devise_oauth_token_authenticatable 0.0.1 → 0.0.2

data/.gitignore

@@ -3,6 +3,7 @@
 .bundle
 .config
 .yardoc
+.DS_Store
 Gemfile.lock
 InstalledFiles
 _yardoc
@@ -15,3 +16,6 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+log
+*.log
+*.sqlite3

data/README.md

@@ -17,11 +17,6 @@ there is a need for it anyway.
 
 Comments and suggestions are welcome.
 
-## HERE BE DRAGONS!
-This gem is an extraction from another project, and I'm ashamed to say does not
-have any test coverage yet. If you have any suggestions for how to properly
-test a Devise module like this, please drop me a line.
-
 ## Requirements
 
 * Devise authentication library
@@ -107,8 +102,7 @@ based on the session or cookie, it's based on the Access Token!
 
 ## To Do
 
-* Add tests!
-* Remove the dependency on `rack-oauth2`
+* Add more tests!
 * Better error handling
 
 ## Contributing

data/Rakefile

@@ -1,2 +1,6 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/devise_oauth_token_authenticatable.gemspec

@@ -29,5 +29,11 @@ official OAuth 2 spec, but there is a need for it anyway.
   gem.add_runtime_dependency("rails", [">= 3.1.0"])
   gem.add_runtime_dependency("devise", [">= 2.1.0"])
   gem.add_runtime_dependency("oauth2", ["~> 0.6.1"])
-  gem.add_runtime_dependency("rack-oauth2", [">= 0.14.0"])
+  gem.add_development_dependency('rspec-rails', ['>= 2.6.1'])
+  gem.add_development_dependency('sqlite3', ['>= 1.3.5'])
+  gem.add_development_dependency('shoulda-matchers', ['>= 1.0.0.beta3'])
+  gem.add_development_dependency('factory_girl', ['>= 2.2.0'])
+  gem.add_development_dependency('factory_girl_rspec', ['>= 0.0.1'])
+  gem.add_development_dependency('rake', ['>= 0.9.2.2'])
+  gem.add_development_dependency('webmock', ['>= 1.8.8'])
 end

data/lib/devise/oauth_token_authenticatable/strategies/oauth_token_authenticatable_strategy.rb

@@ -11,20 +11,33 @@ module Devise
   module Strategies
     class OauthTokenAuthenticatable < Authenticatable
 
+      # Return true or false, indicating if this strategy is applicable
       def valid?
-        @req = Rack::OAuth2::Server::Resource::Bearer::Request.new(env)
-        @req.oauth2?
+        @token = setup!
+        @token.present?
       end
 
       def authenticate!
-        @req.setup!
-        resource = mapping.to.find_for_oauth_token_authentication( @req.access_token )
+        resource = mapping.to.find_for_oauth_token_authentication( @token )
         if validate(resource)
           resource.after_oauth_token_authentication
           success! resource
         elsif !halted?
           fail(:invalid_token)
         end
+      rescue ::OAuth2::Error
+        oauth_error! :invalid_token, 'invalid access token'
+      end
+
+      # This method copied in from 'devise_oauth2_providable'
+      # lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb
+      # return custom error response in accordance with the oauth spec
+      # see http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.3
+      def oauth_error!(error_code = :invalid_request, description = nil)
+        body = {:error => error_code}
+        body[:error_description] = description if description
+        custom! [401, {'Content-Type' => 'application/json'}, [body.to_json]]
+        throw :warden
       end
 
       # Do not store OauthToken validation in session.
@@ -35,6 +48,31 @@ module Devise
 
     private
 
+      def setup!
+        tokens = [access_token_in_header, access_token_in_payload].compact
+        return case Array(tokens).size
+        when 0
+          nil
+        when 1
+          tokens.first
+        else
+          invalid_request!('Both Authorization header and payload includes access token.')
+        end
+      end
+
+      def access_token_in_header
+        @auth_header = Rack::Auth::AbstractRequest.new(env)
+        if @auth_header.provided? && @auth_header.scheme == :bearer
+          @auth_header.params
+        else
+          nil
+        end
+      end
+
+      def access_token_in_payload
+        params['access_token']
+      end
+
       # Do not use remember_me behavior with token.
       def remember_me?
         false

data/lib/devise/oauth_token_authenticatable/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OauthTokenAuthenticatable
-    VERSION = "0.0.1"
+    VERSION = "0.0.2"
   end
 end

data/lib/devise_oauth_token_authenticatable.rb

@@ -3,7 +3,6 @@
 
 require 'devise'
 require 'oauth2'
-require 'rack/oauth2'
 require 'devise/oauth_token_authenticatable/strategies/oauth_token_authenticatable_strategy'
 require 'devise/oauth_token_authenticatable/models/oauth_token_authenticatable'
 require 'devise/oauth_token_authenticatable/version'

data/spec/controllers/protected_controller_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe ProtectedController do
+
+  describe 'get :index' do
+    before do
+      @token = '1234'
+      stub_request(:get, "http://oauth-test.com/api/getUserInfoByAccessToken?access_token=#{@token}&client_id=this-is-a-client-id").
+        to_return(
+          body: lambda {|request| "{\"access_token\":\"#{@token}\",\"token_type\":\"bearer\"}" },
+          # body: lambda {|request| "{\"access_token\":\"#{@token}\",\"token_type\":\"bearer\",\"email\":\"#{user.email}\"}" },
+          headers: { "content-type"=>"application/json; charset=UTF-8" },
+          status: 200
+        )
+      
+      stub_request(:get, "http://oauth-test.com/api/getUserInfoByAccessToken?access_token=invalid&client_id=this-is-a-client-id").
+        to_return(:status => 200, :body => "", :headers => {})
+    end
+
+    context 'with valid bearer token in header' do
+      before do
+        @request.env['HTTP_AUTHORIZATION'] = "Bearer #{@token}"
+        get :index, :format => 'json'
+      end
+      it { should respond_with :ok }
+    end
+
+    context 'with valid bearer token in query string' do
+      before do
+        get :index, :access_token => @token, :format => 'json'
+      end
+      it { should respond_with :ok }
+    end
+
+    context 'with invalid bearer token in query param' do
+      before do
+        get :index, :access_token => 'invalid', :format => 'json'
+      end
+      it { should respond_with :unauthorized }
+    end
+
+    context 'with valid bearer token in header and query string' do
+      before do
+      end
+      it 'raises error' do
+        lambda {
+          @request.env['HTTP_AUTHORIZATION'] = "Bearer #{@token}"
+          get :index, :access_token => @token, :format => 'json'
+        }.should raise_error
+      end
+    end
+
+    context 'with no token anywhere' do
+      before do
+        get :index, :format => 'json'
+      end
+      it { should respond_with :unauthorized }
+    end
+
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,7 @@
+// This is a manifest file that'll be compiled into including all the files listed below.
+// Add new JavaScript/Coffee code in separate files in this directory and they'll automatically
+// be included in the compiled file accessible from http://example.com/assets/application.js
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,7 @@
+/*
+ * This is a manifest file that'll automatically include all the stylesheets available in this directory
+ * and any sub-directories. You're free to add application-wide styles to this file and they'll appear at
+ * the top of the compiled file, but it's generally better to create a new file per style scope.
+ *= require_self
+ *= require_tree . 
+*/

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/spec/dummy/app/controllers/protected_controller.rb

@@ -0,0 +1,6 @@
+class ProtectedController < ApplicationController
+  before_filter :authenticate_user!
+  def index
+    render :nothing => true, :status => :ok
+  end
+end

data/spec/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/spec/dummy/app/models/user.rb

@@ -0,0 +1,12 @@
+class User < ActiveRecord::Base
+  devise :database_authenticatable, :oauth_token_authenticatable
+  
+  def self.find_for_oauth_token_authentication(conditions)
+    access_token = validate_oauth_token(conditions)
+    return nil unless access_token
+    
+    user = User.find_or_create_by_email( access_token.params['email'] )
+    
+    user
+  end
+end

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy</title>
+  <%= stylesheet_link_tag    "application" %>
+  <%= javascript_include_tag "application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/spec/dummy/config/application.rb

@@ -0,0 +1,51 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+Bundler.require
+require "devise_oauth_token_authenticatable"
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+
+    # Enable the asset pipeline
+    config.assets.enabled = true
+
+    # Version of your assets, change this if you want to expire all your assets
+    config.assets.version = '1.0'
+
+
+    # (optional) configure token expiration
+    # config.devise_oauth2_providable.access_token_expires_in         = 1.second # 15.minute default
+    # config.devise_oauth2_providable.refresh_token_expires_in        = 1.minute # 1.month default
+    # config.devise_oauth2_providable.authorization_token_expires_in  = 5.seconds # 1.minute default
+  end
+end
+

data/spec/dummy/config/boot.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/database.yml

@@ -0,0 +1,25 @@
+# SQLite version 3.x
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem 'sqlite3'
+development:
+  adapter: sqlite3
+  database: db/development.sqlite3
+  pool: 5
+  timeout: 5000
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  adapter: sqlite3
+  database: db/test.sqlite3
+  pool: 5
+  timeout: 5000
+
+production:
+  adapter: sqlite3
+  database: db/production.sqlite3
+  pool: 5
+  timeout: 5000

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,30 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # In the development environment your application's code is reloaded on
+  # every request.  This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Log error messages when you accidentally call methods on nil.
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Do not compress assets
+  config.assets.compress = false
+
+  # Expands the lines which load the assets
+  config.assets.debug = true
+end

data/spec/dummy/config/environments/production.rb

@@ -0,0 +1,60 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # Code is not reloaded between requests
+  config.cache_classes = true
+
+  # Full error reports are disabled and caching is turned on
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this)
+  config.serve_static_assets = false
+
+  # Compress JavaScripts and CSS
+  config.assets.compress = true
+
+  # Don't fallback to assets pipeline if a precompiled asset is missed
+  config.assets.compile = false
+
+  # Generate digests for assets URLs
+  config.assets.digest = true
+
+  # Defaults to Rails.root.join("public/assets")
+  # config.assets.manifest = YOUR_PATH
+
+  # Specifies the header that your server uses for sending files
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # See everything in the log (default is :info)
+  # config.log_level = :debug
+
+  # Use a different logger for distributed setups
+  # config.logger = SyslogLogger.new
+
+  # Use a different cache store in production
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
+  # config.assets.precompile += %w( search.js )
+
+  # Disable delivery errors, bad email addresses will be ignored
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable threaded mode
+  # config.threadsafe!
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation can not be found)
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners
+  config.active_support.deprecation = :notify
+end