omniauth 1.9.2 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35d19268ad77477704f29c8bb7aa989bc4fd087dfc75cad3757f0dba77615ab0
-  data.tar.gz: 7d6405feca4e14d010330e2c577aa815b7593de7ebc2591e9b45c266af3e05b5
+  metadata.gz: 0de71776aec3f0b016291d25d87fed25bbfa49f5fcd0abcf0f7463be97111e92
+  data.tar.gz: dd52494efab1533e54f3a85ceab332db16e02ff6d633a00c99f52d7f089303ef
 SHA512:
-  metadata.gz: f2f0a59be54f42f5c6747e9601599eee747d0220c8cfbfd3037e713840453c29598b325beae1e0ca8c41db8581d02cd1adada18d1dcfb5afe8cab2fb8c5c7e61
-  data.tar.gz: 945998eec68b09718830c23c75ca2cd1ad23da58f9541d38c39ec0c4c08b587cb35827390a003c3c1fb551793d2b5a1ade0cf354236035c6489b229fa66a699f
+  metadata.gz: 16de198d83402c9613961994c0fe1f1c9fc709de6a546168830248c237e2fe61f0847e129f94a4bf51570cbb8beffa4e20b6542e23a342a17aa41bd8c2738200
+  data.tar.gz: f703bef08321f981909d950dba902989b5efb5d4c820b9f6b03c5695bbe56620e2656bfd75d527101ed3d7cdc78dd4c886f2e4991f12c01ea170e1ad900b3245

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth

data/.github/dependabot.yml

@@ -0,0 +1,18 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 99
+
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 99

data/.github/workflows/jruby.yml

@@ -0,0 +1,28 @@
+name: JRuby
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby, jruby-head]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+      env:
+        JRUBY_OPTS: --debug
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake

data/.github/workflows/main.yml

@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, head, debug]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake
+  frozen-string-compat:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Run tests
+      env:
+        RUBYOPT: "--enable-frozen-string-literal"
+      run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth.lcov'

data/.github/workflows/truffle_ruby.yml

@@ -0,0 +1,24 @@
+name: TruffleRuby
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake

data/.gitignore

@@ -10,3 +10,5 @@ doc/*
 log/*
 measurement/*
 pkg/*
+.DS_Store
+.tool-versions

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'jruby-openssl', '~> 0.9.19', :platforms => :jruby
+gem 'jruby-openssl', '~> 0.10.5', platforms: :jruby
 gem 'rake', '>= 12.0'
 gem 'yard', '>= 0.9.11'
 
@@ -12,16 +12,12 @@ group :development do
 end
 
 group :test do
-  gem 'coveralls', :require => false
-  gem 'hashie', '>= 3.4.6', '~> 4.0.0', :platforms => [:jruby_18]
-  gem 'json', '~> 2.0.3', :platforms => %i[jruby_18 jruby_19 ruby_19]
-  gem 'mime-types', '~> 3.1', :platforms => [:jruby_18]
-  gem 'rack', '>= 2.0.6', :platforms => %i[jruby_18 jruby_19 ruby_19 ruby_20 ruby_21]
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
   gem 'rack-test'
-  gem 'rest-client', '~> 2.0.0', :platforms => [:jruby_18]
-  gem 'rspec', '~> 3.5.0'
-  gem 'rubocop', '>= 0.58.2', '< 0.69.0', :platforms => %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
-  gem 'tins', '~> 1.13.0', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem 'rspec', '~> 3.5'
+  gem 'rack-freeze'
+  gem 'rubocop', '>= 0.58.2', '< 0.69.0', platforms: %i[ruby_22 ruby_23 ruby_24]
+  gem 'simplecov-lcov'
 end
 
 gemspec

data/README.md

@@ -1,16 +1,22 @@
 # OmniAuth: Standardized Multi-Provider Authentication
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
-[![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
-[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth.svg)][codeclimate]
+[![Ruby](https://github.com/omniauth/omniauth/actions/workflows/main.yml/badge.svg)][githubactions]
+[![TruffleRuby](https://github.com/omniauth/omniauth/actions/workflows/truffle_ruby.yml/badge.svg)][githubactionstruffle]
+[![JRuby](https://github.com/omniauth/omniauth/actions/workflows/jruby.yml/badge.svg)][githubactionsjruby]
+[![Code Climate](https://api.codeclimate.com/v1/badges/ffd33970723587806744/maintainability)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]
-[![Security](https://hakiri.io/github/omniauth/omniauth/master.svg)](https://hakiri.io/github/omniauth/omniauth/master)
 
