doorkeeper-device_authorization_grant 0.1.0

data/lib/doorkeeper/device_authorization_grant/oauth/device_code_request.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module OAuth
+      # Doorkeeper request object for handling OAuth 2.0 Device Access Token Requests.
+      #
+      # @see https://tools.ietf.org/html/rfc8628#section-3.4 RFC 8628, sect. 3.4
+      class DeviceCodeRequest < ::Doorkeeper::OAuth::BaseRequest
+        attr_accessor :server
+        attr_accessor :client
+
+        # @return [DeviceGrant]
+        attr_accessor :device_grant
+
+        attr_accessor :access_token
+
+        validate :client, error: :invalid_client
+        validate :device_grant, error: :invalid_grant
+
+        # @param server
+        # @param client
+        # @param device_grant [DeviceGrant]
+        def initialize(server, client, device_grant)
+          @server = server
+          @client = client
+          @device_grant = device_grant
+
+          # this should be `urn:ietf:params:oauth:grant-type:device_code`
+          @grant_type = 'device_code'
+        end
+
+        def before_successful_response
+          check_grant_errors!
+          check_user_interaction!
+
+          device_grant.transaction do
+            device_grant.lock!
+            device_grant.destroy!
+            generate_access_token
+          end
+
+          super
+        end
+
+        private
+
+        def generate_access_token
+          find_or_create_access_token(
+            device_grant.application,
+            device_grant.resource_owner_id,
+            device_grant.scopes,
+            server
+          )
+        end
+
+        def check_grant_errors!
+          return unless device_grant.expired?
+
+          device_grant.destroy!
+          raise Errors::ExpiredToken
+        end
+
+        def check_user_interaction!
+          raise Errors::SlowDown if polling_too_fast?
+
+          device_grant.update!(last_polling_at: Time.now)
+
+          raise Errors::AuthorizationPending if authorization_pending?
+        end
+
+        # @return [Boolean]
+        def polling_too_fast?
+          !device_grant.last_polling_at.nil? &&
+            device_grant.last_polling_at > device_code_polling_interval.ago
+        end
+
+        # @return [Boolean]
+        def authorization_pending?
+          !device_grant.user_code.nil?
+        end
+
+        # @return [Boolean]
+        def validate_client
+          client.present?
+        end
+
+        # @return [Boolean]
+        def validate_device_grant
+          device_grant.present? && device_grant.application_id == client.id
+        end
+
+        # @return [ActiveSupport::Duration]
+        def device_code_polling_interval
+          configuration.device_code_polling_interval.seconds
+        end
+
+        # @return [::Doorkeeper::DeviceAuthorizationGrant::Config]
+        def configuration
+          Doorkeeper::DeviceAuthorizationGrant.configuration
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/oauth/helpers/user_code.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module OAuth
+      module Helpers
+        # Simple module providing a method to generate a user code for device verification.
+        module UserCode
+          # @private
+          # @return [Integer] virtually includes the range `0-9` _plus_ `a-z`
+          BASE = 36
+          private_constant :BASE
+
+          # @private
+          # @return [Integer]
+          MAX_LENGTH = 8
+          private_constant :MAX_LENGTH
+
+          # @private
+          # @return [Integer]
+          MAX_NUMBER = BASE**MAX_LENGTH
+          private_constant :MAX_NUMBER
+
+          # Generates an alphanumeric user code for device verification, using `SecureRandom` generator.
+          # @return [String]
+          def self.generate
+            SecureRandom
+              .random_number(MAX_NUMBER)
+              .to_s(BASE)
+              .upcase
+              .rjust(MAX_LENGTH, '0')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/orm/active_record.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'active_support/lazy_load_hooks'
+
+module Doorkeeper # rubocop:disable Style/Documentation
+  module DeviceAuthorizationGrant
+    module Orm
+      # @deprecated Doorkeeper `active_record_options` is deprecated: customize Doorkeeper models instead.
+      module ActiveRecord
+        def self.initialize_models!
+          super
+
+          ActiveSupport.on_load(:active_record) do
+            require_relative 'active_record/device_grant'
+
+            options = Doorkeeper.configuration.active_record_options
+            establish_connection_option = options[:establish_connection]
+
+            DeviceGrant.establish_connection(establish_connection_option) if establish_connection_option
+          end
+        end
+      end
+    end
+  end
+
+  Orm::ActiveRecord.singleton_class.prepend(DeviceAuthorizationGrant::Orm::ActiveRecord)
+end

data/lib/doorkeeper/device_authorization_grant/orm/active_record/device_grant.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    # Model class, similar to Doorkeeper `AccessGrant`, but specific for
+    # handling OAuth 2.0 Device Authorization Grant.
