doorkeeper-sequel 1.2.1

data/spec/requests/endpoints/authorization_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper_integration'
+
+feature 'Authorization endpoint' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists(name: 'MyApp')
+  end
+
+  scenario 'requires resource owner to be authenticated' do
+    visit authorization_endpoint_url(client: @client)
+    i_should_see 'Sign in'
+    i_should_be_on '/'
+  end
+
+  context 'with authenticated resource owner' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario 'displays the authorization form' do
+      visit authorization_endpoint_url(client: @client)
+      i_should_see 'Authorize MyApp to use your account?'
+    end
+
+    scenario 'displays all requested scopes' do
+      default_scopes_exist :public
+      optional_scopes_exist :write
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      i_should_see 'Access your public data'
+      i_should_see 'Update your data'
+    end
+  end
+
+  context 'with a invalid request' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario 'displays the related error' do
+      visit authorization_endpoint_url(client: @client, response_type: '')
+      i_should_not_see 'Authorize'
+      i_should_see_translated_error_message :unsupported_response_type
+    end
+
+    scenario "displays unsupported_response_type error when using a disabled response type" do
+      config_is_set(:grant_flows, ['implicit'])
+      visit authorization_endpoint_url(client: @client, response_type: 'code')
+      i_should_not_see "Authorize"
+      i_should_see_translated_error_message :unsupported_response_type
+    end
+  end
+
+  context 'forgery protection enabled' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario 'raises exception on forged requests' do
+      skip 'TODO: need to add request helpers to this feature spec'
+      allow_any_instance_of(ActionController::Base).to receive(:handle_unverified_request)
+      allowing_forgery_protection do
+        post "/oauth/authorize",
+          client_id:      @client.uid,
+          redirect_uri:   @client.redirect_uri,
+          response_type:  'code'
+      end
+    end
+  end
+end

data/spec/requests/endpoints/token_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper_integration'
+
+describe 'Token endpoint' do
+  before do
+    client_exists
+    authorization_code_exists application: @client, scopes: 'public'
+  end
+
+  it 'respond with correct headers' do
+    post token_endpoint_url(code: @authorization.token, client: @client)
+    should_have_header 'Pragma', 'no-cache'
+    should_have_header 'Cache-Control', 'no-store'
+    should_have_header 'Content-Type', 'application/json; charset=utf-8'
+  end
+
+  it 'accepts client credentials with basic auth header' do
+    post token_endpoint_url(
+      code: @authorization.token,
+      redirect_uri: @client.redirect_uri
+    ), {}, 'HTTP_AUTHORIZATION' => basic_auth_header_for_client(@client)
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+  end
+
+  it 'returns null for expires_in when a permanent token is set' do
+    config_is_set(:access_token_expires_in, nil)
+    post token_endpoint_url(code: @authorization.token, client: @client)
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+    should_not_have_json 'expires_in'
+  end
+
+  it 'returns unsupported_grant_type for invalid grant_type param' do
+    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'nothing')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'unsupported_grant_type'
+    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
+  end
+
+  it 'returns unsupported_grant_type for disabled grant flows' do
+    config_is_set(:grant_flows, ['implicit'])
+    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'authorization_code')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'unsupported_grant_type'
+    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
+  end
+
+  it 'returns unsupported_grant_type when refresh_token is not in use' do
+    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: 'refresh_token')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'unsupported_grant_type'
+    should_have_json 'error_description', translated_error_message('unsupported_grant_type')
+  end
+
+  it 'returns invalid_request if grant_type is missing' do
+    post token_endpoint_url(code: @authorization.token, client: @client, grant_type: '')
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_request'
+    should_have_json 'error_description', translated_error_message('invalid_request')
+  end
+end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper_integration'
+
+feature 'Authorization Code Flow Errors' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  after do
+    access_grant_should_not_exist
+  end
+
+  context 'when access was denied' do
+    scenario 'redirects with error' do
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Deny'
+
+      i_should_be_on_client_callback @client
+      url_should_not_have_param 'code'
+      url_should_have_param 'error', 'access_denied'
+      url_should_have_param 'error_description', translated_error_message(:access_denied)
+    end
+
+    scenario 'redirects with state parameter' do
+      visit authorization_endpoint_url(client: @client, state: 'return-this')
+      click_on 'Deny'
+
+      i_should_be_on_client_callback @client
+      url_should_not_have_param 'code'
+      url_should_have_param 'state', 'return-this'
+    end
+  end
+end
+
+describe 'Authorization Code Flow Errors', 'after authorization' do
+  before do
+    client_exists
+    authorization_code_exists application: @client
+  end
+
+  it 'returns :invalid_grant error when posting an already revoked grant code' do
+    # First successful request
+    post token_endpoint_url(code: @authorization.token, client: @client)
+
+    # Second attempt with same token
+    expect do
+      post token_endpoint_url(code: @authorization.token, client: @client)
+    end.to_not change { Doorkeeper::AccessToken.count }
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_grant'
+    should_have_json 'error_description', translated_error_message('invalid_grant')
+  end
+
+  it 'returns :invalid_grant error for invalid grant code' do
+    post token_endpoint_url(code: 'invalid', client: @client)
+
+    access_token_should_not_exist
+
+    should_not_have_json 'access_token'
+    should_have_json 'error', 'invalid_grant'
+    should_have_json 'error_description', translated_error_message('invalid_grant')
+  end
+end

data/spec/requests/flows/authorization_code_spec.rb

@@ -0,0 +1,156 @@
+require 'spec_helper_integration'
+
+feature 'Authorization Code Flow' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  scenario 'resource owner authorizes the client' do
+    visit authorization_endpoint_url(client: @client)
+    click_on 'Authorize'
+
+    access_grant_should_exist_for(@client, @resource_owner)
+
+    i_should_be_on_client_callback(@client)
+
+    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
+    url_should_not_have_param('state')
+    url_should_not_have_param('error')
+  end
+
+  scenario 'resource owner authorizes using test url' do
+    @client.redirect_uri = Doorkeeper.configuration.native_redirect_uri
+    @client.save!
+    visit authorization_endpoint_url(client: @client)
+    click_on 'Authorize'
+
+    access_grant_should_exist_for(@client, @resource_owner)
+
+    i_should_see 'Authorization code:'
+    i_should_see Doorkeeper::AccessGrant.first.token
+  end
+
+  scenario 'resource owner authorizes the client with state parameter set' do
+    visit authorization_endpoint_url(client: @client, state: 'return-me')
+    click_on 'Authorize'
+    url_should_have_param('code', Doorkeeper::AccessGrant.first.token)
+    url_should_have_param('state', 'return-me')
+  end
+
+  scenario 'resource owner requests an access token with authorization code' do
+    skip 'TODO: need to add request helpers to this feature spec'
+
+    visit authorization_endpoint_url(client: @client)
+    click_on 'Authorize'
+
+    authorization_code = Doorkeeper::AccessGrant.first.token
+    post token_endpoint_url(code: authorization_code, client: @client)
+
+    access_token_should_exist_for(@client, @resource_owner)
+
+    should_not_have_json 'error'
+
+    should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+    should_have_json 'token_type', 'bearer'
+    should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
+  end
+
+  context 'with scopes' do
+    background do
+      default_scopes_exist :public
+      optional_scopes_exist :write
+    end
+
+    scenario 'resource owner authorizes the client with default scopes' do
+      visit authorization_endpoint_url(client: @client)
+      click_on 'Authorize'
+      access_grant_should_exist_for(@client, @resource_owner)
+      access_grant_should_have_scopes :public
+    end
+
+    scenario 'resource owner authorizes the client with required scopes' do
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      click_on 'Authorize'
+      access_grant_should_have_scopes :public, :write
+    end
+
+    scenario 'resource owner authorizes the client with required scopes (without defaults)' do
+      visit authorization_endpoint_url(client: @client, scope: 'write')
+      click_on 'Authorize'
+      access_grant_should_have_scopes :write
+    end
+
+    scenario 'new access token matches required scopes' do
+      skip 'TODO: need to add request helpers to this feature spec'
+
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      click_on 'Authorize'
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      post token_endpoint_url(code: authorization_code, client: @client)
+
+      access_token_should_exist_for(@client, @resource_owner)
+      access_token_should_have_scopes :public, :write
+    end
+
+    scenario 'returns new token if scopes have changed' do
+      skip 'TODO: need to add request helpers to this feature spec'
+
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scope: 'public')
+      click_on 'Authorize'
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      post token_endpoint_url(code: authorization_code, client: @client)
+
+      expect(Doorkeeper::AccessToken.count).to be(2)
+
+      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
+    end
+
+    scenario 'resource owner authorizes the client with extra scopes' do
+      skip 'TODO: need to add request helpers to this feature spec'
+
+      client_is_authorized(@client, @resource_owner, scopes: 'public')
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      click_on 'Authorize'
+
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      post token_endpoint_url(code: authorization_code, client: @client)
+
+      expect(Doorkeeper::AccessToken.count).to be(2)
+
+      should_have_json 'access_token', Doorkeeper::AccessToken.last.token
+      access_token_should_have_scopes :public, :write
+    end
+  end
+end
+
+describe 'Authorization Code Flow' do
+  before do
+    Doorkeeper.configure do
+      orm DOORKEEPER_ORM
+      use_refresh_token
+    end
+    client_exists
+  end
+
+  context 'issuing a refresh token' do
+    before do
+      authorization_code_exists application: @client
+    end
+
+    it 'second of simultaneous client requests get an error for revoked acccess token' do
+      authorization_code = Doorkeeper::AccessGrant.first.token
+      allow_any_instance_of(Doorkeeper::AccessGrant).to receive(:revoked?).and_return(false, true)
+
+      post token_endpoint_url(code: authorization_code, client: @client)
+
+      should_not_have_json 'access_token'
+      should_have_json 'error', 'invalid_grant'
+    end
+  end
+end

