rodauth-omniauth 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99f2cd5c47082f18ff2b0feeea0106c104edf6454e354fb04f8c74044b7796b2
-  data.tar.gz: 58c096a1176cce8c2aa1ef0741c35e0ec81a36fb1d3d7bf9350b01c143daffdb
+  metadata.gz: b983cad17d20d291428c75e8efd5d59b313e83ac68f7998d7d1ec6c508db0ac4
+  data.tar.gz: e5db5f29f5d2897312d9dc4eca1cc34718ff56bd024bf2f79473a230a9e3cfbc
 SHA512:
-  metadata.gz: 3ee9f500a18535a215d74d6cbc250561a7d0b61cc5818166e7bf481b74bf67dedf2547228ffbec177273715d1001cce2178e7590cadc8c21b102ef1b9585f9c5
-  data.tar.gz: fe0337fdc2ef82ea53c5b8514383df10d60433900deaa35fa519ffe0e846c3a5e79deead46b1e790e29a35ffac0a00a2301c6437376d8fd91832d8ee1cb49a8e
+  metadata.gz: d371d95667924f9e6ea1da68ab3e59471d794230de35eefa7d816edba211c734c981e1ef8ce724987cf58e0e10bf52773bad671dbb352dbbcd6b2762725bba1d
+  data.tar.gz: 78feadd9466089523ec85e021c980fc90af051c92d6c981e04476888546524f4bcd010321bd89d0f5a4f788c68221ac87dfa6112ea97e67074c9c3ca532daadd

data/README.md

@@ -1,6 +1,6 @@
 # rodauth-omniauth
 
-[Rodauth] feature that offers login and registration via multiple external providers using [OmniAuth]. The external identities are automatically stored in the database, and associated to the main account record.
+[Rodauth] feature that offers login and registration via multiple external providers using [OmniAuth], together with the persistence of external identities.
 
 ## Installation
 
@@ -15,16 +15,28 @@ $ bundle add rodauth-omniauth
 You'll first need to create the table for storing external identities:
 
 ```rb
-Sequel.migration do                       # class CreateAccountIdentities < ActiveRecord::Migration
-  change do                               #   def change
-    create_table :account_identities do   #     create_table :account_identities do |t|
-      primary_key :id                     #       t.references :account, null: false, foreign_key: { on_delete: :cascade }
-      foreign_key :account_id, :accounts  #       t.string :provider, null: false
-      String :provider, null: false       #       t.string :uid, null: false
-      String :uid, null: false            #       t.index [:provider, :uid], unique: true
-      unique [:provider, :uid]            #     end
-    end                                   #   end
-  end                                     # end
+Sequel.migration do
+  change do
+    create_table :account_identities do
+      primary_key :id
+      foreign_key :account_id, :accounts
+      String :provider, null: false
+      String :uid, null: false
+      unique [:provider, :uid]
+    end
+  end
+end
+```
+```rb
+class CreateAccountIdentities < ActiveRecord::Migration
+  def change
+    create_table :account_identities do |t|
+      t.references :account, null: false, foreign_key: { on_delete: :cascade }
+      t.string :provider, null: false
+      t.string :uid, null: false
+      t.index [:provider, :uid], unique: true
+    end
+  end
 end
 ```
 
@@ -47,16 +59,11 @@ You can now add authentication links to your login form:
 
 ```erb
 <!-- app/views/rodauth/_login_form_footer.html.erb -->
-<%== rodauth.login_form_footer_links_heading %>
-
-<ul>
+<!-- ... -->
   <li><%= button_to "Login via Facebook", rodauth.omniauth_request_path(:facebook), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
   <li><%= button_to "Login via Twitter", rodauth.omniauth_request_path(:twitter), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
   <li><%= button_to "Login via Google", rodauth.omniauth_request_path(:google), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
-  <% rodauth.login_form_footer_links.each do |_, link, text| %>
-    <li><%= link_to text, link %></li>
-  <% end %>
-</ul>
+<!-- ... -->
 ```
 
 Assuming you configured the providers correctly, you should now be able to authenticate via an external provider. The `omniauth` feature handles the callback request, automatically creating new identities and verified accounts from those identities as needed.
@@ -73,7 +80,25 @@ Currently, provider login is required to return the user's email address, and ac
 
 ### Login
 
-If the local account associated to the external identity exists and is unverified (e.g. it was created through normal registration), the external login will abort during the callback phase. You can change the default error flash and redirect location in this case:
+After provider login, you can perform custom logic at the start of the callback request:
+
+```rb
+before_omniauth_callback_route do
+  omniauth_provider #=> :google
+end
+```
+
+If the external identity doesn't already exist, and there is an account with email matching the identity's, the new identity will be assigned to that account. You can change how existing accounts are searched after provider login:
+
+```rb
+account_from_omniauth do
+  account_table_ds.first(email: omniauth_email) # roughly the default implementation
+end
+# or
+account_from_omniauth {} # disable finding existing accounts for new identities
+```
+
+If the account associated to the external identity exists and is unverified (e.g. it was created through normal registration), the callback phase will return an error response, as only verified accounts can be logged into. You can change the default error flash and redirect location in this case:
 
 ```rb
 omniauth_login_unverified_account_error_flash "The account matching the external identity is currently awaiting verification"
@@ -82,9 +107,7 @@ omniauth_login_failure_redirect { require_login_redirect }
 
 ### Account creation
 
-Since provider accounts have verified the email address, local accounts created via external logins are automatically considered verified.
-
-If you want to use extra user information for account creation, you can do so via hooks:
+Accounts created via external login are automatically verified, because it's assumed your email address was verified by the external provider. If you want to use extra user information for account creation, you can do so via hooks:
 
 ```rb
 before_omniauth_create_account { account[:name] = omniauth_name }
@@ -94,7 +117,7 @@ after_omniauth_create_account do
 end
 ```
 
-When the account is closed, its external identities are automatically cleared from the database.
+When the account is closed, its external identities are automatically deleted from the database.
 
 ### Identity data
 
@@ -118,7 +141,7 @@ omniauth_identity_update_hash do
 end
 ```
 
-With this configuration, the identity record will be automatically synced with most recent state on each provider login. If you would like to only save provider data on first login, you can override the insert hash instead:
+With this configuration, the identity record will be automatically synced with most recent state on each provider login. If you would like to only save provider data when the identity is created, you can override the insert hash instead:
 
 ```rb
 # this data will be stored only on first login
@@ -131,6 +154,16 @@ omniauth_identity_insert_hash do
 end
 ```
 
+You can change the table name or any of the column names:
+
+```rb
+omniauth_identities_table :account_identities
+omniauth_identities_id_column :id
+omniauth_identities_account_id_column :account_id
+omniauth_identities_provider_column :provider
+omniauth_identities_uid_column :uid
+```
+
 ### Model associations
 
 When using the [rodauth-model] gem, an `identities` one-to-many association will be defined on the account model:
@@ -205,13 +238,13 @@ URL helpers are provided as well:
 rodauth.prefix #=> "/user"
 rodauth.omniauth_prefix #=> "/auth"
 
-rodauth.omniauth_request_route #=> "auth/facebook"
-rodauth.omniauth_request_path #=> "/user/auth/facebook"
-rodauth.omniauth_request_url #=> "https://example.com/user/auth/facebook"
+rodauth.omniauth_request_route(:facebook) #=> "auth/facebook"
+rodauth.omniauth_request_path(:facebook) #=> "/user/auth/facebook"
+rodauth.omniauth_request_url(:facebook) #=> "https://example.com/user/auth/facebook"
 
-rodauth.omniauth_callback_route #=> "auth/facebook/callback"
-rodauth.omniauth_callback_path #=> "/user/auth/facebook/callback"
-rodauth.omniauth_callback_url #=> "https://example.com/user/auth/facebook/callback"
+rodauth.omniauth_callback_route(:facebook) #=> "auth/facebook/callback"
+rodauth.omniauth_callback_path(:facebook) #=> "/user/auth/facebook/callback"
+rodauth.omniauth_callback_url(:facebook) #=> "https://example.com/user/auth/facebook/callback"
 ```
 
 The prefix for the OmniAuth app can be changed:
@@ -257,9 +290,9 @@ Or provide your own implementation:
 ```rb
 omniauth_on_failure do
   case omniauth_error_type
-  when :no_authorization_code then ...
-  when :uknown_signature_algorithm then ...
-  else ...
+  when :no_authorization_code then # ...
+  when :uknown_signature_algorithm then # ...
+  else # ...
   end
 end
 ```
@@ -308,16 +341,32 @@ rodauth(:admin).omniauth_providers #=> [:google_oauth2, :twitter, :github]
 
 ### JSON
 
-JSON requests are supported for the request and callback phases. The request phase endpoint will return the authorize URL:
+JSON requests are supported for request and callback phases. The request phase endpoint will return the authorize URL:
 
 ```http
-POST /auth/facebook
+POST /auth/github
 Accept: application/json
 Content-Type: application/json
+```
+```http
+200 OK
+Content-Type: application/json
+
+{ "authorize_url": "https://github.com/login/oauth/authorize?..." }
+```
+
+When you redirect the user to the authorize URL, and they authorize the OAuth app, the callback endpoint they're redirected to will contain query parameters that need to passed for the callback request to the backend.
 
+```http
+GET /auth/github/callback?code=...&state=...
+Accept: application/json
+Content-Type: application/json
+```
+```http
 200 OK
 Content-Type: application/json
-{ "authorize_url": "https://external.com/login" }
+
+{ "success": "You have been logged in" }
 ```
 
 If there was a login failure, the error type will be included in the response:
@@ -326,12 +375,22 @@ If there was a login failure, the error type will be included in the response:
 POST /auth/facebook/callback
 Accept: application/json
 Content-Type: application/json
-
+```
+```http
 500 Internal Server Error
 Content-Type: application/json
+
 { "error_type": "some_error", "error": "There was an error logging in with the external provider" }
 ```
 
+In this flow, you'll need to configure the callback URL on the OAuth app to point to the frontend app. On the OmniAuth strategy, you'll need to configure the same for GitHub requests, but keep the backend callback endpoint. For strategies based on [omniauth-oauth2], you can achieve this as follows:
+
+```rb
+omniauth_provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"],
+  authorize_params: { redirect_uri: "https://frontend.example.com/github/callback" },
+  token_params: { redirect_uri: "https://frontend.example.com/github/callback" }
+```
+
 You can change authorize URL and error type keys:
 
 ```rb
@@ -341,7 +400,7 @@ omniauth_error_type_key "error_type"
 
 ### JWT
 
-JWT requests are supported for the request and callback phases. OmniAuth information will be stored in JWT session data during the request phase, and restored during the callback phase, as long as the updated JWT token is passed.
+JWT requests are supported for the request and callback phases. OmniAuth data will be stored in the JWT token during the request phase, and restored during the callback phase, as long as the updated JWT token is passed.
 
 ## Development
 
@@ -351,6 +410,10 @@ Run tests with Rake:
 $ bundle exec rake test
 ```
 
+## Credits
+
+The implementation of this gem was inspired by [this OmniAuth guide](https://github.com/omniauth/omniauth/wiki/Managing-Multiple-Providers).
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
@@ -362,3 +425,4 @@ Everyone interacting in the rodauth-omniauth project's codebases, issue trackers
 [Rodauth]: https://github.com/jeremyevans/rodauth
 [OmniAuth]: https://github.com/omniauth/omniauth
 [rodauth-model]: https://github.com/janko/rodauth-model
+[omniauth-oauth2]: https://github.com/omniauth/omniauth-oauth2

data/lib/rodauth/features/omniauth.rb

@@ -31,6 +31,7 @@ module Rodauth
 
     auth_private_methods(
       :retrieve_omniauth_identity,
+      :account_from_omniauth,
       :account_from_omniauth_identity,
       :omniauth_new_account,
     )
@@ -57,11 +58,11 @@ module Rodauth
       end
 
       unless account
-        account_from_login(omniauth_email)
+        account_from_omniauth
       end
 
       if account && !open_account?
-        set_redirect_error_status unopen_account_error_status
+        set_response_error_reason_status(:unverified_account, unopen_account_error_status)
         set_redirect_error_flash omniauth_login_unverified_account_error_flash
         redirect omniauth_login_failure_redirect
       end
@@ -92,6 +93,10 @@ module Rodauth
       @account = _account_from_omniauth_identity
     end
 
+    def account_from_omniauth
+      @account = _account_from_omniauth
+    end
+
     def omniauth_new_account
       @account = _omniauth_new_account(omniauth_email)
     end
@@ -112,6 +117,16 @@ module Rodauth
 
     private
 
+    def before_confirm_password
+      authenticated_by.delete("omniauth")
+      super if defined?(super)
+    end
+
+    def after_close_account
+      super if defined?(super)
+      remove_omniauth_identities
+    end
+
     def allow_email_auth?
       (defined?(super) ? super : true) && omniauth_account_identities_ds.empty?
     end
@@ -159,13 +174,12 @@ module Rodauth
       )
     end
 
-    def _account_from_omniauth_identity
-      account_ds(omniauth_identity_account_id).first
+    def _account_from_omniauth
+      _account_from_login(omniauth_email)
     end
 
-    def after_close_account
-      super if defined?(super)
-      remove_omniauth_identities
+    def _account_from_omniauth_identity
+      account_ds(omniauth_identity_account_id).first
     end
 
     def omniauth_identity_id

data/lib/rodauth/features/omniauth_base.rb

@@ -138,7 +138,7 @@ module Rodauth
         json_response[omniauth_error_type_key] = omniauth_error_type
       end
 
-      set_redirect_error_status omniauth_failure_error_status
+      set_response_error_reason_status(:omniauth_failure, omniauth_failure_error_status)
       set_redirect_error_flash omniauth_failure_error_flash
       redirect omniauth_failure_redirect
     end
@@ -164,9 +164,11 @@ module Rodauth
     # Makes OmniAuth strategies use the JWT session hash.
     def set_omniauth_jwt_session
       rack_session = request.env["rack.session"]
+      session.keys.each { |k| session[k.to_s] = session.delete(k) } unless scope.opts[:sessions_convert_symbols]
       request.env["rack.session"] = session
       yield
     ensure
+      session.keys.each { |k| session[k.to_sym] = session.delete(k) } unless scope.opts[:sessions_convert_symbols]
       request.env["rack.session"] = rack_session
     end
 

data/rodauth-omniauth.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "rodauth-omniauth"
-  spec.version       = "0.1.0"
+  spec.version       = "0.3.0"
   spec.authors       = ["Janko Marohnić"]
   spec.email         = ["janko@hey.com"]
 
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*"]
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "rodauth", "~> 2.0"
+  spec.add_dependency "rodauth", "~> 2.13"
   spec.add_dependency "omniauth", "~> 2.0"
 
   spec.add_development_dependency "minitest"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-omniauth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-03 00:00:00.000000000 Z
+date: 2022-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.13'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement