signet-rails 0.0.8 → 0.0.9

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a1ad0e819bbfeceb6ab6795c49ca30d37ee15986
+  data.tar.gz: 9713281a98476b5ed795506df87b93a0686881dd
+SHA512:
+  metadata.gz: 9f5205dcfea2bdf5411d46f371672ce810e81b04406c3e24a5477016332260a782420080ba4443f70a0ef67d5c6192dcf145429c8302132b21e1bfb523eeebd9
+  data.tar.gz: 1f078768bc115957fa5410657cfe579e174ab5d96ce03e15f1bf3267ca8f69401fb8467b182f5b5ae14baec7df8f2862db403c90f349d218f24c18c4b07d9e38

data/.gitignore

@@ -15,3 +15,5 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+tags
+bin

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.rubocop.yml

@@ -0,0 +1,5 @@
+LineLength:
+  Max: 120
+
+Documentation:
+  Enabled: false

data/lib/signet/rails/builder.rb

@@ -3,136 +3,195 @@ require 'active_support/core_ext/string'
 
 module Signet
   module Rails
+
+    # The overall structure:
+    #
+    # Builder - used to create OAuth2 providers. These providers are Rack middleware
+    # and instances of Handler. A Builder can create multiple providers. See initialize
+    # def below
+    #
+    # Handler - Rack middleware that represents and instance of an OAuth2 provider
+    #
+    # Factory - a dumb factory that takes an env and returns an instance of 
+    # a named Signet::OAuth2::Client
     class Builder < ::Rack::Builder
-      @@default_options = {}
 
-      def self.set_default_options opts = {}
-	# normalize to symbol hash
-	n_opts = opts.inject({}) { |memo,(k,v)| memo[k.to_sym] = v; memo }
-	@@default_options = n_opts
+      class << self
+        attr_accessor :default_options 
       end
 
-      def initialize(app, &block)
-	super
+      # User can set default_options for all providers via this static accessor 
+      #
+      # TODO not very pretty.... can we refactor?
+      Builder.default_options = {}
+
+      # Options accepted by this Builder
+      #
+      # TODO obviously we can find a better way of packaging defaults e.g. Google setup
+      OPTIONS = {
+        # What returned OAuth2 values are persisted?
+        #
+        # Google config is the default. See:
+        #
+        # https://developers.google.com/accounts/docs/OAuth2WebServer#handlingtheresponse
+        #
+        # specifically, the section that deals with the 'shape' of the response to a request
+        # for an access token
+        persist_attrs: [:refresh_token, :access_token, :expires_in],
+
+        # What is the name of this provider? It will be used in the auth and auth_callback urls:
+        #
+        # /signet/google/auth - to authorise a user
+        # /signet/google/auth_callback - to handle the response from the OAuth2 provider
+        name: :google,
+
+        # What type is this provider? Is it a login-based OAuth2 adapter? If so, the callback 
+        # will be used to identify a user and create one if necessary, specifically the uid
+        # in the response will be used as a secondary key in the user table 
+        #
+        # Options: 
+        #       :login - as described above
+        #       :webserver - the expectation will be that 
+        type: :webserver,
+
+        # TODO need to define this better
+        storage_attr: :signet,
+
+        # TODO: see https://developers.google.com/accounts/docs/OAuth2Login#authenticationuriparameters
+        approval_prompt: 'auto',
+        authorization_uri: 'https://accounts.google.com/o/oauth2/auth',
+        token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
+
+        # whether we handle the persistence of the auth callback or simply pass-through
+        handle_auth_callback: true,
+
+        # These need to be set either as default_options or per provider
+        client_id: nil,
+        client_secret: nil,
+
+        # redirect_uri can be set otherwise it will default based on the Rack env
+        redirect_uri: nil,
+
+        # A method which takes a Rack env and a Signet::OAuth2::Client (minus
+        # credentials) and returns a persistence wrapped object TODO finish
+        extract_credentials_from_env: nil,
+
+        # TODO
+        extract_credentials_from_env_by_oauth_id: nil,
+
+        # What connection object to use (Signet::OAuth2::Client will default to a Faraday default if 
+        # this is not set)
+        connection: nil,
+      }
+
+      def self.set_default_options(opts = {})
+        Builder.default_options = opts.symbolize_keys
       end
 
-      def provider(opts = {}, &block)
-	# normalize to symbol hash
-	n_opts = opts.inject({}) { |memo,(k,v)| memo[k.to_sym] = v; memo }
-
-	# use the default_options as a base... then merge these changes on top
-	combined_options = @@default_options.merge(n_opts)
-
-	# now set some defaults if they aren't already set
-	
-	combined_options[:persist_attrs] ||= [:refresh_token, :access_token, :expires_in, :issued_at]
-	combined_options[:name] ||= :google
-
-	# is this a login-based OAuth2 adapter? If so, the callback will be used to identify a
-	# user and create one if necessary
-	# Options: :login, :webserver
-	combined_options[:type] ||= :webserver
-
-	# name of hash-behaving attribute on our wrapper that contains credentials
-	# keyed by :name
-	# {
-        #   "google": {
-        #     "uid": "012345676789abcde",
-        #     "refresh_token": "my_first_refresh_token",
-        #     "access_token": "my_first_access_token",
-        #     "expires_in": 123
-        #   }
-        # }
-	combined_options[:storage_attr] ||= :signet
-
-	# TODO: see https://developers.google.com/accounts/docs/OAuth2Login#authenticationuriparameters
-	combined_options[:approval_prompt] ||= 'auto'
-
-	# unless specified, we need to set this at request-time because we need the env to get server etc
-	# combined_options[:redirect_uri] = ??? need env 
-	
-	# TODO: better way of sourcing these defaults... from signet?
-	combined_options[:authorization_uri] ||= 'https://accounts.google.com/o/oauth2/auth'
-	combined_options[:token_credential_uri] ||= 'https://accounts.google.com/o/oauth2/token'
-
-	# whether we handle the persistence of the auth callback or simply pass-through
-	combined_options[:handle_auth_callback] ||= true
-
-	# The following lambda will be used when creating a new client in a factory
-	# to get the persistence object 
-	combined_options[:extract_from_env] ||= lambda do |env, client|
-	  oac = nil
-	  session = env['rack.session']
-	  if !!session && !!session[:user_id]
-	    begin
-	      u = User.find(session[:user_id])
-	      oac = u.o_auth2_credentials.where(name: combined_options[:name]).first
-	    rescue ActiveRecord::RecordNotFound => e
-	    end
-	  end
-	  oac
-	end
-
-	# The following lambda will be used when handling the callback from the oauth server
-	# In this flow we might not yet have established a session... need to handle two
-	# flows, one for login, one not
-	# when on a login auth_callback, how do we get the persistence object from the JWT?
-	combined_options[:extract_by_oauth_id] ||= lambda do |env, client, id|
-	  oac = nil
-	  begin
-	    u = nil
-	    if combined_options[:type] == :login
-	      u = User.first_or_initialize(uid: combined_options[:name].to_s + "_" + id)
-	      u.save
-	    else
-	      session = env['rack.session']
-	      if !!session && !!session[:user_id]
-		begin
-		  u = User.find(session[:user_id])
-		rescue ActiveRecord::RecordNotFound => e
-		end
-	      else
-		raise "Expected to be able to find user in session"
-	      end
-	    end
-
-	    oac = u.o_auth2_credentials.first_or_initialize(name: combined_options[:name])
-
-	  rescue ActiveRecord::RecordNotFound => e
-	  end
-
-	  oac
-	end
-
-	combined_options[:persistence_wrapper] ||= :active_record
-
-	# define a lambda that returns a lambda that wraps our OAC lambda return object
-	# in a persistance object
-	persistence_wrapper = lambda do |meth|
-	  lambda do |env, client, *args|
-	    y = meth.call env, client, *args
-	    klass_str = combined_options[:persistence_wrapper].to_s
-	    require "signet/rails/wrappers/#{klass_str}"
-	    w = "Signet::Rails::Wrappers::#{klass_str.camelize}".constantize.new y, client
-	  end
-	end
-
-	combined_options[:extract_by_oauth_id] = persistence_wrapper.call combined_options[:extract_by_oauth_id]
-	combined_options[:extract_from_env] = persistence_wrapper.call combined_options[:extract_from_env]
-
-	# TODO: check here we have the basics?
-	
-	# TODO: better auth_options split?
-	auth_option_keys = [:prompt, :redirect_uri, :access_type, :approval_prompt, :client_id]
-	base_options = combined_options
-	auth_options = base_options.select { |k,v| auth_option_keys.include? k }
-
-	use Signet::Rails::Handler, base_options, auth_options, &block
+      # Standard ::Rack::Builder initialize
+      # 
+      # It is expected that after creating an instance of Signet::Rails::Builder one will call
+      # provider at least one in order to add an instance of the Handler Rack middleware to the
+      # Rack. e.g.
+      #
+      # class FakeApp < Sinatra::Base
+      #   get "/" do
+      #     "Hello"
+      #   end
+      # end
+      #
+      # Signet::Rails::Builder.new FakeApp.new do
+      #   provider name: :google...
+      # end
+      def initialize(app, &block)
+        super
       end
 
+      # Called when constructing the Rack stack
       def call(env)
-	to_app.call(env)
+        to_app.call(env)
       end
+
+      # add an OAuth2 Handler to the initialize'ed app, defined by options
+      def provider(opts = {}, &block)
+        combined_options = OPTIONS.merge \
+          Builder.default_options.merge \
+          opts.symbolize_keys
+
+        provider_name = combined_options[:name]
+
+        # the following defaults depend on other defaults... hence are initialised here
+        # If customising either, clearly a similar effect can be achieved in the calling
+        # code or by passing in a &block which get invoked in Rack space (see the use call
+        # below)
+
+        # minor efficiency gain... only load the ActiveRecord persistance wrapper if the 
+        # user hasn't set either extract_credentials_from_env or extract_credentials_from_env_by_oauth_id
+
+        unless combined_options[:extract_credentials_from_env] and combined_options[:extract_credentials_from_env_by_oauth_id]
+          require 'active_record'
+          require 'signet/rails/wrappers/active_record' 
+        end
+
+        # TODO document
+        # Deliberately left verbose to give an example (although the code that follows
+        # could hardly be desribed as example) of what's required
+        combined_options[:extract_credentials_from_env] ||= lambda do |env, client|
+          oac = nil
+          session = env['rack.session']
+          if !!session && !!session[:user_id]
+            begin
+              u = ::User.find(session[:user_id])
+              oac = u.o_auth2_credentials.where(name: combined_options[:name]).first
+            rescue ::ActiveRecord::RecordNotFound => e
+            end
+          end
+          Signet::Rails::Wrappers::ActiveRecord.new oac, client
+        end
+
+        combined_options[:extract_credentials_from_env_by_oauth_id] ||= lambda do |env, client, id|
+          oac = nil
+          begin
+            u = nil
+            if combined_options[:type] == :login
+              u = ::User.where(uid: combined_options[:name].to_s + "_" + id).first_or_create
+            else
+              session = env['rack.session']
+              if !!session && !!session[:user_id]
+                begin
+                  u = ::User.find(session[:user_id])
+                rescue ::ActiveRecord::RecordNotFound => e
+                end
+              else
+                raise "Expected to be able to find user in session"
+              end
+            end
+
+            oac = u.o_auth2_credentials.where(name: combined_options[:name]).first_or_initialize
+
+          rescue ::ActiveRecord::RecordNotFound => e
+            # TODO 
+          end
+
+          Signet::Rails::Wrappers::ActiveRecord.new oac, client
+        end
+
+        # TODO: check here we have the basics?
+
+        # TODO: better auth_options split?
+        auth_option_keys = [:prompt, :redirect_uri, :approval_prompt, :client_id]
+        auth_options = combined_options.slice(*auth_option_keys)
+
+        # verify we have certain required values
+        if combined_options[:type] == :login
+          raise ArgumentError, 'Client id is required for a type: :login provider' unless auth_options[:client_id] and auth_options[:client_id].is_a? String 
+          raise ArgumentError, 'Scope is required' unless combined_options[:scope] 
+          # TODO error handling for scope: must be a string or array of strings
+        end
+
+        use Signet::Rails::Handler, combined_options, auth_options, &block
+      end
+
     end
   end
 end

data/lib/signet/rails/factory.rb

@@ -1,32 +1,63 @@
-require 'signet/oauth_2'
+require 'signet/oauth_2/client'
 
