Google Git
Sign in
dart / oauth2 / refs/heads/master
commit22e97a46099dc81d7f3cd89e23b0255c9f342460[log] [tgz]
authordependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>Mon Apr 01 00:50:29 2024 +0000
committerGitHub <noreply@github.com>Mon Apr 01 00:50:29 2024 +0000
tree90a7f6a699be946bbfdeeefdba0c56f2caca5211
parent9e42483a73b736894f48ad3afdb9d04cbaaa213c [diff]
Bump actions/checkout from 4.1.1 to 4.1.2 (#169)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<p>We are investigating the following issue with this release and have rolled-back the <code>v4</code> tag to point to <code>v4.1.1</code></p>
<ul>
<li><code>sparse-checkout</code> is not available on git versions prior to 2.27.0 (see <a href="https://redirect.github.com/actions/checkout/issues/1651">actions/checkout#1651</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code> option is not present <a href="https://github.com/dscho"><code>@​dscho</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
<li>Bump tough-cookie from 4.0.0 to 4.1.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1406">actions/checkout#1406</a></li>
<li>Bump <code>@​babel/traverse</code> from 7.20.5 to 7.24.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1642">actions/checkout#1642</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/jww3"><code>@​jww3</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1616">actions/checkout#1616</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4.1.1...v4.1.2">https://github.com/actions/checkout/compare/v4.1.1...v4.1.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v4.1.2</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code> option is not present <a href="https://github.com/dscho"><code>@​dscho</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
</ul>
<h2>v4.1.1</h2>
<ul>
<li>Correct link to GitHub Docs by <a href="https://github.com/peterbe"><code>@​peterbe</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>v4.1.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1396">Add support for partial checkout filters</a></li>
</ul>
<h2>v4.0.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1067">Support fetching without the --progress option</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1436">Update to node20</a></li>
</ul>
<h2>v3.6.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1377">Fix: Mark test scripts with Bash'isms to be run via Bash</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/579">Add option to fetch tags even if fetch-depth &gt; 0</a></li>
</ul>
<h2>v3.5.3</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1196">Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1287">Fix typos found by codespell</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1369">Add support for sparse checkouts</a></li>
</ul>
<h2>v3.5.2</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1289">Fix api endpoint for GHES</a></li>
</ul>
<h2>v3.5.1</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1246">Fix slow checkout on Windows</a></li>
</ul>
<h2>v3.5.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1237">Add new public key for known_hosts</a></li>
</ul>
<h2>v3.4.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1209">Upgrade codeql actions to v2</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1210">Upgrade dependencies</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1225">Upgrade <code>@​actions/io</code></a></li>
</ul>
<h2>v3.3.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1045">Implement branch list using callbacks from exec function</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1050">Add in explicit reference to private checkout options</a></li>
<li>[Fix comment typos (that got added in <a href="https://redirect.github.com/actions/checkout/issues/770">#770</a>)](<a href="https://redirect.github.com/actions/checkout/pull/1057">actions/checkout#1057</a>)</li>
</ul>
<h2>v3.2.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/942">Add GitHub Action to perform release</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/967">Fix status badge</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1002">Replace datadog/squid with ubuntu/squid Docker image</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/964">Wrap pipeline commands for submoduleForeach in quotes</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1029">Update <code>@​actions/io</code> to 1.1.2</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/checkout/commit/9bb56186c3b09b4f86b1c65136769dd318469633"><code>9bb5618</code></a> Prep for release of  v4.1.2  (<a href="https://redirect.github.com/actions/checkout/issues/1649">#1649</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/8eb1f6a495037164bea451156472f35fdd6bafc0"><code>8eb1f6a</code></a> Bump <code>@​babel/traverse</code> from 7.20.5 to 7.24.0 (<a href="https://redirect.github.com/actions/checkout/issues/1642">#1642</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/556e4c3cb0b8b54b734286d5439adadcb0a8cb92"><code>556e4c3</code></a> Bump tough-cookie from 4.0.0 to 4.1.3 (<a href="https://redirect.github.com/actions/checkout/issues/1406">#1406</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/b32f140b0c872d58512e0a66172253c302617b90"><code>b32f140</code></a> Warn on attempts to publish <code>test-ubuntu-git</code> from non-main branch. (<a href="https://redirect.github.com/actions/checkout/issues/1623">#1623</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/2650dbd060003e3b5ae211e4358852f336b682a7"><code>2650dbd</code></a> Give <code>test-ubuntu-git</code> its own <code>README</code> (<a href="https://redirect.github.com/actions/checkout/issues/1620">#1620</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/aadec899646c8e0f34c52d9219c2faac36626b55"><code>aadec89</code></a> Explicitly disable sparse checkout unless asked for (<a href="https://redirect.github.com/actions/checkout/issues/1598">#1598</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/df0bcddf6d6823307c716b56a7ef9c3b25078874"><code>df0bcdd</code></a> Refine workflow for generating <code>test-ubuntu-git</code> (<a href="https://redirect.github.com/actions/checkout/issues/1617">#1617</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/473055ba18d6d2da209cd46110aadb9275e3194e"><code>473055b</code></a> Create <code>test-ubuntu-git</code> Docker Container for Proxy Tests (<a href="https://redirect.github.com/actions/checkout/issues/1616">#1616</a>)</li>
<li>See full diff in <a href="https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=4.1.1&new-version=4.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
1 file changed
tree: 90a7f6a699be946bbfdeeefdba0c56f2caca5211
  1. .github/
  2. example/
  3. lib/
  4. test/
  5. .gitignore
  6. analysis_options.yaml
  7. CHANGELOG.md
  8. LICENSE
  9. pubspec.yaml
  10. README.md
README.md

