sorcery 0.9.0 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f79fec92f71b24d1507e3848c0c943e3b8e7a6ed
-  data.tar.gz: bf2cfc0eb30778fbb3eb85f896a9b73811a179c4
+  metadata.gz: 5c0e37f33ed4fa3e085ccc8e3a6a5526afb632f2
+  data.tar.gz: 1b224ad20e8ed01e04a2b7a25153e5949b56fa4f
 SHA512:
-  metadata.gz: d48170391dc1db75bb8bc88ce444ecc8d957796e0aaf96c29cafc4a01493689bc52e47ecaa5c0968c3aced147d623d2623f9dbe56e3dfdf46bf5309b005345f6
-  data.tar.gz: 4101544b567f3cb86c02bda20721a864b9c32fb688d62e64e7eee7fc0672614d06e0d8c004c8fa494113a9c834c1a09df1be91454ee00ee58865fcd31d01d7e0
+  metadata.gz: 48d1dd07a9ab99ade78c490bfffd27144b3951d5ba1f45bcfc1baede6db4cbe228e8916025bfd69fbc48d3342724b00ac2cfd9ecc41110d1b9fdd9559885091b
+  data.tar.gz: 250ceb737b38dab40dd3e16488f3e37aadf2b09fe94c6147ed92a2d42aab2d61d01601b3a2891403f70cc23ef4e675f4fb1ad83072d59ee71d8d6e5fd9d9c20d

data/CHANGELOG.md

@@ -4,6 +4,15 @@
 
 * Adapters (Mongoid, MongoMapper, DataMapper) are now separated from the core Sorcery repo and moved under `sorcery-rails` organization. Special thanks to @juike!
 
+## 0.9.1
+
+* Fixed fetching private emails from github (thanks to @saratovsource)
+* Added support for `active_for_authentication?` method (thanks to @gchaincl)
+* Fixed migration bug for `external` submodule (thanks to @skv-headless)
+* Added support for new Facebook Graph API (thanks to @mchaisse)
+* Fixed issue with Xing submodule (thanks to @yoyostile)
+* Fixed security bug with using `state` field in oAuth requests
+
 ## 0.9.0
 
 * Sending emails works with Rails 4.2 (thanks to @wooly)

