devise_oauth 2.0.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 Yury Korolev
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# Devise::Oauth
+
+This project rocks and uses MIT-LICENSE.

data/Rakefile

@@ -0,0 +1,24 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Devise::Oauth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+

data/app/controllers/oauth/access_tokens_controller.rb

@@ -0,0 +1,183 @@
+class Devise::Oauth::AccessTokensController < ApplicationController
+
+  include Devise::Oauth::Helpers
+
+  # create access_token flows
+  cattr_accessor :flows
+  @@flows = {
+    ## section 4.1.3 (authorization code flow)
+    authorization_code: [
+      :find_auth_by_code,
+      :normalize_scope,
+      :access_blocked?,
+      :create_token_from_auth
+    ],
+
+    ## section 4.3.2 (Resource Owner Password Credentials flow)
+    password: [
+      :authenticate_resource_owner,
+      :normalize_scope,
+      :access_blocked?,
+      :create_token
+    ],
+    # section 6.0 (refresh token)
+    refresh_token: [
+      :find_refresh_token,
+      :normalize_scope,
+      :access_blocked?,
+      :create_token_from_refresh
+    ]
+  }
+  
+  ## common flow
+  before_filter :find_client,      only: :create
+  before_filter :client_blocked?,  only: :create
+  before_filter :find_grant_type,  only: :create
+  before_filter :execute_flow,     only: :create
+
+  def create
+    render json: @token_response
+    @authorization.used! if @authorization
+  end
+
+  def destroy
+  end
+
+  private
+
+  def find_client
+    client_id, client_secret = request.authorization ?
+      decode_credentials : [params[:client_id], params[:client_secret]]
+
+    if client_id.blank? || client_secret.blank? 
+      return invalid_request
+    end    
+
+    @client = Devise::Oauth::Client.where(identifier: client_id).first
+
+    return client_not_found if @client.blank? || @client.secret != client_secret
+  end
+
+
+  def find_grant_type
+    @grant_type = case params[:grant_type]
+    when "authorization_code" 
+      :authorization_code
+    when "password" 
+      :password
+    when "refresh_token" 
+      :refresh_token
+    when "client_credentials"
+      :client_credentials
+    else      
+      :unsupported
+    end
+
+    return invalid_grant_type(params[:grant_type]) if !Devise::Oauth.supported_grant_types.include?(@grant_type)
+  end
+
+  def execute_flow
+    flow = self.class.flows[@grant_type]
+    flow.each do |method|
+      break if response_body
+      send(method)
+    end
+  end
+
+  def resource_owner_credentials_flow?
+    @grant_type == :password
+  end
+
+  # tokens responses
+
+  def create_token_from_auth
+    @token_response = @authorization.create_access_token.token_response
+  end
+
+  def create_token_from_refresh
+    @token_response = @refresh_token.refresh!
+  end
+
+  def create_token
+    @token_response = Devise::Oauth::AccessToken.create(client: @client, resource_owner: @resource_owner, scope: @scope).token_response
+  end
+
+  def find_auth_by_code
+    code = params[:code]
+    
+    @authorization = @client.authorizations.where(code: code).first
+    return auth_not_found if @authorization.blank?
+    return access_denied if @authorization.used?
+    return invalid_request if !@authorization.valid_redirect_uri?(params[:redirect_uri])
+    return auth_expired if @authorization.expired?
+    @resource_owner = @authorization.resource_owner
+  end
+
+  def find_refresh_token
+    refresh_token = params[:refresh_token]
+
+    return invalid_request if refresh_token.blank? 
+
+    @refresh_token = @client.access_tokens.where(refresh_token: params[:refresh_token]).first
+
+    return invalid_request if @refresh_token.blank?
+    @resource_owner = @refresh_token.resource_owner
+  end
+
+  def authenticate_resource_owner
+    owner_class = Devise::Oauth.resource_owner.constantize
+    owner = owner_class.find_for_authentication(owner_class.authentication_keys.first => params[:username])
+    if owner && owner.valid_password?(params[:password])
+      @resource_owner = owner
+    else
+      invalid_request
+    end
+  end
+
+  
+
+  # errors
+
+  def auth_not_found
+    render_error :unprocessable_entity, error: "invalid_request", error_description: "Authorization not found"
+  end
+
+  def auth_expired
+    render_error :unprocessable_entity, error: "invalid_request", error_description: "Authorization expired"
+  end
+
+  def client_not_found
+    render_error :unprocessable_entity, error: "invalid_request", error_description: "Client not found"
+  end
+
+  def access_denied
+    render_error :unauthorized, error: "invalid_request"
+  end
+
+  def invalid_request
+    render_error :bad_request, error: "invalid_request"
+  end
+
+  def invalid_client
+    render_error :unauthorized, error: "invalid_client"
+    ## TODO: check authorization
+  end
+
+  def blocked_client
+    render_error :unprocessable_entity, error: "invalid_request", error_description: "Client Blocked"
+  end
+
+  def blocked_token
+    render_error :unprocessable_entity, error: "invalid_request", error_description: "Client blocked from the user"
+  end
+
+  def invalid_grant
+    render_error :bad_request, error: "invalid_grant"
+  end
+
+  def render_error status, info
+    render json: info, status: status
+  end
+
+
+end

data/app/controllers/oauth/accesses_controller.rb

@@ -0,0 +1,7 @@
+class AccessesController < ApplicationController
+  def index
+  end
+
+  def show
+  end
+end

data/app/controllers/oauth/authorizations_controller.rb

@@ -0,0 +1,84 @@
+class Devise::Oauth::AuthorizationsController < ApplicationController 
+  include Devise::Oauth::Helpers
+
+  before_filter :authenticate_user! # TODO: use devise scope here
+  before_filter :find_client
+  before_filter :find_resource_owner
+  before_filter :normalize_scope
+  # before_filter :check_scope          # check if the access is authorized
+  before_filter :client_blocked?      # check if the client is blocked
+  before_filter :access_blocked?      # check if user has blocked the client
+
+  # before_filter :token_blocked?, only: :show   # check for an existing token
+  # before_filter :refresh_token,  only: :show   # create a new token
+
+  def show
+  end
+
+  def create
+    @client.granted!
+
+    # section 4.1.1 - authorization code flow
+    if params[:response_type] == "code"
+      @authorization = Devise::Oauth::Authorization.create(client: @client, resource_owner: @resource_owner, scope: @scope)
+      redirect_to authorization_redirect_uri(@client, @authorization, params[:state])
+    end
+
+    # section 4.2.1 - implicit grant flow
+    if params[:response_type] == "token"
+      @token = Devise::Oauth::AccessToken.create(client: @client, resource_owner: @resource_owner, scope: scope)
+      redirect_to implicit_redirect_uri(@client, @token, params[:state])
+    end
+  end
+
+  def destroy
+    @client.revoked!
+    redirect_to deny_redirect_uri(params[:response_type], params[:state])
+  end
+
+  private
+
+  def authorization_redirect_uri(client, authorization, state)
+    uri  = client.redirect_uris.first
+    uri += "?code="  + authorization.code
+    uri += "&state=" + state if state
+    uri
+  end
+
+  def implicit_redirect_uri(client, token, state)
+    uri  = client.redirect_uris.first
+    uri += "#token=" + token.token
+    uri += "&expires_in=" + Oauth.settings["token_expires_in"]
+    uri += "&state=" + state if state
+    return uri
+  end
+
+  def deny_redirect_uri(response_type, state)
+    uri = @client.redirect_uris.first
+    uri += (response_type == "code") ? "?" : "#"
+    uri += "error=access_denied"
+    uri += "&state=" + state if state
+    return uri
+  end
+
+  def find_resource_owner
+    @resource_owner = current_user
+  end
+
+  def find_client
+    client_id = params[:client_id]
+
+    @client = Devise::Oauth::Client.where(identifier: client_id).first
+
+    client_not_found if @client.blank?
+  end
+
+  def invalid_request
+    raise "sd"
+  end
+
+  def client_not_found
+    rails "bla"
+  end
+
+end

data/app/controllers/oauth/clients_controller.rb

@@ -0,0 +1,24 @@
+class Devise::Oauth::ClientsController < ApplicationController
+  load_and_authorize_resource if respond_to? :load_and_authorize_resource
+
+  def index
+  end
+
+  def show
+  end
+
+  def update
+  end
+
+  def edit
+  end
+
+  def new
+  end
+
+  def create
+  end
+
+  def destroy
+  end
+end

data/app/helpers/devise/oauth/helpers.rb

@@ -0,0 +1,24 @@
+module Devise::Oauth::Helpers
+
+  def normalize_scope
+    scope = (params[:scope] || "").split(" ")
+    scope_mask = Devise::Oauth::AccessToken.scope_to_mask(scope)
+    @requested_scope = Devise::Oauth::AccessToken.mask_to_scope(scope_mask)
+
+    scope_mask = @client.scope_mask & scope_mask
+    scope_mask = @authorization.scope_mask & scope_mask if @authorization
+    scope_mask = @refresh_token.scope_mask & scope_mask if @refresh_token
+
+    @scope = Devise::Oauth::AccessToken.mask_to_scope(scope_mask)
+  end
+
+  def client_blocked?
+    blocked_client if @client.blocked?
+  end
+
+  def access_blocked?
+    @access = Devise::Oauth::Access.find_or_create_by_client_id_and_resource_owner_id(@client.id, @resource_owner.id)
+    blocked_token if @access.blocked?
+  end
+
+end

data/app/models/oauth/access.rb

@@ -0,0 +1,19 @@
+class Devise::Oauth::Access < ActiveRecord::Base
+  belongs_to :client,         class_name: "Devise::Oauth::Client"
+  belongs_to :resource_owner, class_name: Devise::Oauth.resource_owner
+
+  validates :client_id,         presence: true
+  validates :resource_owner_id, presence: true
+
+  include Devise::Oauth::Blockable
+
+  def block!
+    super
+    Devise::Oauth::AccessToken.block_access!(client_id, resource_owner_id)
+    Devise::Oauth::Authorization.block_access!(client_id, resource_owner_id)
+  end
+
+  def accessed!
+    self.class.update_counters(id, accessed_times: 1)
+  end
+end

data/app/models/oauth/access_token.rb

@@ -0,0 +1,61 @@
+class Devise::Oauth::AccessToken < ActiveRecord::Base
+  belongs_to :client,         class_name: "Devise::Oauth::Client"
+  belongs_to :resource_owner, class_name: Devise::Oauth.resource_owner
+
+  validates :client_id,         presence: true
+  validates :resource_owner_id, presence: true
+
+  attr_accessible :client, :resource_owner, :scope
+
+  before_create :generate_refresh_token if Devise::Oauth.generate_refresh_token
+
+  before_create :generate_value
+  before_create :setup_expiration
+
+  include Devise::Oauth::Scopable
+  include Devise::Oauth::Blockable
+
+  def expired?(at = Time.now)
+    self.expires_at < at
+  end
+
+  def refresh!
+    generate_refresh_token if Devise::Oauth.regenerate_refresh_token
+
+    generate_value
+    setup_expiration
+    
+    save
+    token_response(Devise::Oauth.regenerate_refresh_token)
+  end
+
+  def refresh_token_expired?
+    self.refresh_token_expires_at < Time.now
+  end
+
+  def token_response(generated_refresh_token=true)
+    res = {
+      access_token: value,
+      token_type: 'bearer'
+    }
+    res[:scope]         = scope_to_response if scope.present?
+    res[:expires_in]    = Devise::Oauth.access_token_expires_in if Devise::Oauth.access_token_expires_in
+    res[:refresh_token] = refresh_token if generated_refresh_token
+    res
+  end
+
+  private
+
+  def generate_value
+    self.value = Devise.friendly_token
+  end
+
+  def setup_expiration
+    self.expires_at = Time.now + Devise::Oauth.access_token_expires_in
+  end
+
+  def generate_refresh_token
+    self.refresh_token = Devise::Oauth.friendly_token
+  end
+
+end

data/app/models/oauth/authorization.rb

@@ -0,0 +1,58 @@
+class Devise::Oauth::Authorization < ActiveRecord::Base
+  belongs_to :client,         class_name: "Devise::Oauth::Client"
+  belongs_to :resource_owner, class_name: Devise::Oauth.resource_owner
+
+  validates :client_id,         presence: true
+  validates :resource_owner_id, presence: true
+
+  before_create :generate_code
+  before_create :create_expiration
+
+  include Devise::Oauth::Scopable
+  include Devise::Oauth::Blockable
+
+  attr_accessible :client, :resource_owner, :scope
+
+  def expired?(at = Time.now)
+    self.expires_at < at
+  end
+
+  def expire!(at = Time.now)
+    self.expires_at = at
+    save
+  end
+
+  def used!(at = Time.now)
+    self.used_at = at
+    save
+    # TODO: May be we should destroy it instead?
+  end
+
+  def used?
+    !!self.used_at
+  end
+
+  def valid_redirect_uri? uri
+    if redirect_uri.blank?
+      client.redirect_uris.include? uri
+    else
+      self.redirect_uri = uri
+    end
+  end
+
+  def create_access_token
+    Devise::Oauth::AccessToken.create client: client, resource_owner: resource_owner, scope: scope
+  end
+
+  private
+
+  def generate_code
+    self.code = Devise::Oauth.friendly_token
+  end
+
+  def create_expiration
+    self.expires_at = Time.now + Devise::Oauth.authorization_code_expires_in
+  end
+
+  
+end

data/app/models/oauth/client.rb

@@ -0,0 +1,49 @@
+module Devise::Oauth 
+  class Client < ActiveRecord::Base
+    def self.client_ownable?
+      Devise::Oauth.client_owner.constantize.devise_modules.include? :client_ownable
+    end
+   
+    belongs_to :owner, class_name: Devise::Oauth.client_owner if self.client_ownable?
+    
+    has_many :access_tokens,  class_name: "Devise::Oauth::AccessToken",   dependent: :destroy
+    has_many :authorizations, class_name: "Devise::Oauth::Authorization", dependent: :destroy
+    has_many :accesses,       class_name: "Devise::Oauth::Access",        dependent: :destroy
+
+    validates :name,     presence: true
+    validates :owner_id, presence: true
+    validates :site_uri, presence: true
+
+    serialize :redirect_uris, Array
+
+    include Devise::Oauth::Scopable
+    include Devise::Oauth::Blockable
+
+    def block!
+      super
+      AccessToken.block_client!  id
+      Authorization.block_client! id
+    end
+
+    before_create :generate_identifier
+    before_create :generate_secret
+
+    def granted!
+      self.class.update_counters(id, granted_times: 1)
+    end
+
+    def revoked!
+      self.class.update_counters(id, revoked_times: 1)
+    end
+
+    private
+
+    def generate_identifier
+      self.identifier = Devise::Oauth.friendly_token
+    end
+
+    def generate_secret
+      self.secret = Devise::Oauth.friendly_token
+    end 
+  end
+end

data/app/views/devise/oauth/authorizations/show.html.erb

@@ -0,0 +1,34 @@
+<% unless flash.alert %>
+  <h2>Authorization request</h2>
+  <div>
+    <b>The application <em><%=@client.name%></em> would like to access your resources</b>
+    <div>You are giving access to <%= @scope.join(", ") %></div>
+  </div>
+
+  <div>
+    <form method="POST" action="/oauth/authorization">
+      <input type="hidden" name="response_type" value="<%=params[:response_type]%>">
+      <input type="hidden" name="client_id" value="<%=params[:client_id]%>">
+      <input type="hidden" name="redirect_uri" value="<%=params[:redirect_uri]%>">
+      <input type="hidden" name="scope" value="<%=@scope.join(" ")%>">
+      <% if params[:state] %>
+        <input type="hidden" name="state" value="<%=params[:state]%>">
+      <% end %>
+      <button>Grant Access</button>
+    </form>
+  </div>
+
+  <div>
+    <form method="POST" action="/oauth/authorization">
+      <input type="hidden" name="_method" value="delete">
+      <input type="hidden" name="response_type" value="<%=params[:response_type]%>">
+      <input type="hidden" name="client_id" value="<%=params[:client_id]%>">
+      <input type="hidden" name="redirect_uri" value="<%=params[:redirect_uri]%>">
+      <input type="hidden" name="scope" value="<%=@scope.join(" ")%>">
+      <% if params[:state] %>
+        <input type="hidden"name="state" value="<%=params[:state]%>">
+      <% end %>
+      <button>Deny Access</button>
+    </form>
+  </div>
+<% end %>

data/config/routes.rb

@@ -0,0 +1,14 @@
+Devise::Oauth::Engine.routes.draw do
+  resource :authorization, path: :authorize, only: [:create, :show, :destroy], defaults: {format: :html}
+  resource :access_token,  path: :token,     only: [:create, :destroy], defaults: {format: :json}
+
+  resources :clients do
+    put :block,   on: :member
+    put :unblock, on: :member
+  end
+
+  resources :access, only: [:index, :show] do
+    put :block,   on: :member
+    put :unblock, on: :member
+  end
+end

