doorkeeper-sequel 1.2.1

data/spec/controllers/authorizations_controller_spec.rb

@@ -0,0 +1,189 @@
+require 'spec_helper_integration'
+
+describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
+  include AuthorizationRequestHelper
+
+  def fragments(param)
+    fragment = URI.parse(response.location).fragment
+    Rack::Utils.parse_query(fragment)[param]
+  end
+
+  def translated_error_message(key)
+    I18n.translate key, scope: [:doorkeeper, :errors, :messages]
+  end
+
+  let(:client) { FactoryGirl.create :application }
+  let(:user)   { User.create!(name: 'Joe', password: 'sekret') }
+
+  before do
+    allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["implicit"])
+    allow(controller).to receive(:current_resource_owner).and_return(user)
+  end
+
+  describe 'POST #create' do
+    before do
+      post :create, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+    end
+
+    it 'redirects after authorization' do
+      expect(response).to be_redirect
+    end
+
+    it 'redirects to client redirect uri' do
+      expect(response.location).to match(%r{^#{client.redirect_uri}})
+    end
+
+    it 'includes access token in fragment' do
+      expect(fragments('access_token')).to eq(Doorkeeper::AccessToken.first.token)
+    end
+
+    it 'includes token type in fragment' do
+      expect(fragments('token_type')).to eq('bearer')
+    end
+
+    it 'includes token expiration in fragment' do
+      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+    end
+
+    it 'issues the token for the current client' do
+      expect(Doorkeeper::AccessToken.first.application_id).to eq(client.id)
+    end
+
+    it 'issues the token for the current resource owner' do
+      expect(Doorkeeper::AccessToken.first.resource_owner_id).to eq(user.id)
+    end
+  end
+
+  describe 'POST #create with errors' do
+    before do
+      default_scopes_exist :public
+      post :create, client_id: client.uid, response_type: 'token', scope: 'invalid', redirect_uri: client.redirect_uri
+    end
+
+    it 'redirects after authorization' do
+      expect(response).to be_redirect
+    end
+
+    it 'redirects to client redirect uri' do
+      expect(response.location).to match(%r{^#{client.redirect_uri}})
+    end
+
+    it 'does not include access token in fragment' do
+      expect(fragments('access_token')).to be_nil
+    end
+
+    it 'includes error in fragment' do
+      expect(fragments('error')).to eq('invalid_scope')
+    end
+
+    it 'includes error description in fragment' do
+      expect(fragments('error_description')).to eq(translated_error_message(:invalid_scope))
+    end
+
+    it 'does not issue any access token' do
+      expect(Doorkeeper::AccessToken.all).to be_empty
+    end
+  end
+
+  describe 'POST #create with application already authorized' do
+    it 'returns the existing access token in a fragment'
+  end
+
+  describe 'GET #new token request with native url and skip_authorization true' do
+    before do
+      allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
+        true
+      end)
+      client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'
+      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+    end
+
+    it 'should redirect immediately' do
+      expect(response).to be_redirect
+      expect(response.location).to match(/oauth\/token\/info\?access_token=/)
+    end
+
+    it 'should not issue a grant' do
+      expect(Doorkeeper::AccessGrant.count).to be 0
+    end
+
+    it 'should issue a token' do
+      expect(Doorkeeper::AccessToken.count).to be 1
+    end
+  end
+
+  describe 'GET #new code request with native url and skip_authorization true' do
+    before do
+      allow(Doorkeeper.configuration).to receive(:grant_flows).
+        and_return(%w(authorization_code))
+      allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
+        true
+      end)
+      client.update_attribute :redirect_uri, 'urn:ietf:wg:oauth:2.0:oob'
+      get :new, client_id: client.uid, response_type: 'code', redirect_uri: client.redirect_uri
+    end
+
+    it 'should redirect immediately' do
+      expect(response).to be_redirect
+      expect(response.location).to match(/oauth\/authorize\//)
+    end
+
+    it 'should issue a grant' do
+      expect(Doorkeeper::AccessGrant.count).to be 1
+    end
+
+    it 'should not issue a token' do
+      expect(Doorkeeper::AccessToken.count).to be 0
+    end
+  end
+
+  describe 'GET #new with skip_authorization true' do
+    before do
+      allow(Doorkeeper.configuration).to receive(:skip_authorization).and_return(proc do
+        true
+      end)
+      get :new, client_id: client.uid, response_type: 'token', redirect_uri: client.redirect_uri
+    end
+
+    it 'should redirect immediately' do
+      expect(response).to be_redirect
+      expect(response.location).to match(%r{^#{client.redirect_uri}})
+    end
+
+    it 'should issue a token' do
+      expect(Doorkeeper::AccessToken.count).to be 1
+    end
+
+    it 'includes token type in fragment' do
+      expect(fragments('token_type')).to eq('bearer')
+    end
+
+    it 'includes token expiration in fragment' do
+      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+    end
+
+    it 'issues the token for the current client' do
+      expect(Doorkeeper::AccessToken.first.application_id).to eq(client.id)
+    end
+
+    it 'issues the token for the current resource owner' do
+      expect(Doorkeeper::AccessToken.first.resource_owner_id).to eq(user.id)
+    end
+  end
+
+  describe 'GET #new with errors' do
+    before do
+      default_scopes_exist :public
+      get :new, an_invalid: 'request'
+    end
+
+    it 'does not redirect' do
+      expect(response).to_not be_redirect
+    end
+
+    it 'does not issue any token' do
+      expect(Doorkeeper::AccessGrant.count).to eq 0
+      expect(Doorkeeper::AccessToken.count).to eq 0
+    end
+  end
+end

data/spec/controllers/protected_resources_controller_spec.rb

@@ -0,0 +1,300 @@
+require 'spec_helper_integration'
+
+module ControllerActions
+  def index
+    render plain: 'index'
+  end
+
+  def show
+    render plain: 'show'
+  end
+
+  def doorkeeper_unauthorized_render_options(*)
+  end
+
+  def doorkeeper_forbidden_render_options(*)
+  end
+end
+
+describe 'doorkeeper authorize filter' do
+  context 'accepts token code specified as' do
+    controller do
+      before_action :doorkeeper_authorize!
+
+      def index
+        render plain: 'index'
+      end
+    end
+
+    let(:token_string) { '1A2BC3' }
+    let(:token) do
+      double(Doorkeeper::AccessToken,
+             acceptable?: true, previous_refresh_token: "",
+             revoke_previous_refresh_token!: true)
+    end
+
+    it 'access_token param' do
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
+      get :index, access_token: token_string
+    end
+
+    it 'bearer_token param' do
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
+      get :index, bearer_token: token_string
+    end
+
+    it 'Authorization header' do
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
+      request.env['HTTP_AUTHORIZATION'] = "Bearer #{token_string}"
+      get :index
+    end
+
+    it 'different kind of Authorization header' do
+      expect(Doorkeeper::AccessToken).not_to receive(:by_token)
+      request.env['HTTP_AUTHORIZATION'] = "MAC #{token_string}"
+      get :index
+    end
+
+    it 'does not change Authorization header value' do
+      expect(Doorkeeper::AccessToken).to receive(:by_token).exactly(2).times.and_return(token)
+      request.env['HTTP_AUTHORIZATION'] = "Bearer #{token_string}"
+      get :index
+      controller.send(:remove_instance_variable, :@_doorkeeper_token)
+      get :index
+    end
+  end
+
+  context 'defined for all actions' do
+    controller do
+      before_action :doorkeeper_authorize!
+
+      include ControllerActions
+    end
+
+    context 'with valid token', token: :valid do
+      it 'allows into index action' do
+        get :index, access_token: token_string
+        expect(response).to be_success
+      end
+
+      it 'allows into show action' do
+        get :show, id: '4', access_token: token_string
+        expect(response).to be_success
+      end
+    end
+
+    context 'with invalid token', token: :invalid do
+      it 'does not allow into index action' do
+        get :index, access_token: token_string
+        expect(response.status).to eq 401
+        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
+      end
+
+      it 'does not allow into show action' do
+        get :show, id: '4', access_token: token_string
+        expect(response.status).to eq 401
+        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
+      end
+    end
+  end
+
+  context 'defined with scopes' do
+    controller do
+      before_action -> { doorkeeper_authorize! :write }
+
+      include ControllerActions
+    end
+
+    let(:token_string) { '1A2DUWE' }
+
+    it 'allows if the token has particular scopes' do
+      token = double(Doorkeeper::AccessToken,
+                     accessible?: true, scopes: %w(write public),
+                     previous_refresh_token: "",
+                     revoke_previous_refresh_token!: true)
+      expect(token).to receive(:acceptable?).with([:write]).and_return(true)
+      expect(
+        Doorkeeper::AccessToken
+      ).to receive(:by_token).with(token_string).and_return(token)
+      get :index, access_token: token_string
+      expect(response).to be_success
+    end
+
+    it 'does not allow if the token does not include given scope' do
+      token = double(Doorkeeper::AccessToken,
+                     accessible?: true, scopes: ['public'], revoked?: false,
+                     expired?: false, previous_refresh_token: "",
+                     revoke_previous_refresh_token!: true)
+      expect(
+        Doorkeeper::AccessToken
+      ).to receive(:by_token).with(token_string).and_return(token)
+      expect(token).to receive(:acceptable?).with([:write]).and_return(false)
+      get :index, access_token: token_string
+      expect(response.status).to eq 403
+      expect(response.header).to_not include('WWW-Authenticate')
+    end
+  end
+
+  context 'when custom unauthorized render options are configured' do
+    controller do
+      before_action :doorkeeper_authorize!
+
+      include ControllerActions
+    end
+
+    context 'with a JSON custom render', token: :invalid do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_unauthorized_render_options
+          def doorkeeper_unauthorized_render_options(error: nil)
+            { json: ActiveSupport::JSON.encode(error_message: error.description) }
+          end
+        end
+      end
+      after do
+        module ControllerActions
+          remove_method :doorkeeper_unauthorized_render_options
+          def doorkeeper_unauthorized_render_options(error: nil)
+          end
+        end
+      end
+
+      it 'it renders a custom JSON response', token: :invalid do
+        get :index, access_token: token_string
+        expect(response.status).to eq 401
+        expect(response.content_type).to eq('application/json')
+        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).not_to be_nil
+        expect(parsed_body['error_message']).to match('token is invalid')
+      end
+    end
+
+    context 'with a text custom render', token: :invalid do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_unauthorized_render_options
+          def doorkeeper_unauthorized_render_options(error: nil)
+            { plain: 'Unauthorized' }
+          end
+        end
+      end
+      after do
+        module ControllerActions
+          remove_method :doorkeeper_unauthorized_render_options
+          def doorkeeper_unauthorized_render_options(error: nil)
+          end
+        end
+      end
+
+      it 'it renders a custom text response', token: :invalid do
+        get :index, access_token: token_string
+        expect(response.status).to eq 401
+        expect(response.content_type).to eq('text/plain')
+        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
+        expect(response.body).to eq('Unauthorized')
+      end
+    end
+  end
+
+  context 'when custom forbidden render options are configured' do
+    before do
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
+      expect(token).to receive(:acceptable?).with([:write]).and_return(false)
+    end
+
+    after do
+      module ControllerActions
+        remove_method :doorkeeper_forbidden_render_options
+        def doorkeeper_forbidden_render_options(*)
+        end
+      end
+    end
+
+    controller do
+      before_action -> { doorkeeper_authorize! :write }
+
+      include ControllerActions
+    end
+
+    let(:token) do
+      double(Doorkeeper::AccessToken,
+             accessible?: true, scopes: ['public'], revoked?: false,
+             expired?: false, previous_refresh_token: "",
+             revoke_previous_refresh_token!: true)
+    end
+    let(:token_string) { '1A2DUWE' }
+
+    context 'with a JSON custom render' do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_forbidden_render_options
+          def doorkeeper_forbidden_render_options(*)
+            { json: { error_message: 'Forbidden' } }
+          end
+        end
+      end
+
+      it 'renders a custom JSON response' do
+        get :index, access_token: token_string
+        expect(response.header).to_not include('WWW-Authenticate')
+        expect(response.content_type).to eq('application/json')
+        expect(response.status).to eq 403
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).not_to be_nil
+        expect(parsed_body['error_message']).to match('Forbidden')
+      end
+    end
+
+    context 'with a status and JSON custom render' do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_forbidden_render_options
+          def doorkeeper_forbidden_render_options(*)
+            { json: { error_message: 'Not Found' },
+              respond_not_found_when_forbidden: true }
+          end
+        end
+      end
+
+      it 'overrides the default status code' do
+        get :index, access_token: token_string
+        expect(response.status).to eq 404
+      end
+    end
+
+    context 'with a text custom render' do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_forbidden_render_options
+          def doorkeeper_forbidden_render_options(*)
+            { plain: 'Forbidden' }
+          end
+        end
+      end
+
+      it 'renders a custom status code and text response' do
+        get :index, access_token: token_string
+        expect(response.header).to_not include('WWW-Authenticate')
+        expect(response.status).to eq 403
+        expect(response.body).to eq('Forbidden')
+      end
+    end
+
+    context 'with a status and text custom render' do
+      before do
+        module ControllerActions
+          remove_method :doorkeeper_forbidden_render_options
+          def doorkeeper_forbidden_render_options(*)
+            { respond_not_found_when_forbidden: true, plain: 'Not Found' }
+          end
+        end
+      end
+
+      it 'overrides the default status code' do
+        get :index, access_token: token_string
+        expect(response.status).to eq 404
+      end
+    end
+  end
+end

data/spec/controllers/token_info_controller_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper_integration'
+
+describe Doorkeeper::TokenInfoController do
+  describe 'when requesting tokeninfo with valid token' do
+    let(:doorkeeper_token) { FactoryGirl.create(:access_token) }
+
+    before(:each) do
+      allow(controller).to receive(:doorkeeper_token) { doorkeeper_token }
+    end
+
+    def do_get
+      get :show
+    end
+
+    describe 'successful request' do
+
+      it 'responds with tokeninfo' do
+        do_get
+        expect(response.body).to eq(doorkeeper_token.to_json)
+      end
+
+      it 'responds with a 200 status' do
+        do_get
+        expect(response.status).to eq 200
+      end
+    end
+
+    describe 'invalid token response' do
+      before(:each) do
+        allow(controller).to receive(:doorkeeper_token).and_return(nil)
+      end
+      it 'responds with 401 when doorkeeper_token is not valid' do
+        do_get
+        expect(response.status).to eq 401
+        expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
+      end
+
+      it 'responds with 401 when doorkeeper_token is invalid, expired or revoked' do
+        allow(controller).to receive(:doorkeeper_token).and_return(doorkeeper_token)
+        allow(doorkeeper_token).to receive(:accessible?).and_return(false)
+        do_get
+        expect(response.status).to eq 401
+        expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
+      end
+
+      it 'responds body message for error' do
+        do_get
+        expect(response.body).to eq(Doorkeeper::OAuth::ErrorResponse.new(name: :invalid_request, status: :unauthorized).body.to_json)
+      end
+    end
+  end
+end

data/spec/controllers/tokens_controller_spec.rb

@@ -0,0 +1,88 @@
+require 'spec_helper_integration'
+
+describe Doorkeeper::TokensController do
+  describe 'when authorization has succeeded' do
+    let :token do
+      double(:token, authorize: true)
+    end
+
+    before do
+      allow(controller).to receive(:token) { token }
+    end
+
+    it 'returns the authorization' do
+      skip 'verify need of these specs'
+
+      expect(token).to receive(:authorization)
+
+      post :create
+    end
+  end
+
+  describe 'when authorization has failed' do
+    it 'returns the error response' do
+      token = double(:token, authorize: false)
+      allow(controller).to receive(:token) { token }
+
+      post :create
+
+      expect(response.status).to eq 401
+      expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
+    end
+  end
+
+  describe 'when there is a failure due to a custom error' do
+    it 'returns the error response with a custom message' do
+      # I18n looks for `doorkeeper.errors.messages.custom_message` in locale files
+      custom_message = "my_message"
+      allow(I18n).to receive(:translate).
+        with(
+          custom_message,
+          hash_including(scope: [:doorkeeper, :errors, :messages]),
+        ).
+        and_return('Authorization custom message')
+
+      doorkeeper_error = Doorkeeper::Errors::DoorkeeperError.new(custom_message)
+
+      strategy = double(:strategy)
+      request = double(token_request: strategy)
+      allow(strategy).to receive(:authorize).and_raise(doorkeeper_error)
+      allow(controller).to receive(:server).and_return(request)
+
+      post :create
+
+      expected_response_body = {
+        "error"             => custom_message,
+        "error_description" => "Authorization custom message"
+      }
+      expect(response.status).to eq 401
+      expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
+      expect(JSON.load(response.body)).to eq expected_response_body
+    end
+  end
+
+  describe 'when revoke authorization has failed' do
+    # http://tools.ietf.org/html/rfc7009#section-2.2
+    it 'returns no error response' do
+      token = double(:token, authorize: false, application_id?: true)
+      allow(controller).to receive(:token) { token }
+
+      post :revoke
+
+      expect(response.status).to eq 200
+    end
+  end
+
+  describe 'authorize response memoization' do
+    it "memoizes the result of the authorization" do
+      strategy = double(:strategy, authorize: true)
+      expect(strategy).to receive(:authorize).once
+      allow(controller).to receive(:strategy) { strategy }
+      allow(controller).to receive(:create) do
+        controller.send :authorize_response
+      end
+
+      post :create
+    end
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/spec/dummy/app/controllers/custom_authorizations_controller.rb

@@ -0,0 +1,7 @@
+class CustomAuthorizationsController < ::ApplicationController
+  %w(index show new create edit update destroy).each do |action|
+    define_method action do
+      render nothing: true
+    end
+  end
+end

data/spec/dummy/app/controllers/full_protected_resources_controller.rb

@@ -0,0 +1,12 @@
+class FullProtectedResourcesController < ApplicationController
+  before_action -> { doorkeeper_authorize! :write, :admin }, only: :show
+  before_action :doorkeeper_authorize!, only: :index
+
+  def index
+    render plain: 'index'
+  end
+
+  def show
+    render plain: 'show'
+  end
+end

data/spec/dummy/app/controllers/home_controller.rb

@@ -0,0 +1,17 @@
+class HomeController < ApplicationController
+  def index
+  end
+
+  def sign_in
+    session[:user_id] = if Rails.env.development?
+                          User.first || User.create!(name: 'Joe', password: 'sekret')
+                        else
+                          User.first
+                        end
+    redirect_to '/'
+  end
+
+  def callback
+    render plain: 'ok'
+  end
+end

data/spec/dummy/app/controllers/metal_controller.rb

@@ -0,0 +1,11 @@
+class MetalController < ActionController::Metal
+  include AbstractController::Callbacks
+  include ActionController::Head
+  include Doorkeeper::Rails::Helpers
+
+  before_action :doorkeeper_authorize!
+
+  def index
+    self.response_body = { ok: true }.to_json
+  end
+end