warden-github 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 83a3ef77c9c968b979e04291579d63e3d4a9b846
-  data.tar.gz: 1d26de519180cb5f2bfad3b1a2e1b53a17f721f1
+  metadata.gz: 1d16b8a0ce775cffede49bad96b407ea7bb03814
+  data.tar.gz: ad6b95da408a4163251445886b2638c2061b48f2
 SHA512:
-  metadata.gz: e4f66055aab939e314e2ba914dc6c976a4e6877ca4cbbee9b1d91f866364564d61ea12bf0f58942800310520d5e6e236fa5fee7f1d908111e980f80d385f672e
-  data.tar.gz: f220011a871bbc64cbdf0280277b37a5c07a0b06e92637cef245534a861ec583599dea5d8bd38d5aefe635719ad12200d72724e4779c4be0d88e65ff4a7da29a
+  metadata.gz: f6cd9e974843071be78465b45b44c3332d3ad9ec44069d91768868d85141f9b94415543ee026c88c097e5c27aca85042dd1838ed414085221a9545b47678fff3
+  data.tar.gz: a06e7b94ddafc1eafa30cfb5257e17cf7f8c3077b4660def2cd60f08043aa113365963d00db5eed1db976518aff381cc7fc8a26fbdcf8e1718c2d191f96c6c92

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+v1.2.0 2015/02/18
+
+* Implement single sign out for cookie sessions of GitHub properties
+
 v1.0.3 2014/12/13
 
 * Reintroduce membership caching to reduce API hits for validating team membership.

data/README.md

@@ -143,6 +143,32 @@ If you're looking for an easy way to integrate this into a Sinatra or Rails appl
 - [sinatra_auth_github](https://github.com/atmos/sinatra_auth_github)
 - [warden-github-rails](https://github.com/fphilipe/warden-github-rails)
 
+## Single Sign Out
+
+OAuth applications owned by the GitHub organization are sent an extra browser parameter to ensure that the user remains logged in to github.com. Taking advantage of this is provided by a small module you include into your controller and a before filter. Your `ApplicationController` should resemble something like this.
+
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Warden::GitHub::SSO
+
+  protect_from_forgery with: :exception
+
+  before_filter :verify_logged_in_user
+
+  private
+
+  def verify_logged_in_user
+    unless github_user && warden_github_sso_session_valid?(github_user, 120)
+      request.env['warden'].logout
+      request.env['warden'].authenticate!
+    end
+  end
+end
+```
+
+You can also see single sign out in action in the example app.
+
 ## Additional Information
 
 - [warden](https://github.com/hassox/warden)

data/example/simple_app.rb

@@ -2,6 +2,8 @@ require File.expand_path('../setup', __FILE__)
 
 module Example
   class SimpleApp < BaseApp
+    include Warden::GitHub::SSO
+
     enable :inline_templates
 
     GITHUB_CONFIG = {
@@ -18,16 +20,24 @@ module Example
       config.serialize_into_session { |user| Warden::GitHub::Verifier.dump(user) }
     end
 
+    def verify_browser_session
+      if env['warden'].user && !warden_github_sso_session_valid?(env['warden'].user, 10)
+        env['warden'].logout
+      end
+    end
+
     get '/' do
       erb :index
     end
 
     get '/profile' do
+      verify_browser_session
       env['warden'].authenticate!
       erb :profile
     end
 
     get '/login' do
+      verify_browser_session
       env['warden'].authenticate!
       redirect '/'
     end
@@ -86,4 +96,12 @@ __END__
   <dd><%= env['warden'].user.team_member?(632) %></dd>
   <dt>GitHub Site Admin:</dt>
   <dd><%= env['warden'].user.site_admin? %></dd>
+  <% if env['warden'].user.using_single_sign_out? %>
+    <dt>GitHub Browser Session ID</dt>
+    <dd><%= env['warden'].user.browser_session_id %></dd>
+    <dt>GitHub Browser Session Valid</dt>
+    <dd><%= warden_github_sso_session_valid?(env['warden'].user, 10) %></dd>
+    <dt>GitHub Browser Session Verified At</dt>
+    <dd><%= Time.at(warden_github_sso_session_verified_at) %></dd>
+  <% end %>
 </dl>

data/lib/warden/github.rb

@@ -1,6 +1,8 @@
 require 'json'
 require 'warden'
+require 'octokit'
 
