osso 0.0.5 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13dd15fc9ae37a98f93fdf432534cfb91b04ad6838e799e12e7d77354a90aa0e
-  data.tar.gz: de98a03a7d7580e77b8a664c1bbfc6aba64ab95a46cd894bf09cdc7675d890e2
+  metadata.gz: c1ba94c32e61517dd429dd54e06ac24924ddb1245fff2c4dd1795d9e227972b4
+  data.tar.gz: bd239880638f0d8f344050c5fa92e110dc519c06e75321c28b3fa92e1860a2be
 SHA512:
-  metadata.gz: e92e3154859aed2e787d103d473c418aefca93560fb2d23be70fe8bfeef284acbcc9debb8e425ce8cb780ae987d7ef7cea94008400235aff41496af1f5177848
-  data.tar.gz: 62e8f00ceab23928294bdbc98f671d480e1c86886de4db9a72c8fadf48e280a250e7860669e33571c0ed761fbad37c51054c5931f06bd009f9bb499fb26f7ccd
+  metadata.gz: abb0e59b77e44230d47850e9e43d1a131a76694b6482706ce4d245f6832c823eeffebea468f75a4007e80ecf151271b5e9908e748e191b652c24c32984ff5c74
+  data.tar.gz: 12e250de2709aad8a60da53237a1489034d21f0caa05b084edabab93395266dd77060b0ad68a8d38956a9e8177315d3a35724a746aab04c438a3678194eeff4c

data/.buildkite/pipeline.yml

@@ -12,6 +12,7 @@ steps:
       - coverage/*
   
   - name: ":codeclimate:"
+    soft_fail: true
     plugins:
       - jobready/codeclimate-test-reporter#v2.0:
           artifact: "coverage/.resultset.json"
@@ -19,8 +20,8 @@ steps:
           prefix: '/var/lib/buildkite-agent/builds/enterprise-oss-bk-1/enterpriseoss/osso-rb/'
   
   - block: ":rubygems: Publish :red_button:"
-    branches: "main"
+    if: build.tag != null
   
   - name: "Push :rubygems:"
     commands: "./bin/publish"
-    branches: "main"
+    if: build.tag != null

data/.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  labels:
+    - "dependencies"

data/.github/workflows/automerge.yml

@@ -0,0 +1,19 @@
+name: auto-merge
+
+on:
+  pull_request:
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+        with:
+          target: minor
+          github-token: ${{ secrets.TOKEN }}
+      - uses: hmarr/auto-approve-action@v2.0.0
+        if: github.actor == 'dependabot[bot]'
+        with:
+          github-token: "${{ secrets.TOKEN }}"
+      

data/Gemfile

@@ -10,10 +10,10 @@ group :test do
   gem 'faker'
   gem 'pg'
   gem 'rack-test'
-  gem 'rspec', '~> 3.2'
+  gem 'rspec', '~> 3.10'
   gem 'rubocop'
   gem 'simplecov', '= 0.17', require: false
-  gem 'webmock', '~> 3.0'
+  gem 'webmock', '~> 3.11'
 end
 
