omniauth 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f836310822161a3a49ac1a691b348917ab7f3de1ec1171e078e1f50dc304142
-  data.tar.gz: a06ee34aa1f4da5fd3785e1237fd457adbf032cf7fe2a8dfb22c1272ca001fb3
+  metadata.gz: 6cb3de3ad6a305065fef63ef3a4344db5bcb3b27694b9283b34df9b60db53071
+  data.tar.gz: 2f2534e820313a07c1ff46e515b9e07124de20324df8c76735dd121c17c02bf3
 SHA512:
-  metadata.gz: c880817de032bda44bc8a7fab28efcf2df943af0bed17a10529d44e45c270ea2968abd0629b7f2ed017527f7b169e0349fe2fc3638b7971da4a2dc536f16ba44
-  data.tar.gz: 856b44834bdb2cab3eb7faa1ac2ae58411694a885a4e3cc14ec3eff2d05616ef667c43b2ab87d39132e5662d5b022f45c0ca0c11ae4bc5057e725d65c6aafa18
+  metadata.gz: e05402733493a06ee4e3c26b30431d0a89c4883350ce4cedad9af29151d6310f0a106f79291c4d634ba955e4618b9be7c796942b08adcee4b6730396f1c1a7af
+  data.tar.gz: 052fca22fac4152907799ab29e112230ad972f227e49616f5537c12a4d000e702c1bbb3b184f0ee29f09a96a1d7a6fe4dbd82e32c5e167269048979993236f3f

data/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth

data/.github/workflows/jruby.yml

@@ -0,0 +1,30 @@
+name: JRuby
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby] # TODO: Add back jruby-head once we figure out why there's a bundler mismatch
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle install
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake

data/.github/workflows/main.yml

@@ -9,9 +9,9 @@ name: Ruby
 
 on:
   push:
-    branches: [ master, 2_0-indev ]
+    branches: [ master ]
   pull_request:
-    branches: [ master, 2_0-indev ]
+    branches: [ master ]
 
 jobs:
   test:
@@ -20,7 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu, macos]
-        ruby: [2.5, 2.6, 2.7, head, debug, truffleruby, truffleruby-head]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, head, debug]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
@@ -32,28 +32,6 @@ jobs:
       run: bundle install
     - name: Run tests
       run: bundle exec rake
-  test-jruby:
-    runs-on: ubuntu-18.04
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu, macos]
-        jruby: [jruby, jruby-head]
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.jruby }}
-        bundler-cache: true
-    - name: Install dependencies
-      env:
-        JRUBY_OPTS: --debug
-      run: bundle install
-    - name: Run tests
-      env:
-        JRUBY_OPTS: --debug
-      run: bundle exec rake
   frozen-string-compat:
     runs-on: ubuntu-18.04
     steps:

data/.github/workflows/truffle_ruby.yml

@@ -0,0 +1,26 @@
+name: TruffleRuby
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake

data/.gitignore

@@ -11,3 +11,4 @@ log/*
 measurement/*
 pkg/*
 .DS_Store
+.tool-versions

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'jruby-openssl', '~> 0.10.5', :platforms => :jruby
+gem 'jruby-openssl', '~> 0.10.5', platforms: :jruby
 gem 'rake', '>= 12.0'
 gem 'yard', '>= 0.9.11'
 
@@ -13,17 +13,16 @@ end
 
 group :test do
   gem 'coveralls_reborn', '~> 0.19.0', require: false
-  gem 'hashie', '>= 3.4.6', '~> 4.0.0', :platforms => [:jruby_18]
-  gem 'json', '~> 2.3.0', :platforms => %i[jruby_18 jruby_19 ruby_19]
-  gem 'mime-types', '~> 3.1', :platforms => [:jruby_18]
-  gem 'rack', '>= 2.0.6', :platforms => %i[jruby_18 jruby_19 ruby_19 ruby_20 ruby_21]
+  gem 'hashie', '>= 3.4.6', '~> 4.0.0', platforms: [:jruby_18]
+  gem 'json', '~> 2.3.0', platforms: %i[jruby_18 jruby_19 ruby_19]
+  gem 'mime-types', '~> 3.1', platforms: [:jruby_18]
   gem 'rack-test'
-  gem 'rest-client', '~> 2.0.0', :platforms => [:jruby_18]
+  gem 'rest-client', '~> 2.0.0', platforms: [:jruby_18]
   gem 'rspec', '~> 3.5'
   gem 'rack-freeze'
-  gem 'rubocop', '>= 0.58.2', '< 0.69.0', :platforms => %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
+  gem 'rubocop', '>= 0.58.2', '< 0.69.0', platforms: %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]
   gem 'simplecov-lcov'
-  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem 'tins', '~> 1.13', platforms: %i[jruby_18 jruby_19 ruby_19]
 end
 
 gemspec

data/README.md

@@ -1,16 +1,22 @@
 # OmniAuth: Standardized Multi-Provider Authentication
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
-[![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
+[![Ruby](https://github.com/omniauth/omniauth/actions/workflows/main.yml/badge.svg)][githubactions]
+[![TruffleRuby](https://github.com/omniauth/omniauth/actions/workflows/truffle_ruby.yml/badge.svg)][githubactionstruffle]
+[![JRuby](https://github.com/omniauth/omniauth/actions/workflows/jruby.yml/badge.svg)][githubactionsjruby]
 [![Code Climate](https://api.codeclimate.com/v1/badges/ffd33970723587806744/maintainability)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]
 
 [gem]: https://rubygems.org/gems/omniauth
-[travis]: http://travis-ci.org/omniauth/omniauth
+[githubactions]: https://github.com/omniauth/omniauth/actions/workflows/main.yml
+[githubactionstruffle]: https://github.com/omniauth/omniauth/actions/workflows/truffle_ruby.yml
+[githubactionsjruby]: https://github.com/omniauth/omniauth/actions/workflows/jruby.yml
 [codeclimate]: https://codeclimate.com/github/omniauth/omniauth
 [coveralls]: https://coveralls.io/r/omniauth/omniauth
 
-This is the documentation for v1.9.1. If you are looking for the documentation for the in-development v2.0.0 version, it can be found [here](https://github.com/omniauth/omniauth/tree/2_0-indev). 
+This is the documentation for the in-development branch of OmniAuth.
+You can find the documentation for the latest stable release [here](https://github.com/omniauth/omniauth/tree/v2.1.1)
+
 ## An Introduction
 OmniAuth is a library that standardizes multi-provider authentication for
 web applications. It was created to be powerful, flexible, and do as
@@ -82,34 +88,7 @@ environment of a request to `/auth/:provider/callback`. This hash
 contains as much information about the user as OmniAuth was able to
 glean from the utilized strategy. You should set up an endpoint in your
 application that matches to the callback URL and then performs whatever
-steps are necessary for your application. For example, in a Rails app
-you would add a line in your `routes.rb` file like this:
-
-```ruby
-post '/auth/:provider/callback', to: 'sessions#create'
-```
-
-And you might then have a `SessionsController` with code that looks
-something like this:
-
-```ruby
-class SessionsController < ApplicationController
-  # If you're using a strategy that POSTs during callback, you'll need to skip the authenticity token check for the callback action only. 
-  skip_before_action :verify_authenticity_token, only: :create
-
-  def create
-    @user = User.find_or_create_from_auth_hash(auth_hash)
-    self.current_user = @user
-    redirect_to '/'
-  end
-
-  protected
-
-  def auth_hash
-    request.env['omniauth.auth']
-  end
-end
-```
+steps are necessary for your application. 
 
 The `omniauth.auth` key in the environment hash provides an
 Authentication Hash which will contain information about the just
@@ -123,35 +102,74 @@ environment information on the callback request. It is entirely up to
 you how you want to implement the particulars of your application's
 authentication flow.
 
