RubyGems - sinatra-portier - Versions diffs - 1.5.2 → 2.0.1 - Mend

sinatra-portier 1.5.2 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/sinatra/browserid/helpers.rb +8 -3
data/lib/sinatra/browserid.rb +34 -15
metadata +31 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbb567b7fdc34ac49a53113b97b08a27b52c2fd1e85552c2ea44eb7cabfc9666
-  data.tar.gz: 3528e61f4a6fdc75ed3d2aee2bb80235a139860ca079b63d6ee3cfac487adbf3
+  metadata.gz: 31afe71da2eac370eaa964127e62202abf4917c535e7309d317e8e089476a834
+  data.tar.gz: b9bbcb6d954ba8e0653bf277d52df97333b25ac26ea5e5e64608b70067c2b97e
 SHA512:
-  metadata.gz: ce0b199ca249d27d1cefc7db7c25f6bb5595165d7076843a190c448e61b596fcd2b0e3c362ddaf155ca6f7fb3002a73511b0ba4a8f111a5ffc1f5b1bc7b8e15c
-  data.tar.gz: 5c6e1b3cc2890c87f32bda865530accd31ff97df69c5977d1c1de5009337cda8f38447756da9ca202cfae8d34859c8f9d98a6a606efc4d76120ec5587dedceba
+  metadata.gz: 30d0daa34b639d24fb2b0cc6dc71bf693bd6a702ddab6d811e8742116edd13e6470f3c2814c84b41dda9515cb0459224a9268b9bc920a84bfee42c1b5d5c0918
+  data.tar.gz: a90b89b5e2263fe61507ea7f055962218d5f24821ac7b1af96caa8e2f504cf0fddb19720bc0104584531670362d37ec07ce469e39aad733e988df1d21bf5c8fd

data/lib/sinatra/browserid/helpers.rb CHANGED Viewed

@@ -61,9 +61,14 @@ module Sinatra
         redirect_url ||= request.url
         session['redirect_url'] = redirect_url
-        nonce = session[:nonce]
-        unless nonce
-          session[:nonce] = nonce = SecureRandom.base64
+        if session[:nonce]
+            nonce = session[:nonce]
+            # Try to limit how many nonces are stored by keeping the session nonce alive
+            Cachy.delete_key(nonce)
+            Cachy.cache(nonce, expires_in: 600) { true }
+        else
+            session[:nonce] = nonce = SecureRandom.base64
+            Cachy.cache(nonce, expires_in: 600) { true }
         end
         template = ERB.new(Templates::LOGIN_BUTTON)

data/lib/sinatra/browserid.rb CHANGED Viewed

@@ -10,11 +10,21 @@ require "sinatra/base"
 require 'sinatra/browserid/helpers'
 require 'sinatra/browserid/template'
 require 'addressable/uri'
+require 'cachy'
+require 'moneta'
 # This module provides an interface to verify a users email address
 # with browserid.org.
 module Sinatra
     module BrowserID
+        # Init an in-memory cache via the cachy gem. We use this
+        # instead of the session because of dropped sessions
+        # after redirects, see https://github.com/sinatra/sinatra/issues/1742.
+        Cachy.cache_store = Moneta.new(:Memory, expires: 600) # 10 minutes
+                                                              # We need to set a global :expires here because of https://github.com/grosser/cachy/issues/7
         def self.registered(app)
             app.helpers BrowserID::Helpers
@@ -25,24 +35,27 @@ module Sinatra
             app.set :browserid_button_text, "Log in"
             app.get '/_browserid_login' do
-                # TODO(petef): render a page that initiates login without
-                # waiting for a user click.
                 render_login_button
             end
           app.post '/_browserid_assert' do
               begin
-                  # 3. Server checks signature
-                  # for that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
+                  # Server checks signature
+                  # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
                   public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
                   public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
                   public_key = OpenSSL::PKey::RSA.new
                   if public_key.respond_to? :set_key
-                    # set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
-                    # Note that we have no d, as this is a public key, which would be the third param
-                    public_key.set_key( (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2),
-                                        (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2),
-                                        nil)
+                    # We initially set n and d via the then new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
+                    # But with OpenSSL 3 this function throws an error, as keys are immutable now. Instead we have to generate the key directly with
+                    # the right params, as in https://github.com/railslove/epics/issues/138
+                    sequence = []
+                    # modulus:
+                    sequence << OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2))
+                    # exponent:
+                    sequence << OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2))
+                    public_key = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence(sequence).to_der)
                   else
                     public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2
                     public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
@@ -50,19 +63,25 @@ module Sinatra
                   id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
                   id_token = id_token[0]
-                  # 4. Needs to make sure token is still valid
+                  # Needs to make sure token is still valid
                   if (id_token["iss"] == settings.browserid_url &&
                       id_token["aud"] == request.base_url.chomp('/') &&
                       id_token["exp"] > Time.now.to_i &&
                       id_token["email_verified"] &&
-                      id_token["nonce"] == session[:nonce])
+                      # nonce is really known to us
+                      Cachy.get(id_token["nonce"]))
                           session[:browserid_email] = id_token['email']
-                          session.delete(:nonce)
+                          Cachy.delete_key(id_token["nonce"])
+                          session.delete(:nonce)  # it's possible the session persisted
                           if session['redirect_url']
                             redirect session['redirect_url']
                           else
                             redirect "/"
                           end
+                  else
+                    # Even when the token check failed the nonce has to be invalidated
+                    Cachy.delete_key(id_token["nonce"])
+                    session.delete(:nonce)
                   end
               rescue OpenURI::HTTPError => e
                   puts "could not validate token: " + e.to_s
@@ -70,8 +89,8 @@ module Sinatra
               halt 403
             end
-        end # def self.registered
-    end # module BrowserID
+        end
+    end
     register BrowserID
-end # module Sinatra
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-portier
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 2.0.1
 platform: ruby
 authors:
 - Pete Fritchman
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-05 00:00:00.000000000 Z
+date: 2023-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -81,6 +81,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: cachy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: moneta
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
 description:
 email:
 - malte@paskuda.biz
@@ -114,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Sinatra extension for user authentication with portier