 module Signet
   module Rails
 
+    # Factory for creating instances of the Signet::OAuth2::Client or extracting 
+    # them from an existing env
+    #
+    # There are two use cases:
+    #
+    # 1. This is called from within the user app (e.g. Rails) - in this case we 
+    # extract an existing instance from the env provided by the Handler Rack 
+    # middleware. We then load the persisted token information (if there is any)
+    # and set that on the client. The client is then returned.
+    #
+    #   name: the provider name
+    #   env: the env available to the caller e.g. request.env in rails
+    #   options: left blank
+    #
+    # 2. This is called from within the Handler Rack Middleware (as described above)
+    # In this case, we have have to construct the client instance from the Handler
+    # options (previously configured)
+    #
+    #   name: the provider name
+    #   env: the env available to the caller e.g. request.env in rails, the env
+    #        from the previous Rack middleware in the case of a Handler
+    #   options: load_token: false
+    #
+    # In either case, we can rely on env["signet.<HANDLER_NAME>"] being set at the 
+    # point of calling
     class Factory
-      def self.create_from_env name, env, opt_hsh = {load_token: true}
+
+      def self.create_from_env(name, env, options = { load_token: true })
+        # TODO: checking of env not pretty...thread safe? best approach? 
         
-        # TODO: not pretty...thread safe? best approach? Other uses below
-        handler = env["signet.#{name.to_s}"]
-	instance = env["signet.#{name.to_s}.instance"]
-	
-        #client = instance.obj
-        client = instance
+        # If there is already an instance in this env, return it
+        env["signet.#{name}.instance"] ||
+        # else create one from the handler
+        create_client_from_handler(env["signet.#{name}"], name, env, options)
+      end
 
-        return client if !!client
+      private
 
-	if handler.nil? 
-	  raise ArgumentError, "Unable to find signet handler named #{name.to_s}"
-	end
+      def self.create_client_from_handler(handler, name, env, options)
+        # There should be a handler set at this stage... big problems otherwise
+        raise ArgumentError, "Unable to find signet handler named #{name}" unless handler
 
         client = Signet::OAuth2::Client.new handler.options
 
-        if opt_hsh[:load_token]
-          obj = handler.options[:extract_from_env].call env, client
+        # at this point we have satisfied use case 2
+
+        # here is use case 1; the client we have created thus far is blank as far
+        # as access/refresh tokens are concerned. If we are calling from a user app
+        # then we want that loaded (for the current user)
+        if options[:load_token]
+          obj = handler.options[:extract_credentials_from_env].call env, client
           handler.load_token_state obj, client
 
-          #instance.obj = obj
-	  env["signet.#{name.to_s}.instance"] = obj
+          # store the created instance in the env for future use/persistance 
+          env["signet.#{name}.instance"] = obj
         end
 
         client

data/lib/signet/rails/handler.rb

@@ -4,122 +4,182 @@ require 'rack/utils'
 
 module Signet
   module Rails
-    class Handler
+
+    class Handler # this is the Rack middleware - it responds to call(env)
+
+      # we are initialized here with the app that is above us in the stack
+      # i.e. where we relay the request (unless handled)
       def initialize(app, opts = {}, auth_opts = {}, &block)
-	@app = app
-	@options = opts
-	@auth_options = auth_opts
+        @app = app
+        @options = opts
+        @auth_options = auth_opts
       end
 
-      def options
-	# TODO: this is because signet doesn't dup what we pass in....
-	@options.dup
+      # The Rack entry point. This method gets called from the Rack middleware below us 
+      # in the stack. If we need to handle the request we respond else we pass the request
+      # up the stack and then persist the oauth tokens 
+      def call(env)
+
+        # Make this Handler available to the env
+        # TODO rework this to use singleton?
+        env["signet.#{options[:name]}"] = self
+
+        status, headers, body = nil, nil, nil
+
+        # TODO: better way than a gross if elsif block?
+        #
+        # There are two requests which we do something with:
+        #
+        # 1. on_auth_path? - a request to auth against a particular
+        # provider. We respond to this by redirecting to the provider's
+        # authorization_uri, translating appropriate options
+        # 
+        # 2. on_auth_callback_path? - the callback from the provider's
+        # authorization_uri (ultimately) which will have an authorisation
+        # code. We respond to this by extracting the code, getting an 
+        # access token (and response token), persisting said tokens then
+        # forwarding the request to the next Rack app up the stack. When
+        # the Rack app above us responds we parse the env to extract 
+        # the potentially modified TODO finish
+        if on_auth_path?(env)
+          status, headers, body = create_auth_redirect_response env
+        else
+          if on_auth_callback_path?(env)
+            process_auth_callback env
+          end
+
+          status, headers, body = @app.call(env)
+
+          # did we create an instance during the process of @app.call?
+          # if so persist
+          instance = env["signet.#{options[:name]}.instance"]
+          if instance
+            save_token_state instance, instance.client
+            instance.persist
+          end
+        end
+
+        # notice here that only on_auth_path?(env) will ensure we respond
+        # otherwise status will be nil
+        [status, headers, body]
       end
 
