Class: OmniAuth::Strategies::Spiffy

Inherits:

OAuth2

• Object
• OAuth2
• OmniAuth::Strategies::Spiffy

Defined in:

lib/omniauth/strategies/spiffy.rb

Constant Summary

DEFAULT_SCOPE =

Available scopes: content themes products customers orders script_tags shipping read_* or write_*

'read_products'

SCOPE_DELIMITER =

','

MINUTE =

60

CODE_EXPIRES_AFTER =

10 * MINUTE

Class Method Summary

• .encoded_params_for_signature(params) ⇒ Object
• .hmac_sign(encoded_params, secret) ⇒ Object

Instance Method Summary

• #authorize_params ⇒ Object
• #build_access_token ⇒ Object
• #callback_phase ⇒ Object
• #callback_url ⇒ Object
• #fix_https ⇒ Object
• #normalized_scopes(scopes) ⇒ Object
• #request_phase ⇒ Object
• #setup_phase ⇒ Object
• #valid_permissions?(token) ⇒ Boolean
• #valid_scope?(token) ⇒ Boolean
• #valid_signature? ⇒ Boolean
• #valid_site? ⇒ Boolean

Class Method Details

.encoded_params_for_signature(params) ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 80

def self.encoded_params_for_signature(params)
  params = params.dup
  params.delete('hmac')
  params.delete('signature') # deprecated signature
  params.map{|k,v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}"}.sort.join('&')
end

.hmac_sign(encoded_params, secret) ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 87

def self.hmac_sign(encoded_params, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, encoded_params)
end

Instance Method Details

#authorize_params ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 137

def authorize_params
  super.tap do |params|
    params[:scope] = normalized_scopes(params[:scope] || DEFAULT_SCOPE).join(SCOPE_DELIMITER)
    params[:grant_options] = ['per-user'] if options[:per_user_permissions]
  end
end

#build_access_token ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 133

def build_access_token
  @built_access_token ||= super
end

#callback_phase ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 112

def callback_phase
  return fail!(:invalid_site, CallbackError.new(:invalid_site, "OAuth endpoint is not a Spiffy Stores site.")) unless valid_site?
  return fail!(:invalid_signature, CallbackError.new(:invalid_signature, "Signature does not match, it may have been tampered with.")) unless valid_signature?

  error = request.params["error_reason"] || request.params["error"]

  if error
    return fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
  else
    token = build_access_token
    unless valid_scope?(token)
      return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
    end
    unless valid_permissions?(token)
      return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
    end
  end

  super
end

#callback_url ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 144

def callback_url
  options[:callback_url] || full_host + script_name + callback_path
end

#fix_https ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 95

def fix_https
  options[:client_options][:site] = options[:client_options][:site].gsub(/\Ahttp\:/, 'https:')
end

#normalized_scopes(scopes) ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 74

def normalized_scopes(scopes)
  scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
  ignore_scopes = scope_list.map { |scope| scope =~ /\Awrite_(.*)\z/ && "read_#{$1}" }.compact
  scope_list - ignore_scopes
end

#request_phase ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 104

def request_phase
  if valid_site?
    super
  else
    fail!(:invalid_site)
  end
end

#setup_phase ⇒ Object

# File 'lib/omniauth/strategies/spiffy.rb', line 99

def setup_phase
  super
  fix_https
end

#valid_permissions?(token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/omniauth/strategies/spiffy.rb', line 91

def valid_permissions?(token)
  token && (options[:per_user_permissions] == !token['associated_user'].nil?)
end

#valid_scope?(token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/omniauth/strategies/spiffy.rb', line 67

def valid_scope?(token)
  params = options.authorize_params.merge(options_for("authorize"))
  return false unless token && params[:scope] && token['scope']
  expected_scope = normalized_scopes(params[:scope]).sort
  (expected_scope == token['scope'].split(SCOPE_DELIMITER).sort)
end

#valid_signature? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/omniauth/strategies/spiffy.rb', line 53

def valid_signature?
  return false unless request.POST.empty?

  params = request.GET
  signature = params['hmac']
  timestamp = params['timestamp']
  return false unless signature && timestamp

  return false unless timestamp.to_i > Time.now.to_i - CODE_EXPIRES_AFTER

  calculated_signature = self.class.hmac_sign(self.class.encoded_params_for_signature(params), options.client_secret)
  Rack::Utils.secure_compare(calculated_signature, signature)
end

#valid_site? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/omniauth/strategies/spiffy.rb', line 49

def valid_site?
  !!(/\A(https|http)\:\/\/[a-zA-Z0-9][a-zA-Z0-9\-]*\.#{Regexp.quote(options[:spiffy_stores_domain])}[\/]?\z/ =~ options[:client_options][:site])
end