 [gem]: https://rubygems.org/gems/omniauth
-[travis]: http://travis-ci.org/omniauth/omniauth
+[githubactions]: https://github.com/omniauth/omniauth/actions/workflows/main.yml
+[githubactionstruffle]: https://github.com/omniauth/omniauth/actions/workflows/truffle_ruby.yml
+[githubactionsjruby]: https://github.com/omniauth/omniauth/actions/workflows/jruby.yml
 [codeclimate]: https://codeclimate.com/github/omniauth/omniauth
 [coveralls]: https://coveralls.io/r/omniauth/omniauth
 
+This is the documentation for the in-development branch of OmniAuth.
+You can find the documentation for the latest stable release [here](https://github.com/omniauth/omniauth/tree/v2.1.2)
+
 ## An Introduction
 OmniAuth is a library that standardizes multi-provider authentication for
 web applications. It was created to be powerful, flexible, and do as
@@ -32,8 +38,8 @@ development and easily swap in other strategies later.
 ## Getting Started
 Each OmniAuth strategy is a Rack Middleware. That means that you can use
 it the same way that you use any other Rack middleware. For example, to
-use the built-in Developer strategy in a Sinatra application I might do
-this:
+use the built-in Developer strategy in a Sinatra application you might
+do this:
 
 ```ruby
 require 'sinatra'
@@ -45,7 +51,7 @@ class MyApplication < Sinatra::Base
 end
 ```
 
-Because OmniAuth is built for *multi-provider* authentication, I may
+Because OmniAuth is built for *multi-provider* authentication, you may
 want to leave room to run multiple strategies. For this, the built-in
 `OmniAuth::Builder` class gives you an easy way to specify multiple
 strategies. Note that there is **no difference** between the following
@@ -82,33 +88,9 @@ environment of a request to `/auth/:provider/callback`. This hash
 contains as much information about the user as OmniAuth was able to
 glean from the utilized strategy. You should set up an endpoint in your
 application that matches to the callback URL and then performs whatever
-steps are necessary for your application. For example, in a Rails app I
-would add a line in my `routes.rb` file like this:
-
-```ruby
-get '/auth/:provider/callback', to: 'sessions#create'
-```
-
-And I might then have a `SessionsController` with code that looks
-something like this:
-
-```ruby
-class SessionsController < ApplicationController
-  def create
-    @user = User.find_or_create_from_auth_hash(auth_hash)
-    self.current_user = @user
-    redirect_to '/'
-  end
-
-  protected
+steps are necessary for your application. 
 
-  def auth_hash
-    request.env['omniauth.auth']
-  end
-end
-```
-
-The `omniauth.auth` key in the environment hash gives me my
+The `omniauth.auth` key in the environment hash provides an
 Authentication Hash which will contain information about the just
 authenticated user including a unique id, the strategy they just used
 for authentication, and personal details such as name and email address
@@ -120,35 +102,74 @@ environment information on the callback request. It is entirely up to
 you how you want to implement the particulars of your application's
 authentication flow.
 
-**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found on the [Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).
+## rack_csrf
+
+`omniauth` is not OOTB-compatible with [rack_csrf](https://github.com/baldowl/rack_csrf). In order to do so, the following code needs to be added to the application bootstrapping code:
 
-## Configuring The `origin` Param
-The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to.
+```ruby
+OmniAuth::AuthenticityTokenProtection.default_options(key: "csrf.token", authenticity_param: "_csrf")
+```
 
-There are three possible options:
+## Rails (without Devise)
+To get started, add the following gems
 
-Default Flow:
+**Gemfile**:
 ```ruby
-# /auth/twitter/?origin=[URL]
-# No change
-# If blank, `omniauth.origin` is set to HTTP_REFERER
+gem 'omniauth'
+gem "omniauth-rails_csrf_protection"
 ```
 
-Renaming Origin Param:
+Then insert OmniAuth as a middleware
+
+**config/initializers/omniauth.rb**:
 ```ruby
-# /auth/twitter/?return_to=[URL]
-# If blank, `omniauth.origin` is set to HTTP_REFERER
-provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :developer if Rails.env.development?
+end
 ```
 
-Disabling Origin Param:
+Additional providers can be added here in the future. Next we wire it
+all up using routes, a controller and a login view.
+
+**config/routes.rb**:
+
 ```ruby
-# /auth/twitter
-# Origin handled externally, if need be. `omniauth.origin` is not set
-provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
+  get 'auth/:provider/callback', to: 'sessions#create'
+  get '/login', to: 'sessions#new'
+```
+
+**app/controllers/sessions_controller.rb**:
+```ruby
+class SessionsController < ApplicationController
+  def new
+    render :new
+  end
+
+  def create
+    user_info = request.env['omniauth.auth']
+    raise user_info # Your own session management should be placed here.
+  end
+end
 ```
 
-## Integrating OmniAuth Into Your Rails API
+**app/views/sessions/new.html.erb**:
+```erb
+<%= form_tag('/auth/developer', method: 'post', data: {turbo: false}) do %>
+  <button type='submit'>Login with Developer</button>
+<% end %>
+```
+
+Now if you visit `/login` and click the Login button, you should see the
+OmniAuth developer login screen. After submitting it, you are returned to your
+application at `Sessions#create`. The raise should now display all the Omniauth
+details you have available to integrate it into your own user management.
+
+If you want out of the box usermanagement, you should consider using Omniauth
+through Devise. Please visit the [Devise Github page](https://github.com/heartcombo/devise#omniauth)
+for more information.
+
+
+## Rails API
 The following middleware are (by default) included for session management in
 Rails applications. When using OmniAuth with a Rails API, you'll need to add
 one of these required middleware back in:
@@ -163,7 +184,7 @@ a `session_store.rb` initializer, add `use ActionDispatch::Session::CookieStore`
 and have sessions functioning as normal.
 
 To be clear: sessions may work, but your session options will be ignored
-(i.e the session key will default to `_session_id`).  Instead of the
+(i.e. the session key will default to `_session_id`).  Instead of the
 initializer, you'll have to set the relevant options somewhere
 before your middleware is built (like `application.rb`) and pass them to your
 preferred middleware, like this:
@@ -187,14 +208,51 @@ to `STDOUT` but you can configure this using `OmniAuth.config.logger`:
 OmniAuth.config.logger = Rails.logger
 ```
 
+## Origin Param
+The `origin` url parameter is typically used to inform where a user came from
+and where, should you choose to use it, they'd want to return to.
+Omniauth supports the following settings which can be configured on a provider level:
+
+**Default**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET']
+POST /auth/twitter/?origin=[URL]
+# If the `origin` parameter is blank, `omniauth.origin` is set to HTTP_REFERER
+```
+
+**Using a differently named origin parameter**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
+POST /auth/twitter/?return_to=[URL]
+# If the `return_to` parameter is blank, `omniauth.origin` is set to HTTP_REFERER
+```
+
+**Disabled**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
+POST /auth/twitter
+# This means the origin should be handled by your own application. 
+# Note that `omniauth.origin` will always be blank.
+```
+
 ## Resources
 The [OmniAuth Wiki](https://github.com/omniauth/omniauth/wiki) has
 actively maintained in-depth documentation for OmniAuth. It should be
 your first stop if you are wondering about a more in-depth look at
 OmniAuth, how it works, and how to use it.
 
+## OmniAuth for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth and thousands of other packages are working with
+Tidelift to deliver commercial support and maintenance for the open source
+packages you use to build your applications. Save time, reduce risk, and
+improve code health, while paying the maintainers of the exact packages you use.
+[Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+
 ## Supported Ruby Versions
-OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, 2.5.0, and JRuby.
+OmniAuth is tested under 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, truffleruby, and JRuby.
 
 ## Versioning
 This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations

data/SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 2.1.x    | :white_check_mark: |
+| 2.0.x    | :white_check_mark: |
+| <= 1.9.1 | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/authenticity_token_protection.rb

@@ -0,0 +1,32 @@
+require 'rack-protection'
+
+module OmniAuth
+  class AuthenticityError < StandardError; end
+  class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken
+    def initialize(options = {})
+      @options = default_options.merge(options)
+    end
+
+    def self.call(env)
+      new.call!(env)
+    end
+
+    def call!(env)
+      return if accepts?(env)
+
+      instrument env
+      react env
+    end
+
+    alias_method :call, :call!
+
+  private
+
+    def deny(_env)
+      OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
+      raise AuthenticityError.new(options[:message])
+    end
+
+    alias default_reaction deny
+  end
+end

data/lib/omniauth/builder.rb

@@ -26,19 +26,18 @@ module OmniAuth
       @options = options
     end
 
-    def provider(klass, *args, &block)
+    def provider(klass, *args, **opts, &block)
       if klass.is_a?(Class)
         middleware = klass
       else
         begin
-          middleware = OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s)
+          middleware = OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s, false)
         rescue NameError
           raise(LoadError.new("Could not find matching strategy for #{klass.inspect}. You may need to install an additional gem (such as omniauth-#{klass})."))
         end
       end
 
-      args.last.is_a?(Hash) ? args.push(options.merge(args.pop)) : args.push(options)
-      use middleware, *args, &block
+      use middleware, *args, **options.merge(opts), &block
     end
 
     def call(env)

data/lib/omniauth/failure_endpoint.rb

@@ -27,10 +27,19 @@ module OmniAuth
 
     def redirect_to_failure
       message_key = env['omniauth.error.type']
-      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
+
+      new_path = "#{env['SCRIPT_NAME']}#{strategy_path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
       Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
     end
 
+    def strategy_path_prefix
+      if env['omniauth.error.strategy']
+        env['omniauth.error.strategy'].path_prefix
+      else
+        OmniAuth.config.path_prefix
+      end
