rodauth-oauth 1.6.2 → 1.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a33a9ee71a918fe0ea7e71e63062d9399117081bd6d065e5d00dcd4d73ffe8a3
-  data.tar.gz: b269c68bb2a1eb45bba20ce222b18184d5e64d83ce3ccba1641403e01d2a2c28
+  metadata.gz: 83351fdb82b53fcc94fbafcfe1f3a2057b887b633ae39c4de24a5268136164ec
+  data.tar.gz: 6b1d1f26cfc189cb6d18269af0634f358724a156bd26edc514bb008615e55e68
 SHA512:
-  metadata.gz: 74221c277a9f55e01447063cbc9f8f0d01bb3b77bedbcb86b7b14ab6baeb50d09cbb556c9e54cf14a50d91460a427a9eaaa1a541f4f2e0e87edd724df28703e8
-  data.tar.gz: 3fcfe3de3b11791ceea035142344f7bbf88a05082452c77b17c4c6fdfc872b956d44f9d04307e61b476b38b340ee7fc68bd27da3698e402b3b7d75628d7c0008
+  metadata.gz: c2197aad8a6e0d0e5d46ef2b18f0730133d06463c1115c60a949b079849c8bb5ab62e1424db5fea1ede68ae5ff1084dfe805a4247164387163a16f8b5f425c40
+  data.tar.gz: 63f3c8bfff288028767e833735c8c1496595a9ec08a7c06463df98fe2b93ad987d95e42e0e68c08c24698b97a454924a326d6326c056f41181920c189f04472d

data/README.md

@@ -50,6 +50,7 @@ This gem implements the following RFCs and features of OAuth:
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
+* `oauth_dpop` - [OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/rfc9449/);
 
 * `oauth_dynamic_client_registration` - [Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) and [Dynamic Client Registration Management](https://www.rfc-editor.org/rfc/rfc7592);
 * OAuth application and token management dashboards;
@@ -67,7 +68,7 @@ It also implements several components of [OpenID Connect](https://openid.net/con
 * `oidc_frontchannel_logout` - [Frontchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Frontchannel-Logout);
 * `oidc_backchannel_logout` - [Backchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Backchannel-Logout);
 
-This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
+This gem supports also rails (via [rodauth-rails]((https://github.com/janko/rodauth-rails)), which also dictates the versioning policy).
 
 
 ## Installation

data/doc/release_notes/1_6_3.md

@@ -0,0 +1,9 @@
+### 1.6.3
+
+#### Improvements
+
+* all routes can now be used via rodauth `internal_request` feature.
+
+#### Bugfixes
+
+* `oauth_application_management` feature: fixed "new oauth application" link to account for for prefix usage.

data/doc/release_notes/1_6_4.md

@@ -0,0 +1,9 @@
+### 1.6.4
+
+#### Bugfixes
+
+* on `/userinfo` request, enforce existence of oauth grant before proceeding with the userinfo requests.
+
+#### Chore
+
+* linting + tweaks to example scripts.

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -33,6 +33,10 @@ module Rodauth
       :oauth_grants_resource_owner_columns
     )
 
+    OAUTH_ACCESS_TYPES = %w[offline online].freeze
+
+    OAUTH_APPROVAL_PROMPTS = %w[force auto].freeze
+
     # /authorize
     auth_server_route(:authorize) do |r|
       require_authorizable_account
@@ -106,22 +110,18 @@ module Rodauth
       false
     end
 
-    ACCESS_TYPES = %w[offline online].freeze
-
     def check_valid_access_type?
       return true unless use_oauth_access_type?
 
       access_type = param_or_nil("access_type")
-      !access_type || ACCESS_TYPES.include?(access_type)
+      !access_type || OAUTH_ACCESS_TYPES.include?(access_type)
     end
 
-    APPROVAL_PROMPTS = %w[force auto].freeze
-
     def check_valid_approval_prompt?
       return true unless use_oauth_access_type?
 
       approval_prompt = param_or_nil("approval_prompt")
-      !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
+      !approval_prompt || OAUTH_APPROVAL_PROMPTS.include?(approval_prompt)
     end
 
     def resource_owner_params
@@ -142,7 +142,7 @@ module Rodauth
         oauth_grants_redirect_uri_column => redirect_uri,
         oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
         oauth_grants_access_type_column => "online"
-      ).count.zero?
+      ).none?
 
       # if there's a previous oauth grant for the params combo, it means that this user has approved before.
       request.env["REQUEST_METHOD"] = "POST"

data/lib/rodauth/features/oauth_base.rb

@@ -462,14 +462,14 @@ module Rodauth
     end
 
     def generate_token(grant_params = {}, should_generate_refresh_token = true)
-      if grant_params[oauth_grants_id_column] && (oauth_reuse_access_token &&
-           (
-             if oauth_grants_token_hash_column
-               grant_params[oauth_grants_token_hash_column]
-             else
-               grant_params[oauth_grants_token_column]
-             end
-           ))
+      if grant_params[oauth_grants_id_column] && oauth_reuse_access_token &&
+         (
+           if oauth_grants_token_hash_column
+             grant_params[oauth_grants_token_hash_column]
+           else
+             grant_params[oauth_grants_token_column]
+           end
+         )
         return grant_params
       end
 

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -18,7 +18,7 @@ module Rodauth
       request.on(registration_client_uri_route) do
         # CLIENT REGISTRATION URI
         request.on(String) do |client_id|
-          (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
+          token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
 
           next unless token
 

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -266,14 +266,14 @@ module Rodauth
                  end
 
         now = Time.now
-        if verify_claims && (
-            (!claims[:exp] || Time.at(claims[:exp]) < now) &&
-            (claims[:nbf] && Time.at(claims[:nbf]) < now) &&
-            (claims[:iat] && Time.at(claims[:iat]) < now) &&
-            (verify_iss && claims[:iss] != oauth_jwt_issuer) &&
-            (verify_aud && !verify_aud(claims[:aud], claims[:client_id])) &&
-            (verify_jti && !verify_jti(claims[:jti], claims))
-          )
+        if verify_claims &&
+           (!claims[:exp] || Time.at(claims[:exp]) < now) &&
+           claims[:nbf] && Time.at(claims[:nbf]) < now &&
+           claims[:iat] && Time.at(claims[:iat]) < now &&
+           verify_iss && claims[:iss] != oauth_jwt_issuer &&
+           verify_aud && !verify_aud(claims[:aud], claims[:client_id]) &&
+           verify_jti && !verify_jti(claims[:jti], claims)
+
           return
         end
 
@@ -347,7 +347,6 @@ module Rodauth
       def jwt_encode(payload,
                      signing_algorithm: oauth_jwt_keys.keys.first,
                      headers: {}, **)
-
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
         key = key.first if key.is_a?(Array)
 
@@ -475,7 +474,6 @@ module Rodauth
           jwe_key: oauth_jwt_jwe_keys[[jws_encryption_algorithm, jws_encryption_method]] || oauth_jwt_jwe_keys.values.first,
           **args
         )
-
           token = if jwks && jwks.any? { |k| k[:use] == "enc" }
                     JWE.__rodauth_oauth_decrypt_from_jwks(token, jwks, alg: jws_encryption_algorithm, enc: jws_encryption_method)
                   elsif jwe_key

data/lib/rodauth/features/oauth_token_introspection.rb

@@ -99,7 +99,7 @@ module Rodauth
     private
 
     def require_oauth_application_for_introspect
-      (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
+      token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]
 
       return require_oauth_application unless token
 

data/lib/rodauth/features/oidc.rb

@@ -144,7 +144,9 @@ module Rodauth
             **resource_owner_params_from_jwt_claims(claims)
           ).first
 
-          claims_locales = oauth_grant[oauth_grants_claims_locales_column] if oauth_grant
+          throw_json_response_error(oauth_authorization_required_error_status, "invalid_token") unless oauth_grant
+
+          claims_locales = oauth_grant[oauth_grants_claims_locales_column]
 
           if (claims = oauth_grant[oauth_grants_claims_column])
             claims = JSON.parse(claims)
@@ -317,9 +319,8 @@ module Rodauth
       # MUST ignore the offline_access request unless the Client
       # is using a response_type value that would result in an
       # Authorization Code
-      if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" && (
-                (response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code")
-              ))
+      if sc && sc.include?("offline_access") && !(param_or_nil("prompt") == "consent" &&
+                (response_type = param_or_nil("response_type")) && response_type.split(" ").include?("code"))
         sc.delete("offline_access")
 
         request.params["scope"] = sc.join(" ")
@@ -792,9 +793,7 @@ module Rodauth
     # Metadata
 
     def openid_configuration_body(path = nil)
-      metadata = oauth_server_metadata_body(path).select do |k, _|
-        VALID_METADATA_KEYS.include?(k)
-      end
+      metadata = oauth_server_metadata_body(path).slice(*VALID_METADATA_KEYS)
 
       scope_claims = oauth_application_scopes.each_with_object([]) do |scope, claims|
         oidc, param = scope.split(".", 2)
@@ -873,7 +872,7 @@ module Rodauth
       return unless digest
 
       hash = digest.digest(hash)
-      hash = hash[0...hash.size / 2]
+      hash = hash[0...(hash.size / 2)]
       Base64.urlsafe_encode64(hash).tr("=", "")
     end
   end

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -132,8 +132,8 @@ module Rodauth
         end
       end
 
-      if features.include?(:oidc_rp_initiated_logout) && (defined?(oauth_applications_post_logout_redirect_uris_column) &&
-           (value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column]))
+      if features.include?(:oidc_rp_initiated_logout) && defined?(oauth_applications_post_logout_redirect_uris_column) &&
+         (value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column])
         if value.is_a?(Array)
           @oauth_application_params[oauth_applications_post_logout_redirect_uris_column] = value.each do |redirect_uri|
             unless check_valid_uri?(redirect_uri)

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -23,7 +23,7 @@ module Rodauth
         catch_error do
           validate_oidc_logout_params
 
-          claims = oauth_application = nil
+          claims = nil
 
           if (id_token_hint = param_or_nil("id_token_hint"))
             #

data/lib/rodauth/oauth/database_extensions.rb

@@ -81,7 +81,7 @@ module Rodauth
           end
 
           def __insert_or_do_nothing_and_return__(dataset, pkey, unique_columns, params)
-            find_params = params.select { |key, _| unique_columns.include?(key) }
+            find_params = params.slice(*unique_columns)
             dataset.where(find_params).first || __insert_and_return__(dataset, pkey, params)
           end
         end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.6.2"
+    VERSION = "1.6.4"
   end
 end

data/lib/rodauth/oauth.rb

@@ -6,8 +6,8 @@ require "rodauth/oauth/version"
 module Rodauth
   module OAuth
     module FeatureExtensions
-      def auth_server_route(*args, &blk)
-        routes = route(*args, &blk)
+      def auth_server_route(name, *args, &blk)
+        routes = route(name, *args, &blk)
 
         handle_meth = routes.last
 
@@ -19,6 +19,9 @@ module Rodauth
 
         alias_method :"#{handle_meth}_not_for_auth_server", handle_meth
         alias_method handle_meth, :"#{handle_meth}_for_auth_server"
+
+        # make all requests usable via internal_request feature
+        internal_request_method name
       end
 
       # override

data/templates/oauth_applications.str

@@ -1,5 +1,5 @@
 <div id="oauth-applications">
-  <a class="btn btn-outline-primary" href="/oauth-applications/new">#{rodauth.new_oauth_application_page_title}</a>
+  <a class="btn btn-outline-primary" href="#{rodauth.oauth_applications_path}/new">#{rodauth.new_oauth_application_page_title}</a>
   #{
     if @oauth_applications.count.zero?
       "<p>#{rodauth.oauth_no_applications_text}</p>"

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.6.2
+  version: 1.6.4
 platform: ruby
 authors:
 - Tiago Cardoso
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-17 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -44,10 +43,10 @@ email:
 executables: []
 extensions: []
 extra_rdoc_files:
+- CHANGELOG.md
 - LICENSE.txt
-- README.md
 - MIGRATION-GUIDE-v1.md
-- CHANGELOG.md
+- README.md
 - doc/release_notes/0_0_1.md
 - doc/release_notes/0_0_2.md
 - doc/release_notes/0_0_3.md
@@ -91,6 +90,8 @@ extra_rdoc_files:
 - doc/release_notes/1_6_0.md
 - doc/release_notes/1_6_1.md
 - doc/release_notes/1_6_2.md
+- doc/release_notes/1_6_3.md
+- doc/release_notes/1_6_4.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -139,6 +140,8 @@ files:
 - doc/release_notes/1_6_0.md
 - doc/release_notes/1_6_1.md
 - doc/release_notes/1_6_2.md
+- doc/release_notes/1_6_3.md
+- doc/release_notes/1_6_4.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -225,7 +228,6 @@ metadata:
   source_code_uri: https://gitlab.com/os85/rodauth-oauth
   changelog_uri: https://gitlab.com/os85/rodauth-oauth/-/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -240,8 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.
 test_files: []