RubyGems - sinatra-portier - Versions diffs - 1.4.0 → 2.0 - Mend

sinatra-portier 1.4.0 → 2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +5 -5
data/README.md +7 -1
data/example/app.rb +23 -22
data/example/config.ru +8 -2
data/lib/sinatra/browserid/helpers.rb +30 -3
data/lib/sinatra/browserid.rb +40 -14
metadata +63 -9
data/example/views/index.erb +0 -21

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: fbc4d5679b36bfe8c83d6657e0835d7b4747f76b
-  data.tar.gz: bbe2ce4265fc758c9206f4e7986876e2477f72a5
+SHA256:
+  metadata.gz: 7cd3476f061fb1de32d057c4f8a6161fb62e0321f47f0c6d264a31d3c16755f7
+  data.tar.gz: 1773f716e2a04c6e2b6de9c3fe221b4352004a3b1de09afb763846ff4ea34d17
 SHA512:
-  metadata.gz: cdc7a80021f5577be656d395f0a809e4f9e3e7b937545e295ec4e5cf98a881701266e0d504395855ae77815047ca0b53aea09d511ab22b921ffef3bf320f4352
-  data.tar.gz: a55f87fec6301cc3d3fa1727bd66d3b2d96a062c7a7190082fe640c7352f2f6547b66b0481d91f945bd74a9332b106913c85800b1dc777385ec0683d7f3a2b94
+  metadata.gz: 974c8c6c0464f36a73d93bde35a29545874da0ae0c1832d5cac4f0588e4e774fcaf365201e403936a1138c51c39efd07ebd14fb4fd857a72348d3fbf19779ba3
+  data.tar.gz: 4b305bc259bad7d833a74d3d27dfbc8922b83a5bb2b6dce48b3077f433b89de7d2635f5506e8c084647fef60b29b8b1973e1329e3390959af80565053b819600