 gemspec

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.5)
+    osso (0.0.9)
       activesupport (>= 6.0.3.2)
       bcrypt (~> 3.1.13)
       graphql
@@ -13,9 +13,9 @@ PATH
       rack-contrib
       rack-oauth2
       rake
-      rodauth (~> 2.5.0)
-      sequel (~> 5.37.0)
-      sequel-activerecord_connection (~> 0.3)
+      rodauth (>= 2.6, < 2.8)
+      sequel (>= 5.37, < 5.40)
+      sequel-activerecord_connection (>= 0.3, < 2.0)
       sinatra
       sinatra-activerecord
       sinatra-contrib
@@ -23,20 +23,22 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activerecord (6.0.3.4)
-      activemodel (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activesupport (6.0.3.4)
+    activemodel (6.1.0)
+      activesupport (= 6.1.0)
+    activerecord (6.1.0)
+      activemodel (= 6.1.0)
+      activesupport (= 6.1.0)
+    activesupport (6.1.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     aes_key_wrap (1.1.0)
+    after_commit_everywhere (0.1.5)
+      activerecord (>= 4.2)
     annotate (3.1.1)
       activerecord (>= 3.2, < 7.0)
       rake (>= 10.4, < 14.0)
@@ -55,7 +57,7 @@ GEM
     docile (1.3.2)
     factory_bot (6.1.0)
       activesupport (>= 5.0.0)
-    faker (2.14.0)
+    faker (2.15.1)
       i18n (>= 1.6, < 2)
     graphql (1.11.6)
     hashdiff (1.0.1)
@@ -64,7 +66,7 @@ GEM
     i18n (1.8.5)
       concurrent-ruby (~> 1.0)
     json (2.3.1)
-    json-jwt (1.13.0)
+    json-jwt (1.12.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
@@ -88,8 +90,8 @@ GEM
     omniauth-saml (1.10.3)
       omniauth (~> 1.3, >= 1.3.2)
       ruby-saml (~> 1.9)
-    parallel (1.19.2)
-    parser (2.7.2.0)
+    parallel (1.20.1)
+    parser (3.0.0.0)
       ast (~> 2.4.1)
     pg (1.2.3)
     pry (0.13.1)
@@ -97,7 +99,7 @@ GEM
       method_source (~> 1.0)
     public_suffix (4.0.6)
     rack (2.2.3)
-    rack-contrib (2.2.0)
+    rack-contrib (2.3.0)
       rack (~> 2.0)
     rack-oauth2 (1.16.0)
       activesupport
@@ -110,45 +112,46 @@ GEM
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (13.0.1)
-    regexp_parser (1.8.2)
+    rake (13.0.3)
+    regexp_parser (2.0.2)
     rexml (3.2.4)
-    roda (3.37.0)
+    roda (3.39.0)
       rack
-    rodauth (2.5.0)
+    rodauth (2.7.0)
       roda (>= 2.6.0)
       sequel (>= 4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.3)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.3)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.0)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.4)
-    rubocop (1.1.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.0)
+    rubocop (1.7.0)
       parallel (~> 1.10)
       parser (>= 2.7.1.5)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.0.1)
+      rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.1.0)
+    rubocop-ast (1.3.0)
       parser (>= 2.7.1.5)
     ruby-progressbar (1.10.1)
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
     ruby2_keywords (0.0.2)
-    sequel (5.37.0)
-    sequel-activerecord_connection (0.4.1)
+    sequel (5.39.0)
+    sequel-activerecord_connection (1.2.0)
       activerecord (>= 4.2, < 7)
+      after_commit_everywhere (~> 0.1.5)
       sequel (~> 5.16)
     simplecov (0.17.0)
       docile (~> 1.1)
@@ -169,16 +172,15 @@ GEM
       rack-protection (= 2.1.0)
       sinatra (= 2.1.0)
       tilt (~> 2.0)
-    thread_safe (0.3.6)
     tilt (2.0.10)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.3)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
-    webmock (3.9.3)
+    webmock (3.11.0)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    zeitwerk (2.4.1)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby
@@ -193,10 +195,10 @@ DEPENDENCIES
   pg
   pry
   rack-test
-  rspec (~> 3.2)
+  rspec (~> 3.10)
   rubocop
   simplecov (= 0.17)
-  webmock (~> 3.0)
+  webmock (~> 3.11)
 
 BUNDLED WITH
    2.1.4

data/Rakefile

@@ -4,6 +4,9 @@
 # to tell ActiveRecord where to find the database
 # schema and migrations
 
+ENV['SESSION_SECRET'] ||= 'rake-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
+
 require 'bundler/gem_tasks'
 require 'sinatra/activerecord/rake'
 require './lib/osso'

data/bin/console

@@ -1,6 +1,9 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+ENV['SESSION_SECRET'] ||= 'irb-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
+
 require 'bundler/setup'
 require 'osso'
 

