sinatra-portier 1.5.2 → 2.0

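--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbb567b7fdc34ac49a53113b97b08a27b52c2fd1e85552c2ea44eb7cabfc9666
-  data.tar.gz: 3528e61f4a6fdc75ed3d2aee2bb80235a139860ca079b63d6ee3cfac487adbf3
+  metadata.gz: 7cd3476f061fb1de32d057c4f8a6161fb62e0321f47f0c6d264a31d3c16755f7
+  data.tar.gz: 1773f716e2a04c6e2b6de9c3fe221b4352004a3b1de09afb763846ff4ea34d17
 SHA512:
-  metadata.gz: ce0b199ca249d27d1cefc7db7c25f6bb5595165d7076843a190c448e61b596fcd2b0e3c362ddaf155ca6f7fb3002a73511b0ba4a8f111a5ffc1f5b1bc7b8e15c
-  data.tar.gz: 5c6e1b3cc2890c87f32bda865530accd31ff97df69c5977d1c1de5009337cda8f38447756da9ca202cfae8d34859c8f9d98a6a606efc4d76120ec5587dedceba
+  metadata.gz: 974c8c6c0464f36a73d93bde35a29545874da0ae0c1832d5cac4f0588e4e774fcaf365201e403936a1138c51c39efd07ebd14fb4fd857a72348d3fbf19779ba3
+  data.tar.gz: 4b305bc259bad7d833a74d3d27dfbc8922b83a5bb2b6dce48b3077f433b89de7d2635f5506e8c084647fef60b29b8b1973e1329e3390959af80565053b819600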
@@ -61,9 +61,14 @@ module Sinatra
61
61
  redirect_url ||= request.url
62
62
  session['redirect_url'] = redirect_url
63
63
 
64
- nonce = session[:nonce]
65
- unless nonce
66
- session[:nonce] = nonce = SecureRandom.base64
64
+ if session[:nonce]
65
+ nonce = session[:nonce]
66
+ # Try to limit how many nonces are stored by keeping the session nonce alive
67
+ Cachy.delete_key(nonce)
68
+ Cachy.cache(nonce, expires_in: 600) { true }
69
+ else
70
+ session[:nonce] = nonce = SecureRandom.base64
71
+ Cachy.cache(nonce, expires_in: 600) { true }
67
72
  end
68
73
 
69
74
  template = ERB.new(Templates::LOGIN_BUTTON)
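Review bot: The cache entry written by the added `Cachy.cache(nonce, expires_in: 600) { true }` lines lives in the `Moneta.new(:Memory …)` store configured in the module body (outside this hunk), so it exists only in the process that rendered the login button; if the app runs in several worker processes or restarts between the button render and the broker's POST to `/_browserid_assert`, the later `Cachy.get` will presumably miss it and the login fails with 403, which deserves either a comment here or a configurable store. The two branches also duplicate the cache write; since `Cachy.delete_key` on an absent key should be harmless, the block reduces to `nonce = session[:nonce] ||= SecureRandom.base64`, `Cachy.delete_key(nonce)`, `Cachy.cache(nonce, expires_in: 600) { true }`. A one-line comment such as `# 600 s must match the store-wide :expires set on Cachy.cache_store` would tell the next maintainer why that number is repeated. render_login_button starts before this hunk and continues after it.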
@@ -10,11 +10,21 @@ require "sinatra/base"
10
10
  require 'sinatra/browserid/helpers'
11
11
  require 'sinatra/browserid/template'
12
12
  require 'addressable/uri'
13
+ require 'cachy'
14
+ require 'moneta'
15
+
13
16
 
14
17
  # This module provides an interface to verify a users email address
15
18
  # with browserid.org.
16
19
  module Sinatra
17
20
  module BrowserID
21
+
22
+ # Init an in-memory cache via the cachy gem. We use this
23
+ # instead of the session because of dropped sessions
24
+ # after redirects, see https://github.com/sinatra/sinatra/issues/1742.
25
+ Cachy.cache_store = Moneta.new(:Memory, expires: 600) # 10 minutes
26
+ # We need to set a global :expires here because of https://github.com/grosser/cachy/issues/7
27
+
18
28
  def self.registered(app)
19
29
  app.helpers BrowserID::Helpers
20
30
 
@@ -25,20 +35,18 @@ module Sinatra
25
35
  app.set :browserid_button_text, "Log in"
26
36
 
27
37
  app.get '/_browserid_login' do
28
- # TODO(petef): render a page that initiates login without
29
- # waiting for a user click.
30
38
  render_login_button
31
39
  end
32
40
 
33
41
  app.post '/_browserid_assert' do
34
42
  begin
35
- # 3. Server checks signature
36
- # for that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
43
+ # Server checks signature
44
+ # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
37
45
  public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
38
46
  public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
39
47
  public_key = OpenSSL::PKey::RSA.new
40
48
  if public_key.respond_to? :set_key
41
- # set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
49
+ # Set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
42
50
  # Note that we have no d, as this is a public key, which would be the third param
43
51
  public_key.set_key( (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2),
44
52
  (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2),
@@ -50,19 +58,25 @@ module Sinatra
50
58
 
51
59
  id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
52
60
  id_token = id_token[0]
53
- # 4. Needs to make sure token is still valid
61
+ # Needs to make sure token is still valid
54
62
  if (id_token["iss"] == settings.browserid_url &&
55
63
  id_token["aud"] == request.base_url.chomp('/') &&
56
64
  id_token["exp"] > Time.now.to_i &&
57
65
  id_token["email_verified"] &&
58
- id_token["nonce"] == session[:nonce])
66
+ # nonce is really known to us
67
+ Cachy.get(id_token["nonce"]))
59
68
  session[:browserid_email] = id_token['email']
60
- session.delete(:nonce)
69
+ Cachy.delete_key(id_token["nonce"])
70
+ session.delete(:nonce) # it's possible the session persisted
61
71
  if session['redirect_url']
62
72
  redirect session['redirect_url']
63
73
  else
64
74
  redirect "/"
65
75
  end
76
+ else
77
+ # Even when the token check failed the nonce has to be invalidated
78
+ Cachy.delete_key(id_token["nonce"])
79
+ session.delete(:nonce)
66
80
  end
67
81
  rescue OpenURI::HTTPError => e
68
82
  puts "could not validate token: " + e.to_s
@@ -70,8 +84,8 @@ module Sinatra
70
84
  halt 403
71
85
 
72
86
  end
73
- end # def self.registered
74
- end # module BrowserID
87
+ end
88
+ end
75
89
  register BrowserID
76
- end # module Sinatra
90
+ end
77
91
 
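Review bot: The token is no longer tied to the browser that started the login: `Cachy.get(id_token["nonce"])` accepts any nonce this server issued within the last 600 s from any client, whereas the removed `id_token["nonce"] == session[:nonce]` bound it to the requesting session. As far as I can tell that allows login CSRF — an attacker completes their own flow, captures the broker's `id_token` POST, and replays it into a victim's browser, which then gets `session[:browserid_email]` set to the attacker's address; the single-use deletion narrows the window but does not close it. If the session cannot be trusted across the broker's cross-site POST (the reason given in the module comment), consider still enforcing `id_token["nonce"] == session[:nonce] if session[:nonce]` alongside the cache lookup, or caching something that identifies the originating client together with the nonce. A token with no `nonce` claim also reaches `Cachy.get(nil)` and, in the new `else` branch, `Cachy.delete_key(nil)`, so I would guard with `id_token["nonce"].is_a?(String) && !id_token["nonce"].empty? &&` before the lookup rather than rely on the store's handling of a nil key. The `app.post '/_browserid_assert'` block starts and ends outside this hunk.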
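--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-portier
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: '2.0'
 platform: ruby
 authors:
 - Pete Fritchman
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-05 00:00:00.000000000 Z
+date: 2022-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -81,6 +81,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: cachy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: moneta
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
 description:
 email:
 - malte@paskuda.biz
@@ -114,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Sinatra extension for user authentication with portier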