devise_oauth2_token_bearer_authenticatable 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/.rspec

@@ -0,0 +1,3 @@
+--colour
+--format documentation
+

data/CONTRIBUTORS.txt

@@ -0,0 +1,6 @@
+Ryan Sonnek - Original Author
+
+
+Complete list of contributors:
+https://github.com/socialcast/devise_oauth2_token_bearer_authenticatable/contributors
+

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in devise_oauth2_token_bearer_authenticatable.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright (c) 2011 Socialcast, Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,20 @@
+# devise_oauth2_token_bearer_authenticatable
+
+Support OAuth2 authentication for your API.
+
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15
+
+## Contributing
+ 
+* Fork the project
+* Fix the issue
+* Add unit tests
+* Submit pull request on github
+
+See CONTRIBUTORS.txt for list of project contributors
+
+## Copyright
+
+Copyright (c) 2011 Socialcast, Inc. 
+See LICENSE.txt for further details.
+

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec
+

data/app/controllers/oauth2/authorizations_controller.rb

@@ -0,0 +1,52 @@
+class Oauth2::AuthorizationsController < ApplicationController
+  before_filter :authenticate_user!
+
+  rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+    @error = e
+    render :error, :status => e.status
+  end
+
+  def new
+    respond *authorize_endpoint.call(request.env)
+  end
+
+  def create
+    respond *authorize_endpoint(:allow_approval).call(request.env)
+  end
+
+  private
+
+  def respond(status, header, response)
+    ["WWW-Authenticate"].each do |key|
+      headers[key] = header[key] if header[key].present?
+    end
+    if response.redirect?
+      redirect_to header['Location']
+    else
+      render :new
+    end
+  end
+
+  def authorize_endpoint(allow_approval = false)
+    Rack::OAuth2::Server::Authorize.new do |req, res|
+      @client = Client.find_by_identifier(req.client_id) || req.bad_request!
+      res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@client.redirect_uri)
+      if allow_approval
+        if params[:approve].present?
+          case req.response_type
+          when :code
+            authorization_code = current_user.authorization_codes.create(:client_id => @client, :redirect_uri => @redirect_uri)
+            res.code = authorization_code.token
+          when :token
+            res.access_token = current_user.access_tokens.create(:client_id => @client).to_bearer_token
+          end
+          res.approve!
+        else
+          req.access_denied!
+        end
+      else
+        @response_type = req.response_type
+      end
+    end
+  end
+end

data/app/models/access_token.rb

@@ -0,0 +1,33 @@
+require 'oauth2_token'
+
+class AccessToken < ActiveRecord::Base
+  include Oauth2Token
+  self.default_lifetime = 15.minutes
+  belongs_to :refresh_token
+
+  def to_bearer_token(with_refresh_token = false)
+    bearer_token = Rack::OAuth2::AccessToken::Bearer.new(
+      :access_token => self.token,
+      :expires_in => self.expires_in
+    )
+    if with_refresh_token
+      bearer_token.refresh_token = self.create_refresh_token(
+        :user => self.user,
+        :client => self.client
+      ).token
+    end
+    p bearer_token.token_response
+    bearer_token
+  end
+
+  private
+
+  def setup
+    super
+    if refresh_token
+      self.user = refresh_token.user
+      self.client = refresh_token.client
+      self.expires_at = [self.expires_at, refresh_token.expires_at].min
+    end
+  end
+end

data/app/models/authorization_code.rb

@@ -0,0 +1,9 @@
+require 'oauth2_token'
+
+class AuthorizationCode < ActiveRecord::Base
+  include Oauth2Token
+
+  def access_token
+    @access_token ||= expired! && user.access_tokens.create(:client => client)
+  end
+end

data/app/models/client.rb

@@ -0,0 +1,15 @@
+class Client < ActiveRecord::Base
+  has_many :access_tokens
+  has_many :refresh_tokens
+
+  before_validation :setup, :on => :create
+  validates :name, :website, :redirect_uri, :secret, :presence => true
+  validates :identifier, :presence => true, :uniqueness => true
+
+  private
+
+  def setup
+    self.identifier = ActiveSupport::SecureRandom.base64(16)
+    self.secret = ActiveSupport::SecureRandom.base64
+  end
+end

data/app/models/refresh_token.rb

@@ -0,0 +1,7 @@
+require 'oauth2_token'
+
+class RefreshToken < ActiveRecord::Base
+  include Oauth2Token
+  self.default_lifetime = 1.month
+  has_many :access_tokens
+end

data/app/views/oauth2/authorizations/_form.html.erb

@@ -0,0 +1,7 @@
+<%= form_tag oauth2_authorizations_path, :class => action do %>
+  <%= hidden_field_tag :client_id, client.identifier %>
+  <%= hidden_field_tag :response_type, response_type %>
+  <%= hidden_field_tag :redirect_uri, redirect_uri %>
+  <%= submit_tag action.to_s.capitalize %>
+  <%= hidden_field_tag action, true %>
+<% end %>

data/app/views/oauth2/authorizations/error.html.erb

@@ -0,0 +1,4 @@
+<h2>Invalid Authorization Request</h2>
+<h3><%= @error.error %></h3>
+<p><%= @error.description %></p>
+

data/app/views/oauth2/authorizations/new.html.erb

@@ -0,0 +1,5 @@
+<h2><%= link_to @client.name, @client.website %> is permission to access your resources.</h2>
+
+<%= render 'oauth2/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %>
+<%= render 'oauth2/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %>
+

data/config/routes.rb

@@ -0,0 +1,8 @@
+require 'token_endpoint'
+Rails.application.routes.draw do |map|
+  namespace 'oauth2' do
+    resources :authorizations, :only => :create
+  end
+  match 'oauth2/authorize', :to => 'oauth2/authorizations#new'
+  post 'oauth2/token', :to => proc { |env| TokenEndpoint.new.call(env) }
+end

data/devise_oauth2_token_bearer_authenticatable.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise_oauth2_token_bearer_authenticatable/version"
+
+Gem::Specification.new do |s|
+  s.name        = "devise_oauth2_token_bearer_authenticatable"
+  s.version     = DeviseOauth2TokenBearerAuthenticatable::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Ryan Sonnek"]
+  s.email       = ["ryan@socialcast.com"]
+  s.homepage    = ""
+  s.summary     = %q{OAuth2 Provider for Rails3 applications}
+  s.description = %q{add OAuth2 authentication to rails3 application}
+
+  s.rubyforge_project = "devise_oauth2_token_bearer_authenticatable"
+
+  s.add_runtime_dependency(%q<rails>, ["~> 3.0.7"])
+  s.add_runtime_dependency(%q<devise>, ["~> 1.3.3"])
+  s.add_runtime_dependency(%q<rack-oauth2>, ["~> 0.6.3"])
+  s.add_development_dependency(%q<rspec>, ['>= 2.5.0'])
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/devise_oauth2_token_bearer_authenticatable.rb

@@ -0,0 +1,18 @@
+require 'devise'
+require 'rack/oauth2'
+require 'devise_oauth2_token_bearer_authenticatable/strategy'
+require 'devise_oauth2_token_bearer_authenticatable/model'
+require 'devise_oauth2_token_bearer_authenticatable/schema'
+require 'devise_oauth2_token_bearer_authenticatable/engine'
+
+module Devise
+  module Oauth2TokenBearerAuthenticatable
+  # Your code goes here...
+    
+  end
+end
+
+Devise.add_module(:oauth2_token_bearer_authenticatable,
+  :strategy => true,
+  :model => 'devise_oauth2_token_bearer_authenticatable/model')
+

data/lib/devise_oauth2_token_bearer_authenticatable/engine.rb

@@ -0,0 +1,12 @@
+module Devise
+  module Oauth2TokenBearerAuthenticatable
+    class Engine < Rails::Engine
+      initializer "devise_oauth2_token_bearer_authenticatable.initialize_application" do |app|
+        app.middleware.use Rack::OAuth2::Server::Resource::Bearer, 'OAuth2 Bearer Token Resources' do |req|
+          AccessToken.valid.find_by_token(req.access_token) || req.invalid_token!
+        end
+      end
+    end
+  end
+end
+

data/lib/devise_oauth2_token_bearer_authenticatable/model.rb

@@ -0,0 +1,13 @@
+require 'devise/models'
+
+module Devise
+  module Models
+    module Oauth2TokenBearerAuthenticatable
+      extend ActiveSupport::Concern
+      included do
+        has_many :access_tokens
+        has_many :authorization_codes
+      end
+    end
+  end
+end

data/lib/devise_oauth2_token_bearer_authenticatable/schema.rb

@@ -0,0 +1,54 @@
+require 'devise/schema'
+
+module Devise
+  module Oauth2TokenBearerAuthenticatable
+    module Schema
+      def self.up(migration)
+        migration.create_table :clients do |t|
+          t.string :name
+          t.string :redirect_uri
+          t.string :website
+          t.string :identifier
+          t.string :secret
+          t.timestamps
+        end
+        migration.add_index :clients, :identifier
+
+        migration.create_table :access_tokens do |t|
+          t.belongs_to :user, :client
+          t.string :token
+          t.datetime :expires_at
+          t.timestamps
+        end
+        migration.add_index :access_tokens, :token
+        migration.add_index :access_tokens, :expires_at
+
+        migration.create_table :refresh_tokens do |t|
+          t.belongs_to :user, :client
+          t.string :token
+          t.datetime :expires_at
+          t.timestamps
+        end
+        migration.add_index :refresh_tokens, :token
+        migration.add_index :refresh_tokens, :expires_at
+
+        migration.create_table :authorization_codes do |t|
+          t.belongs_to :user, :client
+          t.string :token
+          t.datetime :expires_at
+          t.string :redirect_uri
+          t.timestamps
+        end
+        migration.add_index :authorization_codes, :token
+        migration.add_index :authorization_codes, :expires_at
+      end
+
+      def self.down(migration)
+        migration.drop_table :refresh_tokens
+        migration.drop_table :access_tokens
+        migration.drop_table :clients
+      end
+    end
+  end
+end
+

data/lib/devise_oauth2_token_bearer_authenticatable/strategy.rb

@@ -0,0 +1,19 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class Oauth2TokenBearerAuthenticatable < Base
+      def valid?
+        env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN].present?
+      end
+      def authenticate!
+        token = AccessToken.valid.find_by_token env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
+        raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized unless token
+        raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(:invalid_token, 'User token is required') unless token.user
+        success! token.user
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_token_bearer_authenticatable, Devise::Strategies::Oauth2TokenBearerAuthenticatable)

data/lib/devise_oauth2_token_bearer_authenticatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseOauth2TokenBearerAuthenticatable
+  VERSION = "0.0.1"
+end

data/lib/oauth2_token.rb

@@ -0,0 +1,37 @@
+module Oauth2Token
+  def self.included(klass)
+    klass.class_eval do
+      cattr_accessor :default_lifetime
+      self.default_lifetime = 1.minute
+
+      belongs_to :user
+      belongs_to :client
+
+      before_validation :setup, :on => :create
+      validates :client, :expires_at, :presence => true
+      validates :token, :presence => true, :uniqueness => true
+
+      # TODO: this should be a default scope once rails default_scope supports lambda's
+      scope :valid, lambda {
+        where(self.arel_table[:expires_at].gteq(Time.now.utc))
+      }
+    end
+  end
+
+  def expires_in
+    (expires_at - Time.now.utc).to_i
+  end
+
+  def expired!
+    self.expires_at = Time.now.utc
+    self.save!
+  end
+
+  private
+
+  def setup
+    self.token = ActiveSupport::SecureRandom.base64(16)
+    self.expires_at ||= self.default_lifetime.from_now
+  end
+end
+

