
Security News
Follow-up and Clarification on Recent Malicious Ruby Gems Campaign
A clarification on our recent research investigating 60 malicious Ruby gems.
Get access to Gmail IMAP and SMTP via OAuth2 and OAuth 1.0a, using the standard Ruby Net libraries.
The gem supports 3-legged OAuth, and 2-legged OAuth for Google Apps Business or Education account owners.
$ gem install gmail_xoauth
You can generate and validate your OAuth 2.0 tokens thanks to the oauth2.py tool.
Create your API project in the Google APIs console, from the menu "APIs and auth > Credentials". Click on "Create new Client ID", choose "Installed Application" and "Other".
Then go to the menu "APIs and auth > Consent screen" and enter an email address and product name.
$ python oauth2.py --generate_oauth2_token --client_id=423906513574-o9v6kqt89lefrbfv1f3394u9rebfgv6n.apps.googleusercontent.com --client_secret=5SfdvZsYagblukE5VAhERjxZ
require 'gmail_xoauth'
imap = Net::IMAP.new('imap.gmail.com', 993, usessl = true, certs = nil, verify = false)
imap.authenticate('XOAUTH2', 'myemail@gmail.com', my_oauth2_token)
messages_count = imap.status('INBOX', ['MESSAGES'])['MESSAGES']
puts "Seeing #{messages_count} messages in INBOX"
require 'gmail_xoauth'
smtp = Net::SMTP.new('smtp.gmail.com', 587)
smtp.enable_starttls_auto
smtp.start('gmail.com', 'myemail@gmail.com', my_oauth2_token, :xoauth2)
smtp.finish
== OAuth 1.0 has been officially deprecated as of April 20, 2012. ==
For testing, you can generate and validate your OAuth tokens thanks to the awesome xoauth.py tool.
$ python xoauth.py --generate_oauth_token --user=myemail@gmail.com
Or if you want some webapp code, check the gmail-oauth-sinatra project.
For your tests, Gmail allows to set 'anonymous' as the consumer key and secret.
require 'gmail_xoauth'
imap = Net::IMAP.new('imap.gmail.com', 993, usessl = true, certs = nil, verify = false)
imap.authenticate('XOAUTH', 'myemail@gmail.com',
:consumer_key => 'anonymous',
:consumer_secret => 'anonymous',
:token => '4/nM2QAaunKUINb4RrXPC55F-mix_k',
:token_secret => '41r18IyXjIvuyabS/NDyW6+m'
)
messages_count = imap.status('INBOX', ['MESSAGES'])['MESSAGES']
puts "Seeing #{messages_count} messages in INBOX"
Note that the Net::IMAP#login method does not use support custom authenticators, so you have to use the Net::IMAP#authenticate method.
require 'gmail_xoauth'
imap = Net::IMAP.new('imap.gmail.com', 993, usessl = true, certs = nil, verify = false)
imap.authenticate('XOAUTH', 'myemail@mydomain.com',
:two_legged => true,
:consumer_key => 'a',
:consumer_secret => 'b'
)
For your tests, Gmail allows to set 'anonymous' as the consumer key and secret.
require 'gmail_xoauth'
smtp = Net::SMTP.new('smtp.gmail.com', 587)
smtp.enable_starttls_auto
secret = {
:consumer_key => 'anonymous',
:consumer_secret => 'anonymous',
:token => '4/nM2QAaunKUINb4RrXPC55F-mix_k',
:token_secret => '41r18IyXjIvuyabS/NDyW6+m'
}
smtp.start('gmail.com', 'myemail@gmail.com', secret, :xoauth)
smtp.finish
Note that Net::SMTP#enable_starttls_auto
is not defined in Ruby 1.8.6.
require 'gmail_xoauth'
smtp = Net::SMTP.new('smtp.gmail.com', 587)
smtp.enable_starttls_auto
secret = {
:two_legged => true,
:consumer_key => 'a',
:consumer_secret => 'b'
}
smtp.start('gmail.com', 'myemail@mydomain.com', secret, :xoauth)
smtp.finish
Tested on Ruby MRI 1.8.6, 1.8.7, 1.9.x and 2.1.x. Feel free to send me a message if you tested this code with other implementations of Ruby.
The only external dependency is the oauth gem.
See LICENSE for details.
FAQs
Unknown package
We found that gmail_xoauth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A clarification on our recent research investigating 60 malicious Ruby gems.
Security News
ESLint now supports parallel linting with a new --concurrency flag, delivering major speed gains and closing a 10-year-old feature request.
Research
/Security News
A malicious Go module posing as an SSH brute forcer exfiltrates stolen credentials to a Telegram bot controlled by a Russian-speaking threat actor.