +136,16 @@ module OmniAuth
       @options = self.class.default_options.dup
 
       options.deep_merge!(args.pop) if args.last.is_a?(Hash)
-      options.name ||= self.class.to_s.split('::').last.downcase
+      options[:name] ||= self.class.to_s.split('::').last.downcase
 
       self.class.args.each do |arg|
         break if args.empty?
+
         options[arg] = args.shift
       end
 
       # Make sure that all of the args have been dealt with, otherwise error out.
-      fail(ArgumentError.new("Received wrong number of arguments. #{args.inspect}")) unless args.empty?
+      raise(ArgumentError.new("Received wrong number of arguments. #{args.inspect}")) unless args.empty?
 
       yield options if block_given?
     end
@@ -169,23 +174,54 @@ module OmniAuth
     # the request path is recognized.
     #
     # @param env [Hash] The Rack environment.
-    def call!(env) # rubocop:disable CyclomaticComplexity
+    def call!(env) # rubocop:disable CyclomaticComplexity, PerceivedComplexity
       unless env['rack.session']
         error = OmniAuth::NoSessionError.new('You must provide a session to use OmniAuth.')
-        fail(error)
+        raise(error)
       end
 
       @env = env
+
+      warn_if_using_get_on_request_path
+
       @env['omniauth.strategy'] = self if on_auth_path?
 
       return mock_call!(env) if OmniAuth.config.test_mode
-      return options_call if on_auth_path? && options_request?
-      return request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
-      return callback_call if on_callback_path?
-      return other_phase if respond_to?(:other_phase)
+
+      begin
+        return options_call if on_auth_path? && options_request?
+        return request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return callback_call if on_callback_path?
+        return other_phase if respond_to?(:other_phase)
+      rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
+        return fail!(e.message, e)
+      end
+
       @app.call(env)
     end
 
+    def warn_if_using_get_on_request_path
+      return unless on_request_path?
+      return unless OmniAuth.config.allowed_request_methods.include?(:get)
+      return if OmniAuth.config.silence_get_warning
+
+      log :warn, <<-WARN
+  You are using GET as an allowed request method for OmniAuth. This may leave
+  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
+  to its own routes. You should review the following resources to guide your
+  mitigation:
+  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+  https://github.com/omniauth/omniauth/issues/960
+  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+  https://github.com/omniauth/omniauth/pull/809
+
+  You can ignore this warning by setting:
+  OmniAuth.config.silence_get_warning = true
+      WARN
+    end
+
     # Responds to an OPTIONS request.
     def options_call
       OmniAuth.config.before_options_phase.call(env) if OmniAuth.config.before_options_phase
@@ -194,32 +230,41 @@ module OmniAuth
     end
 
     # Performs the steps necessary to run the request phase of a strategy.
-    def request_call # rubocop:disable CyclomaticComplexity, MethodLength
+    def request_call # rubocop:disable CyclomaticComplexity, MethodLength, PerceivedComplexity
       setup_phase
-      log :info, 'Request phase initiated.'
+      log :debug, 'Request phase initiated.'
+
       # store query params from the request url, extracted in the callback_phase
-      session['omniauth.params'] = request.params
+      session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
+
       if options.form.respond_to?(:call)
-        log :info, 'Rendering form from supplied Rack endpoint.'
+        log :debug, 'Rendering form from supplied Rack endpoint.'
         options.form.call(env)
       elsif options.form
-        log :info, 'Rendering form from underlying application.'
+        log :debug, 'Rendering form from underlying application.'
         call_app!
+      elsif !options.origin_param
+        request_phase
       else
-        if request.params['origin']
-          env['rack.session']['omniauth.origin'] = request.params['origin']
+        if request.params[options.origin_param]
+          env['rack.session']['omniauth.origin'] = request.params[options.origin_param]
         elsif env['HTTP_REFERER'] && !env['HTTP_REFERER'].match(/#{request_path}$/)
           env['rack.session']['omniauth.origin'] = env['HTTP_REFERER']
         end
+
         request_phase
       end
+    rescue OmniAuth::AuthenticityError => e
+      fail!(:authenticity_error, e)
     end
 
     # Performs the steps necessary to run the callback phase of a strategy.
     def callback_call
       setup_phase
-      log :info, 'Callback phase initiated.'
+      log :debug, 'Callback phase initiated.'
       @env['omniauth.origin'] = session.delete('omniauth.origin')
       @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
       @env['omniauth.params'] = session.delete('omniauth.params') || {}
@@ -234,8 +279,8 @@ module OmniAuth
     end
 
     def on_request_path?
-      if options.request_path.respond_to?(:call)
-        options.request_path.call(env)
+      if options[:request_path].respond_to?(:call)
+        options[:request_path].call(env)
       else
         on_path?(request_path)
       end
@@ -246,7 +291,7 @@ module OmniAuth
     end
 
     def on_path?(path)
-      current_path.casecmp(path) == 0
+      current_path.casecmp(path).zero?
     end
 
     def options_request?
@@ -257,20 +302,32 @@ module OmniAuth
     # in the event that OmniAuth has been configured to be
     # in test mode.
     def mock_call!(*)
-      return mock_request_call if on_request_path?
-      return mock_callback_call if on_callback_path?
+      begin
+        return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return mock_callback_call if on_callback_path?
+      rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
+        return fail!(e.message, e)
+      end
+
       call_app!
     end
 
     def mock_request_call
       setup_phase
 
-      session['omniauth.params'] = request.params
+      session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
-      if request.params['origin']
-        @env['rack.session']['omniauth.origin'] = request.params['origin']
-      elsif env['HTTP_REFERER'] && !env['HTTP_REFERER'].match(/#{request_path}$/)
-        @env['rack.session']['omniauth.origin'] = env['HTTP_REFERER']
+
+      if options.origin_param
+        if request.params[options.origin_param]
+          session['omniauth.origin'] = request.params[options.origin_param]
+        elsif env['HTTP_REFERER'] && !env['HTTP_REFERER'].match(/#{request_path}$/)
+          session['omniauth.origin'] = env['HTTP_REFERER']
+        end
       end
 
       redirect(callback_url)
@@ -278,14 +335,15 @@ module OmniAuth
 
     def mock_callback_call
       setup_phase
+      @env['omniauth.origin'] = session.delete('omniauth.origin')
+      @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
+      @env['omniauth.params'] = session.delete('omniauth.params') || {}
+
       mocked_auth = OmniAuth.mock_auth_for(name.to_s)
       if mocked_auth.is_a?(Symbol)
         fail!(mocked_auth)
       else
         @env['omniauth.auth'] = mocked_auth
-        @env['omniauth.params'] = session.delete('omniauth.params') || {}
-        @env['omniauth.origin'] = session.delete('omniauth.origin')
-        @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
         OmniAuth.config.before_callback_phase.call(@env) if OmniAuth.config.before_callback_phase
         call_app!
       end
@@ -297,10 +355,10 @@ module OmniAuth
     # underlying application. This will default to `/auth/:provider/setup`.
     def setup_phase
       if options[:setup].respond_to?(:call)
-        log :info, 'Setup endpoint detected, running now.'
+        log :debug, 'Setup endpoint detected, running now.'
         options[:setup].call(env)
-      elsif options.setup?
-        log :info, 'Calling through to underlying application for setup.'
+      elsif options[:setup]
+        log :debug, 'Calling through to underlying application for setup.'
         setup_env = env.merge('PATH_INFO' => setup_path, 'REQUEST_METHOD' => 'GET')
         call_app!(setup_env)
       end
@@ -310,7 +368,7 @@ module OmniAuth
     # perform any information gathering you need to be able to authenticate
     # the user in this phase.
     def request_phase
-      fail(NotImplementedError)
+      raise(NotImplementedError)
     end
 
     def uid
@@ -330,11 +388,13 @@ module OmniAuth
     end
 
     def auth_hash
-      hash = AuthHash.new(:provider => name, :uid => uid)
-      hash.info = info unless skip_info?
-      hash.credentials = credentials if credentials
-      hash.extra = extra if extra
-      hash
+      credentials_data = credentials
+      extra_data = extra
+      AuthHash.new(:provider => name, :uid => uid).tap do |auth|
+        auth.info = info unless skip_info?
+        auth.credentials = credentials_data if credentials_data
+        auth.extra = extra_data if extra_data
+      end
     end
 
     # Determines whether or not user info should be retrieved. This
@@ -347,14 +407,10 @@ module OmniAuth
     #
     #   use MyStrategy, :skip_info => lambda{|uid| User.find_by_uid(uid)}
     def skip_info?
-      if options.skip_info?
-        if options.skip_info.respond_to?(:call)
-          return options.skip_info.call(uid)
-        else
-          return true
-        end
-      end
-      false
+      return false unless options.skip_info?
+      return true unless options.skip_info.respond_to?(:call)
+
+      options.skip_info.call(uid)
     end
 
     def callback_phase
@@ -370,6 +426,7 @@ module OmniAuth
       if options[kind].respond_to?(:call)
         result = options[kind].call(env)
         return nil unless result.is_a?(String)
+
         result
       else
         options[kind]
@@ -377,23 +434,32 @@ module OmniAuth
     end
 
     def request_path
-      options[:request_path].is_a?(String) ? options[:request_path] : "#{path_prefix}/#{name}"
+      @request_path ||=
+        if options[:request_path].is_a?(String)
+          options[:request_path]
+        else
+          "#{script_name}#{path_prefix}/#{name}"
+        end
     end
 
     def callback_path
-      path = options[:callback_path] if options[:callback_path].is_a?(String)
-      path ||= current_path if options[:callback_path].respond_to?(:call) && options[:callback_path].call(env)
-      path ||= custom_path(:request_path)
-      path ||= "#{path_prefix}/#{name}/callback"
-      path
+      @callback_path ||= begin
+        path = options[:callback_path] if options[:callback_path].is_a?(String)
+        path ||= current_path if options[:callback_path].respond_to?(:call) && options[:callback_path].call(env)
+        path ||= custom_path(:request_path)
+        path ||= "#{script_name}#{path_prefix}/#{name}/callback"
+        path
+      end
     end
 
     def setup_path
       options[:setup_path] || "#{path_prefix}/#{name}/setup"
     end
 
+    CURRENT_PATH_REGEX = %r{/$}.freeze
+    EMPTY_STRING       = ''.freeze
     def current_path
-      request.path_info.downcase.sub(/\/$/, '')
+      @current_path ||= request.path.downcase.sub(CURRENT_PATH_REGEX, EMPTY_STRING)
     end
 
     def query_string
@@ -402,6 +468,9 @@ module OmniAuth
 
     def call_app!(env = @env)
       @app.call(env)
+    rescue StandardError => e
+      env['omniauth.error.app'] = true
+      raise e
     end
 
     def full_host
@@ -425,7 +494,7 @@ module OmniAuth
     end
 
     def callback_url
-      full_host + script_name + callback_path + query_string
+      full_host + callback_path + query_string
     end
 
     def script_name
@@ -441,7 +510,7 @@ module OmniAuth
     end
 
     def name
-      options.name
+      options[:name]
     end
 
     def redirect(uri)
@@ -475,10 +544,15 @@ module OmniAuth
       OmniAuth.config.on_failure.call(env)
     end
 
-    class Options < Hashie::Mash; end
+    class Options < OmniAuth::KeyStore; end
 
   protected
 
+    def initialize_copy(*args)
+      super
+      @options = @options.dup
+    end
+
     def merge_stack(stack)
       stack.inject({}) do |a, e|
         a.merge!(e)
@@ -488,10 +562,10 @@ module OmniAuth
 
     def ssl?
       request.env['HTTPS'] == 'on' ||
-      request.env['HTTP_X_FORWARDED_SSL'] == 'on' ||
-      request.env['HTTP_X_FORWARDED_SCHEME'] == 'https' ||
-      (request.env['HTTP_X_FORWARDED_PROTO'] && request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0] == 'https') ||
-      request.env['rack.url_scheme'] == 'https'
+        request.env['HTTP_X_FORWARDED_SSL'] == 'on' ||
+        request.env['HTTP_X_FORWARDED_SCHEME'] == 'https' ||
+        (request.env['HTTP_X_FORWARDED_PROTO'] && request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0] == 'https') ||
+        request.env['rack.url_scheme'] == 'https'
     end
   end
 end

data/lib/omniauth/test/strategy_test_case.rb

@@ -10,7 +10,7 @@ module OmniAuth
     #     include OmniAuth::Test::StrategyTestCase
     #     def strategy
     #       # return the parameters to a Rack::Builder map call:
-    #       [MyStrategy.new, :some, :configuration, :options => 'here']
+    #       [MyStrategy, :some, :configuration, :options => 'here']
     #     end
     #     setup do
     #       post '/auth/my_strategy/callback', :user => { 'name' => 'Dylan', 'id' => '445' }
@@ -37,7 +37,7 @@ module OmniAuth
 
       def strategy
         error = NotImplementedError.new('Including specs must define #strategy')
-        fail(error)
+        raise(error)
       end
     end
   end