Hello community,

here is the log from the commit of package rubygem-omniauth for 
openSUSE:Factory checked in at 2021-01-21 21:56:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-omniauth (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-omniauth.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-omniauth"

Thu Jan 21 21:56:00 2021 rev:5 rq:865210 version:2.0.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-omniauth/rubygem-omniauth.changes        
2020-05-11 13:39:02.080825893 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-omniauth.new.28504/rubygem-omniauth.changes 
    2021-01-21 21:56:02.113822344 +0100
@@ -1,0 +2,6 @@
+Wed Jan 20 13:01:14 UTC 2021 - Stephan Kulow <co...@suse.com>
+
+updated to version 2.0.1
+  no changelog found
+
+-------------------------------------------------------------------

Old:
----
  omniauth-1.9.1.gem

New:
----
  omniauth-2.0.1.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-omniauth.spec ++++++
--- /var/tmp/diff_new_pack.9o28ui/_old  2021-01-21 21:56:02.729822773 +0100
+++ /var/tmp/diff_new_pack.9o28ui/_new  2021-01-21 21:56:02.733822776 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-omniauth
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-omniauth
-Version:        1.9.1
+Version:        2.0.1
 Release:        0
 %define mod_name omniauth
 %define mod_full_name %{mod_name}-%{version}

++++++ omniauth-1.9.1.gem -> omniauth-2.0.1.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.github/FUNDING.yml new/.github/FUNDING.yml
--- old/.github/FUNDING.yml     1970-01-01 01:00:00.000000000 +0100
+++ new/.github/FUNDING.yml     2021-01-16 22:19:44.000000000 +0100
@@ -0,0 +1,2 @@
+github: bobbymcwho
+tidelift: rubygems/omniauth
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.github/workflows/main.yml 
new/.github/workflows/main.yml
--- old/.github/workflows/main.yml      1970-01-01 01:00:00.000000000 +0100
+++ new/.github/workflows/main.yml      2021-01-16 22:19:44.000000000 +0100
@@ -0,0 +1,89 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies 
and run tests with Rake
+# For more information see: 
https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        ruby: [2.5, 2.6, 2.7, head, debug, truffleruby, truffleruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+  test-jruby:
+    runs-on: ubuntu-18.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos]
+        jruby: [jruby, jruby-head]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.jruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle install
+    - name: Run tests
+      env:
+        JRUBY_OPTS: --debug
+      run: bundle exec rake
+  frozen-string-compat:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      env:
+        RUBYOPT: "--enable-frozen-string-literal"
+      run: bundle exec rake
+  coveralls:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@v1.1.2
+      with:
+        github-token: ${{ secrets.github_token }}
+        path-to-lcov: './coverage/lcov/omniauth.lcov'
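Review bot: The `os: [ubuntu, macos]` matrix dimension in `test` and `test-jruby` is never referenced — both jobs hardcode `runs-on: ubuntu-18.04` — so it only doubles the job count without ever exercising macOS; either drop the dimension or use `runs-on: ${{ matrix.os }}-latest`. The Ruby versions in `ruby:` and in the two `ruby-version: 2.6` lines are unquoted floats; they round-trip today, but writing them as `"2.5"`, `"2.6"`, `"2.7"` avoids the `3.10` → `3.1` trap the moment the list grows. `actions/checkout@v2`, `ruby/setup-ruby@v1` and `coverallsapp/github-action@v1.1.2` are referenced by mutable tags; the header comment itself notes these are third-party actions, and pinning each to a commit SHA with the version in a trailing comment would make the CI supply chain reproducible.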
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      2020-03-02 18:36:11.000000000 +0100
+++ new/.gitignore      2021-01-16 22:19:44.000000000 +0100
@@ -10,3 +10,4 @@
 log/*
 measurement/*
 pkg/*
+.DS_Store
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.travis.yml new/.travis.yml
--- old/.travis.yml     2020-03-02 18:36:11.000000000 +0100
+++ new/.travis.yml     1970-01-01 01:00:00.000000000 +0100
@@ -1,25 +0,0 @@
-bundler_args: --without development
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '1.17.3'
-install:
- - bundle _1.17.3_ install --jobs=3 --retry=3
-cache: bundler
-env:
-  global:
-    - JRUBY_OPTS="$JRUBY_OPTS --debug"
-language: ruby
-rvm:
-  - jruby-9000
-  - 2.2.9
-  - 2.3.5
-  - 2.4.4
-  - 2.5.3
-  - jruby-head
-  - ruby-head
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-  fast_finish: true
-sudo: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Gemfile new/Gemfile
--- old/Gemfile 2020-03-02 18:36:11.000000000 +0100
+++ new/Gemfile 2021-01-16 22:19:44.000000000 +0100
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'jruby-openssl', '~> 0.9.19', :platforms => :jruby
+gem 'jruby-openssl', '~> 0.10.5', :platforms => :jruby
 gem 'rake', '>= 12.0'
 gem 'yard', '>= 0.9.11'
 
@@ -12,16 +12,18 @@
 end
 
 group :test do
-  gem 'coveralls', :require => false
+  gem 'coveralls_reborn', '~> 0.19.0', require: false
   gem 'hashie', '>= 3.4.6', '~> 4.0.0', :platforms => [:jruby_18]
-  gem 'json', '~> 2.0.3', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem 'json', '~> 2.3.0', :platforms => %i[jruby_18 jruby_19 ruby_19]
   gem 'mime-types', '~> 3.1', :platforms => [:jruby_18]
   gem 'rack', '>= 2.0.6', :platforms => %i[jruby_18 jruby_19 ruby_19 ruby_20 
ruby_21]
   gem 'rack-test'
   gem 'rest-client', '~> 2.0.0', :platforms => [:jruby_18]
-  gem 'rspec', '~> 3.5.0'
+  gem 'rspec', '~> 3.5'
+  gem 'rack-freeze'
   gem 'rubocop', '>= 0.58.2', '< 0.69.0', :platforms => %i[ruby_20 ruby_21 
ruby_22 ruby_23 ruby_24]
-  gem 'tins', '~> 1.13.0', :platforms => %i[jruby_18 jruby_19 ruby_19]
+  gem 'simplecov-lcov'
+  gem 'tins', '~> 1.13', :platforms => %i[jruby_18 jruby_19 ruby_19]
 end
 
 gemspec
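Review bot: `gem 'rack-freeze'` and `gem 'simplecov-lcov'` are added with no version constraint, unlike the neighbouring `coveralls_reborn`, `json` and `tins` entries that this same hunk pins with `~>`; a future major release of either gem can then change the test environment without any Gemfile edit. Giving both a `~>` pessimistic constraint like the rest of the `:test` group keeps the lockfile-free upgrade path deliberate.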
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       2020-03-02 18:36:11.000000000 +0100
+++ new/README.md       2021-01-16 22:19:44.000000000 +0100
@@ -2,15 +2,16 @@
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth.svg)][gem]
 [![Build Status](http://img.shields.io/travis/omniauth/omniauth.svg)][travis]
-[![Code 
Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth.svg)][codeclimate]
+[![Code 
Climate](https://api.codeclimate.com/v1/badges/ffd33970723587806744/maintainability)][codeclimate]
 [![Coverage 
Status](http://img.shields.io/coveralls/omniauth/omniauth.svg)][coveralls]
-[![Security](https://hakiri.io/github/omniauth/omniauth/master.svg)](https://hakiri.io/github/omniauth/omniauth/master)
 
 [gem]: https://rubygems.org/gems/omniauth
 [travis]: http://travis-ci.org/omniauth/omniauth
 [codeclimate]: https://codeclimate.com/github/omniauth/omniauth
 [coveralls]: https://coveralls.io/r/omniauth/omniauth
 
+This is the documentation for version 2.0.1.
+
 ## An Introduction
 OmniAuth is a library that standardizes multi-provider authentication for
 web applications. It was created to be powerful, flexible, and do as
@@ -32,8 +33,8 @@
 ## Getting Started
 Each OmniAuth strategy is a Rack Middleware. That means that you can use
 it the same way that you use any other Rack middleware. For example, to
-use the built-in Developer strategy in a Sinatra application I might do
-this:
+use the built-in Developer strategy in a Sinatra application you might
+do this:
 
 ```ruby
 require 'sinatra'
@@ -45,7 +46,7 @@
 end
 ```
 
-Because OmniAuth is built for *multi-provider* authentication, I may
+Because OmniAuth is built for *multi-provider* authentication, you may
 want to leave room to run multiple strategies. For this, the built-in
 `OmniAuth::Builder` class gives you an easy way to specify multiple
 strategies. Note that there is **no difference** between the following
@@ -82,18 +83,21 @@
 contains as much information about the user as OmniAuth was able to
 glean from the utilized strategy. You should set up an endpoint in your
 application that matches to the callback URL and then performs whatever
-steps are necessary for your application. For example, in a Rails app I
-would add a line in my `routes.rb` file like this:
+steps are necessary for your application. For example, in a Rails app
+you would add a line in your `routes.rb` file like this:
 
 ```ruby
-get '/auth/:provider/callback', to: 'sessions#create'
+post '/auth/:provider/callback', to: 'sessions#create'
 ```
 
-And I might then have a `SessionsController` with code that looks
+And you might then have a `SessionsController` with code that looks
 something like this:
 
 ```ruby
 class SessionsController < ApplicationController
+  # If you're using a strategy that POSTs during callback, you'll need to skip 
the authenticity token check for the callback action only. 
+  skip_before_action :verify_authenticity_token, only: :create
+
   def create
     @user = User.find_or_create_from_auth_hash(auth_hash)
     self.current_user = @user
@@ -108,7 +112,7 @@
 end
 ```
 
-The `omniauth.auth` key in the environment hash gives me my
+The `omniauth.auth` key in the environment hash provides an
 Authentication Hash which will contain information about the just
 authenticated user including a unique id, the strategy they just used
 for authentication, and personal details such as name and email address
@@ -163,7 +167,7 @@
 and have sessions functioning as normal.
 
 To be clear: sessions may work, but your session options will be ignored
-(i.e the session key will default to `_session_id`).  Instead of the
+(i.e. the session key will default to `_session_id`).  Instead of the
 initializer, you'll have to set the relevant options somewhere
 before your middleware is built (like `application.rb`) and pass them to your
 preferred middleware, like this:
@@ -193,8 +197,14 @@
 your first stop if you are wondering about a more in-depth look at
 OmniAuth, how it works, and how to use it.
 
+## OmniAuth for Enterprise
+
+Available as part of the Tidelift Subscription.
+
+The maintainers of OmniAuth and thousands of other packages are working with 
Tidelift to deliver commercial support and maintenance for the open source 
packages you use to build your applications. Save time, reduce risk, and 
improve code health, while paying the maintainers of the exact packages you 
use. [Learn 
more.](https://tidelift.com/subscription/pkg/rubygems-omniauth?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+
 ## Supported Ruby Versions
-OmniAuth is tested under 2.1.10, 2.2.6, 2.3.3, 2.4.0, 2.5.0, and JRuby.
+OmniAuth is tested under 2.5, 2.6, 2.7, truffleruby, and JRuby.
 
 ## Versioning
 This library aims to adhere to [Semantic Versioning 2.0.0][semver]. Violations
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/SECURITY.md new/SECURITY.md
--- old/SECURITY.md     1970-01-01 01:00:00.000000000 +0100
+++ new/SECURITY.md     2021-01-16 22:19:44.000000000 +0100
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version  | Supported          |
+| -------  | ------------------ |
+| 2.0.x    | :white_check_mark: |
+| <= 1.9.1 | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/authenticity_token_protection.rb 
new/lib/omniauth/authenticity_token_protection.rb
--- old/lib/omniauth/authenticity_token_protection.rb   1970-01-01 
01:00:00.000000000 +0100
+++ new/lib/omniauth/authenticity_token_protection.rb   2021-01-16 
22:19:44.000000000 +0100
@@ -0,0 +1,32 @@
+require 'rack-protection'
+
+module OmniAuth
+  class AuthenticityError < StandardError; end
+  class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken
+    def initialize(options = {})
+      @options = default_options.merge(options)
+    end
+
+    def self.call(env)
+      new.call!(env)
+    end
+
+    def call!(env)
+      return if accepts?(env)
+
+      instrument env
+      react env
+    end
+
+    alias_method :call, :call!
+
+  private
+
+    def deny(_env)
+      OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
+      raise AuthenticityError.new(options[:message])
+    end
+
+    alias default_reaction deny
+  end
+end
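Review bot: `deny` receives the Rack env but discards it (`_env`), so the only trace of a rejected request is `Attack prevented by OmniAuth::AuthenticityTokenProtection` with no method or path, which makes the warning hard to correlate during triage; renaming the parameter to `env` and logging `OmniAuth.logger.warn("Attack prevented by #{self.class} for #{env['REQUEST_METHOD']} #{env['PATH_INFO']}")` records what was blocked without echoing any token. `OmniAuth.logger.send(:warn, ...)` is a needless indirection for a public logger method. `initialize` does not call `super`, so the base class never receives an app; that looks harmless here because `call!` never falls through to one, but a one-line comment saying so would stop a reader from "fixing" it. The `private` keyword sits at class-body indentation, two columns left of the methods it governs, unlike the rest of the class.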
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/builder.rb new/lib/omniauth/builder.rb
--- old/lib/omniauth/builder.rb 2020-03-02 18:36:11.000000000 +0100
+++ new/lib/omniauth/builder.rb 2021-01-16 22:19:44.000000000 +0100
@@ -31,7 +31,7 @@
         middleware = klass
       else
         begin
-          middleware = 
OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s)
+          middleware = 
OmniAuth::Strategies.const_get(OmniAuth::Utils.camelize(klass.to_s).to_s, false)
         rescue NameError
           raise(LoadError.new("Could not find matching strategy for 
#{klass.inspect}. You may need to install an additional gem (such as 
omniauth-#{klass})."))
         end
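Review bot: The new `false` argument to `const_get` disables the ancestor lookup, so a strategy name such as `:string` can no longer resolve to the top-level `::String` through `Object`; that is a deliberate hardening of the strategy lookup and deserves a comment, e.g. `# inherit: false — only constants defined under OmniAuth::Strategies may be resolved`. The enclosing method starts and ends outside this hunk.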
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/failure_endpoint.rb 
new/lib/omniauth/failure_endpoint.rb
--- old/lib/omniauth/failure_endpoint.rb        2020-03-02 18:36:11.000000000 
+0100
+++ new/lib/omniauth/failure_endpoint.rb        2021-01-16 22:19:44.000000000 
+0100
@@ -27,10 +27,19 @@
 
     def redirect_to_failure
       message_key = env['omniauth.error.type']
-      new_path = 
"#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}"
+
+      new_path = 
"#{env['SCRIPT_NAME']}#{strategy_path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
       Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
     end
 
+    def strategy_path_prefix
+      if env['omniauth.error.strategy']
+        env['omniauth.error.strategy'].path_prefix
+      else
+        OmniAuth.config.path_prefix
+      end
+    end
+
     def strategy_name_query_param
       return '' unless env['omniauth.error.strategy']
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/form.rb new/lib/omniauth/form.rb
--- old/lib/omniauth/form.rb    2020-03-02 18:36:11.000000000 +0100
+++ new/lib/omniauth/form.rb    2021-01-16 22:19:44.000000000 +0100
@@ -9,7 +9,7 @@
       options[:header_info] ||= ''
       self.options = options
 
-      @html = ''
+      @html = +'' # unary + string allows it to be mutable if strings are 
frozen
       @with_custom_button = false
       @footer = nil
       header(options[:title], options[:header_info])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/strategy.rb new/lib/omniauth/strategy.rb
--- old/lib/omniauth/strategy.rb        2020-03-02 18:36:11.000000000 +0100
+++ new/lib/omniauth/strategy.rb        2021-01-16 22:19:44.000000000 +0100
@@ -180,18 +180,44 @@
         raise(error)
       end
 
+      warn_if_using_get
+
       @env = env
       @env['omniauth.strategy'] = self if on_auth_path?
 
       return mock_call!(env) if OmniAuth.config.test_mode
-      return options_call if on_auth_path? && options_request?
-      return request_call if on_request_path? && 
OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
-      return callback_call if on_callback_path?
-      return other_phase if respond_to?(:other_phase)
+
+      begin
+        return options_call if on_auth_path? && options_request?
+        return request_call if on_request_path? && 
OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return callback_call if on_callback_path?
+        return other_phase if respond_to?(:other_phase)
+      rescue StandardError => e
+        return fail!(e.message, e)
+      end
 
       @app.call(env)
     end
 
+    def warn_if_using_get
+      return unless OmniAuth.config.allowed_request_methods.include?(:get)
+      return if OmniAuth.config.silence_get_warning
+
+      log :warn, <<-WARN
+  You are using GET as an allowed request method for OmniAuth. This may leave
+  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
+  to its own routes. You should review the following resources to guide your
+  mitigation:
+  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+  https://github.com/omniauth/omniauth/issues/960
+  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+  https://github.com/omniauth/omniauth/pull/809
+
+  You can ignore this warning by setting:
+  OmniAuth.config.silence_get_warning = true
+      WARN
+    end
+
     # Responds to an OPTIONS request.
     def options_call
       OmniAuth.config.before_options_phase.call(env) if 
OmniAuth.config.before_options_phase
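Review bot: `warn_if_using_get` runs at the top of `call!` for every request that passes through the middleware, so with `:get` allowed the twelve-line warning is emitted per request rather than once per process; a class-level flag (an instance variable would not persist if, as the `initialize_copy` hunk further down suggests, the strategy is duplicated per request) would keep the log readable. The new `rescue StandardError => e` / `return fail!(e.message, e)` turns any exception, including programming errors such as `NoMethodError`, into an authentication failure whose message key is the raw exception text; `FailureEndpoint#redirect_to_failure` then places that text in the `/failure?message=` redirect, so internal error details become visible to the client. Passing a fixed symbol to `fail!` and keeping `e` as the exception argument would preserve the failure routing without the leak. The same pattern is introduced in `mock_call!` in a later hunk. `call!` begins outside this hunk.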
@@ -202,17 +228,19 @@
     # Performs the steps necessary to run the request phase of a strategy.
     def request_call # rubocop:disable CyclomaticComplexity, MethodLength, 
PerceivedComplexity
       setup_phase
-      log :info, 'Request phase initiated.'
+      log :debug, 'Request phase initiated.'
 
       # store query params from the request url, extracted in the 
callback_phase
       session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if 
OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if 
OmniAuth.config.before_request_phase
 
       if options.form.respond_to?(:call)
-        log :info, 'Rendering form from supplied Rack endpoint.'
+        log :debug, 'Rendering form from supplied Rack endpoint.'
         options.form.call(env)
       elsif options.form
-        log :info, 'Rendering form from underlying application.'
+        log :debug, 'Rendering form from underlying application.'
         call_app!
       elsif !options.origin_param
         request_phase
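Review bot: `session['omniauth.params'] = request.GET` is written before `OmniAuth.config.request_validation_phase.call(env)` runs, so a request that the authenticity check then rejects has already stored its query parameters in the session, where the callback phase later restores them as `omniauth.params`; moving the validation call above the session write keeps rejected requests free of side effects. `request_call` continues past the end of this hunk, where the `AuthenticityError` rescue is added.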
@@ -225,12 +253,14 @@
 
         request_phase
       end
+    rescue OmniAuth::AuthenticityError => e
+      fail!(:authenticity_error, e)
     end
 
     # Performs the steps necessary to run the callback phase of a strategy.
     def callback_call
       setup_phase
-      log :info, 'Callback phase initiated.'
+      log :debug, 'Callback phase initiated.'
       @env['omniauth.origin'] = session.delete('omniauth.origin')
       @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
       @env['omniauth.params'] = session.delete('omniauth.params') || {}
@@ -268,8 +298,13 @@
     # in the event that OmniAuth has been configured to be
     # in test mode.
     def mock_call!(*)
-      return mock_request_call if on_request_path? && 
OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
-      return mock_callback_call if on_callback_path?
+      begin
+        OmniAuth.config.request_validation_phase.call(env) if 
OmniAuth.config.request_validation_phase
+        return mock_request_call if on_request_path? && 
OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
+        return mock_callback_call if on_callback_path?
+      rescue StandardError => e
+        return fail!(e.message, e)
+      end
 
       call_app!
     end
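Review bot: `OmniAuth.config.request_validation_phase.call(env)` is invoked before the `on_request_path?` test, whereas in `request_call` the same validation is reached only for the request phase; because `call!` hands every request to `mock_call!` when `test_mode` is on, any non-safe request that reaches the middleware in test mode — including the callback POST — is subjected to the authenticity check and converted into `fail!`. Moving the call inside the `on_request_path?` branch (or into `mock_request_call`) would keep test-mode behaviour aligned with production.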
@@ -312,10 +347,10 @@
     # underlying application. This will default to `/auth/:provider/setup`.
     def setup_phase
       if options[:setup].respond_to?(:call)
-        log :info, 'Setup endpoint detected, running now.'
+        log :debug, 'Setup endpoint detected, running now.'
         options[:setup].call(env)
       elsif options[:setup]
-        log :info, 'Calling through to underlying application for setup.'
+        log :debug, 'Calling through to underlying application for setup.'
         setup_env = env.merge('PATH_INFO' => setup_path, 'REQUEST_METHOD' => 
'GET')
         call_app!(setup_env)
       end
@@ -345,11 +380,13 @@
     end
 
     def auth_hash
-      hash = AuthHash.new(:provider => name, :uid => uid)
-      hash.info = info unless skip_info?
-      hash.credentials = credentials if credentials
-      hash.extra = extra if extra
-      hash
+      credentials_data = credentials
+      extra_data = extra
+      AuthHash.new(:provider => name, :uid => uid).tap do |auth|
+        auth.info = info unless skip_info?
+        auth.credentials = credentials_data if credentials_data
+        auth.extra = extra_data if extra_data
+      end
     end
 
     # Determines whether or not user info should be retrieved. This
@@ -389,7 +426,12 @@
     end
 
     def request_path
-      @request_path ||= options[:request_path].is_a?(String) ? 
options[:request_path] : "#{path_prefix}/#{name}"
+      @request_path ||=
+        if options[:request_path].is_a?(String)
+          options[:request_path]
+        else
+          "#{script_name}#{path_prefix}/#{name}"
+        end
     end
 
     def callback_path
@@ -397,7 +439,7 @@
         path = options[:callback_path] if options[:callback_path].is_a?(String)
         path ||= current_path if options[:callback_path].respond_to?(:call) && 
options[:callback_path].call(env)
         path ||= custom_path(:request_path)
-        path ||= "#{path_prefix}/#{name}/callback"
+        path ||= "#{script_name}#{path_prefix}/#{name}/callback"
         path
       end
     end
@@ -409,7 +451,7 @@
     CURRENT_PATH_REGEX = %r{/$}.freeze
     EMPTY_STRING       = ''.freeze
     def current_path
-      @current_path ||= request.path_info.downcase.sub(CURRENT_PATH_REGEX, 
EMPTY_STRING)
+      @current_path ||= request.path.downcase.sub(CURRENT_PATH_REGEX, 
EMPTY_STRING)
     end
 
     def query_string
@@ -441,7 +483,7 @@
     end
 
     def callback_url
-      full_host + script_name + callback_path + query_string
+      full_host + callback_path + query_string
     end
 
     def script_name
@@ -491,16 +533,15 @@
       OmniAuth.config.on_failure.call(env)
     end
 
-    def dup
-      super.tap do
-        @options = @options.dup
-      end
-    end
-
     class Options < OmniAuth::KeyStore; end
 
   protected
 
+    def initialize_copy(*args)
+      super
+      @options = @options.dup
+    end
+
     def merge_stack(stack)
       stack.inject({}) do |a, e|
         a.merge!(e)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth/version.rb new/lib/omniauth/version.rb
--- old/lib/omniauth/version.rb 2020-03-02 18:36:11.000000000 +0100
+++ new/lib/omniauth/version.rb 2021-01-16 22:19:44.000000000 +0100
@@ -1,3 +1,3 @@
 module OmniAuth
-  VERSION = '1.9.1'.freeze
+  VERSION = '2.0.1'.freeze
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/omniauth.rb new/lib/omniauth.rb
--- old/lib/omniauth.rb 2020-03-02 18:36:11.000000000 +0100
+++ new/lib/omniauth.rb 2021-01-16 22:19:44.000000000 +0100
@@ -15,6 +15,7 @@
   autoload :Form,     'omniauth/form'
   autoload :AuthHash, 'omniauth/auth_hash'
   autoload :FailureEndpoint, 'omniauth/failure_endpoint'
+  autoload :AuthenticityTokenProtection, 
'omniauth/authenticity_token_protection'
 
   def self.strategies
     @strategies ||= []
@@ -29,20 +30,22 @@
       logger
     end
 
-    def self.defaults
+    def self.defaults # rubocop:disable MethodLength
       @defaults ||= {
         :camelizations => {},
         :path_prefix => '/auth',
         :on_failure => OmniAuth::FailureEndpoint,
         :failure_raise_out_environments => ['development'],
+        :request_validation_phase => OmniAuth::AuthenticityTokenProtection,
         :before_request_phase   => nil,
         :before_callback_phase  => nil,
         :before_options_phase   => nil,
         :form_css => Form::DEFAULT_CSS,
         :test_mode => false,
         :logger => default_logger,
-        :allowed_request_methods => %i[get post],
-        :mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' 
=> '1234', 'info' => {'name' => 'Example User'})}
+        :allowed_request_methods => %i[post],
+        :mock_auth => {:default => AuthHash.new('provider' => 'default', 'uid' 
=> '1234', 'info' => {'name' => 'Example User'})},
+        :silence_get_warning => false
       }
     end
 
@@ -74,6 +77,14 @@
       end
     end
 
+    def request_validation_phase(&block)
+      if block_given?
+        @request_validation_phase = block
+      else
+        @request_validation_phase
+      end
+    end
+
     def before_request_phase(&block)
       if block_given?
         @before_request_phase = block
@@ -111,8 +122,9 @@
       camelizations[name.to_s] = camelized.to_s
     end
 
-    attr_writer :on_failure, :before_callback_phase, :before_options_phase, 
:before_request_phase
-    attr_accessor :failure_raise_out_environments, :path_prefix, 
:allowed_request_methods, :form_css, :test_mode, :mock_auth, :full_host, 
:camelizations, :logger
+    attr_writer :on_failure, :before_callback_phase, :before_options_phase, 
:before_request_phase, :request_validation_phase
+    attr_accessor :failure_raise_out_environments, :path_prefix, 
:allowed_request_methods, :form_css,
+                  :test_mode, :mock_auth, :full_host, :camelizations, :logger, 
:silence_get_warning
   end
 
   def self.config
@@ -159,7 +171,7 @@
       if first_letter_in_uppercase
         word.to_s.gsub(%r{/(.?)}) { '::' + Regexp.last_match[1].upcase 
}.gsub(/(^|_)(.)/) { Regexp.last_match[2].upcase }
       else
-        word.first + camelize(word)[1..-1]
+        camelize(word).tap { |w| w[0] = w[0].downcase }
       end
     end
   end
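Review bot: `camelize(word).tap { |w| w[0] = w[0].downcase }` raises `NoMethodError` for an empty `word`, because `w[0]` is `nil` on an empty string; `w[0] = w[0].downcase unless w.empty?` keeps the lower-camel branch total. The enclosing `camelize` method starts outside this hunk.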
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-03-02 18:36:11.000000000 +0100
+++ new/metadata        2021-01-16 22:19:44.000000000 +0100
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth
 version: !ruby/object:Gem::Version
-  version: 1.9.1
+  version: 2.0.1
 platform: ruby
 authors:
 - Michael Bleigh
@@ -10,7 +10,7 @@
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-02 00:00:00.000000000 Z
+date: 2021-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hashie
@@ -52,14 +52,28 @@
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -83,18 +97,21 @@
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE.md"
+- ".github/workflows/main.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - ".yardopts"
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/omniauth.rb
 - lib/omniauth/auth_hash.rb
+- lib/omniauth/authenticity_token_protection.rb
 - lib/omniauth/builder.rb
 - lib/omniauth/failure_endpoint.rb
 - lib/omniauth/form.css
@@ -127,8 +144,7 @@
     - !ruby/object:Gem::Version
       version: 1.3.5
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14.4
+rubygems_version: 3.0.0
 signing_key: 
 specification_version: 4
 summary: A generalized Rack framework for multiple-provider authentication.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/omniauth.gemspec new/omniauth.gemspec
--- old/omniauth.gemspec        2020-03-02 18:36:11.000000000 +0100
+++ new/omniauth.gemspec        2021-01-16 22:19:44.000000000 +0100
@@ -7,7 +7,8 @@
 Gem::Specification.new do |spec|
   spec.add_dependency 'hashie', ['>= 3.4.6']
   spec.add_dependency 'rack', ['>= 1.6.2', '< 3']
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_dependency 'rack-protection'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.authors       = ['Michael Bleigh', 'Erik Michaels-Ober', 'Tom Milewski']
   spec.description   = 'A generalized Rack framework for multiple-provider 
authentication.'
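Review bot: `spec.add_dependency 'rack-protection'` carries no version constraint, so the gem accepts any future major release of rack-protection even though the new `AuthenticityTokenProtection` subclasses `Rack::Protection::AuthenticityToken` and depends on its `accepts?`, `react` and `default_options` behaviour; the neighbouring runtime dependency is bounded (`'rack', ['>= 1.6.2', '< 3']`), and an upper bound or `~>` here would be consistent with it. The new line is also inserted between the two `add_development_dependency` lines; grouping it with the other runtime dependencies reads better.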