data/db/migrate/20120622164619_devise_create_oauth.rb

@@ -0,0 +1,76 @@
+class DeviseCreateOauth < ActiveRecord::Migration
+  def change
+    create_table :oauth_clients do |t|
+      # client_ownable devise strategy
+      t.integer  :owner_id
+
+      t.string   :identifier, null: false
+      t.string   :name, null: false
+      t.string   :secret, null: false
+      t.string   :site_uri, null: false
+      t.text     :redirect_uris
+      t.text     :info
+      t.integer  :scope_mask, null: false, default: 0
+
+      t.integer  :granted_times, null: false, default: 0
+      t.integer  :revoked_times, null: false, default: 0
+
+      t.datetime :blocked_at
+      t.timestamps
+    end
+
+    add_index :oauth_clients, :identifier, unique: true
+    add_index :oauth_clients, :secret, unique: true
+    add_index :oauth_clients, :owner_id
+
+    create_table :oauth_authorizations do |t|
+      t.integer  :client_id, null: false
+      t.integer  :resource_owner_id, null: false
+      t.integer  :scope_mask, null: false, default: 0
+      t.string   :redirect_uri
+      t.string   :code, null: false
+      t.datetime :expires_at, null: false
+
+      t.datetime :used_at
+
+      t.datetime :blocked_at
+      t.timestamps
+    end
+
+    add_index :oauth_authorizations, :client_id
+    add_index :oauth_authorizations, :resource_owner_id
+    add_index :oauth_authorizations, :code, unique: true
+
+    # for authorization and access tokens
+    create_table :oauth_access_tokens do |t|
+      t.integer  :client_id, null: false
+      t.integer  :resource_owner_id, null: false
+      t.integer  :scope_mask, null: false, default: 0
+      t.string   :value, null: false
+      t.datetime :expires_at, null: false
+
+      t.string   :refresh_token
+
+      t.datetime :blocked_at
+      t.timestamps
+    end
+
+    add_index :oauth_access_tokens, :client_id
+    add_index :oauth_access_tokens, :resource_owner_id
+    add_index :oauth_access_tokens, :value, unique: true
+    add_index :oauth_access_tokens, :refresh_token, unique: true
+
+    create_table :oauth_accesses do |t|
+      t.integer  :client_id, null: false
+      t.integer  :resource_owner_id, null: false
+
+      t.integer  :accessed_times, null: false, default: 0
+
+      t.datetime :blocked_at
+      t.timestamps
+    end
+
+    add_index :oauth_accesses, :client_id
+    add_index :oauth_accesses, :resource_owner_id
+  end
+end

data/lib/devise/models/access_token_authenticatable.rb

@@ -0,0 +1,9 @@
+module Devise
+  module Models
+    module AccessTokenAuthenticatable
+      extend ActiveSupport::Concern
+      included do
+      end
+    end
+  end
+end

data/lib/devise/models/client_ownable.rb

@@ -0,0 +1,14 @@
+module Devise
+  module Models
+    module ClientOwnable
+      extend ActiveSupport::Concern
+      included do
+        
+        has_many :oauth_clients,
+                     class_name: "Devise::Oauth::Client",
+                    foreign_key: "owner_id",
+                      dependent: :destroy
+      end
+    end
+  end
+end

data/lib/devise/models/resource_ownable.rb

@@ -0,0 +1,36 @@
+module Devise
+  module Models
+    module ResourceOwnable
+      extend ActiveSupport::Concern
+      included do
+
+        has_many :oauth_access_tokens,
+                 class_name: "Devise::Oauth::AccessToken",
+                foreign_key: "resource_owner_id",
+                  dependent: :destroy
+
+        has_many :oauth_authorizations,
+                 class_name: "Devise::Oauth::Authorization",
+                foreign_key: "resource_owner_id",
+                  dependent: :destroy
+        
+        has_many :oauth_accesses,
+                     class_name: "Devise::Oauth::Access",
+                    foreign_key: "resource_owner_id",
+                      dependent: :destroy
+
+        attr_accessor :oauth_token
+      end
+
+      def oauth_token?
+        oauth_token.present?
+      end
+
+      def oauth_scope? *scope
+        return false if oauth_token.nil?
+
+        oauth_token.has_scope? scope
+      end
+    end
+  end
+end

data/lib/devise/oauth/blockable.rb

@@ -0,0 +1,27 @@
+module Devise::Oauth::Blockable
+  extend ActiveSupport::Concern
+
+  def block!(at = Time.now)
+    self.blocked_at = at
+    save
+  end
+
+  def blocked?
+    blocked_at.present?
+  end
+
+  def unblock!
+    self.blocked_at = nil
+    save
+  end
+
+  module ClassMethods
+    def block_access!(client_id, resource_owner_id)
+      update_all({ blocked_at: Time.now }, { client_id: client_id, resource_owner_id: resource_owner_id })
+    end
+
+    def block_client!(client_id)
+      update_all({ blocked_at: Time.now }, { client_id: client_id })
+    end
+  end
+end

data/lib/devise/oauth/engine.rb

@@ -0,0 +1,18 @@
+module Devise::Oauth
+  class Engine < ::Rails::Engine
+    def table_name_prefix
+      "oauth"
+    end
+
+    def self.generate_railtie_name(mod)
+      "oauth"
+    end
+
+    isolate_namespace Devise::Oauth
+
+    initializer "devise_oauth.initialize_application", before: :load_config_initializers do |app|
+      app.config.filter_parameters << :client_secret
+      app.config.filter_parameters << :refresh_token
+    end
+  end
+end

data/lib/devise/oauth/scopable.rb

@@ -0,0 +1,43 @@
+module Devise::Oauth::Scopable
+  extend ActiveSupport::Concern
+
+  def scope=(scope)
+    self.scope_mask = self.class.scope_to_mask(scope)
+  end
+
+  def scope
+    self.class.mask_to_scope(scope_mask)
+  end
+
+  def has_scope?(scope)
+    self.scope_mask & self.class.scope_to_mask(scope) > 0
+  end
+
+  def scope_to_response
+    scope.join(" ")
+  end
+
+  module ClassMethods
+    def scopes
+      @@scopes ||= Devise::Oauth.scopes.map {|s| s.to_s}
+    end
+
+    def scope_to_mask(scope=[])
+      return 0 if scope.blank?
+      (scope.map(&:to_s) & scopes).map { |r| 2**scopes.index(r) }.sum
+    end
+
+    def mask_to_scope(mask)
+      return [] if mask == 0
+      scopes.reject {|r| (mask & 2**scopes.index(r)).zero? }
+    end
+
+    def where_scope(scope=[])
+      if scope.blank?
+        where "scope_mask = 0"
+      else
+        where "scope_mask & ? > 0", scope_to_mask(scope)
+      end
+    end
+  end
+end

data/lib/devise/oauth/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Oauth
+    VERSION = "2.0.0"
+  end
+end

data/lib/devise/strategies/access_token_authenticatable.rb

@@ -0,0 +1,69 @@
+require 'devise/strategies/base'
+module Devise
+  module Strategies
+    class AccessTokenAuthenticatable < Authenticatable
+      def store?
+        false # no no for session here
+      end
+
+      def valid?
+        @access_tokens = [access_token_in_header, access_token_in_payload].compact
+        @access_tokens.present?
+      end
+
+      def authenticate!
+        return oauth_error! if @access_tokens.length > 1
+
+        access_token = Devise::Oauth::AccessToken.where(value: @access_tokens.first).first
+
+        return oauth_error!(403, :access_denied) unless access_token
+        return oauth_error!(403, :access_denied) if access_token.expired?
+
+        resource = access_token.resource_owner
+        if validate(resource)
+          env["devise.oauth.access_token"] = access_token
+          resource.oauth_token = access_token
+          success!(resource)
+        else
+          oauth_error!
+        end
+      end
+
+    private
+      def oauth_error!(status = 400, error_code = :invalid_request, description = nil)
+        body = {error: error_code}
+        body[:error_description] = description if description
+
+        headers = {"Content-Type" => "application/json; charset=utf-8"}
+        
+        custom! [status, headers, [body.to_json]]
+      end
+
+      # Access Token Authenticatable can be authenticated with params in any controller and any verb.
+      def valid_params_request?
+        true
+      end
+
+      # Do not use remember_me behavior with token.
+      def remember_me?
+        false
+      end
+
+      def access_token_in_payload
+        params['access_token']
+      end
+
+      def access_token_in_header
+        auth_header = ::Rack::Auth::AbstractRequest.new(env)
+        if auth_header.provided? && auth_header.scheme == :bearer
+          auth_header.params
+        else
+          nil
+        end
+      end
+
+    end
+  end
+end
+
+Warden::Strategies.add(:access_token_authenticatable, Devise::Strategies::AccessTokenAuthenticatable)

data/lib/devise_oauth.rb

@@ -0,0 +1,52 @@
+require 'active_support/core_ext'
+require 'devise'
+
+module Devise
+  module Oauth
+    mattr_accessor :resource_owner
+    @@resource_owner = "User"
+
+    mattr_accessor :client_owner
+    @@client_owner = self.resource_owner
+
+    mattr_accessor :scopes
+    @@scopes = []
+
+    mattr_accessor :access_token_expires_in
+    @@access_token_expires_in = 1.hour
+
+    mattr_accessor :authorization_code_expires_in
+    @@authorization_code_expires_in = 1.minute
+
+    mattr_accessor :generate_refresh_token
+    @@generate_refresh_token = true
+
+    mattr_accessor :regenerate_refresh_token
+    @@regenerate_refresh_token = true
+
+    mattr_accessor :supported_grant_types
+    @@supported_grant_types = [:authorization_code, :password, :refresh_token]
+
+    def self.friendly_token(length = 20)
+      SecureRandom.base64(length).tr('+/=lIO0', 'pqrsxyz')
+    end
+  end
+end
+
+require "devise/oauth/scopable"
+require "devise/oauth/blockable"
+
+require "devise/models/client_ownable"
+require "devise/models/resource_ownable"
+
+require "devise/strategies/access_token_authenticatable"
+require "devise/models/access_token_authenticatable"
+
+
+require "devise/oauth/engine"
+
+Devise.add_module(
+  :access_token_authenticatable,
+  :strategy => true,
+  :model => 'devise/models/access_token_authenticatable'
+)

data/lib/tasks/devise_oauth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :devise_oauth do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,154 @@
+--- !ruby/object:Gem::Specification
+name: devise_oauth
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Yury Korolev
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-06-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &70245897777140 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70245897777140
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: &70245897776200 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70245897776200
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: &70245897775620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70245897775620
+- !ruby/object:Gem::Dependency
+  name: factory_girl_rails
+  requirement: &70245897774900 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70245897774900
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: &70245897773960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: *70245897773960
+- !ruby/object:Gem::Dependency
+  name: database_cleaner
+  requirement: &70245897773500 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70245897773500
+- !ruby/object:Gem::Dependency
+  name: shoulda-matchers
+  requirement: &70245897772840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70245897772840
+description: The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-28 implementation
+  on top of devise.
+email:
+- yury.korolev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/controllers/oauth/access_tokens_controller.rb
+- app/controllers/oauth/accesses_controller.rb
+- app/controllers/oauth/authorizations_controller.rb
+- app/controllers/oauth/clients_controller.rb
+- app/helpers/devise/oauth/helpers.rb
+- app/models/oauth/access.rb
+- app/models/oauth/access_token.rb
+- app/models/oauth/authorization.rb
+- app/models/oauth/client.rb
+- app/views/devise/oauth/authorizations/show.html.erb
+- config/routes.rb
+- db/migrate/20120622164619_devise_create_oauth.rb
+- lib/devise/models/access_token_authenticatable.rb
+- lib/devise/models/client_ownable.rb
+- lib/devise/models/resource_ownable.rb
+- lib/devise/oauth/blockable.rb
+- lib/devise/oauth/engine.rb
+- lib/devise/oauth/scopable.rb
+- lib/devise/oauth/version.rb
+- lib/devise/strategies/access_token_authenticatable.rb
+- lib/devise_oauth.rb
+- lib/tasks/devise_oauth_tasks.rake
+- MIT-LICENSE
+- Rakefile
+- README.md
+homepage: https://github.com/anjlab/devise_oauth
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2188440318074512588
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2188440318074512588
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.17
+signing_key: 
+specification_version: 3
+summary: Oauth 2.0 provider implementation on top of devise.
+test_files: []