Yahoo OAuth2 Strategy for OmniAuth.
Supports OAuth 2.0 client-side flow. Read about it at: https://developer.yahoo.com/oauth2/guide/
Add to your Gemfile:
gem 'omniauth-yahoo_auth'
Then bundle install.
Create an app. Give an application name, callback domain and API Permissions.
Add the callback route in your routes.rb file:
get 'auth/:provider/callback', to: 'sessions#custom'
Add the middleware in an initializer:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :yahoo_auth, ENV['YAHOO_APP_ID'], ENV['YAHOO_APP_SECRET']
end
The OmniAuth URL is /auth/yahoo_auth.
The auth hash is available in request.env["omniauth.auth"] inside your sessions#custom method.
NOTE: While developing your application, if you change the scope in the initializer you will need to restart your app server.
You can configure several options, which you pass in to the provider method via a Hash:
Option name | Default | Explanation |
---|---|---|
name | yahoo_auth | It can be changed to any value, for example yahoo. The OmniAuth URL will thus change to /auth/yahoo. |
redirect_uri | /auth/yahoo/callback | Specify a custom callback URL used during the server-side flow. Default is https://www.your_callback_domain/auth/yahoo/callback |
For example:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :yahoo_auth,
           ENV['YAHOO_APP_ID'],
           ENV['YAHOO_APP_SECRET'],
           name: "yahoo",
           redirect_uri: "https://www.your_callback_domain/auth/yahoo/callback"
end
Here's an example Auth Hash available in request.env['omniauth.auth']:
{
  info: {
    nickname: 'Harvey',
    email: 'harvey@suits.com',
    first_name: 'Harvey',
    last_name: 'Specter',
    image: 'https://s.yimg.com/wm/modern/images/default_user_profile_pic_192.png',
  },
  credentials: {
    token: 'HnEU9cep1...', # OAuth 2.0 ACCESS_TOKEN.
    refresh_token: 'AFBTm...', # REFRESH_TOKEN to get a new OAuth 2.0 access_token when the previous one expires.
    expires_at: 1503232413, # Time at which your OAuth 2.0 access_token expires.
    expires: true # this will always be true.
  },
  extra: {
    sub: '',
    name: '',
    middle_name: '',
    nickname: '',
    gender: 'M',
    language: 'en-IN',
    website: '',
    birth_date: '',
    zone_info: '',
    updated_at: '',
    email_verified: true,
    address: '',
    phone_number: '',
    phone_number_verified: false,
  }
}
The precise information available will depend on your request.
First define your application id and secret in config/initializers/devise.rb. Do not use the snippet mentioned in the Usage section.
Configuration options can be passed as the last parameter here as key/value pairs.
config.omniauth :yahoo_auth, 'YAHOO_APP_ID', 'YAHOO_APP_SECRET', {}
Then add the following to 'config/routes.rb' so the callback routes are defined.
devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
Make sure your model is omniauthable. Generally this is "/app/models/user.rb"
devise :omniauthable, omniauth_providers: [:yahoo_auth]
Then make sure your callbacks controller is set up.
# app/controllers/users/omniauth_callbacks_controller.rb
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def yahoo_auth
    # You need to implement the method below in your model (e.g. app/models/user.rb)
    @user = User.from_omniauth(request.env['omniauth.auth'])
    # from_omniauth returns nil when no matching user exists, hence the safe navigation
    if @user&.persisted?
      flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Yahoo'
      sign_in_and_redirect @user, event: :authentication
    else
      # Drop 'extra' so the stored hash stays small enough for cookie-backed sessions
      session['devise.yahoo_data'] = request.env['omniauth.auth'].except('extra')
      redirect_to new_user_registration_url, alert: @user&.errors&.full_messages&.join("\n")
    end
  end
end
and bind to or create the user
# app/models/user.rb
def self.from_omniauth(access_token)
  data = access_token.info
  user = User.where(email: data['email']).first
  # Uncomment the section below if you want users to be created if they don't exist
  # unless user
  #   user = User.create(name: data['nickname'],
  #     email: data['email'],
  #     password: Devise.friendly_token[0,20]
  #   )
  # end
  user
end
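The from_omniauth above matches an existing account on email alone. As an added example (not the gem's code), the resolver below binds accounts to the provider identity and links by email only when extra.email_verified is true. It is plain Ruby with an in-memory user list; AccountResolver, USERS and demo_auth are hypothetical names, and the provider and uid keys are the standard OmniAuth fields, which the sample auth hash above does not show.

```ruby
# Added example: plain Ruby, no Rails. USERS stands in for the users table
# (constructed data); @identities maps [provider, uid] to a user id.
Result = Struct.new(:status, :user)

class AccountResolver
  def initialize(users)
    @users = users        # array of hashes: { id:, email: }
    @identities = {}      # [provider, uid] => user id
  end

  def resolve(auth)
    provider = auth[:provider].to_s
    uid      = auth[:uid].to_s
    return Result.new(:invalid_auth_hash, nil) if provider.empty? || uid.empty?

    # 1. A previously linked identity wins: uid is stable, email is not.
    if (id = @identities[[provider, uid]])
      return Result.new(:signed_in, @users.find { |u| u[:id] == id })
    end

    # 2. First sign-in: trust the email only when the provider vouches for it.
    unless auth.dig(:extra, :email_verified) == true
      return Result.new(:unverified_email, nil)
    end

    email = auth.dig(:info, :email).to_s.strip.downcase
    user  = @users.find { |u| u[:email].downcase == email } unless email.empty?
    return Result.new(:no_account, nil) unless user

    # 3. Remember the link so later sign-ins no longer depend on the email.
    @identities[[provider, uid]] = user[:id]
    Result.new(:linked, user)
  end
end

# Constructed sample data, shaped like the auth hash shown earlier.
USERS = [{ id: 1, email: 'harvey@suits.com' }].freeze

def demo_auth(uid:, verified:, email: 'harvey@suits.com')
  { provider: 'yahoo_auth', uid: uid,
    info: { email: email }, extra: { email_verified: verified } }
end
```

In a Rails model the same three steps map onto a lookup by provider and uid columns before the email query in from_omniauth.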
For your views you can login using:
<%= link_to "Sign in with Yahoo", user_yahoo_auth_omniauth_authorize_path %>
<%# Devise prior 4.1.0: %>
<%= link_to "Sign in with Yahoo", user_omniauth_authorize_path(:yahoo_auth) %>
Yahoo doesn't allow localhost or 127.0.0.1 as the callback domain when creating an app.
To test this gem in your local environment, follow the steps below.
Add 127.0.0.1 mywebsite.dev to /etc/hosts (the file needs to have a line similar to this one).
Start the server on port 80:
rvmsudo rails s -p 80
Bug reports and pull requests are welcome on GitHub at https://github.com/creative-karan/omniauth-yahoo_auth. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.