osso 0.0.3.15 → 0.0.3.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a63fecde3c20b225ac8f4f52dfa33cbbbcc768337b43b38d3e482e7a6d38806a
-  data.tar.gz: 0ef7c41aef96e4b8299481a5cd9ca7f43c1b59b2ef846b813f9e8aa41957530e
+  metadata.gz: 6e33fd333f7c329404b9a9bdeb62551629b38a8b615b6aef556bc4b4c0ca2a03
+  data.tar.gz: e8c21ea78f2f33e5b6497c85148ff67221949ded6c34380dcb48a6eb450d6dc6
 SHA512:
-  metadata.gz: cca50c6661352e1f076b747d90038796ba9f76590c9baa18e05128d2bc891a7f7de1090541f464814f28eacb713e0ed8f65fac34ac78a636674000df64092e1f
-  data.tar.gz: a290b9403984ef9d454529008b62be363a1409cf5ff398a7db7e74f7a99e84f4fadb5c54fb7f939243496a863a4a155c841bf92101e1357dae4cbc2ae51a4f96
+  metadata.gz: 76779ec670e1a6c12589a3b2a1f319e8855ba8770a83489787d56c43bb8a23aa9a75ee9b9864dfce76f54061e3829ce639214ba5f5a4c7c8efc699e1776801a6
+  data.tar.gz: 356194bce279f215d58ea36e0e7e188c4ee134a4a4b55ce435fdee255caf23c39974f0b87a305e332a84b7aaf519db6ee13525beecd47117b9f9ebbd765679e3

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.15)
+    osso (0.0.3.16)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -66,7 +66,7 @@ GEM
     method_source (1.0.0)
     mini_portile2 (2.4.0)
     minitest (5.14.1)
-    multi_json (1.14.1)
+    multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nokogiri (1.10.9)

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -31,7 +31,7 @@ module Osso
 
         def update_existing(oauth_client, redirect_uris)
           oauth_client.redirect_uris.each do |redirect|
-            updating_index = redirect_uris.index{ |incoming| incoming[:id] == redirect.id }
+            updating_index = redirect_uris.index { |incoming| incoming[:id] == redirect.id }
 
             if updating_index
               updating = redirect_uris.delete_at(updating_index)

data/lib/osso/models/redirect_uri.rb

@@ -4,17 +4,6 @@ module Osso
   module Models
     class RedirectUri < ActiveRecord::Base
       belongs_to :oauth_client
-
-      # TODO
-      # before_validation :set_primary, on: :creaet, :update
-
-      private
-
-      def set_primary
-        if primary_was.true? && primary.false?
-
-        end
-      end
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -14,10 +14,6 @@ module Osso
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
 
-    def self.internal_redirect?(env)
-      env['HTTP_REFERER']&.match(env['SERVER_NAME'])
-    end
-
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
@@ -26,8 +22,8 @@ module Osso
         path_prefix: '/auth/saml',
         callback_suffix: 'callback',
       ) do |identity_provider_id, _env|
-        provider = Models::IdentityProvider.find(identity_provider_id)
-        provider.saml_options
+        Models::IdentityProvider.find(identity_provider_id).
+          saml_options
       end
     end
 
@@ -36,11 +32,10 @@ module Osso
       # their Identity Provider. We find or create a user record,
       # and then create an authorization code for that user. The user
       # is redirected back to your application with this code
-      # as a URL query param, which you then exhange for an access token
+      # as a URL query param, which you then exchange for an access token.
       post '/saml/:id/callback' do
         provider = Models::IdentityProvider.find(params[:id])
-        oauth_client = provider.oauth_client
-        redirect_uri = env['redirect_uri'] || oauth_client.primary_redirect_uri.uri
+        @oauth_client = provider.oauth_client
 
         attributes = env['omniauth.auth']&.
           extra&.
@@ -56,11 +51,29 @@ module Osso
         end
 
         authorization_code = user.authorization_codes.create!(
-          oauth_client: oauth_client,
+          oauth_client: @oauth_client,
           redirect_uri: redirect_uri,
         )
 
-        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        # Mark IDP as active
+
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
+      end
+
+      def redirect_uri
+        return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
+
+        session[:osso_oauth_redirect_uri]
+      end
+
+      def provider_state
+        return 'IDP_INITIATED' if valid_idp_initiated_flow
+
+        session[:osso_oauth_state]
+      end
+
+      def valid_idp_initiated_flow
+        !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
       end
     end
   end

data/lib/osso/routes/oauth.rb

@@ -6,7 +6,7 @@ module Osso
   class Oauth < Sinatra::Base
     include AppConfig
     register Sinatra::Namespace
-    # rubocop:disable Metrics/BlockLength
+
     namespace '/oauth' do
       # Send your users here in order to being an authentication
       # flow. This flow follows the authorization grant oauth
@@ -19,11 +19,11 @@ module Osso
 
         Rack::OAuth2::Server::Authorize.new do |req, _res|
           client = Models::OauthClient.find_by!(identifier: req.client_id)
-          req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
         end.call(env)
 
         if @enterprise.single_provider?
-          session[:oauth_state] = params[:state]
+          session[:osso_oauth_state] = params[:state]
           redirect "/auth/saml/#{@enterprise.provider.id}"
         end
 
@@ -35,9 +35,10 @@ module Osso
         return erb :error
       end
 
-      # Exchange an authorization code token for an access token.
-      # In addition to the token, you must include all paramaters
-      # required by Oauth spec: redirect_uri, client ID, and client secret
+      # Exchange an authorization code for an access token.
+      # In addition to the authorization code, you must include all 
+      # paramaters required by OAuth spec: redirect_uri, client ID, 
+      # and client secret
       post '/token' do
         Rack::OAuth2::Server::Token.new do |req, res|
           code = Models::AuthorizationCode.
@@ -60,4 +61,3 @@ module Osso
     end
   end
 end
-# rubocop:enable Metrics/BlockLength

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.15'
+  VERSION = '0.0.3.16'
 end

data/spec/routes/auth_spec.rb

@@ -63,6 +63,24 @@ describe Osso::Auth do
             )
           end.to change { Osso::Models::AuthorizationCode.count }.by(1)
         end
+
+        describe 'for an IDP initiated login' do
+          it 'redirects with a default state' do
+            mock_saml_omniauth
+
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+            expect(last_response).to be_redirect
+            follow_redirect!
+            expect(last_request.url).to match(/.*state=IDP_INITIATED$/)
+          end
+        end
       end
 
       describe 'on subsequent authentications' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.15
+  version: 0.0.3.16
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-15 00:00:00.000000000 Z
+date: 2020-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport