doorkeeper 0.5.0 → 0.6.0.rc1

data/lib/doorkeeper/models/{mongoid → mongoid2}/access_token.rb

@@ -18,6 +18,12 @@ module Doorkeeper
     index :token, :unique => true
     index :refresh_token, :unique => true, :sparse => true
 
+    def self.delete_all_for(application_id, resource_owner)
+      where(:application_id => application_id,
+            :resource_owner_id => resource_owner.id).delete_all
+    end
+    private_class_method :delete_all_for
+
     def self.last_authorized_token_for(application, resource_owner_id)
       where(:application_id => application.id,
             :resource_owner_id => resource_owner_id,

data/lib/doorkeeper/models/{mongoid → mongoid2}/application.rb

@@ -5,8 +5,6 @@ module Doorkeeper
 
     self.store_in :oauth_applications
 
-    has_many :authorized_tokens, :class_name => "Doorkeeper::AccessToken"
-
     field :name, :type => String
     field :uid, :type => String
     field :secret, :type => String
@@ -14,6 +12,8 @@ module Doorkeeper
 
     index :uid, :unique => true
 
+    has_many :authorized_tokens, :class_name => "Doorkeeper::AccessToken"
+
     def self.authorized_for(resource_owner)
       ids = AccessToken.where(:resource_owner_id => resource_owner.id, :revoked_at => nil).map(&:application_id)
       find(ids)

data/lib/doorkeeper/models/mongoid3/access_grant.rb

@@ -0,0 +1,22 @@
+require 'doorkeeper/models/mongoid/revocable'
+require 'doorkeeper/models/mongoid/scopes'
+
+module Doorkeeper
+  class AccessGrant
+    include Mongoid::Document
+    include Mongoid::Timestamps
+    include Doorkeeper::Models::Mongoid::Revocable
+    include Doorkeeper::Models::Mongoid::Scopes
+
+    self.store_in collection: :oauth_access_grants
+
+    field :resource_owner_id, :type => Moped::BSON::ObjectId
+    field :application_id, :type => Hash
+    field :token, :type => String
+    field :expires_in, :type => Integer
+    field :redirect_uri, :type => String
+    field :revoked_at, :type => DateTime
+
+    index({ token: 1 }, { unique: true })
+  end
+end

data/lib/doorkeeper/models/mongoid3/access_token.rb

@@ -0,0 +1,41 @@
+require 'doorkeeper/models/mongoid/revocable'
+require 'doorkeeper/models/mongoid/scopes'
+
+module Doorkeeper
+  class AccessToken
+    include Mongoid::Document
+    include Mongoid::Timestamps
+    include Doorkeeper::Models::Mongoid::Revocable
+    include Doorkeeper::Models::Mongoid::Scopes
+
+    self.store_in collection: :oauth_access_tokens
+
+    field :resource_owner_id, :type => Moped::BSON::ObjectId
+    field :token, :type => String
+    field :expires_in, :type => Integer
+    field :revoked_at, :type => DateTime
+
+    index({ token: 1 }, { unique: true })
+    index({ refresh_token: 1 }, { unique: true, sparse: true })
+
+    def self.delete_all_for(application_id, resource_owner)
+      where(:application_id => application_id,
+            :resource_owner_id => resource_owner.id).delete_all
+    end
+    private_class_method :delete_all_for
+
+    def self.last_authorized_token_for(application, resource_owner_id)
+      where(:application_id => application.id,
+            :resource_owner_id => resource_owner_id,
+            :revoked_at => nil).
+      order_by([:created_at, :desc]).
+      limit(1).
+      first
+    end
+    private_class_method :last_authorized_token_for
+
+    def refresh_token
+      self[:refresh_token]
+    end
+  end
+end

data/lib/doorkeeper/models/mongoid3/application.rb

@@ -0,0 +1,22 @@
+module Doorkeeper
+  class Application
+    include Mongoid::Document
+    include Mongoid::Timestamps
+
+    self.store_in collection: :oauth_applications
+
+    field :name, :type => String
+    field :uid, :type => String
+    field :secret, :type => String
+    field :redirect_uri, :type => String
+
+    index({ uid: 1 }, { unique: true })
+
+    has_many :authorized_tokens, :class_name => "Doorkeeper::AccessToken"
+
+    def self.authorized_for(resource_owner)
+      ids = AccessToken.where(:resource_owner_id => resource_owner.id, :revoked_at => nil).map(&:application_id)
+      find(ids)
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -2,31 +2,23 @@ module Doorkeeper
   module OAuth
     module Authorization
       class Code
-        include URIBuilder
+        attr_accessor :pre_auth, :resource_owner, :token
 
