g5_authenticatable_api 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 12624771940d7daf4727fa08cf7befcc04883458
-  data.tar.gz: d247b5ed06aa6e2b82c6c99b48916edc0e2962fc
+  metadata.gz: b5149507d4b4decc9cea0ecbf91c3ff2ed948188
+  data.tar.gz: 6e2cb01e5217b1e7b3ed6991048cd5242e026147
 SHA512:
-  metadata.gz: 2f8d08300206e3a3eacbff455df57cbf336199695887fb32fffee241c2856f0b81bd572f412e71fb0c96ec32fe3194df2b8f9c5f09ff6e85e8fc283bd15ee1e0
-  data.tar.gz: 08d6b7e24da4e71f447c26925265fd60efd8e3efec9145028a78a35989d5a7fe6db7e57909502c8a442a72266989cf8b3ad52c3c162211c9bf505c629b145852
+  metadata.gz: 33415eef9d07b90e5dbad1f898691b82b85800810378a25126e6a5f47121c6e76929b5c912ec55df3f5ab45c927901c70b790d6b79148c1205e3fc2739dbfc30
+  data.tar.gz: 7f271c4ab903a38f76671f3a0ca7d30b5443d2c4627be86a0413c814135a0116f7ce28f01dde2ebaa592fdb218e1c8f7a03aeb738227848376fa7d81668aafd2

data/.ruby-version

@@ -1 +1 @@
-2.1.5
+2.1.6

data/.travis.yml

@@ -0,0 +1,13 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 2.1.6
+  - 2.2.2
+script:
+  - (cd spec/dummy; RAILS_ENV=test bundle exec rake db:drop db:create db:schema:load)
+  - bundle exec rspec spec
+before_script:
+  - cp spec/dummy/config/database.yml.ci spec/dummy/config/database.yml
+env:
+  global:
+    - DEVISE_SECRET_KEY=foo

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+## v0.4.0 (2015-05-22)
+
+* Add helpers for retrieving current API user as well as more detailed token
+  information
+  ([#8](https://github.com/G5/g5_authenticatable_api/pull/8))
+
+## v0.3.2 (2015-04-20)
+
+* Fix for case-insensitive authorization request header
+  ([#7](https://github.com/G5/g5_authenticatable_api/pull/7))
+
 ## v0.3.1 (2015-01-20)
 
 * Disable strict token validation for session-authenticated users by

data/Gemfile

@@ -26,6 +26,7 @@ group :test do
   gem 'webmock'
   gem 'shoulda-matchers', '~> 2.6'
   gem 'rspec-http', require: false
+  gem 'rack-test'
 end
 
 # Declare any dependencies that are still in development here instead of in

data/README.md

@@ -9,7 +9,7 @@ service using token-based authentication.
 
 ## Current Version
 
-0.3.1
+0.4.0
 
 ## Requirements
 
@@ -106,6 +106,58 @@ class MyResourceController < ApplicationController
 end
 ```
 
+After authenticating an API user, you can retrieve the current token data as a
+[`G5AuthenticationClient::TokenInfo`](https://github.com/G5/g5_authentication_client/blob/master/lib/g5_authentication_client/token_info.rb)
+using the `token_data` helper:
+
+```ruby
+class MyResourceController < ApplicationController
+  before_filter :authenticate_api_user!
+
+  respond_to :json
+
+  def index
+    token_expiration = token_data.expires_in_seconds
+    # ...
+  end
+end
+```
+
+You can retrieve the current user data using the `current_api_user` helper,
+which will attempt to retrieve the data from
+[warden](https://github.com/hassox/warden) if possible. Otherwise it will return
+a [`G5AuthenticationClient::User`](https://github.com/G5/g5_authentication_client/blob/master/lib/g5_authentication_client/user.rb):
+
+```ruby
+class MyResourceController < ApplicationController
+  before_filter :authenticate_api_user!
+
+  respond_to :json
+
+  def index
+    user = current_api_user
+    # ...
+  end
+end
+```
+
+
+Finally, you can retrieve the value of the access token in use for this request
+by using the `access_token` helper:
+
+```ruby
+class MyResourceController < ApplicationController
+  before_filter :authenticate_api_user!
+
+  respond_to :json
+
+  def index
+    token = access_token
+    # ...
+  end
+end
+```
+
 ### Grape
 
 To require authentication for all endpoints exposed by your API:
@@ -138,6 +190,57 @@ class MyApi < Grape::API
 end
 ```
 
+After authenticating an API user, you can retrieve the current token data as a
+[`G5AuthenticationClient::TokenInfo`](https://github.com/G5/g5_authentication_client/blob/master/lib/g5_authentication_client/token_info.rb)
+using the `token_data` helper:
+
+```ruby
+class MyApi < Grape::API
+  helpers G5AuthenticatableApi::Helpers::Grape
+
+  before { authenticate_user! }
+
+  get :index do
+    token_expiration = token_data.expires_in_seconds
+    # ...
+  end
+end
+```
+
+You can retrieve the current user data using the `current_user` helper,
+which will attempt to retrieve the data from
+[warden](https://github.com/hassox/warden) if possible. Otherwise it will return
+a [`G5AuthenticationClient::User`](https://github.com/G5/g5_authentication_client/blob/master/lib/g5_authentication_client/user.rb):
+
+```ruby
+class MyApi < Grape::API
+  helpers G5AuthenticatableApi::Helpers::Grape
+
+  before { authenticate_user! }
+
+  get :index do
+    user = current_user
+    # ...
+  end
+end
+```
+
+You can retrieve the value of the access token in use for this request with the
+`access_token` helper:
+
+```ruby
+class MyApi < Grape::API
+  helpers G5AuthenticatableApi::Helpers::Grape
+
+  before { authenticate_user! }
+
+  get :index do
+    token = access_token
+    # ...
+  end
+end
+```
+
 ### Submitting a token
 
 Authenticated requests follow the requirements described by

data/g5_authenticatable_api.gemspec

@@ -19,6 +19,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'rack'
-  spec.add_dependency 'g5_authentication_client', '~> 0.2'
+  spec.add_dependency 'g5_authentication_client', '~> 0.4'
   spec.add_dependency 'activesupport', '>= 3.2'
 end

data/lib/g5_authenticatable_api/helpers/grape.rb

@@ -1,4 +1,5 @@
-require 'g5_authenticatable_api/token_validator'
+require 'g5_authenticatable_api/services/token_validator'
+require 'g5_authenticatable_api/services/user_fetcher'
 
 module G5AuthenticatableApi
   module Helpers
@@ -7,14 +8,37 @@ module G5AuthenticatableApi
         raise_auth_error if !token_validator.valid?
       end
 
+      def token_data
+        @token_data ||= token_info.token_data
+      end
+
+      def current_user
+        @current_user ||= user_fetcher.current_user
+      end
+
+      def access_token
+        @access_token ||= token_info.access_token
+      end
+
       def warden
         env['warden']
       end
 
       private
+      def request
+        Rack::Request.new(env)
+      end
+
+      def token_info
+        @token_info ||= Services::TokenInfo.new(request.params, headers, warden)
+      end
+
       def token_validator
-        request = Rack::Request.new(env)
-        @token_validator ||= TokenValidator.new(request.params, headers, warden)
+        @token_validator ||= Services::TokenValidator.new(request.params, headers, warden)
+      end
+
+      def user_fetcher
+        @user_fetcher ||= Services::UserFetcher.new(request.params, headers, warden)
       end
 
       def raise_auth_error

data/lib/g5_authenticatable_api/helpers/rails.rb

@@ -1,4 +1,5 @@
-require 'g5_authenticatable_api/token_validator'
+require 'g5_authenticatable_api/services/token_validator'
+require 'g5_authenticatable_api/services/user_fetcher'
 
 module G5AuthenticatableApi
   module Helpers
@@ -7,13 +8,33 @@ module G5AuthenticatableApi
         raise_auth_error if !token_validator.valid?
       end
 
+      def token_data
+        @token_data ||= token_info.token_data
+      end
+
+      def current_api_user
+        @current_api_user ||= user_fetcher.current_user
+      end
+
+      def access_token
+        @access_token ||= token_info.access_token
+      end
+
       def warden
         request.env['warden']
       end
 
       private
+      def token_info
+        @token_info ||= Services::TokenInfo.new(request.params, request.headers, warden)
+      end
+
       def token_validator
-        @token_validator ||= TokenValidator.new(request.params, request.headers, warden)
+        @token_validator ||= Services::TokenValidator.new(request.params, request.headers, warden)
+      end
+
+      def user_fetcher
+        @user_fetcher ||= Services::UserFetcher.new(request.params, request.headers, warden)
       end
 
       def raise_auth_error

data/lib/g5_authenticatable_api/services/token_info.rb

@@ -0,0 +1,40 @@
+module G5AuthenticatableApi
+  module Services
+    class TokenInfo
+      attr_reader :params, :headers, :warden
+
+      def initialize(params={},headers={},warden=nil)
+        @params = params || {}
+        @headers = headers || {}
+        @warden = warden
+      end
+
+      def access_token
+        @access_token ||= (extract_token_from_header ||
+                           params['access_token'] ||
+                           warden.try(:user).try(:g5_access_token))
+      end
+
+      def token_data
+        auth_client.token_info
+      end
+
+      def auth_client
+        @auth_client ||= G5AuthenticationClient::Client.new(allow_password_credentials: 'false',
+                                                            access_token: access_token)
+      end
+
+      private
+      def extract_token_from_header
+        if authorization_header
+          parts = authorization_header.match(/Bearer (?<access_token>\S+)/)
+          parts['access_token']
+        end
+      end
+
+      def authorization_header
+        @headers['Authorization'] || @headers['AUTHORIZATION']
+      end
+    end
+  end
+end

data/lib/g5_authenticatable_api/services/token_validator.rb

@@ -0,0 +1,54 @@
+require 'g5_authenticatable_api/services/token_info'
+
+module G5AuthenticatableApi
+  module Services
+    class TokenValidator < TokenInfo
+      attr_reader :error
+
+      def validate!
+        begin
+          token_data unless skip_validation?
+        rescue StandardError => @error
+          raise error
+        end
+      end
+
+      def valid?
+        begin
+          validate!
+          true
+        rescue StandardError => e
+          false
+        end
+      end
+
+      def auth_response_header
+        if error
+          auth_header = "Bearer"
+
+          if access_token
+            auth_header << " error=\"#{error_code}\""
+            auth_header << ",error_description=\"#{error_description}\"" if error_description
+          end
+
+          auth_header
+        end
+      end
+
+      private
+      def error_code
+        error_code = error.code if error.respond_to?(:code)
+        error_code || 'invalid_request'
+      end
+
+      def error_description
+        error_description = error.description if error.respond_to?(:description)
+        error_description
+      end
+
+      def skip_validation?
+        @warden.try(:user) && !G5AuthenticatableApi.strict_token_validation
+      end
+    end
+  end
+end

data/lib/g5_authenticatable_api/services/user_fetcher.rb

@@ -0,0 +1,15 @@
+require 'g5_authenticatable_api/services/token_info'
+
+module G5AuthenticatableApi
+  module Services
+    class UserFetcher < TokenInfo
+      def current_user
+        if access_token == @warden.try(:user).try(:g5_access_token)
+          @warden.user
+        else
+          auth_client.me
+        end
+      end
+    end
+  end
+end

data/lib/g5_authenticatable_api/version.rb

@@ -1,3 +1,3 @@
 module G5AuthenticatableApi
-  VERSION = '0.3.2'
+  VERSION = '0.4.0'
 end

