doorkeeper 0.5.0 → 0.6.0.rc1

data/lib/doorkeeper/oauth/authorization_request.rb

@@ -1,114 +0,0 @@
-module Doorkeeper::OAuth
-  class AuthorizationRequest
-    include Doorkeeper::Validations
-    include Doorkeeper::OAuth::Authorization::URIBuilder
-    include Doorkeeper::OAuth::Helpers
-
-    ATTRIBUTES = [
-      :response_type,
-      :redirect_uri,
-      :scope,
-      :state
-    ]
-
-    validate :client,        :error => :invalid_client
-    validate :redirect_uri,  :error => :invalid_redirect_uri
-    validate :attributes,    :error => :invalid_request
-    validate :response_type, :error => :unsupported_response_type
-    validate :scope,         :error => :invalid_scope
-
-    attr_accessor *ATTRIBUTES
-    attr_accessor :resource_owner, :client, :error
-
-    def initialize(client, resource_owner, attributes)
-      ATTRIBUTES.each { |attr| instance_variable_set("@#{attr}", attributes[attr]) }
-      @resource_owner = resource_owner
-      @client         = client
-      validate
-    end
-
-    def authorize
-      return false unless valid?
-      @authorization = authorization_method.new(self)
-      @authorization.issue_token
-    end
-
-    def access_token_exists?
-      Doorkeeper::AccessToken.matching_token_for(client, resource_owner, scopes).present?
-    end
-
-    def deny
-      self.error = :access_denied
-    end
-
-    def error_response
-      Doorkeeper::OAuth::ErrorResponse.from_request(self)
-    end
-
-    def success_redirect_uri
-      @authorization.callback
-    end
-
-    def invalid_redirect_uri
-      uri_builder = is_token_request? ? :uri_with_fragment : :uri_with_query
-      send(uri_builder, redirect_uri, error_response.attributes)
-    end
-
-    def redirect_on_error?
-      (error != :invalid_redirect_uri) && (error != :invalid_client)
-    end
-
-    def scopes
-      @scopes ||= if scope.present?
-        Doorkeeper::OAuth::Scopes.from_string(scope)
-      else
-        Doorkeeper.configuration.default_scopes
-      end
-    end
-
-    def client_id
-      client.uid
-    end
-
-    private
-
-    def validate_attributes
-      response_type.present?
-    end
-
-    def validate_client
-      !!client
-    end
-
-    def validate_redirect_uri
-      return false unless redirect_uri
-      URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
-    end
-
-    def validate_response_type
-      is_code_request? || is_token_request?
-    end
-
-    def validate_scope
-      return true unless scope.present?
-      ScopeChecker.valid?(scope, configuration.scopes)
-    end
-
-    def is_code_request?
-      response_type == "code"
-    end
-
-    def is_token_request?
-      response_type == "token"
-    end
-
-    def configuration
-      Doorkeeper.configuration
-    end
-
-    def authorization_method
-      klass = is_code_request? ? "Code" : "Token"
-      "Doorkeeper::OAuth::Authorization::#{klass}".constantize
-    end
-  end
-end

data/lib/doorkeeper/oauth/client_credentials/response.rb

@@ -1,42 +0,0 @@
-require 'active_model'
-
-module Doorkeeper
-  module OAuth
-    class ClientCredentialsRequest
-      class Response
-        include ActiveModel::Serializers::JSON
-
-        self.include_root_in_json = false
-
-        delegate :token, :expires_in, :scopes_string, :to => :@token
-        alias    :access_token :token
-        alias    :scope :scopes_string
-
-        def initialize(token)
-          @token = token
-        end
-
-        def attributes
-          {
-            'access_token' => token,
-            'token_type'   => token_type,
-            'expires_in'   => expires_in,
-            'scope'        => scopes_string
-          }
-        end
-
-        def status
-          :success
-        end
-
-        def token_type
-          'bearer'
-        end
-
-        def headers
-          { 'Cache-Control' => 'no-store', 'Pragma' => 'no-cache' }
-        end
-      end
-    end
-  end
-end

data/spec/lib/oauth/access_token_request_spec.rb

@@ -1,246 +0,0 @@
-require 'spec_helper_integration'
-
-module Doorkeeper::OAuth
-  describe AccessTokenRequest do
-    let(:client) { FactoryGirl.create(:application) }
-    let(:grant)  { FactoryGirl.create(:access_grant, :application => client) }
-    let(:params) {
-      {
-        :code          => grant.token,
-        :grant_type    => "authorization_code",
-        :redirect_uri  => client.redirect_uri
