danski-ooh-auth 0.1.2

data/spec/controllers/authenticating_clients_spec.rb

@@ -0,0 +1,119 @@
+require File.join(File.dirname(__FILE__), '..', 'spec_helper.rb')
+
+describe OohAuth::AuthenticatingClients do
+ 
+  before :all do
+    Merb::Router.prepare do 
+      add_slice(:OohAuth)
+    end if standalone?
+    @controller = dispatch_to(OohAuth::AuthenticatingClients, :index)
+    @prefix = OohAuth[:path_prefix]
+  end
+  
+  after :all do
+    Merb::Router.reset! if standalone?
+  end
+
+  describe "index action" do
+    it "should render successfully without authentication" do
+      @controller.should be_successful
+      lambda {@controller = dispatch_to(OohAuth::AuthenticatingClients, :new)}.should raise_error(Merb::Controller::Unauthenticated)
+    end
+    it "should show a list of clients when authenticated"
+  end
+  
+  describe "new/create action" do 
+    before :each do
+      @user = user_class.gen
+
+      @bad_authenticating_client_attrs = OohAuth::AuthenticatingClient.gen.attributes
+      [:name, :user_id].each  {|a| @bad_authenticating_client_attrs.delete(a) }
+      
+      @good_authenticating_client_attrs = OohAuth::AuthenticatingClient.gen(:kind=>"desktop").attributes
+      [:id, :secret, :api_key, :user_id].each  {|a| @good_authenticating_client_attrs.delete(a) }
+      @good_authenticating_client_attrs[:name] = "unique fo realz"
+      
+      @controller = OohAuth::AuthenticatingClients.new(Merb::Test::RequestHelper::FakeRequest.new)
+      @controller.request.session.user = @user
+    end
+    
+    it "should show validation messages when creation is attempted with bad data" do
+      ac_count = OohAuth::AuthenticatingClient.count
+      @controller.create(@bad_authenticating_client_attrs)
+      @controller.status.should == 200
+      @controller.assigns(:authenticating_client).user_id.should == @user.id
+      ac_count.should == OohAuth::AuthenticatingClient.count
+    end
+    it "should create the registration and display the app details when good data is entered" do
+      ac_count = OohAuth::AuthenticatingClient.count
+      @controller.create(@good_authenticating_client_attrs)
+      @controller.assigns(:authenticating_client).should be_valid
+      @controller.assigns(:authenticating_client).user_id.should == @user.id
+      @controller.status.should == 201
+      @controller.headers['Location'].should == @controller.slice_url(:authenticating_client, @controller.assigns(:authenticating_client))
+      (ac_count + 1).should == OohAuth::AuthenticatingClient.count
+    end
+  end
+  
+  describe "show action" do
+    before :each do
+      @user = user_class.gen
+      @authenticating_client = OohAuth::AuthenticatingClient.gen(:user=>@user)
+      @other_authenticating_client = OohAuth::AuthenticatingClient.gen
+      @controller = OohAuth::AuthenticatingClients.new(Merb::Test::RequestHelper::FakeRequest.new)
+      @controller.request.session.user = @user
+    end
+    
+    it "should raise NotFound for users other than the app's owning user" do
+      lambda { @controller.show(@other_authenticating_client.id)}.should raise_error(Merb::Controller::NotFound)
+    end
+    it "should successfully show the app data for the app's owning user" do
+      @controller.show(@authenticating_client.id)
+      @controller.should be_successful
+    end
+  end
+
+  describe "edit/update action" do
+    before :each do
+      @user = user_class.gen
+      @authenticating_client = OohAuth::AuthenticatingClient.gen(:user=>@user)
+      @other_authenticating_client = OohAuth::AuthenticatingClient.gen
+      @controller = OohAuth::AuthenticatingClients.new(Merb::Test::RequestHelper::FakeRequest.new)
+      @controller.request.session.user = @user
+    end
+    
+    it "should raise NotFound for the wrong user on GET" do
+      lambda {@controller.edit(@other_authenticating_client.id)}.should raise_error(Merb::Controller::NotFound)
+    end
+    it "should raise NotFound for the wrong user on POST/PUT" do
+      lambda {@controller.update(@other_authenticating_client.id, {:name=>"renamed!"})}.should raise_error(Merb::Controller::NotFound)
+    end
+    it "should show a form to the app's owning user" do
+      @controller.edit(@authenticating_client.id)
+      @controller.should be_successful
+    end
+    it "cannot be used to reassign apps to other users" #do
+    # Waiting on ticket: http://wm.lighthouseapp.com/projects/4819/tickets/669-problem-with-protected-attribute-mass-assignment#ticket-669-1
+    # related to problems preventing mass-assignment.
+    #  @controller.update(@authenticating_client.id, {:user_id=>@user.id+50})
+    #  @controller.assigns(:authenticating_client).user_id.should == @user.id
+    #end
+    it "should show a form with errors when given bad input" do
+      @controller.update(@authenticating_client.id, {:name=>""})
+      @controller.should be_successful
+      @controller.assigns(:authenticating_client).should_not be_valid
+    end
+    it "should redirect to the resource on successful update" do
+      @controller.update(@authenticating_client.id, {:name=>"renamed renamed renamed"})
+      @controller.status.should == 302
+      @controller.should redirect_to(@controller.slice_url(:authenticating_client, @controller.assigns(:authenticating_client)))
+      @controller.assigns(:authenticating_client).should be_valid      
+    end
+  end
+  
+  describe "delete action" do 
+    it "should not be destroyable by any user other than the owning user"
+  end
+
+end
+

data/spec/controllers/tokens_spec.rb

@@ -0,0 +1,173 @@
+require File.join(File.dirname(__FILE__), '..', 'spec_helper.rb')
+
+describe OohAuth::Tokens do
+
+  before :each do
+    @user = user_class.gen
+    @authenticating_client =        OohAuth::AuthenticatingClient.gen
+    @other_authenticating_client =  OohAuth::AuthenticatingClient.gen
+    @receipt =                      OohAuth::Token.create_request_key(@authenticating_client, 1.hour.since)
+    @token =                        OohAuth::Token.create_request_key(@authenticating_client, 1.hour.since)
+    @token.activate!(@user)
+    @bad_receipt =                  OohAuth::Token.create_request_key(@other_authenticating_client, 1.hour.since)
+    @controller =                   dispatch_to(OohAuth::Public, :index)
+  end
+  
+  before :all do
+    Merb::Router.prepare do 
+      add_slice(:OohAuth)
+    end if standalone?
+  end
+  
+  after :all do
+    Merb::Router.reset! if standalone?
+  end
+
+  describe "index action" do
+    %w(js yaml xml html).each do |format|
+      it "#{format} requests should generate an anonymous receipt when sent GET with a consumer and no other information." do
+        @controller = get(sign_url_with(@authenticating_client, @controller.slice_url(:tokens, :format=>format)))
+        @controller.should be_successful
+        request_token = @controller.assigns(:token)
+        request_token.should be_kind_of(OohAuth::Token)
+        request_token.activated?.should be_false
+        request_token.new_record?.should be_false
+      end
+    end
+    
+    it "should return OAuth-format key responses if no format is specified" do
+      @controller = get(sign_url_with(@authenticating_client, @controller.slice_url(:tokens, :format=>"html")))
+      request_token = @controller.assigns(:token)
+      @controller.body.should == "oauth_token=#{request_token.token_key}&oauth_token_secret=#{request_token.secret}"
+    end
+    
+  
+    it "should generate nothing and return a 406 not acceptable when the request is not signed or contains an incorrect API key" do
+      lambda {get(@controller.slice_url(:tokens, :oauth_consumer_key=>@authenticating_client.api_key))}.should raise_error(Merb::Controller::NotAcceptable)
+    end
+
+    it "should generate an authorised access key when sent GET with a consumer key and unauthorized request key when the request key is activated." do
+      @controller = OohAuth::Tokens.new(
+        request_signed_by(@authenticating_client, {:oauth_token=>@token.token_key}, {}, {:request_uri=>@controller.slice_url(:tokens)})
+      )
+      @controller.index
+      @controller.should be_successful
+      auth = @controller.assigns(:token)
+      auth.should be_kind_of(OohAuth::Token)
+      auth.activated?.should be_true
+    end
+    it "should not generate an auth token if the given token does not belong to the given application" do
+      @controller = OohAuth::Tokens.new(
+        request_signed_by(@authenticating_client, {:oauth_token=>@bad_receipt.token_key}, {}, {:request_uri=>@controller.slice_url(:tokens)})
+      )
+      lambda {@controller.index}.should raise_error(Merb::Controller::NotAcceptable)
+    end
+  end
+
+  
+  describe "new action" do
+    before :all  do
+      @user =         user_class.gen
+      @desktop_app =  OohAuth::AuthenticatingClient.gen(:kind=>"desktop")
+      @request_key =  OohAuth::Token.create_request_key(@desktop_app, 1.hour.since)
+    end
+    
+    it "should require a login" do
+      lambda {@controller = get(sign_url_with(@desktop_app, @controller.slice_url(:new_token), :oauth_token=>@request_key.token_key)) }.
+      should raise_error(Merb::Controller::Unauthenticated)
+    end
+    
+    it "should display a form to the user and locate the correct receipt from the database on GET" do
+      request = fake_request(:query_string=>"oauth_token=#{@request_key.token_key}&oauth_callback=http://www.feesh.com/index.php")
+      request.session.user = @user
+      @controller = OohAuth::Tokens.new(request)
+      doc = @controller.new
+      @controller.should be_successful
+      @controller.assigns(:authenticating_client).should == @desktop_app
+      @controller.assigns(:token).activated?.should be_false
+      doc.should contain(@controller.assigns(:authenticating_client).name)
+    end
+    it "should display nothing and return a 406 when the params contain an request key which is invalid" do
+      lambda do 
+        @controller = get(sign_url_with(@authenticating_client, @controller.slice_url(:new_token), :oauth_consumer_key=>"DIDDLYSQUAT"))
+      end.should raise_error(Merb::Controller::NotAcceptable)
+    end
+    it "should raise unauthenticated when a client attempts to render the page using oauth credentials" do
+      @token.activated?.should be_true
+      @token.authenticating_client.should == @authenticating_client
+      lambda do 
+        @controller = get(sign_url_with(@authenticating_client, @controller.slice_url(:new_token), :oauth_token=>@token.token_key))
+      end.should raise_error(Merb::Controller::Unauthenticated)
+    end
+  end
+  
+  describe "create action" do
+    before :each  do
+      @user =         user_class.gen
+      @desktop_app =  OohAuth::AuthenticatingClient.gen(:kind=>"desktop")
+      @request_key =  OohAuth::Token.create_request_key(@desktop_app, 1.hour.since)
+      @access_key =   OohAuth::Token.create_request_key(@desktop_app, 1.hour.since)
+      @access_key.activate!(@user)
+      @date =         Date.today + 5.years
+    end
+    
+    it "should not activate a valid request token when any button other than 'allow' was clicked to submit the auth form" do
+      request = fake_request({}, {:post_body=>"oauth_token=#{@request_key.token_key}&commit=deny&"})
+      request.session.user = @user
+      @controller = OohAuth::Tokens.new(request)
+      response = @controller.create({})
+      auth = @controller.assigns(:token)
+      auth.user.should be_nil
+      auth.activated?.should be_false
+      response.should contain("You denied")
+    end
+    it "should activate a request token on POST when the 'allow' button was clicked to submit the auth form" do
+      request = fake_request({}, {:post_body=>"oauth_token=#{@request_key.token_key}&commit=allow&"})
+      request.session.user = @user
+      @controller = OohAuth::Tokens.new(request)
+      response = @controller.create({:expires=>@date.strftime("%Y-%m-%d"), :permissions=>"delete"})
+      auth = @controller.assigns(:token)
+      auth.user.should == @user
+      auth.authenticating_client.should == @desktop_app
+      auth.expires.should >= Date.today + 4.years + 364.days
+      auth.expires.should <= Date.today + 5.years + 1.days
+      auth.activated?.should be_true
+      response.should contain("You successfully authorized")
+    end
+    it "should redirect to the callback URL on successful activation if a callback url is given, appending oauth_token to the callback URL's parameters" do
+      request = fake_request({}, {:post_body=>"oauth_token=#{@request_key.token_key}&commit=allow&oauth_callback=#{Merb::Parse.escape("http://www.test.com/noflags")}"})
+      request.session.user = @user
+      @controller = OohAuth::Tokens.new(request)
+      response = @controller.create({})
+      @controller.assigns(:token).activated?.should be_true
+      @controller.should redirect_to("http://www.test.com/noflags?oauth_token=#{@controller.assigns(:token).token_key}")
+    end
+    it "should gracefully handle existing GET parameters on the callback url" do
+      request = fake_request({}, {:post_body=>"oauth_token=#{@request_key.token_key}&commit=allow&oauth_callback=#{Merb::Parse.escape("http://www.test.com/flags?foo=bar")}"})
+      request.session.user = @user
+      @controller = OohAuth::Tokens.new(request)
+      response = @controller.create({})
+      @controller.assigns(:token).activated?.should be_true
+      @controller.should redirect_to("http://www.test.com/flags?foo=bar&oauth_token=#{@controller.assigns(:token).token_key}")
+    end
+  
+    it "should require a user to be logged in via session" do
+      lambda do 
+        @controller = post(sign_url_with(@authenticating_client, @controller.slice_url(:new_token), :oauth_token=>@access_key.token_key))
+      end.should raise_error(Merb::Controller::Unauthenticated)
+    end
+  end
+  #
+  #describe "edit/update action" do
+  #  it "should only be accessible by the token's owning user"
+  #  it "should return 404 not found for other users"
+  #  it "should only allow the expiry and permission level to be altered"
+  #end
+  #
+  #describe "delete/destroy action" do
+  #  it "should only be accessible by the token's owning user"
+  #  it "should return a 404 not found for other users"
+  #  it "should remove all authentications for this user/application if multiple records are present"
+  #end
+  
+end

data/spec/merb-auth-slice-fullfat_spec.rb

@@ -0,0 +1,41 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe "OohAuth" do
+
+  describe "::KeyGenerators" do
+    
+    before(:each) { @module = OohAuth::KeyGenerators }
+    
+    it "should generate a different memorable password every time" do
+      past_items = []
+      100.times do |i|
+        key = @module::Password.gen
+        key.should =~ /^\d+[a-z]+[A-Z][a-z]+$/
+        past_items.should_not include(key)
+        past_items << key
+      end
+    end
+    it "should be able to generate long-form passphrases" do
+      past_items = []
+      100.times do |i|
+        key = @module::Passphrase.gen(5)
+        key.should =~ /^([a-z]+\s){4}([a-z]+)$/
+        key.split(" ").length.should == 5
+        past_items.should_not include(key)
+        past_items << key
+      end
+    end
+    it "should be able to generate alphanumeric nonmemorable keys" do
+      past_items = []
+      100.times do |i|
+        key = @module::Alphanum.gen(50)
+        key.should =~ /^[a-zA-Z0-9]{50}$/
+        key.length.should == 50
+        past_items.should_not include(key)
+        past_items << key
+      end
+    end
+    
+  end
+
+end

data/spec/models/authenticating_client_spec.rb

@@ -0,0 +1,44 @@
+require File.join( File.dirname(__FILE__), '..', "spec_helper" )
+
+describe OohAuth::AuthenticatingClient do
+
+  before(:each) do
+    OohAuth::AuthenticatingClient.all.destroy!
+    @user = user_class.gen
+    @authenticating_clients = 10.of {OohAuth::AuthenticatingClient.gen}
+  end
+
+  it "should generate a unique API key and a non-unique secret upon saving" do
+    keys = []
+    10.times do |i|
+      @authenticating_client = OohAuth::AuthenticatingClient.gen
+      @authenticating_client.api_key = nil
+      @authenticating_client.secret = nil
+      @authenticating_client.save
+      @authenticating_client.api_key.should be_kind_of(String)
+      @authenticating_client.api_key.length.should >= 10
+      keys << @authenticating_client.api_key
+      keys.uniq.length.should == keys.length
+      @authenticating_client.secret.length.should == 40
+    end
+  end
+  
+  it "should not change API keys when they are set" do
+    @authenticating_client = OohAuth::AuthenticatingClient.gen
+    @authenticating_client.new_record?.should be_false
+    @authenticating_client.name = "changed"
+    ak = @authenticating_client.api_key
+    ss = @authenticating_client.secret
+    @authenticating_client.save.should be_true
+    @authenticating_client.api_key.should == ak
+    @authenticating_client.secret.should == ss
+  end
+  
+  it "should not allow internal URLs to be given as callback URLs"
+
+  it "should return an empty array when find_for_user is called with nil" do
+    arr = OohAuth::AuthenticatingClient.find_for_user(nil)
+    arr.length.should == 0
+  end
+
+end

