devise_oauth2_providable 0.1.6 → 0.2.0

data/README.md

@@ -62,7 +62,7 @@ requiring user intervention to re-authorize.
 
 expires after 1 month by default.
 
-### AthorizationCode
+### AuthorizationCode
 http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.4.1
 
 *Very* short lived token created to allow a client to request an access
@@ -92,8 +92,10 @@ supported flows.
 http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
 
 in order to use the Resource Owner Password Credentials Grant Type, your
-Devise model *must* be configured to support the
-:database_authenticatable option
+Devise model *must* be configured with the :database_authenticatable option
+
+### Client Credentials Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
 
 ### Authorization Code Grant Type
 http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1

data/app/models/access_token.rb

@@ -3,15 +3,13 @@ require 'expirable_token'
 class AccessToken < ActiveRecord::Base
   include ExpirableToken
   self.default_lifetime = 15.minutes
-  attr_accessor :refresh_token
 
-  def to_bearer_token(with_refresh_token = false)
-    bearer_token = Rack::OAuth2::AccessToken::Bearer.new(
-      :access_token => self.token,
-      :expires_in => self.expires_in
-    )
-    if with_refresh_token
-      refresh_token = client.refresh_tokens.create! :user => self.user
+  before_validation :restrict_expires_at, :if => :refresh_token
+  belongs_to :refresh_token
+
+  def to_bearer_token
+    bearer_token = Rack::OAuth2::AccessToken::Bearer.new :access_token => self.token, :expires_in => self.expires_in
+    if refresh_token
       bearer_token.refresh_token = refresh_token.token
     end
     bearer_token
@@ -19,12 +17,7 @@ class AccessToken < ActiveRecord::Base
 
   private
 
-  def setup
-    super
-    if refresh_token
-      self.user = refresh_token.user
-      self.client = refresh_token.client
-      self.expires_at = [self.expires_at, refresh_token.expires_at].min
-    end
+  def restrict_expires_at
+    self.expires_at = [self.expires_at, refresh_token.expires_at].min
   end
 end

data/app/models/client.rb

@@ -2,14 +2,17 @@ class Client < ActiveRecord::Base
   has_many :access_tokens
   has_many :refresh_tokens
 
-  before_validation :setup, :on => :create
+  before_validation :init_identifier, :on => :create, :unless => :identifier?
+  before_validation :init_secret, :on => :create, :unless => :secret?
   validates :name, :website, :redirect_uri, :secret, :presence => true
   validates :identifier, :presence => true, :uniqueness => true
 
   private
 
-  def setup
-    self.identifier = ActiveSupport::SecureRandom.base64(16)
-    self.secret = ActiveSupport::SecureRandom.base64
+  def init_identifier
+    self.identifier = Devise::Oauth2Providable.random_id
+  end
+  def init_secret
+    self.secret = Devise::Oauth2Providable.random_id
   end
 end

data/app/views/oauth2/authorizations/new.html.erb

@@ -1,4 +1,4 @@
-<h2><%= link_to @client.name, @client.website %> is permission to access your resources.</h2>
+<h2><%= link_to @client.name, @client.website %> is requesting permission to access your resources.</h2>
 
 <%= render 'oauth2/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %>
 <%= render 'oauth2/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %>

data/lib/devise_oauth2_providable/schema.rb

@@ -15,7 +15,7 @@ module Devise
         migration.add_index :clients, :identifier
 
         migration.create_table :access_tokens do |t|
-          t.belongs_to :user, :client
+          t.belongs_to :user, :client, :refresh_token
           t.string :token
           t.datetime :expires_at
           t.timestamps

data/lib/devise_oauth2_providable/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Oauth2Providable
-    VERSION = "0.1.6"
+    VERSION = "0.2.0"
   end
 end

data/lib/devise_oauth2_providable.rb

@@ -7,8 +7,11 @@ require 'devise_oauth2_providable/engine'
 
 module Devise
   module Oauth2Providable
-  # Your code goes here...
-    
+    class << self
+      def random_id
+        ActiveSupport::SecureRandom.hex
+      end
+    end
   end
 end
 

data/lib/expirable_token.rb

@@ -7,8 +7,10 @@ module ExpirableToken
       belongs_to :user
       belongs_to :client
 
