devise_oauth_token_authenticatable 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_oauth_token_authenticatable.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Marc Leglise
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,125 @@
+# Devise OauthTokenAuthenticatable
+
+Ruby gem that allows Rails 3 + Devise to authenticate users via an OAuth Access
+Token from a 3rd party provider.
+
+There are plenty of gems out there that deal with being an OAuth2 "consumer",
+where you redirect users to an OAuth2 "provider", allowing you to hand off
+authentication to a separate service. There are also plenty of gems that set
+you up as your own OAuth2 provider. ***BUT***, what happens when you want to
+separate your "authentication" server from your "resource" server?
+
+This gem is meant to be used on an API "resource" server, where you want to
+accept OAuth Access Tokens from a client, and validate them against a separate
+"authentication" server. This communication is outside the scope of the
+official [OAuth 2 spec](http://tools.ietf.org/html/draft-ietf-oauth-v2-27), but
+there is a need for it anyway.
+
+Comments and suggestions are welcome.
+
+## HERE BE DRAGONS!
+This gem is an extraction from another project, and I'm ashamed to say does not
+have any test coverage yet. If you have any suggestions for how to properly
+test a Devise module like this, please drop me a line.
+
+## Requirements
+
+* Devise authentication library
+* Rails 3.1 or higher
+
+## Installation
+
+### Add this line to your application's Gemfile:
+
+    gem 'devise_oauth_token_authenticatable'
+
+And then execute:
+
+    $ bundle
+
+### Configure Devise to point to your OAuth authorization server
+
+```ruby
+# config/initializers/devise.rb
+Devise.setup do |config|
+  # ==> Configuration for :oauth_token_authenticatable
+  config.oauth_client_id             = "app-id-goes-here"
+  config.oauth_client_secret         = "secret-key-goes-here"
+  config.oauth_token_validation_url  = "/oauth/verify_credentials"
+  config.oauth_client_options        = {
+    site: "https://your.oauth.host.com",
+    token_method: :get
+  }
+end
+```
+
+### Configure User to support Access Token authentication
+
+You must define the class method `find_for_oauth_token_authentication`, which
+will be called by Devise when trying to lookup the user record. It will receive
+one string parameter, the Access Token string, as provided by the client.
+
+Your method can then call `validate_oauth_token`, which will do the heavy
+lifting of contacting your OAuth Authentication Server at the
+token_validation_url and returning an
+[OAuth2::AccessToken](https://github.com/intridea/oauth2) object. Your method
+can then act as appropriate with the returned data, including using the object
+to make additional calls to the Authentication Server.
+
+Your method should return `nil` if the user cannot be authenticated, or an
+initialized (and persisted) User object if successful.
+
+NOTE: The docs all refer to the `User` model, but it can be whatever model you
+use with Devise.
+
+```ruby
+class User
+  devise :oauth_token_authenticatable
+  
+  def self.find_for_oauth_token_authentication(token_str)
+    access_token = validate_oauth_token(token_str)
+    return nil unless access_token
+    User.find_or_create_by_email( access_token.params['email'] )
+  end
+end
+```
+
+## Practical Application
+
+So what does this give you?
+
+A client application can now make calls to your app, providing an access token
+in either of two ways.
+
+### Option 1: Query string param
+
+    http://your.app.com/api/cool_stuff?access_token=1234abc
+
+### Option 2: Header param
+
+    GET /api/cool_stuff HTTP/1.1
+    Authorization: Bearer 1234abc
+    Host: your.app.com
+
+Then, anywhere you would normally call `current_user` with Devise, it will be
+automatically interpreted and turned into a real user object. But it's not
+based on the session or cookie, it's based on the Access Token!
+
+## To Do
+
+* Add tests!
+* Remove the dependency on `rack-oauth2`
+* Better error handling
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Credits
+
+This gem was developed by Marc Leglise.
+It borrows heavily from [devise\_oauth2\_providable](https://github.com/socialcast/devise_oauth2_providable)

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/devise_oauth_token_authenticatable.gemspec