data/spec/models/oauth_strategy_spec.rb

@@ -0,0 +1,48 @@
+require File.join( File.dirname(__FILE__), '..', "spec_helper" )
+
+describe Merb::Authentication::Strategies::OAuth do
+  
+  before :all do
+    # Create a client and a user, and authorise the client against the user by creating a token
+    @authenticating_client = OohAuth::AuthenticatingClient.gen
+    @user = user_class.gen
+    @access = OohAuth::Token.create_request_key(@authenticating_client, 1.hour.since)
+    @access.activate!(@user).should be_true
+    @request = OohAuth::Token.create_request_key(@authenticating_client, 1.hour.since)
+    @request.activated?.should be_false
+    
+    Merb::Router.prepare do 
+      add_slice(:OohAuth)
+      match("/secrets").to(:controller=>"ooh_auth/secrets", :action=>"index").name(:secrets)
+    end if standalone?
+  end
+  
+  after :all do
+    Merb::Router.reset! if standalone?
+  end
+  
+  it "should not authenticate with an unsigned request even if the given token is correct" do
+    request = fake_request(:request_uri=>"/secrets", :query_string=>"oauth_token=#{@access.token_key}&oauth_consumer_key=#{@authenticating_client.api_key}")
+    request.authentication_token.activated?.should be_true
+    request.consumer_key.should == @authenticating_client.api_key
+    request.token.should == @access.token_key
+    strat = Merb::Authentication::Strategies::OAuth.new(request, {})
+    strat.run!.should be_nil
+  end
+  it "should authenticate a signed request with a valid token" do
+    request = request_signed_by(@authenticating_client, {:oauth_token=>@access.token_key, :other_param=>"CHEEESE"})
+    request.authentication_token.activated?.should be_true
+    request.consumer_key.should == @authenticating_client.api_key
+    request.token.should == @access.token_key
+    strat = Merb::Authentication::Strategies::OAuth.new(request, {})
+    strat.run!.should == @user
+  end
+  it "should not authenticate a signed request with an expired token"
+  it "should not authenticate a signed request with a receipt but no token" do
+    request = request_signed_by(@authenticating_client, {:oauth_token=>@request.token_key})
+    request.authentication_token.activated?.should be_false
+    strat = Merb::Authentication::Strategies::OAuth.new(request, {})
+    strat.run!.should be_nil
+  end
+  
+end

