anjlab-devise-oauth2-providable 1.1.0

data/devise_oauth2_providable.gemspec

@@ -0,0 +1,30 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise/oauth2_providable/version"
+
+Gem::Specification.new do |s|
+  s.name        = "anjlab-devise-oauth2-providable"
+  s.version     = Devise::Oauth2Providable::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Ryan Sonnek"]
+  s.email       = ["ryan@socialcast.com"]
+  s.homepage    = "https://github.com/anjlab/devise_oauth2_providable"
+  s.summary     = %q{OAuth2 Provider for Rails3 applications with Devise 2.1.0}
+  s.description = %q{Rails3 engine that adds OAuth2 Provider support to any application built with Devise authentication}
+
+  s.add_runtime_dependency "rails", ">= 3.2.0"
+  s.add_runtime_dependency "devise", ">= 2.1.0"
+  s.add_runtime_dependency "rack-oauth2", "~> 0.14.4"
+
+  s.add_development_dependency "rspec-rails", '>= 2.6.2'
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "shoulda-matchers", ">=1.0.0"
+  s.add_development_dependency "pry-rails"
+  s.add_development_dependency "factory_girl_rspec", '>= 0.0.1'
+  s.add_development_dependency "rake", '>= 0.9.2.2'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/anjlab-devise-oauth2-providable.rb

@@ -0,0 +1 @@
+require 'devise_oauth2_providable'

data/lib/devise/oauth2_providable/engine.rb

@@ -0,0 +1,16 @@
+module Devise
+  module Oauth2Providable
+    class Engine < Rails::Engine
+      config.devise_oauth2_providable = ActiveSupport::OrderedOptions.new
+      config.devise_oauth2_providable.access_token_expires_in       = 15.minutes
+      config.devise_oauth2_providable.refresh_token_expires_in      = 1.month
+      config.devise_oauth2_providable.authorization_code_expires_in = 1.minute
+
+      engine_name 'oauth2'
+      isolate_namespace Devise::Oauth2Providable
+      initializer "devise_oauth2_providable.initialize_application", :before=> :load_config_initializers do |app|
+        app.config.filter_parameters << :client_secret
+      end
+    end
+  end
+end

data/lib/devise/oauth2_providable/expirable_token.rb

@@ -0,0 +1,57 @@
+require 'active_support/concern'
+require 'active_record'
+
+module Devise
+  module Oauth2Providable
+    module ExpirableToken
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def expires_according_to(config_name)
+          cattr_accessor :default_lifetime
+          self.default_lifetime = Rails.application.config.devise_oauth2_providable[config_name]
+
+          belongs_to :user
+          belongs_to :client
+
+          after_initialize :init_token, :on => :create, :unless => :token?
+          after_initialize :init_expires_at, :on => :create, :unless => :expires_at?
+          validates :expires_at, :presence => true
+          validates :client, :presence => true
+          validates :token, :presence => true, :uniqueness => true
+
+          default_scope lambda {
+            where(self.arel_table[:expires_at].gteq(Time.now.utc))
+          }
+
+          include LocalInstanceMethods
+        end
+      end
+
+      module LocalInstanceMethods
+        # number of seconds until the token expires
+        def expires_in
+          (expires_at - Time.now.utc).to_i
+        end
+
+        # forcefully expire the token
+        def expired!
+          self.expires_at = Time.now.utc
+          self.save!
+        end
+
+        private
+
+        def init_token
+          self.token = Devise::Oauth2Providable.random_id
+        end
+        def init_expires_at
+          self.expires_at = self.default_lifetime.from_now
+        end
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.send :include, Devise::Oauth2Providable::ExpirableToken
+

data/lib/devise/oauth2_providable/models/oauth2_authorization_code_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2AuthorizationCodeGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_password_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2PasswordGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_providable.rb

@@ -0,0 +1,14 @@
+require 'devise/models'
+
+module Devise
+  module Models
+    module Oauth2Providable
+      extend ActiveSupport::Concern
+      included do
+        has_many :access_tokens, class_name: Devise::Oauth2Providable::AccessToken.name
+        has_many :authorization_codes, class_name: Devise::Oauth2Providable::AuthorizationCode.name
+        has_many :clients, class_name: Devise::Oauth2Providable::Client.name
+      end
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_refresh_token_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2RefreshTokenGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/strategies/oauth2_authorization_code_grant_type_strategy.rb