-**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found on the [Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).
+## rack_csrf
 
-## Configuring The `origin` Param
-The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to.
+`omniauth` is not OOTB-compatible with [rack_csrf](https://github.com/baldowl/rack_csrf). In order to do so, the following code needs to be added to the application bootstrapping code:
 
-There are three possible options:
+```ruby
+OmniAuth::AuthenticityTokenProtection.default_options(key: "csrf.token", authenticity_param: "_csrf")
+```
 
-Default Flow:
+## Rails (without Devise)
+To get started, add the following gems
+
+**Gemfile**:
 ```ruby
-# /auth/twitter/?origin=[URL]
-# No change
-# If blank, `omniauth.origin` is set to HTTP_REFERER
+gem 'omniauth'
+gem "omniauth-rails_csrf_protection"
 ```
 
-Renaming Origin Param:
+Then insert OmniAuth as a middleware
+
+**config/initializers/omniauth.rb**:
 ```ruby
-# /auth/twitter/?return_to=[URL]
-# If blank, `omniauth.origin` is set to HTTP_REFERER
-provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :developer if Rails.env.development?
+end
 ```
 
-Disabling Origin Param:
+Additional providers can be added here in the future. Next we wire it
+all up using routes, a controller and a login view.
+
+**config/routes.rb**:
+
 ```ruby
-# /auth/twitter
-# Origin handled externally, if need be. `omniauth.origin` is not set
-provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
+  get 'auth/:provider/callback', to: 'sessions#create'
+  get '/login', to: 'sessions#new'
 ```
 
