couchkeeper 0.6.7

data/spec/requests/applications/applications_request_spec.rb

@@ -0,0 +1,92 @@
+require 'spec_helper_integration'
+
+feature 'Adding applications' do
+  context 'in application form' do
+    background do
+      visit '/oauth/applications/new'
+    end
+
+    scenario 'adding a valid app' do
+      fill_in 'Name', :with => 'My Application'
+      fill_in 'Redirect uri', :with => 'http://example.com'
+      click_button 'Submit'
+      i_should_see 'Application created'
+      i_should_see 'My Application'
+    end
+
+    scenario 'adding invalid app' do
+      click_button 'Submit'
+      i_should_see 'Whoops! Check your form for possible errors'
+    end
+  end
+end
+
+feature 'Listing applications' do
+  background do
+    FactoryGirl.create :application, :name => 'Oauth Dude'
+    FactoryGirl.create :application, :name => 'Awesome App'
+  end
+
+  scenario 'application list' do
+    visit '/oauth/applications'
+    i_should_see 'Awesome App'
+    i_should_see 'Oauth Dude'
+  end
+end
+
+feature 'Show application' do
+  let :app do
+    FactoryGirl.create :application, :name => 'Just another oauth app'
+  end
+
+  scenario 'visiting application page' do
+    visit "/oauth/applications/#{app.id}"
+    i_should_see 'Just another oauth app'
+  end
+end
+
+feature 'Edit application' do
+  let :app do
+    FactoryGirl.create :application, :name => 'OMG my app'
+  end
+
+  background do
+    visit "/oauth/applications/#{app.id}/edit"
+  end
+
+  scenario 'updating a valid app' do
+    fill_in :name, :with => "Serious app"
+    click_button 'Submit'
+    i_should_see "Application updated"
+    i_should_see "Serious app"
+    i_should_not_see "OMG my app"
+  end
+
+  scenario 'updating an invalid app' do
+    fill_in :name, :with => ""
+    click_button 'Submit'
+    i_should_see 'Whoops! Check your form for possible errors'
+  end
+end
+
+feature 'Destroy application' do
+  background do
+    @app = FactoryGirl.create :application
+  end
+
+  scenario 'deleting an application from list' do
+    visit "/oauth/applications"
+    i_should_see @app.name
+    within(:css, "tr#application_#{@app.id}") do
+      click_link "Destroy"
+    end
+    i_should_see "Application deleted"
+    i_should_not_see @app.name
+  end
+
+  scenario 'deleting an application from show' do
+    visit "/oauth/applications/#{@app.id}"
+    click_link 'Remove'
+    i_should_see "Application deleted"
+  end
+end

data/spec/requests/applications/authorized_applications_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper_integration'
+
+feature 'Authorized applications' do
+  background do
+    @user   = User.create!(:name => "Joe", :password => "sekret")
+    @client = client_exists(:name => "Amazing Client App")
+    resource_owner_is_authenticated @user
+    client_is_authorized @client, @user
+  end
+
+  scenario "display user's authorized applications" do
+    visit '/oauth/authorized_applications'
+    i_should_see 'Amazing Client App'
+  end
+
+  scenario "do not display other user's authorized applications" do
+    client = client_exists(:name => "Another Client App")
+    client_is_authorized client, User.create!(:name => "Joe", :password => "sekret")
+    visit '/oauth/authorized_applications'
+    i_should_not_see 'Another Client App'
+  end
+
+  scenario "user revoke access to application" do
+    visit '/oauth/authorized_applications'
+    i_should_see 'Amazing Client App'
+    click_on 'Revoke'
+    i_should_see 'Application revoked'
+    i_should_not_see 'Amazing Client App'
+  end
+end

data/spec/requests/endpoints/authorization_spec.rb

@@ -0,0 +1,47 @@
+require 'spec_helper_integration'
+
+feature 'Authorization endpoint' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists(:name => "MyApp")
+  end
+
+  scenario 'requires resource owner to be authenticated' do
+    visit authorization_endpoint_url(:client => @client)
+    i_should_see "Sign in"
+    i_should_be_on "/"
+  end
+
+  context 'with authenticated resource owner' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario 'displays the authorization form' do
+      visit authorization_endpoint_url(:client => @client)
+      i_should_see "Authorize MyApp to use your account?"
+    end
+
+    scenario "displays all requested scopes" do
+      default_scopes_exist :public
+      optional_scopes_exist :write
+      visit authorization_endpoint_url(:client => @client, :scope => "public write")
+      i_should_see "Access your public data"
+      i_should_see "Update your data"
+    end
+  end
+
+  context 'with a invalid request' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario "displays the related error" do
+      visit authorization_endpoint_url(:client => @client, :response_type => "")
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :unsupported_response_type
+    end
+  end
+end

data/spec/requests/endpoints/token_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper_integration'
+
+feature 'Token endpoint' do
+  background do
+    client_exists
+    authorization_code_exists :application => @client, :scopes => "public"
+  end
+
+  scenario 'respond with correct headers' do
+    post token_endpoint_url(:code => @authorization.token, :client => @client)
+    should_have_header 'Pragma', 'no-cache'
+    should_have_header 'Cache-Control', 'no-store'
+    should_have_header 'Content-Type', 'application/json; charset=utf-8'
+  end
+
+  scenario 'accepts client credentials with basic auth header' do
+    post token_endpoint_url(:code => @authorization.token, :redirect_uri => @client.redirect_uri),
+                            {} ,
+                            { 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client) }
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+  end
+
+  scenario 'returns null for expires_in when a permanent token is set' do
+    config_is_set(:access_token_expires_in, nil)
+    post token_endpoint_url(:code => @authorization.token, :client => @client)
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+    should_have_json 'expires_in', nil
+  end
+
+  scenario 'returns unsupported_grant_type for invalid grant_type param' do
+    post token_endpoint_url(:code => @authorization.token, :client => @client, :grant_type => 'nothing')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'unsupported_grant_type'
+    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
+  end
+
+  scenario 'returns invalid_request if grant_type is missing' do
+    post token_endpoint_url(:code => @authorization.token, :client => @client, :grant_type => '')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_request'
+    should_have_json 'error_description', translated_error_message('invalid_request')
+  end
+end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper_integration'
+
+feature 'Authorization Code Flow Errors' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  after do
+    access_grant_should_not_exist
+  end
+
+  context 'when access was denied' do
+    scenario 'redirects with error' do
+      visit authorization_endpoint_url(:client => @client)
+      click_on "Deny"
+
+      i_should_be_on_client_callback @client
+      url_should_not_have_param "code"
+      url_should_have_param "error", "access_denied"
+      url_should_have_param "error_description", translated_error_message(:access_denied)
+    end
+
+    scenario 'redirects with state parameter' do
+      visit authorization_endpoint_url(:client => @client, :state => "return-this")
+      click_on "Deny"
+
+      i_should_be_on_client_callback @client
+      url_should_not_have_param "code"
+      url_should_have_param "state", "return-this"
+    end
+  end
+end
+
+feature 'Authorization Code Flow Errors', 'after authorization' do
+  background do
+    client_exists
+    authorization_code_exists :application => @client
+  end
+
+  scenario "returns :invalid_grant error when posting an already revoked grant code" do
+    # First successful request
+    post token_endpoint_url(:code => @authorization.token, :client => @client)
+
+    # Second attempt with same token
+    expect {
+      post token_endpoint_url(:code => @authorization.token, :client => @client)
+    }.to_not change { Doorkeeper::AccessToken.count }
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_grant'
+    should_have_json 'error_description', translated_error_message('invalid_grant')
+  end
+
+  scenario "returns :invalid_grant error for invalid grant code" do
+    post token_endpoint_url(:code => "invalid", :client => @client)
+
+    access_token_should_not_exist
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_grant'
+    should_have_json 'error_description', translated_error_message('invalid_grant')
+  end
+end

data/spec/requests/flows/authorization_code_spec.rb

@@ -0,0 +1,135 @@
+require 'spec_helper_integration'
+
+feature 'Authorization Code Flow' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  scenario 'resource owner authorizes the client' do
+    visit authorization_endpoint_url(:client => @client)
+    click_on "Authorize"
+
+    access_grant_should_exist_for(@client, @resource_owner)
+
+    i_should_be_on_client_callback(@client)
+
+    url_should_have_param("code", Doorkeeper::AccessGrant.first.token)
+    url_should_not_have_param("state")
+    url_should_not_have_param("error")
+  end
+
+  scenario 'resource owner authorizes using test url' do
+    @client.redirect_uri = Doorkeeper.configuration.test_redirect_uri
+    @client.save!
+    visit authorization_endpoint_url(:client => @client)
+    click_on "Authorize"
+
+    access_grant_should_exist_for(@client, @resource_owner)
+
+    i_should_see 'Authorization code:'
+    i_should_see Doorkeeper::AccessGrant.first.token
+  end
+
+  scenario 'resource owner authorizes the client with state parameter set' do
+    visit authorization_endpoint_url(:client => @client, :state => "return-me")
+    click_on "Authorize"
+    url_should_have_param("code", Doorkeeper::AccessGrant.first.token)
+    url_should_have_param("state", "return-me")
+  end
+
+  scenario 'returns the same token if it is still accessible' do
+    client_is_authorized(@client, @resource_owner)
+    visit authorization_endpoint_url(:client => @client)
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    post token_endpoint_url(:code => authorization_code, :client => @client)
+
+    Doorkeeper::AccessToken.count.should be(1)
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+  end
+
+  scenario 'revokes and return new token if it is has expired' do
+    client_is_authorized(@client, @resource_owner)
+    token = Doorkeeper::AccessToken.first
+    token.update_column :expires_in, -100
+    visit authorization_endpoint_url(:client => @client)
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    post token_endpoint_url(:code => authorization_code, :client => @client)
+
+    token.reload.should be_revoked
+    Doorkeeper::AccessToken.count.should be(2)
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.last.token
+  end
+
+  scenario 'resource owner requests an access token with authorization code' do
+    visit authorization_endpoint_url(:client => @client)
+    click_on "Authorize"
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    post token_endpoint_url(:code => authorization_code, :client => @client)
+
+    access_token_should_exist_for(@client, @resource_owner)
+
+    should_not_have_json 'error'
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+    should_have_json 'token_type',   "bearer"
+    should_have_json 'expires_in',   Doorkeeper::AccessToken.first.expires_in
+  end
+
+  context 'with scopes' do
+    background do
+      default_scopes_exist  :public
+      optional_scopes_exist :write
+    end
+
+    scenario 'resource owner authorizes the client with default scopes' do
+      visit authorization_endpoint_url(:client => @client)
+      click_on "Authorize"
+      access_grant_should_exist_for(@client, @resource_owner)
+      access_grant_should_have_scopes :public
+    end
+
+    scenario 'resource owner authorizes the client with required scopes' do
+      visit authorization_endpoint_url(:client => @client, :scope => "public write")
+      click_on "Authorize"
+      access_grant_should_have_scopes :public, :write
+    end
+
+    scenario 'resource owner authorizes the client with required scopes (without defaults)' do
+      visit authorization_endpoint_url(:client => @client, :scope => "write")
+      click_on "Authorize"
+      access_grant_should_have_scopes :write
+    end
+
+    scenario 'new access token matches required scopes' do
+      visit authorization_endpoint_url(:client => @client, :scope => "public write")
+      click_on "Authorize"
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      post token_endpoint_url(:code => authorization_code, :client => @client)
+
+      access_token_should_exist_for(@client, @resource_owner)
+      access_token_should_have_scopes :public, :write
+    end
+
+    scenario 'returns new token if scopes have changed' do
+      client_is_authorized(@client, @resource_owner, :scopes => "public write")
+      visit authorization_endpoint_url(:client => @client, :scope => "public")
+      click_on "Authorize"
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      post token_endpoint_url(:code => authorization_code, :client => @client)
+
+      Doorkeeper::AccessToken.count.should be(2)
+
+      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
+    end
+  end
+end

data/spec/requests/flows/client_credentials_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper_integration'
+
+describe 'Client Credentials Request' do
+  let(:client) { FactoryGirl.create :application }
+
+  context 'a valid request' do
+    it 'authorizes the client and returns the token response' do
+      headers = authorization client.uid, client.secret
+      params  = { :grant_type => 'client_credentials' }
+
+      post '/oauth/token', params, headers
+
+      should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+      should_have_json 'expires_in', Doorkeeper.configuration.access_token_expires_in
+      should_have_json 'scope', ''
+      should_have_json 'refresh_token', nil
+
+      should_not_have_json 'error'
+      should_not_have_json 'error_description'
+    end
+
+    context 'with scopes' do
+      before do
+        optional_scopes_exist :write
+      end
+
+      it 'adds the scope to the token an returns in the response' do
+        headers = authorization client.uid, client.secret
+        params  = { :grant_type => 'client_credentials', :scope => 'write' }
+
+        post '/oauth/token', params, headers
+
+        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+        should_have_json 'scope', 'write'
+      end
+    end
+  end
+
+  context 'an invalid request' do
+    it 'does not authorize the client and returns the error' do
+      headers = {}
+      params  = { :grant_type => 'client_credentials' }
+
+      post '/oauth/token', params, headers
+
+      should_have_json 'error', 'invalid_client'
+      should_have_json 'error_description', translated_error_message(:invalid_client)
+      should_not_have_json 'access_token'
+
+      response.status.should == 401
+    end
+  end
+
+  def authorization(username, password)
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
+    { 'HTTP_AUTHORIZATION' => credentials }
+  end
+end