-      before_validation :setup, :on => :create
-      validates :client, :expires_at, :presence => true
+      before_validation :init_token, :on => :create, :unless => :token?
+      before_validation :init_expires_at, :on => :create, :unless => :expires_at?
+      validates :expires_at, :presence => true
+      validates :client, :presence => true
       validates :token, :presence => true, :uniqueness => true
 
       # TODO: this should be a default scope once rails default_scope supports lambda's
@@ -29,9 +31,11 @@ module ExpirableToken
 
   private
 
-  def setup
-    self.token = ActiveSupport::SecureRandom.base64(16)
-    self.expires_at ||= self.default_lifetime.from_now
+  def init_token
+    self.token = Devise::Oauth2Providable.random_id
+  end
+  def init_expires_at
+    self.expires_at = self.default_lifetime.from_now
   end
 end
 

data/lib/token_endpoint.rb

@@ -1,5 +1,5 @@
 class TokenEndpoint
-
+  class InvalidGrantType < StandardError; end
   def call(env)
     authenticator.call(env)
   end
@@ -8,41 +8,43 @@ class TokenEndpoint
 
   def authenticator
     Rack::OAuth2::Server::Token.new do |req, res|
-      client = Client.find_by_identifier(req.client_id) || req.invalid_client!
-      client.secret == req.client_secret || req.invalid_client!
-
-      token = access_token(req, client)
-      if token && token.save
-        include_bearer_token = [:authorization_code, :password].include?(req.grant_type) ? :with_refresh_token : false
-        res.access_token = token.to_bearer_token include_bearer_token
-      else
+      client = Client.find_by_identifier(req.client_id)
+      req.invalid_client! unless client && client.secret == req.client_secret
+      begin
+        res.access_token = access_token(req, client).to_bearer_token
+      rescue => e
+        puts e.inspect
         req.invalid_grant!
       end
     end
   end
 
-  # NOTE: extended assertion grant_types are not supported yet.
   def access_token(req, client)
+    refresh_token = find_refresh_token(req, client)
+    refresh_token.access_tokens.create!(:client => client, :user => refresh_token.user)
+  end
+
+  # NOTE: extended assertion grant_types are not supported yet.
+  # NOTE: client_credentials grant_types are not yet supported
+  def find_refresh_token(req, client)
     case req.grant_type
     when :authorization_code
       code = AuthorizationCode.valid.find_by_token(req.code)
-      return nil unless code.valid_request?(req)
-      code.access_token.build
+      raise InvalidGrantType.new('invalid authorization code') unless code && code.valid_request?(req)
+      client.refresh_tokens.create! :user => code.user
     when :password
       resource = mapping.to.find_for_authentication(mapping.to.authentication_keys.first => req.username)
-      return nil unless resource && resource.respond_to?(:valid_password?)
+      raise InvalidGrantType.new('user not found') unless resource
+      raise InvalidGrantType.new('user does not support password authentication') unless resource.respond_to?(:valid_password?)
       valid = resource.valid_for_authentication? { resource.valid_password?(req.password) }
-      return nil unless valid.is_a?(TrueClass)
-      resource.access_tokens.build(:client => client)
-    when :client_credentials
-      # NOTE: client is already authenticated here.
-      client.access_tokens.build
+      raise InvalidGrantType.new("authentication failed: #{valid}") unless valid.is_a?(TrueClass)
+      client.refresh_tokens.create! :user => resource
     when :refresh_token
       refresh_token = client.refresh_tokens.valid.find_by_token(req.refresh_token)
-      return nil unless refresh_token.present?
-      refresh_token.access_tokens.build(:client => client, :user => refresh_token.user)
+      raise InvalidGrantType.new('refresh token not found') unless refresh_token
+      refresh_token
     else
-      nil
+      raise InvalidGrantType.new('invalid grant type')
     end
   end
   def mapping

data/spec/rails_app/db/schema.rb

@@ -15,6 +15,7 @@ ActiveRecord::Schema.define(:version => 20110511210926) do
   create_table "access_tokens", :force => true do |t|
     t.integer  "user_id"
     t.integer  "client_id"
+    t.integer  "refresh_token_id"
     t.string   "token"
     t.datetime "expires_at"
     t.datetime "created_at"

data/spec/rails_app/spec/integration/token_endpoint_spec.rb

@@ -1,6 +1,35 @@
 require 'spec_helper'
 
 describe TokenEndpoint do
+  describe 'refresh_token grant type' do
+    context 'with valid params' do
+      before do
+        @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test'
+        @client = Client.create! :name => 'example', :redirect_uri => 'http://localhost', :website => 'http://localhost'
+        @refresh_token = @client.refresh_tokens.create! :user => @user
+        params = {
+          :grant_type => 'refresh_token',
+          :client_id => @client.identifier,
+          :client_secret => @client.secret,
+          :refresh_token => @refresh_token.token
+        }
+
+        post '/oauth2/token', params
+      end
+      it { response.code.to_i.should == 200 }
+      it 'returns json' do
+        token = AccessToken.last
+        refresh_token = @refresh_token
+        expected = {
+          :token_type => 'bearer',
+          :expires_in => 899,
+          :refresh_token => refresh_token.token,
+          :access_token => token.token
+        }
+        response.body.should == expected.to_json
+      end
+    end
+  end
   describe 'password grant type' do
     context 'with valid params' do
       before do
@@ -30,7 +59,6 @@ describe TokenEndpoint do
         response.body.should == expected.to_json
       end
     end
-
     context 'with invalid params' do
       before do
         @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test'

data/spec/rails_app/spec/models/access_token_spec.rb

@@ -12,6 +12,25 @@ describe AccessToken do
     it { should belong_to :client }
     it { should validate_presence_of :client }
     it { should validate_presence_of :expires_at }
+    it { should belong_to :refresh_token }
+    it { should allow_mass_assignment_of :refresh_token }
+    it { should have_db_index :client_id }
+    it { should have_db_index :user_id }
+    it { should have_db_index :token }
+    it { should have_db_index :expires_at }
+  end
+
+  describe 'refresh token expires before access token expires_at' do
+    before do
+      @soon = 1.minute.from_now
+      client = Client.create! :name => 'test', :redirect_uri => 'http://localhost:3000', :website => 'http://localhost'
+      @refresh_token = client.refresh_tokens.create!
+      @refresh_token.expires_at = @soon
+      @access_token = AccessToken.create! :client => client, :refresh_token => @refresh_token
+    end
+    it 'should set the access token expires_at to equal refresh token' do
+      @access_token.expires_at.should eq @soon
+    end
   end
 end
 

data/spec/rails_app/spec/models/refresh_token_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe RefreshToken do
+  describe 'basic refresh token instance' do
+    subject do
+      client = Client.create! :name => 'test', :redirect_uri => 'http://localhost:3000', :website => 'http://localhost'
+      RefreshToken.create! :client => client
+    end
+    it { should validate_presence_of :token }
+    it { should validate_uniqueness_of :token }
+    it { should belong_to :user }
+    it { should belong_to :client }
+    it { should validate_presence_of :client }
+    it { should validate_presence_of :expires_at }
+    it { should have_many :access_tokens }
+    it { should have_db_index :client_id }
+    it { should have_db_index :user_id }
+    it { should have_db_index :token }
+    it { should have_db_index :expires_at }
+  end
+end

metadata

@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
   prerelease: 
   segments: 
   - 0
-  - 1
-  - 6
-  version: 0.1.6
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Ryan Sonnek
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-12 00:00:00 Z
+date: 2011-05-16 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rails
@@ -163,6 +163,7 @@ files:
 - spec/rails_app/spec/integration/token_endpoint_spec.rb
 - spec/rails_app/spec/models/access_token_spec.rb
 - spec/rails_app/spec/models/client_spec.rb
+- spec/rails_app/spec/models/refresh_token_spec.rb
 - spec/rails_app/spec/models/user_spec.rb
 - spec/rails_app/spec/spec_helper.rb
 - spec/rails_app/vendor/plugins/.gitkeep
@@ -249,6 +250,7 @@ test_files:
 - spec/rails_app/spec/integration/token_endpoint_spec.rb
 - spec/rails_app/spec/models/access_token_spec.rb
 - spec/rails_app/spec/models/client_spec.rb
+- spec/rails_app/spec/models/refresh_token_spec.rb
 - spec/rails_app/spec/models/user_spec.rb
 - spec/rails_app/spec/spec_helper.rb
 - spec/rails_app/vendor/plugins/.gitkeep