data/spec/requests/flows/client_credentials_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper_integration'
+
+describe 'Client Credentials Request' do
+  let(:client) { FactoryGirl.create :application }
+
+  context 'a valid request' do
+    it 'authorizes the client and returns the token response' do
+      headers = authorization client.uid, client.secret
+      params  = { grant_type: 'client_credentials' }
+
+      post '/oauth/token', params, headers
+
+      should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+      should_have_json_within 'expires_in', Doorkeeper.configuration.access_token_expires_in, 1
+      should_not_have_json 'scope'
+      should_not_have_json 'refresh_token'
+
+      should_not_have_json 'error'
+      should_not_have_json 'error_description'
+    end
+
+    context 'with scopes' do
+      before do
+        optional_scopes_exist :write
+      end
+
+      it 'adds the scope to the token an returns in the response' do
+        headers = authorization client.uid, client.secret
+        params  = { grant_type: 'client_credentials', scope: 'write' }
+
+        post '/oauth/token', params, headers
+
+        should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+        should_have_json 'scope', 'write'
+      end
+    end
+  end
+
+  context 'an invalid request' do
+    it 'does not authorize the client and returns the error' do
+      headers = {}
+      params  = { grant_type: 'client_credentials' }
+
+      post '/oauth/token', params, headers
+
+      should_have_json 'error', 'invalid_client'
+      should_have_json 'error_description', translated_error_message(:invalid_client)
+      should_not_have_json 'access_token'
+
+      expect(response.status).to eq(401)
+    end
+  end
+
+  def authorization(username, password)
+    credentials = ActionController::HttpAuthentication::Basic.encode_credentials username, password
+    { 'HTTP_AUTHORIZATION' => credentials }
+  end
+end

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper_integration'
+
+feature 'Implicit Grant Flow Errors' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    config_is_set(:grant_flows, ["implicit"])
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  after do
+    access_token_should_not_exist
+  end
+
+  [
+    [:client_id,     :invalid_client],
+    [:redirect_uri,  :invalid_redirect_uri]
+  ].each do |error|
+    scenario "displays #{error.last.inspect} error for invalid #{error.first.inspect}" do
+      visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')
+      i_should_not_see 'Authorize'
+      i_should_see_translated_error_message error.last
+    end
+
+    scenario "displays #{error.last.inspect} error when #{error.first.inspect} is missing" do
+      visit authorization_endpoint_url(client: @client, error.first => '', response_type: 'token')
+      i_should_not_see 'Authorize'
+      i_should_see_translated_error_message error.last
+    end
+  end
+end

data/spec/requests/flows/implicit_grant_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper_integration'
+
+feature 'Implicit Grant Flow (feature spec)' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    config_is_set(:grant_flows, ["implicit"])
+    client_exists
+    create_resource_owner
+    sign_in
+  end
+
+  scenario 'resource owner authorizes the client' do
+    visit authorization_endpoint_url(client: @client, response_type: 'token')
+    click_on 'Authorize'
+
+    access_token_should_exist_for @client, @resource_owner
+
+    i_should_be_on_client_callback @client
+  end
+end
+
+describe 'Implicit Grant Flow (request spec)' do
+  before do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    config_is_set(:grant_flows, ["implicit"])
+    client_exists
+    create_resource_owner
+  end
+
+  context 'token reuse' do
+    it 'should return a new token each request' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
+
+      token = client_is_authorized(@client, @resource_owner)
+
+      post "/oauth/authorize",
+           client_id: @client.uid,
+           state: '',
+           redirect_uri: @client.redirect_uri,
+           response_type: 'token',
+           commit: 'Authorize'
+
+      expect(response.location).not_to include(token.token)
+    end
+
+    it 'should return the same token if it is still accessible' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+
+      token = client_is_authorized(@client, @resource_owner)
+
+      post "/oauth/authorize",
+           client_id: @client.uid,
+           state: '',
+           redirect_uri: @client.redirect_uri,
+           response_type: 'token',
+           commit: 'Authorize'
+
+      expect(response.location).to include(token.token)
+    end
+  end
+end

data/spec/requests/flows/password_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper_integration'
+
+describe 'Resource Owner Password Credentials Flow not set up' do
+  before do
+    client_exists
+    create_resource_owner
+  end
+
+  context 'with valid user credentials' do
+    it 'doesn\'t issue new token' do
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
+end
+
+describe 'Resource Owner Password Credentials Flow' do
+  before do
+    config_is_set(:grant_flows, ["password"])
+    config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
+    client_exists
+    create_resource_owner
+  end
+
+  context 'with valid user credentials' do
+    it 'should issue new token with confidential client' do
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+    end
+
+    it 'should issue new token with public client (only client_id present)' do
+      expect do
+        post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to eq @client.id
+      should_have_json 'access_token', token.token
+    end
+
+    it 'should issue new token without client credentials' do
+      expect do
+        post password_token_endpoint_url(resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+      token = Doorkeeper::AccessToken.first
+
+      expect(token.application_id).to be_nil
+      should_have_json 'access_token', token.token
+    end
+
+    it 'should issue a refresh token if enabled' do
+      config_is_set(:refresh_token_enabled, true)
+
+      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+
+      token = Doorkeeper::AccessToken.first
+
+      should_have_json 'refresh_token', token.refresh_token
+    end
+
+    it 'should return the same token if it is still accessible' do
+      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
+
+      client_is_authorized(@client, @resource_owner)
+
+      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+
+      expect(Doorkeeper::AccessToken.count).to be(1)
+      should_have_json 'access_token', Doorkeeper::AccessToken.first.token
+    end
+  end
+
+  context 'with invalid user credentials' do
+    it 'should not issue new token with bad password' do
+      expect do
+        post password_token_endpoint_url(client: @client,
+                                         resource_owner_username: @resource_owner.name,
+                                         resource_owner_password: 'wrongpassword')
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+
+    it 'should not issue new token without credentials' do
+      expect do
+        post password_token_endpoint_url(client: @client)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
+
+  context 'with invalid confidential client credentials' do
+    it 'should not issue new token with bad client credentials' do
+      expect do
+        post password_token_endpoint_url(client_id: @client.uid,
+                                         client_secret: 'bad_secret',
+                                         resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
+
+  context 'with invalid public client id' do
+    it 'should not issue new token with bad client id' do
+      expect do
+        post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
+    end
+  end
+end