rack-oauth2 1.17.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ea33651fcefd142210b8b6c275eb6a3c6096274796ef3070a5fa87da18433a6
-  data.tar.gz: 284e253fbefbe51cc1d645ec348584160c6f4363251f908ea536d1796b3444e5
+  metadata.gz: f2c3515e2af90285deab9032fece3d0ef8c7445405cc1cce705160c19fb2052b
+  data.tar.gz: e95c0fca744d8d12d97e1be23ff48cb00250d92a536de03382021e73e809c737
 SHA512:
-  metadata.gz: ae2c8ced737f24a116a0b484d745477e8e4b03732e5a7147428e4d63fee61518ca43a705020817b09311ac030267e1b55ab072f421b26a90292482945c9b3bd3
-  data.tar.gz: 2e70af95a0040f956e3de8d918d50c3322107f68cb7a5af25a9987cac914c40d6453202e97e42395bf1707e78b65987f0b059b9c77bf3421070ee6f51a2dddd3
+  metadata.gz: 6c2a9ddb2f9b4b9d18c337d678bf88d660f3597d09ec9d63195062cd1c5fc0a3c5105135f51aa1f4efef4e64b9e66c2a6f36dc6b4037b5c09cefbace858ce67e
+  data.tar.gz: e0add9d0227669a3cfd6e11c208bc36f89c13ec8cda2ab2352bb9b0d29ee0ac59b266aee90732c4e756895fc8d66ebaefdd4defe5342392e67e08d9022514da9

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/spec.yml

@@ -0,0 +1,31 @@
+name: Spec
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04', 'ubuntu-22.04']
+        ruby-version: ['3.1', '3.2', '3.3']
+        include:
+        - os: 'ubuntu-20.04'
+          ruby-version: '3.0'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -0,0 +1,31 @@
+## [Unreleased]
+
+## [2.2.0] - 2022-10-11
+
+### Changed
+
+- automatic json response decoding, and remove legacy token support by @nov in https://github.com/nov/rack-oauth2/pull/95
+
+## [2.1.0] - 2022-10-10
+
+### Added
+
+- accept local_http_config on Rack::OAuth2::Client#access_token! & revoke!  to support custom headers etc. by @nov in https://github.com/nov/rack-oauth2/pull/93
+
+## [2.0.1] - 2022-10-09
+
+### Fixed
+
+- changes for mTLS on faraday by @nov in https://github.com/nov/rack-oauth2/pull/92
+
+## [2.0.0] - 2022-10-09
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+- Switch from httpclient to faraday v2 https://github.com/nov/rack-oauth2/pull/91
+- make url-encoded the default https://github.com/nov/rack-oauth2/commit/98faf139be4f5bf9ec6134d31f65a298259d8a8b
+- let faraday encode params https://github.com/nov/rack-oauth2/commit/f399b3afb8facb3635b8842baee8584bc4d3ce73

data/README.rdoc

@@ -1,9 +1,7 @@
 = rack-oauth2
 
 OAuth 2.0 Server & Client Library.
-Both Bearer and MAC token type are supported.
-
-{<img src="https://secure.travis-ci.org/nov/rack-oauth2.png" />}[http://travis-ci.org/nov/rack-oauth2]
+Both Bearer token type are supported.
 
 The OAuth 2.0 Authorization Framework (RFC 6749)
 http://www.rfc-editor.org/rfc/rfc6749.txt
@@ -11,9 +9,6 @@ http://www.rfc-editor.org/rfc/rfc6749.txt
 The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
 http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06
 
-HTTP Authentication: MAC Access Authentication (draft 01)
-http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
-
 == Installation
 
   gem install rack-oauth2
@@ -31,31 +26,17 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
 Source on GitHub
 https://github.com/nov/rack-oauth2-sample
 
-=== MAC
-
-Source on GitHub
-https://github.com/nov/rack-oauth2-sample-mac
-
 == Sample Client
 
-=== Common between Bearer and MAC
-
 Authorization Request (request_type: 'code' and 'token')
 https://gist.github.com/862393
 
 Token Request (grant_type: 'client_credentials', 'password', 'authorization_code' and 'refresh_token')
 https://gist.github.com/883541
 
-=== Bearer
-
 Resource Request (request both for resource owner resource and for client resource)
 https://gist.github.com/883575
 
-=== MAC
-
-Resource Request (request both for resource owner resource and for client resource)
-https://gist.github.com/933885
-
 == Note on Patches/Pull Requests
 
 * Fork the project.

data/VERSION

@@ -1 +1 @@
-1.17.0
+2.2.1

data/lib/rack/oauth2/access_token/authenticator.rb

@@ -6,18 +6,9 @@ module Rack
           @token = token
         end
 
-        # Callback called in HTTPClient (before sending a request)
-        # request:: HTTP::Message
-        def filter_request(request)
+        def authenticate(request)
           @token.authenticate(request)
         end
-
-        # Callback called in HTTPClient (after received a response)
-        # response:: HTTP::Message
-        # request::  HTTP::Message
-        def filter_response(response, request)
-          # nothing to do
-        end
       end
     end
   end

data/lib/rack/oauth2/access_token/bearer.rb

@@ -3,7 +3,7 @@ module Rack
     class AccessToken
       class Bearer < AccessToken
         def authenticate(request)
-          request.header["Authorization"] = "Bearer #{access_token}"
+          request.headers["Authorization"] = "Bearer #{access_token}"
         end
 
         def to_mtls(attributes = {})

data/lib/rack/oauth2/access_token/mtls.rb

@@ -7,8 +7,8 @@ module Rack
         def initialize(attributes = {})
           super
           self.token_type = :bearer
-          httpclient.ssl_config.client_key = private_key
-          httpclient.ssl_config.client_cert = certificate
+          http_client.ssl.client_key = private_key
+          http_client.ssl.client_cert = certificate
         end
       end
     end

data/lib/rack/oauth2/access_token.rb

@@ -5,7 +5,7 @@ module Rack
       attr_required :access_token, :token_type
       attr_optional :refresh_token, :expires_in, :scope
       attr_accessor :raw_attributes
-      delegate :get, :patch, :post, :put, :delete, to: :httpclient
+      delegate :get, :patch, :post, :put, :delete, to: :http_client
 
       alias_method :to_s, :access_token
 
@@ -18,9 +18,9 @@ module Rack
         attr_missing!
       end
 
-      def httpclient
-        @httpclient ||= Rack::OAuth2.http_client("#{self.class} (#{VERSION})") do |config|
-          config.request_filter << Authenticator.new(self)
+      def http_client
+        @http_client ||= Rack::OAuth2.http_client("#{self.class} (#{VERSION})") do |faraday|
+          Authenticator.new(self).authenticate(faraday)
         end
       end
 
@@ -39,6 +39,4 @@ end
 
 require 'rack/oauth2/access_token/authenticator'
 require 'rack/oauth2/access_token/bearer'
-require 'rack/oauth2/access_token/mac'
-require 'rack/oauth2/access_token/legacy'
 require 'rack/oauth2/access_token/mtls'

data/lib/rack/oauth2/client.rb

@@ -3,7 +3,7 @@ module Rack
     class Client
       include AttrRequired, AttrOptional
       attr_required :identifier
-      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint
+      attr_optional :secret, :private_key, :certificate, :redirect_uri, :scheme, :host, :port, :authorization_endpoint, :token_endpoint, :revocation_endpoint
 
       def initialize(attributes = {})
         (required_attributes + optional_attributes).each do |key|
@@ -69,17 +69,76 @@ module Rack
       end
 
       def access_token!(*args)
-        headers, params = {}, @grant.as_json
+        headers, params, http_client, options = authenticated_context_from(*args)
+        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
+        params.merge! @grant.as_json
+        params.merge! options
+        handle_response do
+          http_client.post(
+            absolute_uri_for(token_endpoint),
+            Util.compact_hash(params),
+            headers
+          ) do |req|
+            yield req if block_given?
+          end
+        end
+      end
+
+      def revoke!(*args)
+        headers, params, http_client, options = authenticated_context_from(*args)
+
+        params.merge! case
+        when access_token = options.delete(:access_token)
+          {
+            token: access_token,
+            token_type_hint: :access_token
+          }
+        when refresh_token = options.delete(:refresh_token)
+          {
+            token: refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when @grant.is_a?(Grant::RefreshToken)
+          {
+            token: @grant.refresh_token,
+            token_type_hint: :refresh_token
+          }
+        when options[:token].blank?
+          raise ArgumentError, 'One of "token", "access_token" and "refresh_token" is required'
+        end
+        params.merge! options
+
+        handle_revocation_response do
+          http_client.post(
+            absolute_uri_for(revocation_endpoint),
+            Util.compact_hash(params),
+            headers
+          ) do |req|
+            yield req if block_given?
+          end
+        end
+      end
+
+      private
+
+      def absolute_uri_for(endpoint)
+        _endpoint_ = Util.parse_uri endpoint
+        _endpoint_.scheme ||= self.scheme || 'https'
+        _endpoint_.host ||= self.host
+        _endpoint_.port ||= self.port
+        raise 'No Host Info' unless _endpoint_.host
+        _endpoint_.to_s
+      end
+
+      def authenticated_context_from(*args)
+        headers, params = {}, {}
         http_client = Rack::OAuth2.http_client
 
         # NOTE:
         #  Using Array#extract_options! for backward compatibility.
         #  Until v1.0.5, the first argument was 'client_auth_method' in scalar.
         options = args.extract_options!
-        client_auth_method = args.first || options.delete(:client_auth_method).try(:to_sym) || :basic
-
-        params[:scope] = Array(options.delete(:scope)).join(' ') if options[:scope].present?
-        params.merge! options
+        client_auth_method = args.first || options.delete(:client_auth_method)&.to_sym || :basic
 
         case client_auth_method
         when :basic
@@ -100,9 +159,11 @@ module Rack
             client_assertion_type: URN::ClientAssertionType::JWT_BEARER
           )
           # NOTE: optionally auto-generate client_assertion.
-          if params[:client_assertion].blank?
+          params[:client_assertion] = if options[:client_assertion].present?
+            options.delete(:client_assertion)
+          else
             require 'json/jwt'
-            params[:client_assertion] = JSON::JWT.new(
+            JSON::JWT.new(
               iss: identifier,
               sub: identifier,
               aud: absolute_uri_for(token_endpoint),
@@ -119,32 +180,16 @@ module Rack
           params.merge!(
             client_id: identifier
           )
-          http_client.ssl_config.client_key = private_key
-          http_client.ssl_config.client_cert = certificate
+          http_client.ssl.client_key = private_key
+          http_client.ssl.client_cert = certificate
         else
           params.merge!(
             client_id: identifier,
             client_secret: secret
           )
         end
-        handle_response do
-          http_client.post(
-            absolute_uri_for(token_endpoint),
-            Util.compact_hash(params),
-            headers
-          )
-        end
-      end
-
-      private
 
-      def absolute_uri_for(endpoint)
-        _endpoint_ = Util.parse_uri endpoint
-        _endpoint_.scheme ||= self.scheme || 'https'
-        _endpoint_.host ||= self.host
-        _endpoint_.port ||= self.port
-        raise 'No Host Info' unless _endpoint_.host
-        _endpoint_.to_s
+        [headers, params, http_client, options]
       end
 
       def handle_response
@@ -157,27 +202,30 @@ module Rack
         end
       end
 
+      def handle_revocation_response
+        response = yield
+        case response.status
+        when 200..201
+          :success
+        else
+          handle_error_response response
+        end
+      end
+
       def handle_success_response(response)
-        token_hash = JSON.parse(response.body).with_indifferent_access
-        case (@forced_token_type || token_hash[:token_type]).try(:downcase)
+        token_hash = response.body.with_indifferent_access
+        case (@forced_token_type || token_hash[:token_type])&.downcase
         when 'bearer'
           AccessToken::Bearer.new(token_hash)
-        when 'mac'
-          AccessToken::MAC.new(token_hash)
-        when nil
-          AccessToken::Legacy.new(token_hash)
         else
           raise 'Unknown Token Type'
         end
-      rescue JSON::ParserError
-        # NOTE: Facebook support (They don't use JSON as token response)
-        AccessToken::Legacy.new Rack::Utils.parse_nested_query(response.body).with_indifferent_access
       end
 
       def handle_error_response(response)
-        error = JSON.parse(response.body).with_indifferent_access
+        error = response.body.with_indifferent_access
         raise Error.new(response.status, error)
-      rescue JSON::ParserError
+      rescue Faraday::ParsingError, NoMethodError
         raise Error.new(response.status, error: 'Unknown', error_description: response.body)
       end
     end

data/lib/rack/oauth2/server/abstract/error.rb

@@ -27,7 +27,7 @@ module Rack
             response.status = status
             yield response if block_given?
             unless response.redirect?
-              response.header['Content-Type'] = 'application/json'
+              response.headers['Content-Type'] = 'application/json'
               response.write Util.compact_hash(protocol_params).to_json
             end
             response.finish
@@ -42,6 +42,7 @@ module Rack
 
         class Unauthorized < Error
           def initialize(error = :unauthorized, description = nil, options = {})
+            @skip_www_authenticate = options[:skip_www_authenticate]
             super 401, error, description, options
           end
         end

data/lib/rack/oauth2/server/extension/pkce.rb

@@ -27,7 +27,7 @@ module Rack
 
             def verify_code_verifier!(code_challenge, code_challenge_method = :S256)
               if code_verifier.present? || code_challenge.present?
-                case code_challenge_method.try(:to_sym)
+                case code_challenge_method&.to_sym
                 when :S256
                   code_challenge == Util.urlsafe_base64_encode(
                     OpenSSL::Digest::SHA256.digest(code_verifier.to_s)

data/lib/rack/oauth2/server/rails/response_ext.rb

@@ -21,9 +21,9 @@ module Rack
             end
           end
 
-          def header
+          def headers
             ensure_finish do
-              @header
+              @headers
             end
           end
 
@@ -39,7 +39,7 @@ module Rack
           end
 
           def ensure_finish
-            @status, @header, @body = finish unless finished?
+            @status, @headers, @body = finish unless finished?
             yield
           end
         end

data/lib/rack/oauth2/server/resource/error.rb

@@ -13,11 +13,11 @@ module Rack
           def finish
             super do |response|
               self.realm ||= DEFAULT_REALM
-              header = response.header['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
+              headers = response.headers['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
               if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
-                header << ", error=\"#{error}\""
-                header << ", error_description=\"#{description}\"" if description.present?
-                header << ", error_uri=\"#{uri}\""                 if uri.present?
+                headers << ", error=\"#{error}\""
+                headers << ", error_description=\"#{description}\"" if description.present?
+                headers << ", error_uri=\"#{uri}\""                 if uri.present?
               end
             end
           end

data/lib/rack/oauth2/server/resource.rb

@@ -52,4 +52,3 @@ end
 
 require 'rack/oauth2/server/resource/error'
 require 'rack/oauth2/server/resource/bearer'
-require 'rack/oauth2/server/resource/mac'

data/lib/rack/oauth2/server/token/error.rb

@@ -8,7 +8,9 @@ module Rack
         class Unauthorized < Abstract::Unauthorized
           def finish
             super do |response|
-              response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              unless @skip_www_authenticate
+                response.headers['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+              end
             end
           end
         end

data/lib/rack/oauth2/server/token.rb

@@ -44,7 +44,7 @@ module Rack
 
         class Request < Abstract::Request
           attr_required :grant_type
-          attr_optional :client_secret
+          attr_optional :client_secret, :client_assertion, :client_assertion_type
 
           def initialize(env)
             auth = Rack::Auth::Basic::Request.new(env)
@@ -56,6 +56,15 @@ module Rack
             else
               super
               @client_secret = params['client_secret']
+              @client_assertion = params['client_assertion']
+              @client_assertion_type = params['client_assertion_type']
+              if client_assertion.present? && client_assertion_type == URN::ClientAssertionType::JWT_BEARER
+                require 'json/jwt'
+                @client_id = JSON::JWT.decode(
+                  client_assertion,
+                  :skip_verification
+                )[:sub] rescue nil
+              end
             end
             @grant_type = params['grant_type'].to_s
           end
@@ -71,9 +80,9 @@ module Rack
           def finish
             attr_missing!
             write Util.compact_hash(protocol_params).to_json
-            header['Content-Type'] = 'application/json'
-            header['Cache-Control'] = 'no-store'
-            header['Pragma'] = 'no-cache'
+            headers['Content-Type'] = 'application/json'
+            headers['Cache-Control'] = 'no-store'
+            headers['Pragma'] = 'no-cache'
             super
           end
         end

data/lib/rack/oauth2.rb

@@ -1,5 +1,6 @@
 require 'rack'
-require 'httpclient'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'logger'
 require 'active_support'
 require 'active_support/core_ext'
@@ -40,13 +41,15 @@ module Rack
     self.debugging = false
 
     def self.http_client(agent_name = "Rack::OAuth2 (#{VERSION})", &local_http_config)
-      _http_client_ = HTTPClient.new(
-        agent_name: agent_name
-      )
-      http_config.try(:call, _http_client_)
-      local_http_config.try(:call, _http_client_) unless local_http_config.nil?
-      _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
-      _http_client_
+      Faraday.new(headers: {user_agent: agent_name}) do |faraday|
+        faraday.request :url_encoded
+        faraday.request :json
+        faraday.response :json
+        faraday.adapter Faraday.default_adapter
+        local_http_config&.call(faraday)
+        http_config&.call(faraday)
+        faraday.response :logger, Rack::OAuth2.logger, bodies: true if debugging?
+      end
     end
 
     def self.http_config(&block)
@@ -56,7 +59,6 @@ module Rack
     def self.reset_http_config!
       @@http_config = nil
     end
-
   end
 end
 
@@ -65,4 +67,3 @@ require 'rack/oauth2/util'
 require 'rack/oauth2/server'
 require 'rack/oauth2/client'
 require 'rack/oauth2/access_token'
-require 'rack/oauth2/debugger'

data/rack-oauth2.gemspec

@@ -2,19 +2,20 @@ Gem::Specification.new do |s|
   s.name = 'rack-oauth2'
   s.version = File.read('VERSION')
   s.authors = ['nov matake']
-  s.description = %q{OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are supported.}
-  s.summary = %q{OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported}
+  s.description = %q{OAuth 2.0 Server & Client Library. Both Bearer token type are supported.}
+  s.summary = %q{OAuth 2.0 Server & Client Library - Both Bearer token type are supported}
   s.email = 'nov@matake.jp'
   s.extra_rdoc_files = ['LICENSE', 'README.rdoc']
   s.rdoc_options = ['--charset=UTF-8']
-  s.homepage = 'http://github.com/nov/rack-oauth2'
+  s.homepage = 'https://github.com/nov/rack-oauth2'
   s.license = 'MIT'
   s.require_paths = ['lib']
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.files = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.add_runtime_dependency 'rack', '>= 2.1.0'
-  s.add_runtime_dependency 'httpclient'
+  s.add_runtime_dependency 'faraday', '~> 2.0'
+  s.add_runtime_dependency 'faraday-follow_redirects'
   s.add_runtime_dependency 'activesupport'
   s.add_runtime_dependency 'attr_required'
   s.add_runtime_dependency 'json-jwt', '>= 1.11.0'
@@ -23,4 +24,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rspec-its'
   s.add_development_dependency 'webmock'
+  s.add_development_dependency 'rexml'
 end

data/spec/helpers/webmock_helper.rb

@@ -13,7 +13,7 @@ module WebMockHelper
 
   def request_for(method, options = {})
     request = {}
-    params = options.try(:[], :params) || {}
+    params = options&.[](:params) || {}
     case method
     when :post, :put, :delete
       request[:body] = params
@@ -28,7 +28,13 @@ module WebMockHelper
 
   def response_for(response_file, options = {})
     response = {}
-    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', response_file))
+    format = options[:format] || :json
+    if format == :json
+      response[:headers] = {
+        'Content-Type': 'application/json'
+      }
+    end
+    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{format}"))
     if options[:status]
       response[:status] = options[:status]
     end

data/spec/rack/oauth2/access_token/authenticator_spec.rb

@@ -2,25 +2,16 @@ require 'spec_helper'
 
 describe Rack::OAuth2::AccessToken::Authenticator do
   let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
-  let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
+  let(:request) { Faraday::Request.new(:get, URI.parse(resource_endpoint)) }
   let(:authenticator) { Rack::OAuth2::AccessToken::Authenticator.new(token) }
 
   shared_examples_for :authenticator do
     it 'should let the token authenticate the request' do
       expect(token).to receive(:authenticate).with(request)
-      authenticator.filter_request(request)
+      authenticator.authenticate(request)
     end
   end
 
-  context 'when Legacy token is given' do
-    let(:token) do
-      Rack::OAuth2::AccessToken::Legacy.new(
-        access_token: 'access_token'
-      )
-    end
-    it_behaves_like :authenticator
-  end
-
   context 'when Bearer token is given' do
     let(:token) do
       Rack::OAuth2::AccessToken::Bearer.new(
@@ -29,15 +20,4 @@ describe Rack::OAuth2::AccessToken::Authenticator do
     end
     it_behaves_like :authenticator
   end
-
-  context 'when MAC token is given' do
-    let(:token) do
-      Rack::OAuth2::AccessToken::MAC.new(
-        access_token: 'access_token',
-        mac_key: 'secret',
-        mac_algorithm: 'hmac-sha-256'
-      )
-    end
-    it_behaves_like :authenticator
-  end
 end