data/README.md CHANGED Viewed

@@ -53,7 +53,13 @@ end
 ```
 See the rdoc for more details on the helper functions.  For a functioning
-example app, run <tt>rackup -p $PORT</tt> in the example directory.
+example app, start the app in the example directory:
+```
+bundle install
+bundle exec rackup -p PORT
+```
 Available sinatra settings:

data/example/app.rb CHANGED Viewed

@@ -1,28 +1,29 @@
-#!/usr/bin/env ruby
-$: << File.join(File.dirname(__FILE__), "..", "lib")
-require "sinatra/base"
-require "sinatra/browserid"
-class TestApp < Sinatra::Base
-  register Sinatra::BrowserID
+require 'sinatra'
+require 'sinatra/browserid'
+register Sinatra::BrowserID
+set :sessions, true
+# Disabling origin-check is needed to make webkit-browsers like Chrome work.
+# Behind a proxy you will also need to disable :remote_token, regardless for which browser.
+set :protection, except: [:http_origin]
+get '/' do
+    if authorized?
+        "Welcome, #{authorized_email}"
+    else
+        render_login_button
+    end
+end
-  set :sessions, true
+get '/secure' do
+    authorize!                 # require a user be logged in
-  get '/' do
-    erb :index
-  end
+    authorized_email   # browserid email
+end
-  get '/logout' do
+get '/logout' do
     logout!
     redirect '/'
-  end
-  get '/confidential' do
-    authorize!
-    "Hey #{authorized_email}, you're authorized!"
-  end
-end
+end

data/example/config.ru CHANGED Viewed

@@ -1,2 +1,8 @@
-require "./app"
-run TestApp
+require 'rubygems'
+require 'bundler'
+Bundler.require
+require './app.rb'
+run Sinatra::Application.new

data/lib/sinatra/browserid/helpers.rb CHANGED Viewed

@@ -28,6 +28,28 @@ module Sinatra
         session[:browserid_email]
       end
+      # Normalize the email like the broker will do it, see
+      # https://github.com/portier/portier.github.io/blob/master/specs/Email-Normalization.md
+      def normalize_email(email)
+        begin
+            user, domain = email.split("@")
+            if user == nil or user.empty?
+                raise ArgumentError.new('user part must not be empty')
+            end
+            user = user.downcase
+            domain = SimpleIDN.to_ascii(domain).downcase
+            begin
+                IPAddr.new(domain)
+            rescue
+                # if domain could not be parsed as IP we are good
+                return user + "@" + domain
+            end
+            raise ArgumentError.new('domain must not be an IP')
+        rescue Exception => e
+            raise ArgumentError, 'Not a valid email adress: ' + e.message
+        end
+      end
       # Returns the HTML to render the Persona login form.
       # Optionally takes a URL parameter for where the user should
       # be redirected to after the assert POST back.
@@ -39,9 +61,14 @@ module Sinatra
         redirect_url ||= request.url
         session['redirect_url'] = redirect_url
-        nonce = session[:nonce]
-        unless nonce
-          session[:nonce] = nonce = SecureRandom.base64
+        if session[:nonce]
+            nonce = session[:nonce]
+            # Try to limit how many nonces are stored by keeping the session nonce alive
+            Cachy.delete_key(nonce)
+            Cachy.cache(nonce, expires_in: 600) { true }
+        else
+            session[:nonce] = nonce = SecureRandom.base64
+            Cachy.cache(nonce, expires_in: 600) { true }
         end
         template = ERB.new(Templates::LOGIN_BUTTON)

data/lib/sinatra/browserid.rb CHANGED Viewed

@@ -4,14 +4,27 @@ require "open-uri"
 require 'json'
 require 'url_safe_base64'
 require 'jwt'
+require 'simpleidn'
+require 'ipaddr'
 require "sinatra/base"
 require 'sinatra/browserid/helpers'
 require 'sinatra/browserid/template'
+require 'addressable/uri'
+require 'cachy'
+require 'moneta'
 # This module provides an interface to verify a users email address
 # with browserid.org.
 module Sinatra
     module BrowserID
+        # Init an in-memory cache via the cachy gem. We use this
+        # instead of the session because of dropped sessions
+        # after redirects, see https://github.com/sinatra/sinatra/issues/1742.
+        Cachy.cache_store = Moneta.new(:Memory, expires: 600) # 10 minutes
+                                                              # We need to set a global :expires here because of https://github.com/grosser/cachy/issues/7
         def self.registered(app)
             app.helpers BrowserID::Helpers
@@ -22,35 +35,48 @@ module Sinatra
             app.set :browserid_button_text, "Log in"
             app.get '/_browserid_login' do
-                # TODO(petef): render a page that initiates login without
-                # waiting for a user click.
                 render_login_button
             end
           app.post '/_browserid_assert' do
               begin
-                  # 3. Server checks signature
-                  # for that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
-                  public_key_jwks = ::JSON.parse(URI.parse(URI.escape(settings.browserid_url + '/keys.json')).read)
+                  # Server checks signature
+                  # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
+                  public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
+                  public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
                   public_key = OpenSSL::PKey::RSA.new
-                  public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2
-                  public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
+                  if public_key.respond_to? :set_key
+                    # Set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
+                    # Note that we have no d, as this is a public key, which would be the third param
+                    public_key.set_key( (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2),
+                                        (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2),
+                                        nil)
+                  else
+                    public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2
+                    public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
+                  end
                   id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
                   id_token = id_token[0]
-                  # 4. Needs to make sure token is still valid
+                  # Needs to make sure token is still valid
                   if (id_token["iss"] == settings.browserid_url &&
                       id_token["aud"] == request.base_url.chomp('/') &&
                       id_token["exp"] > Time.now.to_i &&
                       id_token["email_verified"] &&
-                      id_token["nonce"] == session[:nonce])
-                          session[:browserid_email] = id_token["email"]
-                          session.delete(:nonce)
+                      # nonce is really known to us
+                      Cachy.get(id_token["nonce"]))
+                          session[:browserid_email] = id_token['email']
+                          Cachy.delete_key(id_token["nonce"])
+                          session.delete(:nonce)  # it's possible the session persisted
                           if session['redirect_url']
                             redirect session['redirect_url']
                           else
                             redirect "/"
                           end
+                  else
+                    # Even when the token check failed the nonce has to be invalidated
+                    Cachy.delete_key(id_token["nonce"])
+                    session.delete(:nonce)
                   end
               rescue OpenURI::HTTPError => e
                   puts "could not validate token: " + e.to_s
@@ -58,8 +84,8 @@ module Sinatra
               halt 403
             end
-        end # def self.registered
-    end # module BrowserID
+        end
+    end
     register BrowserID
-end # module Sinatra
+end

metadata CHANGED Viewed

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-portier
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: '2.0'
 platform: ruby
 authors:
 - Pete Fritchman
 - Malte Paskuda
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-05 00:00:00.000000000 Z
+date: 2022-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -53,7 +53,63 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.2.2
-description:
+- !ruby/object:Gem::Dependency
+  name: simpleidn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.9
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: cachy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: moneta
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description:
 email:
 - malte@paskuda.biz
 executables: []
@@ -63,7 +119,6 @@ files:
 - README.md
 - example/app.rb
 - example/config.ru
-- example/views/index.erb
 - lib/sinatra/browserid.rb
 - lib/sinatra/browserid/helpers.rb
 - lib/sinatra/browserid/template.rb
@@ -71,7 +126,7 @@ files:
 homepage: https://github.com/onli/sinatra-portier
 licenses: []
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--inline-source"
 require_paths:
@@ -87,9 +142,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
-signing_key:
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Sinatra extension for user authentication with portier
 test_files: []

data/example/views/index.erb DELETED Viewed

@@ -1,21 +0,0 @@
-<html>
-<head>
-</head>
-<body>
-<h1>Test App</h1>
-<p>
-<% if authorized? %>
-Hello, <%= authorized_email %> <a href="/logout">(logout)</a>
-<% else %>
-<%= render_login_button %>
-<% end %>
-</p>
-<p>
-see a <a href="/confidential">page that requires a login</a>.
-</p>
-</body>
-</html>