-## Integrating OmniAuth Into Your Rails API
+**app/controllers/sessions_controller.rb**:
+```ruby
+class SessionsController < ApplicationController
+  def new
+    render :new
+  end
+
+  def create
+    user_info = request.env['omniauth.auth']
+    raise user_info # Your own session management should be placed here.
+  end
+end
+```
+
+**app/views/sessions/new.html.erb**:
+```erb
+<%= form_tag('/auth/developer', method: 'post', data: {turbo: false}) do %>
+  <button type='submit'>Login with Developer</button>
+<% end %>
+```
+
+Now if you visit `/login` and click the Login button, you should see the
+OmniAuth developer login screen. After submitting it, you are returned to your
+application at `Sessions#create`. The raise should now display all the Omniauth
+details you have available to integrate it into your own user management.
+
+If you want out of the box usermanagement, you should consider using Omniauth
+through Devise. Please visit the [Devise Github page](https://github.com/heartcombo/devise#omniauth)
+for more information.
+
+
+## Rails API
 The following middleware are (by default) included for session management in
 Rails applications. When using OmniAuth with a Rails API, you'll need to add
 one of these required middleware back in:
@@ -190,14 +208,51 @@ to `STDOUT` but you can configure this using `OmniAuth.config.logger`:
 OmniAuth.config.logger = Rails.logger
 ```
 
+## Origin Param
+The `origin` url parameter is typically used to inform where a user came from
+and where, should you choose to use it, they'd want to return to.
+Omniauth supports the following settings which can be configured on a provider level:
+
+**Default**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET']
+POST /auth/twitter/?origin=[URL]
+# If the `origin` parameter is blank, `omniauth.origin` is set to HTTP_REFERER
+```
+
+**Using a differently named origin parameter**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
+POST /auth/twitter/?return_to=[URL]
+# If the `return_to` parameter is blank, `omniauth.origin` is set to HTTP_REFERER
+```
+
+**Disabled**:
+```ruby
+provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
+POST /auth/twitter
+# This means the origin should be handled by your own application. 
+# Note that `omniauth.origin` will always be blank.
+```
+
 ## Resources
 The [OmniAuth Wiki](https://github.com/omniauth/omniauth/wiki) has
 actively maintained in-depth documentation for OmniAuth. It should be
 your first stop if you are wondering about a more in-depth look at
 OmniAuth, how it works, and how to use it.
 
+## OmniAuth for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth and thousands of other packages are working with
+Tidelift to deliver commercial support and maintenance for the open source
+packages you use to build your applications. Save time, reduce risk, and
+improve code health, while paying the maintainers of the exact packages you use.
+[Learn more.](https://tidelift.com/subscription/pkg/rubygems-omniauth?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+
 ## Supported Ruby Versions
-OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, 2.5.0, and JRuby.
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.
 
 ## Versioning
 This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations

data/SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 2.1.x    | :white_check_mark: |
+| 2.0.x    | :white_check_mark: |
+| <= 1.9.1 | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.

data/lib/omniauth/authenticity_token_protection.rb

@@ -18,6 +18,8 @@ module OmniAuth
       react env
     end
 
+    alias_method :call, :call!
+
   private
 
     def deny(_env)

data/lib/omniauth/builder.rb

@@ -26,7 +26,7 @@ module OmniAuth
       @options = options
     end
 
-    def provider(klass, *args, &block)
+    def provider(klass, *args, **opts, &block)
       if klass.is_a?(Class)
         middleware = klass
       else
@@ -37,8 +37,7 @@ module OmniAuth
         end
       end
 
-      args.last.is_a?(Hash) ? args.push(options.merge(args.pop)) : args.push(options)
-      use middleware, *args, &block
+      use middleware, *args, **options.merge(opts), &block
     end
 
     def call(env)

data/lib/omniauth/strategy.rb

@@ -180,9 +180,10 @@ module OmniAuth
         raise(error)
       end
 
-      warn_if_using_get
-
       @env = env
+
+      warn_if_using_get_on_request_path
+
       @env['omniauth.strategy'] = self if on_auth_path?
 
       return mock_call!(env) if OmniAuth.config.test_mode
@@ -193,13 +194,16 @@ module OmniAuth
         return callback_call if on_callback_path?
         return other_phase if respond_to?(:other_phase)
       rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
         return fail!(e.message, e)
       end
 
       @app.call(env)
     end
 
-    def warn_if_using_get
+    def warn_if_using_get_on_request_path
+      return unless on_request_path?
       return unless OmniAuth.config.allowed_request_methods.include?(:get)
       return if OmniAuth.config.silence_get_warning
 
@@ -299,10 +303,11 @@ module OmniAuth
     # in test mode.
     def mock_call!(*)
       begin
-        OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
         return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
         return mock_callback_call if on_callback_path?
       rescue StandardError => e
+        raise e if env.delete('omniauth.error.app')
+
         return fail!(e.message, e)
       end
 
@@ -313,7 +318,10 @@ module OmniAuth
       setup_phase
 
       session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
+
       if options.origin_param
         if request.params[options.origin_param]
           session['omniauth.origin'] = request.params[options.origin_param]
@@ -460,6 +468,9 @@ module OmniAuth
 
     def call_app!(env = @env)
       @app.call(env)
+    rescue StandardError => e
+      env['omniauth.error.app'] = true
+      raise e
     end
 
     def full_host
@@ -487,6 +498,7 @@ module OmniAuth
     end
 
     def script_name
+      return '' if @env.nil?
       @env['SCRIPT_NAME'] || ''
     end
 

data/lib/omniauth/version.rb

@@ -1,3 +1,3 @@
 module OmniAuth
-  VERSION = '2.0.0'.freeze
+  VERSION = '2.1.1'.freeze
 end

data/omniauth.gemspec

@@ -6,7 +6,7 @@ require 'omniauth/version'
 
 Gem::Specification.new do |spec|
   spec.add_dependency 'hashie', ['>= 3.4.6']
-  spec.add_dependency 'rack', ['>= 1.6.2', '< 3']
+  spec.add_dependency 'rack', '>= 2.2.3'
   spec.add_development_dependency 'bundler', '~> 2.0'
   spec.add_dependency 'rack-protection'
   spec.add_development_dependency 'rake', '~> 12.0'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Michael Bleigh
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2023-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hashie
@@ -32,20 +32,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.2
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.2
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -97,8 +91,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE.md"
+- ".github/workflows/jruby.yml"
 - ".github/workflows/main.yml"
+- ".github/workflows/truffle_ruby.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -107,6 +104,7 @@ files:
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth.rb
 - lib/omniauth/auth_hash.rb
 - lib/omniauth/authenticity_token_protection.rb
@@ -142,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.5
 requirements: []
-rubygems_version: 3.0.0
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: A generalized Rack framework for multiple-provider authentication.