redmine_sign_in 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5cde64e138fd24f3788baa8ff515bcc3708eac43ca8afb8133e5519ed8ad26e2
+  data.tar.gz: ba073f1a97a90f37c154489ccf272346ac184f047cebaaeb6b89fef3aadf8607
+SHA512:
+  metadata.gz: 79f1718a0d06cdb90f91b17348a660397e53808dda38849f076a6bc33a7c8951dbf435a71255a7f66c584bb10b0da51e1ed2cd0bcfe163c9b789118aa14af1a7
+  data.tar.gz: fe637b8b3b240723d7ba0cd011d1688feb293387172df9c69465fe6970deed45fb92f2a5b5f36a75a3645fa95dde1ac65028e02adf2944a52fbc3361d043436e

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Renuo AG
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,158 @@
+# Redmine Sign-In for Rails
+
+Add Redmine sign-in to your Rails app. Lets users sign up for and sign in to your service with their Redmine accounts via OAuth 2.0.
+
+Requires Redmine 7+ and Rails 7.1+.
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem 'redmine_sign_in'
+```
+
+## Configuration
+
+### 1. Register an OAuth application in Redmine
+
+In Redmine, go to your account settings → **Applications** → **Register your application**. Set:
+
+- **Name** — anything
+- **Redirect URI** — `https://your-app.example.com/redmine_sign_in/callback`
+
+For local development, register a separate application with `http://localhost:3000/redmine_sign_in/callback`.
+
+Save and copy the resulting **client ID** and **client secret**.
+
+### 2. Configure the gem
+
+Run `bin/rails credentials:edit` and add:
+
+```yaml
+redmine_sign_in:
+  host: https://redmine.example.com
+  client_id: [Your client ID]
+  client_secret: [Your client secret]
+```
+
+Or in an initializer:
+
+```ruby
+# config/initializers/redmine_sign_in.rb
+Rails.application.configure do
+  config.redmine_sign_in.host          = ENV['REDMINE_SIGN_IN_HOST']
+  config.redmine_sign_in.client_id     = ENV['REDMINE_SIGN_IN_CLIENT_ID']
+  config.redmine_sign_in.client_secret = ENV['REDMINE_SIGN_IN_CLIENT_SECRET']
+end
+```
+
+`host` is the base URL of your Redmine instance (no trailing slash). The gem derives the authorize, token, and userinfo URLs from it:
+
+- `#{host}/oauth/authorize`
+- `#{host}/oauth/token`
+- `#{host}/users/current.json`
+
+You can override any of them with `config.redmine_sign_in.authorize_url`, `config.redmine_sign_in.token_url`, or `config.redmine_sign_in.userinfo_url`.
+
+The callback mount point can be changed via `config.redmine_sign_in.root` (default: `redmine_sign_in`).
+
+## Usage
+
+The gem provides a `redmine_sign_in_button` helper:
+
+```erb
+<%= redmine_sign_in_button 'Sign in with Redmine', proceed_to: create_login_url %>
+```
+
+When using Hotwire/Turbo, disable Turbo on the button:
+
+```erb
+<%= redmine_sign_in_button 'Sign in with Redmine',
+      proceed_to: create_login_url,
+      data: { turbo: 'false' } %>
+```
+
+After authenticating, the gem redirects to `proceed_to` with either:
+
+- `flash[:redmine_sign_in][:access_token]` — the Redmine OAuth access token, or
+- `flash[:redmine_sign_in][:error]` — an [OAuth error code](https://tools.ietf.org/html/rfc6749#section-4.1.2.1).
+
+A typical login controller:
+
+```ruby
+class LoginsController < ApplicationController
+  def new
+  end
+
+  def create
+    if user = authenticate_with_redmine
+      cookies.signed[:user_id] = user.id
+      redirect_to user
+    else
+      redirect_to new_session_url, alert: 'authentication_failed'
+    end
+  end
+
+  private
+    def authenticate_with_redmine
+      if access_token = flash[:redmine_sign_in][:access_token]
+        identity = RedmineSignIn::Identity.new(access_token)
+        User.find_by(redmine_id: identity.user_id)
+      elsif error = flash[:redmine_sign_in][:error]
+        logger.error "Redmine authentication error: #{error}"
+        nil
+      end
+    end
+end
+```
+
+The `proceed_to` URL must be on the same origin as your app — this is enforced to prevent [open redirects](https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards_Cheat_Sheet).
+
+### `RedmineSignIn::Identity`
+
+Wraps an access token and lazily fetches `/users/current.json` on first attribute read. Use `user_id` (the stable numeric Redmine user ID) to match against your own user records.
+
+- `user_id` — Redmine's numeric user id. Stable; prefer over email.
+- `login` — Redmine login handle.
+- `email_address` — the user's `mail` field.
+- `name` — full name (`firstname lastname`).
+- `given_name` — `firstname`.
+- `family_name` — `lastname`.
+
+Raises `RedmineSignIn::Identity::FetchError` if Redmine returns a non-success response or invalid JSON.
+
+## Development
+
+```sh
+bin/setup    # bundle install
+bin/test     # run the test suite
+bin/lint     # run rubocop
+bin/dummy    # boot the test/dummy app at http://localhost:3000
+```
+
+The dummy app under `test/dummy` includes a welcome page (`/`) that renders
+the `redmine_sign_in_button` helper, plus a `/login` endpoint that prints the
+identity returned after the round-trip. Configure a real Redmine via env vars
+before booting it:
+
+```sh
+REDMINE_SIGN_IN_HOST=https://redmine.example.com \
+REDMINE_SIGN_IN_CLIENT_ID=... \
+REDMINE_SIGN_IN_CLIENT_SECRET=... \
+bin/dummy
+```
+
+## Credits
+
+This gem is heavily inspired by
+[basecamp/google_sign_in](https://github.com/basecamp/google_sign_in). The
+engine layout, controller flow, flash-based handoff, and `RedirectProtector`
+all follow that gem's design. The main departure is that Redmine's OAuth2
+provider is not OIDC, so the flash carries an access token (not an ID token)
+and `RedmineSignIn::Identity` fetches `/users/current.json` instead of
+verifying a JWT locally.
+
+## License
+
+MIT.

data/app/controllers/redmine_sign_in/authorizations_controller.rb

@@ -0,0 +1,19 @@
+require "securerandom"
+
+class RedmineSignIn::AuthorizationsController < RedmineSignIn::BaseController
+  skip_forgery_protection only: :create
+
+  def create
+    redirect_to login_url(state: state),
+      allow_other_host: true, flash: { proceed_to: params.require(:proceed_to), state: state }
+  end
+
+  private
+    def login_url(**params)
+      client.auth_code.authorize_url(**params)
+    end
+
+    def state
+      @state ||= SecureRandom.base64(24)
+    end
+end

data/app/controllers/redmine_sign_in/base_controller.rb

@@ -0,0 +1,8 @@
+class RedmineSignIn::BaseController < ActionController::Base
+  protect_from_forgery with: :exception
+
+  private
+    def client
+      @client ||= RedmineSignIn.oauth2_client(redirect_uri: callback_url)
+    end
+end

data/app/controllers/redmine_sign_in/callbacks_controller.rb

@@ -0,0 +1,43 @@
+require "redmine_sign_in/redirect_protector"
+
+class RedmineSignIn::CallbacksController < RedmineSignIn::BaseController
+  def show
+    redirect_to proceed_to_url, flash: { redmine_sign_in: redmine_sign_in_response }
+    clear_redeemed_flash_keys if valid_request?
+  rescue RedmineSignIn::RedirectProtector::Violation => error
+    logger.error error.message
+    head :bad_request
+  end
+
+  private
+    def proceed_to_url
+      flash[:proceed_to].tap { |url| RedmineSignIn::RedirectProtector.ensure_same_origin(url, request.url) }
+    end
+
+    def redmine_sign_in_response
+      if valid_request? && params[:code].present?
+        { access_token: access_token }
+      else
+        { error: error_message_for(params[:error]) }
+      end
+    rescue OAuth2::Error => error
+      { error: error_message_for(error.code) }
+    end
+
+    def valid_request?
+      flash[:state].present? && params[:state] == flash[:state]
+    end
+
+    def access_token
+      client.auth_code.get_token(params[:code]).token
+    end
+
+    def error_message_for(error_code)
+      error_code.presence_in(RedmineSignIn::OAUTH2_ERRORS) || "invalid_request"
+    end
+
+    def clear_redeemed_flash_keys
+      flash.delete(:proceed_to)
+      flash.delete(:state)
+    end
+end

