omniauth 1.7.1 → 2.0.0.pre.rc1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of omniauth might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/.github/workflows/main.yml +89 -0
- data/.gitignore +1 -0
- data/.rubocop.yml +18 -9
- data/Gemfile +11 -9
- data/README.md +16 -14
- data/Rakefile +2 -1
- data/lib/omniauth.rb +19 -7
- data/lib/omniauth/auth_hash.rb +2 -3
- data/lib/omniauth/authenticity_token_protection.rb +30 -0
- data/lib/omniauth/builder.rb +3 -21
- data/lib/omniauth/failure_endpoint.rb +12 -1
- data/lib/omniauth/form.rb +2 -1
- data/lib/omniauth/strategy.rb +74 -28
- data/lib/omniauth/version.rb +1 -1
- data/omniauth.gemspec +4 -3
- metadata +24 -16
- data/.travis.yml +0 -21
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 64c7c6198527bbc43fcb69315ecc7858a176ccbac1f0af1989c88bd8e46c7e54
|
4
|
+
data.tar.gz: 72b31deadccc89cce6a5d68ffb85fe871507ad6ae0a23773aa76e24eb480e742
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: af36281b2c7f7b529178575ad3fe5ea5855ae2a6fb6209879166a789c5d3d7a1b82c4c4f57f0d6a993be7a54de2af13c19e69e38e8186d23cf68a3f2037afd1f
|
7
|
+
data.tar.gz: 9e83a612a3db233bd03783d322448be10ab2db745b48c80651f6b370686b5e6199fefc007fbbca6bfb78ef4b400c161e51db3dc499a798008aab0d91ea85e183
|
@@ -0,0 +1,89 @@
|
|
1
|
+
# This workflow uses actions that are not certified by GitHub.
|
2
|
+
# They are provided by a third-party and are governed by
|
3
|
+
# separate terms of service, privacy policy, and support
|
4
|
+
# documentation.
|
5
|
+
# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
|
6
|
+
# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
|
7
|
+
|
8
|
+
name: Ruby
|
9
|
+
|
10
|
+
on:
|
11
|
+
push:
|
12
|
+
branches: [ master, 2_0-indev ]
|
13
|
+
pull_request:
|
14
|
+
branches: [ master, 2_0-indev ]
|
15
|
+
|
16
|
+
jobs:
|
17
|
+
test:
|
18
|
+
runs-on: ubuntu-18.04
|
19
|
+
strategy:
|
20
|
+
fail-fast: false
|
21
|
+
matrix:
|
22
|
+
os: [ubuntu, macos]
|
23
|
+
ruby: [2.5, 2.6, 2.7, head, debug, truffleruby, truffleruby-head]
|
24
|
+
steps:
|
25
|
+
- uses: actions/checkout@v2
|
26
|
+
- name: Set up Ruby
|
27
|
+
uses: ruby/setup-ruby@v1
|
28
|
+
with:
|
29
|
+
ruby-version: ${{ matrix.ruby }}
|
30
|
+
bundler-cache: true
|
31
|
+
- name: Install dependencies
|
32
|
+
run: bundle install
|
33
|
+
- name: Run tests
|
34
|
+
run: bundle exec rake
|
35
|
+
test-jruby:
|
36
|
+
runs-on: ubuntu-18.04
|
37
|
+
strategy:
|
38
|
+
fail-fast: false
|
39
|
+
matrix:
|
40
|
+
os: [ubuntu, macos]
|
41
|
+
jruby: [jruby, jruby-head]
|
42
|
+
steps:
|
43
|
+
- uses: actions/checkout@v2
|
44
|
+
- name: Set up Ruby
|
45
|
+
uses: ruby/setup-ruby@v1
|
46
|
+
with:
|
47
|
+
ruby-version: ${{ matrix.jruby }}
|
48
|
+
bundler-cache: true
|
49
|
+
- name: Install dependencies
|
50
|
+
env:
|
51
|
+
JRUBY_OPTS: --debug
|
52
|
+
run: bundle install
|
53
|
+
- name: Run tests
|
54
|
+
env:
|
55
|
+
JRUBY_OPTS: --debug
|
56
|
+
run: bundle exec rake
|
57
|
+
frozen-string-compat:
|
58
|
+
runs-on: ubuntu-18.04
|
59
|
+
steps:
|
60
|
+
- uses: actions/checkout@v2
|
61
|
+
- name: Set up Ruby
|
62
|
+
uses: ruby/setup-ruby@v1
|
63
|
+
with:
|
64
|
+
ruby-version: 2.6
|
65
|
+
bundler-cache: true
|
66
|
+
- name: Install dependencies
|
67
|
+
run: bundle install
|
68
|
+
- name: Run tests
|
69
|
+
env:
|
70
|
+
RUBYOPT: "--enable-frozen-string-literal"
|
71
|
+
run: bundle exec rake
|
72
|
+
coveralls:
|
73
|
+
runs-on: ubuntu-18.04
|
74
|
+
steps:
|
75
|
+
- uses: actions/checkout@v2
|
76
|
+
- name: Set up Ruby
|
77
|
+
uses: ruby/setup-ruby@v1
|
78
|
+
with:
|
79
|
+
ruby-version: 2.6
|
80
|
+
bundler-cache: true
|
81
|
+
- name: Install dependencies
|
82
|
+
run: bundle install
|
83
|
+
- name: Run tests
|
84
|
+
run: bundle exec rake
|
85
|
+
- name: Coveralls GitHub Action
|
86
|
+
uses: coverallsapp/github-action@v1.1.2
|
87
|
+
with:
|
88
|
+
github-token: ${{ secrets.github_token }}
|
89
|
+
path-to-lcov: './coverage/lcov/omniauth.lcov'
|
data/.gitignore
CHANGED
data/.rubocop.yml
CHANGED
@@ -1,3 +1,18 @@
|
|
1
|
+
AllCops:
|
2
|
+
TargetRubyVersion: 2.2
|
3
|
+
|
4
|
+
Layout/AccessModifierIndentation:
|
5
|
+
EnforcedStyle: outdent
|
6
|
+
|
7
|
+
Layout/AlignHash:
|
8
|
+
Enabled: false
|
9
|
+
|
10
|
+
Layout/DotPosition:
|
11
|
+
EnforcedStyle: trailing
|
12
|
+
|
13
|
+
Layout/SpaceInsideHashLiteralBraces:
|
14
|
+
EnforcedStyle: no_space
|
15
|
+
|
1
16
|
Lint/HandleExceptions:
|
2
17
|
Enabled: false
|
3
18
|
|
@@ -22,9 +37,6 @@ Metrics/ParameterLists:
|
|
22
37
|
Metrics/AbcSize:
|
23
38
|
Enabled: false
|
24
39
|
|
25
|
-
Style/AccessModifierIndentation:
|
26
|
-
EnforcedStyle: outdent
|
27
|
-
|
28
40
|
Style/CollectionMethods:
|
29
41
|
PreferredMethods:
|
30
42
|
map: 'collect'
|
@@ -35,9 +47,6 @@ Style/CollectionMethods:
|
|
35
47
|
Style/Documentation:
|
36
48
|
Enabled: false
|
37
49
|
|
38
|
-
Style/DotPosition:
|
39
|
-
EnforcedStyle: trailing
|
40
|
-
|
41
50
|
Style/DoubleNegation:
|
42
51
|
Enabled: false
|
43
52
|
|
@@ -47,6 +56,9 @@ Style/EachWithObject:
|
|
47
56
|
Style/Encoding:
|
48
57
|
Enabled: false
|
49
58
|
|
59
|
+
Style/ExpandPathArguments:
|
60
|
+
Enabled: false
|
61
|
+
|
50
62
|
Style/HashSyntax:
|
51
63
|
EnforcedStyle: hash_rockets
|
52
64
|
|
@@ -55,6 +67,3 @@ Style/Lambda:
|
|
55
67
|
|
56
68
|
Style/RaiseArgs:
|
57
69
|
EnforcedStyle: compact
|
58
|
-
|
59
|
-
Style/SpaceInsideHashLiteralBraces:
|
60
|
-
EnforcedStyle: no_space
|
data/Gemfile
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
|
-
gem 'jruby-openssl', '~> 0.
|
3
|
+
gem 'jruby-openssl', '~> 0.10.5', :platforms => :jruby
|
4
4
|
gem 'rake', '>= 12.0'
|
5
|
-
gem 'yard', '>= 0.9'
|
5
|
+
gem 'yard', '>= 0.9.11'
|
6
6
|
|
7
7
|
group :development do
|
8
8
|
gem 'benchmark-ips'
|
@@ -12,16 +12,18 @@ group :development do
|
|
12
12
|
end
|
13
13
|
|
14
14
|
group :test do
|
15
|
-
gem '
|
16
|
-
gem 'hashie', '>= 3.4.6', '
|
17
|
-
gem 'json', '~> 2.0
|
15
|
+
gem 'coveralls_reborn', '~> 0.19.0', require: false
|
16
|
+
gem 'hashie', '>= 3.4.6', '~> 4.0.0', :platforms => [:jruby_18]
|
17
|
+
gem 'json', '~> 2.3.0', :platforms => %i[jruby_18 jruby_19 ruby_19]
|
18
18
|
gem 'mime-types', '~> 3.1', :platforms => [:jruby_18]
|
19
|
-
gem 'rack', '>=
|
19
|
+
gem 'rack', '>= 2.0.6', :platforms => %i[jruby_18 jruby_19 ruby_19 ruby_20 ruby_21]
|
20
20
|
gem 'rack-test'
|
21
21
|
gem 'rest-client', '~> 2.0.0', :platforms => [:jruby_18]
|
22
|
-
gem 'rspec', '~> 3.5
|
23
|
-
gem '
|
24
|
-
gem '
|
22
|
+
gem 'rspec', '~> 3.5'
|
23
|
+
gem 'rack-freeze'
|
24
|
+
gem 'rubocop', '>= 0.58.2', '< 0.69.0', :platforms => %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
|
25
|
+
gem 'simplecov-lcov'
|
26
|
+
gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
|
25
27
|
end
|
26
28
|
|
27
29
|
gemspec
|
data/README.md
CHANGED
@@ -2,14 +2,11 @@
|
|
2
2
|
|
3
3
|
[![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
|
4
4
|
[![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
|
5
|
-
[![
|
6
|
-
[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth.svg)][codeclimate]
|
5
|
+
[![Code Climate](https://api.codeclimate.com/v1/badges/ffd33970723587806744/maintainability)][codeclimate]
|
7
6
|
[![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]
|
8
|
-
[![Security](https://hakiri.io/github/omniauth/omniauth/master.svg)](https://hakiri.io/github/omniauth/omniauth/master)
|
9
7
|
|
10
8
|
[gem]: https://rubygems.org/gems/omniauth
|
11
9
|
[travis]: http://travis-ci.org/omniauth/omniauth
|
12
|
-
[gemnasium]: https://gemnasium.com/omniauth/omniauth
|
13
10
|
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth
|
14
11
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth
|
15
12
|
|
@@ -34,8 +31,8 @@ development and easily swap in other strategies later.
|
|
34
31
|
## Getting Started
|
35
32
|
Each OmniAuth strategy is a Rack Middleware. That means that you can use
|
36
33
|
it the same way that you use any other Rack middleware. For example, to
|
37
|
-
use the built-in Developer strategy in a Sinatra application
|
38
|
-
this:
|
34
|
+
use the built-in Developer strategy in a Sinatra application you might
|
35
|
+
do this:
|
39
36
|
|
40
37
|
```ruby
|
41
38
|
require 'sinatra'
|
@@ -47,7 +44,7 @@ class MyApplication < Sinatra::Base
|
|
47
44
|
end
|
48
45
|
```
|
49
46
|
|
50
|
-
Because OmniAuth is built for *multi-provider* authentication,
|
47
|
+
Because OmniAuth is built for *multi-provider* authentication, you may
|
51
48
|
want to leave room to run multiple strategies. For this, the built-in
|
52
49
|
`OmniAuth::Builder` class gives you an easy way to specify multiple
|
53
50
|
strategies. Note that there is **no difference** between the following
|
@@ -84,18 +81,21 @@ environment of a request to `/auth/:provider/callback`. This hash
|
|
84
81
|
contains as much information about the user as OmniAuth was able to
|
85
82
|
glean from the utilized strategy. You should set up an endpoint in your
|
86
83
|
application that matches to the callback URL and then performs whatever
|
87
|
-
steps are necessary for your application. For example, in a Rails app
|
88
|
-
would add a line in
|
84
|
+
steps are necessary for your application. For example, in a Rails app
|
85
|
+
you would add a line in your `routes.rb` file like this:
|
89
86
|
|
90
87
|
```ruby
|
91
|
-
|
88
|
+
post '/auth/:provider/callback', to: 'sessions#create'
|
92
89
|
```
|
93
90
|
|
94
|
-
And
|
91
|
+
And you might then have a `SessionsController` with code that looks
|
95
92
|
something like this:
|
96
93
|
|
97
94
|
```ruby
|
98
95
|
class SessionsController < ApplicationController
|
96
|
+
# If you're using a strategy that POSTs during callback, you'll need to skip the authenticity token check for the callback action only.
|
97
|
+
skip_before_action :verify_authenticity_token, only: :create
|
98
|
+
|
99
99
|
def create
|
100
100
|
@user = User.find_or_create_from_auth_hash(auth_hash)
|
101
101
|
self.current_user = @user
|
@@ -110,7 +110,7 @@ class SessionsController < ApplicationController
|
|
110
110
|
end
|
111
111
|
```
|
112
112
|
|
113
|
-
The `omniauth.auth` key in the environment hash
|
113
|
+
The `omniauth.auth` key in the environment hash provides an
|
114
114
|
Authentication Hash which will contain information about the just
|
115
115
|
authenticated user including a unique id, the strategy they just used
|
116
116
|
for authentication, and personal details such as name and email address
|
@@ -122,6 +122,8 @@ environment information on the callback request. It is entirely up to
|
|
122
122
|
you how you want to implement the particulars of your application's
|
123
123
|
authentication flow.
|
124
124
|
|
125
|
+
**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found on the [Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).
|
126
|
+
|
125
127
|
## Configuring The `origin` Param
|
126
128
|
The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to.
|
127
129
|
|
@@ -163,7 +165,7 @@ a `session_store.rb` initializer, add `use ActionDispatch::Session::CookieStore`
|
|
163
165
|
and have sessions functioning as normal.
|
164
166
|
|
165
167
|
To be clear: sessions may work, but your session options will be ignored
|
166
|
-
(i.e the session key will default to `_session_id`). Instead of the
|
168
|
+
(i.e. the session key will default to `_session_id`). Instead of the
|
167
169
|
initializer, you'll have to set the relevant options somewhere
|
168
170
|
before your middleware is built (like `application.rb`) and pass them to your
|
169
171
|
preferred middleware, like this:
|
@@ -194,7 +196,7 @@ your first stop if you are wondering about a more in-depth look at
|
|
194
196
|
OmniAuth, how it works, and how to use it.
|
195
197
|
|
196
198
|
## Supported Ruby Versions
|
197
|
-
OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, and JRuby.
|
199
|
+
OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, 2.5.0, and JRuby.