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_11_12_160120) do
+ActiveRecord::Schema.define(version: 2020_11_25_143501) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "citext"
@@ -57,7 +57,7 @@ ActiveRecord::Schema.define(version: 2020_11_12_160120) do
     t.citext "email", null: false
     t.integer "status_id", default: 1, null: false
     t.string "role", default: "admin", null: false
-    t.uuid "oauth_client_id"
+    t.string "oauth_client_id"
     t.index ["email"], name: "index_accounts_on_email", unique: true, where: "(status_id = ANY (ARRAY[1, 2]))"
     t.index ["oauth_client_id"], name: "index_accounts_on_oauth_client_id"
   end

data/lib/osso.rb

@@ -2,7 +2,6 @@
 
 module Osso
   require_relative 'osso/error/error'
-  require_relative 'osso/helpers/helpers'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
   require_relative 'osso/lib/route_map'

data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb

@@ -0,0 +1,28 @@
+class AddSalesforceToProviderServiceEnum < ActiveRecord::Migration[6.0]
+  disable_ddl_transaction!
+
+  def up
+    execute <<-SQL
+      ALTER TYPE identity_provider_service ADD VALUE 'SALESFORCE';
+    SQL
+  end
+  
+  def down
+    execute <<~SQL
+      CREATE TYPE identity_provider_service_new AS ENUM ('AZURE', 'OKTA', 'ONELOGIN', 'GOOGLE', 'PING');
+
+      -- Remove values that won't be compatible with new definition
+      DELETE FROM identity_providers WHERE service = 'SALESFORCE';
+      
+      -- Convert to new type, casting via text representation
+      ALTER TABLE identity_providers 
+        ALTER COLUMN service TYPE identity_provider_service_new 
+          USING (service::text::identity_provider_service_new);
+      
+      -- and swap the types
+      DROP TYPE identity_provider_service;
+      
+      ALTER TYPE identity_provider_service_new RENAME TO identity_provider_service;
+    SQL
+  end
+end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -9,6 +9,7 @@ module Osso
         value('OKTA', 'Okta Identity Provider', value: 'OKTA')
         value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
         value('PING', 'PingID Identity Provider', value: 'PING')
+        value('SALESFORCE', 'Salesforce Identity Provider', value: 'SALESFORCE')
       end
     end
   end

data/lib/osso/lib/app_config.rb

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
 
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/models/identity_provider.rb

@@ -30,6 +30,7 @@ module Osso
           idp_sso_target_url: sso_url,
           idp_cert: sso_cert,
           issuer: sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         }
       end
 

data/lib/osso/routes/admin.rb

@@ -8,18 +8,43 @@ DEFAULT_VIEWS_DIR = File.join(File.expand_path(Bundler.root), 'views/rodauth')
 module Osso
   class Admin < Roda
     DB = Sequel.postgres(extensions: :activerecord_connection)
-    use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
-
+    use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+    
+    plugin :json
     plugin :middleware
     plugin :render, engine: 'erb', views: ENV['RODAUTH_VIEWS'] || DEFAULT_VIEWS_DIR
     plugin :route_csrf
 
     plugin :rodauth do
-      enable :login, :verify_account
+      enable :login, :verify_account, :jwt
+
+      base_uri = URI.parse(ENV.fetch('BASE_URL'))
+      base_url base_uri
+      domain base_uri.host
+
+      jwt_secret ENV.fetch('SESSION_SECRET')
+      only_json? false
+
+      email_from { "Osso <no-reply@#{domain}>" }
       verify_account_set_password? true
-      already_logged_in { redirect login_redirect }
       use_database_authentication_functions? false
 
+      verify_account_view do
+        render :admin
+      end
+
+      login_view do
+        render :admin
+      end
+
+      verify_account_email_subject do
+        DB[:accounts].one? ? 'Your Osso instance is ready' : 'You\'ve been invited to start using Osso'
+      end
+
+      verify_account_email_body do
+        DB[:accounts].one? ? render('verify-first-account-email') : render('verify-account-email')
+      end
+
       before_create_account_route do
         request.halt unless DB[:accounts].empty?
       end
@@ -31,13 +56,16 @@ module Osso
       r.rodauth
 
       def current_account
-        Osso::Models::Account.find(rodauth.session['account_id']).
-          context.
+        Osso::Models::Account.find(
+          rodauth.
+          session.
+          to_hash.
+          stringify_keys['account_id']
+        ).context.
           merge({ rodauth: rodauth })
       end
 
       r.on 'admin' do
-        rodauth.require_authentication
         erb :admin, layout: false
       end
 

data/lib/osso/routes/oauth.rb

@@ -16,13 +16,14 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        identity_providers = find_providers
-
         validate_oauth_request(env)
 
-        redirect "/auth/saml/#{identity_providers.first.id}" if identity_providers.one?
+        return erb :hosted_login if render_hosted_login?
+
+        @providers = find_providers
+
+        redirect "/auth/saml/#{@providers.first.id}" if @providers.one?
 
