Skip to content

/ omniauth-ebay-oauth

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

omniauth-ebay-oauth implementation #2

Merged
merged 21 commits into from Nov 13, 2017
Merged

omniauth-ebay-oauth implementation #2

merged 21 commits into from Nov 13, 2017

Conversation

@ignat-z
Copy link
Contributor

@ignat-z ignat-z commented Nov 4, 2017

No description provided.

ignat-z added 13 commits Nov 2, 2017
@ignat-z
Add OmniAuth eBay strategy gem basic structure
0102a12
@ignat-z
Configure first two OAuth steps
c38ae1d
@ignat-z
Add user info OmniAuth step
5dcd453
@ignat-z
Add option to run OmniAuth in sandbox mode
877d6b1
@ignat-z
UerInfoRequest -> UserInfo to separate concerns
d9c9fec
@ignat-z
Add valid eBay user to omniauth hash mapping
d6a32a9
@ignat-z
Change name to satisfy Strategy Contribution Guide
94d6297
@ignat-z
Add rubocop to default rake task
4fd94c5
@ignat-z
Add simplecov coverage
1131190
@ignat-z
Add read timout for http requests
e6c23e6
@ignat-z
Update README with information
6e83593
@ignat-z
Add last version to travis config
f7e01b5
@ignat-z
Minor refactoring tip
7e90d80
@palkan
palkan reviewed Nov 5, 2017
View changes
spec/omniauth/ebay-oauth/user_info_request_spec.rb Outdated
let(:failure_result) { File.read('spec/fixtures/result_failure.xml') }
let(:success_result) { File.read('spec/fixtures/result_success.xml') }

before { stub_const("#{described_class}::USER_REQUEST", body) }

This comment has been minimized.

Sign in to view
@palkan

palkan Nov 5, 2017
Member

Why do we have to stub this const and not use it as body?

This comment has been minimized.

Sign in to view
@ignat-z

ignat-z Nov 5, 2017
edited
Author Contributor

The main reason -- it's easier to read when something went wrong, compare:

       You can stub this request with the following snippet:

       stub_request(:post, "https://api.com/endpoint").
         with(:body => "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<GetUserRequest xmlns=\"urn:ebay:apis:eBLBaseComponents\">\n  <ErrorLanguage>en_US</ErrorLanguage>\n  <WarningLevel>High</WarningLevel>\n  <DetailLevel>ReturnAll</DetailLevel>\n</GetUserRequest>\n",
              :headers => {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Type'=>'text/xml', 'Host'=>'api.com', 'User-Agent'=>'Ruby', 'X-Ebay-Api-Call-Name'=>'GetUser', 'X-Ebay-Api-Compatibility-Level'=>'967', 'X-Ebay-Api-Iaf-Token'=>'token+1', 'X-Ebay-Api-Siteid'=>'0'}).
         to_return(:status => 200, :body => "", :headers => {})

       registered request stubs:

       stub_request(:post, "https://api.com/endpoint").
         with(:body => "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<GetUserRequest xmlns=\"urn:ebay:apis:eBLBaseComponents\">\n  <ErrorLanguage>en_US</ErrorLanguage>\n  <WarningLevel>High</WarningLevel>\n  <DetailLevel>ReturnAll</DetailLevel>\n</GetUserRequest>\n",
              :headers => {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Type'=>'text/xml', 'Host'=>'api.com', 'User-Agent'=>'Ruby', 'X-Ebay-Api-Call-Name'=>'GetUser', 'X-Ebay-Api-Compatibility-Level'=>'967', 'X-Ebay-Api-Iaf-Token'=>'token', 'X-Ebay-Api-Siteid'=>'0'})

vs

       You can stub this request with the following snippet:

       stub_request(:post, "https://api.com/endpoint").
         with(:body => "<>",
              :headers => {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Type'=>'text/xml', 'Host'=>'api.com', 'User-Agent'=>'Ruby', 'X-Ebay-Api-Call-Name'=>'GetUser', 'X-Ebay-Api-Compatibility-Level'=>'967', 'X-Ebay-Api-Iaf-Token'=>'token+1', 'X-Ebay-Api-Siteid'=>'0'}).
         to_return(:status => 200, :body => "", :headers => {})

       registered request stubs:

       stub_request(:post, "https://api.com/endpoint").
         with(:body => "<>",
              :headers => {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'Content-Type'=>'text/xml', 'Host'=>'api.com', 'User-Agent'=>'Ruby', 'X-Ebay-Api-Call-Name'=>'GetUser', 'X-Ebay-Api-Compatibility-Level'=>'967', 'X-Ebay-Api-Iaf-Token'=>'token', 'X-Ebay-Api-Siteid'=>'0'})

Seems like it will be nice even stub default headers, to reduce all this mass. Furthermore, we don't depend on this constants as code control structure, so we could stub it for free.