+    class DeviceGrant < ActiveRecord::Base
+      self.table_name = "#{table_name_prefix}oauth_device_grants#{table_name_suffix}"
+
+      include ::Doorkeeper::Models::Expirable
+
+      delegate :secret_strategy, :fallback_secret_strategy, to: :class
+
+      belongs_to :application, class_name: Doorkeeper.configuration.application_class, optional: true
+
+      before_validation :generate_device_code, on: :create
+
+      validates :application_id, presence: true
+      validates :expires_in, presence: true
+      validates :device_code, presence: true, uniqueness: true
+
+      validates :user_code, presence: true, uniqueness: true, if: -> { resource_owner_id.blank? }
+      validates :user_code, absence: true, if: -> { resource_owner_id.present? }
+
+      validates :resource_owner_id, presence: true, if: -> { user_code.blank? }
+      validates :resource_owner_id, absence: true, if: -> { user_code.present? }
+
+      scope(
+        :expired,
+        lambda do
+          exp_in = DeviceAuthorizationGrant.configuration.device_code_expires_in
+          where('created_at <= :expiration_date', expiration_date: exp_in.seconds.ago)
+        end
+      )
+
+      scope(
+        :unexpired,
+        lambda do
+          exp_in = DeviceAuthorizationGrant.configuration.device_code_expires_in
+          where('created_at > :expiration_date', expiration_date: exp_in.seconds.ago)
+        end
+      )
+
+      # @!attribute application_id
+      #   @return [Integer]
+
+      # @!attribute resource_owner_id
+      #   @return [Integer, nil]
+
+      # @!attribute expires_in
+      #   @return [Integer]
+
+      # @!attribute scopes
+      #   @return [String]
+
+      # @!attribute device_code
+      #   @return [String]
+
+      # @!attribute user_code
+      #   @return [String, nil]
+
+      # @!attribute created_at
+      #   @return [Time]
+
+      # @!attribute last_polling_at
+      #   @return [Time, nil]
+
+      class << self
+        # Returns an instance of the DeviceGrant with specific device code
+        # value.
+        #
+        # @param device_code [#to_s] device code value
+        # @return [Doorkeeper::DeviceAuthorizationGrant::DeviceGrant, nil]
+        #   DeviceGrant object, or nil if there is no record with such code
+        def find_by_plaintext_device_code(device_code)
+          device_code = device_code.to_s
+
+          find_by(device_code: secret_strategy.transform_secret(device_code)) ||
+            find_by_fallback_device_code(device_code)
+        end
+
+        alias by_device_code find_by_plaintext_device_code
+
+        # Allow looking up previously plain device codes as a fallback IFF a
+        # fallback strategy has been defined
+        #
+        # @param plain_secret [#to_s] plain secret value
+        # @return [Doorkeeper::DeviceAuthorizationGrant::DeviceGrant, nil]
+        #   DeviceGrant object or nil if there is no record with such code
+        def find_by_fallback_device_code(plain_secret)
+          return nil unless fallback_secret_strategy
+
+          # Use the previous strategy to look up
+          stored_code = fallback_secret_strategy.transform_secret(plain_secret)
+          find_by(device_code: stored_code).tap do |resource|
+            upgrade_fallback_value(resource, plain_secret) if resource
+          end
+        end
+
+        # Allows to replace a plain value fallback, to avoid it remaining as
+        # plain text.
+        #
+        # @param instance [Doorkeeper::DeviceAuthorizationGrant::DeviceGrant]
+        #   An instance of this model with a plain value device code.
+        # @param plain_secret [String] The plain secret to upgrade.
+        def upgrade_fallback_value(instance, plain_secret)
+          upgraded =
+            secret_strategy.store_secret(instance, :device_code, plain_secret)
+          instance.update(device_code: upgraded)
+        end
+
+        # Determines the secret storing transformer
+        # Unless configured otherwise, uses the plain secret strategy
+        def secret_strategy
+          ::Doorkeeper.configuration.token_secret_strategy
+        end
+
+        # Determine the fallback storing strategy
+        # Unless configured, there will be no fallback
+        def fallback_secret_strategy
+          ::Doorkeeper.configuration.token_secret_fallback_strategy
+        end
+      end
+
+      # We keep a volatile copy of the raw device code for initial
+      # communication.