-        @providers = identity_providers.not_pending
         return erb :multiple_providers if @providers.count > 1
 
         raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
@@ -61,6 +62,10 @@ module Osso
 
     private
 
+    def render_hosted_login?
+      [params[:email], params[:domain]].all?(&:nil?)
+    end
+
     def find_providers
       if params[:email]
         user = Osso::Models::User.
@@ -71,6 +76,7 @@ module Osso
 
       Osso::Models::IdentityProvider.
         joins(:oauth_client).
+        not_pending.
         where(
           domain: domain_from_params,
           oauth_clients: { identifier: params[:client_id] },

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.5'
+  VERSION = '0.0.10'
 end

data/lib/tasks/bootstrap.rake

@@ -18,13 +18,20 @@ namespace :osso do
     admin_email = ENV['ADMIN_EMAIL']
 
     if admin_email
-      admin = Osso::Models::Account.create!(
+      admin = Osso::Models::Account.create(
         email: admin_email,
         status_id: 1,
         role: 'admin',
       )
 
-      rodauth = Osso::Admin.rodauth.new(Osso::Admin.new({}))
+      base_uri = URI.parse(ENV['BASE_URL'])
+
+      rodauth = Osso::Admin.rodauth.new(Osso::Admin.new({
+        'HTTP_HOST' => base_uri.host,
+        'SERVER_NAME' => base_uri.to_s,
+        'rack.url_scheme' => base_uri.scheme
+      }))
+
       account = rodauth.account_from_login(admin_email)
       rodauth.setup_account_verification
     end

data/osso-rb.gemspec

@@ -26,9 +26,9 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rack-contrib'
   spec.add_runtime_dependency 'rack-oauth2'
   spec.add_runtime_dependency 'rake'
-  spec.add_runtime_dependency 'rodauth', '~> 2.5.0'
-  spec.add_runtime_dependency 'sequel', '~> 5.37.0'
-  spec.add_runtime_dependency 'sequel-activerecord_connection', '~> 0.3'
+  spec.add_runtime_dependency 'rodauth', '>= 2.6', '< 2.8'
+  spec.add_runtime_dependency 'sequel', '>= 5.37', '< 5.40'
+  spec.add_runtime_dependency 'sequel-activerecord_connection', '>= 0.3', '< 2.0'
   spec.add_runtime_dependency 'sinatra'
   spec.add_runtime_dependency 'sinatra-activerecord'
   spec.add_runtime_dependency 'sinatra-contrib'

data/spec/models/identity_provider_spec.rb

@@ -66,6 +66,7 @@ describe Osso::Models::IdentityProvider do
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
           issuer: subject.sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         )
     end
   end

data/spec/routes/admin_spec.rb

@@ -4,23 +4,41 @@ require 'spec_helper'
 
 describe Osso::Admin do
   describe 'get /admin' do
-    it 'redirects to /login without a session' do
+    it 'renders the admin layout' do
       get('/admin')
 
-      expect(last_response).to be_redirect
-      follow_redirect!
-      expect(last_request.url).to match('/login')
+      expect(last_response).to be_ok
     end
+  end
 
-    xit 'renders the admin page for a valid session token' do
-      password = SecureRandom.urlsafe_base64(16)
-      account = create(:verified_account, password: password)
+  describe 'post /graphql' do
+    let(:account) { create(:account) }
 
-      post('/login', { email: account.email, password: password })
+    it 'runs a GraphQL query with a valid jwt' do
+      allow_any_instance_of(described_class.rodauth).to receive(:logged_in?).and_return(true)
+      allow(Osso::Models::Account).to receive(:find).and_return(account)
+      allow(Osso::GraphQL::Schema).to receive(:execute).and_return({graphql: true})
 
