Name: warden-github
Owner: HuBoard
Description: :lock: warden strategy for github oauth
Created: 2016-05-09 16:58:06.0
Updated: 2016-05-09 16:58:07.0
Pushed: 2016-09-07 18:45:10.0
Size: 183
Language: Ruby
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
A warden strategy that provides OAuth authentication to GitHub.
To play with the extension, follow these steps:
Check out a copy of the source.
Create an application on GitHub and set the callback URL to http://localhost:9292
Run the following command with the client id and client secret obtained from the previous step:
GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup
This will run the example app example/simple_app.rb.
If you wish to see multiple user scopes in action, run the above command with an additional variable:
MULTI_SCOPE_APP=1 GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup
This will run the example app example/multi_scope_app.rb.
Point your browser at http://localhost:9292/ and enjoy!
In order to use this strategy, simply tell warden about it.
This is done by using Warden::Manager as a rack middleware and passing a config block to it.
Read more about warden setup at the warden wiki.
For simple usage without customization, simply specify it as the default strategy.
Warden::Manager do |config|
nfig.failure_app = BadAuthentication
nfig.default_strategies :github
In order to pass custom configurations, you need to configure a warden scope.
Note that the default warden scope (i.e. when not specifying any explicit scope) is :default.
Here's an example that specifies configs for the default scope and a custom admin scope. Using multiple scopes allows you to have different user types.
Warden::Manager do |config|
nfig.failure_app = BadAuthentication
nfig.default_strategies :github
nfig.scope_defaults :default, :config => { :scope => 'user:email' }
nfig.scope_defaults :admin, :config => { :client_id => 'foobar',
:client_secret => 'barfoo',
:scope => 'user,repo',
:redirect_uri => '/admin/oauth/callback' }
nfig.serialize_from_session { |key| Warden::GitHub::Verifier.load(key) }
nfig.serialize_into_session { |user| Warden::GitHub::Verifier.dump(user) }
The two serialization methods store the API token in the session securely via the WARDEN_GITHUB_VERIFIER_SECRET environmental variable.
The config parameters and their defaults are listed below. Please refer to the GitHub OAuth documentation for an explanation of their meaning.
ENV['GITHUB_CLIENT_ID'] and raises if not present.ENV['GITHUB_CLIENT_SECRET'] and raises if not present.nil.GitHub API communication is done entirely through the octokit gem.
For the OAuth process (which uses another endpoint than the API), the web endpoint is read from octokit.
In order to configure octokit for GitHub Enterprise you can either define the two environment variables OCTOKIT_API_ENDPOINT and OCTOKIT_WEB_ENDPOINT, or configure the Octokit module as specified in their README.
This gem and its dependencies do not explicitly depend on any JSON library. If you're on ruby 1.8.7 you'll have to include one explicitly. ruby 1.9 comes with a json library that will be used if no other is specified.
Some warden methods that you will need:
'warden'].authenticate! # => Uses the configs from the default scope.
'warden'].authenticate!(:scope => :admin) # => Uses the configs from the admin scope.
alogous to previous lines, but does not halt if authentication does not succeed.
'warden'].authenticate
'warden'].authenticate(:scope => :admin)
'warden'].authenticated? # => Checks whether the default scope is logged in.
'warden'].authenticated?(:admin) # => Checks whether the admin scope is logged in.
'warden'].user # => The user for the default scope.
'warden'].user(:admin) # => The user for the admin scope.
'warden'].session # => Namespaced session accessor for the default scope.
'warden'].session(:admin) # => Namespaced session accessor for the admin scope.
'warden'].logout # => Logs out all scopes.
'warden'].logout(:default) # => Logs out the default scope.
'warden'].logout(:admin) # => Logs out the admin scope.
For further documentation, refer to the warden wiki.
The user object (Warden::GitHub::User) responds to the following methods:
= env['warden'].user
.id # => The GitHub user id.
.login # => The GitHub username.
.name
.gravatar_id # => The md5 email hash to construct a gravatar image.
.avatar_url
.email # => Requires user:email or user scope.
.company
ese require user scope.
.organization_member?('rails') # => Checks 'rails' organization membership.
.organization_public_member?('github') # => Checks publicly disclosed 'github' organization membership.
.team_member?(1234) # => Checks membership in team with id 1234.
I access
.api # => Authenticated Octokit::Client for the user.
For more information on API access, refer to the octokit documentation.
If you're looking for an easy way to integrate this into a Sinatra or Rails application, take a look at the following gems:
OAuth applications owned by the GitHub organization are sent an extra browser parameter to ensure that the user remains logged in to github.com. Taking advantage of this is provided by a small module you include into your controller and a before filter. Your ApplicationController should resemble something like this.
s ApplicationController < ActionController::Base
clude Warden::GitHub::SSO
otect_from_forgery with: :exception
fore_filter :verify_logged_in_user
ivate
f verify_logged_in_user
unless github_user && warden_github_sso_session_valid?(github_user, 120)
request.env['warden'].logout
request.env['warden'].authenticate!
end
d
You can also see single sign out in action in the example app.