Module: Sinatra::CanvasAuth
- Defined in:
- lib/sinatra/canvas_auth.rb,
lib/sinatra/canvas_auth/version.rb
Defined Under Namespace
Classes: StateError
Constant Summary collapse
- DEFAULT_SETTINGS =
{ :auth_paths => [/.*/], :canvas_url => nil, :client_id => nil, :client_secret => nil, :failure_redirect => '/login-failure', :login_path => '/canvas-auth-login', :token_path => '/canvas-auth-token', :logout_path => '/canvas-auth-logout', :logout_redirect => '/logged-out', :public_paths => [], :unauthorized_redirect => '/unauthorized' }.freeze
- VERSION =
"0.1.1"
Class Method Summary collapse
-
.auth_path?(app, current_path, script_name = '') ⇒ Boolean
Should the current path ask for authentication or is it public?.
- .merge_defaults(app) ⇒ Object
- .registered(app) ⇒ Object
-
.verify_oauth_state(params, session) ⇒ Object
Verify state param from Canvas is the same one originally sent.
Instance Method Summary collapse
-
#authenticate(*paths) ⇒ Object
Just a prettier syntax for setting auth_paths.
Class Method Details
.auth_path?(app, current_path, script_name = '') ⇒ Boolean
Should the current path ask for authentication or is it public?
145 146 147 148 149 150 151 152 153 |
# File 'lib/sinatra/canvas_auth.rb', line 145 def self.auth_path?(app, current_path, script_name = '') exempt_paths = [ app.login_path, app.token_path, app.logout_path, app.logout_redirect, app., app.failure_redirect ] app.auth_paths.select{ |p| current_path.match(p) }.any? && !app.public_paths.select{ |p| current_path.match(p) }.any? && !exempt_paths.map{|p| File.join(script_name, p)}.include?(current_path) end |
.merge_defaults(app) ⇒ Object
155 156 157 158 159 160 161 |
# File 'lib/sinatra/canvas_auth.rb', line 155 def self.merge_defaults(app) DEFAULT_SETTINGS.each do |key, value| if !app.respond_to?(key) app.set key, value end end end |
.registered(app) ⇒ Object
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 |
# File 'lib/sinatra/canvas_auth.rb', line 29 def self.registered(app) self.merge_defaults(app) app.helpers do def login_url(state = nil) return false if request.nil? path_elements = [request.env['SCRIPT_NAME'], settings.login_path] path_elements << state if state File.join(path_elements) end def render_view(header='', ='') render(:erb, :canvas_auth, { :views => File.(File.dirname(__FILE__)), :locals => { :header => header, :message => } }) end end app.get app.login_path do session['oauth_redirect'] ||= request.env['SCRIPT_NAME'] session['oauth_state'] = SecureRandom.urlsafe_base64(24) redirect_uri = "#{request.scheme}://#{request.host_with_port}" \ "#{request.env['SCRIPT_NAME']}#{settings.token_path}" redirect_params = "client_id=#{settings.client_id}&" \ "response_type=code&" \ "state=#{session['oauth_state']}&" \ "redirect_uri=#{CGI.escape(redirect_uri)}" ['scope', 'purpose', 'force_login', 'unique_id'].each do |optional_param| if params[optional_param] redirect_params += "&#{optional_param}=#{CGI.escape(params[optional_param])}" end end redirect "#{settings.canvas_url}/login/oauth2/auth?#{redirect_params}" end app.get app.token_path do payload = { :code => params['code'], :client_id => settings.client_id, :client_secret => settings.client_secret } begin CanvasAuth.verify_oauth_state(session, params) response = RestClient.post("#{settings.canvas_url}/login/oauth2/token", payload) rescue RestClient::Exception, CanvasAuth::StateError => e failure_url = File.join(request.env['SCRIPT_NAME'], settings.failure_redirect) redirect (failure_url + "?error=#{params[:error] || CGI.escape(e.to_s)}") end response = JSON.parse(response) session['user_id'] = response['user']['id'] session['access_token'] = response['access_token'] oauth_callback(response) if self.respond_to?(:oauth_callback) redirect session['oauth_redirect'] end app.get app.logout_path do if session['access_token'] delete_url = "#{settings.canvas_url}/login/oauth2/token" delete_url += "&expire_sessions=1" if params['expire_sessions'] RestClient::Request.execute({ :method => :delete, :url => delete_url, :headers => { :authorization => "Bearer #{session['access_token']}" } }) end session.clear redirect to(settings.logout_redirect) end app.get app.logout_redirect do render_view('Logged out', 'You have been successfully logged out') end app.get app. do render_view('Authentication Failed', 'Your canvas account is unauthorized to view this resource') end app.get app.failure_redirect do = "Login could not be completed." if params[:error] && !params[:error].empty? += " (#{CGI.unescape(params[:error])})" end render_view("Authentication Failed", ) end # Redirect unauthenticated/unauthorized users before hitting app routes app.before do current_path = "#{request.env['SCRIPT_NAME']}#{request.env['PATH_INFO']}" if CanvasAuth.auth_path?(self.settings, current_path, request.env['SCRIPT_NAME']) if session['user_id'].nil? session['oauth_redirect'] = current_path redirect "#{request.env['SCRIPT_NAME']}#{settings.login_path}" elsif self.respond_to?(:authorized) && ! redirect "#{request.env['SCRIPT_NAME']}#{settings.}" end end end end |
.verify_oauth_state(params, session) ⇒ Object
Verify state param from Canvas is the same one originally sent. Otherwise, unauthorized requests can be made by intercepting the redirect from Canvas to app token_path and tricking an authorized user into accessing the link. homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html
167 168 169 170 171 172 |
# File 'lib/sinatra/canvas_auth.rb', line 167 def self.verify_oauth_state(params, session) saved_state = session['oauth_state'] if saved_state != params['state'] || (saved_state && saved_state.empty?) raise CanvasAuth::StateError, 'Invalid OAuth state token provided' end end |
Instance Method Details
#authenticate(*paths) ⇒ Object
Just a prettier syntax for setting auth_paths
25 26 27 |
# File 'lib/sinatra/canvas_auth.rb', line 25 def authenticate(*paths) set :auth_paths, paths end |