RubyGems - sinatra-portier - Versions diffs - 1.4.0 → 2.0 - Mend

sinatra-portier 1.4.0 → 2.0

Files changed (8) hide show

checksums.yaml +5 -5
data/README.md +7 -1
data/example/app.rb +23 -22
data/example/config.ru +8 -2
data/lib/sinatra/browserid/helpers.rb +30 -3
data/lib/sinatra/browserid.rb +40 -14
metadata +63 -9
data/example/views/index.erb +0 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: fbc4d5679b36bfe8c83d6657e0835d7b4747f76b
-  data.tar.gz: bbe2ce4265fc758c9206f4e7986876e2477f72a5
+SHA256:
+  metadata.gz: 7cd3476f061fb1de32d057c4f8a6161fb62e0321f47f0c6d264a31d3c16755f7
+  data.tar.gz: 1773f716e2a04c6e2b6de9c3fe221b4352004a3b1de09afb763846ff4ea34d17
 SHA512:
-  metadata.gz: cdc7a80021f5577be656d395f0a809e4f9e3e7b937545e295ec4e5cf98a881701266e0d504395855ae77815047ca0b53aea09d511ab22b921ffef3bf320f4352
-  data.tar.gz: a55f87fec6301cc3d3fa1727bd66d3b2d96a062c7a7190082fe640c7352f2f6547b66b0481d91f945bd74a9332b106913c85800b1dc777385ec0683d7f3a2b94
+  metadata.gz: 974c8c6c0464f36a73d93bde35a29545874da0ae0c1832d5cac4f0588e4e774fcaf365201e403936a1138c51c39efd07ebd14fb4fd857a72348d3fbf19779ba3
+  data.tar.gz: 4b305bc259bad7d833a74d3d27dfbc8922b83a5bb2b6dce48b3077f433b89de7d2635f5506e8c084647fef60b29b8b1973e1329e3390959af80565053b819600

