RubyGems - rodauth-oauth - Versions diffs - 0.4.0 → 0.4.1 - Mend

rodauth-oauth 0.4.0 → 0.4.1

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/lib/rodauth/features/oauth.rb +23 -20
data/lib/rodauth/oauth/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b09ecfc1d3a8ee0f5b890620baa14ca6d847362bf38dd158e02bd2c8ebfc204e
-  data.tar.gz: 89f0e82d7721f7ee175b1c53b7b3e0cc534e6983fe37dfc02e433df77b58225d
+  metadata.gz: c7c9cc026f547d781b05599d177237498390c8347791aaf5960e7447d2640b0b
+  data.tar.gz: 290ec103b22d394fbae7f153430605fa032b8baf6b6083e31ad8af8cd3d422b8
 SHA512:
-  metadata.gz: d00a178f561ddecacff0587e1120b68bb22cd10b76b106b00f41167ba9c8bd8b2b8958fd629588924e502be8c947a81d3722102038cd329c006f4b4daf6efada
-  data.tar.gz: 328542ba8ce7ef8e8f605056a9a8cbf6599136232d93f7246b13fe037ebc07225e2051b3ee454eb90ec4ae480e2b493d662d1cbbcd0ae5cc7e57a0ff29b10696
+  metadata.gz: 64c22bd200ff9dcb5e8406ace5f4eb34625bcee5a381e52b6b7e960b614ec3941c0460997542d843ed4eaa843a85a7f2592a027c741d5380a7572edb974ca3a9
+  data.tar.gz: 0a6c93bc131d2fcb45e400173ced20096caa191e3ef73f4e67ab0fc12d5ead9b9f9e6867d163612299141b96b7691429cb5e5b263036887134396f244c3dd4f7

data/CHANGELOG.md CHANGED

@@ -2,6 +2,16 @@
 ## master
+### 0.4.1
+### Improvements
+When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
+### Bugfixes
+* An error ocurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
 ### 0.4.0
 ### Features

data/lib/rodauth/features/oauth.rb CHANGED

@@ -489,13 +489,13 @@ module Rodauth
     def fetch_access_token
       value = request.env["HTTP_AUTHORIZATION"]
-      return unless value
+      return unless value && !value.empty?
       scheme, token = value.split(" ", 2)
       return unless scheme.downcase == oauth_token_type
-      return if token.empty?
+      return if token.nil? || token.empty?
       token
     end
@@ -508,31 +508,34 @@ module Rodauth
       return unless bearer_token
-      # check if token has not expired
-      # check if token has been revoked
-      @authorization_token = oauth_token_by_token(bearer_token)
+      @authorization_token = if is_authorization_server?
+                               # check if token has not expired
+                               # check if token has been revoked
+                               oauth_token_by_token(bearer_token)
+                             else
+                               # where in resource server, NOT the authorization server.
+                               payload = introspection_request("access_token", bearer_token)
+                               return unless payload["active"]
+                               payload
+                             end
     end
     def require_oauth_authorization(*scopes)
-      token_scopes = if is_authorization_server?
-                       authorization_required unless authorization_token
+      authorization_required unless authorization_token
-                       scopes << oauth_application_default_scope if scopes.empty?
+      scopes << oauth_application_default_scope if scopes.empty?
+      token_scopes = if is_authorization_server?
                        authorization_token[oauth_tokens_scopes_column].split(oauth_scope_separator)
                      else
-                       bearer_token = fetch_access_token
-                       authorization_required unless bearer_token
-                       scopes << oauth_application_default_scope if scopes.empty?
-                       # where in resource server, NOT the authorization server.
-                       payload = introspection_request("access_token", bearer_token)
-                       authorization_required unless payload["active"]
-                       payload["scope"].split(oauth_scope_separator)
+                       aux_scopes = authorization_token["scope"]
+                       if aux_scopes
+                         aux_scopes.split(oauth_scope_separator)
+                       else
+                         []
+                       end
                      end
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }

data/lib/rodauth/oauth/version.rb CHANGED

@@ -2,6 +2,6 @@
 module Rodauth
   module OAuth
-    VERSION = "0.4.0"
+    VERSION = "0.4.1"
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-13 00:00:00.000000000 Z
+date: 2020-11-24 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email: