sinatra-canvas_auth 0.0.3 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 18c5767aed8a836503fa4c9880faa99e5e3b21c1
-  data.tar.gz: 675e5cbbd76fa389ebd9b63580c5a25454be275d
+  metadata.gz: 829a0ea15cee0cbe68d6e29af2ffb52a2f839903
+  data.tar.gz: 651e5961b52eba8b9423c6acecd0b2f34ecaa0fc
 SHA512:
-  metadata.gz: c002fbf02f0f41127c26aa81d2d7d1cf438ea152e55ec5e8d67d0d103b26aaad69e213d9006b95a1c227e15554e8a6493a031c1a7471f6e269608c3ec914f806
-  data.tar.gz: c1132a29cc37e8a34f0daada820b865629de65f6af4098883852e945737eb2e23dae937c609949b0f34eccbfc8741f3651f3bb747d4e10bb9af3fc71ecaaa15c
+  metadata.gz: f92f0c1a68083d4b58e907b0d0d811037619223e29fbfb40c6c684e005303803b1058552a30b0e8437f83359412c45e5222aa464b2b72e2a008318660d737887
+  data.tar.gz: 4d4635ca2e3c66edd45d06dc8cfa211f9f8909ad8c9c58781ebb6054bb707c703edc66a2361aa46a170c7225757b5b007c87730dba60981c14f103b1eb439b3d

data/README.md

@@ -105,12 +105,19 @@ CanvasAuth requires a baseline configuration to function, as Canvas API settings
   Default: [/.*/]  
   To only require authentication for certain routes, they may be explicitly specified here with either strings or regular expression. By default, all app routes will require authentication.
   ```ruby
-  set :auth_paths, ['/admin', /^\/courses\/(\d)+$]
+  set :auth_paths, ['/admin', /^\/courses\/(\d)+$/]
   ```
 
   Alternative syntax:
   ```ruby
-  authenticate '/admin', /^\/courses\/(\d)+$
+  authenticate '/admin', /^\/courses\/(\d)+$/
+  ```
+
+* **public_paths** (Array)  
+  Default: []  
+  The inverse of auth_paths, routes matching strings or regexps in this array will not require authentication
+  ```ruby
+  set :public_paths, ['/homepage', /^\/assets\/.+$/]
   ```
 
 * **unauthorized_redirect** (String)  
@@ -126,6 +133,13 @@ CanvasAuth requires a baseline configuration to function, as Canvas API settings
   ```ruby
   set :logout_redirect, '/goodbye'
   ```
+
+* **failure_redirect** (String)  
+  Default: "/login-failure"  
+  If the user declines to grant the app access to their Canvas account, or the API request for a Canvas token raises an unexpected error, the user will be redirected to this path.
+  ```ruby
+  set :error_path, '/auth-error'
+  ```
  
 
 #### Callbacks
@@ -164,9 +178,10 @@ The following are optional hooks called by CanvasAuth which allow you to customi
   * GET  /canvas-auth-logout
   * POST /canvas-auth-token
 
-* The following routes are also defined by CanvasAuth, but only as placeholders that may (and should) be overridden by your application. They do not include any functionality and serve only as landing pages to prevent 404ing on the default redirects.
+* The following routes are also defined by CanvasAuth, and may be overridden by your application, should you wish to replace the default view/behavior provided:
   * GET /unauthorized
   * GET /logged-out
+  * GET /login-failure
 
 * All routes defined by CanvasAuth are permanently exempt from the requiring authentication, to avoid redirect loops.
 ## Contributing

data/lib/sinatra/canvas_auth.erb

@@ -0,0 +1,89 @@
+<% params ||= {} %>
+
+<!DOCTYPE html>
+<html>
+<head>
+  <style>
+    #box-content {
+      background-color: #FFF;
+      padding: 24px;
+    }
+
+    #modal-box {
+      border-radius: 3px;
+      box-shadow: 0 1px 4px 1px rgba(0,0,0,0.4);
+      box-sizing: border-box;
+      margin: 36px auto 0;
+      width: 696px;
+    }
+
+    .btn {
+      background-color: #CFB87C;
+      color: #2D3B45;
+      border: 1px solid;
+      border-color: #C7CDD1;
+      border-radius: 3px;
+      padding: 8px 14px;
+      font-size: 14px;
+      font-size: .875rem;
+      line-height: 20px;
+      text-align: center;
+      cursor: pointer;
+      font-weight: 300;
+    }
+
+    .btn:hover {
+      background-color: #c8ae69;
+    }
+
+    body {
+      background-color: #2e3c46;
+      font-family: "Helvetica Neue",Helvetica,Arial,sans-serif;
+      font-weight: 300;
+    }
+
+    form {
+      margin-top: 30px;
+    }
+
+    header {
+      background-color: #34444f;
+      padding: 18px;
+    }
+
+    h2 {
+      margin-top: 0;
+      font-weight: 300;
+    }
+
+    img {
+      width: 140px;
+      height: 57px;
+    }
+  </style>
+</head>
+
+<body>
+  <div id="modal-box">
+    <header>
+      <img alt="Canvas by Instructure" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARgAAAByCAYAAACIls4EAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyhpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMDY3IDc5LjE1Nzc0NywgMjAxNS8wMy8zMC0yMzo0MDo0MiAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIDIwMTUgKE1hY2ludG9zaCkiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6ODIxNkEzODM0OUI4MTFFNUIwMTFCREYzMTYyNDQwM0YiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6ODIxNkEzODQ0OUI4MTFFNUIwMTFCREYzMTYyNDQwM0YiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4MjE2QTM4MTQ5QjgxMUU1QjAxMUJERjMxNjI0NDAzRiIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo4MjE2QTM4MjQ5QjgxMUU1QjAxMUJERjMxNjI0NDAzRiIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/Pruwz2EAABbFSURBVHja7F0JuBXFle4HqLgERCIKLsElKKDBZRRxYYko+gFmokFHRxAmq7glLpPEmOCMGTIuCToaCDpxRUXiIGpch9EXxlHRSIwCikAEjLtBATUswpv/954bmraru7pvv/vuffz/953vvtddXVXd1fX3qVOnTjU0NTUFgiAIzYE2egSCIIhgBEEQwQiCIIhgBEEQwQiCIIIRBEEQwQiCIIIRBEEEIwiCIIIRBEEEIwiCCEYQBEEEIwiCCEYQBBGMIAiCCEYQBBGMIAgiGEEQBBGMIAgiGEEQRDCCIAgiGEEQRDCCIGxuaGjuAuYP3Kc7fvpCepvsCtkd0hGydSjpCsi7kDcgiyFzIS9CZvdqXLBSTSUI9QXuudasBANyeQ4/B1WYzQbI90EyV6nJBKG+CKa5h0ivFzSM+7OaSxDqDxUTDLSUtgmn7y+gjmsgj+YoWxCEeiYYdPBh+FmE38MdSaZClldYxzswPHLlMQFlPwjZXU0pCK2EYNCht4XcZBpKd8jVcelADKvwc1EF9aPh92JHHfbBz1mQ4yHz8P/pak5BqHOCQUfuhR8ab0eHDh+C44c6LiER3ZqjbjTujgRJveU4f2ao/ttBbkMdboa0V7MKQh0SDDrvcfh5CrJPzOkTHFpME37+CTIpQ1HUfE7EtUk2nOExx86ANKKeO6lpBaGOCAaddiR+HoB0cCRxTkeDKNZDxuLPIZA5CcWsh9wC2R/p702oS2f87Ok4TZ+bJ5FmbzWvILQsvPxg0Fk5HJmYkuxpkEI/z/z2w88xQcnhjoT1DmQe5GHk8Z7H9d3x82pKMk6RD0J+C9XMglB90A+mnUdnHuVBLpmATk8v3bnNfH+7QB7nDBfKW6bmFoQaGyKhc3KG5ibPvBZVsd50vPvEk2Rm4j52UFMLQg0RDDplT/zcFfjbaf4vS8G0o0C+ATkb8oWMGhDJ5WnP5F+ETEMZ7dTcglADBIPOyGlfGlk/55nPOsj0DOTCWaj5kBsg10JewrFjMtb9jgxpj4b8TM0tCLWhwVxrX35fXAet4p0M6cdDuoT+56rqazLWnUO3LLaVC0Fix6rJBaEFCQad8O+DTZ3o0rAE8q8Zy90v5ljPjMOk1UHJkzcL6IjXUc0uCNVBuwi5cMr4ugzXc0p5GDr7BxnL5fCoR+RY5ulklPtb1Pm7gWOpQgy62lBpbK02SFNTE/176FPE321CQ9DX7Lk939DQ8ElBZVFzPACyV1CK00MvaLoukLwZg+f9oGS8fxFl/rWgMo/Ez+djTi1DGXNC6ViPw214uz9kRzv1EeRPQckG9xCuWZ6hbA79B7veZeT1RM574mTCIY7TC5HvPM98eM/03/oSpBuks7UHvdpXmPA9mIc832zGd7CNffD7QOi0Wv4osx7lmE0L7N7WexOMZeb7Is2GnIpO/qqRE7WSkyBrIbenTA1fAukPKc/u8JpzUuw2THu61ZH+Mv9rJHMNznE5wcRQfknoiPQN5mFcK6TCzk1fo1Mhe6QkX4n0M0iqaNw/5Hx5RkDGWOf1MX6vw3V83jT6T0G5H1dwuz+FDIg5TgfL0VY/en5/3zqbC2dbvabwfUKd3vAom/X+pXXeuOfaBfmsyXFP55vE4atByccrqU24/OZcyIkhIk1rR36Qafe8AXVeXCD5c1QwNPCzv/KZNQalRc33oB6rowkaYjpye2vgM2OGMuyUnC2i2/+d5U6Ka76Cn7tDLytd/Qfi/JwEwtjJXnSWdw/SLk5I29UIbbfQ4QtwzS9CaTpZI58RSVfWAB6CTMA1jTVELFvh5ydW7zxrqNgpz/f9iqO8v8PPjaYR5MU7VubtOe+5MYFgfmQkdkTGbKlpnYQ6Pe5R/hWBewHuCcjj/oz3wz60NOadK9erq4u0cC01gysh3wjyR5ekVvGfkAtRzqqcbUKH18mQ4yp4L/iRv5wjoLKGnRrRDp2Whth9jc34Er+MDvp+TLqFMV+bB5B2WBEdEfn/POYLQbbcEWV8GEnLe+oeqg+Hby8g3ZqghmBq9X1B5RH/qEEOQ6POTymPH41fQbYo6BaoCZyDcpsKIphZNlTbJWd9qHkPRn2eTCmfYVtdTp7UzkZmvJ/DgtL6vDhMRn7fcVzH9/OBGFNBXrxCjRTl/Tlj/ftaPToXVA9q1SejHotSPXltZshndihOld23wP64V8yx9mY3eDlS5ybrdK8GNQojlyeMCCsFh1S/Q56D0KhzHeV9y75QReIsI+9LCsqvf4XX0540Hfe6P57Du65EtIcgDTvBgTGnh+LcFkizLkO5IxLOTUmwszVWQKZxIFE9SsLw1WSQln2Uwdw6FFgPPtfTApv4KSpk5vMxx+YUWOk/xhyjwWtJUGewYdF9BZFLGWuss7swOENeqzOkvRj3c3ANPV4Ou6/wSOcKH9LJ7FJZhkcuglkauJ1PaTztkkEz8wUNs5dlqPstnuSy1swjPrgKBPe3WeWiCIYGt3DkfxrcLi7wxflFhGRouR5rU9X1hnEpw6KPzE5ymtkiOJNyih2Lu1/O5H05RTWm8TjOMXG5vZB9TUVug3y2tmFUD7NnzUrIly/pj5vpOb1jdR5n79Jkzw/KSDOaJ+HOwL3UZESGOvZ12F6I213DRxy/Bz9fC0q2wShoyzzBtJutkHYbSIOR57E2zE1677+D+/cJV8JwJ64YTnw2E20oux2KZz3IFbQZ8YNC++z0mPqzbv8cZ+M4FrJHJW8Drt8ZMhpyGuRzRb9tyHNL+uhAvgXZs8K8GiD7QgZUWXvZHbK6yY37k14Ou/6xUPoVkAN9v1iQSaFrqU5/3vPab0M2OOrMmZwdMjyDxqZkrIV8D7JlzLVtIKMgq1LyuMCjHg84rl3OYZLnvfw8oQ49Pa4/GvKxpX8X8mXfoQ1kcULZZ3vkcZfj2pVmV/KpR1fIDXbdJNOKwuc/7WxbQ9ZBmiDPQ8aYobTVgeuRIOdCFtn9vlllgpmQ8FLcB2nrkUdbTs3ai9k/Y/kkmasg/x3XgVOunZhQ9+EFEcwnkMEeeRwGWZOQz4MeeZyScP1xns9ymeP65zI8j6Mgr0G+lLE9+ibU/26P6193XHthjve6b5RcygTTxlSedqGxIVVxRoXr1srIheuffh+UliSUjcY7Z11oWQG58Ks4xnGaw5vRaU5Lpl4zDWc6DsXfs7LUgSo7hC/QcPyuzXgLSc6MvQt6TJzinOlxH3SyS1pbtp9HWfdGhvVZh0lJw6MpGdqE/kVfxO8LGduSbhtP5bl/exe7JTyXIGtdXMPBNg57AL+Ms1oLyVgc4SeMQOMMbtXAwGCjR2QUP8zikWpEkTueTpxDlMc1r5i9Jw47F2hr88V/BCUfkDh09nwG0xynv+oxTHKREOs0tbnbw+AyIqfZYJJ8rj4u8qUnwfRynONX/u5633uIOyDgh56vLntDrypVZZDj+PKEF73W4NpIrwib2wJ0tGUZOuVy00jjsA0IwsdDOddsUsrs0czmdOOPwOW9vF3Ks+M0tkuD7Vc0wSS5Y/czdbyewbVKSSvDe1SpHq61KrNyDFdaCq6p8CI+QosLvmY7j+up1S7JMUxKnD2qgfbwIVcXOV1unr2FEUzalN4PHJpBT0gfSJuWfONRfg+rR9uYc/Q5+V5KFtUaBrpIbl4gEH+p0jWbDDUTtJikYdKIhOHF9Co+s0rW07nsd5yhnY97vx5yOuQIOgbawtjMINOlOfzsQwNpr8YFC6zTdrIhR3kGYy6OnVBe9FhFYqGDEP0JylN7C3BsaGRN05Ee4/Guzf4WlBbwubw2l1S7J5uKz+nto2yIyHegY5DuF3VAM1ZrQ45r1hdQLg2yP0kYJj2cYXh0L0jrw5xtQjvWYHvG1I62h2yVclkltq9fQ0Y5ztGs8E2TcB3p3PqWDZXZ32mX+x3kWdz3BhfB+MRH4bz4Avt7fLCpWzct1tcHpV0CqonLQuTyKRHaQxsYqXcaqhEfpkOC2vp+FYmFX2S6+HPl7h6BQC1mIZ7LUw7bw4gowQQFzR6F2oQkf4n1n4Yq3vcslE1t68QMl3U0ie6L9g7y4izjROS7IjpE8hnihL/yccavQS3wbsQ5JQ2IxN71Gf5sVYW6JpWxtkrkwiEal29MELl8BrdlGCa5tBeuf3o0Q3tsCbnOhirHVpNcQuAC2NkF5NPFFI+5USc9X/tJeKwXt/jxvRZ4OHEL2t63gOA196FsycJtcd2TgZ9/yOaIqQ6i32Q2KWV4NNU3EJjlMzXIHpGxaC1mhSkH/OgUEW2A9txHcH99wgTjM/YNT7tdGXP+8hZ4PlfG1D3qfOUThKgaYRyS/By2bGZyofH7N4F7ml7DpIYGDlN/6zg9wnN4lGX26LygFIiqFu79rxCGQqHD6Y9Mo6pEq6Y54M6ymwAJZoXHRX+zONuWrsfYS8u/T8OxCdV+MCiTAaRoFKMPCYMEjcSxKPn5bG2yogrVpd+ByyDZqZnL5kJH1+JKfnEn23OkmstQBU4EJYNea4XPbNJJjjQLzbPWh/DpM3RpQhLag+gaQj+0bVPaY0yBRPM2ZDyE6/O2sWE0zRBcdHuRfdC5SLQxSF65T/Qs23ba2ZAn6SV/Dh13SaRz0517Zku/EagHI5glRTGjnwOnMjt7amfN9ZVYjxfrzSDeJaB7FcbZcaCbPAMU/V46zKd40PGuhGeTTixAeyFJuSYWOHExLmsQr+Z4X4PS7OaSBK2Yxul/C0qr/ePA9WnTqMGkRcD6ab2+MRbFLk27eqNK1XEFNe/dXAXagsYjHacvzkEurXbzOgsy5XLxH2Fxb/YsgGBcEyKzc5DLFi30rNZDqMn0T/jAH1EeIiVt+ToDnXRGnb87VwfJOxa8UqV6uFbY9s+6sjkDdk54Ce/IkV9r3/LFOUyyoUIcnmZ4yAxluLxk78qhubRoe5im8++O013LBOOK5To3Qb2uJy2GAZy415Nrpmt+larS6DjOWConN1OZrjgtq8ywmUUbagjSvb7rXYt5Jtjo7xUdJrlirEwpqE2W5qjybjXw2Fwf6PZlgpnjGI8OiAvwXackM9+GCnGhN/9YpWo8FpSi1cXhZxmDNjVY6M00uGbItvUNqhQC45VsvxnYYlxaTJyWSSP5XRnzd80o5nm2lcYx5rvUJy6WSwa4wp2sKxPMc8HG8IH8m3sd0eV+eWt6a2ypA7ft4BRheTnBWzi+tBrl28ZlrmEJNYOHbBsLH01igmd6l9bGdj864y1cFGweoEbiO1R5BO2a1QfMlf6YjMTA9AdUSC4MzfksZKrNbuWBaz+zjcH4ufF8JSEzLZzleMirkJe522LRUfGQ39cgcyCvQX4N2b6CvFoqZGZPi9rmwku2d5Hr+h0g00LpZ6eRDM4vcZT1gg+hWR4XpISovDnDM2isNI9QXlcn1Gn7Ctrp8SY/nJIj739x5MWZxqM989iPs5JJFfMhFwtPWgbfk3+wdXM+ddgKck1CFa72qIZ3h73GQlCGZWyB5HJ0TP6P1OPnMRIXNw4bLDbv120lK0Mqngy5FvKBgyh2TCjvpoSyuGp2WFyoThuGMTTlvR4drbURzBiPe16ZZ4UxrhmQkCfDoP4Q0tlxbTfIj0NxfHMRDLWfCLmE8ZrFGuYWLl+AbBu6rgOkH+TShHChZeyfuvFaBgKgI1k0/sYfMPw4qKD8OQ0YZ8XfFWW8XmcEw+fEfXn2LlLBgwyJ21nANtZKczjkCmCGjfjAbA2sY8/AL6YKcQvKHu1LMIFjZ0ffPMIEY0PeOHRCfh/kbCMOF94OSnstVXzPkbypIcy15+sCPdQ5pOfKZXrVlh3fvI3s5ogXVz4Xdf5Pyr3F2VNYb9+4P7ei+DPKMXmLwBaeRrG8aJfB8FbTsOX8Q4Ni1291cRkJzcM0bUqaREIiGhKU/DQOyUAurQ4W8S3NPWNKzrxJHt9NSVbefH6QtclRQXEzePwYPZWjf/uSC8nz7LSOW9YcvLaODUp7ufxj5NhvCmzz/wo+O5U7Jy4GTT1sHcv4thz+BKX9svesMDsaqYdyx8KENN+253FoBeWQEFcFm89KbG5KdqrjHL2yH6ug/bllDPcPuqLCOj6TtU25wBFlHx+Udl68KChub7RyfYaFd5ZsF9NBOX9N/xdurhRdfUvbBwMNT4Lcadu0EmcZy9GVmjNS3Ix7fAJx8abGWRlU1ehBeR7yiw04jOPTcA1Jgxtw0TBJNfuMSJ70VTjfjkf9A7gtCzvzBOTVWEMkw1WnlxsB5Ak7SRIfmzaTQa3J9tyZHPMh8AEj3p9k7bq5EMxMG6LEBXW6wxVgKUP7X4k2Yf4Tc2iLH1vfaZPno2EhWn/ACQPrp0MqfFZ0v+BC4yui2+42RDopY4Y86GkfoOp9aliLwPUkmQ04tj5FM+LWGdGFiTfiuq972GPaR3d0xLFTrKF8fEk4XDg9RI61YJfZy9RKrtxN26+Y986tZyfY9h1Zy+pvRHy8xxCTbUs7xyS+OEXYT+rBBhPKn+9o3D5BByLv5wtqe+4AwI3iRgbpEepILFxweBnKX4pr+bxuymKDcdSBo5RR9k70CfzCi6w3jWWa2VyWx+T7GYLpYGM03025+eUciM6aKa4syqGRMzqHvxr5ZLbKI6/zguQ9e6KYhHLGBjUI83HpYY28R8gQR62QBlwa/uagMdcUUBZnBw62sX4X06D4Vebqcho4X0A58yPX0FkxLuzDMqSd41luxXmE8mJkNbqk0661zuq+1jriikoXDXLnQrNNbdKxkO/9zdT2vaztdwu1/Yc2zKfH7LPmT1W+hssODnIQzIyc9ehg9eDQfadg43KEJnu+79l7+ELaexg7i8TtWYNSrFtfcKuJA7J4/dKfJSjFhK2IYJDPsKAUqsEXHDv3RDkrAkEQmvuD+VkDjy1uvDlDPmTRSzOWHbf69LaM5EJb0S8zljta5CII1YPLgkz334UZ8jkz4y6Q3MFvnGkU1Hx+FaRP3UUxJnCvTI3DVSCXR9XkglA9NCRoCByb05Dru0bhXHTga6tVcdSPe/oe6ZmcjkXH1Wi8XkHYfIZIoaHSS/jh7IzvdFy/alXcdg44zDM5NbGTRS6CUDtDpDLJPBT4x/3cu4r1plejT3Q1LiMY3NpWhgtCvSC1k6Jz3mobyE9MSbougwZCBz4uN6cNhdNijAvMqe6HUV5RLvQkl0HIb5maWRBqlGCMZCaBFDgff3OC1pOqJSAPbjBFjz/XIsj1SMM1HuNS4rSsSinqT5AhyGORmlgQanSIFCEZTiNzkd5KR5JnEoilLYQa0CMJ5ELQ2Yuu/i8i/VcS6vIXI5E40DB9uMhFEOqIYKxjc+sGGnPj4pbOcJALZ6puDEprJ3zBmavpuHZ4Qpo4BzsuUKNn8dtqWkGoM4IxkqH7+MHBps54s3D8RcclNBKPylm320AyrvUZXHBZnuHi8I0br42OrlMSBKGOCMZI5iMIiYMaBhfEnePQXqiJXFlB/bgOYryjDtSi6MnLma7e+H+KmlMQagsVR7SjfcW1ehrnvomf6yssgguqusVNNSeVLQhCy6KQiHYpHXx4AfXk9hzH5ihbEIR6HCJlwC4F5EE7y65qKkHYDIdIHkOo7kEppkZvE5IFHexoXwmHZ+Aq53eD0l7R3LeIsT1pOJ4NTWWlmkoQ6m+I1FDY3iWCIAhVHiIJgiCCEQRBEMEIgiCCEQRBEMEIgiCCEQRBBCMIgiCCEQRBBCMIgghGEARBBCMIgghGEAQRjCAIgghGEAQRjCAIIhhBEAQRjCAIIhhBEEQwgiAIIhhBEEQwgiCIYARBEEQwgiDUHP5fgAEA8vadNCdwwY4AAAAASUVORK5CYII=" />
+    </header>
+
+    <div id="box-content">
+      <h2>
+        <%= header %>
+      </h2>
+
+      <p>
+        <%= message %>
+      </p>
+
+      <% if login_url(params['state']) %>
+        <form method='GET' action='<%= login_url(params['state']) %>'>
+          <input class='btn' type='submit' value='Return to login'/>
+        </form>
+      <% end %>
+    </div>
+  </div>
+</body>
+</html>

