RubyGems - rodauth-oauth - Versions diffs - 0.4.0 → 0.4.1 - Mend

rodauth-oauth 0.4.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/lib/rodauth/features/oauth.rb +23 -20
data/lib/rodauth/oauth/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b09ecfc1d3a8ee0f5b890620baa14ca6d847362bf38dd158e02bd2c8ebfc204e
-  data.tar.gz: 89f0e82d7721f7ee175b1c53b7b3e0cc534e6983fe37dfc02e433df77b58225d
+  metadata.gz: c7c9cc026f547d781b05599d177237498390c8347791aaf5960e7447d2640b0b
+  data.tar.gz: 290ec103b22d394fbae7f153430605fa032b8baf6b6083e31ad8af8cd3d422b8
 SHA512:
-  metadata.gz: d00a178f561ddecacff0587e1120b68bb22cd10b76b106b00f41167ba9c8bd8b2b8958fd629588924e502be8c947a81d3722102038cd329c006f4b4daf6efada
-  data.tar.gz: 328542ba8ce7ef8e8f605056a9a8cbf6599136232d93f7246b13fe037ebc07225e2051b3ee454eb90ec4ae480e2b493d662d1cbbcd0ae5cc7e57a0ff29b10696
+  metadata.gz: 64c22bd200ff9dcb5e8406ace5f4eb34625bcee5a381e52b6b7e960b614ec3941c0460997542d843ed4eaa843a85a7f2592a027c741d5380a7572edb974ca3a9
+  data.tar.gz: 0a6c93bc131d2fcb45e400173ced20096caa191e3ef73f4e67ab0fc12d5ead9b9f9e6867d163612299141b96b7691429cb5e5b263036887134396f244c3dd4f7

data/CHANGELOG.md CHANGED

@@ -2,6 +2,16 @@
 ## master
+### 0.4.1
+### Improvements
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+### Bugfixes
+* An error ocurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
 ### 0.4.0
 ### Features

data/lib/rodauth/features/oauth.rb CHANGED

@@ -489,13 +489,13 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
-      return unless value
+      return unless value && !value.empty?
       scheme, token = value.split(" ", 2)
       return unless scheme.downcase == oauth_token_type
-      return if token.empty?
+      return if token.nil? || token.empty?
       token
     end
@@ -508,31 +508,34 @@ module Rodauth
       return unless bearer_token
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+                               return unless payload["active"]
+                               payload
+                             end
     end
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-                       authorization_required unless bearer_token
-                       scopes << oauth_application_default_scope if scopes.empty?
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-                       authorization_required unless payload["active"]
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }

data/lib/rodauth/oauth/version.rb CHANGED

@@ -2,6 +2,6 @@
 module Rodauth
   module OAuth
-    VERSION = "0.4.0"
+    VERSION = "0.4.1"
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-13 00:00:00.000000000 Z
+date: 2020-11-24 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email: