RubyGems - rodauth-omniauth - Versions diffs - 0.5.0 → 0.6.0 - Mend

rodauth-omniauth 0.5.0 → 0.6.0

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +84 -32
data/lib/rodauth/features/omniauth.rb +10 -7
data/rodauth-omniauth.gemspec +2 -2
metadata +5 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bcd1857e0bfd2329c4df0476d8f5091bac5f45c9bd47de6c8c3ef53a99bf0a64
-  data.tar.gz: 57ddd4e9b6e8baf00b66da1f580b01762a0c118f7c962f520a026f6ef94bbfc3
+  metadata.gz: c91c4429c36390bbede1d97214cdb6a40c5a6f5d9255c379f3b17d026cee88c9
+  data.tar.gz: 8e09d6d3c5d4d9eb0022dd5696e1370fc82c22bd068ec5b883212f2117ae3c47
 SHA512:
-  metadata.gz: 9bebec705884e246bd20bee55771711d3fff5d82c9c7f711099e09ac1196e2af8ce0c5d9e1456035da429e33c7439d7ae8c2350b6b33c6081c54f74a93992b74
-  data.tar.gz: 53be14c4e20dff0c17e988b46cc7e0c700b810c6fc7a4440eb94a63abeee9659f9ad880427ce7205dd0fe9c6757b6e48a6e1e99411b1304dba8f011327936246
+  metadata.gz: 03e77668f1f2c2076f003ac455c1f57dcfd5b60f7096cc77e5fe0918bf6484814ab02304eb9286e5323c42c2115102b262edb55dc41174dc0574c9ae0e6c84cc
+  data.tar.gz: f90369c94f3d9baf82dda2490ff716e543cd6cd09a6c8b856b2ba41c0594bcce69a489755520e2aea898eaf6907611d31d53c7cbf2a5f3f0fff51a457511012d

data/README.md CHANGED Viewed

@@ -10,6 +10,10 @@ Add the gem to your project:
 $ bundle add rodauth-omniauth
 ```
+> [!NOTE]
+> Rodauth's CSRF protection will be used for the request validation phase, so there is no need for gems like `omniauth-rails_csrf_protection`.
 ## Usage
 You'll first need to create the table for storing external identities:
@@ -46,17 +50,16 @@ Then enable the `omniauth` feature and register providers in your Rodauth config
 $ bundle add omniauth-facebook omniauth-twitter, omniauth-google-oauth2
 ```
 ```rb
-plugin :rodauth do
-  enable :omniauth
+# in your Rodauth configuration
+enable :omniauth
-  omniauth_provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], scope: "email"
-  omniauth_provider :twitter, ENV["TWITTER_API_KEY"], ENV["TWITTER_API_SECRET"]
-  omniauth_provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], name: :google
-end
+omniauth_provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], scope: "email"
+omniauth_provider :twitter, ENV["TWITTER_API_KEY"], ENV["TWITTER_API_SECRET"]
+omniauth_provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], name: :google
 ```
-> [!NOTE]
-> It is important to note that `rodauth-omniauth` requires OmniAuth 2.x, so it's only compatible with providers gems that support it.
+> [!WARNING]
+> The `rodauth-omniauth` gem requires OmniAuth 2.x, so it's only compatible with providers gems that support it.
 You can now add authentication links to your login form:
@@ -88,6 +91,24 @@ account.identities #=> [#<Account::Identity ...>, ...]
 Currently, provider login is required to return the user's email address, and account creation is assumed not to require additional fields that need to be entered manually. There is currently also no built-in functionality for connecting/removing external identities when signed in. Both features are planned for future versions.
+### Timestamps
+If you want to know when an external identity was used first or last, you may want to add timestamp columns to the identities table:
+```rb
+create_table :account_identities do |t|
+  # ...
+  t.timestamps
+end
+```
+In that case, you'll need to make sure the column values are populated on create/update:
+```rb
+omniauth_identity_insert_hash { super().merge(created_at: Time.now) }
+omniauth_identity_update_hash { { updated_at: Time.now } }
+```
 ### Login
 After provider login, you can perform custom logic at the start of the callback request:
@@ -148,6 +169,31 @@ rodauth.omniauth_request_path(:google, action: "login") #=> "/auth/github?action
 omniauth_create_account? { omniauth_params["action"] != "login" }
 ```
+You can change the default error message for when existing account wasn't found in case automatic account creation is disabled:
+```rb
+omniauth_login_no_matching_account_error_flash "No existing account found"
+```
+### Multifactor authentication
+By default, OmniAuth login will count only as one factor. So, if the user has multifactor authentication enabled, they will be asked to authenticate with 2nd factor when required.
+If you're using OmniAuth login for SSO and want to rely on 2FA policies set on the external provider, you can have OmniAuth login count as two factors:
+```rb
+omniauth_two_factors? true
+```
+You can also make it conditional based on data from the external provider:
+```rb
+omniauth_two_factors? do
+  # only count as two factors if external account uses 2FA
+  omniauth_extra["raw_info"]["two_factor_authentication"]
+end
+```
 ### Identity data
 You can also store extra data on the external identities. For example, we could override the update hash to store `info`, `credentials`, and `extra` data from the auth hash into separate columns:
@@ -193,23 +239,37 @@ omniauth_identities_provider_column :provider
 omniauth_identities_uid_column :uid
 ```
-## Base
+### Audit logging
-The `omniauth` feature builds on top of the `omniauth_base` feature, which sets up OmniAuth and routes its requests, but has no interaction with the database. So, if you would prefer to handle external logins differently, you can load just the `omniauth_base` feature, and implement your own callback phase.
+If you're using the [audit_logging] feature, it can be useful to include the external provider name in the `login` audit logs:
 ```rb
-plugin :rodauth do
-  enable :omniauth_base
+enable :audit_logging
-  omniauth_provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"], scope: "user"
-  omniauth_provider :apple, ENV["APPLE_CLIENT_ID"], ENV["APPLE_CLIENT_SECRET"], scope: "email name"
+audit_log_metadata_for :login do
+  { "provider" => omniauth_provider } if authenticated_by.include?("omniauth")
 end
+```
+## Base
-route do |r|
-  r.rodauth # routes Rodauth and OmniAuth requests
+The `omniauth` feature builds on top of the `omniauth_base` feature, which sets up OmniAuth and routes its requests, but has no interaction with the database. So, if you would prefer to handle external logins differently, you can load just the `omniauth_base` feature, and implement your own callback phase.
+```rb
+# in your Rodauth configuration
+enable :omniauth_base
-  r.get "auth", String, "callback" do
-    # ... handle callback request ...
+omniauth_provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"], scope: "user"
+omniauth_provider :apple, ENV["APPLE_CLIENT_ID"], ENV["APPLE_CLIENT_SECRET"], scope: "email name"
+```
+```rb
+# in your routes
+get "/auth/:provider/callback", to: "rodauth#omniauth_login"
+```
+```rb
+class RodauthController < ApplicationController
+  def omniauth_login
+    # ...
   end
 end
 ```
@@ -307,10 +367,6 @@ omniauth_on_failure do
 end
 ```
-#### CSRF protection
-The default request validation phase uses Rodauth's configured CSRF protection, so there is no need for external gems such as `omniauth-rails_csrf_protection`.
 ### Inheritance
 The registered providers are inherited between Rodauth auth classes, so you can have fine-grained configuration for different account types.
@@ -322,15 +378,13 @@ class RodauthBase < Rodauth::Auth
     omniauth_provider :google_oauth2, ...
   end
 end
-```
-```rb
 class RodauthMain < RodauthBase
   configure do
     omniauth_provider :facebook, ...
   end
 end
-```
-```rb
 class RodauthAdmin < RodauthBase
   configure do
     omniauth_provider :twitter, ...
@@ -339,12 +393,6 @@ class RodauthAdmin < RodauthBase
 end
 ```
 ```rb
-class RodauthApp < Roda
-  plugin :rodauth, auth_class: RodauthMain
-  plugin :rodauth, auth_class: RodauthAdmin, name: :admin
-end
-```
-```rb
 rodauth.omniauth_providers #=> [:google_oauth2, :facebook]
 rodauth(:admin).omniauth_providers #=> [:google_oauth2, :twitter, :github]
 ```
@@ -379,6 +427,9 @@ Content-Type: application/json
 { "success": "You have been logged in" }
 ```
+> [!NOTE]
+> Unless you're using JWT, make sure you're persisting cookies across requests, as most OmniAuth strategies rely on session storage.
 If there was an OmniAuth failure, the error type will be included in the response:
 ```http
@@ -432,3 +483,4 @@ Everyone interacting in the rodauth-omniauth project's codebases, issue trackers
 [rodauth-model]: https://github.com/janko/rodauth-model
 [rodauth-rails]: https://github.com/janko/rodauth-rails
 [omniauth-oauth2]: https://github.com/omniauth/omniauth-oauth2
+[audit_logging]: https://rodauth.jeremyevans.net/rdoc/files/doc/audit_logging_rdoc.html

data/lib/rodauth/features/omniauth.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module Rodauth
     auth_value_method :omniauth_identities_account_id_column, :account_id
     auth_value_method :omniauth_identities_provider_column, :provider
     auth_value_method :omniauth_identities_uid_column, :uid
+    auth_value_method :omniauth_two_factors?, false
     auth_value_methods(
       :omniauth_verify_account?,
@@ -97,7 +98,9 @@ module Rodauth
         end
       end
-      login("omniauth")
+      login("omniauth") do
+        two_factor_update_session("omniauth-two") if omniauth_second_factor?
+      end
     end
     def retrieve_omniauth_identity
@@ -126,7 +129,7 @@ module Rodauth
     def possible_authentication_methods
       methods = super
-      methods << "omniauth" unless methods.include?("password") || omniauth_account_identities_ds.empty?
+      methods << "omniauth" unless methods.include?("password") || (features.include?(:email_auth) && allow_email_auth?) || omniauth_account_identities_ds.empty?
       methods
     end
@@ -142,12 +145,12 @@ module Rodauth
       remove_omniauth_identities
     end
-    def allow_email_auth?
-      (defined?(super) ? super : true) && omniauth_account_identities_ds.empty?
-    end
     attr_reader :omniauth_identity
+    def omniauth_second_factor?
+      features.include?(:two_factor_base) && uses_two_factor_authentication? && omniauth_two_factors?
+    end
     def omniauth_verify_account?
       features.include?(:verify_account) && account[login_column] == omniauth_email
     end
@@ -209,7 +212,7 @@ module Rodauth
     end
     def _account_from_omniauth_identity
-      account_ds(omniauth_identity_account_id).first
+      _account_from_id(omniauth_identity_account_id)
     end
     def omniauth_identity_id

data/rodauth-omniauth.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "rodauth-omniauth"
-  spec.version       = "0.5.0"
+  spec.version       = "0.6.0"
   spec.authors       = ["Janko Marohnić"]
   spec.email         = ["janko@hey.com"]
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*", "locales/**/*"]
   spec.require_paths = ["lib"]
-  spec.add_dependency "rodauth", "~> 2.13"
+  spec.add_dependency "rodauth", "~> 2.36"
   spec.add_dependency "omniauth", "~> 2.0"
   spec.add_development_dependency "minitest"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-omniauth
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-10 00:00:00.000000000 Z
+date: 2024-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.13'
+        version: '2.36'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.13'
+        version: '2.36'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -212,7 +212,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: Rodauth extension for logging in and creating account via OmniAuth authentication.