devise_oauth 2.0.0 → 2.0.1

data/.gitignore

@@ -0,0 +1,7 @@
+.bundle/
+log/*.log
+pkg/
+spec/dummy/db/*.sqlite3
+spec/dummy/log/*.log
+spec/dummy/tmp/
+spec/dummy/.sass-cache

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/Gemfile

@@ -0,0 +1,17 @@
+source 'http://rubygems.org'
+
+# Declare your gem's dependencies in devise_oauth.gemspec.
+# Bundler will treat runtime dependencies like base dependencies, and
+# development dependencies will be added by default to the :development group.
+gemspec
+
+# jquery-rails is used by the dummy application
+gem 'jquery-rails'
+gem 'devise'
+
+gem 'database_cleaner'
+gem 'factory_girl_rails'
+gem 'rspec-rails', '>= 2.0'
+gem 'shoulda-matchers'
+
+gem 'cancan'

data/Gemfile.lock

@@ -0,0 +1,136 @@
+PATH
+  remote: .
+  specs:
+    devise_oauth (2.0.1)
+      devise (>= 2.1)
+      rails (>= 3.2.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.2.6)
+      actionpack (= 3.2.6)
+      mail (~> 2.4.4)
+    actionpack (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.1)
+      rack (~> 1.4.0)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.1.3)
+    activemodel (3.2.6)
+      activesupport (= 3.2.6)
+      builder (~> 3.0.0)
+    activerecord (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activeresource (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+    activesupport (3.2.6)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.2)
+    bcrypt-ruby (3.0.1)
+    builder (3.0.0)
+    cancan (1.6.7)
+    database_cleaner (0.8.0)
+    devise (2.1.0)
+      bcrypt-ruby (~> 3.0)
+      orm_adapter (~> 0.0.7)
+      railties (~> 3.1)
+      warden (~> 1.1.1)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    factory_girl (3.4.0)
+      activesupport (>= 3.0.0)
+    factory_girl_rails (3.4.0)
+      factory_girl (~> 3.4.0)
+      railties (>= 3.0.0)
+    hike (1.2.1)
+    i18n (0.6.0)
+    journey (1.0.4)
+    jquery-rails (2.0.2)
+      railties (>= 3.2.0, < 5.0)
+      thor (~> 0.14)
+    json (1.7.3)
+    mail (2.4.4)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.19)
+    multi_json (1.3.6)
+    orm_adapter (0.0.7)
+    polyglot (0.3.3)
+    rack (1.4.1)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.2.6)
+      actionmailer (= 3.2.6)
+      actionpack (= 3.2.6)
+      activerecord (= 3.2.6)
+      activeresource (= 3.2.6)
+      activesupport (= 3.2.6)
+      bundler (~> 1.0)
+      railties (= 3.2.6)
+    railties (3.2.6)
+      actionpack (= 3.2.6)
+      activesupport (= 3.2.6)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (>= 0.14.6, < 2.0)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.10.0)
+      rspec-core (~> 2.10.0)
+      rspec-expectations (~> 2.10.0)
+      rspec-mocks (~> 2.10.0)
+    rspec-core (2.10.1)
+    rspec-expectations (2.10.0)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.10.1)
+    rspec-rails (2.10.1)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec (~> 2.10.0)
+    shoulda-matchers (1.2.0)
+      activesupport (>= 3.0.0)
+    sprockets (2.1.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.6)
+    thor (0.15.3)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.33)
+    warden (1.1.1)
+      rack (>= 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  cancan
+  database_cleaner
+  devise
+  devise_oauth!
+  factory_girl_rails
+  jquery-rails
+  rspec-rails (>= 2.0)
+  shoulda-matchers
+  sqlite3

data/README.md

@@ -1,3 +1,80 @@
 # Devise::Oauth
 
+## Installation
+
+Add it to your Gemfile
+
+```ruby
+gem 'devise_oauth'
+```
+
+Mount engine in your routes.rb file
+
+```ruby
+mount Devise::Oauth::Engine => '/oauth'
+```
+
+Define possible scopes in your application.rb
+
+```ruby
+Devise::Oauth.scopes = [:read, :write]
+```
+
+Add strategies to your User model
+
+```ruby
+class User < ActiveRecord::Base
+  devise :database_authenticatable,
+         #:registerable,
+         #:recoverable,
+         #:rememberable,
+         #:trackable,
+         #:omniauthable,
+
+         # OAuth provider
+         :access_token_authenticatable,
+         :client_ownable,
+         :resource_ownable
+```
+
+Create migration [TODO: write generator]
+
+look at `db/migrate/20120622164619_devise_create_oauth.rb` for now
+
+## CanCan support
+
+if your app is accessed with `access_token` then we set it as `oauth_token` to current_user
+
+```ruby
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    user ||= User.new # guest user (not logged in)
+    if user.oauth_token?
+      # has access_token, so we set access rights with scope
+      setup_client(user)
+    else
+      # normal user access rights setup
+      setup(user)
+    end
+
+    # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
+  end
+
+  private
+
+  def setup_client(user)
+    if user.oauth_scope? :write
+      can :create, :protected_resource
+    end
+  end
+
+  def setup(user)
+
+  end
+end
+```
+
+
 This project rocks and uses MIT-LICENSE.

data/devise_oauth.gemspec

@@ -0,0 +1,27 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+require "devise/oauth/version"
+
+Gem::Specification.new do |s|
+  s.name        = "devise_oauth"
+  s.version     = Devise::Oauth::VERSION
+  s.authors     = ["Yury Korolev"]
+  s.email       = ["yury.korolev@gmail.com"]
+  s.homepage    = "https://github.com/anjlab/devise_oauth"
+  s.summary     = "Oauth 2.0 provider implementation on top of devise."
+  s.description = "The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-28 implementation on top of devise."
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency "rails", ">= 3.2.0"
+  s.add_dependency "devise", ">= 2.1"
+
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "factory_girl_rails"
+  s.add_development_dependency "rspec-rails", ">= 2.0"
+  s.add_development_dependency "database_cleaner"
+  s.add_development_dependency "shoulda-matchers"
+end

data/lib/devise/oauth/engine.rb

@@ -1,13 +1,18 @@
 module Devise::Oauth
   class Engine < ::Rails::Engine
+
+    NAME = "oauth"
+
     def table_name_prefix
-      "oauth"
+      NAME
     end
 
     def self.generate_railtie_name(mod)
-      "oauth"
+      NAME
     end
 
+    engine_name NAME
+
     isolate_namespace Devise::Oauth
 
     initializer "devise_oauth.initialize_application", before: :load_config_initializers do |app|

data/lib/devise/oauth/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Oauth
-    VERSION = "2.0.0"
+    VERSION = "2.0.1"
   end
 end

data/script/rails

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('../..', __FILE__)
+ENGINE_PATH = File.expand_path('../../lib/devise/oauth/engine', __FILE__)
+
+require 'rails/all'
+require 'rails/engine/commands'

data/spec/controllers/access_tokens_controller_spec.rb

@@ -0,0 +1,208 @@
+require 'spec_helper'
+
+shared_examples "client is blocked flow" do
+  before do
+    client.block!
+    post :create, attributes
+  end
+
+  it { should respond_with :unprocessable_entity }
+  it { should respond_with_content_type :json }
+  it "should have error 'invalid_request'" do
+    res = JSON.load(response.body)
+    res['error'].should == "invalid_request"
+    res['error_description'].should == "Client Blocked"
+  end
+end
+
+shared_examples "access is blocked (resource owner block a client) flow" do
+  before do
+    access.block!
+    post :create, attributes
+  end
+  it { should respond_with :unprocessable_entity }
+  it { should respond_with_content_type :json }
+end
+
+shared_examples "invalid client_id flow" do
+  before do
+    attributes.merge!(client_id: "not_existing")
+    post :create, attributes
+  end
+
+  it { should respond_with :unprocessable_entity }
+  it { should respond_with_content_type :json }
+
+  it "should have error 'invalid_request'" do
+    res = JSON.load(response.body)
+    res['error'].should == "invalid_request"
+    res['error_description'].should == "Client not found"
+  end
+end
+
+describe Devise::Oauth::AccessTokensController do
+  before(:each) { 
+    @routes = Devise::Oauth::Engine.routes
+    @user   = create(:user)
+    @client = create(:client)
+    @authorization = create(:authorization, client: @client, resource_owner: @user)
+    @access = create(:access, client: @client, resource_owner: @user) 
+  }
+
+  let(:user)          { @user }
+  let(:client)        { @client }
+  let(:authorization) { @authorization }
+  let(:access)        { @access}
+  
+  context "Authorization code" do
+    let(:attributes) { 
+      { 
+        grant_type: "authorization_code",
+        client_id: client.identifier,
+        client_secret: client.secret,
+        code: authorization.code,
+        redirect_uri: client.redirect_uris.first
+      }
+    }
+
+    context "main flow" do
+      before do
+        post :create, attributes
+      end
+      let (:access_token) { @access_token = Devise::Oauth::AccessToken.last }
+
+      it { should respond_with :ok }
+      it { should respond_with_content_type :json }
+      it "should create new access token" do
+        access_token.should be_present
+      end
+
+      it "has valid access token in response" do
+        response.body.should match_json(access_token.token_response)
+      end
+    end
+
+    context "not valid code flow" do
+      before do
+        attributes.merge!(code: "not_existing")
+        post :create, attributes
+      end
+
+      it { should respond_with :unprocessable_entity }
+      it { should respond_with_content_type :json }
+      it "should have error 'invalid_request'" do
+        res = JSON.load(response.body)
+        res['error'].should == "invalid_request"
+        res['error_description'].should == "Authorization not found"
+      end
+    end
+
+    context "authorization is expired flow" do
+      before do
+        authorization.expire!
+        post :create, attributes
+      end
+
+      it { should respond_with :unprocessable_entity }
+      it { should respond_with_content_type :json }
+
+      it "should have error 'invalid_request'" do
+        res = JSON.load(response.body)
+        res['error'].should == "invalid_request"
+        res['error_description'].should == 'Authorization expired'
+      end
+    end
+
+    it_behaves_like "client is blocked flow"
+    it_behaves_like "access is blocked (resource owner block a client) flow"
+    it_behaves_like "invalid client_id flow"
+  end
+
+  context "Password credentials" do
+    let(:attributes) {
+      { 
+        grant_type: "password",
+        client_id: client.identifier,
+        client_secret: client.secret,
+        username: user.email,
+        password: user.password,
+        scope: ""
+      }
+    }
+
+    context "main flow" do
+      before do 
+        post :create, attributes
+      end
+      let (:access_token) { @access_token = Devise::Oauth::AccessToken.last }
+
+      it { should respond_with :ok }
+      it { should respond_with_content_type :json }
+      it "should create new access token" do
+        access_token.should be_present
+      end
+
+      it "has valid access token in response" do
+        response.body.should match_json(access_token.token_response)
+      end
+    end
+
+    context "not valid user password flow" do
+      before do
+        attributes.merge!(password: "not_existing")
+        post :create, attributes
+      end
+      ## TODO: bad request? or may be unauthorized?
+      it { should respond_with :bad_request }
+      it { should respond_with_content_type :json }
+    end
+
+    it_behaves_like "client is blocked flow"
+    it_behaves_like "access is blocked (resource owner block a client) flow"
+    it_behaves_like "invalid client_id flow"
+  end
+
+  context "Refresh Token" do
+    let(:token) { create(:access_token, resource_owner: user, client: client) }
+
+    let(:attributes) {
+      { 
+        grant_type: "refresh_token",
+        refresh_token: token.refresh_token,
+        client_id: client.identifier,
+        client_secret: client.secret 
+      }
+    }
+
+    context "main flow" do
+      before do 
+        post :create, attributes
+      end
+      let (:access_token) { @access_token = Devise::Oauth::AccessToken.last }
+
+      it { should respond_with :ok }
+      it { should respond_with_content_type :json }
+      it "should create new access token" do
+        access_token.should be_present
+      end
+
+      it "has valid access token in response" do
+        response.body.should match_json(access_token.token_response)
+      end
+    end
+
+    context "no valid refresh token flow" do
+      before do
+        attributes.merge!(refresh_token: "not_existing")
+        post :create, attributes
+      end
+      it { should respond_with :bad_request }
+      it { should respond_with_content_type :json }
+      # page.should have_content "Refresh token not found"
+    end
+
+    it_behaves_like "client is blocked flow"
+    it_behaves_like "access is blocked (resource owner block a client) flow"
+    it_behaves_like "invalid client_id flow"
+  end
+end