rack-oauth2 1.17.0 → 2.2.1

data/spec/rack/oauth2/server/token/error_spec.rb

@@ -7,9 +7,9 @@ describe Rack::OAuth2::Server::Token::BadRequest do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 400
-      header['Content-Type'].should == 'application/json'
+      headers['Content-Type'].should == 'application/json'
       response.should == ['{"error":"invalid_request"}']
     end
   end
@@ -22,10 +22,10 @@ describe Rack::OAuth2::Server::Token::Unauthorized do
 
   describe '#finish' do
     it 'should respond in JSON' do
-      status, header, response = error.finish
+      status, headers, response = error.finish
       status.should == 401
-      header['Content-Type'].should == 'application/json'
-      header['WWW-Authenticate'].should == 'Basic realm="OAuth2 Token Endpoint"'
+      headers['Content-Type'].should == 'application/json'
+      headers['WWW-Authenticate'].should == 'Basic realm="OAuth2 Token Endpoint"'
       response.should == ['{"error":"invalid_request"}']
     end
   end

data/spec/rack/oauth2/server/token_spec.rb

@@ -28,7 +28,7 @@ describe Rack::OAuth2::Server::Token do
         )
       end
       it 'should fail with unsupported_grant_type' do
-        status, header, response = app.call(env)
+        status, headers, response = app.call(env)
         status.should == 400
         response.first.should include '"error":"invalid_request"'
       end
@@ -43,7 +43,7 @@ describe Rack::OAuth2::Server::Token do
         )
       end
       it 'should ignore duplicates' do
-        status, header, response = app.call(env)
+        status, headers, response = app.call(env)
         status.should == 200
       end
     end
@@ -71,6 +71,60 @@ describe Rack::OAuth2::Server::Token do
     end
   end
 
+  context 'when client_id is given via JWT client assertion' do
+    before do
+      require 'json/jwt'
+      params[:client_assertion] = JSON::JWT.new(
+        sub: params[:client_id]
+        # NOTE: actual client_assertion should have more claims.
+      ).sign('client_secret').to_s
+      params[:client_assertion_type] = Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER
+      params.delete(:client_id)
+    end
+
+    context 'when client_assertion is invalid JWT' do
+      before do
+        params[:client_assertion] = 'invalid-jwt'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is missing' do
+      before do
+        params.delete(:client_assertion_type)
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion_type is unknown' do
+      before do
+        params[:client_assertion_type] = 'unknown'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'when client_assertion issuer is different from client_id' do
+      before do
+        params[:client_id] = 'another_client_id'
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+
+    context 'otherwise' do
+      its(:status)       { should == 200 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"access_token":"access_token"' }
+    end
+  end
+
   Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
     status = if error == :invalid_client
       401
@@ -87,7 +141,22 @@ describe Rack::OAuth2::Server::Token do
       its(:content_type) { should == 'application/json' }
       its(:body)         { should include "\"error\":\"#{error}\"" }
       its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
+      if error == :invalid_client
+        its(:headers)    { should include 'WWW-Authenticate' }
+      end
+    end
+  end
+
+  context 'when skip_www_authenticate option is specified on invalid_client' do
+    let(:app) do
+      Rack::OAuth2::Server::Token.new do |request, response|
+        request.invalid_client!(
+          Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION[:invalid_client],
+          skip_www_authenticate: true
+        )
+      end
     end
+    its(:headers) { should_not include 'WWW-Authenticate' }
   end
 
   context 'when responding' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 2.2.1
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-26 00:00:00.000000000 Z
+date: 2023-12-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -25,7 +25,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.1.0
 - !ruby/object:Gem::Dependency
-  name: httpclient
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -150,8 +164,21 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are
-  supported.
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OAuth 2.0 Server & Client Library. Both Bearer token type are supported.
 email: nov@matake.jp
 executables: []
 extensions: []
@@ -160,9 +187,11 @@ extra_rdoc_files:
 - README.rdoc
 files:
 - ".document"
+- ".github/FUNDING.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.rdoc
@@ -172,11 +201,6 @@ files:
 - lib/rack/oauth2/access_token.rb
 - lib/rack/oauth2/access_token/authenticator.rb
 - lib/rack/oauth2/access_token/bearer.rb
-- lib/rack/oauth2/access_token/legacy.rb
-- lib/rack/oauth2/access_token/mac.rb
-- lib/rack/oauth2/access_token/mac/sha256_hex_verifier.rb
-- lib/rack/oauth2/access_token/mac/signature.rb
-- lib/rack/oauth2/access_token/mac/verifier.rb
 - lib/rack/oauth2/access_token/mtls.rb
 - lib/rack/oauth2/client.rb
 - lib/rack/oauth2/client/error.rb
@@ -188,8 +212,6 @@ files:
 - lib/rack/oauth2/client/grant/refresh_token.rb
 - lib/rack/oauth2/client/grant/saml2_bearer.rb
 - lib/rack/oauth2/client/grant/token_exchange.rb
-- lib/rack/oauth2/debugger.rb
-- lib/rack/oauth2/debugger/request_filter.rb
 - lib/rack/oauth2/server.rb
 - lib/rack/oauth2/server/abstract.rb
 - lib/rack/oauth2/server/abstract/error.rb
@@ -212,8 +234,6 @@ files:
 - lib/rack/oauth2/server/resource/bearer.rb
 - lib/rack/oauth2/server/resource/bearer/error.rb
 - lib/rack/oauth2/server/resource/error.rb
-- lib/rack/oauth2/server/resource/mac.rb
-- lib/rack/oauth2/server/resource/mac/error.rb
 - lib/rack/oauth2/server/token.rb
 - lib/rack/oauth2/server/token/authorization_code.rb
 - lib/rack/oauth2/server/token/client_credentials.rb
@@ -229,23 +249,14 @@ files:
 - rack-oauth2.gemspec
 - spec/helpers/time.rb
 - spec/helpers/webmock_helper.rb
-- spec/mock_response/blank
+- spec/mock_response/blank.txt
 - spec/mock_response/errors/invalid_request.json
 - spec/mock_response/resources/fake.txt
 - spec/mock_response/tokens/_Bearer.json
 - spec/mock_response/tokens/bearer.json
-- spec/mock_response/tokens/legacy.json
-- spec/mock_response/tokens/legacy.txt
-- spec/mock_response/tokens/legacy_without_expires_in.txt
-- spec/mock_response/tokens/mac.json
 - spec/mock_response/tokens/unknown.json
 - spec/rack/oauth2/access_token/authenticator_spec.rb
 - spec/rack/oauth2/access_token/bearer_spec.rb
-- spec/rack/oauth2/access_token/legacy_spec.rb
-- spec/rack/oauth2/access_token/mac/sha256_hex_verifier_spec.rb
-- spec/rack/oauth2/access_token/mac/signature_spec.rb
-- spec/rack/oauth2/access_token/mac/verifier_spec.rb
-- spec/rack/oauth2/access_token/mac_spec.rb
 - spec/rack/oauth2/access_token_spec.rb
 - spec/rack/oauth2/client/error_spec.rb
 - spec/rack/oauth2/client/grant/authorization_code_spec.rb
