prx_auth-rails 4.0.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1eed8329985438f59a1adc529c8e33748cbfca9becbd285475385c16b25639e6
-  data.tar.gz: 0a065d8fdf1e4d077fdd43da82cc37c3110ada401d31e6eadb5e154ae7001c6f
+  metadata.gz: d46435a82e0473d353a1f1849bfcedfb4db925e5a1bce443a8043ca948bfda69
+  data.tar.gz: b867f26410a93aee077e2bad3515b2fb9fb0ee4a9499cbb6bdaef9287639c158
 SHA512:
-  metadata.gz: 9f45b17435edca7e49910164e330eea45df6c466514b700af6f04182e7df99748d3978911cd777325fb9142e4e9f0e1723bec10917eeea8c04b54b4c98c521b1
-  data.tar.gz: 1dffecbaef3bf75a75759f6312a9acfb3442e5a6ff7b4354abc9e8b19816618f5fe57fd515317cfa03eaf7da0b231c2489b30c3a1f1aab2eca93f9a3e3b17d6b
+  metadata.gz: 308dd3bc5e3eacf014613bac983b097d677f823d60185eb76303345d698f1096e2fa7e24ad74b2f7bf5a2eef4a3222a9bf9ec51a28c1d82698bad48de8d500ad
+  data.tar.gz: b2bf8e7fe515a27e970a4612b7075564366f0a0270c62dca1602e6d51d1dceb7ffe4d5e2143927126bb02b4335bcd09dac501f950c5511cf456c4ffaa309cd42

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -10,19 +10,29 @@ module PrxAuth::Rails
     before_action :set_after_sign_in_path
 
     ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'
+    DEFAULT_SCOPES = 'openid apps'
 
     def new
       config = PrxAuth::Rails.configuration
 
+      scope =
+        if config.prx_scope.present?
+          "#{DEFAULT_SCOPES} #{config.prx_scope}"
+        else
+          DEFAULT_SCOPES
+        end
+
       id_auth_params = {
         client_id: config.prx_client_id,
         nonce: fetch_nonce,
         response_type: 'id_token token',
-        scope: 'openid apps',
+        scope: scope,
         prompt: 'necessary'
       }
 
-      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+      url = '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+
+      redirect_to url, allow_other_host: true
     end
 
     def show
@@ -44,7 +54,7 @@ module PrxAuth::Rails
         redirect_to after_sign_in_path_for(current_user)
       else
         clear_nonce!
-        redirect_to auth_error_sessions_path(error: 'verification_failed')
+        redirect_to auth_error_sessions_path(error: params[:error] || 'unknown_error')
       end
     end
 

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -2,6 +2,7 @@
   <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
       <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
       <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= hidden_field_tag :error, '', id: 'error-field' %>
       <%= f.submit id: 'sessions-form-submit' %>
   <% end %>
 </div>
@@ -23,14 +24,16 @@
   }
 
 window.addEventListener("load", () => {
-  var idToken = document.querySelector("#id-token-field");
   var accessToken = document.querySelector("#access-token-field");
+  var idToken = document.querySelector("#id-token-field");
+  var error = document.querySelector("#error-field");
   var submit = document.querySelector("input#sessions-form-submit[type=submit]");
 
   var hashParams = parseURLFragment();
 
   accessToken.value = hashParams['access_token'];
   idToken.value = hashParams['id_token'];
+  error.value = hashParams['error'];
 
   submit.click();
 });

data/lib/prx_auth/rails/configuration.rb

@@ -2,6 +2,7 @@ class PrxAuth::Rails::Configuration
   attr_accessor :install_middleware,
                 :namespace,
                 :prx_client_id,
+                :prx_scope,
                 :id_host,
                 :cert_path
 
@@ -11,6 +12,7 @@ class PrxAuth::Rails::Configuration
   def initialize
     @install_middleware = true
     @prx_client_id = nil
+    @prx_scope = nil
     @id_host = DEFAULT_ID_HOST
     @cert_path = DEFAULT_CERT_PATH
 

data/lib/prx_auth/rails/ext/controller.rb

@@ -52,7 +52,10 @@ module PrxAuth
       end
 
       def current_user_info
-        session[PRX_USER_INFO_SESSION_KEY] ||= fetch_userinfo
+        session[PRX_USER_INFO_SESSION_KEY] ||= begin
+          info = fetch_userinfo
+          info.slice('name', 'preferred_username', 'email', 'image_href', 'apps')
+        end
       end
 
       def current_user_name
@@ -87,7 +90,7 @@ module PrxAuth
       end
 
       def account_name_for(account_id)
-        account_for(account_id).try(:[], :name)
+        account_for(account_id).try(:[], 'name')
       end
 
       def account_for(account_id)
@@ -107,7 +110,8 @@ module PrxAuth
         missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
         if missing.present?
           fetch_accounts(missing).each do |account|
-            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+            minimal = account.slice('name', 'type')
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = minimal
           end
         end
 

data/lib/prx_auth/rails/version.rb

@@ -2,6 +2,6 @@
 
 module PrxAuth
   module Rails
-    VERSION = '4.0.0'
+    VERSION = '4.1.0'
   end
 end

data/test/prx_auth/rails/configuration_test.rb

@@ -7,6 +7,7 @@ describe PrxAuth::Rails::Configuration do
   it 'initializes with defaults' do
     assert subject.install_middleware
     assert_nil subject.prx_client_id
+    assert_nil subject.prx_scope
     assert_equal 'id.prx.org', subject.id_host
     assert_equal 'api/v1/certs', subject.cert_path
   end
@@ -20,6 +21,7 @@ describe PrxAuth::Rails::Configuration do
       PrxAuth::Rails.configure do |config|
         config.install_middleware = false
         config.prx_client_id = 'some-id'
+        config.prx_scope = 'appname:*'
         config.id_host = 'id.prx.blah'
         config.cert_path = 'cert/path'
         config.namespace = :new_test
@@ -28,6 +30,7 @@ describe PrxAuth::Rails::Configuration do
 
     refute subject.install_middleware
     assert_equal 'some-id', subject.prx_client_id
+    assert_equal 'appname:*', subject.prx_scope
     assert_equal 'id.prx.blah', subject.id_host
     assert_equal 'cert/path', subject.cert_path
     assert_equal :new_test, subject.namespace

data/test/prx_auth/rails/ext/controller_test.rb

@@ -71,7 +71,7 @@ module PrxAuth::Rails::Ext
           to_return(status: 200, body: JSON.generate(body))
 
         assert session[@user_info_key] == nil
-        assert_equal @controller.current_user_info, body
+        assert_equal @controller.current_user_info, body.slice('name', 'apps')
         refute session[@user_info_key] == nil
         assert_equal @controller.current_user_name, 'Some Username'
         assert_equal @controller.current_user_apps, {'PRX Publish' => 'https://publish.prx.test'}
@@ -117,15 +117,18 @@ module PrxAuth::Rails::Ext
         three = {'id' => 3, 'type' => 'GroupAccount', 'name' => 'Three'}
         body = {'_embedded' => {'prx:items' => [one, three]}}
 
+        min_one = one.slice('name', 'type')
+        min_three = three.slice('name', 'type')
+
         id_host = PrxAuth::Rails.configuration.id_host
         stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3").
           to_return(status: 200, body: JSON.generate(body))
 
         assert_nil session[@account_mapping_key]
-        assert_equal @controller.accounts_for([1, 2, 3]), [one, nil, three]
+        assert_equal @controller.accounts_for([1, 2, 3]), [min_one, nil, min_three]
         refute_nil session[@account_mapping_key]
-        assert_equal @controller.account_for(1), one
-        assert_equal @controller.account_for(3), three
+        assert_equal @controller.account_for(1), min_one
+        assert_equal @controller.account_for(3), min_three
         assert_equal @controller.account_name_for(1), 'One'
         assert_equal @controller.account_name_for(3), 'Three'
       end
@@ -152,12 +155,16 @@ module PrxAuth::Rails::Ext
         session[@account_mapping_key] = {1 => one, 3 => three}
         body = {'_embedded' => {'prx:items' => [two]}}
 
+        min_one = one.slice('name', 'type')
+        min_two = two.slice('name', 'type')
+        min_three = three.slice('name', 'type')
+
         id_host = PrxAuth::Rails.configuration.id_host
         stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
           to_return(status: 200, body: JSON.generate(body))
 
-        assert_equal @controller.accounts_for([1, 2, 3]), [one, two, three]
-        assert_equal @controller.account_for(2), two
+        assert_equal @controller.accounts_for([1, 2, 3]), [min_one, min_two, min_three]
+        assert_equal @controller.account_for(2), min_two
         assert_equal @controller.account_name_for(2), 'Two'
       end
     end

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -82,6 +82,7 @@ module PrxAuth::Rails
 
     test 'should respond with redirect to the auth error page / code if the nonce does not match' do
       @controller.stub(:validate_token, @stub_claims) do
+        @token_params[:error] = 'verification_failed'
         session[@nonce_session_key] = 'nonce-does-not-match'
         post :create, params: @token_params, format: :json
         assert response.code == '302'
@@ -105,6 +106,7 @@ module PrxAuth::Rails
       @controller.stub(:id_claims, @stub_claims) do
         @controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
 
+          @token_params[:error] = 'verification_failed'
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.1.0
 platform: ruby
 authors:
 - Chris Rhoden
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-06 00:00:00.000000000 Z
+date: 2023-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack