simple_google_auth 0.0.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b07e9d444f3a69575224aae7742706c4e857fd6b
-  data.tar.gz: 03baf12262054337668111cd951ea4b8e259faa1
+  metadata.gz: 2c7a9d7423d02f4853b934ee51ee465b3e5211dc
+  data.tar.gz: 4d0e7eab5f74f770e44fd2b33036010d9eef7c89
 SHA512:
-  metadata.gz: 2fa8cf9287ed2bff1db2be4b8f347b65bc5ca6031f0b754758d886a8a9439c9ed0e6aa776d3c19f400982134a1b11d761ba97a2ec574386f0331b62125e6617f
-  data.tar.gz: e8f0d7c17256ec5ac1b7dca2a75adb48e9a4a767702044cc2b283ea11a58b9295abbb7d222b2510965b7adfd7af3a0eec2cdbdf4c5b4239d4f926e3c8e68075c
+  metadata.gz: 00ff54f0f86e9c386e2d8324549b138b8e94abeffc94c9e4959c339c244ca21a0b6005ff8b95369ed34db98ce257d353f191b981c3200cdaef66565e569d4382
+  data.tar.gz: 3eaf3489ed9eaebc0a42e2600314a7d870ed38c354e25f325c2cc97ea8141f00a664d237c6153df927d56da67dabf6dc312c0d7eea4386aa0788d094f750f413

data/README.md

@@ -13,42 +13,41 @@ such as OmniAuth's Google strategy.
 
 ## Installation
 
-Follow these five steps to integrate with your site.
+Follow these four steps to integrate with your site.
 
-Step 1: Make yourself a project at https://cloud.google.com/console, if you haven't already.
+Step 1: Make yourself a project at https://cloud.google.com/console, if you haven't already.  In that project, go to the "APIs & auth" tab, then the "Credentials" tab.  Create a new client ID of application type "Web application".  Set the Authorized Redirect URI to
+`https://yoursite.com/google-callback`.  You might want to put in `http://localhost:3000/google-callback` so you can test locally too.
 
-Step 2: In that project, go to the "APIs & auth" tab, then the "Credentials" tab.  Create a new client ID of application type "Web application".  Set the Authorized Redirect URI to
-`http://yoursite.com/google-callback`.  You might want to put in `http://localhost:3000/google-callback` so you can test locally too.
-
-Step 3: Add simple_google_auth to your Gemfile
+Step 2: Add simple_google_auth to your `Gemfile` and run `bundle`
 
     gem 'simple_google_auth'
 
-Step 4: In your application.rb, put down some code inside the Application class:
+Step 3: Add the following code to the bottom of your `config/application.rb` and tweak it with your site's values:
 
     SimpleGoogleAuth.configure do |config|
       config.client_id = "the client ID as supplied by Google in step 2"
       config.client_secret = "the client secret as supplied by Google in step 2"
       config.redirect_uri = "http://localhost:3000/google-callback"
       config.authenticate = lambda do |data|
-        data["email"] == "your.email@example.com"
+        data.email == "your.email@example.com" || data.email.ends_with?("@example.net")
       end
     end
 
-Step 5: In your application_controller.rb, add a before filter:
+Step 4: In your `application_controller.rb`, add a before action:
 
-    before_filter :redirect_if_not_google_authenticated
+    before_action :redirect_if_not_google_authenticated
 
-Done!  Any request to your site will now redirect off to Google for authentication.
-A route that captures requests coming in to /google-callback is automatically created and handled for you.
+Done!  Any request to your site will now redirect to Google for authentication.
+A route that captures requests to `/google-callback` on your site is automatically created and handled for you.
 
-If you log in with `your.email@example.com`, it'll let you in to the site and take you to the page you were initially trying to go to.
+If you log in with `your.email@example.com`, or any address in the `example.net` domain, it'll let you in to the site and take you to the page you were initially trying to go to.
 Otherwise it'll redirect to `/` (by default) with `params[:message]` set to the authentication error.
 
-## Setting up multiple environments
+## Setting up a production environment
 
 You might want to put a different configure block in your development.rb and production.rb, each specifying
-a different redirect URI.  Just pop them on the end of the file.
+a different redirect URI.  Just pop them on the end of the file.  You can also have different client IDs and
+secrets, or authentication criteria.
 
     # development.rb
     SimpleGoogleAuth.configure do |config|
@@ -62,23 +61,26 @@ a different redirect URI.  Just pop them on the end of the file.
 
 ## How do I tell who is logged in?
 
-Call `#google_auth_data` from your controller or view and you'll get the identification hash that Google sends back.
+Call `#google_auth_data` from your controller or view and you'll get the authentication data that Google sends back.
+
+    Welcome, <%= google_auth_data.email %>!
 
-    Welcome, <%= google_auth_data["email"] %>!
+SimpleGoogleAuth exposes the following data via methods: access_token, expires_in, token_type, refresh_token, id_token, iss, at_hash, email_verified, sub, azp, email, aud, iat, exp, hd.  You can also use `google_auth_data` as a hash and get any additional fields not listed here.
 
-Take a look at https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo to find out more about the fields in the hash.
+Take a look at [the Google OAuth documentation](https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo)
+to see more information about what these fields mean.
 
 ## Refreshing tokens and offline mode
 
-By default simple_google_auth doesn't check the expiry time
-on the credentials after they've been loaded from google the first time.
+By default SimpleGoogleAuth doesn't check the expiry time
+on the credentials after they've been loaded from Google the first time.
 This is less hassle if all you want is simple authentication for your site,
 but prevents you from using the credentials for other uses (eg. GCal integration)
-because the oauth tokens will expire and google won't accept them anymore.
+because the oauth tokens will expire and Google won't accept them anymore.
 
 If you want the tokens to be refreshed when they expire then you need to
 add an extra line to your config. Doing so will ensure that your
-google auth tokens never get stale and allow you to use offline mode.
+Google auth tokens never get stale and allow you to use offline mode.
 
     SimpleGoogleAuth.configure do |config|
       config.refresh_stale_tokens = true
@@ -89,17 +91,17 @@ be checked to make sure it's not stale. If it is stale the tokens will be
 refreshed before being returned.
 
 If your users have already allowed your site access to a certain set of scopes
-google won't re-issue you a refresh_token automatically. You'll need to set an
-extra param in the request_parameters configuration hash to force google to
+Google won't re-issue you a refresh_token automatically. You'll need to set an
+extra param in the request_parameters configuration hash to force Google to
 send you the refresh token every time your users authenticate.
 
     SimpleGoogleAuth.configure do |config|
       config.refresh_stale_tokens = true
-      config.request_parameters.merge!({ approval_prompt: "force" })
+      config.request_parameters.merge!(approval_prompt: "force")
     end
 
-For more details on offline mode and approval_prompt refer to the google OAuth docs, as of
-writing you can find them #[here](https://developers.google.com/accounts/docs/OAuth2WebServer).
+For more details on offline mode and approval_prompt refer to the 
+[Google OAuth documentation](https://developers.google.com/accounts/docs/OAuth2WebServer).
 
 ## Configuring
 
@@ -107,19 +109,25 @@ There are a few configuration options that can be set using `SimpleGoogleAuth.co
 
 Option | Default | Description
 --- | --- | ---
-client_id | (required) | Client ID as provided by Google.
-client_secret | (required) | Client secret as provided by Google.
+client_id* | (required) | Client ID as provided by Google.
+client_secret* | (required) | Client secret as provided by Google.
 redirect_uri | (required) | Where Google should redirect to after authentication.
 redirect_path | `nil` | A route is created at this path.  If no path is specified, the path is taken from redirect_uri.
 authenticate | (required) | A lambda that's run to determine whether the user should be accepted as valid or not.  Takes one argument, a hash of identification data as provided by Google.  Should return true on success, or false if the login should not proceed.
 failed_login_path | `"/"` | Where to redirect to upon a failed login.  `params[:message]` will be set with the error that occurred.
-ca_path | `"/etc/ssl/certs"` | A path or file of SSL certificates, used to check that we're really talking to the Google servers.
 google_auth_url | `"https://accounts.google.com/o/oauth2/auth"` | Google's authentication URL.
 google_token_url | `"https://accounts.google.com/o/oauth2/token"` | Google's token URL.
 state_session_key_name | `"simple-google-auth.state"` | The name of the session variable used to store a random string used to prevent CSRF attacks during authentication.
 data_session_key_name | `"simple-google-auth.data"` | The name of the session variable used to store identification data from Google.
-request_parameters | {scope: "openid email"} | Parameters to use when requesting a login from Google
+request_parameters | `{scope: "openid email"}` | Parameters to use when requesting a login from Google
+
+Items marked with * may be a lambda, which will be called when that config item is required.
 
 ## Licence
 
-MIT.
+MIT.  Copyright 2014-2015 Roger Nesbitt, Powershop New Zealand Limited.
+
+## Authors and contributors
+
+ - Roger Nesbitt
+ - Andy Newport

data/lib/simple_google_auth.rb

@@ -1,63 +1,37 @@
 require 'net/https'
+require 'simple_google_auth/config'
 
 module SimpleGoogleAuth
-  Config = Struct.new(
-    :client_id,
-    :client_secret,
-    :redirect_uri,
-    :redirect_path,
-    :failed_login_path,
-    :authenticate,
-    :ca_path,
-    :google_auth_url,
-    :google_token_url,
-    :state_session_key_name,
-    :data_session_key_name,
-    :request_parameters,
-    :refresh_stale_tokens
-  ) do
-    def get_or_call(attribute)
-      value = send(attribute)
-      value.respond_to?(:call) ? value.call : value
-    end
-  end
-
   mattr_accessor :config
   self.config = Config.new
 
+  Error = Class.new(StandardError)
+  ProviderError = Class.new(Error)
+  NonJsonResponseError = Class.new(ProviderError)
+
   def self.configure
     yield config
 
     if config.refresh_stale_tokens
-      config.request_parameters.merge!({ access_type: "offline" })
+      config.request_parameters.merge!(access_type: "offline")
     end
   end
-
-  def self.uri(state)
-    query = config.request_parameters.merge(
-      response_type: "code",
-      client_id:     config.get_or_call(:client_id),
-      redirect_uri:  config.redirect_uri,
-      state:         state
-    )
-
-    "#{config.google_auth_url}?" + query.map {|k, v| "#{k}=#{CGI.escape v}"}.join("&")
-  end
 end
 
+require 'simple_google_auth/http_client'
+require 'simple_google_auth/auth_data_presenter'
+require 'simple_google_auth/oauth'
+require 'simple_google_auth/authorization_uri_builder'
+require 'simple_google_auth/engine'
+require 'simple_google_auth/controller'
+require 'simple_google_auth/receiver'
+
 SimpleGoogleAuth.configure do |config|
-  config.ca_path = %w(/etc/ssl/certs).detect {|dir| Dir.exists?(dir)}
   config.google_auth_url = "https://accounts.google.com/o/oauth2/auth"
   config.google_token_url = "https://accounts.google.com/o/oauth2/token"
   config.state_session_key_name = "simple-google-auth.state"
   config.data_session_key_name = "simple-google-auth.data"
   config.failed_login_path = "/"
   config.request_parameters = {scope: "openid email"}
-  config.authenticate = lambda { raise "You must define an authenticate lambda that sets the session" }
+  config.authenticate = lambda {|data| raise "You must define an authenticate lambda that determines whether a user should be allowed access or not"}
 end
-
-require 'simple_google_auth/http_client'
-require 'simple_google_auth/oauth'
-require 'simple_google_auth/engine'
-require 'simple_google_auth/controller'
-require 'simple_google_auth/receiver'

data/lib/simple_google_auth/auth_data_presenter.rb

@@ -0,0 +1,50 @@
+module SimpleGoogleAuth
+  class AuthDataPresenter
+    InvalidAuthDataError = Class.new(Error)
+
+    FIELDS = %w(
+      access_token
+      expires_in
+      token_type
+      refresh_token
+      id_token
+      iss
+      at_hash
+      email_verified
+      sub
+      azp
+      email
+      aud
+      iat
+      exp
+      hd
+      expires_at
+    )
+
+    def initialize(auth_data)
+      raise InvalidAuthDataError if auth_data["id_token"].nil?
+
+      token_data = unpack_json_web_token(auth_data["id_token"])
+      @data = auth_data.merge(token_data)
+    end
+
+    def [](field)
+      @data[field.to_s]
+    end
+
+    FIELDS.each do |field|
+      define_method(field) { @data[field.to_s] }
+    end
+
+    private
+
+    def unpack_json_web_token(id_token)
+      # We don't worry about validating the signature because we got this JWT directly
+      # from Google over HTTPS (see
+      # https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo)
+      signature, id_data_64 = id_token.split(".")
+      id_data_64 << "=" until id_data_64.length % 4 == 0
+      JSON.parse(Base64.decode64(id_data_64))
+    end
+  end
+end

data/lib/simple_google_auth/authorization_uri_builder.rb

@@ -0,0 +1,28 @@
+module SimpleGoogleAuth
+  class AuthorizationUriBuilder
+    def initialize(state)
+      @state = state
+    end
+
+    def uri
+      params = config.request_parameters.merge(
+        response_type: "code",
+        client_id:     config.client_id,
+        redirect_uri:  config.redirect_uri,
+        state:         @state
+      )
+
+      "#{config.google_auth_url}?#{params_to_query(params)}"
+    end
+
+    private
+
+    def config
+      SimpleGoogleAuth.config
+    end
+
+    def params_to_query(params)
+      params.map {|k, v| "#{CGI.escape k.to_s}=#{CGI.escape v.to_s}"}.join("&")
+    end
+  end
+end

