atmos · Staswolf · Sep 4, 2013 · Sep 12, 2013 · Mar 24, 2014 · Mar 24, 2014
diff --git a/.travis.yml b/.travis.yml
@@ -1,10 +1,3 @@
 language: ruby
 rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - jruby-18mode # JRuby in 1.8 mode
-  - jruby-19mode # JRuby in 1.9 mode
-  - rbx-18mode
-  - ree
-  - ruby-head
+  - 2.4.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,16 @@
+v1.2.0 2015/02/18
+
+* Implement single sign out for cookie sessions of GitHub properties
+
+v1.0.3 2014/12/13
+
+* Reintroduce membership caching to reduce API hits for validating team membership.
+
+v1.0.1 2014/03/24
+-----------------
+
+* Handle multiple X-Forwarded-Proto headers when comma delimited
+
 v1.0.0 2013/09/03
 -----------------
 

diff --git a/Gemfile b/Gemfile
@@ -1,7 +1,6 @@
 source "https://rubygems.org"
 
-gem 'debugger',   :platforms => :ruby_19, :require => false
-gem 'ruby-debug', :platforms => :ruby_18, :require => false
+gem 'byebug', require: false
 
 # Specify your gem's dependencies in warden-github.gemspec
 gemspec
diff --git a/README.md b/README.md
@@ -48,14 +48,19 @@ use Warden::Manager do |config|
   config.failure_app = BadAuthentication
   config.default_strategies :github
 
-  config.scope_defaults :default, :config => { :scope => 'user:email' }
-  config.scope_defaults :admin, :config => { :client_id     => 'foobar',
-                                             :client_secret => 'barfoo',
-                                             :scope         => 'user,repo',
-                                             :redirect_uri  => '/admin/oauth/callback' }
+  config.scope_defaults :default, config: { scope: 'user:email' }
+  config.scope_defaults :admin, config: { client_id:     'foobar',
+                                          client_secret: 'barfoo',
+                                          scope:         'user,repo',
+                                          redirect_uri:  '/admin/oauth/callback' }
+
+  config.serialize_from_session { |key| Warden::GitHub::Verifier.load(key) }
+  config.serialize_into_session { |user| Warden::GitHub::Verifier.dump(user) }
 end
 ```
 
+The two serialization methods store the API token in the session securely via the `WARDEN_GITHUB_VERIFIER_SECRET` environmental variable.
+
 ### Parameters
 
 The config parameters and their defaults are listed below.
@@ -116,6 +121,7 @@ user.id          # => The GitHub user id.
 user.login       # => The GitHub username.
 user.name
 user.gravatar_id # => The md5 email hash to construct a gravatar image.
+user.avatar_url
 user.email       # => Requires user:email or user scope.
 user.company
 
@@ -137,6 +143,32 @@ If you're looking for an easy way to integrate this into a Sinatra or Rails appl
 - [sinatra_auth_github](https://github.com/atmos/sinatra_auth_github)
 - [warden-github-rails](https://github.com/fphilipe/warden-github-rails)
 
+## Single Sign Out
+
+OAuth applications owned by the GitHub organization are sent an extra browser parameter to ensure that the user remains logged in to github.com. Taking advantage of this is provided by a small module you include into your controller and a before filter. Your `ApplicationController` should resemble something like this.
+
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Warden::GitHub::SSO
+
+  protect_from_forgery with: :exception
+
+  before_filter :verify_logged_in_user
+
+  private
+
+  def verify_logged_in_user
+    unless github_user && warden_github_sso_session_valid?(github_user, 120)
+      request.env['warden'].logout
+      request.env['warden'].authenticate!
+    end
+  end
+end
+```
+
+You can also see single sign out in action in the example app.
+
 ## Additional Information
 
 - [warden](https://github.com/hassox/warden)

diff --git a/Rakefile b/Rakefile
@@ -3,7 +3,7 @@ require 'rubygems/specification'
 require 'date'
 require 'bundler'
 
-task :default => [:spec]
+task default: [:spec]
 
 require 'rspec/core/rake_task'
 desc "Run specs"

diff --git a/config.ru b/config.ru
@@ -1,19 +1,6 @@
 ENV['RACK_ENV'] ||= 'development'
 
-begin
-  require File.expand_path('../.bundle/environment', __FILE__)
-rescue LoadError
-  require "rubygems"
-  require "bundler"
-  Bundler.setup
-end
-
-begin
-  require 'debugger'
-rescue LoadError
-  require 'ruby-debug'
-end
-
+require "bundler/setup"
 require 'warden/github'
 
 if ENV['MULTI_SCOPE_APP']

diff --git a/example/multi_scope_app.rb b/example/multi_scope_app.rb
@@ -5,15 +5,15 @@ class MultiScopeApp < BaseApp
     enable :inline_templates
 
     GITHUB_CONFIG = {
-      :client_id     => ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
-      :client_secret => ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret'
+      client_id:     ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
+      client_secret: ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret'
     }
 
     use Warden::Manager do |config|
       config.failure_app = BadAuthentication
       config.default_strategies :github
-      config.scope_defaults :default, :config => GITHUB_CONFIG
-      config.scope_defaults :admin, :config => GITHUB_CONFIG.merge(:scope => 'user,notifications')
+      config.scope_defaults :default, config: GITHUB_CONFIG
+      config.scope_defaults :admin, config: GITHUB_CONFIG.merge(scope: 'user,notifications')
     end
 
     get '/' do
@@ -26,7 +26,7 @@ class MultiScopeApp < BaseApp
     end
 
     get '/admin/login' do
-      env['warden'].authenticate!(:scope => :admin)
+      env['warden'].authenticate!(scope: :admin)
       redirect '/'
     end
 

diff --git a/example/simple_app.rb b/example/simple_app.rb
@@ -2,30 +2,42 @@
 
 module Example
   class SimpleApp < BaseApp
+    include Warden::GitHub::SSO
+
     enable :inline_templates
 
     GITHUB_CONFIG = {
-      :client_id     => ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
-      :client_secret => ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret',
-      :scope         => 'user'
+      client_id:     ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
+      client_secret: ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret',
+      scope:         'user'
     }
 
     use Warden::Manager do |config|
       config.failure_app = BadAuthentication
       config.default_strategies :github
-      config.scope_defaults :default, :config => GITHUB_CONFIG
+      config.scope_defaults :default, config: GITHUB_CONFIG
+      config.serialize_from_session { |key| Warden::GitHub::Verifier.load(key) }
+      config.serialize_into_session { |user| Warden::GitHub::Verifier.dump(user) }
+    end
+
+    def verify_browser_session
+      if env['warden'].user && !warden_github_sso_session_valid?(env['warden'].user, 10)
+        env['warden'].logout
+      end
     end
 
     get '/' do
       erb :index
     end
 
     get '/profile' do
+      verify_browser_session
       env['warden'].authenticate!
       erb :profile
     end
 
     get '/login' do
+      verify_browser_session
       env['warden'].authenticate!
       redirect '/'
     end
@@ -66,7 +78,7 @@ def self.app
 @@ index
 <% if env['warden'].authenticated? %>
   <h2>
-    <img src='http://gravatar.com/avatar/<%= env['warden'].user.gravatar_id %>.png?r=PG&s=50' />
+    <img src='<%= env['warden'].user.avatar_url %>' width='50' height='50' />
     Welcome <%= env['warden'].user.name %>
   </h2>
 <% else %>
@@ -84,4 +96,12 @@ def self.app
   <dd><%= env['warden'].user.team_member?(632) %></dd>
   <dt>GitHub Site Admin:</dt>
   <dd><%= env['warden'].user.site_admin? %></dd>
+  <% if env['warden'].user.using_single_sign_out? %>
+    <dt>GitHub Browser Session ID</dt>
+    <dd><%= env['warden'].user.browser_session_id %></dd>
+    <dt>GitHub Browser Session Valid</dt>
+    <dd><%= warden_github_sso_session_valid?(env['warden'].user, 10) %></dd>
+    <dt>GitHub Browser Session Verified At</dt>
+    <dd><%= Time.at(warden_github_sso_session_verified_at) %></dd>
+  <% end %>
 </dl>
diff --git a/lib/warden/github.rb b/lib/warden/github.rb
@@ -1,11 +1,16 @@
+require 'json'
 require 'warden'
+require 'octokit'
 
+require 'warden/github/sso'
 require 'warden/github/user'
 require 'warden/github/oauth'
 require 'warden/github/version'
 require 'warden/github/strategy'
 require 'warden/github/hook'
 require 'warden/github/config'
 require 'warden/github/membership_cache'
+require 'warden/github/verifier'
 
+require 'active_support/message_verifier'
 require 'securerandom'
diff --git a/lib/warden/github/config.rb b/lib/warden/github/config.rb
@@ -43,10 +43,10 @@ module GitHub
     #
     #     # This configures an additional scope that uses the github strategy
     #     # with custom configuration.
-    #     config.scope_defaults :admin, :config => { :client_id => 'foobar',
-    #                                                :client_secret => 'barfoo',
-    #                                                :scope => 'user,repo',
-    #                                                :redirect_uri => '/admin/oauth/callback' }
+    #     config.scope_defaults :admin, config: { client_id: 'foobar',
+    #                                             client_secret: 'barfoo',
+    #                                             scope: 'user,repo',
+    #                                             redirect_uri: '/admin/oauth/callback' }
     #   end
     class Config
       BadConfig = Class.new(StandardError)
@@ -88,10 +88,10 @@ def scope
       end
 
       def to_hash
-        { :client_id     => client_id,
-          :client_secret => client_secret,
-          :redirect_uri  => redirect_uri,
-          :scope         => scope }
+        { client_id:     client_id,
+          client_secret: client_secret,
+          redirect_uri:  redirect_uri,
+          scope:         scope }
       end
 
       private
@@ -131,16 +131,21 @@ def extract_path(uri)
         end
       end
 
+      def https_forwarded_proto?
+        env['HTTP_X_FORWARDED_PROTO'] &&
+          env['HTTP_X_FORWARDED_PROTO'].split(',')[0] == "https"
+      end
+
       def correct_scheme(uri)
-        if uri.scheme != 'https' && env['HTTP_X_FORWARDED_PROTO'] == 'https'
-          uri.port   = nil if uri.port == 80
+        if uri.scheme != 'https' && https_forwarded_proto?
           uri.scheme = 'https'
           # Reparsing will use a different URI subclass, namely URI::HTTPS which
           # knows the default port for https and strips it if present.
           uri = URI(uri.to_s)
         end
+        uri.port = nil if uri.port == 80
 
-        uri
+        URI(uri.to_s)
       end
     end
   end

diff --git a/lib/warden/github/hook.rb b/lib/warden/github/hook.rb
@@ -4,3 +4,10 @@
 
   strategy.finalize_flow!  if strategy.class == Warden::GitHub::Strategy
 end
+
+Warden::Manager.after_set_user do |user, auth, opts|
+  if user.is_a?(Warden::GitHub::User)
+    session = auth.session(opts.fetch(:scope))
+    user.memberships = session[:_memberships] ||= {}
+  end
+end
diff --git a/lib/warden/github/membership_cache.rb b/lib/warden/github/membership_cache.rb
@@ -3,16 +3,20 @@ module GitHub
     # A hash subclass that acts as a cache for organization and team
     # membership states. Only membership states that are true are cached. These
     # are invalidated after a certain time.
-    class MembershipCache < ::Hash
+    class MembershipCache
       CACHE_TIMEOUT = 60 * 5
 
+      def initialize(data)
+        @data = data
+      end
+
       # Fetches a membership status by type and id (e.g. 'org', 'my_company')
       # from cache. If no cached value is present or if the cached value
       # expired, the block will be invoked and the return value, if true,
       # cached for e certain time.
       def fetch_membership(type, id)
         type = type.to_s
-        id = id.to_s if id.is_a?(Symbol)
+        id = id.to_s
 
         if cached_membership_valid?(type, id)
           true
@@ -27,10 +31,10 @@ def fetch_membership(type, id)
       private
 
       def cached_membership_valid?(type, id)
-        timestamp = fetch(type).fetch(id)
+        timestamp = @data.fetch(type).fetch(id)
 
         if Time.now.to_i > timestamp + CACHE_TIMEOUT
-          fetch(type).delete(id)
+          @data.fetch(type).delete(id)
           false
         else
           true
@@ -40,7 +44,7 @@ def cached_membership_valid?(type, id)
       end
 
       def cache_membership(type, id)
-        hash = self[type] ||= {}
+        hash = @data[type] ||= {}
         hash[id] = Time.now.to_i
       end
     end

diff --git a/lib/warden/github/oauth.rb b/lib/warden/github/oauth.rb
@@ -25,10 +25,10 @@ def initialize(attrs={})
       def authorize_uri
         @authorize_uri ||= build_uri(
           '/login/oauth/authorize',
-          :client_id => client_id,
-          :redirect_uri => redirect_uri,
-          :scope => scope,
-          :state => state)
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          scope: scope,
+          state: state)
       end
 
       def access_token
@@ -53,9 +53,9 @@ def load_access_token
       def access_token_uri
         @access_token_uri ||= build_uri(
           '/login/oauth/access_token',
-          :client_id => client_id,
-          :client_secret => client_secret,
-          :code => code)
+          client_id: client_id,
+          client_secret: client_secret,
+          code: code)
       end
 
       def build_uri(path, params)