rodauth-omniauth 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dad995353c13952f65bb35c561c82d755f2319318ac2409adc948b4b95fd6171
-  data.tar.gz: 30bdc64ac42ad66ff6003e5d95ffd5123ce9564661157ffb25f0f496e2772a3e
+  metadata.gz: c91c4429c36390bbede1d97214cdb6a40c5a6f5d9255c379f3b17d026cee88c9
+  data.tar.gz: 8e09d6d3c5d4d9eb0022dd5696e1370fc82c22bd068ec5b883212f2117ae3c47
 SHA512:
-  metadata.gz: '099007ffbf1e055d03625fbe9d90d3b032c27a83803a900e8f3b859dc2b8f350cc10fca07e92668dd49543c1e612a01bc4b0ba582066b633ef147883715a27fa'
-  data.tar.gz: 699b0e8890e5b117c69bf6b7a6aa89e140aebea976ec56455feaee688ef260e7dc71bb9cbc7bc05397ffef6a40f6c4d1260ef5f7885958e6213e4adc7541e270
+  metadata.gz: 03e77668f1f2c2076f003ac455c1f57dcfd5b60f7096cc77e5fe0918bf6484814ab02304eb9286e5323c42c2115102b262edb55dc41174dc0574c9ae0e6c84cc
+  data.tar.gz: f90369c94f3d9baf82dda2490ff716e543cd6cd09a6c8b856b2ba41c0594bcce69a489755520e2aea898eaf6907611d31d53c7cbf2a5f3f0fff51a457511012d

data/README.md

@@ -10,6 +10,10 @@ Add the gem to your project:
 $ bundle add rodauth-omniauth
 ```
 
+> [!NOTE]
+> Rodauth's CSRF protection will be used for the request validation phase, so there is no need for gems like `omniauth-rails_csrf_protection`.
+
+
 ## Usage
 
 You'll first need to create the table for storing external identities:
@@ -46,17 +50,16 @@ Then enable the `omniauth` feature and register providers in your Rodauth config
 $ bundle add omniauth-facebook omniauth-twitter, omniauth-google-oauth2
 ```
 ```rb
-plugin :rodauth do
-  enable :omniauth
+# in your Rodauth configuration
+enable :omniauth
 
-  omniauth_provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], scope: "email"
-  omniauth_provider :twitter, ENV["TWITTER_API_KEY"], ENV["TWITTER_API_SECRET"]
-  omniauth_provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], name: :google
-end
+omniauth_provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], scope: "email"
+omniauth_provider :twitter, ENV["TWITTER_API_KEY"], ENV["TWITTER_API_SECRET"]
+omniauth_provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], name: :google
 ```
 
-> [!NOTE]
-> It is important to note that `rodauth-omniauth` requires OmniAuth 2.x, so it's only compatible with providers gems that support it.
+> [!WARNING]
+> The `rodauth-omniauth` gem requires OmniAuth 2.x, so it's only compatible with providers gems that support it.
 
 You can now add authentication links to your login form:
 
@@ -90,7 +93,16 @@ Currently, provider login is required to return the user's email address, and ac
 
 ### Timestamps
 
-If you'll be adding created/updated timestamps to the identities table, also add these lines to your Rodauth configuration:
+If you want to know when an external identity was used first or last, you may want to add timestamp columns to the identities table:
+
+```rb
+create_table :account_identities do |t|
+  # ...
+  t.timestamps
+end
+```
+
+In that case, you'll need to make sure the column values are populated on create/update:
 
 ```rb
 omniauth_identity_insert_hash { super().merge(created_at: Time.now) }
@@ -163,6 +175,25 @@ You can change the default error message for when existing account wasn't found
 omniauth_login_no_matching_account_error_flash "No existing account found"
 ```
 
+### Multifactor authentication
+
+By default, OmniAuth login will count only as one factor. So, if the user has multifactor authentication enabled, they will be asked to authenticate with 2nd factor when required.
+
+If you're using OmniAuth login for SSO and want to rely on 2FA policies set on the external provider, you can have OmniAuth login count as two factors:
+
+```rb
+omniauth_two_factors? true
+```
+
+You can also make it conditional based on data from the external provider:
+
+```rb
+omniauth_two_factors? do
+  # only count as two factors if external account uses 2FA
+  omniauth_extra["raw_info"]["two_factor_authentication"]
+end
+```
+
 ### Identity data
 
 You can also store extra data on the external identities. For example, we could override the update hash to store `info`, `credentials`, and `extra` data from the auth hash into separate columns:
@@ -210,9 +241,11 @@ omniauth_identities_uid_column :uid
 
 ### Audit logging
 
-If you're using the `audit_logging` feature, it can be useful to include the external provider name in the `login` audit logs:
+If you're using the [audit_logging] feature, it can be useful to include the external provider name in the `login` audit logs:
 
 ```rb
+enable :audit_logging
+
 audit_log_metadata_for :login do
   { "provider" => omniauth_provider } if authenticated_by.include?("omniauth")
 end
@@ -223,18 +256,20 @@ end
 The `omniauth` feature builds on top of the `omniauth_base` feature, which sets up OmniAuth and routes its requests, but has no interaction with the database. So, if you would prefer to handle external logins differently, you can load just the `omniauth_base` feature, and implement your own callback phase.
 
