rodauth-oauth 1.3.0 → 1.3.1

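--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 4d7d5f8b68686703954bf4e335cef0ea33f9e31c94c439df84f08e8ff3270829
- data.tar.gz: 1da57ba2082818a74dbca4d1c6bcab0c15f97da891e12c03a8bf91440a4edcfd
+ metadata.gz: ac42aa0fb7d65030b403957a408d6d5b1f999614c957ec8176d814030ddb9381
+ data.tar.gz: f67cf98dfdb162d1e015d3930b569756f2a25737a64e68ed36fcf31e2d672be2
  SHA512:
- metadata.gz: 8230b54e51d2081e25d1386d6294745d54eebbe11a6677bdb9cade14e0a418658bc2b8a67ae2e6355458f4b43d8a2df1700cd3e0496fa8a10e690318f3d03ba0
- data.tar.gz: 31ab5721a6464b751860b6896f47999e189592582842ba419ab0a057ff38af98612d54a8b00177092e2fe5993af1e5554cecafbbfaab18a495656117f19ce4fd
+ metadata.gz: e86da1d43f30dfb18e1ae530dc5b1cc9cf69903d32a39bade2dc5881075140d79ef5644159ff40b1406b58dfb12197c79d13f683f20b431330d02d452b3cf87e
+ data.tar.gz: ad35b6bc881f1e22f7cb7227115daee9556ebeada9e10b21e8ecfeb9dc0e7a51ddd606ef481f1125064e49d6ee39076bd8bc2043d58d0d103df6a27813a022db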
@@ -0,0 +1,10 @@
1
+ ### 1.3.1 (27/06/2023)
2
+
3
+ #### Bugfixes
4
+
5
+ * Set 401 error response when `client_id` parameter is invalid, or from an unexisting client application, instead of failing with a 500 (@igor-alexandrov).
6
+ * update rails authorize form to use roda request params instead, as plain params was breaking JAR and PAR-based authorize forms in rails applications.
7
+
8
+ #### Chore
9
+
10
+ * set `:padding` to `false` in `Base64.urlsafe_encode64` calls (@felipe.zavan)
@@ -37,10 +37,10 @@
37
37
  </div>
38
38
  <% end %>
39
39
  <% end %>
40
- <%= hidden_field_tag :client_id, params[:client_id] %>
41
- <% %i[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
42
- <% if params[oauth_param] %>
43
- <%= hidden_field_tag oauth_param, params[oauth_param] %>
40
+ <%= hidden_field_tag :client_id, rodauth.raw_param("client_id") %>
41
+ <% %w[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
42
+ <% if rodauth.raw_param(oauth_param) %>
43
+ <%= hidden_field_tag oauth_param, rodauth.raw_param(oauth_param) %>
44
44
  <% end %>
45
45
  <% end %>
46
46
  <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
@@ -49,39 +49,39 @@
49
49
  <% end %>
50
50
  <% end %>
51
51
  <% if rodauth.features.include?(:oauth_pkce) %>
52
- <% if params[:code_challenge] %>
53
- <%= hidden_field_tag :code_challenge, params[:code_challenge] %>
52
+ <% if rodauth.raw_param("code_challenge") %>
53
+ <%= hidden_field_tag :code_challenge, rodauth.raw_param("code_challenge") %>
54
54
  <% end %>
55
- <% if params[:code_challenge_method] %>
56
- <%= hidden_field_tag :code_challenge_method, params[:code_challenge_method] %>
55
+ <% if rodauth.raw_param("code_challenge_method") %>
56
+ <%= hidden_field_tag :code_challenge_method, rodauth.raw_param("code_challenge_method") %>
57
57
  <% end %>
58
58
  <% end %>
59
59
  <% if rodauth.features.include?(:oidc) %>
60
- <% if params[:prompt] %>
61
- <%= hidden_field_tag :prompt, params[:prompt] %>
60
+ <% if rodauth.raw_param("prompt") %>
61
+ <%= hidden_field_tag :prompt, rodauth.raw_param("prompt") %>
62
62
  <% end %>
63
- <% if params[:nonce] %>
64
- <%= hidden_field_tag :nonce, params[:nonce] %>
63
+ <% if rodauth.raw_param("nonce") %>
64
+ <%= hidden_field_tag :nonce, rodauth.raw_param("nonce") %>
65
65
  <% end %>
66
- <% if params[:ui_locales] %>
67
- <%= hidden_field_tag :ui_locales, params[:ui_locales] %>
66
+ <% if rodauth.raw_param("ui_locales") %>
67
+ <%= hidden_field_tag :ui_locales, rodauth.raw_param("ui_locales") %>
68
68
  <% end %>
69
- <% if params[:claims_locales] %>
70
- <%= hidden_field_tag :claims_locales, params[:claims_locales] %>
69
+ <% if rodauth.raw_param("claims_locales") %>
70
+ <%= hidden_field_tag :claims_locales, rodauth.raw_param("claims_locales") %>
71
71
  <% end %>
72
- <% if params[:claims] %>
73
- <%= hidden_field_tag :claims, sanitize(params[:claims]) %>
72
+ <% if rodauth.raw_param("claims") %>
73
+ <%= hidden_field_tag :claims, sanitize(rodauth.raw_param("claims")) %>
74
74
  <% end %>
75
- <% if params[:acr_values] %>
76
- <%= hidden_field_tag :acr_values, params[:acr_values] %>
75
+ <% if rodauth.raw_param("acr_values") %>
76
+ <%= hidden_field_tag :acr_values, rodauth.raw_param("acr_values") %>
77
77
  <% end %>
78
- <% if params[:registration] %>
79
- <%= hidden_field_tag :registration, params[:registration] %>
78
+ <% if rodauth.raw_param("registration") %>
79
+ <%= hidden_field_tag :registration, rodauth.raw_param("registration") %>
80
80
  <% end %>
81
81
  <% end %>
82
82
  </div>
83
83
  <p class="text-center">
84
84
  <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
85
- <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if params[:state] }", class: "btn btn-outline-danger" %>
85
+ <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.raw_param("state") }", class: "btn btn-outline-danger" %>
86
86
  </p>
87
87
  <% end %>
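Review bot: The cancel link on the last changed line of the second hunk still builds the error redirect by appending `?error=access_denied…` to `rodauth.redirect_uri` with plain string interpolation, so a registered redirect URI that already carries a query component (which RFC 6749 §3.1.2 allows) would end up with a second `?` and a malformed URL; the 1.3.1 change only swaps `params[:state]` for `rodauth.raw_param("state")` on that line. Composing the URL with `URI` (joining onto an existing `query` with `&`) or reusing whatever helper the authorize flow uses for its success redirect would be more robust than the literal. The same line guards on `rodauth.raw_param("state")` but interpolates `rodauth.state`; if those two can ever differ, the guard should test the value it emits. The enclosing form begins before the first hunk of this file, so the surrounding markup is not visible here.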
@@ -367,7 +367,7 @@ module Rodauth
367
367
  end
368
368
 
369
369
  def require_oauth_application_from_client_secret_basic(token)
370
- client_id, client_secret = Base64.decode64(token).split(/:/, 2)
370
+ client_id, client_secret = Base64.decode64(token).split(":", 2)
371
371
  authorization_required unless client_id
372
372
  oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => client_id).first
373
373
  authorization_required unless supports_auth_method?(oauth_application,
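Review bot: The credentials produced by the changed `split(":", 2)` line are used verbatim for the lookup, but RFC 6749 §2.3.1 specifies that client_id and client_secret are form-urlencoded before being base64-encoded, so a client_id containing reserved characters (a `:` sent as `%3A`, for instance) would never match the stored value; `client_id, client_secret = Base64.decode64(token).split(":", 2).map { |part| part && CGI.unescape(part) }` would honour that, assuming `cgi` is loaded in this file. `Base64.decode64` also silently drops characters outside the alphabet, so a malformed Authorization header decodes to arbitrary bytes and proceeds to the database lookup instead of being rejected; `Base64.strict_decode64` with `rescue ArgumentError` mapped to `authorization_required` fails closed explicitly and makes malformed-header attempts easier to tell apart in logs from wrong-credential attempts. The method body continues past the end of the hunk.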
@@ -389,6 +389,8 @@ module Rodauth
389
389
  end
390
390
 
391
391
  def supports_auth_method?(oauth_application, auth_method)
392
+ return false unless oauth_application
393
+
392
394
  supported_auth_methods = if oauth_application[oauth_applications_token_endpoint_auth_method_column]
393
395
  oauth_application[oauth_applications_token_endpoint_auth_method_column].split(/ +/)
394
396
  else
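Review bot: The new guard at the top of supports_auth_method? should carry a comment saying why a missing application is answered with false rather than an exception, since the caller in the previous hunk turns a false result into authorization_required: `# A nil row means no application matched the supplied client_id; answering false lets the caller reply 401 — the same response as an unsupported auth method, so unknown client_ids are not distinguishable from known ones.` Without it, a later reader may "tighten" the guard into a raise and reintroduce the 500 that 1.3.1 removes. The rest of the method body lies outside the hunk, so the remaining branches could not be checked here.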
@@ -76,8 +76,7 @@ module Rodauth
76
76
  when "plain"
77
77
  challenge == verifier
78
78
  when "S256"
79
- generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
80
- generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
79
+ generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
81
80
 
82
81
  challenge == generated_challenge
83
82
  else
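Review bot: The S256 branch still compares `challenge == generated_challenge` (and the plain branch `challenge == verifier`) with ordinary string equality, which is not constant-time; Rodauth provides `timing_safe_eql?`, and `timing_safe_eql?(generated_challenge, challenge)` in both branches removes the timing side channel at no readability cost, even though the challenge itself is only weakly secret. RFC 7636 §4.1 also bounds code_verifier to 43–128 characters from the unreserved set, and no such length or charset check is visible in this hunk — it may well live in the part of the method outside it, so worth confirming. The `padding: false` change itself is correct and matches the §4.2 base64url-without-padding encoding while dropping the manual `=`-stripping loop. The enclosing method starts and ends outside the hunk.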
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Rodauth
4
4
  module OAuth
5
- VERSION = "1.3.0"
5
+ VERSION = "1.3.1"
6
6
  end
7
7
  end
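--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: rodauth-oauth
  version: !ruby/object:Gem::Version
- version: 1.3.0
+ version: 1.3.1
  platform: ruby
  authors:
  - Tiago Cardoso
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-04-01 00:00:00.000000000 Z
+ date: 2023-06-27 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rodauth
@@ -70,6 +70,7 @@ extra_rdoc_files:
  - doc/release_notes/1_1_0.md
  - doc/release_notes/1_2_0.md
  - doc/release_notes/1_3_0.md
+ - doc/release_notes/1_3_1.md
  files:
  - CHANGELOG.md
  - LICENSE.txt
@@ -111,6 +112,7 @@ files:
  - doc/release_notes/1_1_0.md
  - doc/release_notes/1_2_0.md
  - doc/release_notes/1_3_0.md
+ - doc/release_notes/1_3_1.md
  - lib/generators/rodauth/oauth/install_generator.rb
  - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
  - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
@@ -204,7 +206,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.7
+ rubygems_version: 3.4.10
  signing_key:
  specification_version: 4
  summary: Implementation of the OAuth 2.0 protocol on top of rodauth.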