@@ -255,7 +266,6 @@ files:
 - spec/rack/oauth2/client/grant/refresh_token_spec.rb
 - spec/rack/oauth2/client/grant/saml2_bearer_spec.rb
 - spec/rack/oauth2/client_spec.rb
-- spec/rack/oauth2/debugger/request_filter_spec.rb
 - spec/rack/oauth2/oauth2_spec.rb
 - spec/rack/oauth2/server/abstract/error_spec.rb
 - spec/rack/oauth2/server/authorize/code_spec.rb
@@ -268,8 +278,6 @@ files:
 - spec/rack/oauth2/server/resource/bearer/error_spec.rb
 - spec/rack/oauth2/server/resource/bearer_spec.rb
 - spec/rack/oauth2/server/resource/error_spec.rb
-- spec/rack/oauth2/server/resource/mac/error_spec.rb
-- spec/rack/oauth2/server/resource/mac_spec.rb
 - spec/rack/oauth2/server/resource_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
 - spec/rack/oauth2/server/token/client_credentials_spec.rb
@@ -281,11 +289,11 @@ files:
 - spec/rack/oauth2/server/token_spec.rb
 - spec/rack/oauth2/util_spec.rb
 - spec/spec_helper.rb
-homepage: http://github.com/nov/rack-oauth2
+homepage: https://github.com/nov/rack-oauth2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -301,30 +309,21 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
-summary: OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported
+summary: OAuth 2.0 Server & Client Library - Both Bearer token type are supported
 test_files:
 - spec/helpers/time.rb
 - spec/helpers/webmock_helper.rb
-- spec/mock_response/blank
+- spec/mock_response/blank.txt
 - spec/mock_response/errors/invalid_request.json
 - spec/mock_response/resources/fake.txt
 - spec/mock_response/tokens/_Bearer.json
 - spec/mock_response/tokens/bearer.json
-- spec/mock_response/tokens/legacy.json
-- spec/mock_response/tokens/legacy.txt
-- spec/mock_response/tokens/legacy_without_expires_in.txt
-- spec/mock_response/tokens/mac.json
 - spec/mock_response/tokens/unknown.json
 - spec/rack/oauth2/access_token/authenticator_spec.rb
 - spec/rack/oauth2/access_token/bearer_spec.rb
-- spec/rack/oauth2/access_token/legacy_spec.rb
-- spec/rack/oauth2/access_token/mac/sha256_hex_verifier_spec.rb
-- spec/rack/oauth2/access_token/mac/signature_spec.rb
-- spec/rack/oauth2/access_token/mac/verifier_spec.rb
-- spec/rack/oauth2/access_token/mac_spec.rb
 - spec/rack/oauth2/access_token_spec.rb
 - spec/rack/oauth2/client/error_spec.rb
 - spec/rack/oauth2/client/grant/authorization_code_spec.rb
@@ -334,7 +333,6 @@ test_files:
 - spec/rack/oauth2/client/grant/refresh_token_spec.rb
 - spec/rack/oauth2/client/grant/saml2_bearer_spec.rb
 - spec/rack/oauth2/client_spec.rb
-- spec/rack/oauth2/debugger/request_filter_spec.rb
 - spec/rack/oauth2/oauth2_spec.rb
 - spec/rack/oauth2/server/abstract/error_spec.rb
 - spec/rack/oauth2/server/authorize/code_spec.rb
@@ -347,8 +345,6 @@ test_files:
 - spec/rack/oauth2/server/resource/bearer/error_spec.rb
 - spec/rack/oauth2/server/resource/bearer_spec.rb
 - spec/rack/oauth2/server/resource/error_spec.rb
-- spec/rack/oauth2/server/resource/mac/error_spec.rb
-- spec/rack/oauth2/server/resource/mac_spec.rb
 - spec/rack/oauth2/server/resource_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
 - spec/rack/oauth2/server/token/client_credentials_spec.rb