|
198
200
|
|
199
201
|
## Versioning
|
200
202
|
This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations
|
data/Rakefile
CHANGED
@@ -10,7 +10,7 @@ begin
|
|
10
10
|
RuboCop::RakeTask.new
|
11
11
|
rescue LoadError
|
12
12
|
task :rubocop do
|
13
|
-
|
13
|
+
warn 'RuboCop is disabled'
|
14
14
|
end
|
15
15
|
end
|
16
16
|
|
@@ -30,6 +30,7 @@ namespace :perf do
|
|
30
30
|
def call_app(path = ENV['GET_PATH'] || '/')
|
31
31
|
result = @app.get(path)
|
32
32
|
raise "Did not succeed #{result.body}" unless result.status == 200
|
33
|
+
|
33
34
|
result
|
34
35
|
end
|
35
36
|
end
|
data/lib/omniauth.rb
CHANGED
@@ -15,6 +15,7 @@ module OmniAuth
|
|
15
15
|
autoload :Form, 'omniauth/form'
|
16
16
|
autoload :AuthHash, 'omniauth/auth_hash'
|
17
17
|
autoload :FailureEndpoint, 'omniauth/failure_endpoint'
|
18
|
+
autoload :AuthenticityTokenProtection, 'omniauth/authenticity_token_protection'
|
18
19
|
|
19
20
|
def self.strategies
|
20
21
|
@strategies ||= []
|
@@ -29,20 +30,22 @@ module OmniAuth
|
|
29
30
|
logger
|
30
31
|
end
|
31
32
|
|
32
|
-
def self.defaults
|
33
|
+
def self.defaults # rubocop:disable MethodLength
|
33
34
|
@defaults ||= {
|
34
35
|
:camelizations => {},
|
35
36
|
:path_prefix => '/auth',
|
36
37
|
:on_failure => OmniAuth::FailureEndpoint,
|
37
38
|
:failure_raise_out_environments => ['development'],
|
39
|
+
:request_validation_phase => OmniAuth::AuthenticityTokenProtection,
|
38
40
|
:before_request_phase => nil,
|
39
41
|
:before_callback_phase => nil,
|
40
42
|
:before_options_phase => nil,
|
41
43
|
:form_css => Form::DEFAULT_CSS,
|
42
44
|
:test_mode => false,
|
43
45
|
:logger => default_logger,
|
44
|
-
:allowed_request_methods => %i[
|
45
|
-
:mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' => '1234', 'info' => {'name' => 'Example User'})}
|
46
|
+
:allowed_request_methods => %i[post],
|
47
|
+
:mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' => '1234', 'info' => {'name' => 'Example User'})},
|
48
|
+
:silence_get_warning => false
|
46
49
|
}
|
47
50
|
end
|
48
51
|
|
@@ -74,6 +77,14 @@ module OmniAuth
|
|
74
77
|
end
|
75
78
|
end
|
76
79
|
|
80
|
+
def request_validation_phase(&block)
|
81
|
+
if block_given?
|
82
|
+
@request_validation_phase = block
|
83
|
+
else
|
84
|
+
@request_validation_phase
|
85
|
+
end
|
86
|
+
end
|
87
|
+
|
77
88
|
def before_request_phase(&block)
|
78
89
|
if block_given?
|
79
90
|
@before_request_phase = block
|
@@ -111,8 +122,9 @@ module OmniAuth
|
|
111
122
|
camelizations[name.to_s] = camelized.to_s
|
112
123
|
end
|
113
124
|
|
114
|
-
attr_writer :on_failure, :before_callback_phase, :before_options_phase, :before_request_phase
|
115
|
-
attr_accessor :failure_raise_out_environments, :path_prefix, :allowed_request_methods, :form_css,
|
125
|
+
attr_writer :on_failure, :before_callback_phase, :before_options_phase, :before_request_phase, :request_validation_phase
|
126
|
+
attr_accessor :failure_raise_out_environments, :path_prefix, :allowed_request_methods, :form_css,
|
127
|
+
:test_mode, :mock_auth, :full_host, :camelizations, :logger, :silence_get_warning
|
116
128
|
end
|
117
129
|
|
118
130
|
def self.config
|
@@ -132,7 +144,7 @@ module OmniAuth
|
|
132
144
|
end
|
133
145
|
|
134
146
|
module Utils
|
135
|
-
module_function
|
147
|
+
module_function # rubocop:disable Layout/IndentationWidth
|
136
148
|
|
137
149
|
def form_css
|
138
150
|
"<style type='text/css'>#{OmniAuth.config.form_css}</style>"
|
@@ -159,7 +171,7 @@ module OmniAuth
|
|
159
171
|
if first_letter_in_uppercase
|
160
172
|
word.to_s.gsub(%r{/(.?)}) { '::' + Regexp.last_match[1].upcase }.gsub(/(^|_)(.)/) { Regexp.last_match[2].upcase }
|
161
173
|
else
|
162
|
-
word.
|
174
|
+
camelize(word).tap { |w| w[0] = w[0].downcase }
|
163
175
|
end
|
164
176
|
end
|
165
177
|
end
|
data/lib/omniauth/auth_hash.rb
CHANGED
@@ -20,9 +20,7 @@ module OmniAuth
|
|
20
20
|
end
|
21
21
|
|
22
22
|
def regular_writer(key, value)
|
23
|
-
if key.to_s == 'info' && value.is_a?(::Hash) && !value.is_a?(InfoHash)
|
24
|
-
value = InfoHash.new(value)
|
25
|
-
end
|
23
|
+
value = InfoHash.new(value) if key.to_s == 'info' && value.is_a?(::Hash) && !value.is_a?(InfoHash)
|
26
24
|
super
|
27
25
|
end
|
28
26
|
|
@@ -36,6 +34,7 @@ module OmniAuth
|
|
36
34
|
return "#{first_name} #{last_name}".strip if first_name? || last_name?
|
37
35
|
return nickname if nickname?
|
38
36
|
return email if email?
|
37
|
+
|
39
38
|
nil
|
40
39
|
end
|
41
40
|
|
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'rack-protection'
|
2
|
+
|
3
|
+
module OmniAuth
|
4
|
+
class AuthenticityError < StandardError; end
|
5
|
+
class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken
|
6
|
+
def initialize(options = {})
|
7
|
+
@options = default_options.merge(options)
|
8
|
+
end
|
9
|
+
|
10
|
+
def self.call(env)
|
11
|
+
new.call!(env)
|
12
|
+
end
|
13
|
+
|
14
|
+
def call!(env)
|
15
|
+
return if accepts?(env)
|
16
|
+
|
17
|
+
instrument env
|
18
|
+
react env
|
19
|
+
end
|
20
|
+
|
21
|
+
private
|
22
|
+
|
23
|
+
def deny(_env)
|
24
|
+
OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
|
25
|
+
raise AuthenticityError.new(options[:message])
|
26
|
+
end
|
27
|
+
|
28
|
+
alias default_reaction deny
|
29
|
+
end
|
30
|
+
end
|
data/lib/omniauth/builder.rb
CHANGED
@@ -1,24 +1,5 @@
|
|
1
1
|
module OmniAuth
|
2
2
|
class Builder < ::Rack::Builder
|
3
|
-
def initialize(app, &block)
|
4
|
-
@options = nil
|
5
|
-
if rack14? || rack2?
|
6
|
-
super
|
7
|
-
else
|
8
|
-
@app = app
|
9
|
-
super(&block)
|
10
|
-
@ins << @app
|
11
|
-
end
|
12
|
-
end
|
13
|
-
|
14
|
-
def rack14?
|
15
|
-
Rack.release.start_with?('1.') && (Rack.release.split('.')[1].to_i >= 4)
|
16
|
-
end
|
17
|
-
|
18
|
-
def rack2?
|
19
|
-
Rack.release.start_with? '2.'
|
20
|
-
end
|
21
|
-
|
22
3
|
def on_failure(&block)
|
23
4
|
OmniAuth.config.on_failure = block
|
24
5
|
end
|
@@ -40,7 +21,8 @@ module OmniAuth
|
|
40
21
|
end
|
41
22
|
|
42
23
|
def options(options = false)
|
43
|
-
return @options
|
24
|
+
return @options ||= {} if options == false
|
25
|
+
|
44
26
|
@options = options
|
45
27
|
end
|
46
28
|
|
@@ -49,7 +31,7 @@ module OmniAuth
|
|
49
31
|
middleware = klass
|
50
32
|
else
|
51
33
|
begin
|
52
|
-
middleware = OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s)
|
34
|
+
middleware = OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s, false)
|
53
35
|
rescue NameError
|
54
36
|
raise(LoadError.new("Could not find matching strategy for #{klass.inspect}. You may need to install an additional gem (such as omniauth-#{klass})."))
|
55
37
|
end
|
@@ -27,17 +27,28 @@ module OmniAuth
|
|
27
27
|
|
28
28
|
def redirect_to_failure
|
29
29
|
message_key = env['omniauth.error.type']
|
30
|
-
|
30
|
+
|
31
|
+
new_path = "#{env['SCRIPT_NAME']}#{strategy_path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
|
31
32
|
Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
|
32
33
|
end
|
33
34
|
|
35
|
+
def strategy_path_prefix
|
36
|
+
if env['omniauth.error.strategy']
|
37
|
+
env['omniauth.error.strategy'].path_prefix
|
38
|
+
else
|
39
|
+
OmniAuth.config.path_prefix
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
34
43
|
def strategy_name_query_param
|
35
44
|
return '' unless env['omniauth.error.strategy']
|
45
|
+
|
36
46
|
"&strategy=#{env['omniauth.error.strategy'].name}"
|
37
47
|
end
|
38
48
|
|
39
49
|
def origin_query_param
|
40
50
|
return '' unless env['omniauth.origin']
|
51
|
+
|
41
52
|
"&origin=#{Rack::Utils.escape(env['omniauth.origin'])}"
|
42
53
|
end
|
43
54
|
end
|
data/lib/omniauth/form.rb
CHANGED
@@ -9,7 +9,7 @@ module OmniAuth
|
|
9
9
|
options[:header_info] ||= ''
|
10
10
|
self.options = options
|
11
11
|
|
12
|
-
@html = ''
|
12
|
+
@html = +'' # unary + string allows it to be mutable if strings are frozen
|
13
13
|
@with_custom_button = false
|
14
14
|
@footer = nil
|
15
15
|
header(options[:title], options[:header_info])
|
@@ -82,6 +82,7 @@ module OmniAuth
|
|
82
82
|
|
83
83
|
def footer
|
84
84
|
return self if @footer
|
85
|
+
|
85
86
|
@html << "\n<button type='submit'>Connect</button>" unless @with_custom_button
|
86
87
|
@html << <<-HTML
|
87
88
|
</form>
|
data/lib/omniauth/strategy.rb
CHANGED
@@ -140,6 +140,7 @@ module OmniAuth
|
|
140
140
|
|
141
141
|
self.class.args.each do |arg|
|
142
142
|
break if args.empty?
|
143
|
+
|
143
144
|
options[arg] = args.shift
|
144
145
|
end
|
145
146
|
|
@@ -179,17 +180,44 @@ module OmniAuth
|
|
179
180
|
raise(error)
|
180
181
|
end
|
181
182
|
|
183
|
+
warn_if_using_get
|
184
|
+
|
182
185
|
@env = env
|
183
186
|
@env['omniauth.strategy'] = self if on_auth_path?
|
184
187
|
|
185
188
|
return mock_call!(env) if OmniAuth.config.test_mode
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
189
|
+
|
190
|
+
begin
|
191
|
+
return options_call if on_auth_path? && options_request?
|
192
|
+
return request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
|
193
|
+
return callback_call if on_callback_path?
|
194
|
+
return other_phase if respond_to?(:other_phase)
|
195
|
+
rescue StandardError => e
|
196
|
+
return fail!(e.message, e)
|
197
|
+
end
|
198
|
+
|
190
199
|
@app.call(env)
|
191
200
|
end
|
192
201
|
|
202
|
+
def warn_if_using_get
|
203
|
+
return unless OmniAuth.config.allowed_request_methods.include?(:get)
|
204
|
+
return if OmniAuth.config.silence_get_warning
|
205
|
+
|
206
|
+
log :warn, <<-WARN
|
207
|
+
You are using GET as an allowed request method for OmniAuth. This may leave
|
208
|
+
you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
|
209
|
+
to its own routes. You should review the following resources to guide your
|
210
|
+
mitigation:
|
211
|
+
https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
|
212
|
+
https://github.com/omniauth/omniauth/issues/960
|
213
|
+
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
|
214
|
+
https://github.com/omniauth/omniauth/pull/809
|
215
|
+
|
216
|
+
You can ignore this warning by setting:
|
217
|
+
OmniAuth.config.silence_get_warning = true
|
218
|
+
WARN
|
219
|
+
end
|
220
|
+
|
193
221
|
# Responds to an OPTIONS request.
|
194
222
|
def options_call
|
195
223
|
OmniAuth.config.before_options_phase.call(env) if OmniAuth.config.before_options_phase
|
@@ -200,17 +228,19 @@ module OmniAuth
|
|
200
228
|
# Performs the steps necessary to run the request phase of a strategy.
|
201
229
|
def request_call # rubocop:disable CyclomaticComplexity, MethodLength, PerceivedComplexity
|
202
230
|
setup_phase
|
203
|
-
log :
|
231
|
+
log :debug, 'Request phase initiated.'
|
204
232
|
|
205
233
|
# store query params from the request url, extracted in the callback_phase
|
206
234
|
session['omniauth.params'] = request.GET
|
235
|
+
|
236
|
+
OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
|
207
237
|
OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
|
208
238
|
|
209
239
|
if options.form.respond_to?(:call)
|
210
|
-
log :
|
240
|
+
log :debug, 'Rendering form from supplied Rack endpoint.'
|
211
241
|
options.form.call(env)
|
212
242
|
elsif options.form
|
213
|
-
log :
|
243
|
+
log :debug, 'Rendering form from underlying application.'
|
214
244
|
call_app!
|
215
245
|
elsif !options.origin_param
|
216
246
|
request_phase
|
@@ -223,12 +253,14 @@ module OmniAuth
|
|
223
253
|
|
224
254
|
request_phase
|
225
255
|
end
|
256
|
+
rescue OmniAuth::AuthenticityError => e
|
257
|
+
fail!(:authenticity_error, e)
|
226
258
|
end
|
227
259
|
|
228
260
|
# Performs the steps necessary to run the callback phase of a strategy.
|
229
261
|
def callback_call
|
230
262
|
setup_phase
|
231
|
-
log :
|
263
|
+
log :debug, 'Callback phase initiated.'
|
232
264
|
@env['omniauth.origin'] = session.delete('omniauth.origin')
|
233
265
|
@env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
|
234
266
|
@env['omniauth.params'] = session.delete('omniauth.params') || {}
|
@@ -266,8 +298,14 @@ module OmniAuth
|
|
266
298
|
# in the event that OmniAuth has been configured to be
|
267
299
|
# in test mode.
|
268
300
|
def mock_call!(*)
|
269
|
-
|
270
|
-
|
301
|
+
begin
|
302
|
+
OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
|
303
|
+
return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
|
304
|
+
return mock_callback_call if on_callback_path?
|
305
|
+
rescue StandardError => e
|
306
|
+
return fail!(e.message, e)
|
307
|
+
end
|
308
|
+
|
271
309
|
call_app!
|
272
310
|
end
|
273
311
|
|
@@ -309,10 +347,10 @@ module OmniAuth
|
|
309
347
|
# underlying application. This will default to `/auth/:provider/setup`.
|
310
348
|
def setup_phase
|
311
349
|
if options[:setup].respond_to?(:call)
|
312
|
-
log :
|
350
|
+
log :debug, 'Setup endpoint detected, running now.'
|
313
351
|
options[:setup].call(env)
|
314
352
|
elsif options[:setup]
|
315
|
-
log :
|
353
|
+
log :debug, 'Calling through to underlying application for setup.'
|
316
354
|
setup_env = env.merge('PATH_INFO' => setup_path, 'REQUEST_METHOD' => 'GET')
|
317
355
|
call_app!(setup_env)
|
318
356
|
end
|
@@ -342,11 +380,13 @@ module OmniAuth
|
|
342
380
|
end
|
343
381
|
|
344
382
|
def auth_hash
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
|
349
|
-
|
383
|
+
credentials_data = credentials
|
384
|
+
extra_data = extra
|
385
|
+
AuthHash.new(:provider => name, :uid => uid).tap do |auth|
|
386
|
+
auth.info = info unless skip_info?
|
387
|
+
auth.credentials = credentials_data if credentials_data
|
388
|
+
auth.extra = extra_data if extra_data
|
389
|
+
end
|
350
390
|
end
|
351
391
|
|
352
392
|
# Determines whether or not user info should be retrieved. This
|
@@ -361,6 +401,7 @@ module OmniAuth
|
|
361
401
|
def skip_info?
|
362
402
|
return false unless options.skip_info?
|
363
403
|
return true unless options.skip_info.respond_to?(:call)
|
404
|
+
|
364
405
|
options.skip_info.call(uid)
|
365
406
|
end
|
366
407
|
|
@@ -377,6 +418,7 @@ module OmniAuth
|
|
377
418
|
if options[kind].respond_to?(:call)
|
378
419
|
result = options[kind].call(env)
|
379
420
|
return nil unless result.is_a?(String)
|
421
|
+
|
380
422
|
result
|
381
423
|
else
|
382
424
|
options[kind]
|
@@ -384,7 +426,12 @@ module OmniAuth
|
|
384
426
|
end
|
385
427
|
|
386
428
|
def request_path
|
387
|
-
@request_path ||=
|
429
|
+
@request_path ||=
|
430
|
+
if options[:request_path].is_a?(String)
|
431
|
+
options[:request_path]
|
432
|
+
else
|
433
|
+
"#{script_name}#{path_prefix}/#{name}"
|
434
|
+
end
|
388
435
|
end
|
389
436
|
|
390
437
|
def callback_path
|
@@ -392,7 +439,7 @@ module OmniAuth
|
|
392
439
|
path = options[:callback_path] if options[:callback_path].is_a?(String)
|
393
440
|
path ||= current_path if options[:callback_path].respond_to?(:call) && options[:callback_path].call(env)
|
394
441
|
path ||= custom_path(:request_path)
|
395
|
-
path ||= "#{path_prefix}/#{name}/callback"
|
442
|
+
path ||= "#{script_name}#{path_prefix}/#{name}/callback"
|
396
443
|
path
|
397
444
|
end
|
398
445
|
end
|
@@ -401,10 +448,10 @@ module OmniAuth
|
|
401
448
|
options[:setup_path] || "#{path_prefix}/#{name}/setup"
|
402
449
|
end
|
403
450
|
|
404
|
-
CURRENT_PATH_REGEX = %r{/$}
|
451
|
+
CURRENT_PATH_REGEX = %r{/$}.freeze
|
405
452
|
EMPTY_STRING = ''.freeze
|
406
453
|
def current_path
|
407
|
-
@current_path ||= request.
|
454
|
+
@current_path ||= request.path.downcase.sub(CURRENT_PATH_REGEX, EMPTY_STRING)
|
408
455
|
end
|
409
456
|
|
410
457
|
def query_string
|
@@ -436,7 +483,7 @@ module OmniAuth
|
|
436
483
|
end
|
437
484
|
|
438
485
|
def callback_url
|
439
|
-
full_host +
|
486
|
+
full_host + callback_path + query_string
|
440
487
|
end
|
441
488
|
|
442
489
|
def script_name
|
@@ -486,16 +533,15 @@ module OmniAuth
|
|
486
533
|
OmniAuth.config.on_failure.call(env)
|
487
534
|
end
|
488
535
|
|
489
|
-
def dup
|
490
|
-
super.tap do
|
491
|
-
@options = @options.dup
|
492
|
-
end
|
493
|
-
end
|
494
|
-
|
495
536
|
class Options < OmniAuth::KeyStore; end
|
496
537
|
|
497
538
|
protected
|
498
539
|
|
540
|
+
def initialize_copy(*args)
|
541
|
+
super
|
542
|
+
@options = @options.dup
|
543
|
+
end
|
544
|
+
|
499
545
|
def merge_stack(stack)
|
500
546
|
stack.inject({}) do |a, e|
|
501
547
|
a.merge!(e)
|
data/lib/omniauth/version.rb
CHANGED
data/omniauth.gemspec
CHANGED
@@ -5,9 +5,10 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
5
5
|
require 'omniauth/version'
|
6
6
|
|
7
7
|
Gem::Specification.new do |spec|
|
8
|
-
spec.add_dependency 'hashie', ['>= 3.4.6'
|
8
|
+
spec.add_dependency 'hashie', ['>= 3.4.6']
|
9
9
|
spec.add_dependency 'rack', ['>= 1.6.2', '< 3']
|
10
|
-
spec.add_development_dependency 'bundler', '~>
|
10
|
+
spec.add_development_dependency 'bundler', '~> 2.0'
|
11
|
+
spec.add_dependency 'rack-protection'
|
11
12
|
spec.add_development_dependency 'rake', '~> 12.0'
|
12
13
|
spec.authors = ['Michael Bleigh', 'Erik Michaels-Ober', 'Tom Milewski']
|
13
14
|
spec.description = 'A generalized Rack framework for multiple-provider authentication.'
|
@@ -18,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
18
19
|
spec.name = 'omniauth'
|
19
20
|
spec.require_paths = %w[lib]
|
20
21
|
spec.required_rubygems_version = '>= 1.3.5'
|
21
|
-
spec.required_ruby_version = '>= 2.