data/lib/simple_google_auth/config.rb

@@ -0,0 +1,44 @@
+module SimpleGoogleAuth
+  config_fields = [
+    :client_id,
+    :client_secret,
+    :redirect_uri,
+    :redirect_path,
+    :failed_login_path,
+    :authenticate,
+    :google_auth_url,
+    :google_token_url,
+    :state_session_key_name,
+    :data_session_key_name,
+    :request_parameters,
+    :refresh_stale_tokens
+  ]
+
+  class Config < Struct.new(*config_fields)
+    def ca_path=(value)
+      Rails.logger.warn "ca_path is no longer used by SimpleGoogleAuth as OpenSSL is clever enough to find its ca_path now"
+    end
+
+    def client_id
+      get_or_call super
+    end
+
+    def client_secret
+      get_or_call super
+    end
+
+    def authenticate=(value)
+      if !value.respond_to?(:call)
+        raise Error, "Your SimpleGoogleAuth authenticator must be an object that responds to :call, normally a lambda.  See documentation for configuration details."
+      end
+
+      super
+    end
+
+    private
+
+    def get_or_call(value)
+      value.respond_to?(:call) ? value.call : value
+    end
+  end
+end

data/lib/simple_google_auth/controller.rb

@@ -1,36 +1,44 @@
 module SimpleGoogleAuth
   module Controller
     protected
+
     def redirect_if_not_google_authenticated
       redirect_to google_authentication_uri if google_auth_data.nil?
     end
 
     def google_authentication_uri
       state = session[SimpleGoogleAuth.config.state_session_key_name] = SecureRandom.hex + request.path
-      SimpleGoogleAuth.uri(state)
+      SimpleGoogleAuth::AuthorizationUriBuilder.new(state).uri
     end
 
     def google_auth_data
-      return unless google_auth_data_from_session
+      return unless cached_google_auth_data
 
       if should_refresh_google_auth_data?
         refresh_google_auth_data
       end
-      google_auth_data_from_session
+      cached_google_auth_data
     end
 
     private
 
     def refresh_google_auth_data
       api = SimpleGoogleAuth::OAuth.new(SimpleGoogleAuth.config)
-
-      auth_data = api.refresh_auth_token!(google_auth_data_from_session["refresh_token"])
+      auth_data = api.refresh_auth_token!(cached_google_auth_data["refresh_token"])
 
       session[SimpleGoogleAuth.config.data_session_key_name] = auth_data
+      @_google_auth_data_presenter = nil
+    end
+
+    def cached_google_auth_data
+      @_google_auth_data_presenter ||= google_auth_data_from_session
     end
 
     def google_auth_data_from_session
-      session[SimpleGoogleAuth.config.data_session_key_name]
+      if auth_data = session[SimpleGoogleAuth.config.data_session_key_name]
+        AuthDataPresenter.new(auth_data)
+      end
+    rescue AuthDataPresenter::InvalidAuthDataError
     end
 
     def should_refresh_google_auth_data?
@@ -38,7 +46,7 @@ module SimpleGoogleAuth
     end
 
     def google_auth_data_stale?
-      expiry_time = google_auth_data_from_session["expires_at"]
+      expiry_time = cached_google_auth_data["expires_at"]
 
       expiry_time.nil? || Time.parse(expiry_time).past?
     end

data/lib/simple_google_auth/http_client.rb

@@ -1,30 +1,35 @@
 module SimpleGoogleAuth
   class HttpClient
-    def initialize(url, ca_path)
+    def initialize(url)
       @uri = URI(url)
       @http = Net::HTTP.new(@uri.host, @uri.port)
-      setup_https(ca_path)
+
+      if @uri.scheme == "https"
+        @http.use_ssl = true
+        @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
     end
 
     def request(params)
       request = Net::HTTP::Post.new(@uri.request_uri)
       request.set_form_data(params)
       response = @http.request(request)
-      response.body
-    end
 