data/spec/models/request_verification_mixin_spec.rb

@@ -0,0 +1,121 @@
+require File.join( File.dirname(__FILE__), '..', "spec_helper" )
+
+require 'hmac-sha1'
+require 'hmac-md5'
+
+describe OohAuth::Request::VerificationMixin do
+  
+  before :all do
+    Merb::Router.prepare do 
+      add_slice(:OohAuth)
+      match("/secrets").to(:controller=>"ooh_auth/secrets", :action=>"index").name(:secrets)
+    end if standalone?
+  end
+  
+  after :all do
+    Merb::Router.reset! if standalone?
+  end
+  
+  it "should be included in the Merb::Request and FakeRequest classes on slice initialisation" do
+    Merb::Request.include?(OohAuth::Request::VerificationMixin).should be_true
+    Merb::Test::RequestHelper::FakeRequest.include?(OohAuth::Request::VerificationMixin).should be_true
+  end
+    
+  describe "Signature verification" do
+    before :each do 
+      @authenticating_client = OohAuth::AuthenticatingClient.gen
+    end
+    
+    it "should verify that a correctly-signed GET request is signed using GET parameters" do
+      req = request_signed_by(@authenticating_client, { :a=>"1", :b=>"3", :c=>"2"})
+      req.method.should == :get
+      req.authenticating_client.should == @authenticating_client
+      req.signed?.should be_true
+    end
+  
+    it "should include POST parameters when signing POST requests" do
+      req = request_signed_by(@authenticating_client, {}, {:post_me => "a_var" }, {:request_method=>"POST"})
+      req.method.should == :post
+      req.authenticating_client.should == @authenticating_client
+      req.signature_base_string.should match(/a_var/)
+      req.signed?.should be_true    
+    end
+    it "should fail to verify that a request is signed if the signature is in any way wrong" do
+      get_params = {
+        :a=>"1", 
+        :oauth_consumer_key=>@authenticating_client.api_key,
+        :oauth_signature=>"I R HACKIN YOO LOL"
+      }
+      param_string = get_params.collect{|k,v| "#{k}=#{v}"}.join("&")
+      req = fake_request(:query_string => param_string, :http_host => "test.fullfat.com", :request_uri=>"/secrets/")
+      req.authenticating_client.should == @authenticating_client
+      req.signed?.should be_false
+    end
+    it "should properly construct the baseline signature string" do
+      req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", foo=\"bar\", bar=\"baz\", overridden=\"no\"", :query_string=>"get=yes&overridden=yes")
+      req.signature_base_string.should == "GET&http://test.fullfat.com/secrets&bar=baz&foo=bar&get=yes&overridden=no"
+    end
+  end
+  
+  describe "OAuth headers" do
+    before :each do 
+      @authenticating_client = OohAuth::AuthenticatingClient.gen
+    end
+    
+    it "should successfully parse OAuth HTTP headers" do
+      # Make a real nasty header example with carriage returns and other gremlins
+      oauth_headers = "OAuth realm=\"FOO\", foo=\"bar\",
+                       bar=\"baz\""
+      req = fake_request("Authorization"=>oauth_headers)
+      req.env["AUTHORIZATION"].should == oauth_headers
+      req.oauth_headers.should == {:realm=>"FOO", :foo=>"bar", :bar=>"baz"}
+    end
+    it "should remove the OAuth realm from the signature headers" do
+      # Make a real nasty header example with carriage returns and other gremlins
+      req = fake_request(:request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", foo=\"bar\", bar=\"baz\"")
+      req.signature_oauth_headers.should == {:foo=>"bar", :bar=>"baz"}
+      req.oauth_headers.should == {:realm=>"FOO", :foo=>"bar", :bar=>"baz"}    
+    end
+    it "should merge POST/GET params into auth header params, giving auth header params priority" do
+      req = fake_request(:request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", foo=\"bar\", bar=\"baz\", overridden=\"no\"", :query_string=>"get=yes&overridden=yes")
+      req.normalise_signature_params.should == "bar=baz&foo=bar&get=yes&overridden=no"
+    end
+    it "should recognise OAuth requests" do
+      req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_consumer_key=\"DSFARGEG\"", :query_string=>"get=yes&overridden=yes")
+      req.oauth_request?.should be_true
+      req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\"", :query_string=>"get=yes&overridden=yes")
+      req.oauth_request?.should be_false
+    end
+  end
+  
+  describe "signature encryption" do
+    before :each do
+      @authenticating_client = OohAuth::AuthenticatingClient.gen
+      @req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_consumer_key=\"#{@authenticating_client.api_key}\", foo=\"bar\", bar=\"baz\", overridden=\"no\"", :query_string=>"get=yes&overridden=yes")
+      @req.authenticating_client.should == @authenticating_client
+      @token = OohAuth::Token.create_request_key(@authenticating_client)
+      @req.signed?.should be_false
+    end
+  
+    it "should properly compare the encrypted HMAC-SHA1 signature strings when a valid consumer key is given" do
+      req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_signature=\"#{@req.build_signature}\", oauth_consumer_key=\"#{@authenticating_client.api_key}\", foo=\"bar\", bar=\"baz\", overridden=\"no\"", :query_string=>"get=yes&overridden=yes")
+      req.signed?.should be_true
+    end  
+    it "should properly compare the encrypted HMAC-MD5 signature strings when a valid consumer key is given" do
+      @req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_signature_method=\"HMAC-MD5\", oauth_consumer_key=\"#{@authenticating_client.api_key}\"")
+      req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_signature_method=\"HMAC-MD5\", oauth_signature=\"#{@req.build_signature}\", oauth_consumer_key=\"#{@authenticating_client.api_key}\"")
+      req.signature_method.should == "HMAC-MD5"
+      req.signed?.should be_true
+    end
+    it "should omit the token secret from the signature key if no token was given" do
+      @req.signature_secret.should == "#{@authenticating_client.secret}&"
+    end
+    it "should include the token secret in the signature key when a token is present" do
+      @req = fake_request(:http_host=>"test.fullfat.com", :request_uri=>"/secrets", "Authorization"=>"OAuth realm=\"FOO\", oauth_signature_method=\"HMAC-MD5\", oauth_token=\"#{@token.token_key}\", oauth_signature=\"#{@req.build_signature}\", oauth_consumer_key=\"#{@authenticating_client.api_key}\"")
+      @req.signature_secret.should == "#{@authenticating_client.secret}&#{@token.secret}"
+    end
+  end
+
+  
+  
+end