 ```rb
-plugin :rodauth do
-  enable :omniauth_base
-
-  omniauth_provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"], scope: "user"
-  omniauth_provider :apple, ENV["APPLE_CLIENT_ID"], ENV["APPLE_CLIENT_SECRET"], scope: "email name"
-end
+# in your Rodauth configuration
+enable :omniauth_base
 
-route do |r|
-  r.rodauth # routes Rodauth and OmniAuth requests
-
-  r.get "auth", String, "callback" do
-    # ... handle callback request ...
+omniauth_provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"], scope: "user"
+omniauth_provider :apple, ENV["APPLE_CLIENT_ID"], ENV["APPLE_CLIENT_SECRET"], scope: "email name"
+```
+```rb
+# in your routes
+get "/auth/:provider/callback", to: "rodauth#omniauth_login"
+```
+```rb
+class RodauthController < ApplicationController
+  def omniauth_login
+    # ...
   end
 end
 ```
@@ -332,10 +367,6 @@ omniauth_on_failure do
 end
 ```
 
-#### CSRF protection
-
-The default request validation phase uses Rodauth's configured CSRF protection, so there is no need for external gems such as `omniauth-rails_csrf_protection`.
-
 ### Inheritance
 
 The registered providers are inherited between Rodauth auth classes, so you can have fine-grained configuration for different account types.
@@ -347,15 +378,13 @@ class RodauthBase < Rodauth::Auth
     omniauth_provider :google_oauth2, ...
   end
 end
-```
-```rb
+
 class RodauthMain < RodauthBase
   configure do
     omniauth_provider :facebook, ...
   end
 end
-```
-```rb
+
 class RodauthAdmin < RodauthBase
   configure do
     omniauth_provider :twitter, ...
@@ -364,12 +393,6 @@ class RodauthAdmin < RodauthBase
 end
 ```
 ```rb
-class RodauthApp < Roda
-  plugin :rodauth, auth_class: RodauthMain
-  plugin :rodauth, auth_class: RodauthAdmin, name: :admin
-end
-```
-```rb
 rodauth.omniauth_providers #=> [:google_oauth2, :facebook]
 rodauth(:admin).omniauth_providers #=> [:google_oauth2, :twitter, :github]
 ```
@@ -404,6 +427,9 @@ Content-Type: application/json
 { "success": "You have been logged in" }
 ```
 
+> [!NOTE]
+> Unless you're using JWT, make sure you're persisting cookies across requests, as most OmniAuth strategies rely on session storage.
+
 If there was an OmniAuth failure, the error type will be included in the response:
 
 ```http
@@ -457,3 +483,4 @@ Everyone interacting in the rodauth-omniauth project's codebases, issue trackers
 [rodauth-model]: https://github.com/janko/rodauth-model
 [rodauth-rails]: https://github.com/janko/rodauth-rails
 [omniauth-oauth2]: https://github.com/omniauth/omniauth-oauth2
+[audit_logging]: https://rodauth.jeremyevans.net/rdoc/files/doc/audit_logging_rdoc.html

data/lib/rodauth/features/omniauth.rb

@@ -20,6 +20,7 @@ module Rodauth
     auth_value_method :omniauth_identities_account_id_column, :account_id
     auth_value_method :omniauth_identities_provider_column, :provider
     auth_value_method :omniauth_identities_uid_column, :uid
+    auth_value_method :omniauth_two_factors?, false
 
     auth_value_methods(
       :omniauth_verify_account?,
@@ -97,7 +98,9 @@ module Rodauth
         end
       end
 
-      login("omniauth")
+      login("omniauth") do
+        two_factor_update_session("omniauth-two") if omniauth_second_factor?
+      end
     end
 
     def retrieve_omniauth_identity
@@ -144,6 +147,10 @@ module Rodauth
 
     attr_reader :omniauth_identity
 
+    def omniauth_second_factor?
+      features.include?(:two_factor_base) && uses_two_factor_authentication? && omniauth_two_factors?
+    end
+
     def omniauth_verify_account?
       features.include?(:verify_account) && account[login_column] == omniauth_email
     end
@@ -205,7 +212,7 @@ module Rodauth
     end
 
     def _account_from_omniauth_identity
-      account_ds(omniauth_identity_account_id).first
+      _account_from_id(omniauth_identity_account_id)
     end
 
     def omniauth_identity_id

data/rodauth-omniauth.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "rodauth-omniauth"
-  spec.version       = "0.5.1"
+  spec.version       = "0.6.0"
   spec.authors       = ["Janko Marohnić"]
   spec.email         = ["janko@hey.com"]
 
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*", "locales/**/*"]
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "rodauth", "~> 2.13"
+  spec.add_dependency "rodauth", "~> 2.36"
   spec.add_dependency "omniauth", "~> 2.0"
 
   spec.add_development_dependency "minitest"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-omniauth
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-12 00:00:00.000000000 Z
+date: 2024-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.13'
+        version: '2.36'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.13'
+        version: '2.36'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -212,7 +212,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: Rodauth extension for logging in and creating account via OmniAuth authentication.