BTW, changed from stub_const to DI.
@ignat-z
Use DI instead of const stubing
12da4a4
@Envek
Envek requested changes Nov 6, 2017
View changes
Copy link
Member

@Envek Envek left a comment

Thank you for quick and clean implementation!

Some things that should be fixed for use in real apps:

  1. eBay username. It's unreliable to use it as user identifier as it may be changed by the user.

    See the code comment for details.

  2. In real apps, it is important to know when refresh_token will expire to send a reminder to the user, asking to log in again. Also, it allows distinguishing between token expiration and token revocation by the user.

    Please add refresh_token_expires_at field into credentials hash.

  3. OAuth scopes. Empty scope list is fine for sign-in purposes, but it should be documented better IMHO.

    Also, an example should be added (should user concatenate the list of scopes with space or can we do it for them?)
lib/omniauth/ebay-oauth/user_info.rb Outdated
# https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema
class UserInfo
MAPPING = {
uid: %w[GetUserResponse User UserID],

This comment has been minimized.

Sign in to view
@Envek

Envek Nov 6, 2017
Member

Unfortunately, eBay username is not reliable value as the user can change it and can change it frequently.

So it's better to use scary EIASToken value because it doesn't change. Username is still important though, so it's better to keep it in nickname field of info hash as per https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later

This comment has been minimized.

Sign in to view
@ignat-z

ignat-z Nov 7, 2017
Author Contributor

Fixed, UserID moved to nickname
lib/omniauth/ebay-oauth/user_info_request.rb Outdated
private

def ensure_success_code
lambda { |response|

This comment has been minimized.

Sign in to view
@Envek

Envek Nov 6, 2017
Member

Style note: you can get rid of lambdas and use just methods by using method method:

def call
  MultiXml.parse().tap(&method(:ensure_success_result))
end

def ensure_success_code(response)
 
end

This comment has been minimized.

Sign in to view
@ignat-z

ignat-z Nov 7, 2017
Author Contributor

A matter of taste, but changed to this way
lib/omniauth/ebay-oauth/user_info_request.rb Outdated
Net::HTTP.new(@url.host, @url.port).tap do |http|
http.read_timeout = @read_timeout
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

This comment has been minimized.

Sign in to view
@Envek

Envek Nov 6, 2017
Member

Please don't do that! This is a security hole!

You may wish to enable bypassing SSL certificate check via an option, but that option must be disabled by default.

This comment has been minimized.

Sign in to view
@ignat-z

ignat-z Nov 7, 2017
Author Contributor

Yep, agree, shame on me, fixed
README.md Outdated

Additional options:
- __sandbox__ - Are you running your application in [sandbox mode](<https://developer.ebay.com/api-docs/static/sandbox-landing.html>), default __`true`__.
- __scope__ - A list of [OAuth scopes](<https://developer.ebay.com/api-docs/static/oauth-details.html#scopes>) that provide access to the interfaces you call.

This comment has been minimized.

Sign in to view
@Envek

Envek Nov 6, 2017
Member

Maybe it worth to note that by default that list of scopes is empty and users should provide it if they will use eBay APIs. Or perhaps it will be good to include public access scope https://api.ebay.com/oauth/api_scope by default.

This comment has been minimized.

Sign in to view
@ignat-z

ignat-z Nov 7, 2017
Author Contributor

Not sure about default value, it's omniauth strategy and eBay returns enough information for simple SSO. Add ability to pass scope as array of scopes or string.
ignat-z added 6 commits Nov 7, 2017
@ignat-z
Change uid to nickname, new field for uid
55a245d
@ignat-z
Use methods reference instead of lambda methods
ea1db0a
@ignat-z
Remove VERIFY_NONE ssl mode
9528ad7
@ignat-z
Add ability to pass scopes as array
f3eb100
@ignat-z
Add refresh_token_expires_at to credentials hash
Loading status checks…
6eab314
@ignat-z
Change const to ref to allow inheritance chain
Loading status checks…
9bfd850
@Envek
Envek approved these changes Nov 7, 2017
View changes
@ignat-z
Fix fragile test with timing
Loading status checks…
4a6254b 
Spec
    Start     Time.now       Expiration time
      |          |___expiration___|
      v          v----------------v
|-----------------------------------| t
       ^       ^----------------^
       |       |___expiration___|
     Start  Time.now       Expiration time
Code
paderinandrey added a commit to paderinandrey/omniauth-ebay-oauth that referenced this pull request Nov 9, 2017
@paderinandrey
fixed evilmartians#2
1ebbbee
@Envek Envek merged commit 4fd58bf into evilmartians:master Nov 13, 2017
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@Envek
Copy link
Member

@Envek Envek commented Nov 13, 2017

Released as v0.1.0. Congratulations and thank you for your work!
This was referenced Nov 13, 2017
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@palkan palkan

@Envek Envek

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
@ignat-z @Envek @palkan