-      def auth_options env
-	# TODO: this is because signet doesn't dup what we pass in....
-	ret = @auth_options.dup
-	unless ret.include? :redirect_uri
-	  req = Rack::Request.new env
-	  scheme = req.ssl? ? 'https' : 'http'
-	  ret[:redirect_uri] = "#{scheme}://#{req.host_with_port}/signet/#{options[:name]}/auth_callback"
-	end
-	ret
+
+      # Take a persistence wrapper object and a Signet::OAuth2Client
+      # and transfer the :persist_attrs to the persistence wrapper
+      def save_token_state wrapper, client
+        if not wrapper.credentials.respond_to?(options[:storage_attr])
+          raise "Persistence object does not support the storage attribute #{options[:storage_attr]}"
+        end
+
+        if (store_hash = wrapper.credentials.method(options[:storage_attr]).call).nil?
+          store_hash = wrapper.credentials.method("#{options[:storage_attr]}=").call({})
+        end
+
+        # not nice... the wrapper.credentials.changed? will only be triggered if we clone the hash
+        # Is this a bug? https://github.com/rails/rails/issues/11968
+        # TODO: check if there is a better solution
+        store_hash = store_hash.clone
+
+        for i in options[:persist_attrs]
+          if client.respond_to?(i)
+            # only transfer the value if it is non-nil
+            store_hash[i.to_s] = client.method(i).call unless client.method(i).call.nil?
+          end
+        end
+
+        wrapper.credentials.method("#{options[:storage_attr]}=").call(store_hash)
       end
 
-      def handle(env)
-
-	# set these to 'handle' the request
-	status = headers = body = nil
-
-	# TODO: better way than a gross if elsif block?
-	if "/signet/#{options[:name]}/auth" == env['PATH_INFO'] && 'GET' == env['REQUEST_METHOD']
-
-	  # we are looking to auth... so nothing to load
-	  client = Factory.create_from_env options[:name], env, load_token: false
-
-	  r = Rack::Response.new
-	  redirect_uri = client.authorization_uri(auth_options(env)).to_s
-	  r.redirect(redirect_uri)
-	  status, headers, body = r.finish
-	elsif "/signet/#{options[:name]}/auth_callback" == env['PATH_INFO'] && 'GET' == env['REQUEST_METHOD']
-	  client = Factory.create_from_env options[:name], env, load_token: false
-	  query_string_params = Rack::Utils.parse_query(env['QUERY_STRING'])
-	  client.code = query_string_params['code']
-	  client.redirect_uri = auth_options(env)[:redirect_uri]
-	  client.fetch_access_token! 
-
-	  if options[:handle_auth_callback]
-	    obj = options[:extract_by_oauth_id].call env, client, client.decoded_id_token['sub']
-	    persist_token_state obj, client
-	    obj.persist
-	    env["signet.#{options[:name]}.persistence_obj"] = obj.obj
-	  else
-	    env["signet.#{options[:name]}.auth_client"] = client
-	  end
-	end
-
-	[status, headers, body]
+      # The inverse of save_token_state
+      def load_token_state wrapper, client
+        if not wrapper.credentials.respond_to?(options[:storage_attr])
+          raise "Persistence object does not support the storage attribute #{options[:storage_attr]}"
+        end
+
+        if not (store_hash = wrapper.credentials.method(options[:storage_attr]).call).nil?
+          for i in options[:persist_attrs]
+            if client.respond_to?(i.to_s+'=')
+              client.method(i.to_s+'=').call(store_hash[i.to_s])
+            end
+          end
+        end
       end
 