-      }
-    }
-
-    describe "with a valid authorization code and client" do
-      subject { AccessTokenRequest.new(client, params) }
-
-      before { subject.authorize }
-
-      it { should be_valid }
-      its(:token_type)    { should == "bearer" }
-      its(:error)         { should be_nil }
-      its(:refresh_token) { should be_nil }
-
-      it "has an access token" do
-        subject.access_token.token.should =~ /\w+/
-      end
-    end
-
-    describe "creating the access token" do
-      subject { AccessTokenRequest.new(client, params) }
-
-      it "creates with correct params" do
-        Doorkeeper::AccessToken.should_receive(:create!).with({
-          :application_id    => client.id,
-          :resource_owner_id => grant.resource_owner_id,
-          :expires_in        => 2.hours,
-          :scopes            =>"public write",
-          :use_refresh_token => false,
-        })
-        subject.authorize
-      end
-    end
-
-    describe "with a valid authorization code, client and existing valid access token" do
-      subject { AccessTokenRequest.new(client, params) }
-
-      before { subject.authorize }
-      it { should be_valid }
-      its(:error)         { should be_nil }
-
-      it "will not create a new token" do
-        subject.should_not_receive(:create_access_token)
-        subject.authorize
-      end
-    end
-
-    describe "with a valid authorization code, client and existing expired access token" do
-      before do
-        AccessTokenRequest.new(client, params).authorize
-        last_token = Doorkeeper::AccessToken.last
-        # TODO: make this better, maybe with an expire! method?
-        last_token.update_column :created_at, 10.days.ago
-      end
-
-      it "will create a new token" do
-        grant = FactoryGirl.create(:access_grant, :application => client)
-        authorization = AccessTokenRequest.new(client, params.merge(:code => grant.token))
-        expect {
-          authorization.authorize
-        }.to change { Doorkeeper::AccessToken.count }.by(1)
-      end
-    end
-
-    describe "finding the current access token" do
-      subject { AccessTokenRequest.new(client, params) }
-      it { should be_valid }
-      its(:error)         { should be_nil }
-
-      before { subject.authorize }
-
-      it "should find the access token and not create a new one" do
-        subject.should_not_receive(:create_access_token)
-        access_token = subject.authorize
-        subject.access_token.should eq(access_token)
-      end
-    end
-
-    describe "creating the first access_token" do
-      subject { AccessTokenRequest.new(client, params) }
-      it { should be_valid }
-      its(:error)         { should be_nil }
-
-      it "should create a new access token" do
-        subject.should_receive(:create_access_token)
-        subject.authorize
-      end
-    end
-
-    describe "with errors" do
-      def token(params)
-        AccessTokenRequest.new(client, params)
-      end
-
-      it "includes the error in the response" do
-        access_token = token(params.except(:grant_type))
-        access_token.error_response.name.should == :invalid_request
-      end
-
-      [:grant_type, :code, :redirect_uri].each do |param|
-        describe "when :#{param} is missing" do
-          subject     { token(params.except(param)) }
-          its(:error) { should == :invalid_request }
-        end
-      end
-
-      describe "when client is not present" do
-        subject     { AccessTokenRequest.new(nil, params) }
-        its(:error) { should == :invalid_client }
-      end
-
-      describe "when :code does not exist" do
-        subject     { token(params.merge(:code => "inexistent")) }
-        its(:error) { should == :invalid_grant }
-      end
-
-      describe "when :redirect_uri does not match with grant's one" do
-        subject     { token(params.merge(:redirect_uri => "another")) }
-        its(:error) { should == :invalid_grant }
-      end
-
-      describe "when :grant_type is not 'authorization_code'" do
-        subject     { token(params.merge(:grant_type => "invalid")) }
-        its(:error) { should == :unsupported_grant_type }
-      end
-
-      describe "when granted application does not match" do
-        subject { token(params) }
-
-        before do
-          grant.application = FactoryGirl.create(:application)
-          grant.save!
-        end
-
-        its(:error) { should == :invalid_grant }
-      end
-
-      describe "when :code is expired" do
-        it "error is :invalid_grant" do
-          grant # create grant instance
-          Timecop.freeze(Time.now + 700.seconds) do
-            expired = token(params)
-            expired.error.should == :invalid_grant
-          end
-        end
-      end
-    end
-  end
-
-  describe AccessTokenRequest, "refresh token" do
-    let(:client) { FactoryGirl.create(:application) }
-    let(:access) { FactoryGirl.create(:access_token, :application => client, :use_refresh_token => true) }
-    let(:params) {
-      {
-        :refresh_token => access.refresh_token,
-        :grant_type    => "refresh_token",
-      }
-    }
-
-    before do
-      Doorkeeper.configure { 
-        orm DOORKEEPER_ORM
-        use_refresh_token 
-      }
-    end
-
-    describe "with a valid authorization code and client" do
-      subject { AccessTokenRequest.new(client, params) }
-
-      before do
-        subject.authorize
-      end
-
-      it { should be_valid }
-      its(:token_type)    { should == "bearer" }
-      its(:error)         { should be_nil }
-      its(:refresh_token) { should_not be_nil }
-
-      it "has an access token" do
-        subject.access_token.token.should =~ /\w+/
-      end
-    end
-
-    describe "with errors" do
-      def token(params)
-        AccessTokenRequest.new(client, params)
-      end
-
-      it "includes the error in the response" do
-        access_token = token(params.except(:grant_type))
-        access_token.error_response.name.should == :invalid_request
-      end
-
-      [:grant_type, :refresh_token].each do |param|
-        describe "when :#{param} is missing" do
-          subject     { token(params.except(param)) }
-          its(:error) { should == :invalid_request }
-        end
-      end
-
-      describe "when client is not present" do
-        subject     { AccessTokenRequest.new(nil, params) }
-        its(:error) { should == :invalid_client }
-      end
-
-      describe "when :refresh_token does not exist" do
-        subject     { token(params.merge(:refresh_token => "inexistent")) }
-        its(:error) { should == :invalid_grant }
-      end
-
-      describe "when :grant_type is not 'refresh_token'" do
-        subject     { token(params.merge(:grant_type => "invalid")) }
-        its(:error) { should == :invalid_request }
-      end
-
-      describe "when granted application does not match" do
-        subject { token(params) }
-
-        before do
-          access.application = FactoryGirl.create(:application)
-          access.save!
-        end
-
-        its(:error) { should == :invalid_grant }
-      end
-
-      describe "when :refresh_token is revoked" do
-        it "error is :invalid_grant" do
-          access.revoke # create grant instance
-          revoked = token(params)
-          revoked.error.should == :invalid_grant
-        end
-      end
-    end
-  end
-end

data/spec/lib/oauth/authorization_request_spec.rb

@@ -1,287 +0,0 @@
-require 'spec_helper_integration'
-
-module Doorkeeper::OAuth
-  describe AuthorizationRequest do
-    let(:resource_owner) { double(:resource_owner, :id => 1) }
-    let(:client)         { FactoryGirl.create(:application) }
-    let(:base_attributes) do
-      {
-        :redirect_uri  => client.redirect_uri,
-        :scope         => "public write",
-        :state         => "return-this"
-      }
-    end
-
-    before :each do
-      Doorkeeper.configuration.stub(:confirm_application_owner?).and_return(false)
-      Doorkeeper.configuration.stub(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string('public write'))
-    end
-
-    describe "with a code response_type" do
-      let(:attributes) { base_attributes.merge!(:response_type => "code") }
-
-      describe "with valid attributes" do
-        subject { AuthorizationRequest.new(client, resource_owner, attributes) }
-
-        describe "after authorization" do
-          before { subject.authorize }
-
-          its(:response_type) { should == "code" }
-          its(:client_id)     { should == client.uid }
-          its(:scope)         { should == "public write" }
-          its(:state)         { should == "return-this" }
-          its(:error)         { should be_nil }
-
-          describe ".success_redirect_uri" do
-            let(:query) { URI.parse(subject.success_redirect_uri).query }
-
-            it "includes the grant code" do
-              query.should =~ %r{code=\w+}
-            end
-
-            it "includes the state previous assumed" do
-              query.should =~ %r{state=return-this}
-            end
-          end
-        end
-
-        describe :authorize do
-          let(:authorization_request) { AuthorizationRequest.new(client, resource_owner, attributes) }
-          subject { authorization_request.authorize }
-
-          it "returns Doorkeeper::AccessGrant object" do
-            subject.is_a? Doorkeeper::AccessGrant
-          end
-
-          it "returns instance saved in the database" do
-            subject.should be_persisted
-          end
-
-          it "returns object that has scopes attribute same as scope attribute of authorization request" do
-            subject.scopes == authorization_request.scope
-          end
-        end
-      end
-
-      describe "with a redirect_uri with query params" do
-        let(:original_query_params) { "abc=123&def=456" }
-        let(:attributes_with_query_params) {
-          u = URI.parse(client.redirect_uri)
-          u.query = original_query_params
-          attributes[:redirect_uri] = u.to_s
-          attributes
-        }
-        subject { AuthorizationRequest.new(client, resource_owner, attributes_with_query_params) }
-
-        it "preservers the original query when error"
-
-        describe "after authorization" do
-          before { subject.authorize }
-
-          describe ".success_redirect_uri" do
-            let(:query) { URI.parse(subject.success_redirect_uri).query }
-
-            it "includes the grant code" do
-              query.should =~ %r{code=\w+}
-            end
-
-            it "includes the state previous assumed" do
-              query.should =~ %r{state=return-this}
-            end
-
-            it "preserves the original query parameters" do
-              query.should =~ /abc=123/
-              query.should =~ /def=456/
-            end
-          end
-        end
-      end
-
-      describe "if no scope given" do
-        it "sets the scope to the default one" do
-          request = AuthorizationRequest.new(client, resource_owner, attributes.except(:scope))
-          request.scopes.to_s.should == "public write"
-        end
-      end
-
-      describe "with errors" do
-        before do
-          Doorkeeper::AccessGrant.should_not_receive(:create)
-        end
-
-        describe "when :response_type is missing" do
-          subject     { auth(attributes.except(:response_type)) }
-          its(:error) { should == :invalid_request }
-        end
-
-        describe "when :redirect_uri is missing" do
-          subject     { auth(attributes.except(:redirect_uri)) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when client is not present" do
-          subject     { AuthorizationRequest.new(nil, resource_owner, attributes) }
-          its(:error) { should == :invalid_client }
-        end
-
-        describe "when :redirect_uri mismatches" do
-          subject     { auth(attributes.merge(:redirect_uri => "http://example.com/mismatch")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri contains a fragment" do
-          subject     { auth(attributes.merge(:redirect_uri => (client.redirect_uri + "#abc"))) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri is not a valid URI" do
-          subject     { auth(attributes.merge(:redirect_uri => "invalid")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :response_type is not 'code' or 'token'" do
-          subject     { auth(attributes.merge(:response_type => "invalid")) }
-          its(:error) { should == :unsupported_response_type }
-        end
-
-        describe "when :scope contains scopes that are note registered in the provider" do
-          subject     { auth(attributes.merge(:scope => "public strange")) }
-          its(:error) { should == :invalid_scope }
-        end
-      end
-    end
-
-    describe "with a token response_type" do
-      before do
-        Doorkeeper.configuration.stub(:access_token_expires_in).and_return(7200)
-      end
-
-      let(:attributes) { base_attributes.merge!(:response_type => "token") }
-
-      describe "with valid attributes" do
-        subject { AuthorizationRequest.new(client, resource_owner, attributes) }
-
-        describe "after authorization" do
-          before { subject.authorize }
-
-          its(:response_type) { should == "token" }
-          its(:scope)         { should == "public write" }
-          its(:state)         { should == "return-this" }
-          its(:error)         { should be_nil }
-
-          describe ".success_redirect_uri" do
-            let(:fragment) { URI.parse(subject.success_redirect_uri).fragment }
-
-            it "has a fragment" do
-              fragment.should_not be_nil
-            end
-
-            it "doesn't have query parameters" do
-              URI.parse(subject.success_redirect_uri).query.should be_nil
-            end
-
-            it "includes the access token" do
-              fragment.should =~ %r{access_token=\w+}
-            end
-
-            it "includes the token type" do
-              fragment.should =~ %r{token_type=bearer}
-            end
-
-            it "includes the expires in" do
-              fragment.should =~ %r{expires_in=\w+}
-            end
-
-            it "includes the state previous assumed" do
-              fragment.should =~ %r{state=return-this}
-            end
-          end
-        end
-
-        describe :authorize do
-          let(:authorization_request) { AuthorizationRequest.new(client, resource_owner, attributes) }
-          subject { authorization_request.authorize }
-
-          it "returns Doorkeeper::AccessGrant object" do
-            subject.is_a? Doorkeeper::AccessGrant
-          end
-
-          it "returns instance saved in the database" do
-            subject.should be_persisted
-          end
-
-          it "returns object that has scopes attribute same as scope attribute of authorization request" do
-            subject.scopes == authorization_request.scope
-          end
-        end
-      end
-
-      describe "if no scope given" do
-        it "sets the scope to the default one" do
-          request = AuthorizationRequest.new(client, resource_owner, attributes.except(:scope))
-          request.scopes.to_s.should == "public write"
-        end
-      end
-
-      describe "with errors" do
-        before do
-          Doorkeeper::AccessGrant.should_not_receive(:create)
-        end
-
-        describe "when :response_type is missing" do
-          subject     { auth(attributes.except(:response_type)) }
-          its(:error) { should == :invalid_request }
-        end
-
-        describe "when :redirect_uri is missing" do
-          subject     { auth(attributes.except(:redirect_uri)) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when client is not present" do
-          subject     { AuthorizationRequest.new(nil, resource_owner, attributes) }
-          its(:error) { should == :invalid_client }
-        end
-
-        describe "when :redirect_uri has a fragment" do
-          subject { auth(attributes.merge(:redirect_uri => client.redirect_uri + "#xyz")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri is a relative URI" do
-          subject { auth(attributes.merge(:redirect_uri => "/abcdef")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri mismatches" do
-          subject     { auth(attributes.merge(:redirect_uri => "http://example.com/mismatch")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri contains a fragment" do
-          subject     { auth(attributes.merge(:redirect_uri => (client.redirect_uri + "#abc"))) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :redirect_uri is not a valid URI" do
-          subject     { auth(attributes.merge(:redirect_uri => "invalid")) }
-          its(:error) { should == :invalid_redirect_uri }
-        end
-
-        describe "when :response_type is not 'code' or 'token'" do
-          subject     { auth(attributes.merge(:response_type => "invalid")) }
-          its(:error) { should == :unsupported_response_type }
-        end
-
-        describe "when :scope contains scopes that are note registered in the provider" do
-          subject     { auth(attributes.merge(:scope => "public strange")) }
-          its(:error) { should == :invalid_scope }
-        end
-      end
-    end
-
-    def auth(attributes)
-      AuthorizationRequest.new(client, resource_owner, attributes)
-    end
-  end
-end