sorcery 0.11.0 → 0.16.1

data/lib/sorcery/model/submodules/reset_password.rb

@@ -16,6 +16,8 @@ module Sorcery
             attr_accessor :reset_password_token_attribute_name
             # Expires at attribute name.
             attr_accessor :reset_password_token_expires_at_attribute_name
+            # Counter access to reset password page
+            attr_accessor :reset_password_page_access_count_attribute_name
             # When was email sent, used for hammering protection.
             attr_accessor :reset_password_email_sent_at_attribute_name
             # Mailer class (needed)
@@ -34,6 +36,8 @@ module Sorcery
           base.sorcery_config.instance_eval do
             @defaults.merge!(:@reset_password_token_attribute_name            => :reset_password_token,
                              :@reset_password_token_expires_at_attribute_name => :reset_password_token_expires_at,
+                             :@reset_password_page_access_count_attribute_name =>
+                                 :access_count_to_reset_password_page,
                              :@reset_password_email_sent_at_attribute_name    => :reset_password_email_sent_at,
                              :@reset_password_mailer                          => nil,
                              :@reset_password_mailer_disabled                 => false,
@@ -97,6 +101,7 @@ module Sorcery
             config = sorcery_config
             # hammering protection
             return false if config.reset_password_time_between_emails.present? && send(config.reset_password_email_sent_at_attribute_name) && send(config.reset_password_email_sent_at_attribute_name) > config.reset_password_time_between_emails.seconds.ago.utc
+
             self.class.sorcery_adapter.transaction do
               generate_reset_password_token!
               mail = send_reset_password_email! unless config.reset_password_mailer_disabled
@@ -104,11 +109,29 @@ module Sorcery
             mail
           end
 
+          # Increment access_count_to_reset_password_page attribute.
+          # For example, access_count_to_reset_password_page attribute is over 1, which
+          # means the user doesn't have a right to access.
+          def increment_password_reset_page_access_counter
+            sorcery_adapter.increment(sorcery_config.reset_password_page_access_count_attribute_name)
+          end
+
+          # Reset access_count_to_reset_password_page attribute into 0.
+          # This is expected to be used after sending an instruction email.
+          def reset_password_reset_page_access_counter
+            send(:"#{sorcery_config.reset_password_page_access_count_attribute_name}=", 0)
+            sorcery_adapter.save
+          end
+
           # Clears token and tries to update the new password for the user.
-          def change_password!(new_password)
+          def change_password(new_password, raise_on_failure: false)
             clear_reset_password_token
             send(:"#{sorcery_config.password_attribute_name}=", new_password)
-            sorcery_adapter.save
+            sorcery_adapter.save raise_on_failure: raise_on_failure
+          end
+
+          def change_password!(new_password)
+            change_password(new_password, raise_on_failure: true)
           end
 
           protected

data/lib/sorcery/model/submodules/user_activation.rb

@@ -45,7 +45,7 @@ module Sorcery
             # don't setup activation if no password supplied - this user is created automatically
             sorcery_adapter.define_callback :before, :create, :setup_activation, if: proc { |user| user.send(sorcery_config.password_attribute_name).present? }
             # don't send activation needed email if no crypted password created - this user is external (OAuth etc.)
-            sorcery_adapter.define_callback :after, :create, :send_activation_needed_email!, if: :send_activation_needed_email?
+            sorcery_adapter.define_callback :after, :commit, :send_activation_needed_email!, on: :create, if: :send_activation_needed_email?
           end
 
           base.sorcery_config.after_config << :validate_mailer_defined

data/lib/sorcery/model/temporary_token.rb

@@ -7,12 +7,14 @@ module Sorcery
     # such as reseting password and activating the user by email.
     module TemporaryToken
       def self.included(base)
+        # FIXME: This may not be the ideal way of passing sorcery_config to generate_random_token.
+        @sorcery_config = base.sorcery_config
         base.extend(ClassMethods)
       end
 
       # Random code, used for salt and temporary tokens.
       def self.generate_random_token
-        SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
+        SecureRandom.urlsafe_base64(@sorcery_config.token_randomness).tr('lIO0', 'sxyz')
       end
 
       module ClassMethods

data/lib/sorcery/protocols/oauth.rb

@@ -9,6 +9,7 @@ module Sorcery
 
       def get_request_token(token = nil, secret = nil)
         return ::OAuth::RequestToken.new(get_consumer, token, secret) if token && secret
+
         get_consumer.get_request_token(oauth_callback: @callback_url)
       end
 

data/lib/sorcery/providers/auth0.rb

@@ -0,0 +1,46 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with Auth0.com
+    #
+    #   config.auth0.key = <key>
+    #   config.auth0.secret = <secret>
+    #   config.auth0.domain = <domain>
+    #   ...
+    #
+    class Auth0 < Base
+      include Protocols::Oauth2
+
+      attr_accessor :auth_path, :token_path, :user_info_path, :scope
+
+      def initialize
+        super
+
+        @auth_path      = '/authorize'
+        @token_path     = '/oauth/token'
+        @user_info_path = '/userinfo'
+        @scope          = 'openid profile email'
+      end
+
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = JSON.parse(response.body)
+          h[:uid] = h[:user_info]['sub']
+        end
+      end
+
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_path)
+      end
+
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+
+        get_access_token(args, token_url: token_path, token_method: :post)
+      end
+    end
+  end
+end

data/lib/sorcery/providers/battlenet.rb

@@ -0,0 +1,51 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with BattleNet
+
+    class Battlenet < Base
+      include Protocols::Oauth2
+
+      attr_accessor :auth_path, :scope, :token_url, :user_info_path
+
+      def initialize
+        super
+
+        @scope          = 'openid'
+        @site           = 'https://eu.battle.net/'
+        @auth_path      = '/oauth/authorize'
+        @token_url      = '/oauth/token'
+        @user_info_path = '/oauth/userinfo'
+        @state          = SecureRandom.hex(16)
+      end
+
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+        body = JSON.parse(response.body)
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = body
+          h[:battletag] = body['battletag']
+          h[:uid] = body['id']
+        end
+      end
+
+      # calculates and returns the url to which the user should be redirected,
+      # to get authenticated at the external provider's site.
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_path)
+      end
+
+      # tries to login the user from access token
+      def process_callback(params, _session)
+        args = { code: params[:code] }
+        get_access_token(
+          args,
+          token_url: token_url,
+          client_id: @key,
+          client_secret: @secret,
+          grant_type: 'authorization_code',
+          token_method: :post
+        )
+      end
+    end
+  end
+end

data/lib/sorcery/providers/discord.rb

@@ -0,0 +1,52 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with discordapp.com
+
+    class Discord < Base
+      include Protocols::Oauth2
+
+      attr_accessor :auth_path, :scope, :token_url, :user_info_path
+
+      def initialize
+        super
+
+        @scope          = 'identify'
+        @site           = 'https://discordapp.com/'
+        @auth_path      = '/api/oauth2/authorize'
+        @token_url      = '/api/oauth2/token'
+        @user_info_path = '/api/users/@me'
+        @state          = SecureRandom.hex(16)
+      end
+
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+        body = JSON.parse(response.body)
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = body
+          h[:uid] = body['id']
+        end
+      end
+
+      # calculates and returns the url to which the user should be redirected,
+      # to get authenticated at the external provider's site.
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_path)
+      end
+
+      # tries to login the user from access token
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+        get_access_token(
+          args,
+          token_url: token_url,
+          client_id: @key,
+          client_secret: @secret,
+          grant_type: 'authorization_code',
+          token_method: :post
+        )
+      end
+    end
+  end
+end

data/lib/sorcery/providers/heroku.rb

@@ -45,6 +45,7 @@ module Sorcery
       # tries to login the user from access token
       def process_callback(params, _session)
         raise 'Invalid state. Potential Cross Site Forgery' if params[:state] != state
+
         args = {}.tap do |a|
           a[:code] = params[:code] if params[:code]
         end

data/lib/sorcery/providers/instagram.rb

@@ -0,0 +1,73 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with Instagram.com.
+    class Instagram < Base
+      include Protocols::Oauth2
+
+      attr_accessor :access_permissions, :token_url,
+                    :authorization_path, :user_info_path,
+                    :scope, :user_info_fields
+
+      def initialize
+        super
+
+        @site = 'https://api.instagram.com'
+        @token_url = '/oauth/access_token'
+        @authorization_path = '/oauth/authorize/'
+        @user_info_path = '/v1/users/self'
+        @scope = 'basic'
+      end
+
+      def self.included(base)
+        base.extend Sorcery::Providers
+      end
+
+      # provider implements method to build Oauth client
+      def login_url(_params, _session)
+        authorize_url(token_url: @token_url)
+      end
+
+      # overrides oauth2#authorize_url to allow customized scope.
+      def authorize_url(opts = {})
+        @scope = access_permissions.present? ? access_permissions.join(' ') : scope
+        super(opts.merge(token_url: @token_url))
+      end
+
+      # pass oauth2 param `code` provided by instgrm server
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+        get_access_token(
+          args,
+          token_url: @token_url,
+          client_id: @key,
+          client_secret: @secret
+        )
+      end
+
+      # see `user_info_mapping` in config/initializer,
+      # given `user_info_mapping` to specify
+      #   {:db_attribute_name => 'instagram_attr_name'}
+      # so that Sorcery can build AR model from attr names
+      #
+      # NOTE: instead of just getting the user info
+      # from the access_token (which already returns them),
+      # testing strategy relies on querying user_info_path
+      def get_user_hash(access_token)
+        call_api_params = {
+          access_token: access_token.token,
+          client_id: access_token[:client_id]
+        }
+        response = access_token.get(
+          "#{user_info_path}?#{call_api_params.to_param}"
+        )
+
+        user_attrs = {}
+        user_attrs[:user_info] = JSON.parse(response.body)['data']
+        user_attrs[:uid] = user_attrs[:user_info]['id']
+        user_attrs
+      end
+    end
+  end
+end

data/lib/sorcery/providers/line.rb

@@ -0,0 +1,63 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with line.com.
+    #
+    #   config.line.key = <key>
+    #   config.line.secret = <secret>
+    #   ...
+    #
+    class Line < Base
+      include Protocols::Oauth2
+
+      attr_accessor :token_url, :user_info_path, :auth_path, :scope, :bot_prompt
+
+      def initialize
+        super
+
+        @site           = 'https://access.line.me'
+        @user_info_path = 'https://api.line.me/v2/profile'
+        @token_url      = 'https://api.line.me/oauth2/v2.1/token'
+        @auth_path      = 'oauth2/v2.1/authorize'
+        @scope          = 'profile'
+      end
+
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = JSON.parse(response.body)
+          h[:uid] = h[:user_info]['userId'].to_s
+        end
+      end
+
+      # calculates and returns the url to which the user should be redirected,
+      # to get authenticated at the external provider's site.
+      def login_url(_params, _session)
+        @state = SecureRandom.hex(16)
+        authorize_url(authorize_url: auth_path)
+      end
+
+      # overrides oauth2#authorize_url to add bot_prompt query.
+      def authorize_url(options = {})
+        options.merge!({
+          connection_opts: { params: { bot_prompt: bot_prompt } }
+        }) if bot_prompt.present?
+
+        super(options)
+      end
+
+      # tries to login the user from access token
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+
+        get_access_token(
+          args,
+          token_url: token_url,
+          token_method: :post,
+          grant_type: 'authorization_code'
+        )
+      end
+    end
+  end
+end

data/lib/sorcery/providers/linkedin.rb

@@ -1,65 +1,74 @@
 module Sorcery
   module Providers
-    # This class adds support for OAuth with Linkedin.com.
+    # This class adds support for OAuth with LinkedIn.
     #
     #   config.linkedin.key = <key>
     #   config.linkedin.secret = <secret>
     #   ...
     #
     class Linkedin < Base
-      include Protocols::Oauth
+      include Protocols::Oauth2
 
-      attr_accessor :authorize_path, :access_permissions, :access_token_path,
-                    :request_token_path, :user_info_fields, :user_info_path
+      attr_accessor :auth_url, :scope, :token_url, :user_info_url, :email_info_url
 
       def initialize
-        @configuration = {
-          site: 'https://api.linkedin.com',
-          authorize_path: '/uas/oauth/authenticate',
-          request_token_path: '/uas/oauth/requestToken',
-          access_token_path: '/uas/oauth/accessToken'
-        }
-        @user_info_path = '/v1/people/~'
-      end
+        super
 
-      # Override included get_consumer method to provide authorize_path
-      def get_consumer
-        # Add access permissions to request token path
-        @configuration[:request_token_path] += '?scope=' + access_permissions.join('+') unless access_permissions.blank? || @configuration[:request_token_path].include?('?scope=')
-        ::OAuth::Consumer.new(@key, @secret, @configuration)
+        @site           = 'https://api.linkedin.com'
+        @auth_url       = '/oauth/v2/authorization'
+        @token_url      = '/oauth/v2/accessToken'
+        @user_info_url  = 'https://api.linkedin.com/v2/me'
+        @email_info_url = 'https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))'
+        @scope          = 'r_liteprofile r_emailaddress'
+        @state          = SecureRandom.hex(16)
       end
 
       def get_user_hash(access_token)
-        # Always include id for provider uid and prevent accidental duplication via setting `user_info_field = ['id']` (needed in Sorcery 0.9.1)
-        info_fields = user_info_fields ? user_info_fields.reject{|n| n == 'id'} : []
-        fields = info_fields.any? ? 'id,' + info_fields.join(',') : 'id'
-        response = access_token.get("#{@user_info_path}:(#{fields})", 'x-li-format' => 'json')
+        user_info = get_user_info(access_token)
 
         auth_hash(access_token).tap do |h|
-          h[:user_info] = JSON.parse(response.body)
-          h[:uid] = h[:user_info]['id'].to_s
+          h[:user_info] = user_info
+          h[:uid]       = h[:user_info]['id']
         end
       end
 
       # calculates and returns the url to which the user should be redirected,
       # to get authenticated at the external provider's site.
-      def login_url(_params, session)
-        req_token = get_request_token
-        session[:request_token]         = req_token.token
-        session[:request_token_secret]  = req_token.secret
-        authorize_url(request_token: req_token.token, request_token_secret: req_token.secret)
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_url)
       end
 
       # tries to login the user from access token
-      def process_callback(params, session)
-        args = {
-          oauth_verifier:       params[:oauth_verifier],
-          request_token:        session[:request_token],
-          request_token_secret: session[:request_token_secret]
-        }
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+
+        get_access_token(args, token_url: token_url, token_method: :post)
+      end
+
+      def get_user_info(access_token)
+        response  = access_token.get(user_info_url)
+        user_info = JSON.parse(response.body)
+
+        if email_in_scope?
+          email = fetch_email(access_token)
+
+          return user_info.merge(email)
+        end
+
+        user_info
+      end
+
+      def email_in_scope?
+        scope.include?('r_emailaddress')
+      end
+
+      def fetch_email(access_token)
+        email_response = access_token.get(email_info_url)
+        email_info     = JSON.parse(email_response.body)['elements'].first
 
-        args[:code] = params[:code] if params[:code]
-        get_access_token(args)
+        email_info['handle~']
       end
     end
   end