Module: Sinatra::CanvasAuth

Defined in:
lib/sinatra/canvas_auth.rb,
lib/sinatra/canvas_auth/version.rb

Defined Under Namespace

Classes: StateError

Constant Summary collapse

DEFAULT_SETTINGS = 
{
  :auth_paths            => [/.*/],
  :canvas_url            => nil,
  :client_id             => nil,
  :client_secret         => nil,
  :failure_redirect      => '/login-failure',
  :login_path            => '/canvas-auth-login',
  :token_path            => '/canvas-auth-token',
  :logout_path           => '/canvas-auth-logout',
  :logout_redirect       => '/logged-out',
  :public_paths          => [],
  :unauthorized_redirect => '/unauthorized'
}.freeze
VERSION = 
"0.1.1"

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.auth_path?(app, current_path, script_name = '') ⇒ Boolean

Should the current path ask for authentication or is it public?

Returns:

  • (Boolean) 


145
146
147
148
149
150
151
152
153
 
# File 'lib/sinatra/canvas_auth.rb', line 145

def self.auth_path?(app, current_path, script_name = '')
  exempt_paths = [ app., app.token_path, app.logout_path,
                   app.logout_redirect, app.unauthorized_redirect,
                   app.failure_redirect ]

  app.auth_paths.select{ |p| current_path.match(p) }.any? &&
  !app.public_paths.select{ |p| current_path.match(p) }.any? &&
  !exempt_paths.map{|p| File.join(script_name, p)}.include?(current_path)
end

.merge_defaults(app) ⇒ Object 



155
156
157
158
159
160
161
 
# File 'lib/sinatra/canvas_auth.rb', line 155

def self.merge_defaults(app)
  DEFAULT_SETTINGS.each do |key, value|
    if !app.respond_to?(key)
      app.set key, value
    end
  end
end

.registered(app) ⇒ Object 



29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
 
# File 'lib/sinatra/canvas_auth.rb', line 29

def self.registered(app)
  self.merge_defaults(app)

  app.helpers do
    def (state = nil)
      return false if request.nil?
      path_elements = [request.env['SCRIPT_NAME'], settings.]
      path_elements << state if state
      File.join(path_elements)
    end

    def render_view(header='', message='')
      render(:erb, :canvas_auth, {
        :views => File.expand_path(File.dirname(__FILE__)),
        :locals => {
          :header => header,
          :message => message
        }
      })
    end
  end

  app.get app. do
    session['oauth_redirect'] ||= request.env['SCRIPT_NAME']
    session['oauth_state'] = SecureRandom.urlsafe_base64(24)

    redirect_uri = "#{request.scheme}://#{request.host_with_port}" \
                   "#{request.env['SCRIPT_NAME']}#{settings.token_path}"

    redirect_params = "client_id=#{settings.client_id}&" \
                      "response_type=code&" \
                      "state=#{session['oauth_state']}&" \
                      "redirect_uri=#{CGI.escape(redirect_uri)}"

    ['scope', 'purpose', 'force_login', 'unique_id'].each do |optional_param|
      if params[optional_param]
        redirect_params += "&#{optional_param}=#{CGI.escape(params[optional_param])}"
      end
    end

    redirect "#{settings.canvas_url}/login/oauth2/auth?#{redirect_params}"
  end

  app.get app.token_path do
    payload = {
      :code          => params['code'],
      :client_id     => settings.client_id,
      :client_secret => settings.client_secret
    }

    begin
      CanvasAuth.verify_oauth_state(session, params)
      response = RestClient.post("#{settings.canvas_url}/login/oauth2/token", payload)
    rescue RestClient::Exception, CanvasAuth::StateError => e
      failure_url = File.join(request.env['SCRIPT_NAME'], settings.failure_redirect)
      redirect (failure_url + "?error=#{params[:error] || CGI.escape(e.to_s)}")
    end

    response = JSON.parse(response)
    session['user_id'] = response['user']['id']
    session['access_token'] = response['access_token']
    oauth_callback(response) if self.respond_to?(:oauth_callback)

    redirect session['oauth_redirect']
  end

  app.get app.logout_path do
    if session['access_token']
      delete_url = "#{settings.canvas_url}/login/oauth2/token"
      delete_url += "&expire_sessions=1" if params['expire_sessions']

      RestClient::Request.execute({
        :method  => :delete,
        :url     => delete_url,
        :headers => {
          :authorization => "Bearer #{session['access_token']}"
        }
      })
    end
    session.clear
    redirect to(settings.logout_redirect)
  end

  app.get app.logout_redirect do
    render_view('Logged out', 'You have been successfully logged out')
  end

  app.get app.unauthorized_redirect do
    render_view('Authentication Failed',
                'Your canvas account is unauthorized to view this resource')
  end

  app.get app.failure_redirect do
    message = "Login could not be completed."
    if params[:error] && !params[:error].empty?
      message += " (#{CGI.unescape(params[:error])})"
    end

    render_view("Authentication Failed", message)
  end

  # Redirect unauthenticated/unauthorized users before hitting app routes
  app.before do
    current_path = "#{request.env['SCRIPT_NAME']}#{request.env['PATH_INFO']}"
    if CanvasAuth.auth_path?(self.settings, current_path, request.env['SCRIPT_NAME'])
      if session['user_id'].nil?
        session['oauth_redirect'] = current_path
        redirect "#{request.env['SCRIPT_NAME']}#{settings.}"
      elsif self.respond_to?(:authorized) && !authorized
        redirect "#{request.env['SCRIPT_NAME']}#{settings.unauthorized_redirect}"
      end
    end
  end
end

.verify_oauth_state(params, session) ⇒ Object

Verify state param from Canvas is the same one originally sent. Otherwise, unauthorized requests can be made by intercepting the redirect from Canvas to app token_path and tricking an authorized user into accessing the link. homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html



167
168
169
170
171
172
 
# File 'lib/sinatra/canvas_auth.rb', line 167

def self.verify_oauth_state(params, session)
  saved_state = session['oauth_state']
  if saved_state != params['state'] || (saved_state && saved_state.empty?)
    raise CanvasAuth::StateError, 'Invalid OAuth state token provided'
  end
end

Instance Method Details

#authenticate(*paths) ⇒ Object

Just a prettier syntax for setting auth_paths



25
26
27
 
# File 'lib/sinatra/canvas_auth.rb', line 25

def authenticate(*paths)
  set :auth_paths, paths
end