sinatra-portier 1.5.2 → 2.0

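--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: cbb567b7fdc34ac49a53113b97b08a27b52c2fd1e85552c2ea44eb7cabfc9666
- data.tar.gz: 3528e61f4a6fdc75ed3d2aee2bb80235a139860ca079b63d6ee3cfac487adbf3
+ metadata.gz: 7cd3476f061fb1de32d057c4f8a6161fb62e0321f47f0c6d264a31d3c16755f7
+ data.tar.gz: 1773f716e2a04c6e2b6de9c3fe221b4352004a3b1de09afb763846ff4ea34d17
  SHA512:
- metadata.gz: ce0b199ca249d27d1cefc7db7c25f6bb5595165d7076843a190c448e61b596fcd2b0e3c362ddaf155ca6f7fb3002a73511b0ba4a8f111a5ffc1f5b1bc7b8e15c
- data.tar.gz: 5c6e1b3cc2890c87f32bda865530accd31ff97df69c5977d1c1de5009337cda8f38447756da9ca202cfae8d34859c8f9d98a6a606efc4d76120ec5587dedceba
+ metadata.gz: 974c8c6c0464f36a73d93bde35a29545874da0ae0c1832d5cac4f0588e4e774fcaf365201e403936a1138c51c39efd07ebd14fb4fd857a72348d3fbf19779ba3
+ data.tar.gz: 4b305bc259bad7d833a74d3d27dfbc8922b83a5bb2b6dce48b3077f433b89de7d2635f5506e8c084647fef60b29b8b1973e1329e3390959af80565053b819600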
@@ -61,9 +61,14 @@ module Sinatra
61
61
  redirect_url ||= request.url
62
62
  session['redirect_url'] = redirect_url
63
63
 
64
- nonce = session[:nonce]
65
- unless nonce
66
- session[:nonce] = nonce = SecureRandom.base64
64
+ if session[:nonce]
65
+ nonce = session[:nonce]
66
+ # Try to limit how many nonces are stored by keeping the session nonce alive
67
+ Cachy.delete_key(nonce)
68
+ Cachy.cache(nonce, expires_in: 600) { true }
69
+ else
70
+ session[:nonce] = nonce = SecureRandom.base64
71
+ Cachy.cache(nonce, expires_in: 600) { true }
67
72
  end
68
73
 
69
74
  template = ERB.new(Templates::LOGIN_BUTTON)
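Review bot: The two branches of the new `if session[:nonce]` block differ only in whether a nonce is generated, and both repeat the `600` that has to stay in step with the `expires: 600` passed to the Moneta store; the `Cachy.delete_key(nonce)` before `Cachy.cache` presumably exists because `Cachy.cache` only runs its block when the key is absent, so the delete is what re-arms the TTL, and the comment should say so rather than "keeping the session nonce alive". The block collapses to `nonce = session[:nonce] ||= SecureRandom.base64`, `Cachy.delete_key(nonce) # drop any existing entry so the cache call below re-arms the TTL` and `Cachy.cache(nonce, expires_in: NONCE_TTL) { true }`, with `NONCE_TTL = 600` defined once next to the store. Reusing one nonce for every login button a session renders also keeps that value valid for as long as the session keeps rendering; if storage growth is the only concern, a fresh nonce per render with the same TTL is the more conservative choice, since the verifier deletes the entry on use anyway. The enclosing method starts outside the hunk.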
@@ -10,11 +10,21 @@ require "sinatra/base"
10
10
  require 'sinatra/browserid/helpers'
11
11
  require 'sinatra/browserid/template'
12
12
  require 'addressable/uri'
13
+ require 'cachy'
14
+ require 'moneta'
15
+
13
16
 
14
17
  # This module provides an interface to verify a users email address
15
18
  # with browserid.org.
16
19
  module Sinatra
17
20
  module BrowserID
21
+
22
+ # Init an in-memory cache via the cachy gem. We use this
23
+ # instead of the session because of dropped sessions
24
+ # after redirects, see https://github.com/sinatra/sinatra/issues/1742.
25
+ Cachy.cache_store = Moneta.new(:Memory, expires: 600) # 10 minutes
26
+ # We need to set a global :expires here because of https://github.com/grosser/cachy/issues/7
27
+
18
28
  def self.registered(app)
19
29
  app.helpers BrowserID::Helpers
20
30
 
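Review bot: `Cachy.cache_store = Moneta.new(:Memory, expires: 600)` runs at require time and installs a process-local store, so if the host application runs more than one server process a nonce written while rendering the login button in one worker will presumably not be found by `Cachy.get` in the worker that receives the assertion, and the login silently fails; the assignment also replaces any Cachy store the host application had configured for its own use. Consider making the store a setting initialised in `registered`, e.g. `app.set :browserid_nonce_store, Moneta.new(:Memory, expires: 600)` with the `Cachy.cache_store` assignment reading from it, and stating the single-process limitation in the module comment. The comment on the last added line explains the `expires:` argument of the line above it; move it ahead of that line, e.g. `# The store-level :expires is required in addition to expires_in, see https://github.com/grosser/cachy/issues/7`, and tie the `600` / "10 minutes" to one named constant shared with the `expires_in: 600` calls in the helpers.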
@@ -25,20 +35,18 @@ module Sinatra
25
35
  app.set :browserid_button_text, "Log in"
26
36
 
27
37
  app.get '/_browserid_login' do
28
- # TODO(petef): render a page that initiates login without
29
- # waiting for a user click.
30
38
  render_login_button
31
39
  end
32
40
 
33
41
  app.post '/_browserid_assert' do
34
42
  begin
35
- # 3. Server checks signature
36
- # for that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
43
+ # Server checks signature
44
+ # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
37
45
  public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
38
46
  public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
39
47
  public_key = OpenSSL::PKey::RSA.new
40
48
  if public_key.respond_to? :set_key
41
- # set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
49
+ # Set n and d via the new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
42
50
  # Note that we have no d, as this is a public key, which would be the third param
43
51
  public_key.set_key( (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2),
44
52
  (OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2),
@@ -50,19 +58,25 @@ module Sinatra
50
58
 
51
59
  id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
52
60
  id_token = id_token[0]
53
- # 4. Needs to make sure token is still valid
61
+ # Needs to make sure token is still valid
54
62
  if (id_token["iss"] == settings.browserid_url &&
55
63
  id_token["aud"] == request.base_url.chomp('/') &&
56
64
  id_token["exp"] > Time.now.to_i &&
57
65
  id_token["email_verified"] &&
58
- id_token["nonce"] == session[:nonce])
66
+ # nonce is really known to us
67
+ Cachy.get(id_token["nonce"]))
59
68
  session[:browserid_email] = id_token['email']
60
- session.delete(:nonce)
69
+ Cachy.delete_key(id_token["nonce"])
70
+ session.delete(:nonce) # it's possible the session persisted
61
71
  if session['redirect_url']
62
72
  redirect session['redirect_url']
63
73
  else
64
74
  redirect "/"
65
75
  end
76
+ else
77
+ # Even when the token check failed the nonce has to be invalidated
78
+ Cachy.delete_key(id_token["nonce"])
79
+ session.delete(:nonce)
66
80
  end
67
81
  rescue OpenURI::HTTPError => e
68
82
  puts "could not validate token: " + e.to_s
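Review bot: Replacing `id_token["nonce"] == session[:nonce]` with `Cachy.get(id_token["nonce"])` drops the binding between the nonce and the browser that started the login: any nonce this server issued in the last 10 minutes is now accepted from any client, so the check only proves the token was requested from this app, not that it answers this session's request, which is the cross-session acceptance the old comparison ruled out. Keep the session comparison whenever a session nonce survived the redirect and use the cache only as the fallback for the dropped-session case, e.g. `(session[:nonce].nil? || session[:nonce] == id_token["nonce"]) &&` placed ahead of the `Cachy.get` line, and document that the fallback is weaker. `Cachy.get` and both `Cachy.delete_key` calls also take `id_token["nonce"]` unchecked, so a token without a `nonce` claim hands `nil` to the store, whose behaviour for a nil key is not visible here; guarding with `id_token["nonce"].is_a?(String) &&` before the lookup keeps the store calls well-formed. The route block and its `begin` start in the previous hunk.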
@@ -70,8 +84,8 @@ module Sinatra
70
84
  halt 403
71
85
 
72
86
  end
73
- end # def self.registered
74
- end # module BrowserID
87
+ end
88
+ end
75
89
  register BrowserID
76
- end # module Sinatra
90
+ end
77
91
 
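--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: sinatra-portier
  version: !ruby/object:Gem::Version
- version: 1.5.2
+ version: '2.0'
  platform: ruby
  authors:
  - Pete Fritchman
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-09-05 00:00:00.000000000 Z
+ date: 2022-02-02 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: sinatra
@@ -81,6 +81,34 @@ dependencies:
  - - ">="
  - !ruby/object:Gem::Version
  version: '2.8'
+ - !ruby/object:Gem::Dependency
+ name: cachy
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0.4'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0.4'
+ - !ruby/object:Gem::Dependency
+ name: moneta
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '1.4'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '1.4'
  description:
  email:
  - malte@paskuda.biz
@@ -114,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.22
+ rubygems_version: 3.2.32
  signing_key:
  specification_version: 4
  summary: Sinatra extension for user authentication with portier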