g5_authenticatable_api 0.2.0

data/spec/dummy/config/locales/devise.en.yml

@@ -0,0 +1,59 @@
+# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
+
+en:
+  devise:
+    confirmations:
+      confirmed: "Your account was successfully confirmed."
+      send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
+    failure:
+      already_authenticated: "You are already signed in."
+      inactive: "Your account is not activated yet."
+      invalid: "Invalid email or password."
+      locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account will be locked."
+      not_found_in_database: "Invalid email or password."
+      timeout: "Your session expired. Please sign in again to continue."
+      unauthenticated: "You need to sign in or sign up before continuing."
+      unconfirmed: "You have to confirm your account before continuing."
+    mailer:
+      confirmation_instructions:
+        subject: "Confirmation instructions"
+      reset_password_instructions:
+        subject: "Reset password instructions"
+      unlock_instructions:
+        subject: "Unlock Instructions"
+    omniauth_callbacks:
+      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      success: "Successfully authenticated from %{kind} account."
+    passwords:
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
+      send_instructions: "You will receive an email with instructions about how to reset your password in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      updated: "Your password was changed successfully. You are now signed in."
+      updated_not_active: "Your password was changed successfully."
+    registrations:
+      destroyed: "Bye! Your account was successfully cancelled. We hope to see you again soon."
+      signed_up: "Welcome! You have signed up successfully."
+      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
+      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
+      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please open the link to activate your account."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm link to finalize confirming your new email address."
+      updated: "You updated your account successfully."
+    sessions:
+      signed_in: "Signed in successfully."
+      signed_out: "Signed out successfully."
+    unlocks:
+      send_instructions: "You will receive an email with instructions about how to unlock your account in a few minutes."
+      send_paranoid_instructions: "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes."
+      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
+  errors:
+    messages:
+      already_confirmed: "was already confirmed, please try signing in"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
+      expired: "has expired, please request a new one"
+      not_found: "not found"
+      not_locked: "was not locked"
+      not_saved:
+        one: "1 error prohibited this %{resource} from being saved:"
+        other: "%{count} errors prohibited this %{resource} from being saved:"

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/dummy/config/routes.rb

@@ -0,0 +1,63 @@
+Dummy::Application.routes.draw do
+  namespace :rails_api do
+    resources :articles, only: :index, defaults: {format: 'json'}
+  end
+
+  devise_for :users
+  mount HelloAPI => '/grape_api'
+
+  # The priority is based upon order of creation: first created -> highest priority.
+  # See how all your routes lay out with "rake routes".
+
+  # You can have the root of your site routed with "root"
+  root 'welcome#index'
+
+  # Example of regular route:
+  #   get 'products/:id' => 'catalog#view'
+
+  # Example of named route that can be invoked with purchase_url(id: product.id)
+  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
+
+  # Example resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Example resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Example resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Example resource route with more complex sub-resources:
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', on: :collection
+  #     end
+  #   end
+
+  # Example resource route with concerns:
+  #   concern :toggleable do
+  #     post 'toggle'
+  #   end
+  #   resources :posts, concerns: :toggleable
+  #   resources :photos, concerns: :toggleable
+
+  # Example resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+end

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/dummy/db/migrate/20140217124048_devise_create_users.rb

@@ -0,0 +1,15 @@
+class DeviseCreateUsers < ActiveRecord::Migration
+  def change
+    create_table(:users) do |t|
+      t.string :email,              null: false, default: ''
+      t.string :provider,           null: false, default: 'g5'
+      t.string :uid,                null: false
+      t.string :g5_access_token
+
+      t.timestamps
+    end
+
+    add_index :users, :email, unique: true
+    add_index :users, [:provider, :uid], unique: true
+  end
+end

data/spec/dummy/db/migrate/20140223194521_create_articles.rb

@@ -0,0 +1,11 @@
+class CreateArticles < ActiveRecord::Migration
+  def change
+    create_table :articles do |t|
+      t.string :title
+      t.text :body
+      t.string :tags
+
+      t.timestamps
+    end
+  end
+end

data/spec/dummy/db/schema.rb

@@ -0,0 +1,39 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 20140223194521) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+
+  create_table "articles", force: true do |t|
+    t.string   "title"
+    t.text     "body"
+    t.string   "tags"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  create_table "users", force: true do |t|
+    t.string   "email",           default: "",   null: false
+    t.string   "provider",        default: "g5", null: false
+    t.string   "uid",                            null: false
+    t.string   "g5_access_token"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
+  add_index "users", ["provider", "uid"], name: "index_users_on_provider_and_uid", unique: true, using: :btree
+
+end

data/spec/dummy/db/seeds.rb

@@ -0,0 +1,7 @@
+# This file should contain all the record creation needed to seed the database with its default values.
+# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+#
+# Examples:
+#
+#   cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
+#   Mayor.create(name: 'Emanuel', city: cities.first)

data/spec/dummy/public/404.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/dummy/public/422.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/dummy/public/500.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/dummy/public/robots.txt

@@ -0,0 +1,5 @@
+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-agent: *
+# Disallow: /

data/spec/factories/user.rb

@@ -0,0 +1,8 @@
+FactoryGirl.define do
+  factory :user do
+    sequence(:email) { |n| "user.#{n}@test.host" }
+    provider 'g5'
+    sequence(:uid) { |n| "remote-user-#{n}" }
+    sequence(:g5_access_token) { |n| "token-abc123-#{n}" }
+  end
+end

