danski-ooh-auth 0.1.20 → 0.3
- data/README +0 -0
- data/Rakefile +2 -2
- data/TODO +0 -0
- data/app/controllers/tokens.rb +30 -19
- data/app/models/authenticating_client/dm_authenticating_client.rb +6 -1
- data/app/models/token/dm_token.rb +5 -0
- data/app/views/authenticating_clients/_help.html.haml +1 -0
- data/app/views/authenticating_clients/edit.html.haml +18 -0
- data/app/views/authenticating_clients/index.html.erb +1 -1
- data/app/views/authenticating_clients/index.html.haml +16 -0
- data/app/views/authenticating_clients/new.html.haml +45 -0
- data/app/views/authenticating_clients/show.html.haml +38 -0
- data/app/views/layout/ooh_auth.html.haml +17 -0
- data/app/views/tokens/create.html.haml +33 -0
- data/app/views/tokens/edit.html.haml +6 -0
- data/app/views/tokens/index.html.erb +9 -0
- data/app/views/tokens/new.html.haml +47 -0
- data/app/views/tokens/show.html.haml +1 -0
- data/lib/ooh-auth.rb +2 -2
- data/spec/controllers/authenticating_clients_spec.rb +29 -7
- data/spec/controllers/tokens_spec.rb +33 -5
- data/spec/models/authenticating_client_spec.rb +0 -2
- metadata +20 -16
- data/readme.markdown +0 -43
data/README
ADDED
File without changes
|
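--- a/data/Rakefile
+++ b/data/Rakefile
@@ -16,8 +16,8 @@ GEM_NAME = "ooh-auth"
 AUTHOR = "Dan Glegg"
 EMAIL = "dan@angryamoeba.co.uk"
 HOMEPAGE = "http://github.com/danski/ooh-auth"
-SUMMARY = "Merb Slice that
-GEM_VERSION = "0.
+SUMMARY = "Merb Slice that adds a full OAuth provider strategy to your application."
+GEM_VERSION = "0.3"
 
 spec = Gem::Specification.new do |s|
 s.rubyforge_project = 'merb'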
data/TODO
ADDED
File without changes
|
data/app/controllers/tokens.rb
CHANGED
@@ -18,23 +18,34 @@ class OohAuth::Tokens < OohAuth::Application
|
|
18
18
|
# Define other formats
|
19
19
|
provides :js, :xml, :yaml
|
20
20
|
|
21
|
-
#
|
22
|
-
before :
|
21
|
+
# Ensure the user is signed in
|
22
|
+
before :ensure_authenticated, :exclude=>[:index]
|
23
23
|
# All other actions require that the user be authenticated directly, rather than through the api.
|
24
24
|
before :forbid_authentication_with_oauth, :exclude=>[:index]
|
25
25
|
|
26
26
|
# Main action used for starting the authorisation process (desktop clients) and finishing it (web clients)
|
27
27
|
def index
|
28
|
-
|
29
|
-
|
30
|
-
#
|
31
|
-
|
28
|
+
if session.authenticated?
|
29
|
+
only_provides :html
|
30
|
+
# Authenticated requests should show the list
|
31
|
+
@tokens = OohAuth::Token.find_for_user(session.user)
|
32
|
+
render :index
|
33
|
+
elsif request.signed?
|
34
|
+
# Unauthenticated but signed requests should provision tokens
|
35
|
+
raise NotAcceptable unless @authenticating_client = request.authenticating_client
|
36
|
+
if @token = request.authentication_token
|
37
|
+
# If client and request key, give the activated token if it was activated.
|
38
|
+
raise NotAcceptable unless @token.authenticating_client == @authenticating_client
|
39
|
+
else
|
40
|
+
# Generate a request key
|
41
|
+
@token = OohAuth::Token.create_request_key(@authenticating_client)
|
42
|
+
end
|
43
|
+
# # Okay, no error raised. Gogo render.
|
44
|
+
display @token, :show, :layout=>false
|
32
45
|
else
|
33
|
-
#
|
34
|
-
|
46
|
+
# All other requests we DO NOT WANT
|
47
|
+
raise NotAcceptable
|
35
48
|
end
|
36
|
-
# # Okay, no error raised. Gogo render.
|
37
|
-
display @token, :show, :layout=>false
|
38
49
|
end
|
39
50
|
|
40
51
|
def new
|
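Review bot: In the `elsif request.signed?` branch of `index`, the existing-token path (`if @token = request.authentication_token`) only checks that the token belongs to the signing client before `display @token, :show, :layout=>false` emits the token key and secret; nothing in the hunk verifies the token is still live, although the Token model carries `expires` and `activated` columns. Unless `request.authentication_token` already filters on those, tighten the guard to `raise NotAcceptable unless @token.authenticating_client == @authenticating_client && @token.expires > DateTime.now`. The assignment inside `raise NotAcceptable unless @authenticating_client = request.authenticating_client` reads like a typo for `==`; splitting it into `@authenticating_client = request.authenticating_client` followed by `raise NotAcceptable unless @authenticating_client` makes the intent explicit. `NotAcceptable` (406) is a content-negotiation status, so using it for unsigned or mis-signed requests may confuse API clients expecting a 401-class answer — if that is deliberate for the slice, a comment saying so would help.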
@@ -81,14 +92,14 @@ class OohAuth::Tokens < OohAuth::Application
|
|
81
92
|
# end
|
82
93
|
#end
|
83
94
|
#
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
95
|
+
def destroy(id)
|
96
|
+
@token = OohAuth::Token.get(id)
|
97
|
+
raise NotFound unless @token and @token.user_id == session.user.id
|
98
|
+
if @token.destroy
|
99
|
+
redirect slice_url(:tokens)
|
100
|
+
else
|
101
|
+
raise InternalServerError
|
102
|
+
end
|
103
|
+
end
|
93
104
|
|
94
105
|
end # OohAuth::Tokens
|
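Review bot: The ownership guard in `destroy`, `raise NotFound unless @token and @token.user_id == session.user.id`, uses the keyword `and`; it parses as intended under the `unless` modifier, but `&&` is the conventional operator and avoids a precedence surprise if the expression is ever moved into an assignment. A scoped lookup, `@token = OohAuth::Token.first(:id=>id, :user_id=>session.user.id)` followed by `raise NotFound unless @token`, would make ownership part of the query instead of a post-check while keeping the current (good) property that missing and foreign tokens get the same not-found answer. `raise InternalServerError` when `@token.destroy` returns false discards whatever reason the model had; logging it before raising would help whoever has to debug it.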
@@ -10,7 +10,7 @@ class OohAuth::AuthenticatingClient
|
|
10
10
|
# Key it
|
11
11
|
property :id, Serial
|
12
12
|
# The registration will belong to a user, who will be able to edit the client properties.
|
13
|
-
property :user_id, Integer, :writer => :
|
13
|
+
property :user_id, Integer, :writer => :private
|
14
14
|
# Timestamp it
|
15
15
|
property :created_at, DateTime
|
16
16
|
|
@@ -64,6 +64,11 @@ class OohAuth::AuthenticatingClient
|
|
64
64
|
self.user_id = user.id
|
65
65
|
end
|
66
66
|
|
67
|
+
# LOCK user id after save
|
68
|
+
def user_id=(arg)
|
69
|
+
(new_record?)? attribute_set(:user_id, arg) : arg
|
70
|
+
end
|
71
|
+
|
67
72
|
def editable_by?(user)
|
68
73
|
user.id == self.user_id
|
69
74
|
end
|
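Review bot: `def user_id=(arg)` on line 68 is defined with no `private` marker visible in the hunk, so it appears to replace, as a public method, the private writer that `:writer => :private` on line 13 of the previous hunk just introduced; if a `private` section does not precede it outside the hunk, add `private :user_id=` after the `end`. The `new_record?` guard is the real defense here, since mass-assignment helpers that use `send` bypass visibility anyway, but it still accepts `user_id` from params while the record is new, so the `self.user_id = user.id` on line 64 must run after any attribute assignment for that to be safe — worth confirming. Stylistically, `(new_record?)? attribute_set(:user_id, arg) : arg` reads better as `attribute_set(:user_id, arg) if new_record?`, and the `# LOCK user id after save` comment could state the why: `# Owner is fixed once persisted; later writes are ignored so mass-assignment cannot transfer the client.`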
@@ -59,6 +59,11 @@ class OohAuth::Token
|
|
59
59
|
o
|
60
60
|
end
|
61
61
|
|
62
|
+
# Get all tokens for a single user
|
63
|
+
def self.find_for_user(user)
|
64
|
+
all :user_id=>user.id
|
65
|
+
end
|
66
|
+
|
62
67
|
# Fetch a request_key given the request_key code
|
63
68
|
def self.get_request_key_for_client(client, request_key)
|
64
69
|
first :token_key=>request_key, :authenticating_client_id=>client.id, :expires.gt=>DateTime.now, :activated=>false
|
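Review bot: `self.find_for_user(user)` calls `user.id` unconditionally, so a nil user raises `NoMethodError`; the sibling `OohAuth::AuthenticatingClient.find_for_user(nil)` is specified to return an empty array (see the authenticating_client_spec hunk below), and the two should agree. Guard it before the query with `return [] if user.nil?` (or whatever empty collection the model's other finders return). A user whose `id` is nil would otherwise query `:user_id=>nil`, which — if not-yet-activated request keys carry a NULL `user_id` — would list tokens that belong to no user; I cannot confirm the NULL case from this hunk, but the guard closes it either way.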
@@ -0,0 +1 @@
|
|
1
|
+
%h2 Developer Documentation partial
|
@@ -0,0 +1,18 @@
|
|
1
|
+
%h1 Edit your Application
|
2
|
+
|
3
|
+
=form_for @authenticating_client, :action=>slice_url(:authenticating_client, @authenticating_client), :method=>"put", :class=>"authenticating_client" do
|
4
|
+
|
5
|
+
=error_messages_for @authenticating_client
|
6
|
+
|
7
|
+
%fieldset
|
8
|
+
%legend Application information
|
9
|
+
%dl
|
10
|
+
%dt
|
11
|
+
%label{:for => "ooh_auth_authenticating_clients_name"} Application name
|
12
|
+
%dd= text_field :name, :name=>"authenticating_client[name]", :value=>h(@authenticating_client.name)
|
13
|
+
%dt
|
14
|
+
%label{:for => "ooh_auth_authenticating_clients_name"} Web URL
|
15
|
+
%dd= text_field :web_url, :name=>"authenticating_client[web_url]", :value=>h(@authenticating_client.web_url)
|
16
|
+
%fieldset.buttons
|
17
|
+
%input{:type => "hidden", :name => "_method", :value => "put"}
|
18
|
+
= submit "Submit changes"
|
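Review bot: Both `%label` tags in this view use `:for => "ooh_auth_authenticating_clients_name"`, so the Web URL label points at the name field; the second should be `%label{:for => "ooh_auth_authenticating_clients_web_url"} Web URL` with a matching `:id` on its `text_field`. The same copy-paste appears on lines 20 and 24 of new.html.haml. The hidden `_method` input on line 17 duplicates `:method=>"put"` on `form_for`; if the helper already emits the override field, the override will be sent twice.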
@@ -0,0 +1,16 @@
|
|
1
|
+
%h1 Developer API
|
2
|
+
|
3
|
+
-if session.user
|
4
|
+
%h2 Your Applications
|
5
|
+
|
6
|
+
%ul.authenticating_clients
|
7
|
+
%li.new= link_to "Register a new Application", slice_url(:new_authenticating_client), :class=>"new"
|
8
|
+
-@authenticating_clients.each do |ac|
|
9
|
+
%li
|
10
|
+
=link_to h(ac.name), slice_url(:authenticating_client, ac), :class=>"show"
|
11
|
+
=link_to "Edit", slice_url(:edit_authenticating_client, ac), :class=>"edit"
|
12
|
+
=link_to "Unregister", slice_url(:delete_authenticating_client, ac), :class=>"delete"
|
13
|
+
-else
|
14
|
+
%p In order to use the Developer API, you'll need to register for an API key. Please log in to begin the process.
|
15
|
+
|
16
|
+
= partial "help"
|
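Review bot: The "Unregister" entry is a plain `link_to` to `slice_url(:delete_authenticating_client, ac)`; if that route performs the removal on GET rather than rendering a confirmation page, anything that makes the user's browser fetch the URL (an `<img>` tag, a prefetching proxy) can unregister an application without any CSRF protection. If it is a confirmation page that then posts to `destroy`, the link is fine and a comment saying so, `/ GET shows a confirmation; the actual destroy is a separate request`, would stop the next reader asking. `=link_to h(ac.name), …` escapes the developer-supplied name correctly; keep that pattern wherever `ac.name` is printed.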
@@ -0,0 +1,45 @@
|
|
1
|
+
%h1 Register for a new API Key
|
2
|
+
|
3
|
+
%p
|
4
|
+
%strong Important!
|
5
|
+
Upon successfully adding your application, you will be shown two pieces of information.
|
6
|
+
You'll be given your
|
7
|
+
%strong API Key
|
8
|
+
, which will allow you to interact with the API, and you'll be given a
|
9
|
+
%strong shared secret
|
10
|
+
which will allow you to verify your requests to the API.
|
11
|
+
%strong Note both of these down.
|
12
|
+
|
13
|
+
|
14
|
+
= form_for @authenticating_client, :action=>resource(:ooh_auth, :authenticating_clients), :class=>"authenticating_client" do
|
15
|
+
= error_messages_for @authenticating_client
|
16
|
+
%fieldset
|
17
|
+
%legend Some information about your application
|
18
|
+
%dl
|
19
|
+
%dt
|
20
|
+
%label{:for=>"ooh_auth_authenticating_clients_name"} Application name
|
21
|
+
%dd= text_field :name, :name => "authenticating_client[name]", :value=>h(@authenticating_client.name)
|
22
|
+
|
23
|
+
%dt
|
24
|
+
%label{:for=>"ooh_auth_authenticating_clients_name"} Web URL
|
25
|
+
%dd= text_field :web_url, :name=>"authenticating_client[web_url]", :value=>h(@authenticating_client.web_url)
|
26
|
+
|
27
|
+
%fieldset
|
28
|
+
%legend Application type
|
29
|
+
|
30
|
+
%dl.checkboxes
|
31
|
+
%dt
|
32
|
+
%label{:for => "ooh_auth_authenticating_clients_kind_web"} This is a web-based application
|
33
|
+
%dd= radio_button :kind, :value=>"web", :name=>"authenticating_client[kind]", :id=>"ooh_auth_authenticating_clients_kind_web", :checked=>@authenticating_client.is_webapp?
|
34
|
+
|
35
|
+
%dt
|
36
|
+
%label{:for=>"ooh_auth_authenticating_clients_kind_desktop"} This is a desktop or mobile application
|
37
|
+
%dd= radio_button :kind, :value=>"desktop", :name=>"authenticating_client[kind]", :id=>"ooh_auth_authenticating_clients_kind_desktop", :checked=>!@authenticating_client.is_webapp?
|
38
|
+
|
39
|
+
%fieldset.buttons
|
40
|
+
%p
|
41
|
+
When you submit this form, we will generate both two pieces of information for you - an <strong>API Key</strong> and a
|
42
|
+
%strong Shared Secret
|
43
|
+
They will be shown on the next page. Be sure to record them.
|
44
|
+
|
45
|
+
= submit "Get my API Key"
|
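Review bot: Line 41 embeds raw HTML, `<strong>API Key</strong>`, in a HAML text line while the neighbouring line 42 uses `%strong`; the two styles should not be mixed in one paragraph. Rewrite it as a separate `%strong API Key` element and fix the wording `generate both two pieces` to `generate two pieces`. The label `:for` duplication noted on edit.html.haml applies to lines 20 and 24 here as well.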
@@ -0,0 +1,38 @@
|
|
1
|
+
-ac = @authenticating_client
|
2
|
+
|
3
|
+
%h1=h ac.name
|
4
|
+
|
5
|
+
#facts
|
6
|
+
%h2 About your application:
|
7
|
+
|
8
|
+
%ul
|
9
|
+
%li
|
10
|
+
This application was registered on
|
11
|
+
= ac.created_at.strftime("%d/%b/%Y")
|
12
|
+
|
13
|
+
|
14
|
+
#api_secrets
|
15
|
+
%h2
|
16
|
+
Your API key details for
|
17
|
+
%em= ac.name
|
18
|
+
%p
|
19
|
+
Your
|
20
|
+
%strong Consumer Key
|
21
|
+
will for the most part be public, although it is useless without the
|
22
|
+
%strong Consumer Secret
|
23
|
+
that goes with it.
|
24
|
+
You should under no circumstances make your Consumer Secret known by another party, as it can be used to sign the authorization requests that your application will send.
|
25
|
+
|
26
|
+
%dl
|
27
|
+
%dt Your OAuth Consumer Key
|
28
|
+
%dd
|
29
|
+
%a{:href=>"#api_key", :onclick => "this.style.display = 'none'; document.getElementById('api_key').style.display = 'block'; return false;"} Show my API Key
|
30
|
+
%span#api_key.secret.shared{:style => "display: none;"}= ac.api_key
|
31
|
+
|
32
|
+
%dt Your OAuth Consumer Secret
|
33
|
+
%dd
|
34
|
+
%a.shared_secret_toggle{:href => "#shared_secret", :onclick="this.style.display = 'none'; document.getElementById('shared_secret').style.display = 'block'; return false;"}
|
35
|
+
Nobody but myself can see. I have closed my doors, shuttered my windows and, just for today, shunned my loved ones. It is safe to show my Consumer Secret.
|
36
|
+
%span#shared_secret.secret.shared{:style => "display: none;"}= ac.secret
|
37
|
+
|
38
|
+
=partial "help"
|
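Review bot: Line 34 has `:onclick="this.style.display …"` inside the attribute hash; Ruby needs `=>` there (`:onclick => "…"`, as line 29 does), so this template most likely fails to compile. `%em= ac.name` on line 17 prints the developer-supplied name unescaped while line 3 wraps it in `h`; use `%em=h ac.name`. Note that `display: none;` on the `#api_key` and `#shared_secret` spans is purely cosmetic — both the consumer key and the consumer secret are in the page source on every visit, so browser caches, proxies and anyone looking over a shoulder get them; new.html.haml tells the developer the values "will be shown on the next page", and showing the secret once at registration and never again here would match that promise. The inline `onclick` handlers also rule out a Content-Security-Policy without `unsafe-inline`; moving them to master.js would help.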
@@ -0,0 +1,17 @@
|
|
1
|
+
!!!
|
2
|
+
%html{ :xmlns => 'http://www.w3.org/1999/xhtml', :'xml:lang' => "en-us", :lang => 'en-us' }
|
3
|
+
%head
|
4
|
+
%meta{ :'http-equiv' => "content-type", :content => "text/html; charset=utf-8" }
|
5
|
+
%title OohAuth Slice
|
6
|
+
|
7
|
+
/ you can override this layout at slices/ooh-auth/app/views/layout/ooh-auth.html.erb
|
8
|
+
%body.ooh-auth
|
9
|
+
#root
|
10
|
+
%h1 OohAuth Slice
|
11
|
+
|
12
|
+
-unless message.blank?
|
13
|
+
%div{:id=>"_message"}
|
14
|
+
=message
|
15
|
+
|
16
|
+
#main
|
17
|
+
=catch_content :for_layout
|
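Review bot: The comment on line 7, `/ you can override this layout at slices/ooh-auth/app/views/layout/ooh-auth.html.erb`, points at an ERB file with a hyphenated name while this file is `app/views/layout/ooh_auth.html.haml`; update it to `/ you can override this layout at slices/ooh-auth/app/views/layout/ooh_auth.html.haml`. `=message` on line 14 is emitted without `h`; if the flash message can ever carry user-supplied text (for example a rejected application name echoed back), escape it or confirm that the slice's HAML output is escaped by default.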
@@ -0,0 +1,33 @@
|
|
1
|
+
-ac = @authenticating_client
|
2
|
+
|
3
|
+
|
4
|
+
-if @activated
|
5
|
+
%h1.win
|
6
|
+
You successfully authorized
|
7
|
+
=ac.name
|
8
|
+
|
9
|
+
%div{:id=>"win facts"}
|
10
|
+
%h2 To access your account:
|
11
|
+
|
12
|
+
%ul
|
13
|
+
%li
|
14
|
+
Until
|
15
|
+
=@token.expires.strftime("%d/%b/%Y")
|
16
|
+
%li
|
17
|
+
With permission to
|
18
|
+
= OohAuth[:client_permission_levels][@token.permissions.to_sym][:able_to]
|
19
|
+
.
|
20
|
+
%p
|
21
|
+
%strong You may now close this window or navigate away from this page.
|
22
|
+
|
23
|
+
-else
|
24
|
+
|
25
|
+
%h1.fail
|
26
|
+
You denied
|
27
|
+
=ac.name
|
28
|
+
access to your content
|
29
|
+
|
30
|
+
%div{:id=>"fail facts"}
|
31
|
+
%h2 This application will not be able to access your account.
|
32
|
+
%p
|
33
|
+
%strong You may now close this window or navigate away from this page.
|
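Review bot: `%div{:id=>"win facts"}` on line 9 and `%div{:id=>"fail facts"}` on line 30 give the element an `id` containing a space, which is not a valid id and will not match a `#win` or `#facts` selector; these look like they were meant as classes, `%div.win.facts` / `%div.fail.facts`. `=ac.name` on lines 7 and 27 prints the developer-registered name unescaped; use `=h ac.name` as the other views do. `OohAuth[:client_permission_levels][@token.permissions.to_sym]` on line 18 assumes `permissions` is always one of the configured keys — if it is stored from the `token[permissions]` form field, confirm the model validates it, otherwise this line raises on an unknown value instead of rendering.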
@@ -0,0 +1,6 @@
|
|
1
|
+
%h1 Authentications controller, edit action
|
2
|
+
|
3
|
+
%p Edit this file in
|
4
|
+
%tt app/views/authentications/edit.html.erb
|
5
|
+
%p For more information and examples of CRUD views read
|
6
|
+
%a{:href=>"http://wiki.merbivore.com/howto/crud_view_example_with_merb_using_erb"} this wiki page
|
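Review bot: This is Merb's scaffold placeholder and refers to `app/views/authentications/edit.html.erb`, a path that does not exist in this slice (the file being added is `app/views/tokens/edit.html.haml`). Either fill in the edit form or correct the placeholder to `%tt app/views/tokens/edit.html.haml` so it does not send a reader to the wrong file.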
@@ -0,0 +1,47 @@
|
|
1
|
+
%h1= "#{@authenticating_client.name} wants access to your account!"
|
2
|
+
|
3
|
+
%p.abstract
|
4
|
+
The application
|
5
|
+
= link_to h(@authenticating_client.name), @authenticating_client.web_url
|
6
|
+
wants access to your content.
|
7
|
+
|
8
|
+
%h2 Grant this application access to your account
|
9
|
+
=form_for @authenticating_client, :action=>slice_url(:tokens), :class=>"authentication" do
|
10
|
+
%fieldset
|
11
|
+
%p.confirmation
|
12
|
+
=h @authenticating_client.name
|
13
|
+
will be granted access to your data.
|
14
|
+
The application will
|
15
|
+
%strong not
|
16
|
+
have the ability to grant access to other applications.
|
17
|
+
You will be able to revoke this access at a later date if you so choose.
|
18
|
+
|
19
|
+
|
20
|
+
%input{:type=>"hidden", :name => "oauth_token", :value =>"#{@token.token_key}"}
|
21
|
+
-if request.callback
|
22
|
+
%input{:type => "hidden", :name => "oauth_callback", :value=>"#{@request.callback}"}
|
23
|
+
|
24
|
+
%fieldset
|
25
|
+
%legend Options
|
26
|
+
%dl
|
27
|
+
%dt
|
28
|
+
%label{:for=>"token_expires"} Allow access until
|
29
|
+
%dd
|
30
|
+
%select.token_expires{:name=>"token[expires]"}
|
31
|
+
%option{:value => "2999-12-31"} Further notice
|
32
|
+
/ or when Philip J. Fry wakes up
|
33
|
+
%option{:value => (Date.today + 1.year).strftime("%Y-%m-%d")} 1 year from now
|
34
|
+
%option{:value => (Date.today + 1.month).strftime("%Y-%m-%d")} 1 month from now
|
35
|
+
%option{:value => (Date.today + 1.week).strftime("%Y-%m-%d")} 1 week from now
|
36
|
+
%option{:value => (Date.today + 1.day).strftime("%Y-%m-%d")} 1 day from now
|
37
|
+
|
38
|
+
%dt
|
39
|
+
%label{:for=>"token_permissions"} Allow this application to
|
40
|
+
%dd
|
41
|
+
%select.token_permissions{:name=>"token[permissions]"}
|
42
|
+
-OohAuth[:client_permission_levels].each do |name, opts|
|
43
|
+
%option{:value => "#{name}"}= opts[:able_to]
|
44
|
+
|
45
|
+
%fieldset.buttons
|
46
|
+
=submit "Grant access", :name=>"commit", :value=>"allow"
|
47
|
+
=submit "Deny access", :name=>"commit", :value=>"deny"
|
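Review bot: Line 22 reads `@request.callback` while line 21 tests `request.callback`; unless an instance variable `@request` is set elsewhere, the hidden `oauth_callback` field gets an empty value, and the fix is to use the same receiver: `%input{:type => "hidden", :name => "oauth_callback", :value=>request.callback}`. The heading on line 1, `%h1= "#{@authenticating_client.name} wants access …"`, prints the developer-supplied application name without `h` while lines 5 and 12 escape it; use `%h1= "#{h @authenticating_client.name} wants access to your account!"`. Line 5 links the name to `@authenticating_client.web_url` and the callback is echoed back unvalidated; both values come from the third-party client, so they need a scheme/host check somewhere, and since the pending example for internal callback URLs was removed from authenticating_client_spec in this same change I cannot see where that validation lives. The `%label{:for=>"token_expires"}` and `%label{:for=>"token_permissions"}` tags match no `id` on the selects; add `:id=>"token_expires"` / `:id=>"token_permissions"`.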
@@ -0,0 +1 @@
|
|
1
|
+
="oauth_token=#{@token.token_key}&oauth_token_secret=#{@token.secret}"
|
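Review bot: `="oauth_token=#{@token.token_key}&oauth_token_secret=#{@token.secret}"` builds a form-encoded body by plain interpolation, so if either value can contain characters outside the unreserved set the response is malformed; `CGI.escape` each value, `="oauth_token=#{CGI.escape(@token.token_key)}&oauth_token_secret=#{CGI.escape(@token.secret)}"`, and the template stays correct however keys are generated. Because this is an `=` line, a HAML configuration with `escape_html` on would also turn the `&` into `&amp;` and break every client; if that setting is enabled for the slice, use `!=` instead. This exchange is rendered from a `.html.haml` template with `:layout=>false`, so clients will see a `text/html` content type for a body that is really `application/x-www-form-urlencoded`; setting the header in the controller would be cleaner.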
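--- a/data/lib/ooh-auth.rb
+++ b/data/lib/ooh-auth.rb
@@ -46,8 +46,8 @@ if defined?(Merb::Plugins)
 module OohAuth
 
 # Slice metadata
-self.description = "OohAuth is Merb slice that extends merb-auth-more with
-self.version = "0.1.
+self.description = "OohAuth is Merb slice that extends merb-auth-more with a full OAuth provider"
+self.version = "0.1.3"
 self.author = "Dan Glegg"
 self.identifier = "ooh-auth"
 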
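Review bot: `self.version = "0.1.3"` on line 50 disagrees with the version this release sets everywhere else — `GEM_VERSION = "0.3"` in the Rakefile and `version: "0.3"` in the gemspec metadata — so the slice will report a stale version at runtime. Set it to `self.version = "0.3"`, or better, read it from one constant shared with the Rakefile so the two cannot drift again. The description on line 49 is also missing an article: `self.description = "OohAuth is a Merb slice that extends merb-auth-more with a full OAuth provider"`.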
@@ -19,7 +19,13 @@ describe OohAuth::AuthenticatingClients do
|
|
19
19
|
@controller.should be_successful
|
20
20
|
lambda {@controller = dispatch_to(OohAuth::AuthenticatingClients, :new)}.should raise_error(Merb::Controller::Unauthenticated)
|
21
21
|
end
|
22
|
-
it "should
|
22
|
+
it "should successfully render a list when authenticated" do
|
23
|
+
@user = user_class.gen
|
24
|
+
@controller = OohAuth::AuthenticatingClients.new(Merb::Test::RequestHelper::FakeRequest.new)
|
25
|
+
@controller.request.session.user = @user
|
26
|
+
@controller.index
|
27
|
+
@controller.should be_successful
|
28
|
+
end
|
23
29
|
end
|
24
30
|
|
25
31
|
describe "new/create action" do
|
@@ -92,12 +98,12 @@ describe OohAuth::AuthenticatingClients do
|
|
92
98
|
@controller.edit(@authenticating_client.id)
|
93
99
|
@controller.should be_successful
|
94
100
|
end
|
95
|
-
it "cannot be used to reassign apps to other users"
|
101
|
+
it "cannot be used to reassign apps to other users" do
|
96
102
|
# Waiting on ticket: http://wm.lighthouseapp.com/projects/4819/tickets/669-problem-with-protected-attribute-mass-assignment#ticket-669-1
|
97
103
|
# related to problems preventing mass-assignment.
|
98
|
-
|
99
|
-
|
100
|
-
|
104
|
+
@controller.update(@authenticating_client.id, {:user_id=>@user.id+50})
|
105
|
+
@controller.assigns(:authenticating_client).user_id.should == @user.id
|
106
|
+
end
|
101
107
|
it "should show a form with errors when given bad input" do
|
102
108
|
@controller.update(@authenticating_client.id, {:name=>""})
|
103
109
|
@controller.should be_successful
|
@@ -111,8 +117,24 @@ describe OohAuth::AuthenticatingClients do
|
|
111
117
|
end
|
112
118
|
end
|
113
119
|
|
114
|
-
describe "delete action" do
|
115
|
-
|
120
|
+
describe "delete action" do
|
121
|
+
before :each do
|
122
|
+
@user = user_class.gen
|
123
|
+
@bad_user = user_class.gen
|
124
|
+
@authenticating_client = OohAuth::AuthenticatingClient.gen(:user=>@user)
|
125
|
+
@other_authenticating_client = OohAuth::AuthenticatingClient.gen
|
126
|
+
@controller = OohAuth::AuthenticatingClients.new(Merb::Test::RequestHelper::FakeRequest.new)
|
127
|
+
@controller.request.session.user = @bad_user
|
128
|
+
end
|
129
|
+
|
130
|
+
it "should not be destroyable by any user other than the owning user" do
|
131
|
+
c = OohAuth::AuthenticatingClient.count
|
132
|
+
lambda {@controller.destroy(@authenticating_client.id)}.should raise_error(Merb::Controller::NotFound)
|
133
|
+
@controller.request.session.user = @user
|
134
|
+
c.should == OohAuth::AuthenticatingClient.count
|
135
|
+
lambda {@controller.destroy(@authenticating_client.id)}.should_not raise_error(Merb::Controller::NotFound)
|
136
|
+
(c-1).should == OohAuth::AuthenticatingClient.count
|
137
|
+
end
|
116
138
|
end
|
117
139
|
|
118
140
|
end
|
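Review bot: `lambda {…}.should_not raise_error(Merb::Controller::NotFound)` on line 135 is a weak assertion — as far as I recall, RSpec 1.x's negated form with an explicit class still passes when a different exception is raised, so a crash inside `destroy` would not fail this example; assert the positive outcome instead, `lambda {@controller.destroy(@authenticating_client.id)}.should_not raise_error`, and keep the count check on line 136. The same pattern is on line 196 of the tokens_spec hunk. The `before :each` logs in `@bad_user` and the example then reassigns `session.user` halfway through; splitting the foreign-user and owner cases into two examples would make a failure point at the right check.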
@@ -62,6 +62,15 @@ describe OohAuth::Tokens do
|
|
62
62
|
)
|
63
63
|
lambda {@controller.index}.should raise_error(Merb::Controller::NotAcceptable)
|
64
64
|
end
|
65
|
+
|
66
|
+
it "should show a list of tokens for a user when the user is authenticated" do
|
67
|
+
@user = user_class.gen
|
68
|
+
@controller = OohAuth::Tokens.new(Merb::Test::RequestHelper::FakeRequest.new)
|
69
|
+
@controller.request.session.user = @user
|
70
|
+
@controller.index
|
71
|
+
@controller.should be_successful
|
72
|
+
@controller.assigns(:tokens).should be_kind_of(Array)
|
73
|
+
end
|
65
74
|
end
|
66
75
|
|
67
76
|
|
@@ -164,10 +173,29 @@ describe OohAuth::Tokens do
|
|
164
173
|
# it "should only allow the expiry and permission level to be altered"
|
165
174
|
#end
|
166
175
|
#
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
176
|
+
describe "delete/destroy action" do
|
177
|
+
before :each do
|
178
|
+
@user = user_class.gen
|
179
|
+
@bad_user = user_class.gen
|
180
|
+
@desktop_app = OohAuth::AuthenticatingClient.gen(:kind=>"desktop")
|
181
|
+
@access_key = OohAuth::Token.create_request_key(@desktop_app, 1.hour.since)
|
182
|
+
@access_key.activate!(@user)
|
183
|
+
@date = Date.today + 5.years
|
184
|
+
@controller = OohAuth::Tokens.new(Merb::Test::RequestHelper::FakeRequest.new)
|
185
|
+
end
|
186
|
+
|
187
|
+
it "should require authentication" do
|
188
|
+
lambda {dispatch_to(OohAuth::Tokens, :destroy)}.should raise_error(Merb::Controller::Unauthenticated)
|
189
|
+
end
|
190
|
+
it "should only be accessible by the token's owning user" do
|
191
|
+
c = OohAuth::Token.count
|
192
|
+
@controller.request.session.user = @bad_user
|
193
|
+
lambda {@controller.destroy(@access_key.id)}.should raise_error(Merb::Controller::NotFound)
|
194
|
+
@controller.request.session.user = @user
|
195
|
+
c.should == OohAuth::Token.count
|
196
|
+
lambda {@controller.destroy(@access_key.id)}.should_not raise_error(Merb::Controller::NotFound)
|
197
|
+
(c-1).should == OohAuth::Token.count
|
198
|
+
end
|
199
|
+
end
|
172
200
|
|
173
201
|
end
|
@@ -34,8 +34,6 @@ describe OohAuth::AuthenticatingClient do
|
|
34
34
|
@authenticating_client.secret.should == ss
|
35
35
|
end
|
36
36
|
|
37
|
-
it "should not allow internal URLs to be given as callback URLs"
|
38
|
-
|
39
37
|
it "should return an empty array when find_for_user is called with nil" do
|
40
38
|
arr = OohAuth::AuthenticatingClient.find_for_user(nil)
|
41
39
|
arr.length.should == 0
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: danski-ooh-auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: "0.3"
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dan Glegg
|
@@ -9,18 +9,9 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
11
|
|
12
|
-
date:
|
12
|
+
date: 2009-01-15 00:00:00 -08:00
|
13
13
|
default_executable:
|
14
14
|
dependencies:
|
15
|
-
- !ruby/object:Gem::Dependency
|
16
|
-
name: ruby-hmac
|
17
|
-
version_requirement:
|
18
|
-
version_requirements: !ruby/object:Gem::Requirement
|
19
|
-
requirements:
|
20
|
-
- - ">="
|
21
|
-
- !ruby/object:Gem::Version
|
22
|
-
version: 0.3.2
|
23
|
-
version:
|
24
15
|
- !ruby/object:Gem::Dependency
|
25
16
|
name: merb-slices
|
26
17
|
version_requirement:
|
@@ -30,19 +21,21 @@ dependencies:
|
|
30
21
|
- !ruby/object:Gem::Version
|
31
22
|
version: 0.9.10
|
32
23
|
version:
|
33
|
-
description: Merb
|
34
|
-
email: dan@
|
24
|
+
description: Merb Slice that adds a full OAuth provider strategy to your application.
|
25
|
+
email: dan@angryamoeba.co.uk
|
35
26
|
executables: []
|
36
27
|
|
37
28
|
extensions: []
|
38
29
|
|
39
30
|
extra_rdoc_files:
|
40
|
-
-
|
31
|
+
- README
|
41
32
|
- LICENSE
|
33
|
+
- TODO
|
42
34
|
files:
|
43
35
|
- LICENSE
|
44
|
-
-
|
36
|
+
- README
|
45
37
|
- Rakefile
|
38
|
+
- TODO
|
46
39
|
- lib/ooh-auth
|
47
40
|
- lib/ooh-auth/authentication_mixin.rb
|
48
41
|
- lib/ooh-auth/controller_mixin.rb
|
@@ -84,17 +77,28 @@ files:
|
|
84
77
|
- app/views
|
85
78
|
- app/views/authenticating_clients
|
86
79
|
- app/views/authenticating_clients/_help.html.erb
|
80
|
+
- app/views/authenticating_clients/_help.html.haml
|
87
81
|
- app/views/authenticating_clients/edit.html.erb
|
82
|
+
- app/views/authenticating_clients/edit.html.haml
|
88
83
|
- app/views/authenticating_clients/index.html.erb
|
84
|
+
- app/views/authenticating_clients/index.html.haml
|
89
85
|
- app/views/authenticating_clients/new.html.erb
|
86
|
+
- app/views/authenticating_clients/new.html.haml
|
90
87
|
- app/views/authenticating_clients/show.html.erb
|
88
|
+
- app/views/authenticating_clients/show.html.haml
|
91
89
|
- app/views/layout
|
92
90
|
- app/views/layout/ooh_auth.html.erb
|
91
|
+
- app/views/layout/ooh_auth.html.haml
|
93
92
|
- app/views/tokens
|
94
93
|
- app/views/tokens/create.html.erb
|
94
|
+
- app/views/tokens/create.html.haml
|
95
95
|
- app/views/tokens/edit.html.erb
|
96
|
+
- app/views/tokens/edit.html.haml
|
97
|
+
- app/views/tokens/index.html.erb
|
96
98
|
- app/views/tokens/new.html.erb
|
99
|
+
- app/views/tokens/new.html.haml
|
97
100
|
- app/views/tokens/show.html.erb
|
101
|
+
- app/views/tokens/show.html.haml
|
98
102
|
- public/javascripts
|
99
103
|
- public/javascripts/master.js
|
100
104
|
- public/stylesheets
|
@@ -128,6 +132,6 @@ rubyforge_project: merb
|
|
128
132
|
rubygems_version: 1.2.0
|
129
133
|
signing_key:
|
130
134
|
specification_version: 2
|
131
|
-
summary: Merb Slice that
|
135
|
+
summary: Merb Slice that adds a full OAuth provider strategy to your application.
|
132
136
|
test_files: []
|
133
137
|
|
data/readme.markdown
DELETED
@@ -1,43 +0,0 @@
|
|
1
|
-
There's Auth, there's OAuth, and there's OohAuth.
|
2
|
-
=================================================
|
3
|
-
|
4
|
-
OohAuth extends merb-auth-more with a functionally-complete approach to OAuth, turning your merb-auth applications into full OAuth providers.
|
5
|
-
|
6
|
-
OAuth at a glance:
|
7
|
-
==================
|
8
|
-
|
9
|
-
* Your users won't have to give their names and passwords to client applications
|
10
|
-
* Your users can revoke or limit access from a particular client at any time
|
11
|
-
* Your users do not have to give client applications everything they need to steal their account
|
12
|
-
* Your developer community can authenticate using a solid authentication schema endorsed by [industry giants](http://google.com)
|
13
|
-
* Resilient to both man-in-the-middle and signature replay attacks.
|
14
|
-
|
15
|
-
OohAuth gives you:
|
16
|
-
========================
|
17
|
-
|
18
|
-
* Integration with merb-auth and your application's own User model
|
19
|
-
* RESTful creation of API keys for client apps
|
20
|
-
* RESTful creation of request and access tokens to allow client apps to authenticate on behalf of users
|
21
|
-
* merb-auth strategies for both web-based and non web-based API authentication.
|
22
|
-
|
23
|
-
It depends on:
|
24
|
-
==============
|
25
|
-
|
26
|
-
* merb-slices
|
27
|
-
* merb-action-args
|
28
|
-
* merb-auth-core
|
29
|
-
* merb-auth-more
|
30
|
-
* nokogiri (tests only)
|
31
|
-
* ruby-hmac
|
32
|
-
* Erb **(we need your help to get started on HAML support)**
|
33
|
-
* datamapper **(we need your help to become ORM-agnostic)**
|
34
|
-
|
35
|
-
You should read:
|
36
|
-
================
|
37
|
-
|
38
|
-
* [Why we wrote it](http://singlecell.angryamoeba.co.uk/post/62022487/the-api-antipattern-twitter-and-the-fail-whales-new)
|
39
|
-
* [OohAuth on github](http://github.com/danski/ooh-auth)
|
40
|
-
* [OAuth 1.0 specification](http://oauth.net/core/1.0) a hefty spec document containing instructions for authenticating with OAuth apps and more.
|
41
|
-
* [securing.markdown](http://github.com/danski/ooh-auth/tree/master/securing.markdown), your guide to properly securing an application using OohAuth.
|
42
|
-
* [OohAuth's bugtracker on Tails](http://www.bugtails.com/projects/171)
|
43
|
-
|