@@ -0,0 +1,21 @@
+require 'devise/oauth2_providable/strategies/oauth2_grant_type_strategy'
+
+module Devise
+  module Strategies
+    class Oauth2AuthorizationCodeGrantTypeStrategy < Oauth2GrantTypeStrategy
+      def grant_type
+        'authorization_code'
+      end
+
+      def authenticate_grant_type(client)
+        if code = client.authorization_codes.find_by_token(params[:code])
+          success! code.user
+        else
+          oauth_error! :invalid_grant, 'invalid authorization code request'
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_authorization_code_grantable, Devise::Strategies::Oauth2AuthorizationCodeGrantTypeStrategy)

data/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb

@@ -0,0 +1,38 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class Oauth2GrantTypeStrategy < Authenticatable
+      def valid?
+        params[:controller] == 'devise/oauth2_providable/tokens' && request.post? && params[:grant_type] == grant_type
+      end
+
+      # defined by subclass
+      def grant_type
+      end
+
+      # defined by subclass
+      def authenticate_grant_type(client)
+      end
+
+      def authenticate!
+        client_id, client_secret = request.authorization ? decode_credentials : [params[:client_id], params[:client_secret]]
+        client = Devise::Oauth2Providable::Client.find_by_identifier client_id
+        if client && client.secret == client_secret
+          env[Devise::Oauth2Providable::CLIENT_ENV_REF] = client
+          authenticate_grant_type(client)
+        else
+          oauth_error! :invalid_client, 'invalid client credentials'
+        end
+      end
+
+      # return custom error response in accordance with the oauth spec
+      # see http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.3
+      def oauth_error!(error_code = :invalid_request, description = nil)
+        body = {:error => error_code}
+        body[:error_description] = description if description
+        custom! [400, {'Content-Type' => 'application/json'}, [body.to_json]]
+      end
+    end
+  end
+end

data/lib/devise/oauth2_providable/strategies/oauth2_password_grant_type_strategy.rb

@@ -0,0 +1,22 @@
+require 'devise/oauth2_providable/strategies/oauth2_grant_type_strategy'
+
+module Devise
+  module Strategies
+    class Oauth2PasswordGrantTypeStrategy < Oauth2GrantTypeStrategy
+      def grant_type
+        'password'
+      end
+
+      def authenticate_grant_type(client)
+        resource = mapping.to.find_for_authentication(mapping.to.authentication_keys.first => params[:username])
+        if resource && validate(resource) { resource.valid_password?(params[:password]) }
+          success! resource
+        else
+          oauth_error! :invalid_grant, 'invalid password authentication request'
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_password_grantable, Devise::Strategies::Oauth2PasswordGrantTypeStrategy)

data/lib/devise/oauth2_providable/strategies/oauth2_providable_strategy.rb

@@ -0,0 +1,25 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class Oauth2Providable < Authenticatable
+      def valid?
+        @req = Rack::OAuth2::Server::Resource::Bearer::Request.new(env)
+        @req.oauth2?
+      end
+      def authenticate!
+        @req.setup!
+        token = Devise::Oauth2Providable::AccessToken.find_by_token @req.access_token
+        env[Devise::Oauth2Providable::CLIENT_ENV_REF] = token.client if token
+        resource = token ? token.user : nil
+        if resource && validate(resource)
+          success! resource
+        else
+          fail(:invalid_token)
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_providable, Devise::Strategies::Oauth2Providable)

data/lib/devise/oauth2_providable/strategies/oauth2_refresh_token_grant_type_strategy.rb

@@ -0,0 +1,22 @@
+require 'devise/oauth2_providable/strategies/oauth2_grant_type_strategy'
+
+module Devise
+  module Strategies
+    class Oauth2RefreshTokenGrantTypeStrategy < Oauth2GrantTypeStrategy
+      def grant_type
+        'refresh_token'
+      end
+
+      def authenticate_grant_type(client)
+        if refresh_token = client.refresh_tokens.find_by_token(params[:refresh_token])
+          env[Devise::Oauth2Providable::REFRESH_TOKEN_ENV_REF] = refresh_token
+          success! refresh_token.user
+        else
+          oauth_error! :invalid_grant, 'invalid refresh token'
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_refresh_token_grantable, Devise::Strategies::Oauth2RefreshTokenGrantTypeStrategy)

data/lib/devise/oauth2_providable/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Oauth2Providable
+    VERSION = "1.1.0"
+  end
+end

data/lib/devise_oauth2_providable.rb

@@ -0,0 +1,41 @@
+require 'devise'
+require 'rack/oauth2'
+require 'devise/oauth2_providable/engine'
+require 'devise/oauth2_providable/expirable_token'
+require 'devise/oauth2_providable/strategies/oauth2_providable_strategy'
+require 'devise/oauth2_providable/strategies/oauth2_password_grant_type_strategy'
+require 'devise/oauth2_providable/strategies/oauth2_refresh_token_grant_type_strategy'
+require 'devise/oauth2_providable/strategies/oauth2_authorization_code_grant_type_strategy'
+require 'devise/oauth2_providable/models/oauth2_providable'
+require 'devise/oauth2_providable/models/oauth2_password_grantable'
+require 'devise/oauth2_providable/models/oauth2_refresh_token_grantable'
+require 'devise/oauth2_providable/models/oauth2_authorization_code_grantable'
+
+module Devise
+  module Oauth2Providable
+    CLIENT_ENV_REF = 'oauth2.client'
+    REFRESH_TOKEN_ENV_REF = "oauth2.refresh_token"
+
+    class << self
+      def random_id
+        SecureRandom.hex
+      end
+      def table_name_prefix
+        'oauth2_'
+      end
+    end
+  end
+end
+
+Devise.add_module(:oauth2_providable,
+  :strategy => true,
+  :model => 'devise/oauth2_providable/models/oauth2_providable')
+Devise.add_module(:oauth2_password_grantable, 
+  :strategy => true,
+  :model => 'devise/oauth2_providable/models/oauth2_password_grantable')
+Devise.add_module(:oauth2_refresh_token_grantable, 
+  :strategy => true,
+  :model => 'devise/oauth2_providable/models/oauth2_refresh_token_grantable')
+Devise.add_module(:oauth2_authorization_code_grantable,
+  :strategy => true,
+  :model => 'devise/oauth2_providable/models/oauth2_authorization_code_grantable')

data/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+ENGINE_PATH = File.expand_path('../..',  __FILE__)
+load File.expand_path('../../spec/dummy/script/rails',  __FILE__)

data/spec/controllers/authorizations_controller_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Devise::Oauth2Providable::AuthorizationsController do
+  describe 'GET #new' do
+    context 'with valid redirect_uri' do
+      let(:user) { create(:user) }
+      let(:client) { create(:client) }
+      let(:redirect_uri) { client.redirect_uri }
+      before do
+        sign_in user
+        get :new, :client_id => client.identifier, :redirect_uri => redirect_uri, :response_type => 'code', :use_route => 'devise_oauth2_providable'
+      end
+      it { should respond_with :ok }
+      it { should respond_with_content_type :html }
+      it { should assign_to(:redirect_uri).with(redirect_uri) }
+      it { should assign_to(:response_type) }
+      it { should render_template 'devise/oauth2_providable/authorizations/new' }
+      # it { should render_with_layout 'application' }
+    end
+    context 'with invalid redirect_uri' do
+      let(:user) { create(:user) }
+      let(:client) { create(:client) }
+      let(:redirect_uri) { 'http://example.com/foo/bar' }
+      before do
+        sign_in user
+        get :new, :client_id => client.identifier, :redirect_uri => redirect_uri, :response_type => 'code', :use_route => 'devise_oauth2_providable'
+      end
+      it { should respond_with :bad_request }
+      it { should respond_with_content_type :html }
+    end
+  end
+end

data/spec/controllers/protected_controller_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe ProtectedController do
+
+  describe 'get :index' do
+    let(:user) { create(:user) }
+    let(:client) { create(:client) }
+    before do
+      @token = Devise::Oauth2Providable::AccessToken.create! :client => client, :user => user
+    end
+    context 'with valid bearer token in header' do
+      before do
+        @request.env['HTTP_AUTHORIZATION'] = "Bearer #{@token.token}"
+        get :index, :format => 'json'
+      end
+      it { should respond_with :ok }
+    end
+    context 'with valid bearer token in query string' do
+      before do
+        get :index, :access_token => @token.token, :format => 'json'
+      end
+      it { should respond_with :ok }
+    end
+
+    context 'with invalid bearer token in query param' do
+      before do
+        get :index, :access_token => 'invalid', :format => 'json'
+      end
+      it { should respond_with :unauthorized }
+    end
+    context 'with valid bearer token in header and query string' do
+      before do
+      end
+      it 'raises error' do
+        lambda {
+          @request.env['HTTP_AUTHORIZATION'] = "Bearer #{@token.token}"
+          get :index, :access_token => @token.token, :format => 'json'
+        }.should raise_error
+      end
+    end
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,7 @@
+// This is a manifest file that'll be compiled into including all the files listed below.
+// Add new JavaScript/Coffee code in separate files in this directory and they'll automatically
+// be included in the compiled file accessible from http://example.com/assets/application.js
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,7 @@
+/*
+ * This is a manifest file that'll automatically include all the stylesheets available in this directory
+ * and any sub-directories. You're free to add application-wide styles to this file and they'll appear at
+ * the top of the compiled file, but it's generally better to create a new file per style scope.
+ *= require_self
+ *= require_tree . 
+*/