@@ -0,0 +1,33 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/devise/oauth_token_authenticatable/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name          = "devise_oauth_token_authenticatable"
+  gem.version       = Devise::OauthTokenAuthenticatable::VERSION
+  gem.authors       = ["Marc Leglise"]
+  gem.email         = ["mleglise@gmail.com"]
+  gem.summary       = %q{Allows Rails 3 + Devise to authenticate users via an OAuth Access Token from a 3rd party provider.}
+  gem.description   = %q{
+There are plenty of gems out there that deal with being an OAuth2 "consumer",
+where you redirect users to an OAuth2 "provider", allowing you to hand off
+authentication to a separate service. There are also plenty of gems that set
+you up as your own OAuth2 provider. ***BUT***, what happens when you want to
+separate your "authentication" server from your "resource" server?
+
+This gem is meant to be used on an API "resource" server, where you want to
+accept OAuth Access Tokens from a client, and validate them against a separate
+"authentication" server. This communication is outside the scope of the
+official OAuth 2 spec, but there is a need for it anyway.
+  }
+  gem.homepage      = "https://github.com/mleglise/devise_oauth_token_authenticatable"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_runtime_dependency("rails", [">= 3.1.0"])
+  gem.add_runtime_dependency("devise", [">= 2.1.0"])
+  gem.add_runtime_dependency("oauth2", ["~> 0.6.1"])
+  gem.add_runtime_dependency("rack-oauth2", [">= 0.14.0"])
+end

data/lib/devise/oauth_token_authenticatable/models/oauth_token_authenticatable.rb

@@ -0,0 +1,67 @@
+# Originally based on:
+# https://github.com/socialcast/devise_oauth2_providable/blob/master/lib/devise/oauth2_providable/models/oauth2_password_grantable.rb
+
+require 'devise/models'
+
+module Devise
+  module Models
+    # The OauthTokenAuthenticatable module is responsible for validating an authentication token
+    # and returning basic data about the account.
+    #
+    # == Options
+    #
+    # OauthTokenAuthenticatable adds the following options to devise_for:
+    #
+    #   * +oauth_token_validation_url+: Defines the relative URL path to validate a given Access Token. E.g. /api/getUserInfoByAccessToken
+    #   * +oauth_client_id+: Your app ID, as registered with your authentication server.
+    #   * +oauth_client_secret+: Your app secret, provided by your authentication server.
+    #   * +oauth_client_options+: A hash of options passed to the OAuth2::Client. Should include the 'site' param.
+    #
+    module OauthTokenAuthenticatable
+      extend ActiveSupport::Concern
+
+      # Hook called after oauth token authentication.
+      def after_oauth_token_authentication
+      end
+
+      module ClassMethods
+        def find_for_oauth_token_authentication(conditions)
+          raise NotImplementedError, "You must define find_for_oauth_token_authentication in your User model"
+        end
+
+        def validate_oauth_token(token_str)
+          # Make a new OAuth2 client and call the validation URL
+          @@client ||= ::OAuth2::Client.new(oauth_client_id, oauth_client_secret, oauth_client_options)
+          params = {                # Params for client.request
+            client_id: oauth_client_id,
+            access_token: token_str
+          }
+          access_token_opts = {}    # Params initializing AccessToken object
+
+          opts = {}
+          if @@client.options[:token_method] == :post
+            headers = params.delete(:headers)
+            opts[:body] = params
+            opts[:headers] =  {'Content-Type' => 'application/x-www-form-urlencoded'}
+            opts[:headers].merge!(headers) if headers
+          else
+            opts[:params] = params
+          end
+
+          response = @@client.request(@@client.options[:token_method], oauth_token_validation_url, opts)
+          # Return the OAuth2::AccessToken object
+          raise ::OAuth2::Error.new(response) if @@client.options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+          ::OAuth2::AccessToken.from_hash(@@client, response.parsed.merge(access_token_opts))
+        end
+
+        Devise::Models.config(self,
+          :oauth_token_validation_url,
+          :oauth_client_id,
+          :oauth_client_secret,
+          :oauth_client_options
+        )
+      end
+
+    end # OauthTokenAuthenticatable
+  end # Models
+end # Devise

data/lib/devise/oauth_token_authenticatable/strategies/oauth_token_authenticatable_strategy.rb

@@ -0,0 +1,47 @@
+# Originally based on:
+# https://github.com/socialcast/devise_oauth2_providable/blob/master/lib/devise/oauth2_providable/strategies/oauth2_providable_strategy.rb
+
+require 'devise/strategies/base'
+
+# TODO: Specify a failure app that's custom for this strategy.
+# If the strategy was valid (because it had an access token in the header or params)
+# but it failed, then the responses should be in the 4XX range, not 3XX redirects
+
+module Devise
+  module Strategies
+    class OauthTokenAuthenticatable < Authenticatable
+
+      def valid?
+        @req = Rack::OAuth2::Server::Resource::Bearer::Request.new(env)
+        @req.oauth2?
+      end
+
+      def authenticate!
+        @req.setup!
+        resource = mapping.to.find_for_oauth_token_authentication( @req.access_token )
+        if validate(resource)
+          resource.after_oauth_token_authentication
+          success! resource
+        elsif !halted?
+          fail(:invalid_token)
+        end
+      end
+
+      # Do not store OauthToken validation in session.
+      # This forces the strategy to check the token on every request.
+      def store?
+        false
+      end
+
+    private
+
+      # Do not use remember_me behavior with token.
+      def remember_me?
+        false
+      end
+
+    end # OauthTokenAuthenticatable
+  end # Strategies
+end # Devise
+
+Warden::Strategies.add(:oauth_token_authenticatable, Devise::Strategies::OauthTokenAuthenticatable)