-    private
-    def setup_https(ca_path)
-      if @uri.scheme == "https"
-        @http.use_ssl = true
-        if ca_path
-          @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-          @http.ca_path = ca_path
-        else
-          @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-          Rails.logger.warn "SimpleGoogleAuth does not have a ca_path configured; SSL with Google is not protected"
-        end
+      if response.content_type != 'application/json'
+        raise NonJsonResponseError, "The server responded with non-JSON content"
+      end
+
+      data = begin
+        JSON.parse(response.body)
+      rescue JSON::ParserError
+        raise NonJsonResponseError, "The server responded with JSON content that was not parseable"
       end
+
+      if response.code !~ /\A2\d\d\z/
+        raise ProviderError, "The server responded with error #{response.code}: #{data.inspect}"
+      end
+
+      data
     end
   end
 end

data/lib/simple_google_auth/oauth.rb

@@ -2,7 +2,7 @@ module SimpleGoogleAuth
   class OAuth
     def initialize(config)
       @config = config
-      @client = HttpClient.new(@config.google_token_url, @config.ca_path)
+      @client = HttpClient.new(@config.google_token_url)
     end
 
     def exchange_code_for_auth_token!(code)
@@ -25,27 +25,34 @@ module SimpleGoogleAuth
         client_secret: @config.client_secret,
         grant_type: "refresh_token")
 
-      parse_auth_response(response).merge("refresh_token" => refresh_token)
+      response["refresh_token"] ||= refresh_token
+
+      parse_auth_response(response)
     end
 
     private
-    def parse_auth_response(response)
-      auth_data = JSON.parse(response)
+    def parse_auth_response(auth_data)
+      validate_data_present!(auth_data)
 
       auth_data["expires_at"] = calculate_expiry(auth_data).to_s
 
-      id_data = decode_id_data(auth_data.delete("id_token"))
-      auth_data.merge!(id_data)
+      auth_data
     end
 
-    def calculate_expiry(auth_data)
-      Time.now + auth_data["expires_in"] - 5.seconds
+    def validate_data_present!(auth_data)
+      %w(id_token expires_in).each do |field|
+        if auth_data[field].blank?
+          raise Error, "Expecting field '#{field}' to be set but it is blank"
+        end
+      end
+
+      if !auth_data['expires_in'].is_a?(Numeric) || auth_data['expires_in'] <= 0
+        raise Error, "Field 'expires_in' must be a number greater than 0"
+      end
     end
 
-    def decode_id_data(id_data)
-      id_data_64 = id_data.split(".")[1]
-      id_data_64 << "=" until id_data_64.length % 4 == 0
-      JSON.parse(Base64.decode64(id_data_64))
+    def calculate_expiry(auth_data)
+      Time.now + auth_data["expires_in"] - 5.seconds
     end
   end
 end

data/lib/simple_google_auth/receiver.rb

@@ -1,7 +1,5 @@
 module SimpleGoogleAuth
   class Receiver
-    Error = Class.new(StandardError)
-
     def call(env)
       request = Rack::Request.new(env)
       config = SimpleGoogleAuth.config
@@ -10,7 +8,8 @@ module SimpleGoogleAuth
       api = SimpleGoogleAuth::OAuth.new(config)
       auth_data = api.exchange_code_for_auth_token!(request.params["code"])
 
-      raise Error, "Authentication failed" unless config.authenticate.call(auth_data)
+      data = AuthDataPresenter.new(auth_data)
+      raise Error, "Authentication failed" unless config.authenticate.call(data)
 
       request.session[config.data_session_key_name] = auth_data
 

data/lib/simple_google_auth/version.rb

@@ -1,3 +1,3 @@
 module SimpleGoogleAuth
-  VERSION = "0.0.6"
+  VERSION = "0.2.0"
 end

data/spec/simple_google_auth/auth_data_presenter_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::AuthDataPresenter do
+  let(:id_data) do
+    {
+      "iss" => "accounts.google.com",
+      "sub" => "10769150350006150715113082367",
+      "email" => "test@test.example",
+      "aud" => "1234987819200.apps.googleusercontent.com",
+      "iat" => 1353601026,
+      "exp" => 1353604926
+    }
+  end
+
+  let(:id_token) { "12345." + Base64.encode64(id_data.to_json).gsub('=', '') }
+  let(:auth_data) do
+    {
+      "id_token" => id_token,
+      "expires_in" => 1200,
+      "access_token" => "abcdef",
+      "token_type" => "Bearer"
+    }
+  end
+
+  subject { SimpleGoogleAuth::AuthDataPresenter.new(auth_data) }
+
+  it "provides indifferent hash access to data in the JWT" do
+    expect(subject['email']).to eq 'test@test.example'
+    expect(subject[:email]).to eq 'test@test.example'
+  end
+
+  it "provides method access to data in the JWT" do
+    expect(subject.email).to eq 'test@test.example'
+  end
+
+  it "raises if id_token not provided" do
+    expect {
+      SimpleGoogleAuth::AuthDataPresenter.new({})
+    }.to raise_error(SimpleGoogleAuth::AuthDataPresenter::InvalidAuthDataError)
+  end
+end

