lib/sinatra/auth/github.rb in sinatra_auth_github-0.1.1 vs lib/sinatra/auth/github.rb in sinatra_auth_github-0.1.2
- old
+ new
@@ -3,18 +3,21 @@
require 'rest_client'
module Sinatra
module Auth
module Github
- VERSION = "0.1.1"
+ VERSION = "0.1.2"
+ # Simple way to serve an image early in the stack and not get blocked by
+ # application level before filters
class AccessDenied < Sinatra::Base
get '/_images/securocat.png' do
send_file(File.join(File.dirname(__FILE__), "views", "securocat.png"))
end
end
+ # The default failure application, this is overridable from the extension config
class BadAuthentication < Sinatra::Base
helpers do
def unauthorized_template
@unauthenticated_template ||= File.read(File.join(File.dirname(__FILE__), "views", "401.html"))
end
@@ -41,10 +44,13 @@
def logout!
warden.logout
end
+ # The authenticated user object
+ #
+ # Supports a variety of methods, name, full_name, email, etc
def github_user
warden.user
end
# Send a V3 API GET request to path
@@ -79,11 +85,11 @@
#
# Returns: true if the uesr has access, false otherwise
def github_organization_access?(name)
orgs = github_request("orgs/#{name}/members")
orgs.map { |org| org["login"] }.include?(github_user.login)
- rescue RestClient::Unauthorized, RestClient::ResourceNotFound => e
+ rescue RestClient::Forbidden, RestClient::Unauthorized, RestClient::ResourceNotFound => e
false
end
# See if the user is a member of the team id
#
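Review bot: Adding `RestClient::Forbidden` to the rescue on the `+ rescue` line makes a 403 from the members endpoint indistinguishable from a genuine non-member: a 403 can also mean the token lacks the scope to list members or the API is rate limiting, and `e` is bound but never used, so the cause is dropped before `false` is returned. `github_team_access?` in the next hunk has the same shape. Recording the failure before denying, e.g. `rescue RestClient::Forbidden, RestClient::Unauthorized, RestClient::ResourceNotFound => e` / `warn "github membership check for #{name} failed: #{e.class}"` / `false`, keeps an access denial caused by API errors distinguishable from a real membership failure when reviewing logs.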
@@ -91,20 +97,29 @@
#
# Returns: true if the uesr has access, false otherwise
def github_team_access?(team_id)
members = github_request("teams/#{team_id}/members")
members.map { |user| user["login"] }.include?(github_user.login)
- rescue RestClient::Unauthorized, RestClient::ResourceNotFound => e
+ rescue RestClient::Forbidden, RestClient::Unauthorized, RestClient::ResourceNotFound => e
false
end
- # Auth only certain individuals
+ # Enforce user membership to the named organization
+ #
+ # name - the organization to test membership against
+ #
+ # Returns an execution halt if the user is not a member of the named org
def github_organization_authenticate!(name)
authenticate!
halt([401, "Unauthorized User"]) unless github_organization_access?(name)
end
+ # Enforce user membership to the team id
+ #
+ # team_id - the team_id to test membership against
+ #
+ # Returns an execution halt if the user is not a member of the team
def github_team_authenticate!(team_id)
authenticate!
halt([401, "Unauthorized User"]) unless github_team_access?(team_id)
end
@@ -118,23 +133,22 @@
app.use Warden::Manager do |manager|
manager.default_strategies :github
manager.failure_app = app.github_options[:failure_app] || BadAuthentication
- manager[:github_secret] = app.github_options[:secret]
- manager[:github_scopes] = app.github_options[:scopes] || 'email,offline_access'
- manager[:github_client_id] = app.github_options[:client_id]
- manager[:github_organization] = app.github_options[:organization] || nil
+ manager[:github_secret] = app.github_options[:secret] || ENV['GITHUB_CLIENT_SECRET']
+ manager[:github_scopes] = app.github_options[:scopes] || 'email,offline_access'
+ manager[:github_client_id] = app.github_options[:client_id] || ENV['GITHUB_CLIENT_ID']
manager[:github_callback_url] = app.github_options[:callback_url] || '/auth/github/callback'
end
app.helpers Helpers
app.get '/auth/github/callback' do
authenticate!
- redirect _relative_url_for('/')
+ return_to = session.delete('return_to') || _relative_url_for('/')
+ redirect return_to
end
-
end
end
end
end
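Review bot: The `redirect return_to` line on the new side redirects to whatever was stored under `session['return_to']`, and this hunk does not show where that key is written; if it is ever populated from a request parameter or the Referer header, a successful login ends in a redirect to an attacker-chosen external host. Restrict it to a same-origin path before use, e.g. `return_to = session.delete('return_to')` / `return_to = _relative_url_for('/') unless return_to.to_s.start_with?('/') && !return_to.start_with?('//')` / `redirect return_to`. Separately, the `ENV['GITHUB_CLIENT_SECRET']` and `ENV['GITHUB_CLIENT_ID']` fallbacks leave `manager[:github_secret]` and `manager[:github_client_id]` nil when neither source is set, which only surfaces later during the OAuth exchange; raising at registration time with a clear message would make a misconfigured deployment fail early. The enclosing method starts outside the hunk.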