Dart CI pub package package publisher

A client library for authenticating with a remote service via OAuth2 on behalf of a user, and making authorized HTTP requests with the user's OAuth2 credentials.

About OAuth2

OAuth2 allows a client (the program using this library) to access and manipulate a resource that's owned by a resource owner (the end user) and lives on a remote server. The client directs the resource owner to an authorization server (usually but not always the same as the server that hosts the resource), where the resource owner tells the authorization server to give the client an access token. This token serves as proof that the client has permission to access resources on behalf of the resource owner.

OAuth2 provides several different methods for the client to obtain authorization. At the time of writing, this library only supports the Authorization Code Grant, Client Credentials Grant and Resource Owner Password Grant flows, but more may be added in the future.

Authorization Code Grant

Resources: Class summary, OAuth documentation

import 'dart:io';

import 'package:oauth2/oauth2.dart' as oauth2;

// These URLs are endpoints that are provided by the authorization
// server. They're usually included in the server's documentation of its
// OAuth2 API.
final authorizationEndpoint =
    Uri.parse('http://example.com/oauth2/authorization');
final tokenEndpoint = Uri.parse('http://example.com/oauth2/token');

// The authorization server will issue each client a separate client
// identifier and secret, which allows the server to tell which client
// is accessing it. Some servers may also have an anonymous
// identifier/secret pair that any client may use.
//
// Note that clients whose source code or binary executable is readily
// available may not be able to make sure the client secret is kept a
// secret. This is fine; OAuth2 servers generally won't rely on knowing
// with certainty that a client is who it claims to be.
final identifier = 'my client identifier';
final secret = 'my client secret';

// This is a URL on your application's server. The authorization server
// will redirect the resource owner here once they've authorized the
// client. The redirection will include the authorization code in the
// query parameters.
final redirectUrl = Uri.parse('http://my-site.com/oauth2-redirect');

/// A file in which the users credentials are stored persistently. If the server
/// issues a refresh token allowing the client to refresh outdated credentials,
/// these may be valid indefinitely, meaning the user never has to
/// re-authenticate.
final credentialsFile = File('~/.myapp/credentials.json');

/// Either load an OAuth2 client from saved credentials or authenticate a new
/// one.
Future<oauth2.Client> createClient() async {
  var exists = await credentialsFile.exists();

  // If the OAuth2 credentials have already been saved from a previous run, we
  // just want to reload them.
  if (exists) {
    var credentials =
        oauth2.Credentials.fromJson(await credentialsFile.readAsString());
    return oauth2.Client(credentials, identifier: identifier, secret: secret);
  }

  // If we don't have OAuth2 credentials yet, we need to get the resource owner
  // to authorize us. We're assuming here that we're a command-line application.
  var grant = oauth2.AuthorizationCodeGrant(
      identifier, authorizationEndpoint, tokenEndpoint,
      secret: secret);

  // A URL on the authorization server (authorizationEndpoint with some additional
  // query parameters). Scopes and state can optionally be passed into this method.
  var authorizationUrl = grant.getAuthorizationUrl(redirectUrl);

  // Redirect the resource owner to the authorization URL. Once the resource
  // owner has authorized, they'll be redirected to `redirectUrl` with an
  // authorization code. The `redirect` should cause the browser to redirect to
  // another URL which should also have a listener.
  //
  // `redirect` and `listen` are not shown implemented here. See below for the
  // details.
  await redirect(authorizationUrl);
  var responseUrl = await listen(redirectUrl);