data/spec/simple_google_auth/authorization_uri_builder_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::AuthorizationUriBuilder do
+  subject do
+    SimpleGoogleAuth::AuthorizationUriBuilder.new("somestate")
+  end
+
+  describe "#uri" do
+    it "constructs an authorization URI" do
+      expect(subject.uri).to eq 'https://accounts.google.com/o/oauth2/auth?scope=openid+email&response_type=code&client_id=123&redirect_uri=%2Fabc&state=somestate'
+    end
+  end
+end

data/spec/simple_google_auth/config_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::Config do
+  subject { SimpleGoogleAuth::Config.new }
+
+  describe "#client_id" do
+    it "gets the value if it doesn't respond to call" do
+      subject.client_id = '12345'
+      expect(subject.client_id).to eq '12345'
+    end
+
+    it "calls to get the value if it responds to call" do
+      subject.client_id = lambda { '12345' }
+      expect(subject.client_id).to eq '12345'
+    end
+  end
+
+  describe "#authenticate=" do
+    it "saves the value if it is callable" do
+      fn = lambda {|data| true}
+      subject.authenticate = fn
+      expect(subject.authenticate).to eql fn
+    end
+
+    it "raises if the value isn't callable" do
+      expect {
+        subject.authenticate = "not a lambda"
+      }.to raise_error(SimpleGoogleAuth::Error, /responds to :call/)
+    end
+  end
+
+  describe "#ca_path=" do
+    it "logs a warning" do
+      Rails.logger ||= double
+      expect(Rails.logger).to receive(:warn)
+      subject.ca_path = "/etc/certs"
+    end
+  end
+end

data/spec/simple_google_auth/controller_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::Controller do
+  class TestController
+    include SimpleGoogleAuth::Controller
+
+    attr_reader :request, :session
+
+    def redirect_to(x)
+    end
+  end
+
+  subject { TestController.new }
+
+  let(:id_data) { Base64.encode64({email:"hi@hi"}.to_json).gsub('=', '') }
+  let(:auth_data) { {"id_token" => "123." + id_data} }
+  let(:request) { double(path: "/somepath") }
+  let(:session) { {} }
+
+  before do
+    allow(subject).to receive(:request).and_return(request)
+    allow(subject).to receive(:session).and_return(session)
+  end
+
+  describe "#redirect_if_not_google_authenticated" do
+    it "redirects if not authenticated" do
+      expect(SecureRandom).to receive(:hex).and_return("abcd")
+      expect(subject).to receive(:redirect_to).with("https://accounts.google.com/o/oauth2/auth?scope=openid+email&response_type=code&client_id=123&redirect_uri=%2Fabc&state=abcd%2Fsomepath")
+      subject.send(:redirect_if_not_google_authenticated)
+    end
+
+    it "does nothing if authenticated" do
+      session[SimpleGoogleAuth.config.data_session_key_name] = auth_data
+      expect(subject).to_not receive(:redirect_to)
+      subject.send(:redirect_if_not_google_authenticated)
+    end
+  end
+
+  describe "#google_auth_data" do
+    it "returns data from the session" do
+      session[SimpleGoogleAuth.config.data_session_key_name] = auth_data
+      data = subject.send(:google_auth_data)
+      expect(data.email).to eq 'hi@hi'
+    end
+
+    it "refreshes the token data if it's expired and refresh_stale_tokens is true"
+  end
+end

data/spec/simple_google_auth/http_client_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::HttpClient do
+  describe "#request" do
+    let(:http) { instance_double(Net::HTTP) }
+    let(:request) { instance_double(Net::HTTP::Post) }
+
+    before do
+      expect(Net::HTTP).to receive(:new).with("some.host", 443).and_return(http)
+      expect(http).to receive(:use_ssl=).with(true)
+      expect(http).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+      expect(http).to receive(:request).with(request).and_return(response)
+
+      expect(Net::HTTP::Post).to receive(:new).with("/somepath").and_return(request)
+      expect(request).to receive(:set_form_data).with('some' => 'data')
+    end
+
+    subject { SimpleGoogleAuth::HttpClient.new("https://some.host/somepath") }
+
+    context "when the call is successful" do
+      let(:response) do
+        instance_double(
+          Net::HTTPSuccess,
+          code: '200',
+          body: {"data" => "very"}.to_json,
+          content_type: 'application/json'
+        )
+      end
+
+      it "returns the server's response" do
+        expect(subject.request('some' => 'data')).to eq("data" => "very")
+      end
+    end
+
+    context "when non-json data is returned" do
+      let(:response) do
+        instance_double(
+          Net::HTTPSuccess,
+          code: '200',
+          body: "some html",
+          content_type: 'text/html'
+        )
+      end
+
+      it "raises an error" do
+        expect { subject.request('some' => 'data') }.to raise_error(SimpleGoogleAuth::NonJsonResponseError, /non-JSON/)
+      end
+    end
+
+    context "when non-json-parseable data is returned" do
+      let(:response) do
+        instance_double(
+          Net::HTTPSuccess,
+          code: '200',
+          body: "some html",
+          content_type: 'application/json'
+        )
+      end
+
+      it "raises an error" do
+        expect { subject.request('some' => 'data') }.to raise_error(SimpleGoogleAuth::NonJsonResponseError, /parseable/)
+      end
+    end
+
+    context "when non-successful json data is returned" do
+      let(:response) do
+        instance_double(
+          Net::HTTPSuccess,
+          code: '400',
+          body: {"data" => "very"}.to_json,
+          content_type: 'application/json'
+        )
+      end
+
+      it "raises an error" do
+        expect { subject.request('some' => 'data') }.to raise_error(SimpleGoogleAuth::ProviderError, /400.+very/)
+      end
+    end
+  end
+end

data/spec/simple_google_auth/oauth_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::OAuth do
+  let(:config) do
+    instance_double(
+      SimpleGoogleAuth::Config,
+      google_token_url: "/token/url",
+      client_id: '12345',
+      client_secret: 'abcde',
+      redirect_uri: '/ok'
+    )
+  end
+
+  let(:client) { instance_double(SimpleGoogleAuth::HttpClient) }
+  let(:response) { {"id_token" => "sometoken", "expires_in" => 1200, "other" => "data"} }
+  let(:expires_at) { Time.now + 1200 - 5 }
+  
+  before do
+    now = Time.now
+    allow(Time).to receive(:now).and_return(now)
+
+    expect(SimpleGoogleAuth::HttpClient).to receive(:new).with(config.google_token_url).and_return(client)
+  end
+
+  subject { SimpleGoogleAuth::OAuth.new(config) }
+
+  describe "#exchange_code_for_auth_token!" do
+    before do
+      expect(client).to receive(:request).with(
+        code: "magic",
+        grant_type: "authorization_code",
+        client_id: "12345",
+        client_secret: "abcde",
+        redirect_uri: "/ok"
+      ).and_return(response)
+    end
+
+    it "returns a hash of auth token data" do
+      expect(subject.exchange_code_for_auth_token!('magic')).to eq('expires_in' => 1200, 'other' => 'data', 'id_token' => 'sometoken', 'expires_at' => expires_at.to_s)
+    end
+  end
+
+  describe "#refresh_auth_token!" do
+    context "when a refresh token is provided" do
+      before do
+        expect(client).to receive(:request).with(
+          refresh_token: "magic",
+          grant_type: "refresh_token",
+          client_id: "12345",
+          client_secret: "abcde",
+        ).and_return(response)
+      end
+
+      it "returns a hash of auth token data" do
+        expect(subject.refresh_auth_token!('magic')).to eq('expires_in' => 1200, 'other' => 'data', 'id_token' => 'sometoken', 'expires_at' => expires_at.to_s, 'refresh_token' => 'magic')
+      end
+    end
+
+    context "when no refresh token is provided" do
+      it "does nothing and returns nil" do
+        expect(subject.refresh_auth_token!(nil)).to be nil
+      end
+    end
+  end
+end

