doorkeeper 2.1.3 → 2.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1d2ce14647afc9a16514c9f3b340eb31b8b24f88
-  data.tar.gz: fa3a726152a14c5496abb9433a1ea92f0d588b9f
+  metadata.gz: f81bfc8acb70b14d07f1d1cfa39d608b70488890
+  data.tar.gz: e27b15693c23faf2348358e307757a0cdf088e7d
 SHA512:
-  metadata.gz: f9877675927e23991fd103d4e08480270e1dc5d365f3ba7fd4bf1fd1cce5a27c916a56572c0e5f9083c76be0850f128fa2baf5628679910e3f5efd68a46e4bcd
-  data.tar.gz: 684c840627ac5e3b7a6eeddac43c3ef758222f5b2296021c3686cbb51bdc50a701269cd80bec2164c24fd5be4bb668f5b3ed63ec9bb492fcab1e2406ff229424
+  metadata.gz: f0981eb39aba13e7191309b2d6703d58c175dd28df746867b1b466f9a62c9e5978f705f7df617268d082a210ff4bc5da1206a17849a0e1b0ee87746cf96d77fb
+  data.tar.gz: 207f6e7ec14a8369e3c27ee9af38a87d273556681438938c61c80454dd23628c838b2ff4c8e462e49ce6ed0cdfcf99481fb9c54b5b8752422a598c9bf238d78b

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2.1.4
+
+- [#595] HTTP spec: Add `scope` for refresh token scope param
+- [#596] Limit scopes in app scopes for client credentials
+- [#567] Add Grape helpers for easier integration with Grape framework
+- [#606] Add custom access token expiration support for Client Credentials flow
+
+
 ## 2.1.3
 
 - [#588] Fixes scopes_match? bug that skipped authorization form in some cases

data/README.md

@@ -5,7 +5,11 @@
 [![Code Climate](https://codeclimate.com/github/applicake/doorkeeper.svg)](https://codeclimate.com/github/applicake/doorkeeper)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
 
-Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider functionality to your application.
+Doorkeeper is a gem that makes it easy to introduce OAuth 2 provider
+functionality to your Rails or Grape application.
+
+[PR 567]: https://github.com/doorkeeper-gem/doorkeeper/pull/567
+
 
 ## Documentation valid for `master` branch
 
@@ -25,6 +29,7 @@ https://github.com/doorkeeper-gem/doorkeeper/releases.
     - [Routes](#routes)
     - [Authenticating](#authenticating)
 - [Protecting resources with OAuth (a.k.a your API endpoint)](#protecting-resources-with-oauth-aka-your-api-endpoint)
+    - [Protect your API with OAuth when using Grape](#protect-your-api-with-oauth-when-using-grape)
     - [Route Constraints and other integrations](#route-constraints-and-other-integrations)
     - [Access Token Scopes](#access-token-scopes)
     - [Authenticated resource owner](#authenticated-resource-owner)
@@ -169,6 +174,36 @@ end
 You can pass any option `before_action` accepts, such as `if`, `only`,
 `except`, and others.
 
+### Protect your API with OAuth when using Grape
+
+As of [PR 567] doorkeeper has helpers for Grape. One of them is
+`doorkeeper_authorize!` and can be used in a similar way as an example above.
+Note that you have to use `require 'doorkeeper/grape/helpers'` and
+`helpers Doorkeeper::Grape::Helpers`.
+
+For more information about integration with Grape see the [Wiki].
+
+[PR 567]: https://github.com/doorkeeper-gem/doorkeeper/pull/567
+[Wiki]: https://github.com/doorkeeper-gem/doorkeeper/wiki/Grape-Integration
+
+``` ruby
+require 'doorkeeper/grape/helpers'
+
+module API
+  module V1
+    class Users < Grape::API
+      helpers Doorkeeper::Grape::Helpers
+
+      before do
+        doorkeeper_authorize!
+      end
+
+      # ...
+    end
+  end
+end
+```
+
 
 ### Route Constraints and other integrations
 

data/gemfiles/Gemfile.common.rb

@@ -1,4 +1,4 @@
-ENV['rails'] ||= '4.2.0.rc2'
+ENV['rails'] ||= '4.2.0'
 
 source 'https://rubygems.org'
 

data/lib/doorkeeper/grape/authorization_decorator.rb

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module Grape
+    class AuthorizationDecorator < SimpleDelegator
+      def parameters
+        params
+      end
+
+      def authorization
+        env = __getobj__.env
+        env['HTTP_AUTHORIZATION'] ||
+          env['X-HTTP_AUTHORIZATION'] ||
+          env['X_HTTP_AUTHORIZATION'] ||
+          env['REDIRECT_X_HTTP_AUTHORIZATION']
+      end
+    end
+  end
+end

data/lib/doorkeeper/grape/helpers.rb

@@ -0,0 +1,46 @@
+require 'doorkeeper/grape/authorization_decorator'
+
+module Doorkeeper
+  module Grape
+    module Helpers
+      extend ::Grape::API::Helpers
+      include Doorkeeper::Rails::Helpers
+
+      # endpoint specific scopes > parameter scopes > default scopes
+      def doorkeeper_authorize!(*scopes)
+        endpoint_scopes = env['api.endpoint'].options[:route_options][:scopes]
+        scopes = if endpoint_scopes
+                   Doorkeeper::OAuth::Scopes.from_array(endpoint_scopes)
+                 elsif scopes && !scopes.empty?
+                   Doorkeeper::OAuth::Scopes.from_array(scopes)
+                 end
+
+        super(*scopes)
+      end
+
+      def doorkeeper_render_error_with(error)
+        status_code = case error.status
+                      when :unauthorized
+                        401
+                      when :forbidden
+                        403
+                      end
+
+        error!({ error: error.description }, status_code)
+      end
+
+      private
+
+      def doorkeeper_token
+        @_doorkeeper_token ||= OAuth::Token.authenticate(
+          decorated_request,
+          *Doorkeeper.configuration.access_token_methods
+        )
+      end
+
+      def decorated_request
+        AuthorizationDecorator.new(request)
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -24,11 +24,13 @@ module Doorkeeper
         private
 
         def create_token(client, scopes, creator)
+          ttl = Authorization::Token.access_token_expires_in(@server, client)
+
           creator.call(
             client,
             scopes,
             use_refresh_token: false,
-            expires_in: @server.access_token_expires_in
+            expires_in: ttl
           )
         end
       end

data/lib/doorkeeper/oauth/client_credentials/validation.rb

@@ -25,7 +25,7 @@ module Doorkeeper
         end
 
         def validate_scopes
-          return true unless @request.original_scopes.present?
+          return true unless @request.scopes.present?
 
           application_scopes = if @client.present?
                                  @client.application.scopes
@@ -34,7 +34,7 @@ module Doorkeeper
                                end
 
           ScopeChecker.valid?(
-            @request.original_scopes,
+            @request.scopes.to_s,
             @server.scopes,
             application_scopes
           )

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -18,7 +18,7 @@ module Doorkeeper
         @server          = server
         @refresh_token   = refresh_token
         @credentials     = credentials
-        @original_scopes = parameters[:scopes]
+        @original_scopes = parameters[:scope] || parameters[:scopes]
         @refresh_token_parameter = parameters[:refresh_token]
 
         if credentials

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = '2.1.3'
+  VERSION = '2.1.4'
 end

data/spec/dummy/app/controllers/full_protected_resources_controller.rb

@@ -1,5 +1,5 @@
 class FullProtectedResourcesController < ApplicationController
-  before_filter -> { doorkeeper_authorize! :admin }, only: :show
+  before_filter -> { doorkeeper_authorize! :write, :admin }, only: :show
   before_filter :doorkeeper_authorize!, only: :index
 
   def index

data/spec/factories.rb

@@ -21,4 +21,6 @@ FactoryGirl.define do
     sequence(:name) { |n| "Application #{n}" }
     redirect_uri 'https://app.com/callback'
   end
+
+  factory :user
 end

data/spec/lib/oauth/client_credentials/issuer_spec.rb

@@ -5,7 +5,13 @@ require 'doorkeeper/oauth/client_credentials/issuer'
 class Doorkeeper::OAuth::ClientCredentialsRequest
   describe Issuer do
     let(:creator) { double :acces_token_creator }
-    let(:server)  { double :server, access_token_expires_in: 100 }
+    let(:server) do
+      double(
+        :server,
+        access_token_expires_in: 100,
+        custom_access_token_expires_in: ->(_app) { nil }
+      )
+    end
     let(:validation) { double :validation, valid?: true }
 
     subject { Issuer.new(server, validation) }
@@ -55,6 +61,26 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
           expect(subject.create(client, scopes, creator)).to be_falsey
         end
       end
+
+      context 'with custom expirations' do
+        let(:custom_ttl) { 1233 }
+        let(:server) do
+          double(
+            :server,
+            custom_access_token_expires_in: ->(_app) { custom_ttl }
+          )
+        end
+
+        it 'creates with correct token parameters' do
+          expect(creator).to receive(:call).with(
+            client,
+            scopes,
+            expires_in: custom_ttl,
+            use_refresh_token: false
+          )
+          subject.create client, scopes, creator
+        end
+      end
     end
   end
 end