data/README.md CHANGED Viewed

@@ -53,7 +53,13 @@ end
 ```
 See the rdoc for more details on the helper functions.  For a functioning
-example app, run <tt>rackup -p $PORT</tt> in the example directory.
+example app, start the app in the example directory:
+```
+bundle install
+bundle exec rackup -p PORT
+```
 Available sinatra settings:

data/example/app.rb CHANGED Viewed

@@ -1,28 +1,29 @@
-#!/usr/bin/env ruby
-$: << File.join(File.dirname(__FILE__), "..", "lib")
-require "sinatra/base"
-require "sinatra/browserid"
-class TestApp < Sinatra::Base
-  register Sinatra::BrowserID
+require 'sinatra'
+require 'sinatra/browserid'
+register Sinatra::BrowserID
+set :sessions, true
+# Disabling origin-check is needed to make webkit-browsers like Chrome work.
+# Behind a proxy you will also need to disable :remote_token, regardless for which browser.
+set :protection, except: [:http_origin]
+get '/' do
+    if authorized?
+        "Welcome, #{authorized_email}"
+    else
+        render_login_button
+    end
+end
-  set :sessions, true
+get '/secure' do
+    authorize!                 # require a user be logged in
-  get '/' do
-    erb :index
-  end
+    authorized_email   # browserid email
+end
-  get '/logout' do
+get '/logout' do
     logout!
     redirect '/'
-  end
-  get '/confidential' do
-    authorize!
-    "Hey #{authorized_email}, you're authorized!"
-  end
-end
+end

data/example/config.ru CHANGED Viewed

@@ -1,2 +1,8 @@
-require "./app"
-run TestApp
+require 'rubygems'
+require 'bundler'
+Bundler.require
+require './app.rb'
+run Sinatra::Application.new

data/lib/sinatra/browserid/helpers.rb CHANGED Viewed

@@ -28,6 +28,28 @@ module Sinatra
         session[:browserid_email]
       end
+      # Normalize the email like the broker will do it, see
+      # https://github.com/portier/portier.github.io/blob/master/specs/Email-Normalization.md
+      def normalize_email(email)
+        begin
+            user, domain = email.split("@")
+            if user == nil or user.empty?
+                raise ArgumentError.new('user part must not be empty')
+            end
+            user = user.downcase
+            domain = SimpleIDN.to_ascii(domain).downcase
+            begin
+                IPAddr.new(domain)
+            rescue
+                # if domain could not be parsed as IP we are good
+                return user + "@" + domain
+            end
+            raise ArgumentError.new('domain must not be an IP')
+        rescue Exception => e
+            raise ArgumentError, 'Not a valid email adress: ' + e.message
+        end
+      end
       # Returns the HTML to render the Persona login form.
       # Optionally takes a URL parameter for where the user should
       # be redirected to after the assert POST back.
@@ -39,9 +61,14 @@ module Sinatra
         redirect_url ||= request.url
         session['redirect_url'] = redirect_url
-        nonce = session[:nonce]
-        unless nonce
-          session[:nonce] = nonce = SecureRandom.base64
+        if session[:nonce]
+            nonce = session[:nonce]
+            # Try to limit how many nonces are stored by keeping the session nonce alive
+            Cachy.delete_key(nonce)
+            Cachy.cache(nonce, expires_in: 600) { true }
+        else
+            session[:nonce] = nonce = SecureRandom.base64
+            Cachy.cache(nonce, expires_in: 600) { true }
         end
         template = ERB.new(Templates::LOGIN_BUTTON)

data/lib/sinatra/browserid.rb CHANGED Viewed

@@ -4,14 +4,27 @@ require "open-uri"
 require 'json'
 require 'url_safe_base64'
 require 'jwt'
+require 'simpleidn'
+require 'ipaddr'
 require "sinatra/base"
 require 'sinatra/browserid/helpers'
 require 'sinatra/browserid/template'
+require 'addressable/uri'
+require 'cachy'
+require 'moneta'
 # This module provides an interface to verify a users email address
 # with browserid.org.
 module Sinatra
     module BrowserID
+        # Init an in-memory cache via the cachy gem. We use this
+        # instead of the session because of dropped sessions
+        # after redirects, see https://github.com/sinatra/sinatra/issues/1742.
+        Cachy.cache_store = Moneta.new(:Memory, expires: 600) # 10 minutes
+                                                              # We need to set a global :expires here because of https://github.com/grosser/cachy/issues/7
         def self.registered(app)
             app.helpers BrowserID::Helpers
@@ -22,35 +35,48 @@ module Sinatra
             app.set :browserid_button_text, "Log in"
             app.get '/_browserid_login' do
-                # TODO(petef): render a page that initiates login without
-                # waiting for a user click.
                 render_login_button
             end
           app.post '/_browserid_assert' do
               begin
-                  # 3. Server checks signature
-                  # for that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
-                  public_key_jwks = ::JSON.parse(URI.parse(URI.escape(settings.browserid_url + '/keys.json')).read)
+                  # Server checks signature
+                  # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
+                  public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
+                  public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
                   public_key = OpenSSL::PKey::RSA.new
-                  public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2
-                  public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
+                  if public_key.respond_to? :set_key
+                    # Set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
+                    # Note that we have no d, as this is a public key, which would be the third param
+                    public_key.set_key( (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2),
+                                        (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2),
+                                        nil)
+                  else
+                    public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2
+                    public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
+                  end
                   id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
                   id_token = id_token[0]
-                  # 4. Needs to make sure token is still valid
+                  # Needs to make sure token is still valid
                   if (id_token["iss"] == settings.browserid_url &&
                       id_token["aud"] == request.base_url.chomp('/') &&
                       id_token["exp"] > Time.now.to_i &&
                       id_token["email_verified"] &&
-                      id_token["nonce"] == session[:nonce])
-                          session[:browserid_email] = id_token["email"]
-                          session.delete(:nonce)
+                      # nonce is really known to us
+                      Cachy.get(id_token["nonce"]))
+                          session[:browserid_email] = id_token['email']
+                          Cachy.delete_key(id_token["nonce"])
+                          session.delete(:nonce)  # it's possible the session persisted
                           if session['redirect_url']
                             redirect session['redirect_url']
                           else
                             redirect "/"
                           end
+                  else
+                    # Even when the token check failed the nonce has to be invalidated
+                    Cachy.delete_key(id_token["nonce"])
+                    session.delete(:nonce)
                   end
               rescue OpenURI::HTTPError => e
                   puts "could not validate token: " + e.to_s
@@ -58,8 +84,8 @@ module Sinatra
               halt 403
             end
-        end # def self.registered
-    end # module BrowserID
+        end
+    end
     register BrowserID
-end # module Sinatra
+end

metadata CHANGED Viewed

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-portier
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: '2.0'
 platform: ruby
 authors:
 - Pete Fritchman
 - Malte Paskuda
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-05 00:00:00.000000000 Z
+date: 2022-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -53,7 +53,63 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.2.2
-description:
+- !ruby/object:Gem::Dependency
+  name: simpleidn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.9
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: cachy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: moneta
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description:
 email:
 - malte@paskuda.biz
 executables: []
@@ -63,7 +119,6 @@ files:
 - README.md
 - example/app.rb
 - example/config.ru
-- example/views/index.erb
 - lib/sinatra/browserid.rb
 - lib/sinatra/browserid/helpers.rb
 - lib/sinatra/browserid/template.rb
@@ -71,7 +126,7 @@ files:
 homepage: https://github.com/onli/sinatra-portier
 licenses: []
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--inline-source"
 require_paths:
@@ -87,9 +142,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
-signing_key:
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Sinatra extension for user authentication with portier
 test_files: []

data/example/views/index.erb DELETED Viewed

@@ -1,21 +0,0 @@
-<html>
-<head>
-</head>
-<body>
-<h1>Test App</h1>
-<p>
-<% if authorized? %>
-Hello, <%= authorized_email %> <a href="/logout">(logout)</a>
-<% else %>
-<%= render_login_button %>
-<% end %>
-</p>
-<p>
-see a <a href="/confidential">page that requires a login</a>.
-</p>
-</body>
-</html>