simple_oauth 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e33b22e5f3c253796236a61dda5f130f2943c4e2
-  data.tar.gz: 070a415e6824f5e370668c3253c3431480a216b2
+SHA256:
+  metadata.gz: c50ae9a3795998aadd96790e68574680bec0bc5d848ad2fd139327e4123b2872
+  data.tar.gz: 6c8d45ae40b2f52846d0c83ce9e4b7d4f1fb53caa0f516734c81abcb5ecc7f3a
 SHA512:
-  metadata.gz: e861d3e040c487c501e1c422a9120be8fe51fefad5162956f686d4457fc602bf35f91ea7f2e5633cd18c94f0a039e10b3ffb578d253ff45d76f83d67bb02b85c
-  data.tar.gz: c4bd1d327734ab9b88d754ada4ce5b2f534a5db640c1f6126941910fe6877c90b39a52d218cd09fc1d77a94a2ddd47b16a60b49f744a537529ee430f72e4b764
+  metadata.gz: c9d3a63ea92cd30dec03017175fd3be9611b484a20f79a7810229885f9f4697b81eeccdce3dd399f25d1e9f6ea316ca09dee0440d961be869f71a3f6a120d02c
+  data.tar.gz: 2a511446baa6096738e47e93b57eaedf6e53840e570c8664dee0227303ecade3237336e475292108403c791728bac88ab847b17d33ccc5535c2c1fb5c12a2a7a

data/.rubocop.yml

@@ -1,57 +1,59 @@
-Metrics/AbcSize:
-  Max: 16
-
-Metrics/BlockNesting:
-  Max: 1
-
-Metrics/LineLength:
-  AllowURI: true
+require:
+  - standard
+
+plugins:
+  - standard-performance
+  - rubocop-minitest
+  - rubocop-performance
+  - rubocop-rake
+
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 3.2
+
+Layout/ArgumentAlignment:
+  Enabled: true
+  EnforcedStyle: with_fixed_indentation
+
+Layout/LeadingCommentSpace:
+  AllowRBSInlineAnnotation: true
+
+Layout/ArrayAlignment:
+  Enabled: true
+  EnforcedStyle: with_fixed_indentation
+
+Layout/EndAlignment:
+  Enabled: true
+  EnforcedStyleAlignWith: variable
+
+Layout/HashAlignment:
+  Enabled: true
+  EnforcedHashRocketStyle: key
+  EnforcedColonStyle: key
+  EnforcedLastArgumentHashStyle: always_inspect
+
+Layout/ParameterAlignment:
+  Enabled: true
+  EnforcedStyle: with_fixed_indentation
+  IndentationWidth: ~
+
+Layout/SpaceInsideHashLiteralBraces:
   Enabled: false
 
-Metrics/MethodLength:
-  CountComments: false
-  Max: 7
-
 Metrics/ParameterLists:
-  Max: 4
-  CountKeywordArgs: true
-
-Style/AccessModifierIndentation:
-  EnforcedStyle: outdent
+  CountKeywordArgs: false
 
-Style/CollectionMethods:
-  PreferredMethods:
-    map:      'collect'
-    reduce:   'inject'
-    find:     'detect'
-    find_all: 'select'
+Style/Alias:
+  Enabled: true
+  EnforcedStyle: prefer_alias_method
 
-Style/Documentation:
+Style/FrozenStringLiteralComment:
   Enabled: false
 
-Style/DotPosition:
-  EnforcedStyle: trailing
-
-Style/DoubleNegation:
-  Enabled: false
-
-Style/EachWithObject:
-  Enabled: false
-
-Style/Encoding:
-  Enabled: false
-
-Style/HashSyntax:
-  EnforcedStyle: hash_rockets
-
-Style/Lambda:
-  Enabled: false
-
-Style/RaiseArgs:
-  EnforcedStyle: compact
-
-Style/SpaceInsideHashLiteralBraces:
-  EnforcedStyle: no_space
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
 
-Style/TrailingComma:
-  EnforcedStyleForMultiline: 'comma'
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes

data/CHANGELOG.md

@@ -0,0 +1,21 @@
+## [0.4.0] - 2026-02-01
+
+### Added
+
+* Extensible signature method registry allowing custom signature methods to be registered at runtime
+* Support for RSA-SHA256 and HMAC-SHA256 signature methods
+* OAuth Request Body Hash support (`oauth_body_hash` parameter) for signing requests with non-form-encoded bodies
+* Support for parsing OAuth credentials from POST body via `Header.parse_form_body`
+* Support for `realm` parameter in OAuth Authorization header
+
+### Fixed
+
+* Avoid symbolizing untrusted input in parse methods for security
+* Refactored `Header.parse` for improved robustness using StringScanner
+
+### Changed
+
+* Supports Ruby 3.2, 3.3, 3.4, and 4.0
+* Added `base64` and `cgi` as explicit runtime dependencies
+* Migrated test suite from RSpec to Minitest
+

data/LICENSE.md

@@ -1,20 +1,21 @@
-Copyright (c) 2010-2013 Steve Richert, Erik Michaels-Ober
+The MIT License (MIT)
 
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
+Copyright (c) 2010-2026 Steve Richert, Erik Berlin
 
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,44 +1,138 @@
 # simple_oauth
 
-[![Gem Version](http://img.shields.io/gem/v/simple_oauth.svg)][gem]
-[![Build Status](http://img.shields.io/travis/laserlemon/simple_oauth.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/laserlemon/simple_oauth.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/laserlemon/simple_oauth.svg)][codeclimate]
-[![Coverage Status](http://img.shields.io/coveralls/laserlemon/simple_oauth.svg)][coveralls]
-
-[gem]: https://rubygems.org/gems/simple_oauth
-[travis]: http://travis-ci.org/laserlemon/simple_oauth
-[gemnasium]: https://gemnasium.com/laserlemon/simple_oauth
-[codeclimate]: https://codeclimate.com/github/laserlemon/simple_oauth
-[coveralls]: https://coveralls.io/r/laserlemon/simple_oauth
-
-Simply builds and verifies OAuth headers
-
-## Supported Rubies
-This library aims to support and is [tested
-against](http://travis-ci.org/laserlemon/simple_oauth) the following Ruby
-implementations:
-
-* Ruby 1.8.7
-* Ruby 1.9.3
-* Ruby 2.0.0
-* Ruby 2.1
-* [JRuby](http://jruby.org/)
-* [Rubinius](http://rubini.us/)
-
-If something doesn't work on one of these interpreters, it's a bug.
-
-This library may inadvertently work (or seem to work) on other Ruby
-implementations, however support will only be provided for the versions listed
-above.
-
-If you would like this library to support another Ruby version, you may
-volunteer to be a maintainer. Being a maintainer entails making sure all tests
-run and pass on that implementation. When something breaks on your
-implementation, you will be responsible for providing patches in a timely
-fashion. If critical issues for a particular implementation exist at the time
-of a major release, support for that Ruby version may be dropped.
-
-## Copyright
-Copyright (c) 2010-2013 Steve Richert, Erik Michaels-Ober. See
-[LICENSE](LICENSE.md) for details.
+[![Gem Version](https://badge.fury.io/rb/simple_oauth.svg)](https://badge.fury.io/rb/simple_oauth)
+[![Test](https://github.com/laserlemon/simple_oauth/actions/workflows/test.yml/badge.svg)](https://github.com/laserlemon/simple_oauth/actions/workflows/test.yml)
+[![Mutant](https://github.com/laserlemon/simple_oauth/actions/workflows/mutant.yml/badge.svg)](https://github.com/laserlemon/simple_oauth/actions/workflows/mutant.yml)
+[![Lint](https://github.com/laserlemon/simple_oauth/actions/workflows/lint.yml/badge.svg)](https://github.com/laserlemon/simple_oauth/actions/workflows/lint.yml)
+[![Typecheck](https://github.com/laserlemon/simple_oauth/actions/workflows/typecheck.yml/badge.svg)](https://github.com/laserlemon/simple_oauth/actions/workflows/typecheck.yml)
+[![Yardstick](https://github.com/laserlemon/simple_oauth/actions/workflows/yardstick.yml/badge.svg)](https://github.com/laserlemon/simple_oauth/actions/workflows/yardstick.yml)
+
+Simply builds and verifies OAuth headers per [RFC 5849](https://tools.ietf.org/html/rfc5849)
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add simple_oauth
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install simple_oauth
+
+## Usage
+
+### Building an OAuth Header
+
+```ruby
+require "simple_oauth"
+
+header = SimpleOAuth::Header.new(
+  :get,
+  "https://api.example.com/resource",
+  {status: "Hello"},
+  consumer_key: "consumer_key",
+  consumer_secret: "consumer_secret",
+  token: "access_token",
+  token_secret: "token_secret"
+)
+
+header.to_s
+# => "OAuth oauth_consumer_key=\"consumer_key\", oauth_nonce=\"...\", ..."
+```
+
+### Signature Methods
+
+Built-in signature methods: `HMAC-SHA1` (default), `HMAC-SHA256`, `RSA-SHA1`, `RSA-SHA256`, and `PLAINTEXT`.
+
+```ruby
+# Using HMAC-SHA256
+header = SimpleOAuth::Header.new(:get, url, params,
+  consumer_key: "key",
+  consumer_secret: "secret",
+  signature_method: "HMAC-SHA256"
+)
+
+# Using RSA-SHA1 (pass PEM-encoded private key as consumer_secret)
+header = SimpleOAuth::Header.new(:get, url, params,
+  consumer_key: "key",
+  consumer_secret: File.read("private_key.pem"),
+  signature_method: "RSA-SHA1"
+)
+```
+
+### Custom Signature Methods
+
+Register custom signature methods at runtime:
+
+```ruby
+SimpleOAuth::Signature.register("HMAC-SHA512") do |secret, signature_base|
+  Base64.encode64(OpenSSL::HMAC.digest("SHA512", secret, signature_base)).delete("\n")
+end
+
+# Check registered methods
+SimpleOAuth::Signature.registered?("HMAC-SHA512") # => true
+SimpleOAuth::Signature.methods # => ["hmac_sha1", "hmac_sha256", "rsa_sha1", "rsa_sha256", "plaintext", "hmac_sha512"]
+```
+
+### OAuth Request Body Hash
+
+For non-form-encoded request bodies (e.g., JSON), pass the body as the fifth parameter to compute `oauth_body_hash`:
+
+```ruby
+json_body = '{"text": "Hello, World!"}'
+
+header = SimpleOAuth::Header.new(:post, url, {},
+  {consumer_key: "key", consumer_secret: "secret"},
+  json_body
+)
+```
+
+### Realm Parameter
+
+Include a realm in the Authorization header:
+
+```ruby
+header = SimpleOAuth::Header.new(:get, url, params,
+  consumer_key: "key",
+  consumer_secret: "secret",
+  realm: "Example"
+)
+# => "OAuth realm=\"Example\", oauth_consumer_key=\"key\", ..."
+```
+
+### Parsing OAuth Headers
+
+Parse an OAuth Authorization header:
+
+```ruby
+parsed = SimpleOAuth::Header.parse('OAuth oauth_consumer_key="key", oauth_signature="sig"')
+# => {consumer_key: "key", signature: "sig"}
+```
+
+Parse OAuth credentials from a form-encoded POST body:
+
+```ruby
+parsed = SimpleOAuth::Header.parse_form_body('oauth_consumer_key=key&oauth_signature=sig&status=hello')
+# => {consumer_key: "key", signature: "sig"}
+```
+
+### Verifying Signatures
+
+```ruby
+# Parse incoming Authorization header
+header = SimpleOAuth::Header.new(:get, request_url, params, authorization_header)
+
+# Verify the signature
+header.valid?(consumer_secret: "secret", token_secret: "token_secret")
+# => true
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/laserlemon/simple_oauth.
+
+This project conforms to [Standard Ruby](https://github.com/standardrb/standard). Patches that don’t maintain that standard will not be accepted.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -1,27 +1,36 @@
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
+require "bundler/gem_tasks"
+require "rake/testtask"
+require "rubocop/rake_task"
+require "standard/rake"
 
-RSpec::Core::RakeTask.new(:spec)
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
 
-task :test => :spec
+RuboCop::RakeTask.new
 
-begin
-  require 'rubocop/rake_task'
-  RuboCop::RakeTask.new
-rescue LoadError
-  task :rubocop do
-    $stderr.puts 'RuboCop is disabled'
-  end
+desc "Run mutation tests"
+task :mutant do
+  system("bundle", "exec", "mutant", "run") || exit(1)
 end
 
-require 'yardstick/rake/measurement'
-Yardstick::Rake::Measurement.new do |measurement|
-  measurement.output = 'measurement/report.txt'
+require "yard"
+YARD::Rake::YardocTask.new(:yard)
+
+desc "Check documentation coverage"
+task :yardstick do
+  require "yardstick/rake/verify"
+  Yardstick::Rake::Verify.new(:verify_docs) do |verify|
+    verify.threshold = 100
+  end
+  Rake::Task[:verify_docs].invoke
 end
 
-require 'yardstick/rake/verify'
-Yardstick::Rake::Verify.new do |verify|
-  verify.threshold = 47
+desc "Run type checker"
+task :steep do
+  system("bundle", "exec", "steep", "check") || exit(1)
 end
 
-task :default => [:spec, :rubocop, :verify_measurements]
+task default: %i[test rubocop standard mutant yardstick steep]

data/Steepfile

@@ -0,0 +1,18 @@
+D = Steep::Diagnostic
+
+target :lib do
+  signature "sig"
+
+  check "lib"
+
+  library "base64"
+  library "openssl"
+  library "uri"
+  library "cgi"
+  library "securerandom"
+
+  configure_code_diagnostics(D::Ruby.strict) do |hash|
+    # Allow FallbackAny warnings for variables in ensure blocks
+    hash[D::Ruby::FallbackAny] = :hint
+  end
+end

data/lib/simple_oauth/encoding.rb

@@ -0,0 +1,48 @@
+require "uri"
+
+module SimpleOAuth
+  # OAuth percent-encoding utilities
+  #
+  # Provides methods for encoding and decoding values according to the OAuth specification.
+  # These methods can be used as module functions or extended into a class.
+  #
+  # @api public
+  # @example Using as module functions
+  #   SimpleOAuth::Encoding.escape("hello world") # => "hello%20world"
+  #
+  # @example Extending into a class
+  #   class MyClass
+  #     extend SimpleOAuth::Encoding
+  #   end
+  #   MyClass.escape("hello world") # => "hello%20world"
+  module Encoding
+    # Characters that don't need to be escaped per OAuth spec
+    UNRESERVED_CHARS = /[^a-z0-9\-._~]/i
+
+    # Percent-encodes a value according to OAuth specification
+    #
+    # @api public
+    # @param value [String, #to_s] the value to encode
+    # @return [String] the percent-encoded value
+    # @example
+    #   SimpleOAuth::Encoding.escape("hello world")
+    #   # => "hello%20world"
+    def escape(value)
+      URI::RFC2396_PARSER.escape(value.to_s, UNRESERVED_CHARS)
+    end
+    alias_method :encode, :escape
+
+    # Decodes a percent-encoded value
+    #
+    # @api public
+    # @param value [String, #to_s] the value to decode
+    # @return [String] the decoded value
+    # @example
+    #   SimpleOAuth::Encoding.unescape("hello%20world")
+    #   # => "hello world"
+    def unescape(value)
+      URI::RFC2396_PARSER.unescape(value.to_s)
+    end
+    alias_method :decode, :unescape
+  end
+end

data/lib/simple_oauth/errors.rb

@@ -0,0 +1,7 @@
+module SimpleOAuth
+  # Error raised when parsing a malformed OAuth Authorization header
+  class ParseError < StandardError; end
+
+  # Error raised when invalid options are passed to Header
+  class InvalidOptionsError < StandardError; end
+end

data/lib/simple_oauth/header/class_methods.rb

@@ -0,0 +1,99 @@
+require "base64"
+require "cgi"
+require "openssl"
+require "securerandom"
+
+module SimpleOAuth
+  class Header
+    # Class methods for Header - parsing, defaults, and body hashing
+    #
+    # @api private
+    module ClassMethods
+      # Returns default OAuth options with generated nonce and timestamp
+      #
+      # @api public
+      # @param body [String, nil] optional request body for computing oauth_body_hash
+      # @return [Hash] default options including nonce, signature_method, timestamp, and version
+      # @example
+      #   SimpleOAuth::Header.default_options
+      #   # => {nonce: "abc123...", signature_method: "HMAC-SHA1", timestamp: "1234567890", version: "1.0"}
+      def default_options(body = nil)
+        {
+          nonce: generate_nonce,
+          signature_method: DEFAULT_SIGNATURE_METHOD,
+          timestamp: Integer(Time.now).to_s,
+          version: OAUTH_VERSION
+        }.tap { |opts| opts[:body_hash] = body_hash(body) if body }
+      end
+
+      # Computes the oauth_body_hash for a request body
+      #
+      # @api public
+      # @param body [String] the raw request body
+      # @param algorithm [String] the hash algorithm to use (default: "SHA1")
+      # @return [String] Base64-encoded hash of the body
+      # @example
+      #   SimpleOAuth::Header.body_hash('{"text": "Hello"}')
+      #   # => "aOjMoMwMP1RZ0hKa1HryYDlCKck="
+      def body_hash(body, algorithm = "SHA1")
+        encode_base64(OpenSSL::Digest.digest(algorithm, body || ""))
+      end
+
+      # Parses an OAuth Authorization header string into a hash
+      #
+      # @api public
+      # @param header [String, #to_s] the OAuth Authorization header string
+      # @return [Hash] parsed OAuth attributes with symbol keys (only valid OAuth keys)
+      # @raise [SimpleOAuth::ParseError] if the header is malformed
+      # @example
+      #   SimpleOAuth::Header.parse('OAuth oauth_consumer_key="key", oauth_signature="sig"')
+      #   # => {consumer_key: "key", signature: "sig"}
+      def parse(header)
+        Parser.new(header).parse(PARSE_KEYS)
+      end
+
+      # Parses OAuth parameters from a form-encoded POST body
+      #
+      # OAuth 1.0 allows credentials to be transmitted in the request body for
+      # POST requests with Content-Type: application/x-www-form-urlencoded
+      #
+      # @api public
+      # @param body [String, #to_s] the form-encoded request body
+      # @return [Hash] parsed OAuth attributes with symbol keys (only valid OAuth keys)
+      # @example
+      #   SimpleOAuth::Header.parse_form_body('oauth_consumer_key=key&oauth_signature=sig&status=hello')
+      #   # => {consumer_key: "key", signature: "sig"}
+      def parse_form_body(body)
+        valid_keys = PARSE_KEYS.map(&:to_s)
+
+        result = {} #: Hash[Symbol, String]
+        CGI.parse(body.to_s).each do |key, values|
+          next unless key.start_with?(OAUTH_PREFIX)
+
+          parsed_key = key.delete_prefix(OAUTH_PREFIX)
+          result[parsed_key.to_sym] = values.first || "" if valid_keys.include?(parsed_key)
+        end
+        result
+      end
+
+      private
+
+      # Generates a random nonce for OAuth requests
+      #
+      # @api private
+      # @return [String] hex-encoded random bytes
+      def generate_nonce
+        SecureRandom.hex
+      end
+
+      # Encodes binary data as Base64 without newlines
+      #
+      # @api private
+      # @param data [String] binary data to encode
+      # @return [String] Base64-encoded string
+      def encode_base64(data)
+        Base64.strict_encode64(data)
+      end
+    end
+  end
+end