doorkeeper-device_authorization_grant 0.1.0

data/app/controllers/doorkeeper/device_authorization_grant/device_codes_controller.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    # Device authorization endpoint for OAuth 2.0 Device Authorization Grant.
+    #
+    # @see https://tools.ietf.org/html/rfc8628#section-3.1 RFC 8628, section 3.1
+    class DeviceCodesController < ApplicationMetalController
+      def create
+        headers.merge!(authorize_response.headers)
+        render(json: authorize_response.body, status: authorize_response.status)
+      rescue Errors::DoorkeeperError => e
+        handle_token_exception(e)
+      end
+
+      private
+
+      def authorize_response
+        @authorize_response ||= strategy.authorize
+      end
+
+      # @return [Request::DeviceAuthorization]
+      def strategy
+        @strategy ||= Request::DeviceAuthorization.new(server)
+      end
+    end
+  end
+end

data/app/views/doorkeeper/device_authorization_grant/device_authorizations/index.html.erb

@@ -0,0 +1,19 @@
+<div class="border-bottom mb-4">
+  <h1><%= t('.title') %></h1>
+</div>
+
+<%= form_with(url: oauth_device_authorizations_authorize_url) do %>
+  <div class="form-group row">
+    <%= label_tag(:user_code, t('.user_code'), class: 'col-sm-2 col-form-label font-weight-bold') %>
+    <div class="col-sm-10">
+      <%= text_field_tag(:user_code, params[:user_code], class: 'form-control') %>
+    </div>
+  </div>
+
+  <div class="form-group">
+    <div class="col-sm-offset-2 col-sm-10">
+      <%= submit_tag(t('.authorize'), class: 'btn btn-primary') %>
+      <%= link_to t('.cancel'), oauth_device_authorizations_index_path, class: 'btn btn-secondary' %>
+    </div>
+  </div>
+<% end %>

data/config/locales/en.yml

@@ -0,0 +1,15 @@
+en:
+  doorkeeper:
+    device_authorization_grant:
+      device_authorizations:
+        index:
+          title: 'Authorize device'
+          user_code: 'User code'
+          authorize: 'Authorize'
+          cancel: 'Cancel'
+    flash:
+      device_codes:
+        authorize:
+          invalid_user_code: 'The user code is invalid'
+          expired_user_code: 'The user code is expired'
+          success: 'Device successfully authorized'

data/db/migrate/20200629094624_create_doorkeeper_device_grants.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class CreateDoorkeeperDeviceGrants < ActiveRecord::Migration[6.0]
+  def change
+    create_table :oauth_device_grants do |t|
+      t.references :resource_owner, null: true
+      t.references :application, null: false
+      t.string :device_code, null: false
+      t.string :user_code, null: true
+      t.integer :expires_in, null: false
+      t.datetime :created_at, null: false
+      t.datetime :last_polling_at, null: true
+      t.string :scopes, null: false, default: ''
+    end
+
+    add_index :oauth_device_grants, :device_code, unique: true
+    add_index :oauth_device_grants, :user_code, unique: true
+
+    add_foreign_key(
+      :oauth_device_grants,
+      :oauth_applications,
+      column: :application_id
+    )
+
+    # Uncomment below to ensure a valid reference to the resource owner's table
+    # add_foreign_key :oauth_device_grants, <model>, column: :resource_owner_id
+  end
+end

data/lib/doorkeeper/device_authorization_grant.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'doorkeeper'
+require 'active_model'
+require 'doorkeeper/device_authorization_grant/config'
+require 'doorkeeper/device_authorization_grant/engine'
+
+module Doorkeeper
+  # OAuth 2.0 Device Authorization Grant extension for Doorkeeper.
+  module DeviceAuthorizationGrant
+    autoload :DeviceGrant, 'doorkeeper/device_authorization_grant/orm/active_record/device_grant'
+    autoload :Errors, 'doorkeeper/device_authorization_grant/errors'
+    autoload :VERSION, 'doorkeeper/device_authorization_grant/version'
+
+    # Namespace for device authorization request strategies
+    module Request
+      autoload :DeviceAuthorization, 'doorkeeper/device_authorization_grant/request/device_authorization'
+    end
+
+    # Namespace for device authorization requests and responses
+    module OAuth
+      autoload :DeviceAuthorizationRequest, 'doorkeeper/device_authorization_grant/oauth/device_authorization_request'
+      autoload :DeviceAuthorizationResponse, 'doorkeeper/device_authorization_grant/oauth/device_authorization_response'
+      autoload :DeviceCodeRequest, 'doorkeeper/device_authorization_grant/oauth/device_code_request'
+
+      # Helper modules for device authorization
+      module Helpers
+        autoload :UserCode, 'doorkeeper/device_authorization_grant/oauth/helpers/user_code'
+      end
+    end
+
+    # Namespace for ORM integrations
+    module Orm
+      autoload :ActiveRecord, 'doorkeeper/device_authorization_grant/orm/active_record'
+    end
+
+    # Namespace for Rails integrations
+    module Rails
+      autoload :Routes, 'doorkeeper/device_authorization_grant/rails/routes'
+    end
+  end
+
+  # Doorkeeper Request namespace
+  module Request
+    autoload :DeviceCode, 'doorkeeper/request/device_code'
+  end
+end

data/lib/doorkeeper/device_authorization_grant/config.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant # rubocop:disable Style/Documentation
+    def self.configure(&block)
+      if ::Doorkeeper.configuration.orm != :active_record
+        raise UnsupportedConfiguration, 'Doorkeeper::DeviceAuthorizationGrant only supports ActiveRecord ORM'
+      end
+
+      @config = Config::Builder.new(Config.new, &block).build
+    end
+
+    # @return [::Doorkeeper::DeviceAuthorizationGrant::Config]
+    def self.configuration
+      @config || (raise MissingConfiguration)
+    end
+
+    # Error raised in case of missing configuration
+    class MissingConfiguration < StandardError
+      def initialize
+        super('Configuration for Doorkeeper::DeviceAuthorizationGrant missing. ' \
+              'Do you have Doorkeeper::DeviceAuthorizationGrant initializer?')
+      end
+    end
+
+    # Error raised when an unsupported configuration parameter is encountered
+    class UnsupportedConfiguration < StandardError; end
+
+    # Configuration model for Doorkeeper DeviceAuthorizationGrant
+    class Config
+      class Builder < Doorkeeper::Config::AbstractBuilder
+      end
+
+      def self.builder_class
+        Config::Builder
+      end
+
+      extend Doorkeeper::Config::Option
+
+      # @!attribute [r] device_code_polling_interval
+      #   Minimum device code polling interval expected from the client, expressed in seconds.
+      #   @return [Integer]
+      option :device_code_polling_interval, default: 5
+
+      # @!attribute [r] device_code_expires_in
+      #   Device code expiration time, in seconds.
+      #   @return [Integer]
+      option :device_code_expires_in, default: 300
+
+      # @!attribute [r] device_grant_class
+      #   Customizable reference to the DeviceGrant model.
+      #   @return [String]
+      option :device_grant_class, default: 'Doorkeeper::DeviceAuthorizationGrant::DeviceGrant'
+
+      # @!attribute [r] user_code_generator
+      #   Reference to a model (or class) for user code generation.
+      #
+      #   It must implement a `.generate` method, which can be invoked without
+      #   arguments, to obtain a String user code value.
+      #   @return [String]
+      option :user_code_generator, default: 'Doorkeeper::DeviceAuthorizationGrant::OAuth::Helpers::UserCode'
+
+      # @!attribute [r] verification_uri
+      #   A Proc returning the end-user verification URI on the authorization server.
+      #   @return [Proc]
+      option :verification_uri, default: ->(host_name) { "#{host_name}/oauth/device" }
+
+      # @!attribute [r] verification_uri_complete
+      #   A Proc returning the verification URI that includes the "user_code"
+      #   (or other information with the same function as the "user_code"), which is
+      #   designed for non-textual transmission. This is optional, so the Proc can
+      #   also return `nil`.
+      #   @return [Proc]
+      option(
+        :verification_uri_complete,
+        default: lambda do |verification_uri, _host_name, device_grant|
+          "#{verification_uri}?user_code=#{CGI.escape(device_grant.user_code)}"
+        end
+      )
+
+      # @return [Class]
+      def device_grant_model
+        @device_grant_model ||= device_grant_class.constantize
+      end
+
+      # @return [Class, Module]
+      def user_code_generator_class
+        @user_code_generator_class ||= user_code_generator.constantize
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/engine.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    # Doorkeeper DeviceAuthorizationGrant Rails Engine
+    class Engine < ::Rails::Engine
+      initializer 'doorkeeper.device_authorization_grant.routes' do
+        ::Doorkeeper::DeviceAuthorizationGrant::Rails::Routes.install!
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/errors.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module Errors
+      # The authorization request is still pending as the end user hasn't
+      # yet completed the user-interaction steps.
+      #
+      # The client SHOULD repeat the access token request to the token endpoint
+      # (a process known as polling). Before each new request, the client MUST
+      # wait at least the number of seconds specified by the "interval"
+      # parameter of the device authorization response, or 5 seconds if none
+      # was provided, and respect any increase in the polling interval
+      # required by the "slow_down" error.
+      class AuthorizationPending < ::Doorkeeper::Errors::DoorkeeperError
+        def type
+          :authorization_pending
+        end
+      end
+
+      # A variant of "authorization_pending", the authorization request is
+      # still pending and polling should continue, but the interval MUST be
+      # increased by 5 seconds for this and all subsequent requests.
+      class SlowDown < ::Doorkeeper::Errors::DoorkeeperError
+        def type
+          :slow_down
+        end
+      end
+
+      # The "device_code" has expired, and the device authorization session has
+      # concluded.
+      #
+      # The client MAY commence a new device authorization request but SHOULD
+      # wait for user interaction before restarting to avoid unnecessary
+      # polling.
+      class ExpiredToken < ::Doorkeeper::Errors::DoorkeeperError
+        def type
+          :expired_token
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/oauth/device_authorization_request.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module OAuth
+      # Doorkeeper request object for handling OAuth 2.0 Device Authorization Requests.
+      #
+      # @see https://tools.ietf.org/html/rfc8628#section-3.1 RFC 8628, sect. 3.1
+      class DeviceAuthorizationRequest < Doorkeeper::OAuth::BaseRequest
+        attr_accessor :server
+        attr_accessor :client
+
+        # @return [String]
+        attr_accessor :host_name
+
+        validate :client, error: :invalid_client
+
+        # @param server
+        # @param client
+        # @param host_name [String]
+        def initialize(server, client, host_name)
+          @server = server
+          @client = client
+          @host_name = host_name
+        end
+
+        # @return [DeviceAuthorizationResponse, Doorkeeper::OAuth::ErrorResponse]
+        def authorize
+          validate
+
+          @response =
+            if valid?
+              destroy_expired_device_grants!
+              create_successful_response
+            else
+              Doorkeeper::OAuth::ErrorResponse.from_request(self)
+            end
+        end
+
+        private
+
+        delegate :device_grant_model, to: :configuration
+
+        def destroy_expired_device_grants!
+          device_grant_model.expired.destroy_all
+        end
+
+        # @return [DeviceAuthorizationResponse]
+        def create_successful_response
+          before_successful_response
+          response = DeviceAuthorizationResponse.new(device_grant, host_name)
+          after_successful_response
+          response
+        end
+
+        # @return [Boolean]
+        def validate_client
+          client.present?
+        end
+
+        # @return [Doorkeeper::DeviceAuthorizationGrant::DeviceGrant]
+        def device_grant
+          @device_grant ||= device_grant_model.create!(device_grant_attributes)
+        end
+
+        # @return [Hash]
+        def device_grant_attributes
+          {
+            application_id: client.id,
+            expires_in: configuration.device_code_expires_in,
+            scopes: scopes.to_s,
+            user_code: generate_user_code
+          }
+        end
+
+        # @return [String]
+        def generate_user_code
+          configuration.user_code_generator_class.generate
+        end
+
+        # @return [::Doorkeeper::DeviceAuthorizationGrant::Config]
+        def configuration
+          @configuration ||= DeviceAuthorizationGrant.configuration
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/oauth/device_authorization_response.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module OAuth
+      # Doorkeeper response object for handling OAuth 2.0 Device Authorization Responses.
+      #
+      # @see https://tools.ietf.org/html/rfc8628#section-3.2 RFC 8628, sect. 3.2
+      class DeviceAuthorizationResponse < Doorkeeper::OAuth::BaseResponse
+        # @return [DeviceGrant]
+        attr_accessor :device_grant
+
+        # @return [String]
+        attr_accessor :host_name
+
+        # @param device_grant [DeviceGrant]
+        # @param host_name [String]
+        def initialize(device_grant, host_name)
+          @device_grant = device_grant
+          @host_name = host_name
+        end
+
+        # @return [Symbol]
+        def status
+          :ok
+        end
+
+        # @return [Hash]
+        def body
+          {
+            'device_code' => device_grant.device_code,
+            'user_code' => device_grant.user_code,
+            'verification_uri' => verification_uri,
+            'verification_uri_complete' => verification_uri_complete,
+            'expires_in' => device_grant.expires_in,
+            'interval' => interval
+          }.reject { |_, value| value.blank? }
+        end
+
+        # @return [Hash]
+        def headers
+          {
+            'Cache-Control' => 'no-store',
+            'Pragma' => 'no-cache',
+            'Content-Type' => 'application/json; charset=utf-8'
+          }
+        end
+
+        private
+
+        # @return [String]
+        def verification_uri
+          configuration.verification_uri.call(host_name)
+        end
+
+        # @return [String, nil]
+        def verification_uri_complete
+          configuration.verification_uri_complete.call(verification_uri, host_name, device_grant)
+        end
+
+        # @return [Integer, nil]
+        def interval
+          configuration.device_code_polling_interval&.seconds&.to_i
+        end
+
+        # @return [::Doorkeeper::DeviceAuthorizationGrant::Config]
+        def configuration
+          @configuration ||= Doorkeeper::DeviceAuthorizationGrant.configuration
+        end
+      end
+    end
+  end
+end