nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

OpenID: remove private profile data claims that are not returned anyway and fix return values for profile and picture

Browse source
This commit is contained in:
Jonne Haß 2019-04-28 17:00:16 +02:00 committed by Jonne Haß
parent dad54db7f4
commit d08b31f2ed
9 changed files with 8 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/models/api/openid_connect/authorization.rb
View file

@ -19,14 +19,11 @@ module Api
scope :with_redirect_uri, ->(given_uri) { where redirect_uri: given_uri } scope :with_redirect_uri, ->(given_uri) { where redirect_uri: given_uri }
SCOPES = %w[ SCOPES = %w[
birthdate
contacts:modify contacts:modify
contacts:read contacts:read
conversations conversations
email email
gender
interactions interactions
locale
name name
nickname nickname
notifications notifications
@ -35,14 +32,12 @@ module Api
private:modify private:modify
private:read private:read
profile profile
profile
profile:modify profile:modify
public:modify public:modify
public:read public:read
sub sub
tags:modify tags:modify
tags:read tags:read
updated_at
].freeze ].freeze
def setup def setup

4
app/serializers/user_info_serializer.rb
View file

@ -17,10 +17,10 @@ class UserInfoSerializer < ActiveModel::Serializer
end end
def profile def profile
File.join(AppConfig.environment.url, "people", object.guid).to_s api_v1_user_url
end end
def picture def picture
File.join(AppConfig.environment.url, object.image_url).to_s object.image_url(fallback_to_default: false)
end end
end end

12
config/locales/diaspora/en.yml
View file

@ -937,18 +937,6 @@ en:
picture: picture:
name: "picture" name: "picture"
description: "This grants read access to user's profile picture data to the application." description: "This grants read access to user's profile picture data to the application."
gender:
name: "gender"
description: "This grants read access to the user's gendere data to the application."
birthdate:
name: "birthdate"
description: "This grants read access ot the user's birthdate to the application."
locale:
name: "locale"
description: "This grants read access ot the user's locale to the application."
updated_at:
name: "updated_at"
description: "This grants read access to the user's profile update time to the application."
'contacts:read': 'contacts:read':
name: "contacts:read" name: "contacts:read"
description: "This grants read permissions to contacts and related data (like aspects) to the application." description: "This grants read permissions to contacts and related data (like aspects) to the application."

2
features/step_definitions/oidc_common_steps.rb
View file

@ -28,7 +28,7 @@ Then /^I should receive "([^\"]*)"'s id, username, and email$/ do |username|
user_info_json = JSON.parse(last_response.body) user_info_json = JSON.parse(last_response.body)
user = User.find_by_username(username) user = User.find_by_username(username)
user_profile_url = File.join(AppConfig.environment.url, "people", user.guid).to_s user_profile_url = File.join(AppConfig.environment.url, "people", user.guid).to_s
expect(user_info_json["profile"]).to have_content(user_profile_url) expect(user_info_json["profile"]).to have_content(api_v1_user_path)
end end
Then /^I should receive an "([^\"]*)" error$/ do |error_message| Then /^I should receive an "([^\"]*)" error$/ do |error_message|

1
lib/api/openid_connect/authorization_point/endpoint.rb
View file

@ -47,7 +47,6 @@ module Api
end end
def build_scopes(req) def build_scopes(req)
replace_profile_scope_with_specific_claims(req)
@scopes = req.scope.map {|scope| @scopes = req.scope.map {|scope|
scope.tap do |scope_name| scope.tap do |scope_name|
req.invalid_scope! I18n.t("api.openid_connect.authorizations.new.unknown_scope") \ req.invalid_scope! I18n.t("api.openid_connect.authorizations.new.unknown_scope") \

4
lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
View file

@ -21,10 +21,6 @@ module Api
end end
end end
def replace_profile_scope_with_specific_claims(_req)
# Empty
end
def build_from_request_object(_req) def build_from_request_object(_req)
# Empty # Empty
end end

6
lib/api/openid_connect/authorization_point/endpoint_start_point.rb
View file

@ -16,12 +16,6 @@ module Api
@response_type = req.response_type @response_type = req.response_type
end end
def replace_profile_scope_with_specific_claims(req)
profile_claims = %w[sub name nickname profile picture gender birthdate locale updated_at]
scopes_as_claims = req.scope.flat_map {|scope| scope == "profile" ? profile_claims : [scope] }.uniq
req.update_param("scope", scopes_as_claims)
end
private private
def build_request_object(req) def build_request_object(req)

4
spec/factories.rb
View file

@ -448,7 +448,7 @@ FactoryGirl.define do
factory :auth_with_read_scopes, class: Api::OpenidConnect::Authorization do factory :auth_with_read_scopes, class: Api::OpenidConnect::Authorization do
o_auth_application o_auth_application
association :user, factory: :user_with_aspect association :user, factory: :user_with_aspect
scopes %w[openid sub name nickname profile picture gender birthdate locale updated_at contacts:read conversations scopes %w[openid sub name nickname profile picture contacts:read conversations
email interactions notifications private:read public:read profile tags:read] email interactions notifications private:read public:read profile tags:read]
after(:build) {|m| after(:build) {|m|
m.redirect_uri = m.o_auth_application.redirect_uris[0] m.redirect_uri = m.o_auth_application.redirect_uris[0]
@ -458,7 +458,7 @@ FactoryGirl.define do
factory :auth_with_read_scopes_not_private, class: Api::OpenidConnect::Authorization do factory :auth_with_read_scopes_not_private, class: Api::OpenidConnect::Authorization do
o_auth_application o_auth_application
association :user, factory: :user_with_aspect association :user, factory: :user_with_aspect
scopes %w[openid sub name nickname profile picture gender birthdate locale updated_at contacts:read conversations scopes %w[openid sub name nickname profile picture gender contacts:read conversations
email interactions notifications public:read profile tags:read] email interactions notifications public:read profile tags:read]
after(:build) {|m| after(:build) {|m|
m.redirect_uri = m.o_auth_application.redirect_uris[0] m.redirect_uri = m.o_auth_application.redirect_uris[0]

4
spec/integration/api/user_info_controller_spec.rb
View file

@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
describe Api::OpenidConnect::UserInfoController do describe Api::OpenidConnect::UserInfoController do
include Rails.application.routes.url_helpers
let!(:auth_with_read_and_ppid) { let!(:auth_with_read_and_ppid) {
FactoryGirl.create(:auth_with_profile_and_ppid) FactoryGirl.create(:auth_with_profile_and_ppid)
} }
@ -19,7 +21,7 @@ describe Api::OpenidConnect::UserInfoController do
@user.pairwise_pseudonymous_identifiers.find_or_create_by(identifier: "https://example.com/uri").guid @user.pairwise_pseudonymous_identifiers.find_or_create_by(identifier: "https://example.com/uri").guid
expect(json_body["sub"]).to eq(expected_sub) expect(json_body["sub"]).to eq(expected_sub)
expect(json_body["nickname"]).to eq(@user.name) expect(json_body["nickname"]).to eq(@user.name)
expect(json_body["profile"]).to eq(File.join(AppConfig.environment.url, "people", @user.guid).to_s) expect(json_body["profile"]).to end_with(api_v1_user_path)
end end
end end
end end