Merge pull request #139 from solidusio-contrib/revert-127

Revert #129 and #127 due to security implications

Author: tvdeyen

Gemfile

@@ -3,8 +3,8 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-solidus_branch = ENV.fetch('SOLIDUS_BRANCH', 'main')
-gem 'solidus', github: 'solidusio/solidus', branch: solidus_branch
+branch = ENV.fetch('SOLIDUS_BRANCH', 'main')
+gem 'solidus', github: 'solidusio/solidus', branch: branch
 
 # The solidus_frontend gem has been pulled out since v3.2
 gem 'solidus_frontend'

README.md

@@ -6,8 +6,7 @@ SolidusSocial
 
 Social login support for Solidus. Solidus Social handles authorization, account
 creation and association through third-party services.
-Currently Google, Facebook, Github and X (formely Twitter) are available out of the box.
-Support for Apple ID and Microsoft (Entra and O365) might be offered down the road. 
+Currently Facebook, Github and Google OAuth2 are available out of the box.
 
 Installation
 ------------
@@ -26,15 +25,12 @@ bundle exec rails g solidus_social:install
 bundle exec rails db:migrate
 ```
 
-Preference(optional): By default the login path will be `/users/auth/:provider`. If you wish to modify the url to: 
-`/member/auth/:provider`, `/profile/auth/:provider`, or `/auth/:provider` then you can do this accordingly in 
-your **config/initializers/spree.rb** file as described below:
+This will install a new initializer `config/initializers/solidus_social.rb` into
+your project that allows you to setup the services you want configured for your app.
+
+Optional: By default the login path will be '/users/auth/:provider'. If you
+want something else, configure it in `config/initializers/solidus_social.rb`.
 
-```ruby
-Spree::SocialConfig[:path_prefix] = 'member'  # for /member/auth/:provider
-Spree::SocialConfig[:path_prefix] = 'profile' # for /profile/auth/:provider
-Spree::SocialConfig[:path_prefix] = ''        # for /auth/:provider
-```
 
 Using OAuth Sources
 -------------------
@@ -43,29 +39,12 @@ Login as an admin user and navigate to Configuration > Social Authentication Met
 
 Click "New Authentication Method" and choose one of your configured providers.
 
-Click on the New Authentication Method button to enter the key obtained from their respective source, (See below for instructions on setting up the various providers).
-
-Multiple key entries can now be entered based on the rails environment. This allows for portability and the lack of need to check in your key to your repository. You also have the ability to enable and disable sources. These setting will be reflected on the client UI as well.
-
-Alternatively you can ship keys as environment variables and create these Authentication Method records on application boot via an initializer. Below is an example for facebook.
-
-```ruby
-# Ensure our environment is bootstrapped with a facebook connect app
-if ActiveRecord::Base.connection.data_source_exists? 'spree_authentication_methods'
-  Spree::AuthenticationMethod.where(environment: Rails.env, provider: 'facebook').first_or_create do |auth_method|
-    auth_method.api_key = ENV['FACEBOOK_APP_ID']
-    auth_method.api_secret = ENV['FACEBOOK_APP_SECRET']
-    auth_method.active = true
-  end
-end
-```
-
 **You MUST restart your application after configuring or updating an authentication method.**
 
 Registering Your Application
 ----------------------------
 
-OAuth Applications @ Facebook, Twitter, Google and / or Github are supported out of the
+Facebook, Github and Google OAuth2 are supported out of the
 box but, you will need to register your application with each of the sites you
 want to use.
 
@@ -107,46 +86,72 @@ Make sure you specifity the right IP address.
 
 > More info: [https://developers.google.com/identity/protocols/OAuth2](https://developers.google.com/identity/protocols/OAuth2)
 
-### Twitter
-[Twitter / Application Management / Create an application](https://docs.x.com/resources/fundamentals/authentication/oauth-2-0/overview)
+### Other OAuth Providers
 
-1. Name and Description must be filled in with something
-2. Configure user authentication setting with:
- - App permissions: Read (default) and enable Request email from users option.
- - Application Website: http://your_computer.local:3000 for development / http://your-site.com for production
- - Application Type: Web App, Automated App or Bot
- - Callback URL: http://your_computer.local:3000 for development / http://your-site.com for production
-3. Save Application
+Other OAuth providers are supported, given that there is an [OmniAuth
+strategy][12] for them. (If there isn't, you can [write one][13].)
 
-### Adding other OAuth sources
+#### LinkedIn Example
 
-It is easy to add any OAuth source, given there is an OmniAuth strategy gem for it (and if not, you can easily write one by yourself). For instance, if you want to add authorization via LinkedIn, the steps will be:
-1. Add gem `"omniauth-linkedin"` to your Gemfile, run `bundle install`.
-2. In an initializer file, e.g. `config/initializers/devise.rb`, add and init a new provider for SolidusSocial:
+1. Add `gem "omniauth-linkedin"` to your Gemfile and run `bundle install`.
+2. In `config/initializers/solidus_social.rb` add and initialize a new provider
+   for SolidusSocial:
 
-**Optional:** If you want to skip the sign up phase where the user has to provide an email and a password, add a third parameter to the provider entry and the Spree user will be created directly using the email field in the [Auth Hash Schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema):
+   ```ruby
 
-```ruby
-Provider = Struct.new(:title, :key, :skip_signup)
-SolidusSocial::OAUTH_PROVIDERS << Provider.new("LinkedIn", "linkedin", true)
-SolidusSocial.init_provider('linkedin')
-```
-3. Activate your provider as usual (via initializer or admin interface).
+     config.providers = {
+       # The configuration key has to match your omniauth strategy.
+       linkedin: {
+         api_key: ENV['LINKEDIN_API_KEY'],
+         api_secret: ENV['LINKEDIN_API_SECRET'],
+       },
+       # More providers here
+   ```
+3. Activate your provider as usual.
 4. Do **one** of the following:
 
-   - For legacy frontend, override the `spree/users/social` view to render OAuth links to display
-     your LinkedIn link and for starter frontend override `spree/starter_frontend/shared/social`.
+   - Override the `spree/users/social` view to render OAuth links to display
+     your LinkedIn link.
    - Include in your CSS a definition for `.icon-spree-linkedin-circled` and an
-     embedded icon font for LinkedIn from [Fontello](12) (the way existing
+     embedded icon font for LinkedIn from [Fontello][14] (the way existing
      icons for Facebook etc are implemented). You can also override
      CSS classes for other providers, `.icon-spree-<provider>-circled`, to use
      different font icons or classic background images, without having to
      override views.
 
+#### Apple Id Example
+
+1. Add `gem "omniauth-apple"` to your Gemfile and run `bundle install`.
+2. In `config/initializers/solidus_social.rb` add and initialize a new provider
+   for SolidusSocial:
+
+   ```ruby
+
+     config.providers = {
+        apple:          {
+          icon:   'fa-apple',
+          title:  'Apple'
+        },
+       # More providers here
+   ```
+   add its configuration after `SolidusSocial.init_providers` line:
+   ```ruby
+   
+     Devise.setup do |config|
+       # The configuration key has to match your omniauth strategy.
+       config.omniauth :apple, ENV['APPLE_CLIENT_ID'], '',
+                       scope:    'email',
+                       team_id:  ENV['APPLE_TEAM_ID'],
+                       key_id:   ENV['APPLE_KEY_ID'],
+                       pem:      ENV['APPLE_PRIVATE_KEY'].gsub('\n', "\n")
+     end
+   ```
+   Notice: APPLE_PRIVATE_KEY should consist from one-line p8-file content, like this `'\n-----BEGIN PRIVATE KEY-----\nsecret\n-----END PRIVATE KEY-----\n'`
+
 Documentation
 -------------
 
-API documentation is available [on RubyDoc.info][13].
+API documentation is available [on RubyDoc.info][15].
 
 Contributing
 ------------

app/assets/stylesheets/spree/frontend/solidus_social.css

@@ -1,4 +1,4 @@
 /*
- *= require spree/frontend/fontello
+ *= require spree/frontend
  *= require_tree .
 */

app/controllers/concerns/route_resolver.rb

@@ -3,13 +3,6 @@
 module Spree
   module Admin
     class AuthenticationMethodsController < ResourceController
-      private
-
-      def build_resource
-        model_class.new(
-          store_ids: [Spree::Store.default.id].compact
-        )
-      end
     end
   end
 end

app/controllers/spree/admin/authentication_methods_controller.rb

@@ -5,7 +5,6 @@ class Spree::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include Spree::Core::ControllerHelpers::Order
   include Spree::Core::ControllerHelpers::Auth
   include Spree::Core::ControllerHelpers::Store
-  include RouteResolver
 
   class << self
     def provides_callback_for(*providers)
@@ -15,16 +14,14 @@ def provides_callback_for(*providers)
     end
   end
 
-  SolidusSocial::OAUTH_PROVIDERS.each do |provider|
-    provides_callback_for provider.key.to_sym
+  Spree::SocialConfig.providers.keys.each do |provider|
+    provides_callback_for provider
   end
 
-  after_action :set_current_order, only: SolidusSocial::OAUTH_PROVIDERS.map(&:key)
-
   def omniauth_callback
     if request.env['omniauth.error'].present?
       flash[:error] = I18n.t('devise.omniauth_callbacks.failure', kind: auth_hash['provider'], reason: I18n.t('spree.user_was_not_valid'))
-      redirect_back_or_default(resolve_route_for(:root_url))
+      redirect_back_or_default(root_url)
       return
     end
 
@@ -37,7 +34,7 @@ def omniauth_callback
       spree_current_user.apply_omniauth(auth_hash)
       spree_current_user.save!
       flash[:notice] = I18n.t('devise.sessions.signed_in')
-      redirect_back_or_default(resolve_route_for(:account_url))
+      redirect_back_or_default(account_url)
     else
       user = Spree.user_class.find_by(email: auth_hash['info']['email']) || Spree.user_class.new
       user.apply_omniauth(auth_hash)
@@ -47,7 +44,7 @@ def omniauth_callback
       else
         session[:omniauth] = auth_hash.except('extra')
         flash[:notice] = I18n.t('spree.one_more_step', kind: auth_hash['provider'].capitalize)
-        redirect_to resolve_route_for(:new_spree_user_registration_url)
+        redirect_to new_spree_user_registration_url
         return
       end
     end
@@ -61,7 +58,7 @@ def omniauth_callback
 
   def failure
     set_flash_message :alert, :failure, kind: failed_strategy.name.to_s.humanize, reason: failure_message
-    redirect_to resolve_route_for(:login_path)
+    redirect_to spree.login_path
   end
 
   def passthru
@@ -71,8 +68,4 @@ def passthru
   def auth_hash
     request.env['omniauth.auth']
   end
-
-  def after_sign_in_path_for(resource_or_scope)
-    stored_location_for(resource_or_scope) || resolve_route_for(:account_path)
-  end
 end

app/controllers/spree/omniauth_callbacks_controller.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-class Spree::UserAuthenticationsController < Spree::BaseController
-  include RouteResolver
-
+class Spree::UserAuthenticationsController < Spree::StoreController
   def index
     @authentications = spree_current_user.user_authentications if spree_current_user
   end
@@ -11,6 +9,6 @@ def destroy
     @authentication = spree_current_user.user_authentications.find(params[:id])
     @authentication.destroy
     flash[:notice] = I18n.t('spree.destroy', scope: :authentications)
-    redirect_to resolve_route_for(:account_path)
+    redirect_to spree.account_path
   end
 end

app/controllers/spree/user_authentications_controller.rb

@@ -20,12 +20,8 @@ def build_resource(*args)
       def clear_omniauth
         session[:omniauth] = nil unless @spree_user.new_record?
       end
+
+      ::Spree::UserRegistrationsController.prepend self
     end
   end
 end
-
-if defined?(::UserRegistrationsController)
-  ::UserRegistrationsController.prepend SolidusSocial::Spree::UserRegistrationsControllerDecorator
-else
-  ::Spree::UserRegistrationsController.prepend SolidusSocial::Spree::UserRegistrationsControllerDecorator
-end

app/decorators/controllers/solidus_social/spree/user_registrations_controller_decorator.rb

@@ -12,9 +12,8 @@ def self.prepended(base)
       end
 
       def apply_omniauth(omniauth)
-        skip_signup_providers = SolidusSocial::OAUTH_PROVIDERS.select { |provider| provider.skip_signup }.map(&:key)
-        if skip_signup_providers.include?(omniauth['provider']) && email.blank?
-          self.email = omniauth['info']['email']
+        if omniauth.fetch('info', {})['email'].present?
+          self.email = omniauth['info']['email'] if email.blank?
         end
         user_authentications.build(provider: omniauth['provider'], uid: omniauth['uid'])
       end