data/.travis.yml

@@ -1,8 +0,0 @@
-before_install:
-  - gem install bundler
-
-rvm:
-  - 2.5.8
-  - 2.6.6
-  - 2.7.2
-  - 3.0.0

data/lib/rack/oauth2/access_token/legacy.rb

@@ -1,19 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class Legacy < AccessToken
-        def initialize(attributes = {})
-          super
-          self.expires_in = (
-            self.expires_in ||
-            attributes[:expires]
-          ).try(:to_i)
-        end
-
-        def authenticate(request)
-          request.header["Authorization"] = "OAuth #{access_token}"
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac/sha256_hex_verifier.rb

@@ -1,17 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC
-        class Sha256HexVerifier < Verifier
-          attr_optional :raw_body
-
-          def calculate
-            return nil unless raw_body.present?
-            
-            OpenSSL::Digest::SHA256.new.digest(raw_body).unpack('H*').first
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac/signature.rb

@@ -1,34 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC
-        class Signature < Verifier
-          attr_required :secret, :ts, :nonce, :method, :request_uri, :host, :port
-          attr_optional :ext, :query
-
-          def calculate
-            Rack::OAuth2::Util.base64_encode OpenSSL::HMAC.digest(
-              hash_generator,
-              secret,
-              normalized_request_string
-            )
-          end
-
-          def normalized_request_string
-            [
-              ts.to_i,
-              nonce,
-              method.to_s.upcase,
-              request_uri,
-              host,
-              port,
-              ext || '',
-              nil
-            ].join("\n")
-          end
-
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac/verifier.rb

@@ -1,44 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC
-        class Verifier
-          include AttrRequired, AttrOptional
-          attr_required :algorithm
-
-          class VerificationFailed < StandardError; end
-
-          def initialize(attributes = {})
-            (required_attributes + optional_attributes).each do |key|
-              self.send :"#{key}=", attributes[key]
-            end
-            attr_missing!
-          rescue AttrRequired::AttrMissing => e
-            raise VerificationFailed.new("#{self.class.name.demodulize} Invalid: #{e.message}")
-          end
-
-          def verify!(expected)
-            if expected == self.calculate
-              :verified
-            else
-              raise VerificationFailed.new("#{self.class.name.demodulize} Invalid")
-            end
-          end
-
-          private
-
-          def hash_generator
-            case algorithm.to_s
-            when 'hmac-sha-1'
-              OpenSSL::Digest::SHA1.new
-            when 'hmac-sha-256'
-              OpenSSL::Digest::SHA256.new
-            else
-              raise 'Unsupported Algorithm'
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac.rb

@@ -1,103 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC < AccessToken
-        attr_required :mac_key, :mac_algorithm
-        attr_optional :ts, :ext_verifier, :ts_expires_in
-        attr_reader :nonce, :signature, :ext
-
-        def initialize(attributes = {})
-          super(attributes)
-          @issued_at = Time.now.utc
-          @ts_expires_in ||= 5.minutes
-        end
-
-        def token_response
-          super.merge(
-            mac_key: mac_key,
-            mac_algorithm: mac_algorithm
-          )
-        end
-
-        def verify!(request)
-          if self.ext_verifier.present?
-            body = request.body.read
-            request.body.rewind # for future use
-
-            self.ext_verifier.new(
-              raw_body: body,
-              algorithm: self.mac_algorithm
-            ).verify!(request.ext)
-          end
-
-          now = Time.now.utc.to_i
-          now = @ts.to_i if @ts.present?
-
-          raise Rack::OAuth2::AccessToken::MAC::Verifier::VerificationFailed.new("Request ts expired") if now - request.ts.to_i > @ts_expires_in.to_i
-
-          Signature.new(
-            secret:      self.mac_key,
-            algorithm:   self.mac_algorithm,
-            nonce:       request.nonce,
-            method:      request.request_method,
-            request_uri: request.fullpath,
-            host:        request.host,
-            port:        request.port,
-            ts:          request.ts,
-            ext:         request.ext
-          ).verify!(request.signature)
-        rescue Verifier::VerificationFailed => e
-          request.invalid_token! e.message
-        end
-
-        def authenticate(request)
-          @nonce = generate_nonce
-          @ts_generated = @ts || Time.now.utc
-
-          if self.ext_verifier.present?
-            @ext = self.ext_verifier.new(
-              raw_body: request.body,
-              algorithm: self.mac_algorithm
-            ).calculate
-          end
-
-          @signature = Signature.new(
-            secret:      self.mac_key,
-            algorithm:   self.mac_algorithm,
-            nonce:       self.nonce,
-            method:      request.header.request_method,
-            request_uri: request.header.create_query_uri,
-            host:        request.header.request_uri.host,
-            port:        request.header.request_uri.port,
-            ts:          @ts_generated,
-            ext:         @ext
-          ).calculate
-
-          request.header['Authorization'] = authorization_header
-        end
-
-        private
-
-        def authorization_header
-          header = "MAC id=\"#{access_token}\""
-          header << ", nonce=\"#{nonce}\""
-          header << ", ts=\"#{@ts_generated.to_i}\""
-          header << ", mac=\"#{signature}\""
-          header << ", ext=\"#{ext}\"" if @ext.present?
-          header
-        end
-
-        def generate_nonce
-          [
-            (Time.now.utc - @issued_at).to_i,
-            SecureRandom.hex
-          ].join(':')
-        end
-      end
-    end
-  end
-end
-
-require 'rack/oauth2/access_token/mac/verifier'
-require 'rack/oauth2/access_token/mac/sha256_hex_verifier'
-require 'rack/oauth2/access_token/mac/signature'

data/lib/rack/oauth2/debugger/request_filter.rb

@@ -1,30 +0,0 @@
-module Rack
-  module OAuth2
-    module Debugger
-      class RequestFilter
-        # Callback called in HTTPClient (before sending a request)
-        # request:: HTTP::Message
-        def filter_request(request)
-          started = "======= [Rack::OAuth2] HTTP REQUEST STARTED ======="
-          log started, request.dump
-        end
-
-        # Callback called in HTTPClient (after received a response)
-        # request::  HTTP::Message
-        # response:: HTTP::Message
-        def filter_response(request, response)
-          finished = "======= [Rack::OAuth2] HTTP REQUEST FINISHED ======="
-          log '-' * 50, response.dump, finished
-        end
-
-        private
-
-        def log(*outputs)
-          outputs.each do |output|
-            OAuth2.logger.info output
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/debugger.rb

@@ -1,3 +0,0 @@
-Dir[File.dirname(__FILE__) + '/debugger/*.rb'].each do |file|
-  require file
-end

data/lib/rack/oauth2/server/resource/mac/error.rb

@@ -1,24 +0,0 @@
-module Rack
-  module OAuth2
-    module Server
-      class Resource
-        class MAC
-          class Unauthorized < Resource::Unauthorized
-            def scheme
-              :MAC
-            end
-          end
-
-          module ErrorMethods
-            include Resource::ErrorMethods
-            def unauthorized!(error = nil, description = nil, options = {})
-              raise Unauthorized.new(error, description, options)
-            end
-          end
-
-          Request.send :include, ErrorMethods
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/server/resource/mac.rb

@@ -1,36 +0,0 @@
-module Rack
-  module OAuth2
-    module Server
-      class Resource
-        class MAC < Resource
-          def _call(env)
-            self.request = Request.new(env)
-            super
-          end
-
-          private
-
-          class Request < Resource::Request
-            attr_reader :nonce, :ts, :ext, :signature
-
-            def setup!
-              auth_params = Rack::Auth::Digest::Params.parse(@auth_header.params).with_indifferent_access
-              @access_token = auth_params[:id]
-              @nonce = auth_params[:nonce]
-              @ts = auth_params[:ts]
-              @ext = auth_params[:ext]
-              @signature = auth_params[:mac]
-              self
-            end
-
-            def oauth2?
-              @auth_header.provided? && @auth_header.scheme.to_s == 'mac'
-            end
-          end
-        end
-      end
-    end
-  end
-end
-
-require 'rack/oauth2/server/resource/mac/error'

data/spec/mock_response/tokens/legacy.json

@@ -1,5 +0,0 @@
-{
-  "access_token":"access_token",
-  "refresh_token":"refresh_token",
-  "expires_in":3600
-}

data/spec/mock_response/tokens/legacy.txt

@@ -1 +0,0 @@
-access_token=access_token&expires=3600

data/spec/mock_response/tokens/legacy_without_expires_in.txt

@@ -1 +0,0 @@
-access_token=access_token