+    end
+
     def strategy_name_query_param
       return '' unless env['omniauth.error.strategy']
 

data/lib/omniauth/form.rb

@@ -7,9 +7,10 @@ module OmniAuth
     def initialize(options = {})
       options[:title] ||= 'Authentication Info Required'
       options[:header_info] ||= ''
+      options[:method] ||= 'post'
       self.options = options
 
-      @html = ''
+      @html = +'' # unary + string allows it to be mutable if strings are frozen
       @with_custom_button = false
       @footer = nil
       header(options[:title], options[:header_info])
@@ -75,7 +76,7 @@ module OmniAuth
       </head>
       <body>
       <h1>#{title}</h1>
-      <form method='post' #{"action='#{options[:url]}' " if options[:url]}noValidate='noValidate'>
+      <form method='#{options[:method]}' #{"action='#{options[:url]}' " if options[:url]}noValidate='noValidate'>
       HTML
       self
     end

data/lib/omniauth/strategies/developer.rb

@@ -35,7 +35,7 @@ module OmniAuth
       option :uid_field, :email
 
       def request_phase
-        form = OmniAuth::Form.new(:title => 'User Info', :url => callback_path)
+        form = OmniAuth::Form.new(:title => 'User Info', :url => callback_path, :method => 'get')
         options.fields.each do |field|
           form.text_field field.to_s.capitalize.tr('_', ' '), field.to_s
         end

data/lib/omniauth/strategy.rb

@@ -181,17 +181,47 @@ module OmniAuth
       end
 
       @env = env
+
+      warn_if_using_get_on_request_path
+
       @env['omniauth.strategy'] = self if on_auth_path?
 
       return mock_call!(env) if OmniAuth.config.test_mode
-      return options_call if on_auth_path? && options_request?
-      return request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
-      return callback_call if on_callback_path?
-      return other_phase if respond_to?(:other_phase)
+
+      begin
+        return options_call if on_auth_path? && options_request?
+        return request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return callback_call if on_callback_path?
+        return other_phase if respond_to?(:other_phase)
+      rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
+        return fail!(e.message, e)
+      end
 
       @app.call(env)
     end
 
+    def warn_if_using_get_on_request_path
+      return unless on_request_path?
+      return unless OmniAuth.config.allowed_request_methods.include?(:get)
+      return if OmniAuth.config.silence_get_warning
+
+      log :warn, <<-WARN
+  You are using GET as an allowed request method for OmniAuth. This may leave
+  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
+  to its own routes. You should review the following resources to guide your
+  mitigation:
+  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+  https://github.com/omniauth/omniauth/issues/960
+  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+  https://github.com/omniauth/omniauth/pull/809
+
+  You can ignore this warning by setting:
+  OmniAuth.config.silence_get_warning = true
+      WARN
+    end
+
     # Responds to an OPTIONS request.
     def options_call
       OmniAuth.config.before_options_phase.call(env) if OmniAuth.config.before_options_phase
@@ -202,17 +232,19 @@ module OmniAuth
     # Performs the steps necessary to run the request phase of a strategy.
     def request_call # rubocop:disable CyclomaticComplexity, MethodLength, PerceivedComplexity
       setup_phase
-      log :info, 'Request phase initiated.'
+      log :debug, 'Request phase initiated.'
 
       # store query params from the request url, extracted in the callback_phase
       session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
 
       if options.form.respond_to?(:call)
-        log :info, 'Rendering form from supplied Rack endpoint.'
+        log :debug, 'Rendering form from supplied Rack endpoint.'
         options.form.call(env)
       elsif options.form
-        log :info, 'Rendering form from underlying application.'
+        log :debug, 'Rendering form from underlying application.'
         call_app!
       elsif !options.origin_param
         request_phase
@@ -225,12 +257,14 @@ module OmniAuth
 
         request_phase
       end
+    rescue OmniAuth::AuthenticityError => e
+      fail!(:authenticity_error, e)
     end
 
     # Performs the steps necessary to run the callback phase of a strategy.
     def callback_call
       setup_phase
-      log :info, 'Callback phase initiated.'
+      log :debug, 'Callback phase initiated.'
       @env['omniauth.origin'] = session.delete('omniauth.origin')
       @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
       @env['omniauth.params'] = session.delete('omniauth.params') || {}
@@ -268,8 +302,14 @@ module OmniAuth
     # in the event that OmniAuth has been configured to be
     # in test mode.
     def mock_call!(*)
-      return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
-      return mock_callback_call if on_callback_path?
+      begin
+        return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return mock_callback_call if on_callback_path?
+      rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
+        return fail!(e.message, e)
+      end
 
       call_app!
     end
@@ -278,7 +318,10 @@ module OmniAuth
       setup_phase
 
       session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
+
       if options.origin_param
         if request.params[options.origin_param]
           session['omniauth.origin'] = request.params[options.origin_param]
@@ -312,10 +355,10 @@ module OmniAuth
     # underlying application. This will default to `/auth/:provider/setup`.
     def setup_phase
       if options[:setup].respond_to?(:call)
-        log :info, 'Setup endpoint detected, running now.'
+        log :debug, 'Setup endpoint detected, running now.'
         options[:setup].call(env)
       elsif options[:setup]
-        log :info, 'Calling through to underlying application for setup.'
+        log :debug, 'Calling through to underlying application for setup.'
         setup_env = env.merge('PATH_INFO' => setup_path, 'REQUEST_METHOD' => 'GET')
         call_app!(setup_env)
       end
@@ -345,11 +388,13 @@ module OmniAuth
     end
 
     def auth_hash
-      hash = AuthHash.new(:provider => name, :uid => uid)
-      hash.info = info unless skip_info?
-      hash.credentials = credentials if credentials
-      hash.extra = extra if extra
-      hash
+      credentials_data = credentials
+      extra_data = extra
+      AuthHash.new(:provider => name, :uid => uid).tap do |auth|
+        auth.info = info unless skip_info?
+        auth.credentials = credentials_data if credentials_data
+        auth.extra = extra_data if extra_data
+      end
     end
 
     # Determines whether or not user info should be retrieved. This
@@ -389,7 +434,12 @@ module OmniAuth
     end
 
     def request_path
-      @request_path ||= options[:request_path].is_a?(String) ? options[:request_path] : "#{path_prefix}/#{name}"
+      @request_path ||=
+        if options[:request_path].is_a?(String)
+          options[:request_path]
+        else
+          "#{script_name}#{path_prefix}/#{name}"
+        end
     end
 
     def callback_path
@@ -397,7 +447,7 @@ module OmniAuth
         path = options[:callback_path] if options[:callback_path].is_a?(String)
         path ||= current_path if options[:callback_path].respond_to?(:call) && options[:callback_path].call(env)
         path ||= custom_path(:request_path)
-        path ||= "#{path_prefix}/#{name}/callback"
+        path ||= "#{script_name}#{path_prefix}/#{name}/callback"
         path
       end
     end
@@ -409,7 +459,7 @@ module OmniAuth
     CURRENT_PATH_REGEX = %r{/$}.freeze
     EMPTY_STRING       = ''.freeze
     def current_path
-      @current_path ||= request.path_info.downcase.sub(CURRENT_PATH_REGEX, EMPTY_STRING)
+      @current_path ||= request.path.downcase.sub(CURRENT_PATH_REGEX, EMPTY_STRING)
     end
 
     def query_string
@@ -418,6 +468,9 @@ module OmniAuth
 
     def call_app!(env = @env)
       @app.call(env)
+    rescue StandardError => e
+      env['omniauth.error.app'] = true
+      raise e
     end
 
     def full_host
@@ -441,10 +494,11 @@ module OmniAuth
     end
 
     def callback_url
-      full_host + script_name + callback_path + query_string
+      full_host + callback_path + query_string
     end
 
     def script_name
+      return '' if @env.nil?
       @env['SCRIPT_NAME'] || ''
     end
 
@@ -491,16 +545,15 @@ module OmniAuth
       OmniAuth.config.on_failure.call(env)
     end
 
-    def dup
-      super.tap do
-        @options = @options.dup
-      end
-    end
-
     class Options < OmniAuth::KeyStore; end
 
   protected
 
+    def initialize_copy(*args)
+      super
+      @options = @options.dup
+    end
+
     def merge_stack(stack)
       stack.inject({}) do |a, e|
         a.merge!(e)

data/lib/omniauth/version.rb

@@ -1,3 +1,3 @@
 module OmniAuth
-  VERSION = '1.9.2'.freeze
+  VERSION = '2.1.2'.freeze
 end

data/lib/omniauth.rb

@@ -1,3 +1,7 @@
+# TODO: Fixed in https://github.com/rack/rack/pull/1610 for Rack 3
+if defined?(RUBY_ENGINE) && RUBY_ENGINE == "jruby"
+  require 'delegate'
+end
 require 'rack'
 require 'singleton'
 require 'logger'
@@ -15,6 +19,7 @@ module OmniAuth
   autoload :Form,     'omniauth/form'
   autoload :AuthHash, 'omniauth/auth_hash'
   autoload :FailureEndpoint, 'omniauth/failure_endpoint'
+  autoload :AuthenticityTokenProtection, 'omniauth/authenticity_token_protection'
 
   def self.strategies
     @strategies ||= []
@@ -29,20 +34,22 @@ module OmniAuth
       logger
     end
 
-    def self.defaults
+    def self.defaults # rubocop:disable MethodLength
       @defaults ||= {
         :camelizations => {},
         :path_prefix => '/auth',
         :on_failure => OmniAuth::FailureEndpoint,
         :failure_raise_out_environments => ['development'],
+        :request_validation_phase => OmniAuth::AuthenticityTokenProtection,
         :before_request_phase   => nil,
         :before_callback_phase  => nil,
         :before_options_phase   => nil,
         :form_css => Form::DEFAULT_CSS,
         :test_mode => false,
         :logger => default_logger,
-        :allowed_request_methods => %i[get post],
-        :mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' => '1234', 'info' => {'name' => 'Example User'})}
+        :allowed_request_methods => %i[post],
+        :mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' => '1234', 'info' => {'name' => 'Example User'})},
+        :silence_get_warning => false
       }
     end
 
@@ -74,6 +81,14 @@ module OmniAuth
       end
     end
 
+    def request_validation_phase(&block)
+      if block_given?
+        @request_validation_phase = block
+      else
+        @request_validation_phase
+      end
+    end
+
     def before_request_phase(&block)
       if block_given?
         @before_request_phase = block
@@ -111,8 +126,9 @@ module OmniAuth
       camelizations[name.to_s] = camelized.to_s
     end
 
-    attr_writer :on_failure, :before_callback_phase, :before_options_phase, :before_request_phase
-    attr_accessor :failure_raise_out_environments, :path_prefix, :allowed_request_methods, :form_css, :test_mode, :mock_auth, :full_host, :camelizations, :logger
+    attr_writer :on_failure, :before_callback_phase, :before_options_phase, :before_request_phase, :request_validation_phase
+    attr_accessor :failure_raise_out_environments, :path_prefix, :allowed_request_methods, :form_css,
+                  :test_mode, :mock_auth, :full_host, :camelizations, :logger, :silence_get_warning
   end
 
   def self.config
@@ -159,7 +175,7 @@ module OmniAuth
       if first_letter_in_uppercase
         word.to_s.gsub(%r{/(.?)}) { '::' + Regexp.last_match[1].upcase }.gsub(/(^|_)(.)/) { Regexp.last_match[2].upcase }
       else
-        word.first + camelize(word)[1..-1]
+        camelize(word).tap { |w| w[0] = w[0].downcase }
       end
     end
   end

data/omniauth.gemspec

@@ -6,8 +6,9 @@ require 'omniauth/version'
 
 Gem::Specification.new do |spec|
   spec.add_dependency 'hashie', ['>= 3.4.6']
-  spec.add_dependency 'rack', ['>= 1.6.2', '< 3']
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_dependency 'rack', '>= 2.2.3'
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_dependency 'rack-protection'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.authors       = ['Michael Bleigh', 'Erik Michaels-Ober', 'Tom Milewski']
   spec.description   = 'A generalized Rack framework for multiple-provider authentication.'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth
 version: !ruby/object:Gem::Version
-  version: 1.9.2
+  version: 2.1.2
 platform: ruby
 authors:
 - Michael Bleigh
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-18 00:00:00.000000000 Z
+date: 2023-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hashie
@@ -32,34 +32,42 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.2
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.2
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -83,18 +91,24 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE.md"
+- ".github/dependabot.yml"
+- ".github/workflows/jruby.yml"
+- ".github/workflows/main.yml"
+- ".github/workflows/truffle_ruby.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - ".yardopts"
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth.rb
 - lib/omniauth/auth_hash.rb
+- lib/omniauth/authenticity_token_protection.rb
 - lib/omniauth/builder.rb
 - lib/omniauth/failure_endpoint.rb
 - lib/omniauth/form.css
@@ -127,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.5
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: A generalized Rack framework for multiple-provider authentication.

data/.travis.yml

@@ -1,25 +0,0 @@
-bundler_args: --without development
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '1.17.3'
-install:
- - bundle _1.17.3_ install --jobs=3 --retry=3
-cache: bundler
-env:
-  global:
-    - JRUBY_OPTS="$JRUBY_OPTS --debug"
-language: ruby
-rvm:
-  - jruby-9000
-  - 2.2.9
-  - 2.3.5
-  - 2.4.4
-  - 2.5.3
-  - jruby-head
-  - ruby-head
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-  fast_finish: true
-sudo: false