data/app/helpers/redmine_sign_in/button_helper.rb

@@ -0,0 +1,7 @@
+module RedmineSignIn::ButtonHelper
+  def redmine_sign_in_button(text = nil, proceed_to:, **options, &block)
+    form_with url: redmine_sign_in.authorization_path, local: true do
+      hidden_field_tag(:proceed_to, proceed_to, id: nil) + button_tag(text, name: nil, **options, &block)
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,4 @@
+RedmineSignIn::Engine.routes.draw do
+  resource :authorization, only: :create
+  resource :callback, only: :show
+end

data/lib/redmine_sign_in/engine.rb

@@ -0,0 +1,47 @@
+require "rails/engine"
+require "redmine_sign_in" unless defined?(RedmineSignIn)
+
+module RedmineSignIn
+  class Engine < ::Rails::Engine
+    isolate_namespace RedmineSignIn
+
+    config.redmine_sign_in = ActiveSupport::OrderedOptions.new
+
+    initializer "redmine_sign_in.config" do |app|
+      config.after_initialize do
+        credentials = app.credentials.redmine_sign_in || {}
+
+        RedmineSignIn.client_id     = config.redmine_sign_in.client_id     || credentials[:client_id]
+        RedmineSignIn.client_secret = config.redmine_sign_in.client_secret || credentials[:client_secret]
+        RedmineSignIn.host          = config.redmine_sign_in.host          || credentials[:host]
+
+        if RedmineSignIn.host.present?
+          host = RedmineSignIn.host.chomp("/")
+          RedmineSignIn.authorize_url = config.redmine_sign_in.authorize_url || "#{host}/oauth/authorize"
+          RedmineSignIn.token_url     = config.redmine_sign_in.token_url     || "#{host}/oauth/token"
+          RedmineSignIn.userinfo_url  = config.redmine_sign_in.userinfo_url  || "#{host}/users/current.json"
+        else
+          RedmineSignIn.authorize_url = config.redmine_sign_in.authorize_url
+          RedmineSignIn.token_url     = config.redmine_sign_in.token_url
+          RedmineSignIn.userinfo_url  = config.redmine_sign_in.userinfo_url
+        end
+
+        RedmineSignIn.oauth2_client_options = config.redmine_sign_in.oauth2_client_options
+      end
+    end
+
+    config.to_prepare do
+      ActionController::Base.helper RedmineSignIn::Engine.helpers
+    end
+
+    initializer "redmine_sign_in.mount" do |app|
+      app.routes.prepend do
+        mount RedmineSignIn::Engine, at: app.config.redmine_sign_in.root || "redmine_sign_in"
+      end
+    end
+
+    initializer "redmine_sign_in.parameter_filters" do |app|
+      app.config.filter_parameters << :code
+    end
+  end
+end

data/lib/redmine_sign_in/identity.rb

@@ -0,0 +1,71 @@
+require "net/http"
+require "json"
+require "uri"
+
+module RedmineSignIn
+  class Identity
+    class FetchError < StandardError; end
+
+    def initialize(access_token, userinfo_url: RedmineSignIn.userinfo_url)
+      @access_token = access_token
+      @userinfo_url = userinfo_url
+    end
+
+    def user_id
+      payload["id"]
+    end
+
+    def login
+      payload["login"]
+    end
+
+    # Nil when the user has "Hide my email address" enabled in their Redmine
+    # account preferences and the OAuth token isn't admin — Redmine omits the
+    # `mail` field from /users/current.json in that case. Fall back to #login
+    # if your Redmine uses email-as-login.
+    def email_address
+      payload["mail"]
+    end
+
+    def name
+      [ payload["firstname"], payload["lastname"] ].compact.join(" ")
+    end
+
+    def given_name
+      payload["firstname"]
+    end
+
+    def family_name
+      payload["lastname"]
+    end
+
+    private
+      def payload
+        @payload ||= fetch_payload
+      end
+
+      def fetch_payload
+        if @userinfo_url.blank?
+          raise ArgumentError, "RedmineSignIn.userinfo_url (or RedmineSignIn.host) must be set to fetch identity"
+        end
+
+        uri = URI(@userinfo_url)
+        request = Net::HTTP::Get.new(uri)
+        request["Authorization"] = "Bearer #{@access_token}"
+        request["Accept"] = "application/json"
+
+        response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
+          http.request(request)
+        end
+
+        unless response.is_a?(Net::HTTPSuccess)
+          raise FetchError, "Failed to fetch Redmine user from #{@userinfo_url}: #{response.code} #{response.message}"
+        end
+
+        body = JSON.parse(response.body)
+        body["user"] || body
+      rescue JSON::ParserError => error
+        raise FetchError, "Invalid JSON response from #{@userinfo_url}: #{error.message}"
+      end
+  end
+end

data/lib/redmine_sign_in/redirect_protector.rb

@@ -0,0 +1,35 @@
+require "uri"
+
+module RedmineSignIn
+  module RedirectProtector
+    extend self
+
+    class Violation < StandardError; end
+
+    QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
+
+    def ensure_same_origin(target, source)
+      unless uri_same_origin?(target, source) || absolute_path?(target)
+        raise Violation, "Redirect target #{target.inspect} does not have same origin as request #{source.inspect}"
+      end
+    end
+
+    private
+      def uri_same_origin?(target, source)
+        target =~ QUALIFIED_URL_PATTERN && origin_of(target) == origin_of(source)
+      rescue ArgumentError, URI::Error
+        false
+      end
+
+      def absolute_path?(target)
+        target =~ URI::DEFAULT_PARSER.regexp[:ABS_PATH] && URI(target).host.nil? && !target.start_with?("//")
+      rescue ArgumentError, URI::Error
+        false
+      end
+
+      def origin_of(url)
+        uri = URI(url)
+        "#{uri.scheme}://#{uri.host}:#{uri.port}"
+      end
+  end
+end

data/lib/redmine_sign_in.rb

@@ -0,0 +1,51 @@
+require "active_support"
+require "active_support/rails"
+require "oauth2"
+
+# Inspired by and structured after basecamp/google_sign_in
+# (https://github.com/basecamp/google_sign_in).
+module RedmineSignIn
+  mattr_accessor :client_id
+  mattr_accessor :client_secret
+  mattr_accessor :host
+  mattr_accessor :authorize_url
+  mattr_accessor :token_url
+  mattr_accessor :userinfo_url
+  mattr_accessor :oauth2_client_options, default: nil
+
+  # https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+  authorization_request_errors = %w[
+    invalid_request
+    unauthorized_client
+    access_denied
+    unsupported_response_type
+    invalid_scope
+    server_error
+    temporarily_unavailable
+  ]
+
+  # https://tools.ietf.org/html/rfc6749#section-5.2
+  access_token_request_errors = %w[
+    invalid_request
+    invalid_client
+    invalid_grant
+    unauthorized_client
+    unsupported_grant_type
+    invalid_scope
+  ]
+
+  OAUTH2_ERRORS = authorization_request_errors | access_token_request_errors
+
+  def self.oauth2_client(redirect_uri:)
+    OAuth2::Client.new \
+      RedmineSignIn.client_id,
+      RedmineSignIn.client_secret,
+      authorize_url: RedmineSignIn.authorize_url,
+      token_url: RedmineSignIn.token_url,
+      redirect_uri: redirect_uri,
+      **RedmineSignIn.oauth2_client_options.to_h
+  end
+end
+
+require "redmine_sign_in/identity"
+require "redmine_sign_in/engine" if defined?(Rails) && !defined?(RedmineSignIn::Engine)

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: redmine_sign_in
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Simon Isler
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-05-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.1.0
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description:
+email:
+- simon.isler@renuo.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- app/controllers/redmine_sign_in/authorizations_controller.rb
+- app/controllers/redmine_sign_in/base_controller.rb
+- app/controllers/redmine_sign_in/callbacks_controller.rb
+- app/helpers/redmine_sign_in/button_helper.rb
+- config/routes.rb
+- lib/redmine_sign_in.rb
+- lib/redmine_sign_in/engine.rb
+- lib/redmine_sign_in/identity.rb
+- lib/redmine_sign_in/redirect_protector.rb
+homepage: https://github.com/renuo/redmine_sign_in
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Sign in with Redmine for Rails applications
+test_files: []