data/spec/lib/oauth/client_credentials/validation_spec.rb

@@ -7,7 +7,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
     let(:server)      { double :server, scopes: nil }
     let(:application) { double scopes: nil }
     let(:client)      { double application: application }
-    let(:request)     { double :request, client: client, original_scopes: nil }
+    let(:request)     { double :request, client: client, scopes: nil }
 
     subject { Validation.new(server, request) }
 
@@ -24,7 +24,8 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
       it 'is invalid when scopes are not included in the server' do
         server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email'
         allow(server).to receive(:scopes).and_return(server_scopes)
-        allow(request).to receive(:original_scopes).and_return('invalid')
+        allow(request).to receive(:scopes).and_return(
+          Doorkeeper::OAuth::Scopes.from_string 'invalid')
         expect(subject).not_to be_valid
       end
 
@@ -34,7 +35,7 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
           server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
           allow(application).to receive(:scopes).and_return(application_scopes)
           allow(server).to receive(:scopes).and_return(server_scopes)
-          allow(request).to receive(:original_scopes).and_return('app')
+          allow(request).to receive(:scopes).and_return(application_scopes)
           expect(subject).to be_valid
         end
 
@@ -43,7 +44,8 @@ class Doorkeeper::OAuth::ClientCredentialsRequest
           server_scopes = Doorkeeper::OAuth::Scopes.from_string 'email app'
           allow(application).to receive(:scopes).and_return(application_scopes)
           allow(server).to receive(:scopes).and_return(server_scopes)
-          allow(request).to receive(:original_scopes).and_return('email')
+          allow(request).to receive(:scopes).and_return(
+            Doorkeeper::OAuth::Scopes.from_string 'email')
           expect(subject).not_to be_valid
         end
       end

data/spec/lib/oauth/client_credentials_request_spec.rb

@@ -5,8 +5,14 @@ require 'doorkeeper/oauth/client_credentials_request'
 
 module Doorkeeper::OAuth
   describe ClientCredentialsRequest do
-    let(:server) { double default_scopes: nil }
-    let(:client) { double }
+    let(:server) do
+      double(
+        default_scopes: nil,
+        custom_access_token_expires_in: ->(_app) { nil }
+      )
+    end
+    let(:application)   { double :application, scopes: Scopes.from_string('') }
+    let(:client)        { double :client, application: application }
     let(:token_creator) { double :issuer, create: true, token: double }
 
     subject { ClientCredentialsRequest.new(server, client) }
@@ -60,5 +66,39 @@ module Doorkeeper::OAuth
         subject.authorize
       end
     end
+
+    context 'with restricted client' do
+      let(:default_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string('public email')
+      end
+      let(:server_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string('public email phone')
+      end
+      let(:client_scopes) do
+        Doorkeeper::OAuth::Scopes.from_string('public phone')
+      end
+
+      before do
+        allow(server).to receive(:default_scopes).and_return(default_scopes)
+        allow(server).to receive(:scopes).and_return(server_scopes)
+        allow(server).to receive(:access_token_expires_in).and_return(100)
+        allow(application).to receive(:scopes).and_return(client_scopes)
+        allow(client).to receive(:id).and_return(nil)
+      end
+
+      it 'delegates the error to issuer if no scope was requested' do
+        subject = ClientCredentialsRequest.new(server, client)
+        subject.authorize
+        expect(subject.response).to be_a(Doorkeeper::OAuth::ErrorResponse)
+        expect(subject.error).to eq(:invalid_scope)
+      end
+
+      it 'issues an access token with requested scopes' do
+        subject = ClientCredentialsRequest.new(server, client, scope: 'phone')
+        subject.authorize
+        expect(subject.response).to be_a(Doorkeeper::OAuth::TokenResponse)
+        expect(subject.response.token.scopes_string).to eq('phone')
+      end
+    end
   end
 end

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -82,6 +82,21 @@ module Doorkeeper::OAuth
         subject.validate
         expect(subject.error).to eq(:invalid_scope)
       end
+
+      it 'uses params[:scope] in favor of scopes if present (valid)' do
+        parameters[:scopes] = 'public update'
+        parameters[:scope] = 'public'
+        subject.authorize
+        expect(Doorkeeper::AccessToken.last.scopes).to eq([:public])
+      end
+
+      it 'uses params[:scope] in favor of scopes if present (invalid)' do
+        parameters[:scopes] = 'public'
+        parameters[:scope] = 'public update'
+
+        subject.validate
+        expect(subject.error).to eq(:invalid_scope)
+      end
     end
 
   end

data/spec/models/doorkeeper/application_spec.rb

@@ -2,8 +2,6 @@ require 'spec_helper_integration'
 
 module Doorkeeper
   describe Application do
-    include OrmHelper
-
     let(:require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', true) }
     let(:unset_require_owner) { Doorkeeper.configuration.instance_variable_set('@confirm_application_owner', false) }
     let(:new_application) { FactoryGirl.build(:application) }
@@ -32,7 +30,7 @@ module Doorkeeper
       context 'application owner is required' do
         before(:each) do
           require_owner
-          @owner = mock_application_owner
+          @owner = FactoryGirl.build_stubbed(:user)
         end
 
         it 'is invalid without an owner' do

data/spec/requests/protected_resources/private_api_spec.rb

@@ -40,19 +40,31 @@ feature 'Private API' do
     expect(page.body).to have_content('index')
   end
 
-  scenario 'access token with no scopes' do
-    optional_scopes_exist :admin
+  scenario 'access token with no allowed scopes' do
     @token.update_attribute :scopes, nil
     with_access_token_header @token.token
     visit '/full_protected_resources/1.json'
     response_status_should_be 403
   end
 
-  scenario 'access token with default scope' do
-    default_scopes_exist :admin
+  scenario 'access token with one of allowed scopes' do
     @token.update_attribute :scopes, 'admin'
     with_access_token_header @token.token
     visit '/full_protected_resources/1.json'
     expect(page.body).to have_content('show')
   end
+
+  scenario 'access token with another of allowed scopes' do
+    @token.update_attribute :scopes, 'write'
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    expect(page.body).to have_content('show')
+  end
+
+  scenario 'access token with both allowed scopes' do
+    @token.update_attribute :scopes, 'write admin'
+    with_access_token_header @token.token
+    visit '/full_protected_resources/1.json'
+    expect(page.body).to have_content('show')
+  end
 end

data/spec/support/orm/active_record.rb

@@ -1,11 +1,3 @@
 # load schema to in memory sqlite
 ActiveRecord::Migration.verbose = false
 load Rails.root + 'db/schema.rb'
-
-module Doorkeeper
-  module OrmHelper
-    def mock_application_owner
-      mock_model 'User', id: 1234
-    end
-  end
-end

data/spec/support/orm/mongo_mapper.rb

@@ -8,18 +8,3 @@ RSpec.configure do |config|
     Doorkeeper::AccessToken.create_indexes
   end
 end
-
-module Doorkeeper
-  class PlaceholderApplicationOwner
-    include MongoMapper::Document
-
-    set_collection_name 'placeholder_application_owners'
-    many :applications, class: Doorkeeper::Application
-  end
-
-  module OrmHelper
-    def mock_application_owner
-      PlaceholderApplicationOwner.new
-    end
-  end
-end

data/spec/support/orm/mongoid.rb

@@ -8,23 +8,3 @@ RSpec.configure do |config|
     Doorkeeper::AccessToken.create_indexes
   end
 end
-
-module Doorkeeper
-  class PlaceholderApplicationOwner
-    include Mongoid::Document
-
-    if ::Mongoid::VERSION >= '3'
-      self.store_in collection: :placeholder_application_owners
-    else
-      self.store_in :placeholder_application_owners
-    end
-
-    has_many :applications
-  end
-
-  module OrmHelper
-    def mock_application_owner
-      PlaceholderApplicationOwner.new
-    end
-  end
-end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 2.1.3
+  version: 2.1.4
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-01 00:00:00.000000000 Z
+date: 2015-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -220,6 +220,8 @@ files:
 - lib/doorkeeper/errors.rb
 - lib/doorkeeper/generators/doorkeeper/mongo_mapper/indexes_generator.rb
 - lib/doorkeeper/generators/doorkeeper/mongo_mapper/templates/indexes.rb
+- lib/doorkeeper/grape/authorization_decorator.rb
+- lib/doorkeeper/grape/helpers.rb
 - lib/doorkeeper/helpers/controller.rb
 - lib/doorkeeper/models/access_grant_mixin.rb
 - lib/doorkeeper/models/access_token_mixin.rb
@@ -444,7 +446,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: Doorkeeper is an OAuth 2 provider for Rails.