-      get('/admin')
+      header 'Content-Type', 'application/json'
+      post("/graphql")
 
       expect(last_response).to be_ok
+      expect(last_json_response).to eq({graphql: true})
+    end
+
+    it 'returns a 400 for an invalid jwt' do
+      header 'Content-Type', 'application/json'
+      header 'Authorization', 'Bearer bad-token'
+      post("/graphql")
+
+      expect(last_response.status).to eq 400
+    end
+    
+    it 'returns a 401 without a jwt' do
+      header 'Content-Type', 'application/json'
+      post("/graphql")
+
+      expect(last_response.status).to eq 401
     end
   end
 end

data/spec/routes/oauth_spec.rb

@@ -27,6 +27,20 @@ describe Osso::Oauth do
         end
       end
 
+      describe 'for a request without email or domain' do
+        it 'redirects to /auth/saml/:provider_id' do
+          get(
+            '/oauth/authorize',
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response).to be_ok
+          expect(last_response.body).to eq('HOSTED LOGIN')
+        end
+      end
+
       describe 'for an enterprise domain with one SAML provider' do
         it 'redirects to /auth/saml/:provider_id' do
           enterprise = create(:enterprise_with_okta, oauth_client: client)

data/spec/support/views/hosted_login.erb

@@ -0,0 +1 @@
+HOSTED LOGIN

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.10
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-16 00:00:00.000000000 Z
+date: 2020-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -168,44 +168,62 @@ dependencies:
   name: rodauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.6'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.5.0
+        version: '2.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.5.0
+        version: '2.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.37'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 5.37.0
+        version: '5.40'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.37'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 5.37.0
+        version: '5.40'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -305,6 +323,8 @@ files:
 - ".buildkite/hooks/pre-command"
 - ".buildkite/pipeline.yml"
 - ".buildkite/template.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/automerge.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -350,6 +370,7 @@ files:
 - lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb
 - lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb
 - lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb
+- lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb
 - lib/osso/error/account_configuration_error.rb
 - lib/osso/error/error.rb
 - lib/osso/error/missing_saml_attribute_error.rb
@@ -392,8 +413,6 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/helpers/auth.rb
-- lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
@@ -442,7 +461,6 @@ files:
 - spec/models/enterprise_account_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
-- spec/routes/app_spec.rb
 - spec/routes/auth_spec.rb
 - spec/routes/oauth_spec.rb
 - spec/spec_helper.rb
@@ -450,6 +468,7 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/hosted_login.erb
 - spec/support/views/layout.erb
 - spec/support/views/multiple_providers.erb
 homepage: https://github.com/enterprise-oss/osso-rb

data/lib/osso/helpers/auth.rb

@@ -1,94 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Helpers
-    module Auth
-      END_USER_SCOPE = 'end-user'
-      INTERNAL_SCOPE = 'internal'
-      ADMIN_SCOPE    = 'admin'
-
-      attr_accessor :current_user
-
-      def token_protected!
-        decode(token)
-      rescue JWT::DecodeError
-        halt 401
-      end
-
-      def enterprise_protected!(domain = nil)
-        return if admin_authorized?
-        return if internal_authorized?
-        return if enterprise_authorized?(domain)
-
-        halt 401 if request.post?
-
-        redirect ENV['JWT_URL']
-      end
-
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
-      def admin_protected!
-        return true if admin_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
-      private
-
-      def enterprise_authorized?(domain)
-        decode(token)
-
-        @current_user[:scope] == END_USER_SCOPE &&
-          @current_user[:email].split('@')[1] == domain
-      rescue JWT::DecodeError
-        false
-      end
-
-      def internal_authorized?
-        decode(token)
-
-        @current_user[:scope] == INTERNAL_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-
-      def admin_authorized?
-        decode(token)
-
-        @current_user[:scope] == ADMIN_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-
-      def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
-      end
-
-      def chomp_token
-        return unless request['admin_token'].present?
-
-        session['admin_token'] = request['admin_token']
-
-        return if request.post?
-
-        redirect request.path
-      end
-
-      def decode(token)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
-
-        @current_user = payload.symbolize_keys
-      end
-    end
-  end
-end

data/lib/osso/helpers/helpers.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Helpers
-  end
-end
-
-require_relative 'auth'

data/spec/routes/app_spec.rb

@@ -1,6 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'App' do
-end