+      #
+      # Some strategies allow restoring stored secrets (e.g. symmetric
+      # encryption) while hashing strategies do not, so you cannot rely on
+      # this value returning a present value for persisted device codes.
+      def plaintext_device_code
+        if secret_strategy.allows_restoring_secrets?
+          secret_strategy.restore_secret(self, :device_code)
+        else
+          @raw_device_code
+        end
+      end
+
+      private
+
+      # Generates a device code value with UniqueToken class.
+      #
+      # @return [String] device code value
+      def generate_device_code
+        @raw_device_code = Doorkeeper::OAuth::Helpers::UniqueToken.generate
+        secret_strategy.store_secret(self, :device_code, @raw_device_code)
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/rails/routes.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require_relative 'routes/mapper'
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module Rails
+      class Routes # rubocop:disable Style/Documentation
+        module Helper # rubocop:disable Style/Documentation
+          # @param options [Hash]
+          def use_doorkeeper_device_authorization_grant(options = {}, &block)
+            ::Doorkeeper::DeviceAuthorizationGrant::Rails::Routes
+              .new(self, &block).generate_routes!(options)
+          end
+        end
+
+        def self.install!
+          ::ActionDispatch::Routing::Mapper.include(
+            ::Doorkeeper::DeviceAuthorizationGrant::Rails::Routes::Helper
+          )
+        end
+
+        attr_accessor :routes
+
+        def initialize(routes, &block)
+          @routes = routes
+          @block = block
+        end
+
+        # @param options [Hash]
+        def generate_routes!(options)
+          @mapping = Mapper.new.map(&@block)
+
+          routes.scope(options[:scope] || 'oauth', as: 'oauth') do
+            map_route(:device_codes, :device_code_routes)
+            map_route(:device_authorizations, :device_authorization_routes)
+          end
+        end
+
+        private
+
+        # @param name [Symbol]
+        # @param method [Symbol]
+        def map_route(name, method)
+          return if @mapping.skipped?(name)
+
+          mapping = @mapping[name]
+
+          routes.scope(controller: mapping[:controller], as: mapping[:as]) do
+            __send__(method)
+          end
+        end
+
+        def device_authorization_routes
+          routes.get(:index, path: 'device')
+          routes.post(:authorize, path: 'device')
+        end
+
+        def device_code_routes
+          routes.post(:create, path: 'authorize_device')
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/rails/routes/mapper.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative 'mapping'
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module Rails
+      class Routes
+        class Mapper # rubocop:disable Style/Documentation
+          # @param mapping [Mapping]
+          def initialize(mapping = Mapping.new)
+            @mapping = mapping
+          end
+
+          # @return [Mapping]
+          def map(&block)
+            instance_eval(&block) if block
+            @mapping
+          end
+
+          # @param controller_names [Hash{Symbol => String}]
+          # @return [Hash{Symbol => String}]
+          def controller(controller_names = {})
+            @mapping.controllers.merge!(controller_names)
+          end
+
+          # @param controller_names [Array<Symbol>]
+          def skip_controllers(*controller_names)
+            @mapping.skips = controller_names
+          end
+
+          # @param alias_names [Hash{Symbol => Symbol}]
+          def as(alias_names = {})
+            @mapping.as.merge!(alias_names)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/device_authorization_grant/rails/routes/mapping.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module DeviceAuthorizationGrant
+    module Rails
+      class Routes
+        class Mapping # rubocop:disable Style/Documentation
+          # @return [Hash{Symbol => String}]
+          attr_accessor :controllers
+
+          # @return [Hash{Symbol => Symbol}]
+          attr_accessor :as
+
+          # @return [Array<Symbol>]
+          attr_accessor :skips
+
+          def initialize
+            @controllers = {
+              device_authorizations: 'doorkeeper/device_authorization_grant/device_authorizations',
+              device_codes: 'doorkeeper/device_authorization_grant/device_codes'
+            }
+
+            @as = {
+              device_authorizations: :device_authorizations,
+              device_codes: :device_codes
+            }
+
+            @skips = []
+          end
+
+          # @param routes [Symbol]
+          # @return [Hash]
+          def [](routes)
+            {
+              controller: @controllers[routes],
+              as: @as[routes]
+            }
+          end
+
+          # @param controller [Symbol]
+          # @return [Boolean]
+          def skipped?(controller)
+            @skips.include?(controller)
+          end
+        end
+      end
+    end
+  end
+end