data/lib/devise/oauth_token_authenticatable/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module OauthTokenAuthenticatable
+    VERSION = "0.0.1"
+  end
+end

data/lib/devise_oauth_token_authenticatable.rb

@@ -0,0 +1,47 @@
+# Originally based on:
+# https://github.com/socialcast/devise_oauth2_providable/blob/master/lib/devise_oauth2_providable.rb
+
+require 'devise'
+require 'oauth2'
+require 'rack/oauth2'
+require 'devise/oauth_token_authenticatable/strategies/oauth_token_authenticatable_strategy'
+require 'devise/oauth_token_authenticatable/models/oauth_token_authenticatable'
+require 'devise/oauth_token_authenticatable/version'
+
+module Devise
+  module OauthTokenAuthenticatable
+    CLIENT_ENV_REF = 'oauth2.client'
+  end
+
+  # Relative URL path to validate a given Access Token. E.g. /oauth/verify_credentials
+  mattr_accessor :oauth_token_validation_url
+  @@oauth_token_validation_url = nil
+
+  # Client ID for connecting to the authentication server.
+  mattr_accessor :oauth_client_id
+  @@oauth_client_id = nil
+
+  # Client Secret for connecting to the authentication server.
+  mattr_accessor :oauth_client_secret
+  @@oauth_client_secret = nil
+
+  # Client options hash, passed directly to ::OAuth2::Client.new
+  # From the OAuth2 documentation...
+  # @param [Hash] opts the options to create the client with
+  # @option opts [String] :site the OAuth2 provider site host
+  # @option opts [String] :authorize_url ('/oauth/authorize') absolute or relative URL path to the Authorization endpoint
+  # @option opts [String] :token_url ('/oauth/token') absolute or relative URL path to the Token endpoint
+  # @option opts [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+  # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
+  # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
+  # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
+  #  on responses with 400+ status codes
+  mattr_accessor :oauth_client_options
+  @@oauth_client_options = {}
+
+end
+
+Devise.add_module(:oauth_token_authenticatable,
+  :strategy => true,
+  :model => 'devise/oauth_token_authenticatable/models/oauth_token_authenticatable'
+)

metadata

@@ -0,0 +1,149 @@
+--- !ruby/object:Gem::Specification 
+name: devise_oauth_token_authenticatable
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Marc Leglise
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-07-09 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 3
+        - 1
+        - 0
+        version: 3.1.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: devise
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 1
+        - 0
+        version: 2.1.0
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: oauth2
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 0
+        - 6
+        - 1
+        version: 0.6.1
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rack-oauth2
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 39
+        segments: 
+        - 0
+        - 14
+        - 0
+        version: 0.14.0
+  type: :runtime
+  version_requirements: *id004
+description: "\n\
+  There are plenty of gems out there that deal with being an OAuth2 \"consumer\",\n\
+  where you redirect users to an OAuth2 \"provider\", allowing you to hand off\n\
+  authentication to a separate service. There are also plenty of gems that set\n\
+  you up as your own OAuth2 provider. ***BUT***, what happens when you want to\n\
+  separate your \"authentication\" server from your \"resource\" server?\n\n\
+  This gem is meant to be used on an API \"resource\" server, where you want to\n\
+  accept OAuth Access Tokens from a client, and validate them against a separate\n\
+  \"authentication\" server. This communication is outside the scope of the\n\
+  official OAuth 2 spec, but there is a need for it anyway.\n  "
+email: 
+- mleglise@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- devise_oauth_token_authenticatable.gemspec
+- lib/devise/oauth_token_authenticatable/models/oauth_token_authenticatable.rb
+- lib/devise/oauth_token_authenticatable/strategies/oauth_token_authenticatable_strategy.rb
+- lib/devise/oauth_token_authenticatable/version.rb
+- lib/devise_oauth_token_authenticatable.rb
+has_rdoc: true
+homepage: https://github.com/mleglise/devise_oauth_token_authenticatable
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: Allows Rails 3 + Devise to authenticate users via an OAuth Access Token from a 3rd party provider.
+test_files: []
+