data/lib/sinatra/canvas_auth.rb

@@ -1,18 +1,23 @@
 require 'sinatra'
 require 'rest-client'
+require 'securerandom'
 
 module Sinatra
   module CanvasAuth
 
+    class StateError < ::StandardError; end
+
     DEFAULT_SETTINGS = {
       :auth_paths            => [/.*/],
       :canvas_url            => nil,
       :client_id             => nil,
       :client_secret         => nil,
+      :failure_redirect      => '/login-failure',
       :login_path            => '/canvas-auth-login',
       :token_path            => '/canvas-auth-token',
       :logout_path           => '/canvas-auth-logout',
       :logout_redirect       => '/logged-out',
+      :public_paths          => [],
       :unauthorized_redirect => '/unauthorized'
     }.freeze
 
@@ -24,14 +29,35 @@ module Sinatra
     def self.registered(app)
       self.merge_defaults(app)
 
+      app.helpers do
+        def login_url(state = nil)
+          return false if request.nil?
+          path_elements = [request.env['SCRIPT_NAME'], settings.login_path]
+          path_elements << state if state
+          File.join(path_elements)
+        end
+
+        def render_view(header='', message='')
+          render(:erb, :canvas_auth, {
+            :views => File.expand_path(File.dirname(__FILE__)),
+            :locals => {
+              :header => header,
+              :message => message
+            }
+          })
+        end
+      end
+
       app.get app.login_path do
-        params['state'] ||= request.env['SCRIPT_NAME']
+        session['oauth_redirect'] ||= request.env['SCRIPT_NAME']
+        session['oauth_state'] = SecureRandom.urlsafe_base64(24)
+
         redirect_uri = "#{request.scheme}://#{request.host_with_port}" \
-                       "#{request.env['SCRIPT_NAME']}#{app.token_path}"
+                       "#{request.env['SCRIPT_NAME']}#{settings.token_path}"
 
-        redirect_params = "client_id=#{app.client_id}&" \
+        redirect_params = "client_id=#{settings.client_id}&" \
                           "response_type=code&" \
-                          "state=#{CGI.escape(params['state'])}&" \
+                          "state=#{session['oauth_state']}&" \
                           "redirect_uri=#{CGI.escape(redirect_uri)}"
 
         ['scope', 'purpose', 'force_login', 'unique_id'].each do |optional_param|
@@ -40,7 +66,7 @@ module Sinatra
           end
         end
 
-        redirect "#{app.canvas_url}/login/oauth2/auth?#{redirect_params}"
+        redirect "#{settings.canvas_url}/login/oauth2/auth?#{redirect_params}"
       end
 
       app.get app.token_path do
@@ -50,14 +76,20 @@ module Sinatra
           :client_secret => settings.client_secret
         }
 
-        response = RestClient.post("#{settings.canvas_url}/login/oauth2/token", payload)
+        begin
+          CanvasAuth.verify_oauth_state(session, params)
+          response = RestClient.post("#{settings.canvas_url}/login/oauth2/token", payload)
+        rescue RestClient::Exception, CanvasAuth::StateError => e
+          failure_url = File.join(request.env['SCRIPT_NAME'], settings.failure_redirect)
+          redirect (failure_url + "?error=#{params[:error] || CGI.escape(e.to_s)}")
+        end
+
         response = JSON.parse(response)
         session['user_id'] = response['user']['id']
         session['access_token'] = response['access_token']
-
         oauth_callback(response) if self.respond_to?(:oauth_callback)
 
-        redirect params['state']
+        redirect session['oauth_redirect']
       end
 
       app.get app.logout_path do
@@ -77,24 +109,31 @@ module Sinatra
         redirect to(settings.logout_redirect)
       end
 
-      # These two routes exist to prevent 404'ing with default options, but
-      # ideally they should be overridden by the app, or alternate paths given
-      app.get '/unauthorized' do
-        'Your canvas account unauthorized to view this resource'
+      app.get app.logout_redirect do
+        render_view('Logged out', 'You have been successfully logged out')
       end
 
-      app.get '/logged-out' do
-        "You have been logged out <a href='canvas-auth-login'>" \
-        "Click here</a> to log in again."
+      app.get app.unauthorized_redirect do
+        render_view('Authentication Failed',
+                    'Your canvas account is unauthorized to view this resource')
       end
 
+      app.get app.failure_redirect do
+        message = "Login could not be completed."
+        if params[:error] && !params[:error].empty?
+          message += " (#{CGI.unescape(params[:error])})"
+        end
+
+        render_view("Authentication Failed", message)
+      end
 
       # Redirect unauthenticated/unauthorized users before hitting app routes
       app.before do
         current_path = "#{request.env['SCRIPT_NAME']}#{request.env['PATH_INFO']}"
         if CanvasAuth.auth_path?(self.settings, current_path, request.env['SCRIPT_NAME'])
           if session['user_id'].nil?
-            redirect "#{request.env['SCRIPT_NAME']}#{settings.login_path}?state=#{current_path}"
+            session['oauth_redirect'] = current_path
+            redirect "#{request.env['SCRIPT_NAME']}#{settings.login_path}"
           elsif self.respond_to?(:authorized) && !authorized
             redirect "#{request.env['SCRIPT_NAME']}#{settings.unauthorized_redirect}"
           end
@@ -105,9 +144,11 @@ module Sinatra
     # Should the current path ask for authentication or is it public?
     def self.auth_path?(app, current_path, script_name = '')
       exempt_paths = [ app.login_path, app.token_path, app.logout_path,
-                       app.logout_redirect, app.unauthorized_redirect ]
+                       app.logout_redirect, app.unauthorized_redirect,
+                       app.failure_redirect ]
 
       app.auth_paths.select{ |p| current_path.match(p) }.any? &&
+      !app.public_paths.select{ |p| current_path.match(p) }.any? &&
       !exempt_paths.map{|p| File.join(script_name, p)}.include?(current_path)
     end
 
@@ -118,6 +159,17 @@ module Sinatra
         end
       end
     end
+
+    # Verify state param from Canvas is the same one originally sent. Otherwise,
+    # unauthorized requests can be made by intercepting the redirect from Canvas
+    # to app token_path and tricking an authorized user into accessing the link.
+    # http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html
+    def self.verify_oauth_state(params, session)
+      saved_state = session['oauth_state']
+      if saved_state != params['state'] || (saved_state && saved_state.empty?)
+        raise CanvasAuth::StateError, 'Invalid OAuth state token provided'
+      end
+    end
   end
 
   register CanvasAuth

data/lib/sinatra/canvas_auth/version.rb

@@ -1,5 +1,5 @@
 module Sinatra
   module CanvasAuth
-    VERSION = "0.0.3"
+    VERSION = "0.1.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-canvas_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.1.0
 platform: ruby
 authors:
 - Connor Ford
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-27 00:00:00.000000000 Z
+date: 2016-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -73,6 +73,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - README.md
+- lib/sinatra/canvas_auth.erb
 - lib/sinatra/canvas_auth.rb
 - lib/sinatra/canvas_auth/version.rb
 homepage: https://github.com/cuonline