data/README.md

@@ -59,6 +59,7 @@ logged_in?      # available to view
 current_user    # available to view
 redirect_back_or_to # used when a user tries to access a page while logged out, is asked to login, and we want to return him back to the page he originally wanted.
 @user.external? # external users, such as facebook/twitter etc.
+@user.active_for_authentication? # add this method to define behaviour that will prevent selected users from signing in
 User.authenticates_with_sorcery!
 ```
 

data/lib/generators/sorcery/templates/initializer.rb

@@ -119,8 +119,9 @@ Rails.application.config.sorcery.configure do |config|
   # config.facebook.secret = ""
   # config.facebook.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=facebook"
   # config.facebook.user_info_mapping = {:email => "name"}
-  # config.facebook.access_permissions = ["email", "publish_stream"]
+  # config.facebook.access_permissions = ["email", "publish_actions"]
   # config.facebook.display = "page"
+  # config.facebook.api_version = "v2.2"
   #
   # config.github.key = ""
   # config.github.secret = ""

data/lib/generators/sorcery/templates/migration/external.rb

@@ -7,6 +7,6 @@ class SorceryExternal < ActiveRecord::Migration
       t.timestamps
     end
 
-    add_index :<%= model_class_name.tableize %>, [:provider, :uid]
+    add_index :authentications, [:provider, :uid]
   end
 end

data/lib/sorcery/controller/submodules/external.rb

@@ -61,7 +61,7 @@ module Sorcery
             @provider = sorcery_get_provider provider_name
             sorcery_fixup_callback_url @provider
             if @provider.respond_to?(:login_url) && @provider.has_callback?
-              @provider.state = args[:state] if args[:state]
+              @provider.state = args[:state]
               return @provider.login_url(params, session)
             else
               return nil

data/lib/sorcery/model.rb

@@ -92,6 +92,10 @@ module Sorcery
 
         user = sorcery_adapter.find_by_credentials(credentials)
 
+        if user.respond_to?(:active_for_authentication?)
+          return nil if !user.active_for_authentication?
+        end
+
         set_encryption_attributes
 
         user if user && @sorcery_config.before_authenticate.all? {|c| user.send(c)} && user.valid_password?(credentials[1])

data/lib/sorcery/providers/facebook.rb

@@ -12,16 +12,18 @@ module Sorcery
 
       attr_reader   :mode, :param_name, :parse
       attr_accessor :access_permissions, :display, :scope, :token_url,
-                    :user_info_path
+                    :user_info_path, :auth_path, :api_version
 
       def initialize
         super
 
         @site           = 'https://graph.facebook.com'
-        @user_info_path = '/me'
-        @scope          = 'email,offline_access'
+        @auth_site      = 'https://www.facebook.com'
+        @user_info_path = 'me'
+        @scope          = 'email'
         @display        = 'page'
         @token_url      = 'oauth/access_token'
+        @auth_path      = 'dialog/oauth'
         @mode           = :query
         @parse          = :query
         @param_name     = 'access_token'
@@ -44,8 +46,17 @@ module Sorcery
 
       # overrides oauth2#authorize_url to allow customized scope.
       def authorize_url
+
+        # Fix: replace default oauth2 options, specially to prevent the Faraday gem which
+        # concatenates with "/", removing the Facebook api version
+        options = {
+          site:          File::join(@site, api_version.to_s),
+          authorize_url: File::join(@auth_site, api_version.to_s, auth_path),
+          token_url:     token_url
+        }
+
         @scope = access_permissions.present? ? access_permissions.join(',') : scope
-        super
+        super(options)
       end
 
       # tries to login the user from access token

data/lib/sorcery/providers/github.rb

@@ -26,7 +26,9 @@ module Sorcery
         response = access_token.get(user_info_path)
 
         auth_hash(access_token).tap do |h|
-          h[:user_info] = JSON.parse(response.body)
+          h[:user_info] = JSON.parse(response.body).tap do |uih|
+            uih['email'] = primary_email(access_token) if scope =~ /user/
+          end
           h[:uid] = h[:user_info]['id']
         end
       end
@@ -46,6 +48,13 @@ module Sorcery
         get_access_token(args, token_url: token_url, token_method: :post)
       end
 
+      def primary_email(access_token)
+        response = access_token.get(user_info_path + "/emails")
+        emails = JSON.parse(response.body)
+        primary = emails.find{|i| i['primary'] }
+        primary && primary['email'] || emails.first && emails.first['email']
+      end
+
     end
   end
 end

data/lib/sorcery/providers/xing.rb

@@ -34,7 +34,7 @@ module Sorcery
 
         auth_hash(access_token).tap do |h|
           h[:user_info] = JSON.parse(response.body)['users'].first
-          h[:uid] = user_hash[:user_info]['id'].to_s
+          h[:uid] = h[:user_info]['id'].to_s
         end
       end
 

data/lib/sorcery/version.rb

@@ -1,3 +1,3 @@
 module Sorcery
-  VERSION = "0.9.0"
+  VERSION = "0.9.1"
 end

data/spec/controllers/controller_oauth2_spec.rb

@@ -83,29 +83,44 @@ describe SorceryController, :active_record => true do
       it "login_at redirects correctly" do
         get :login_at_test_facebook
         expect(response).to be_a_redirect
-        expect(response).to redirect_to("https://graph.facebook.com/oauth/authorize?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email%2Coffline_access&state=")
+        expect(response).to redirect_to("https://www.facebook.com/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=")
       end
+
       it "logins with state" do
         get :login_at_test_with_state
         expect(response).to be_a_redirect
-        expect(response).to redirect_to("https://graph.facebook.com/oauth/authorize?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email%2Coffline_access&state=bla")
+        expect(response).to redirect_to("https://www.facebook.com/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=bla")
+      end
+
+      it "logins with Graph API version" do
+        sorcery_controller_external_property_set(:facebook, :api_version, "v2.2")
+        get :login_at_test_with_state
+        expect(response).to be_a_redirect
+        expect(response).to redirect_to("https://www.facebook.com/v2.2/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=bla")
+      end
+
+      it "logins without state after login with state" do
+        get :login_at_test_with_state
+        expect(response).to redirect_to("https://www.facebook.com/v2.2/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=bla")
+
+        get :login_at_test_facebook
+        expect(response).to redirect_to("https://www.facebook.com/v2.2/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=")
       end
+
       after do
         sorcery_controller_external_property_set(:facebook, :callback_url, "http://blabla.com")
       end
     end
 
-    #this test can never pass because of the previous test (the callback url can't change anymore)
-=begin
     context "when callback_url begin with http://" do
       it "login_at redirects correctly" do
         create_new_user
-        get :login_at_test2
-        response.should be_a_redirect
-        response.should redirect_to("https://graph.facebook.com/oauth/authorize?response_type=code&client_id=#{::Sorcery::Controller::Config.facebook.key}&redirect_uri=http%3A%2F%2Fblabla.com&scope=email%2Coffline_access&display=page&state")
+        get :login_at_test_facebook
+        expect(response).to be_a_redirect
+        expect(response).to redirect_to("https://www.facebook.com/v2.2/dialog/oauth?client_id=#{::Sorcery::Controller::Config.facebook.key}&display=page&redirect_uri=http%3A%2F%2Ftest.host%2Foauth%2Ftwitter%2Fcallback&response_type=code&scope=email&state=")
       end
     end
-=end
+
     it "'login_from' logins if user exists" do
       # dirty hack for rails 4
       allow(subject).to receive(:register_last_activity_time_to_db)

data/spec/shared_examples/user_shared_examples.rb

@@ -87,29 +87,42 @@ shared_examples_for "rails_3_core_model" do
       expect(User).to respond_to :authenticate
     end
 
-    it "authenticate returns true if credentials are good" do
-      username = user.send(User.sorcery_config.username_attribute_names.first)
+    describe "#authenticate" do
+      it "returns user if credentials are good" do
+        expect(User.authenticate user.email, 'secret').to eq user
+      end
 
-      expect(User.authenticate username, 'secret').to be_truthy
-    end
+      it "returns nil if credentials are bad" do
+        expect(User.authenticate user.email, 'wrong!').to be nil
+      end
 
-    it "authenticate returns nil if credentials are bad" do
-      username = user.send(User.sorcery_config.username_attribute_names.first)
+      context "with empty credentials" do
+        before do
+          sorcery_model_property_set(:downcase_username_before_authenticating, true)
+        end
 
-      expect(User.authenticate username, 'wrong!').to be nil
-    end
+        after do
+          sorcery_reload!
+        end
 
-    context "with empty credentials" do
-      before do
-        sorcery_model_property_set(:downcase_username_before_authenticating, true)
+        it "don't downcase empty credentials" do
+          expect(User.authenticate(nil, 'wrong!')).to be_falsy
+        end
       end
 
-      after do
-        sorcery_reload!
-      end
+      context "and model implements active_for_authentication?" do
+
+        it "authenticates returns user if active_for_authentication? returns true" do
+          allow_any_instance_of(User).to receive(:active_for_authentication?) { true }
 
-      it "don't downcase empty credentials" do
-        expect(User.authenticate(nil, 'wrong!')).to be_falsy
+          expect(User.authenticate user.email, 'secret').to eq user
+        end
+
+        it "authenticate returns nil if active_for_authentication? returns false" do
+          allow_any_instance_of(User).to receive(:active_for_authentication?) { false }
+
+          expect(User.authenticate user.email, 'secret').to be_nil
+        end
       end
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sorcery
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.1
 platform: ruby
 authors:
 - Noam Ben Ari
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-13 00:00:00.000000000 Z
+date: 2015-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth
@@ -365,3 +365,4 @@ signing_key:
 specification_version: 4
 summary: Magical authentication for Rails 3 & 4 applications
 test_files: []
+has_rdoc: