doorkeeper-sequel 1.2.1

data/spec/requests/flows/refresh_token_spec.rb

@@ -0,0 +1,174 @@
+require 'spec_helper_integration'
+
+describe 'Refresh Token Flow' do
+  before do
+    Doorkeeper.configure do
+      orm DOORKEEPER_ORM
+      use_refresh_token
+    end
+    client_exists
+  end
+
+  context 'issuing a refresh token' do
+    before do
+      authorization_code_exists application: @client
+    end
+
+    it 'client gets the refresh token and refreshses it' do
+      post token_endpoint_url(code: @authorization.token, client: @client)
+
+      token = Doorkeeper::AccessToken.first
+
+      should_have_json 'access_token',  token.token
+      should_have_json 'refresh_token', token.refresh_token
+
+      expect(@authorization.reload).to be_revoked
+
+      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
+
+      new_token = Doorkeeper::AccessToken.last
+      should_have_json 'access_token',  new_token.token
+      should_have_json 'refresh_token', new_token.refresh_token
+
+      expect(token.token).not_to         eq(new_token.token)
+      expect(token.refresh_token).not_to eq(new_token.refresh_token)
+    end
+  end
+
+  context 'refreshing the token' do
+    before do
+      @token = FactoryGirl.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: 1,
+        use_refresh_token: true
+      )
+    end
+
+    context "refresh_token revoked on use" do
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
+
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).not_to be_revoked
+      end
+    end
+
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+
+      it 'client request a token with refresh token' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
+
+      it 'client request a token with expired access token' do
+        @token.update_attribute :expires_in, -100
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+        should_have_json(
+          'refresh_token', Doorkeeper::AccessToken.last.refresh_token
+        )
+        expect(@token.reload).to be_revoked
+      end
+    end
+
+    it 'client gets an error for invalid refresh token' do
+      post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
+      should_not_have_json 'refresh_token'
+      should_have_json 'error', 'invalid_grant'
+    end
+
+    it 'client gets an error for revoked acccess token' do
+      @token.revoke
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
+      should_not_have_json 'refresh_token'
+      should_have_json 'error', 'invalid_grant'
+    end
+
+    it 'second of simultaneous client requests get an error for revoked acccess token' do
+      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
+
+      should_not_have_json 'refresh_token'
+      should_have_json 'error', 'invalid_request'
+    end
+  end
+
+  context 'refreshing the token with multiple sessions (devices)' do
+    before do
+      # enable password auth to simulate other devices
+      config_is_set(:grant_flows, ["password"])
+      config_is_set(:resource_owner_from_credentials) do
+        User.authenticate! params[:username], params[:password]
+      end
+      create_resource_owner
+      _another_token = post password_token_endpoint_url(
+        client: @client, resource_owner: @resource_owner
+      )
+      last_token.update_attribute :created_at, 5.seconds.ago
+
+      @token = FactoryGirl.create(
+        :access_token,
+        application: @client,
+        resource_owner_id: @resource_owner.id,
+        use_refresh_token: true
+      )
+      @token.update_attribute :expires_in, -100
+    end
+
+    context "refresh_token revoked on use" do
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).not_to be_revoked
+      end
+    end
+
+    context "refresh_token revoked on refresh_token request" do
+      before do
+        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
+      end
+
+      it 'client request a token after creating another token with the same user' do
+        post refresh_token_endpoint_url(
+          client: @client, refresh_token: @token.refresh_token
+        )
+
+        should_have_json 'refresh_token', last_token.refresh_token
+        expect(@token.reload).to be_revoked
+      end
+    end
+
+    def last_token
+      Doorkeeper::AccessToken.last_authorized_token_for(
+        @client.id, @resource_owner.id
+      )
+    end
+  end
+end

data/spec/requests/flows/revoke_token_spec.rb

@@ -0,0 +1,157 @@
+require 'spec_helper_integration'
+
+describe 'Revoke Token Flow' do
+  before do
+    Doorkeeper.configure { orm DOORKEEPER_ORM }
+  end
+
+  context 'with default parameters' do
+    let(:client_application) { FactoryGirl.create :application }
+    let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
+    let(:access_token) do
+      FactoryGirl.create(:access_token,
+                         application: client_application,
+                         resource_owner_id: resource_owner.id,
+                         use_refresh_token: true)
+    end
+
+    context 'with authenticated, confidential OAuth 2.0 client/application' do
+      let(:headers) do
+        client_id = client_application.uid
+        client_secret = client_application.secret
+        credentials = Base64.encode64("#{client_id}:#{client_secret}")
+        { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+      end
+
+      it 'should revoke the access token provided' do
+        post revocation_token_endpoint_url, { token: access_token.token }, headers
+
+        access_token.reload
+
+        expect(response).to be_success
+        expect(access_token.revoked?).to be_truthy
+      end
+
+      it 'should revoke the refresh token provided' do
+        post revocation_token_endpoint_url, { token: access_token.refresh_token }, headers
+
+        access_token.reload
+
+        expect(response).to be_success
+        expect(access_token.revoked?).to be_truthy
+      end
+
+      context 'with invalid token to revoke' do
+        it 'should not revoke any tokens and respond successfully' do
+          num_prev_revoked_tokens = Doorkeeper::AccessToken.where(revoked_at: nil).count
+          post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALID_TOKEN' }, headers
+
+          # The authorization server responds with HTTP status code 200 even if
+          # token is invalid
+          expect(response).to be_success
+          expect(Doorkeeper::AccessToken.where(revoked_at: nil).count).to eq(num_prev_revoked_tokens)
+        end
+      end
+
+      context 'with bad credentials and a valid token' do
+        let(:headers) do
+          client_id = client_application.uid
+          credentials = Base64.encode64("#{client_id}:poop")
+          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+        end
+        it 'should not revoke any tokens and respond successfully' do
+          post revocation_token_endpoint_url, { token: access_token.token }, headers
+
+          access_token.reload
+
+          expect(response).to be_success
+          expect(access_token.revoked?).to be_falsey
+        end
+      end
+
+      context 'with no credentials and a valid token' do
+        it 'should not revoke any tokens and respond successfully' do
+          post revocation_token_endpoint_url, { token: access_token.token }
+
+          access_token.reload
+
+          expect(response).to be_success
+          expect(access_token.revoked?).to be_falsey
+        end
+      end
+
+      context 'with valid token for another client application' do
+        let(:other_client_application) { FactoryGirl.create :application }
+        let(:headers) do
+          client_id = other_client_application.uid
+          client_secret = other_client_application.secret
+          credentials = Base64.encode64("#{client_id}:#{client_secret}")
+          { 'HTTP_AUTHORIZATION' => "Basic #{credentials}" }
+        end
+
+        it 'should not revoke the token as its unauthorized' do
+          post revocation_token_endpoint_url, { token: access_token.token }, headers
+
+          access_token.reload
+
+          expect(response).to be_success
+          expect(access_token.revoked?).to be_falsey
+        end
+      end
+    end
+
+    context 'with public OAuth 2.0 client/application' do
+      let(:access_token) do
+        FactoryGirl.create(:access_token,
+                           application: nil,
+                           resource_owner_id: resource_owner.id,
+                           use_refresh_token: true)
+      end
+
+      it 'should revoke the access token provided' do
+        post revocation_token_endpoint_url, { token: access_token.token }
+
+        access_token.reload
+
+        expect(response).to be_success
+        expect(access_token.revoked?).to be_truthy
+      end
+
+      it 'should revoke the refresh token provided' do
+        post revocation_token_endpoint_url, { token: access_token.refresh_token }
+
+        access_token.reload
+
+        expect(response).to be_success
+        expect(access_token.revoked?).to be_truthy
+      end
+
+      context 'with a valid token issued for a confidential client' do
+        let(:access_token) do
+          FactoryGirl.create(:access_token,
+                             application: client_application,
+                             resource_owner_id: resource_owner.id,
+                             use_refresh_token: true)
+        end
+
+        it 'should not revoke the access token provided' do
+          post revocation_token_endpoint_url, { token: access_token.token }
+
+          access_token.reload
+
+          expect(response).to be_success
+          expect(access_token.revoked?).to be_falsey
+        end
+
+        it 'should not revoke the refresh token provided' do
+          post revocation_token_endpoint_url, { token: access_token.token }
+
+          access_token.reload
+
+          expect(response).to be_success
+          expect(access_token.revoked?).to be_falsey
+        end
+      end
+    end
+  end
+end

data/spec/requests/flows/skip_authorization_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper_integration'
+
+feature 'Skip authorization form' do
+  background do
+    config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
+    client_exists
+    default_scopes_exist  :public
+    optional_scopes_exist :write
+  end
+
+  context 'for previously authorized clients' do
+    background do
+      create_resource_owner
+      sign_in
+    end
+
+    scenario 'skips the authorization and return a new grant code' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public')
+      visit authorization_endpoint_url(client: @client)
+
+      i_should_not_see 'Authorize'
+      client_should_be_authorized @client
+      i_should_be_on_client_callback @client
+      url_should_have_param 'code', Doorkeeper::AccessGrant.first.token
+    end
+
+    scenario 'does not skip authorization when scopes differ (new request has fewer scopes)' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scope: 'public')
+      i_should_see 'Authorize'
+    end
+
+    scenario 'does not skip authorization when scopes differ (new request has more scopes)' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scopes: 'public write email')
+      i_should_see 'Authorize'
+    end
+
+    scenario 'creates grant with new scope when scopes differ' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scope: 'public')
+      click_on 'Authorize'
+      access_grant_should_have_scopes :public
+    end
+
+    scenario 'doesn not skip authorization when scopes are greater' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public')
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      i_should_see 'Authorize'
+    end
+
+    scenario 'creates grant with new scope when scopes are greater' do
+      client_is_authorized(@client, @resource_owner, scopes: 'public')
+      visit authorization_endpoint_url(client: @client, scope: 'public write')
+      click_on 'Authorize'
+      access_grant_should_have_scopes :public, :write
+    end
+  end
+end

data/spec/requests/protected_resources/metal_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper_integration'
+
+describe 'ActionController::Metal API' do
+  before do
+    @client   = FactoryGirl.create(:application)
+    @resource = User.create!(name: 'Joe', password: 'sekret')
+    @token    = client_is_authorized(@client, @resource)
+  end
+
+  it 'client requests protected resource with valid token' do
+    get "/metal.json?access_token=#{@token.token}"
+    should_have_json 'ok', true
+  end
+end

data/spec/requests/protected_resources/private_api_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper_integration'
+
+feature 'Private API' do
+  background do
+    @client   = FactoryGirl.create(:application)
+    @resource = User.create!(name: 'Joe', password: 'sekret')
+    @token    = client_is_authorized(@client, @resource)
+  end
+
+  scenario 'client requests protected resource with valid token' do
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    expect(page.body).to have_content('index')
+  end
+
+  scenario 'client requests protected resource with disabled header authentication' do
+    config_is_set :access_token_methods, [:from_access_token_param]
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    response_status_should_be 401
+  end
+
+  scenario 'client attempts to request protected resource with invalid token' do
+    with_access_token_header 'invalid'
+    visit '/full_protected_resources'
+    response_status_should_be 401
+  end
+
+  scenario 'client attempts to request protected resource with expired token' do
+    @token.update_attribute :expires_in, -100 # expires token
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    response_status_should_be 401
+  end
+
+  scenario 'client requests protected resource with permanent token' do
+    @token.update_attribute :expires_in, nil # never expires
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    expect(page.body).to have_content('index')
+  end
+
+  scenario 'access token with no default scopes' do
+    Doorkeeper.configuration.instance_eval {
+      @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
+      @scopes = default_scopes + optional_scopes
+    }
+    @token.update_attribute :scopes, 'dummy'
+    with_access_token_header @token.token
+    visit '/full_protected_resources'
+    response_status_should_be 403
+  end
+
+  scenario 'access token with no allowed scopes' do
+    @token.update_attribute :scopes, nil
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    response_status_should_be 403
+  end
+
+  scenario 'access token with one of allowed scopes' do
+    @token.update_attribute :scopes, 'admin'
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    expect(page.body).to have_content('show')
+  end
+
+  scenario 'access token with another of allowed scopes' do
+    @token.update_attribute :scopes, 'write'
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    expect(page.body).to have_content('show')
+  end
+
+  scenario 'access token with both allowed scopes' do
+    @token.update_attribute :scopes, 'write admin'
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    expect(page.body).to have_content('show')
+  end
+end

data/spec/routing/custom_controller_routes_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper_integration'
+
+describe 'Custom controller for routes' do
+  it 'GET /space/scope/authorize routes to custom authorizations controller' do
+    expect(get('/inner_space/scope/authorize')).to route_to('custom_authorizations#new')
+  end
+
+  it 'POST /space/scope/authorize routes to custom authorizations controller' do
+    expect(post('/inner_space/scope/authorize')).to route_to('custom_authorizations#create')
+  end
+
+  it 'DELETE /space/scope/authorize routes to custom authorizations controller' do
+    expect(delete('/inner_space/scope/authorize')).to route_to('custom_authorizations#destroy')
+  end
+
+  it 'POST /space/scope/token routes to tokens controller' do
+    expect(post('/inner_space/scope/token')).to route_to('custom_authorizations#create')
+  end
+
+  it 'GET /space/scope/applications routes to applications controller' do
+    expect(get('/inner_space/scope/applications')).to route_to('custom_authorizations#index')
+  end
+
+  it 'GET /space/scope/token/info routes to the token_info controller' do
+    expect(get('/inner_space/scope/token/info')).to route_to('custom_authorizations#show')
+  end
+
+  it 'GET /space/oauth/authorize routes to custom authorizations controller' do
+    expect(get('/space/oauth/authorize')).to route_to('custom_authorizations#new')
+  end
+
+  it 'POST /space/oauth/authorize routes to custom authorizations controller' do
+    expect(post('/space/oauth/authorize')).to route_to('custom_authorizations#create')
+  end
+
+  it 'DELETE /space/oauth/authorize routes to custom authorizations controller' do
+    expect(delete('/space/oauth/authorize')).to route_to('custom_authorizations#destroy')
+  end
+
+  it 'POST /space/oauth/token routes to tokens controller' do
+    expect(post('/space/oauth/token')).to route_to('custom_authorizations#create')
+  end
+
+  it 'POST /space/oauth/revoke routes to tokens controller' do
+    expect(post('/space/oauth/revoke')).to route_to('custom_authorizations#revoke')
+  end
+
+  it 'GET /space/oauth/applications routes to applications controller' do
+    expect(get('/space/oauth/applications')).to route_to('custom_authorizations#index')
+  end
+
+  it 'GET /space/oauth/token/info routes to the token_info controller' do
+    expect(get('/space/oauth/token/info')).to route_to('custom_authorizations#show')
+  end
+
+  it 'POST /outer_space/oauth/token is not be routable' do
+    expect(post('/outer_space/oauth/token')).not_to be_routable
+  end
+
+  it 'GET /outer_space/oauth/authorize routes to custom authorizations controller' do
+    expect(get('/outer_space/oauth/authorize')).to be_routable
+  end
+
+  it 'GET /outer_space/oauth/applications is not routable' do
+    expect(get('/outer_space/oauth/applications')).not_to be_routable
+  end
+
+  it 'GET /outer_space/oauth/token_info is not routable' do
+    expect(get('/outer_space/oauth/token/info')).not_to be_routable
+  end
+end

data/spec/routing/default_routes_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper_integration'
+
+describe 'Default routes' do
+  it 'GET /oauth/authorize routes to authorizations controller' do
+    expect(get('/oauth/authorize')).to route_to('doorkeeper/authorizations#new')
+  end
+
+  it 'POST /oauth/authorize routes to authorizations controller' do
+    expect(post('/oauth/authorize')).to route_to('doorkeeper/authorizations#create')
+  end
+
+  it 'DELETE /oauth/authorize routes to authorizations controller' do
+    expect(delete('/oauth/authorize')).to route_to('doorkeeper/authorizations#destroy')
+  end
+
+  it 'POST /oauth/token routes to tokens controller' do
+    expect(post('/oauth/token')).to route_to('doorkeeper/tokens#create')
+  end
+
+  it 'POST /oauth/revoke routes to tokens controller' do
+    expect(post('/oauth/revoke')).to route_to('doorkeeper/tokens#revoke')
+  end
+
+  it 'GET /oauth/applications routes to applications controller' do
+    expect(get('/oauth/applications')).to route_to('doorkeeper/applications#index')
+  end
+
+  it 'GET /oauth/authorized_applications routes to authorized applications controller' do
+    expect(get('/oauth/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
+  end
+
+  it 'GET /oauth/token/info route to authorzed tokeninfo controller' do
+    expect(get('/oauth/token/info')).to route_to('doorkeeper/token_info#show')
+  end
+end

data/spec/routing/scoped_routes_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper_integration'
+
+describe 'Scoped routes' do
+  it 'GET /scope/authorize routes to authorizations controller' do
+    expect(get('/scope/authorize')).to route_to('doorkeeper/authorizations#new')
+  end
+
+  it 'POST /scope/authorize routes to authorizations controller' do
+    expect(post('/scope/authorize')).to route_to('doorkeeper/authorizations#create')
+  end
+
+  it 'DELETE /scope/authorize routes to authorizations controller' do
+    expect(delete('/scope/authorize')).to route_to('doorkeeper/authorizations#destroy')
+  end
+
+  it 'POST /scope/token routes to tokens controller' do
+    expect(post('/scope/token')).to route_to('doorkeeper/tokens#create')
+  end
+
+  it 'GET /scope/applications routes to applications controller' do
+    expect(get('/scope/applications')).to route_to('doorkeeper/applications#index')
+  end
+
+  it 'GET /scope/authorized_applications routes to authorized applications controller' do
+    expect(get('/scope/authorized_applications')).to route_to('doorkeeper/authorized_applications#index')
+  end
+
+  it 'GET /scope/token/info route to authorzed tokeninfo controller' do
+    expect(get('/scope/token/info')).to route_to('doorkeeper/token_info#show')
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../lib'))
+$LOAD_PATH.unshift File.expand_path(File.join(File.dirname(__FILE__), '../app'))

data/spec/spec_helper_integration.rb

@@ -0,0 +1,50 @@
+ENV['RAILS_ENV'] ||= 'test'
+
+DOORKEEPER_ORM = :sequel
+
+$LOAD_PATH.unshift File.dirname(__FILE__)
+
+require 'capybara/rspec'
+require 'dummy/config/environment'
+require 'rspec/rails'
+require 'generator_spec/test_case'
+require 'timecop'
+
+# Load JRuby SQLite3 if in that platform
+begin
+  require 'jdbc/sqlite3'
+  Jdbc::SQLite3.load_driver
+rescue LoadError
+end
+
+Rails.logger.info "====> Doorkeeper.orm = #{Doorkeeper.configuration.orm.inspect}"
+Rails.logger.info "====> Rails version: #{Rails.version}"
+Rails.logger.info "====> Ruby version: #{RUBY_VERSION}"
+
+require "support/orm/#{DOORKEEPER_ORM}"
+
+ENGINE_RAILS_ROOT = File.join(File.dirname(__FILE__), '../')
+
+Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].each { |f| require f }
+
+# Remove after dropping support of Rails 4.2
+require "#{File.dirname(__FILE__)}/support/http_method_shim.rb"
+
+RSpec.configure do |config|
+  config.infer_spec_type_from_file_location!
+  config.mock_with :rspec
+
+  config.infer_base_class_for_anonymous_controllers = false
+
+  config.include RSpec::Rails::RequestExampleGroup, type: :request
+
+  config.before do
+    Doorkeeper.configure { orm DOORKEEPER_ORM }
+  end
+
+  config.around(:each) do |example|
+    DB.transaction(rollback: :always, auto_savepoint: true) { example.run }
+  end
+
+  config.order = 'random'
+end