data/lib/token_endpoint.rb

@@ -0,0 +1,37 @@
+class TokenEndpoint
+
+  def call(env)
+    authenticator.call(env)
+  end
+
+  private
+
+  def authenticator
+    Rack::OAuth2::Server::Token.new do |req, res|
+      client = Client.find_by_identifier(req.client_id) || req.invalid_client!
+      client.secret == req.client_secret || req.invalid_client!
+      case req.grant_type
+      when :authorization_code
+        code = AuthorizationCode.valid.find_by_token(req.code)
+        req.invalid_grant! if code.blank? || code.redirect_uri != req.redirect_uri
+        res.access_token = code.access_token.to_bearer_token(:with_refresh_token)
+      when :password
+        user = User.find_by_email(req.username) || req.invalid_grant!
+        req.invalid_grant! unless user.valid_password?(req.password)
+        res.access_token = user.access_tokens.create(:client => client).to_bearer_token(:with_refresh_token)
+      when :client_credentials
+        # NOTE: client is already authenticated here.
+        res.access_token = client.access_tokens.create.to_bearer_token
+      when :refresh_token
+        refresh_token = client.refresh_tokens.valid.find_by_token(req.refresh_token)
+        req.invalid_grant! unless refresh_token
+        res.access_token = refresh_token.access_tokens.create.to_bearer_token
+      else
+        # NOTE: extended assertion grant_types are not supported yet.
+        req.unsupported_grant_type!
+      end
+    end
+  end
+
+end
+

data/spec/devise_oauth2_token_bearer_authenticatable_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe Devise::Oauth2TokenBearerAuthenticatable do
+  it 'should be defined' do
+    # success
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,29 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'devise_oauth2_token_bearer_authenticatable'
+
+# Requires supporting ruby files with custom matchers and macros, etc,
+# in spec/support/ and its subdirectories.
+# Dir[Rails.root.join("spec/support/**/*.rb")].each {|f| require f}
+
+# include Devise::TestHelpers
+
+RSpec.configure do |config|
+  # == Mock Framework
+  #
+  # If you prefer to use mocha, flexmock or RR, uncomment the appropriate line:
+  #
+  # config.mock_with :mocha
+  # config.mock_with :flexmock
+  # config.mock_with :rr
+  config.mock_with :rspec
+
+  # Remove this line if you're not using ActiveRecord or ActiveRecord fixtures
+  # config.fixture_path = "#{::Rails.root}/spec/fixtures"
+
+  # If you're not using ActiveRecord, or you'd prefer not to run each of your
+  # examples within a transaction, remove the following line or assign false
+  # instead of true.
+  # config.use_transactional_fixtures = true
+end

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification 
+name: devise_oauth2_token_bearer_authenticatable
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Ryan Sonnek
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-25 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 9
+        segments: 
+        - 3
+        - 0
+        - 7
+        version: 3.0.7
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: devise
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 29
+        segments: 
+        - 1
+        - 3
+        - 3
+        version: 1.3.3
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rack-oauth2
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 0
+        - 6
+        - 3
+        version: 0.6.3
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 2
+        - 5
+        - 0
+        version: 2.5.0
+  type: :development
+  version_requirements: *id004
+description: add OAuth2 authentication to rails3 application
+email: 
+- ryan@socialcast.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- .rspec
+- CONTRIBUTORS.txt
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- app/controllers/oauth2/authorizations_controller.rb
+- app/models/access_token.rb
+- app/models/authorization_code.rb
+- app/models/client.rb
+- app/models/refresh_token.rb
+- app/views/oauth2/authorizations/_form.html.erb
+- app/views/oauth2/authorizations/error.html.erb
+- app/views/oauth2/authorizations/new.html.erb
+- config/routes.rb
+- devise_oauth2_token_bearer_authenticatable.gemspec
+- lib/devise_oauth2_token_bearer_authenticatable.rb
+- lib/devise_oauth2_token_bearer_authenticatable/engine.rb
+- lib/devise_oauth2_token_bearer_authenticatable/model.rb
+- lib/devise_oauth2_token_bearer_authenticatable/schema.rb
+- lib/devise_oauth2_token_bearer_authenticatable/strategy.rb
+- lib/devise_oauth2_token_bearer_authenticatable/version.rb
+- lib/oauth2_token.rb
+- lib/token_endpoint.rb
+- spec/devise_oauth2_token_bearer_authenticatable_spec.rb
+- spec/spec_helper.rb
+homepage: ""
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: devise_oauth2_token_bearer_authenticatable
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: OAuth2 Provider for Rails3 applications
+test_files: 
+- spec/devise_oauth2_token_bearer_authenticatable_spec.rb
+- spec/spec_helper.rb