data/spec/simple_google_auth/receiver_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth::Receiver do
+  let(:authenticator) { double(call: true) }
+  let(:authentication_result) { true }
+  let(:session) { double }
+  let(:state) { "abcd" * 8 + "/place" }
+  let(:code) { "sekrit" }
+  let(:params) { {"state" => state, "code" => code} }
+  let(:request) { instance_double(Rack::Request, session: session, params: params) }
+  let(:api) { instance_double(SimpleGoogleAuth::OAuth) }
+  let(:auth_data) { double }
+  let(:env) { double }
+  let(:auth_data_presenter) { instance_double(SimpleGoogleAuth::AuthDataPresenter) }
+
+  before do
+    expect(Rack::Request).to receive(:new).with(env).and_return(request)
+    expect(session).to receive(:[]).at_least(:once).with('simple-google-auth.state').and_return(state)
+
+    SimpleGoogleAuth.config.authenticate = authenticator
+    SimpleGoogleAuth.config.failed_login_path = '/error'
+  end
+
+  subject { SimpleGoogleAuth::Receiver.new.call(env) }
+
+  context "when a valid code is provided to the receiver" do
+    before do
+      expect(SimpleGoogleAuth::OAuth).to receive(:new).with(SimpleGoogleAuth.config).and_return(api)
+      expect(api).to receive(:exchange_code_for_auth_token!).with(code).and_return(auth_data)
+
+      expect(SimpleGoogleAuth::AuthDataPresenter).to receive(:new).with(auth_data).and_return(auth_data_presenter)
+      expect(authenticator).to receive(:call).with(auth_data_presenter).and_return(authentication_result)
+    end
+
+    context "and the authenticator accepts the login" do
+      before do
+        expect(session).to receive(:[]=).with('simple-google-auth.data', auth_data)
+      end
+
+      it "redirects to the URL specified in the session" do
+        expect(subject).to eq [302, {"Location" => "/place"}, [" "]] 
+      end
+    end
+
+    context "and the authenticator rejects the login" do
+      let(:authentication_result) { false }
+
+      it "redirects to the failed login path with a message" do
+        expect(subject).to eq [302, {"Location" => "/error?message=Authentication+failed"}, [" "]] 
+      end
+    end
+  end
+
+  context "when the state doesn't match" do
+    let(:params) { {"state" => "doesnotmatch", "code" => code} }
+
+    it "redirects to the failed login path with a message" do
+      expect(subject).to eq [302, {"Location" => "/error?message=Invalid+state+returned+from+Google"}, [" "]] 
+    end
+  end
+
+  context "when the google authentication fails" do
+    let(:params) { {"state" => state, "error" => "bad stuff"} }
+
+    it "redirects to the failed login path with a message" do
+      expect(subject).to eq [302, {"Location" => "/error?message=Authentication+failed%3A+bad+stuff"}, [" "]] 
+    end
+  end
+
+  context "when no code is returned (unexpected)" do
+    let(:params) { {"state" => state} }
+
+    it "redirects to the failed login path with a message" do
+      expect(subject).to eq [302, {"Location" => "/error?message=No+authentication+code+returned"}, [" "]] 
+    end
+  end
+end

data/spec/simple_google_auth_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe SimpleGoogleAuth do
+  describe "::configure" do
+    it "yields the config object" do
+      SimpleGoogleAuth.configure do |config|
+        expect(config).to be_a(SimpleGoogleAuth::Config)
+      end
+    end
+
+    it "sets access_type to offline if refresh_stale_tokens set"
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,102 @@
+ENV['RAILS_ENV'] ||= 'test'
+
+require 'rails/all'
+#require 'rspec/rails'
+require 'simple_google_auth'
+
+SimpleGoogleAuth.configure do |c|
+  c.client_id = '123'
+  c.redirect_uri = '/abc'
+end
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_google_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.2.0
 platform: ruby
 authors:
 - Roger Nesbitt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-28 00:00:00.000000000 Z
+date: 2015-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 description: An extremely easy way to protect your site by requiring Google logins
   without having to set up a traditional authentication system
 email:
@@ -37,12 +51,24 @@ files:
 - Rakefile
 - config/routes.rb
 - lib/simple_google_auth.rb
+- lib/simple_google_auth/auth_data_presenter.rb
+- lib/simple_google_auth/authorization_uri_builder.rb
+- lib/simple_google_auth/config.rb
 - lib/simple_google_auth/controller.rb
 - lib/simple_google_auth/engine.rb
 - lib/simple_google_auth/http_client.rb
 - lib/simple_google_auth/oauth.rb
 - lib/simple_google_auth/receiver.rb
 - lib/simple_google_auth/version.rb
+- spec/simple_google_auth/auth_data_presenter_spec.rb
+- spec/simple_google_auth/authorization_uri_builder_spec.rb
+- spec/simple_google_auth/config_spec.rb
+- spec/simple_google_auth/controller_spec.rb
+- spec/simple_google_auth/http_client_spec.rb
+- spec/simple_google_auth/oauth_spec.rb
+- spec/simple_google_auth/receiver_spec.rb
+- spec/simple_google_auth_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/mogest/simple_google_auth
 licenses:
 - MIT
@@ -67,4 +93,13 @@ rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Super simple Google authentication for your Rails site
-test_files: []
+test_files:
+- spec/simple_google_auth/auth_data_presenter_spec.rb
+- spec/simple_google_auth/authorization_uri_builder_spec.rb
+- spec/simple_google_auth/config_spec.rb
+- spec/simple_google_auth/controller_spec.rb
+- spec/simple_google_auth/http_client_spec.rb
+- spec/simple_google_auth/oauth_spec.rb
+- spec/simple_google_auth/receiver_spec.rb
+- spec/simple_google_auth_spec.rb
+- spec/spec_helper.rb