  // Once the user is redirected to `redirectUrl`, pass the query parameters to
  // the AuthorizationCodeGrant. It will validate them and extract the
  // authorization code to create a new Client.
  return await grant.handleAuthorizationResponse(responseUrl.queryParameters);
}

void main() async {
  var client = await createClient();

  // Once you have a Client, you can use it just like any other HTTP client.
  print(await client.read('http://example.com/protected-resources.txt'));

  // Once we're done with the client, save the credentials file. This ensures
  // that if the credentials were automatically refreshed while using the
  // client, the new credentials are available for the next run of the
  // program.
  await credentialsFile.writeAsString(client.credentials.toJson());
}

There is not a universal example for implementing redirect and listen, because different options exist for each platform.

For Flutter apps, there's two popular approaches:

  1. Launch a browser using url_launcher and listen for a redirect using uni_links.

      if (await canLaunch(authorizationUrl.toString())) {
    await launch(authorizationUrl.toString()); }

  // ------- 8< -------

  final linksStream = getLinksStream().listen((Uri uri) async {
   if (uri.toString().startsWith(redirectUrl)) {
     responseUrl = uri;
   }
 });

  2. Launch a WebView inside the app and listen for a redirect using webview_flutter.

      WebView(
    javascriptMode: JavascriptMode.unrestricted,
    initialUrl: authorizationUrl.toString(),
    navigationDelegate: (navReq) {
      if (navReq.url.startsWith(redirectUrl)) {
        responseUrl = Uri.parse(navReq.url);
        return NavigationDecision.prevent;
      }
      return NavigationDecision.navigate;
    },
    // ------- 8< -------
  );

For Dart apps, the best approach depends on the available options for accessing a browser. In general, you‘ll need to launch the authorization URL through the client’s browser and listen for the redirect URL.

Client Credentials Grant

Resources: Method summary, OAuth documentation

// This URL is an endpoint that's provided by the authorization server. It's
// usually included in the server's documentation of its OAuth2 API.
final authorizationEndpoint =
    Uri.parse('http://example.com/oauth2/authorization');

// The OAuth2 specification expects a client's identifier and secret
// to be sent when using the client credentials grant.
//
// Because the client credentials grant is not inherently associated with a user,
// it is up to the server in question whether the returned token allows limited
// API access.
//
// Either way, you must provide both a client identifier and a client secret:
final identifier = 'my client identifier';
final secret = 'my client secret';

// Calling the top-level `clientCredentialsGrant` function will return a
// [Client] instead.
var client = await oauth2.clientCredentialsGrant(
    authorizationEndpoint, identifier, secret);

// With an authenticated client, you can make requests, and the `Bearer` token
// returned by the server during the client credentials grant will be attached
// to any request you make.
var response =
    await client.read('https://example.com/api/some_resource.json');

// You can save the client's credentials, which consists of an access token, and
// potentially a refresh token and expiry date, to a file. This way, subsequent runs
// do not need to reauthenticate, and you can avoid saving the client identifier and
// secret.
await credentialsFile.writeAsString(client.credentials.toJson());

Resource Owner Password Grant

Resources: Method summary, OAuth documentation

// This URL is an endpoint that's provided by the authorization server. It's
// usually included in the server's documentation of its OAuth2 API.
final authorizationEndpoint =
    Uri.parse('http://example.com/oauth2/authorization');

// The user should supply their own username and password.
final username = 'example user';
final password = 'example password';

// The authorization server may issue each client a separate client
// identifier and secret, which allows the server to tell which client
// is accessing it. Some servers may also have an anonymous
// identifier/secret pair that any client may use.
//
// Some servers don't require the client to authenticate itself, in which case
// these should be omitted.
final identifier = 'my client identifier';
final secret = 'my client secret';

// Make a request to the authorization endpoint that will produce the fully
// authenticated Client.
var client = await oauth2.resourceOwnerPasswordGrant(
    authorizationEndpoint, username, password,
    identifier: identifier, secret: secret);

// Once you have the client, you can use it just like any other HTTP client.
var result = await client.read('http://example.com/protected-resources.txt');

// Once we're done with the client, save the credentials file. This will allow
// us to re-use the credentials and avoid storing the username and password
// directly.
File('~/.myapp/credentials.json').writeAsString(client.credentials.toJson());