|
22
|
+
spec.required_ruby_version = '>= 2.2'
|
22
23
|
spec.summary = spec.description
|
23
24
|
spec.version = OmniAuth::VERSION
|
24
25
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.0.0.pre.rc1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Michael Bleigh
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date:
|
13
|
+
date: 2020-12-11 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: hashie
|
@@ -19,9 +19,6 @@ dependencies:
|
|
19
19
|
- - ">="
|
20
20
|
- !ruby/object:Gem::Version
|
21
21
|
version: 3.4.6
|
22
|
-
- - "<"
|
23
|
-
- !ruby/object:Gem::Version
|
24
|
-
version: 3.6.0
|
25
22
|
type: :runtime
|
26
23
|
prerelease: false
|
27
24
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -29,9 +26,6 @@ dependencies:
|
|
29
26
|
- - ">="
|
30
27
|
- !ruby/object:Gem::Version
|
31
28
|
version: 3.4.6
|
32
|
-
- - "<"
|
33
|
-
- !ruby/object:Gem::Version
|
34
|
-
version: 3.6.0
|
35
29
|
- !ruby/object:Gem::Dependency
|
36
30
|
name: rack
|
37
31
|
requirement: !ruby/object:Gem::Requirement
|
@@ -58,14 +52,28 @@ dependencies:
|
|
58
52
|
requirements:
|
59
53
|
- - "~>"
|
60
54
|
- !ruby/object:Gem::Version
|
61
|
-
version: '
|
55
|
+
version: '2.0'
|
62
56
|
type: :development
|
63
57
|
prerelease: false
|
64
58
|
version_requirements: !ruby/object:Gem::Requirement
|
65
59
|
requirements:
|
66
60
|
- - "~>"
|
67
61
|
- !ruby/object:Gem::Version
|
68
|
-
version: '
|
62
|
+
version: '2.0'
|
63
|
+
- !ruby/object:Gem::Dependency
|
64
|
+
name: rack-protection
|
65
|
+
requirement: !ruby/object:Gem::Requirement
|
66
|
+
requirements:
|
67
|
+
- - ">="
|
68
|
+
- !ruby/object:Gem::Version
|
69
|
+
version: '0'
|
70
|
+
type: :runtime
|
71
|
+
prerelease: false
|
72
|
+
version_requirements: !ruby/object:Gem::Requirement
|
73
|
+
requirements:
|
74
|
+
- - ">="
|
75
|
+
- !ruby/object:Gem::Version
|
76
|
+
version: '0'
|
69
77
|
- !ruby/object:Gem::Dependency
|
70
78
|
name: rake
|
71
79
|
requirement: !ruby/object:Gem::Requirement
|
@@ -90,10 +98,10 @@ extensions: []
|
|
90
98
|
extra_rdoc_files: []
|
91
99
|
files:
|
92
100
|
- ".github/ISSUE_TEMPLATE.md"
|
101
|
+
- ".github/workflows/main.yml"
|
93
102
|
- ".gitignore"
|
94
103
|
- ".rspec"
|
95
104
|
- ".rubocop.yml"
|
96
|
-
- ".travis.yml"
|
97
105
|
- ".yardopts"
|
98
106
|
- Gemfile
|
99
107
|
- LICENSE.md
|
@@ -101,6 +109,7 @@ files:
|
|
101
109
|
- Rakefile
|
102
110
|
- lib/omniauth.rb
|
103
111
|
- lib/omniauth/auth_hash.rb
|
112
|
+
- lib/omniauth/authenticity_token_protection.rb
|
104
113
|
- lib/omniauth/builder.rb
|
105
114
|
- lib/omniauth/failure_endpoint.rb
|
106
115
|
- lib/omniauth/form.css
|
@@ -126,15 +135,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
126
135
|
requirements:
|
127
136
|
- - ">="
|
128
137
|
- !ruby/object:Gem::Version
|
129
|
-
version: 2.
|
138
|
+
version: '2.2'
|
130
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
131
140
|
requirements:
|
132
|
-
- - "
|
141
|
+
- - ">"
|
133
142
|
- !ruby/object:Gem::Version
|
134
|
-
version: 1.3.
|
143
|
+
version: 1.3.1
|
135
144
|
requirements: []
|
136
|
-
|
137
|
-
rubygems_version: 2.6.11
|
145
|
+
rubygems_version: 3.0.0
|
138
146
|
signing_key:
|
139
147
|
specification_version: 4
|
140
148
|
summary: A generalized Rack framework for multiple-provider authentication.
|
data/.travis.yml
DELETED
@@ -1,21 +0,0 @@
|
|
1
|
-
bundler_args: --without development
|
2
|
-
before_install: gem update bundler
|
3
|
-
cache: bundler
|
4
|
-
env:
|
5
|
-
global:
|
6
|
-
- JRUBY_OPTS="$JRUBY_OPTS --debug"
|
7
|
-
language: ruby
|
8
|
-
rvm:
|
9
|
-
- jruby-9000
|
10
|
-
- 2.1.10 # EOL Soon
|
11
|
-
- 2.2.6
|
12
|
-
- 2.3.3
|
13
|
-
- 2.4.0
|
14
|
-
- jruby-head
|
15
|
-
- ruby-head
|
16
|
-
matrix:
|
17
|
-
allow_failures:
|
18
|
-
- rvm: jruby-head
|
19
|
-
- rvm: ruby-head
|
20
|
-
fast_finish: true
|
21
|
-
sudo: false
|