-        attr_accessor :authorization, :grant
-
-        def initialize(authorization)
-          @authorization = authorization
+        def initialize(pre_auth, resource_owner)
+          @pre_auth       = pre_auth
+          @resource_owner = resource_owner
         end
 
         def issue_token
-          @grant ||= AccessGrant.create!(
-            :application_id    => authorization.client.id,
-            :resource_owner_id => authorization.resource_owner.id,
+          @token ||= AccessGrant.create!(
+            :application_id    => pre_auth.client.id,
+            :resource_owner_id => resource_owner.id,
             :expires_in        => configuration.authorization_code_expires_in,
-            :redirect_uri      => authorization.redirect_uri,
-            :scopes            => authorization.scopes.to_s
+            :redirect_uri      => pre_auth.redirect_uri,
+            :scopes            => pre_auth.scopes.to_s
           )
         end
 
-        def callback
-          uri_with_query(authorization.redirect_uri, {
-            :code  => grant.token,
-            :state => authorization.state
-          })
-        end
-
         def configuration
           Doorkeeper.configuration
         end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -2,28 +2,18 @@ module Doorkeeper
   module OAuth
     module Authorization
       class Token
-        include URIBuilder
+        attr_accessor :pre_auth, :resource_owner, :token
 
-        attr_accessor :authorization, :access_token
-
-        def initialize(authorization)
-          @authorization = authorization
-        end
-
-        def callback
-          uri_with_fragment(authorization.redirect_uri, {
-            :access_token => access_token.token,
-            :token_type   => access_token.token_type,
-            :expires_in   => access_token.expires_in,
-            :state => authorization.state
-          })
+        def initialize(pre_auth, resource_owner)
+          @pre_auth       = pre_auth
+          @resource_owner = resource_owner
         end
 
         def issue_token
-          @access_token ||= AccessToken.create!({
-            :application_id    => authorization.client.id,
-            :resource_owner_id => authorization.resource_owner.id,
-            :scopes            => authorization.scopes.to_s,
+          @token ||= AccessToken.create!({
+            :application_id    => pre_auth.client.id,
+            :resource_owner_id => resource_owner.id,
+            :scopes            => pre_auth.scopes.to_s,
             :expires_in        => configuration.access_token_expires_in,
             :use_refresh_token => false
           })

data/lib/doorkeeper/oauth/authorization/uri_builder.rb

@@ -4,6 +4,8 @@ module Doorkeeper
       module URIBuilder
         include Rack::Utils
 
+        extend self
+
         def uri_with_query(url, parameters = {})
           uri            = URI.parse(url)
           original_query = parse_query(uri.query)

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -0,0 +1,82 @@
+module Doorkeeper
+  module OAuth
+    class AuthorizationCodeRequest
+      include Doorkeeper::Validations
+
+      validate :attributes,   :error => :invalid_request
+      validate :client,       :error => :invalid_client
+      validate :grant,        :error => :invalid_grant
+      validate :redirect_uri, :error => :invalid_grant
+
+      attr_accessor :server, :grant, :client, :redirect_uri
+
+      def initialize(server, grant, client, parameters = {})
+        @server = server
+        @client = client
+        @grant  = grant
+        @redirect_uri = parameters[:redirect_uri]
+      end
+
+      def authorize
+        validate
+        @response = if valid?
+          grant.revoke
+          find_or_create_access_token
+          TokenResponse.new access_token
+        else
+          ErrorResponse.from_request self
+        end
+      end
+
+      def valid?
+        self.error.nil?
+      end
+
+      def access_token
+        @access_token ||= Doorkeeper::AccessToken.matching_token_for client, grant.resource_owner_id, grant.scopes
+      end
+
+      private
+
+      def find_or_create_access_token
+        if access_token
+          access_token.expired? ? revoke_and_create_access_token : access_token
+        else
+          create_access_token
+        end
+      end
+
+      def revoke_and_create_access_token
+        access_token.revoke
+        create_access_token
+      end
+
+      def create_access_token
+        @access_token = Doorkeeper::AccessToken.create!({
+          :application_id    => grant.application_id,
+          :resource_owner_id => grant.resource_owner_id,
+          :scopes            => grant.scopes_string,
+          :expires_in        => server.access_token_expires_in,
+          :use_refresh_token => server.refresh_token_enabled?
+        })
+      end
+
+      def validate_attributes
+        redirect_uri.present?
+      end
+
+      def validate_client
+        !!client
+      end
+
+      def validate_grant
+        return false unless grant && grant.application_id == client.id
+        grant.accessible?
+      end
+
+      def validate_redirect_uri
+        grant.redirect_uri == redirect_uri
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/client_credentials_request.rb

@@ -1,9 +1,9 @@
 require 'doorkeeper/oauth/error'
 require 'doorkeeper/oauth/error_response'
 require 'doorkeeper/oauth/scopes'
+require 'doorkeeper/oauth/token_response'
 require 'doorkeeper/oauth/client_credentials/creator'
 require 'doorkeeper/oauth/client_credentials/issuer'
-require 'doorkeeper/oauth/client_credentials/response'
 require 'doorkeeper/oauth/client_credentials/validation'
 
 module Doorkeeper
@@ -11,7 +11,6 @@ module Doorkeeper
     class ClientCredentialsRequest
       attr_accessor :issuer, :server, :client, :original_scopes, :scopes
       attr_reader   :response
-      alias         :authorization :response  # Remove this when API is consistent
       alias         :error_response :response
 
       delegate :error, :to => :issuer
@@ -29,11 +28,10 @@ module Doorkeeper
       def authorize
         status = issuer.create(client, scopes)
         @response = if status
-          Response.new(issuer.token)
+          TokenResponse.new(issuer.token)
         else
           ErrorResponse.from_request(self)
         end
-        status
       end
 
       # TODO: duplicated code in all flows

data/lib/doorkeeper/oauth/code_request.rb

@@ -0,0 +1,28 @@
+module Doorkeeper
+  module OAuth
+    class CodeRequest
+      attr_accessor :pre_auth, :resource_owner, :client
+
+      def initialize(pre_auth, resource_owner)
+        @pre_auth       = pre_auth
+        @client         = pre_auth.client
+        @resource_owner = resource_owner
+      end
+
+      def authorize
+        @response = if pre_auth.authorizable?
+          auth = Authorization::Code.new(pre_auth, resource_owner)
+          auth.issue_token
+          CodeResponse.new pre_auth, auth
+        else
+          ErrorResponse.from_request pre_auth
+        end
+      end
+
+      def deny
+        pre_auth.error = :access_denied
+        ErrorResponse.from_request(pre_auth, :redirect_uri => pre_auth.redirect_uri)
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/code_response.rb

@@ -0,0 +1,37 @@
+module Doorkeeper
+  module OAuth
+    class CodeResponse
+      include Doorkeeper::OAuth::Authorization::URIBuilder
+      include Doorkeeper::OAuth::Helpers
+
+      attr_accessor :pre_auth, :auth, :response_on_fragment
+
+      def initialize(pre_auth, auth, options = {})
+        @pre_auth, @auth      = pre_auth, auth
+        @response_on_fragment = options[:response_on_fragment]
+      end
+
+      def redirectable?
+        true
+      end
+
+      # TODO: configure the test oauth path?
+      def redirect_uri
+        if URIChecker.test_uri? pre_auth.redirect_uri
+          "/oauth/authorize/#{auth.token.token}"
+        else
+          if response_on_fragment
+            uri_with_fragment(pre_auth.redirect_uri, {
+              :access_token => auth.token.token,
+              :token_type   => auth.token.token_type,
+              :expires_in   => auth.token.expires_in,
+              :state        => pre_auth.state
+            })
+          else
+            uri_with_query pre_auth.redirect_uri, :code => auth.token.token, :state => pre_auth.state
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/error_response.rb

@@ -1,30 +1,44 @@
 module Doorkeeper
   module OAuth
     class ErrorResponse
-      include ActiveModel::Serializers::JSON
+      include Doorkeeper::OAuth::Authorization::URIBuilder
 
-      self.include_root_in_json = false
-
-      def self.from_request(request)
+      def self.from_request(request, attributes = {})
         state = request.state if request.respond_to?(:state)
-        new(:name => request.error, :state => state)
+        new(attributes.merge(:name => request.error, :state => state))
       end
 
       delegate :name, :description, :state, :to => :@error
-      alias    :error :name
-      alias    :error_description :description
 
       def initialize(attributes = {})
         @error = Doorkeeper::OAuth::Error.new(*attributes.values_at(:name, :state))
+        @redirect_uri = attributes[:redirect_uri]
+        @response_on_fragment = attributes[:response_on_fragment]
       end
 
-      def attributes
-        { 'error' => name, 'error_description' => description, 'state' => state }.reject { |k, v| v.blank? }
+      def body
+        { :error => name, :error_description => description, :state => state }.reject { |k, v| v.blank? }
       end
 
       def status
         :unauthorized
       end
+
+      def redirectable?
+        (name != :invalid_redirect_uri) && (name != :invalid_client)
+      end
+
+      def redirect_uri
+        if @response_on_fragment
+          uri_with_fragment @redirect_uri, body
+        else
+          uri_with_query @redirect_uri, body
+        end
+      end
+
+      def headers
+        { 'Cache-Control' => 'no-store', 'Pragma' => 'no-cache' }
+      end
     end
   end
 end