anjlab-devise-oauth2-providable 1.1.0

data/.gitignore

@@ -0,0 +1,40 @@
+# rcov generated
+coverage
+
+# rdoc generated
+rdoc
+
+# yard generated
+doc
+.yardoc
+
+# bundler
+.bundle
+Gemfile.lock
+
+# jeweler generated
+pkg
+
+# test files
+test/*.log
+test/*.sqlite3
+
+# For vim:
+*.swp
+
+# For MacOS:
+.DS_Store
+
+# git files
+*.orig
+
+# rails files
+tmp
+log
+*.log
+*.sqlite3
+# EMACS
+\#*
+.\#*
+
+*.gem

data/.rvmrc

@@ -0,0 +1 @@
+rvm use 1.9.3@devise_oauth2_providable --create

data/CONTRIBUTORS.txt

@@ -0,0 +1,6 @@
+Ryan Sonnek - Original Author
+
+
+Complete list of contributors:
+https://github.com/socialcast/devise_oauth2_providable/contributors
+

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in the .gemspec
+gemspec
+
+gem 'sqlite3'
+gem 'shoulda-matchers'
+gem 'factory_girl_rails'

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright (c) 2011 Socialcast, Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,158 @@
+# devise_oauth2_providable
+
+Rails3 engine that brings OAuth2 Provider support to your application.
+
+Current OAuth2 Specification Draft:
+http://tools.ietf.org/html/draft-ietf-oauth-v2-22
+
+## Features
+
+* integrate OAuth2 authentication with Devise authenthentication stack
+* one-stop-shop includes all Models, Controllers and Views to get up and
+  running quickly
+* All server requests support authentication via bearer token included in
+the request.  http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
+* customizable mount point for oauth2 routes (ex: /oauth2 vs /oauth)
+
+
+## Requirements
+
+* Devise authentication library
+* Rails 3.1 or higher
+
+## Installation
+
+#### Install gem
+```ruby
+# Gemfile
+gem 'anjlab-devise-oauth2-providable'
+```
+
+#### Migrate database for Oauth2 models
+```
+$ rake devise_oauth2_providable:install:migrations
+$ rake db:migrate
+```
+
+#### Add Oauth2 Routes
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  # oauth routes can be mounted to any path (ex: /oauth2 or /oauth)
+  mount Devise::Oauth2Providable::Engine => '/oauth2'
+end
+```
+
+#### Configure User for supported Oauth2 flows
+```ruby
+class User
+  # NOTE: include :database_authenticatable configuration
+  # if supporting Resource Owner Password Credentials Grant Type
+  devise :oauth2_providable, 
+    :oauth2_password_grantable,
+    :oauth2_refresh_token_grantable,
+    :oauth2_authorization_code_grantable
+end
+```
+
+#### (optional) Configure token expiration settings
+```ruby
+# config/application.rb
+config.devise_oauth2_providable.access_token_expires_in         = 1.second # 15.minute default
+config.devise_oauth2_providable.refresh_token_expires_in        = 1.minute # 1.month default
+config.devise_oauth2_providable.authorization_token_expires_in  = 5.seconds # 1.minute default
+```
+
+## Models
+
+### Client
+registered OAuth2 client for storing the unique client_id and
+client_secret.
+
+### AccessToken
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.3
+
+Short lived token used by clients to perform subsequent requests (see
+bearer token spec)
+
+expires after 15min by default.  to customize the duration of the access token:
+
+```ruby
+Devise::Oauth2Providable::AccessToken.default_lifetime = 1.minute
+```
+
+### RefreshToken
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.5
+
+Long lived token used by clients to request new access tokens without
+requiring user intervention to re-authorize.
+
+expires after 1 month by default. to customize the duration of refresh token:
+
+```ruby
+Devise::Oauth2Providable::RefreshToken.default_lifetime = 1.year
+```
+
+### AuthorizationCode
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.4.1
+
+*Very* short lived token created to allow a client to request an access
+token after a user has gone through the authorization flow.
+
+expires after 1min by default. to customize the duration of the
+authorization code:
+
+```ruby
+Devise::Oauth2Providable::AuthorizationCode.default_lifetime = 5.minutes
+```
+
+## Routes
+
+### /oauth2/authorize
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.1
+
+Endpoint to start client authorization flow.  Models, controllers and
+views are included for out of the box deployment.
+
+Supports the Authorization Code and Implicit grant types.
+
+### /oauth2/token
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.2
+
+Endpoint to request access token.  See grant type documentation for
+supported flows.
+
+## Grant Types
+
+### Resource Owner Password Credentials Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+
+in order to use the Resource Owner Password Credentials Grant Type, your
+Devise model *must* be configured with the :database_authenticatable option
+
+### Client Credentials Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+
+### Authorization Code Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+
+### Implicit Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.2
+
+### Refresh Token Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6
+
+## Contributing
+ 
+* Fork the project
+* Fix the issue
+* Add unit tests
+* Submit pull request on github
+
+See CONTRIBUTORS.txt for list of project contributors
+
+## Copyright
+
+Copyright (c) 2011 Socialcast, Inc. 
+See LICENSE.txt for further details.
+

data/Rakefile

@@ -0,0 +1,5 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/app/controllers/devise/oauth2_providable/authorizations_controller.rb

@@ -0,0 +1,58 @@
+module Devise
+  module Oauth2Providable
+    class AuthorizationsController < ApplicationController
+      before_filter :authenticate_user!
+      rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+        @error = e
+        render :error, :status => e.status, :layout => false
+      end
+
+      def new
+        respond *authorize_endpoint.call(request.env)
+      end
+
+      def create
+        respond *authorize_endpoint(:allow_approval).call(request.env)
+      end
+
+      private
+
+      def respond(status, header, response)
+        ["WWW-Authenticate"].each do |key|
+          headers[key] = header[key] if header[key].present?
+        end
+        if response.redirect?
+          redirect_to header['Location']
+        else
+          render :new, :layout => false
+        end
+      end
+
+      def authorize_endpoint(allow_approval = false)
+        Rack::OAuth2::Server::Authorize.new do |req, res|
+          @client = Client.find_by_identifier(req.client_id) || req.bad_request!
+          res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@client.redirect_uri)
+          if allow_approval
+            if params[:approve].present?
+              case req.response_type
+              when :code
+                authorization_code = current_user.authorization_codes.create!(:client => @client)
+                res.code = authorization_code.token
+              when :token
+                access_token = current_user.access_tokens.create!(:client => @client).token
+                bearer_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => access_token)
+                res.access_token = bearer_token
+                res.uid = current_user.id
+              end
+              res.approve!
+            else
+              req.access_denied!
+            end
+          else
+            @response_type = req.response_type
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/devise/oauth2_providable/tokens_controller.rb

@@ -0,0 +1,19 @@
+class Devise::Oauth2Providable::TokensController < ApplicationController
+  before_filter :authenticate_user!
+  skip_before_filter :verify_authenticity_token, :only => :create
+
+  def create
+    @refresh_token = oauth2_current_refresh_token || oauth2_current_client.refresh_tokens.create!(:user => current_user)
+    @access_token = @refresh_token.access_tokens.create!(:client => oauth2_current_client, :user => current_user)
+    render :json => @access_token.token_response
+  end
+
+  private
+  def oauth2_current_client
+   env[Devise::Oauth2Providable::CLIENT_ENV_REF]
+  end
+  
+  def oauth2_current_refresh_token
+    env[Devise::Oauth2Providable::REFRESH_TOKEN_ENV_REF]
+  end
+end

data/app/models/devise/oauth2_providable/access_token.rb

@@ -0,0 +1,24 @@
+class Devise::Oauth2Providable::AccessToken < ActiveRecord::Base
+  expires_according_to :access_token_expires_in
+
+  before_validation :restrict_expires_at, :on => :create, :if => :refresh_token
+  belongs_to :refresh_token
+
+  attr_accessible :user, :client, :refresh_token
+
+  def token_response
+    response = {
+      :access_token => token,
+      :token_type => 'bearer',
+      :expires_in => expires_in
+    }
+    response[:refresh_token] = refresh_token.token if refresh_token
+    response
+  end
+
+  private
+
+  def restrict_expires_at
+    self.expires_at = [self.expires_at, refresh_token.expires_at].compact.min
+  end
+end

data/app/models/devise/oauth2_providable/authorization_code.rb

@@ -0,0 +1,4 @@
+class Devise::Oauth2Providable::AuthorizationCode < ActiveRecord::Base
+  expires_according_to :authorization_code_expires_in
+  attr_accessible :client  
+end

data/app/models/devise/oauth2_providable/client.rb

@@ -0,0 +1,24 @@
+class Devise::Oauth2Providable::Client < ActiveRecord::Base
+  has_many :access_tokens
+  has_many :refresh_tokens
+  has_many :authorization_codes
+  belongs_to :user
+
+  before_validation :init_identifier, :on => :create, :unless => :identifier?
+  before_validation :init_secret, :on => :create, :unless => :secret?
+
+  validates :website, :secret, :presence => true
+  validates :name, :presence => true, :uniqueness => true
+  validates :identifier, :presence => true, :uniqueness => true
+
+  attr_accessible :name, :website, :redirect_uri, :user
+
+  private
+
+  def init_identifier
+    self.identifier = Devise::Oauth2Providable.random_id
+  end
+  def init_secret
+    self.secret = Devise::Oauth2Providable.random_id
+  end
+end

data/app/models/devise/oauth2_providable/refresh_token.rb

@@ -0,0 +1,7 @@
+class Devise::Oauth2Providable::RefreshToken < ActiveRecord::Base
+  expires_according_to :refresh_token_expires_in
+
+  attr_accessible :user, :client
+
+  has_many :access_tokens
+end

data/app/views/devise/oauth2_providable/authorizations/_form.html.erb

@@ -0,0 +1,7 @@
+<%= form_tag authorizations_path, :class => action do %>
+  <%= hidden_field_tag :client_id, client.identifier %>
+  <%= hidden_field_tag :response_type, response_type %>
+  <%= hidden_field_tag :redirect_uri, redirect_uri %>
+  <%= submit_tag action.to_s.capitalize %>
+  <%= hidden_field_tag action, true %>
+<% end %>

data/app/views/devise/oauth2_providable/authorizations/error.html.erb

@@ -0,0 +1,4 @@
+<h2>Invalid Authorization Request</h2>
+<h3><%= @error.error %></h3>
+<p><%= @error.description %></p>
+

data/app/views/devise/oauth2_providable/authorizations/new.html.erb

@@ -0,0 +1,4 @@
+<h2><%= link_to @client.name, @client.website %> is requesting permission to access your resources.</h2>
+
+<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %>
+<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %>

data/config/routes.rb

@@ -0,0 +1,9 @@
+Devise::Oauth2Providable::Engine.routes.draw do
+  scope defaults: {format: 'json'} do
+    root :to => "authorizations#new"
+
+    resources :authorizations, :only => :create
+    match 'authorize' => 'authorizations#new'
+    resource :token, :only => :create
+  end
+end

data/db/migrate/20111014160714_create_devise_oauth2_providable_schema.rb

@@ -0,0 +1,55 @@
+class CreateDeviseOauth2ProvidableSchema < ActiveRecord::Migration
+  def change
+    create_table :oauth2_clients do |t|
+      t.belongs_to :user
+      t.string :name
+      t.string :redirect_uri
+      t.string :website
+      t.string :identifier
+      t.string :secret
+      t.timestamps
+    end
+    change_table :oauth2_clients do |t|
+      t.index :identifier, :unique => true
+    end
+
+    create_table :oauth2_access_tokens do |t|
+      t.belongs_to :user, :client, :refresh_token
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_access_tokens do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+
+    create_table :oauth2_refresh_tokens do |t|
+      t.belongs_to :user, :client
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_refresh_tokens do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+
+    create_table :oauth2_authorization_codes do |t|
+      t.belongs_to :user, :client
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_authorization_codes do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+  end
+end