-      def persist_token_state wrapper, client
-	if not wrapper.obj.respond_to?(options[:storage_attr])
-	  raise "Persistence object does not support the storage attribute #{options[:storage_attr]}"
-	end
-
-	if (store_hash = wrapper.obj.method(options[:storage_attr]).call).nil?
-	  store_hash = wrapper.obj.method("#{options[:storage_attr]}=").call({})
-	end
-
-	# not nice... the wrapper.obj.changed? will only be triggered if we clone the hash
-	# Is this a bug? https://github.com/rails/rails/issues/11968
-	# TODO: check if there is a better solution
-	store_hash = store_hash.clone
-
-	for i in options[:persist_attrs]
-	  if client.respond_to?(i) 
-	    # only transfer the value if it is non-nil
-	    store_hash[i.to_s] = client.method(i).call unless client.method(i).call.nil?
-	  end
-	end
-
-	wrapper.obj.method("#{options[:storage_attr]}=").call(store_hash)
-	
+      # TODO the code separation here is not great. Refactoring so that 
+      # we don't have to publicly expose our options would be best
+      def options
+        # TODO: Signet does not dup the options that are passed to it...
+        # hence 'our' value would be corrupted were it not dup'ed here
+        @options.dup
       end
 
-      def load_token_state wrapper, client
-	if not wrapper.obj.respond_to?(options[:storage_attr])
-	  raise "Persistence object does not support the storage attribute #{options[:storage_attr]}"
-	end
-
-	if not (store_hash = wrapper.obj.method(options[:storage_attr]).call).nil?
-	  for i in options[:persist_attrs]
-	    if client.respond_to?(i.to_s+'=')
-	      client.method(i.to_s+'=').call(store_hash[i.to_s])
-	    end
-	  end
-	end
+      def auth_options(env)
+        # TODO: Signet does not dup the options that are passed to it...
+        # hence 'our' value would be corrupted were it not dup'ed here
+        ret = @auth_options.dup
+
+        # the redirect uri can't be set at config time (when we mount the
+        # Rack middleware) - it must be done at request time. TODO really?
+        # Build the redirect_uri from the env in which we are called
+        unless ret.include? :redirect_uri and not ret[:redirect_uri].nil?
+          req = Rack::Request.new env
+          scheme = req.ssl? ? 'https' : 'http'
+          ret[:redirect_uri] = "#{scheme}://#{req.host_with_port}/signet/#{options[:name]}/auth_callback"
+        end
+        ret
+      end
+      
+      private
+
+      def create_auth_redirect_response(env)
+        # we build the redirect uri from an OAuth2 client
+        # clearly we don't need token state loaded... indeed
+        # it probably doesn't exist for this user if we're being
+        # asked to auth
+        client = Factory.create_from_env(options[:name], env, load_token: false)
+
+        response = Rack::Response.new
+
+        # if it needs reiterating... we can't set the redirect uri 
+        # at config time because we don't have certain config
+        # available like server_name etc. This is available at request
+        # time (i.e. now)
+        redirect_uri = client.authorization_uri(auth_options(env)).to_s
+        response.redirect(redirect_uri)
+
+        # will return status, headers, body
+        response.finish
       end
 
-      def call(env)
-	# rework this to use singleton?
-	env["signet.#{options[:name]}"] = self
+      def process_auth_callback(env)
 
-	status, headers, body = handle(env)
+        client = Factory.create_from_env options[:name], env, load_token: false
+        query_string_params = Rack::Utils.parse_query(env['QUERY_STRING'])
+        client.code = query_string_params['code']
+        client.redirect_uri = auth_options(env)[:redirect_uri]
 
-	unless status
+        raise ArgumentError, 'Missing authorization code in auth_callback' unless client.code
 
-	  status, headers, body = @app.call(env)
+        # TODO is there a better way of passing in a connection for testing?
+        client.fetch_access_token!({connection: options[:connection]})
 
-	  instance = env["signet.#{options[:name]}.instance"] 
-	  if !!instance
-	    persist_token_state instance, instance.client
-	    instance.persist
-	  end
+        if options[:handle_auth_callback]
+          user_oauth_credentials = options[:extract_credentials_from_env_by_oauth_id].call env, client, client.decoded_id_token['sub']
+          save_token_state user_oauth_credentials, client
+          user_oauth_credentials.persist
+          env["signet.#{options[:name]}.persistence_obj"] = user_oauth_credentials.credentials
+        else
+          env["signet.#{options[:name]}.auth_client"] = client
+        end
+      end
 
-	end
+      def on_auth_path?(env)
+        "/signet/#{options[:name]}/auth" == env['PATH_INFO'] && 'GET' == env['REQUEST_METHOD']
+      end
 
-	[status, headers, body]
+      def on_auth_callback_path?(env)
+        "/signet/#{options[:name]}/auth_callback" == env['PATH_INFO'] && 'GET' == env['REQUEST_METHOD']
       end
     end
   end