+require 'warden/github/sso'
 require 'warden/github/user'
 require 'warden/github/oauth'
 require 'warden/github/version'

data/lib/warden/github/sso.rb

@@ -0,0 +1,30 @@
+module Warden
+  module GitHub
+    module SSO
+      def warden_github_sso_session_valid?(user, expiry_in_seconds = 30)
+        return true if defined?(::Rails) && ::Rails.env.test?
+        if warden_github_sso_session_needs_reverification?(user, expiry_in_seconds)
+          if user.browser_session_valid?(expiry_in_seconds)
+            warden_github_sso_session_reverify!
+            return true
+          end
+          return false
+        end
+        true
+      end
+
+      def warden_github_sso_session_verified_at
+        session[:warden_github_sso_session_verified_at] || Time.now.utc.to_i - 86400
+      end
+
+      def warden_github_sso_session_reverify!
+        session[:warden_github_sso_session_verified_at] = Time.now.utc.to_i
+      end
+
+      def warden_github_sso_session_needs_reverification?(user, expiry_in_seconds)
+        user.using_single_sign_out? &&
+          (warden_github_sso_session_verified_at <= (Time.now.utc.to_i - expiry_in_seconds))
+      end
+    end
+  end
+end

data/lib/warden/github/strategy.rb

@@ -70,6 +70,10 @@ module Warden
         elsif (error = params['error']) && !error.empty?
           abort_flow!(error.gsub(/_/, ' '))
         end
+
+        if params['browser_session_id']
+          custom_session['browser_session_id'] = params['browser_session_id']
+        end
       end
 
       def custom_session
@@ -77,7 +81,7 @@ module Warden
       end
 
       def load_user
-        User.load(oauth.access_token)
+        User.load(oauth.access_token, custom_session['browser_session_id'])
       rescue OAuth::BadVerificationCode => e
         abort_flow!(e.message)
       end

data/lib/warden/github/user.rb

@@ -1,11 +1,9 @@
-require 'octokit'
-
 module Warden
   module GitHub
-    class User < Struct.new(:attribs, :token)
+    class User < Struct.new(:attribs, :token, :browser_session_id)
       ATTRIBUTES = %w[id login name gravatar_id avatar_url email company site_admin].freeze
 
-      def self.load(access_token)
+      def self.load(access_token, browser_session_id = nil)
         api  = Octokit::Client.new(:access_token => access_token)
         data =  { }
 
@@ -13,7 +11,7 @@ module Warden
           data[k.to_s] = v if ATTRIBUTES.include?(k.to_s)
         end
 
-        new(data, access_token)
+        new(data, access_token, browser_session_id)
       end
 
       def marshal_dump
@@ -71,6 +69,27 @@ module Warden
         !!site_admin
       end
 
+      # Identify if the browser session is still valid
+      #
+      # Returns: true if the browser session is still active or the GitHub API is unavailable
+      def browser_session_valid?(since = 120)
+        return true unless using_single_sign_out?
+        client = api
+        client.get("/user/sessions/active", :browser_session_id => browser_session_id)
+        client.last_response.status == 204
+      rescue Octokit::ServerError # GitHub API unavailable
+        true
+      rescue Octokit::ClientError => e # GitHub API failed
+        false
+      end
+
+      # Identify if the user is on a GitHub SSO property
+      #
+      # Returns: true if a browser_session_id is present, false otherwise.
+      def using_single_sign_out?
+        !(browser_session_id.nil? || browser_session_id == "")
+      end
+
       # Access the GitHub API from Octokit
       #
       # Octokit is a robust client library for the GitHub API

data/lib/warden/github/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module GitHub
-    VERSION = "1.1.1"
+    VERSION = "1.2.0"
   end
 end

data/spec/integration/oauth_spec.rb

@@ -100,6 +100,23 @@ describe 'OAuth' do
         authenticated_uri.query.should eq 'foo=bar'
       end
     end
+
+    context 'with GitHub SSO and code was exchanged for an access token' do
+      it 'redirects back to the original path' do
+        stub_code_for_token_exchange
+        stub_user_retrieval
+
+        unauthenticated_response = get '/profile?foo=bar'
+        github_uri = redirect_uri(unauthenticated_response)
+        state = github_uri.query_values['state']
+
+        callback_response = get "/profile?code=#{code}&state=#{state}&browser_session_id=abcdefghijklmnop"
+        authenticated_uri = redirect_uri(callback_response)
+
+        authenticated_uri.path.should eq '/profile'
+        authenticated_uri.query.should eq 'foo=bar'
+      end
+    end
   end
 
   context 'when not inside OAuth flow' do

data/spec/spec_helper.rb

@@ -16,4 +16,9 @@ RSpec.configure do |config|
   def app
     Example.app
   end
+
+  def stub_user_session_request
+    stub_request(:get, "https://api.github.com/user/sessions/active?browser_session_id=abcdefghijklmnop").
+      with(:headers => {'Accept'=>'application/vnd.github.v3+json', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Authorization'=>'token the_token', 'Content-Type'=>'application/json', 'User-Agent'=>"Octokit Ruby Gem #{Octokit::VERSION}"})
+  end
 end

data/spec/unit/sso_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+class FakeController
+  def session
+    @session ||= {}
+  end
+  include Warden::GitHub::SSO
+end
+
+describe Warden::GitHub::SSO do
+  let(:default_attrs) do
+    { 'login' => 'john',
+      'name' => 'John Doe',
+      'gravatar_id' => '38581cb351a52002548f40f8066cfecg',
+      'avatar_url' => 'http://example.com/avatar.jpg',
+      'email' => 'john@doe.com',
+      'company' => 'Doe, Inc.' }
+  end
+
+  let(:user) do
+    Warden::GitHub::User.new(default_attrs, "the_token", "abcdefghijklmnop")
+  end
+
+  subject do
+    FakeController.new
+  end
+
+  describe "warden_github_sso_session_valid?" do
+    it "identifies when browsers need to be reverified" do
+      subject.session[:warden_github_sso_session_verified_at] = Time.now.utc.to_i - 10
+      subject.should be_warden_github_sso_session_valid(user)
+
+      subject.session[:warden_github_sso_session_verified_at] = Time.now.utc.to_i - 300
+      stub_user_session_request.to_return(:status => 204, :body => "", :headers => {})
+      subject.should be_warden_github_sso_session_valid(user)
+
+      subject.session[:warden_github_sso_session_verified_at] = Time.now.utc.to_i - 300
+      stub_user_session_request.to_return(:status => 404, :body => "", :headers => {})
+      subject.should_not be_warden_github_sso_session_valid(user)
+    end
+  end
+end

data/spec/unit/user_spec.rb

@@ -15,6 +15,10 @@ describe Warden::GitHub::User do
     described_class.new(default_attrs, token)
   end
 
+  let(:sso_user) do
+    described_class.new(default_attrs, token, "abcdefghijklmnop")
+  end
+
   describe '#token' do
     it 'returns the token' do
       user.token.should eq token
@@ -108,4 +112,33 @@ describe Warden::GitHub::User do
   it 'marshals correctly' do
     Marshal.load(Marshal.dump(user)).should eq user
   end
+
+  describe 'single sign out' do
+    it "knows if the user is using single sign out" do
+      user.should_not be_using_single_sign_out
+      sso_user.should be_using_single_sign_out
+    end
+
+    context "browser reverification" do
+      it "handles success" do
+        stub_user_session_request.to_return(:status => 204, :body => "", :headers => {})
+        sso_user.should be_browser_session_valid
+      end
+
+      it "handles failure" do
+        stub_user_session_request.to_return(:status => 404, :body => "", :headers => {})
+        sso_user.should_not be_browser_session_valid
+      end
+
+      it "handles GitHub being unavailable" do
+        stub_user_session_request.to_raise(Octokit::ServerError.new)
+        sso_user.should be_browser_session_valid
+      end
+
+      it "handles authentication failures" do
+        stub_user_session_request.to_return(:status => 403, :body => "", :headers => {})
+        sso_user.should_not be_browser_session_valid
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: warden-github
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - Corey Donohoe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-15 00:00:00.000000000 Z
+date: 2015-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden
@@ -216,6 +216,7 @@ files:
 - lib/warden/github/hook.rb
 - lib/warden/github/membership_cache.rb
 - lib/warden/github/oauth.rb
+- lib/warden/github/sso.rb
 - lib/warden/github/strategy.rb
 - lib/warden/github/user.rb
 - lib/warden/github/verifier.rb
@@ -226,6 +227,7 @@ files:
 - spec/unit/config_spec.rb
 - spec/unit/membership_cache_spec.rb
 - spec/unit/oauth_spec.rb
+- spec/unit/sso_spec.rb
 - spec/unit/user_spec.rb
 - warden-github.gemspec
 homepage: http://github.com/atmos/warden-github
@@ -259,4 +261,5 @@ test_files:
 - spec/unit/config_spec.rb
 - spec/unit/membership_cache_spec.rb
 - spec/unit/oauth_spec.rb
+- spec/unit/sso_spec.rb
 - spec/unit/user_spec.rb