data/spec/lib/g5_authenticatable_api/token_validator_spec.rb

@@ -0,0 +1,199 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi::TokenValidator do
+  subject { validator }
+
+  let(:validator) { described_class.new(params, headers) }
+
+  let(:headers) {}
+  let(:params) { {'access_token' => token_value} }
+  let(:token_value) { 'abc123' }
+
+  describe '#access_token' do
+    subject(:access_token) { validator.access_token }
+
+    context 'with auth header' do
+      let(:headers) { {'Authorization' => "Bearer #{token_value}"} }
+      let(:params) {}
+
+      it 'should extract the token value from the header' do
+        expect(access_token).to eq(token_value)
+      end
+    end
+
+    context 'with auth param' do
+      let(:params) { {'access_token' => token_value} }
+      let(:headers) {}
+
+      it 'should extract the token value from the access_token parameter' do
+        expect(access_token).to eq(token_value)
+      end
+    end
+  end
+
+  describe '#validate!' do
+    subject(:validate!) { validator.validate! }
+
+    context 'when token is valid' do
+      include_context 'valid access token'
+
+      it 'should initialize the auth client with the access token' do
+        validate!
+        expect(a_request(:get, 'auth.g5search.com/oauth/token/info').
+               with(headers: {'Authorization' => "Bearer #{token_value}"})).to have_been_made
+      end
+
+      it 'should not raise errors during validation' do
+        expect { validate! }.to_not raise_error
+      end
+
+      it 'should not set an error on the validator' do
+        validate!
+        expect(validator.error).to be_nil
+      end
+    end
+
+    context 'when token is invalid' do
+      include_context 'invalid access token'
+
+      it 'should re-raise the OAuth error' do
+        expect { validate! }.to raise_error(OAuth2::Error)
+      end
+
+      it 'should set the error on the validator' do
+        begin
+          validate!
+        rescue StandardError => validation_error
+          expect(validator.error).to eq(validation_error)
+        end
+      end
+    end
+
+    context 'when there is no token' do
+      let(:params) {}
+      let(:headers) {}
+
+      it 'should raise an error' do
+        expect { validate! }.to raise_error(RuntimeError)
+      end
+
+      it 'should set an error on the validator' do
+        begin
+          validate!
+        rescue RuntimeError => validation_error
+          expect(validator.error).to eq(validation_error)
+        end
+      end
+    end
+  end
+
+  describe '#valid?' do
+    subject(:valid?) { validator.valid? }
+
+    context 'when token is valid' do
+      include_context 'valid access token'
+
+      it 'should be valid' do
+        expect(validator).to be_valid
+      end
+
+      it 'should not set an error on the validator' do
+        valid?
+        expect(validator.error).to be_nil
+      end
+    end
+
+    context 'when token is invalid' do
+      include_context 'invalid access token'
+
+      it 'should not be valid' do
+        expect(validator).to_not be_valid
+      end
+
+      it 'should set an error on the validator' do
+        expect { valid? }.to change { validator.error }.from(nil).to(an_instance_of(OAuth2::Error))
+      end
+    end
+
+    context 'without token' do
+      let(:params) {}
+      let(:headers) {}
+
+      it 'should not be valid' do
+        expect(validator).to_not be_valid
+      end
+
+      it 'should set an error on the validator' do
+        expect { valid? }.to change { validator.error }.
+          from(nil).to(an_instance_of(RuntimeError))
+      end
+    end
+  end
+
+  describe '#auth_response_header' do
+    subject(:auth_response_header) { validator.auth_response_header }
+
+    let(:header_parts) { auth_response_header.match(auth_header_regex) }
+
+    context 'with invalid token error' do
+      include_context 'invalid access token'
+      before { validator.valid? }
+
+      let(:auth_header_regex) do
+        /Bearer error="(?<error>.+)",error_description="(?<error_description>.*)"/
+      end
+
+      it 'should be in the expected format' do
+        expect(auth_response_header).to match(auth_header_regex)
+      end
+
+      it 'should have the correct error code' do
+        expect(header_parts['error']).to eq(error_code)
+      end
+
+      it 'should have the correct error description' do
+        expect(header_parts['error_description']).to eq(error_description)
+      end
+    end
+
+    context 'with generic auth server error' do
+      include_context 'OAuth2 error'
+      before { validator.valid? }
+
+      let(:auth_header_regex) do
+        /Bearer error="(?<error>.+)"/
+      end
+
+      it 'should be in the expected format' do
+        expect(auth_response_header).to match(auth_header_regex)
+      end
+
+      it 'should have the default error code' do
+        expect(header_parts['error']).to eq('invalid_request')
+      end
+
+      it 'should not have an error description' do
+        expect(auth_response_header).to_not match(/error_description/)
+      end
+    end
+
+    context 'without token' do
+      let(:params) {}
+      let(:headers) {}
+      before { validator.valid? }
+
+      it 'should not include any error data' do
+        expect(auth_response_header).to eq('Bearer')
+      end
+    end
+
+    context 'with valid token' do
+      include_context 'valid access token'
+      before { validator.valid? }
+
+      it 'should be nil' do
+        expect(auth_response_header).to be_nil
+      end
+    end
+  end
+end

data/spec/lib/g5_authenticatable_api/version_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi do
+  it 'should have a version' do
+    expect(G5AuthenticatableApi::VERSION).to be
+  end
+end

data/spec/requests/grape_api_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe 'a secure Grape API endpoint' do
+  let(:endpoint) { '/grape_api/hello' }
+  let(:params) {}
+  let(:headers) {}
+
+  describe 'GET request' do
+    subject(:api_call) { get endpoint, params, headers }
+
+    it_should_behave_like 'a warden authenticatable api'
+    it_should_behave_like 'a token authenticatable api'
+  end
+
+  describe 'POST request' do
+    subject(:api_call) { post endpoint, params, headers }
+
+    it_should_behave_like 'a warden authenticatable api'
+    it_should_behave_like 'a token authenticatable api'
+  end
+end

data/spec/requests/rails_api_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'A Secure Rails API endpoint' do
+  let(:params) {}
+  let(:headers) {}
+
+  describe 'GET request' do
+    subject(:api_call) { get '/rails_api/articles', params, headers }
+
+    it_should_behave_like 'a warden authenticatable api'
+    it_should_behave_like 'a token authenticatable api'
+  end
+end