data/spec/dummy/config/database.yml.ci

@@ -2,5 +2,4 @@ test:
   adapter: postgresql
   encoding: unicode
   database: g5_authenticatable_api_test
-  pool: 5
-  username: ubuntu
+  username: postgres

data/spec/lib/g5_authenticatable_api/helpers/grape_spec.rb

@@ -0,0 +1,156 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi::Helpers::Grape do
+  include Rack::Test::Methods
+
+  def app
+    Class.new(Grape::API) do
+      helpers G5AuthenticatableApi::Helpers::Grape
+
+      get :authenticate do
+        authenticate_user!
+        { hello: 'world' }
+      end
+
+      get :token_data do
+        token_data.to_json
+      end
+
+      get :current_user do
+        current_user.to_json
+      end
+
+      get :access_token do
+        [access_token]
+      end
+    end
+  end
+
+  let(:env) { {'warden' => warden} }
+  let(:warden) { double(:warden) }
+
+  let(:params) { {'access_token' => token_value} }
+  let(:token_value) { 'abc123' }
+
+  let(:headers) { {'Host'=>'example.org', 'Cookie'=>''} }
+
+  describe '#authenticate_user!' do
+    subject(:authenticate_user!) { get '/authenticate', params, env }
+
+    let(:token_validator) do
+      double(:token_validator, valid?: valid,
+                               auth_response_header: auth_response_header,
+                               access_token: token_value)
+    end
+    before do
+      allow(G5AuthenticatableApi::Services::TokenValidator).to receive(:new).
+        and_return(token_validator)
+    end
+
+    context 'when token is valid' do
+      let(:valid) { true }
+      let(:auth_response_header) {}
+
+      it 'initializes the token validator correctly' do
+        authenticate_user!
+        expect(G5AuthenticatableApi::Services::TokenValidator).to have_received(:new).
+          with(params, headers, warden)
+      end
+
+      it 'is successful' do
+        authenticate_user!
+        expect(last_response).to be_http_ok
+      end
+
+      it 'does not set the authenticate response header' do
+        authenticate_user!
+        expect(last_response).to_not have_header('WWW-Authenticate')
+      end
+    end
+
+    context 'when token is invalid' do
+      let(:valid) { false }
+      let(:auth_response_header) { 'whatever' }
+
+      it 'is unauthorized' do
+        authenticate_user!
+        expect(last_response).to be_http_unauthorized
+      end
+
+      it 'renders an error message' do
+        authenticate_user!
+        expect(last_response.body).to eq('Unauthorized')
+      end
+
+      it 'sets the authenticate response header' do
+        authenticate_user!
+        expect(last_response).to have_header('WWW-Authenticate' => auth_response_header)
+      end
+    end
+  end
+
+  describe '#token_data' do
+    subject(:token_data) { get '/token_data', params, env }
+
+    before do
+      allow(G5AuthenticatableApi::Services::TokenInfo).to receive(:new).
+        and_return(token_info)
+    end
+    let(:token_info) { double(:token_info, token_data: mock_token_data) }
+    let(:mock_token_data) { double(:token_data, to_json: '{result: mock_token_data_json}') }
+
+    it 'initializes the token info service correctly' do
+      token_data
+      expect(G5AuthenticatableApi::Services::TokenInfo).to have_received(:new).
+        with(params, headers, warden)
+    end
+
+    it 'returns the token info from the service' do
+      token_data
+      expect(last_response.body).to eq(mock_token_data.to_json)
+    end
+  end
+
+  describe '#current_user' do
+    subject(:current_user) { get '/current_user', params, env }
+
+    before do
+      allow(G5AuthenticatableApi::Services::UserFetcher).to receive(:new).
+        and_return(user_fetcher)
+    end
+    let(:user_fetcher) { double(:user_fetcher, current_user: user) }
+    let(:user) { double(:user, to_json: '{result: mock_user_json}') }
+
+    it 'initializes the user fetcher service correctly' do
+      current_user
+      expect(G5AuthenticatableApi::Services::UserFetcher).to have_received(:new).
+        with(params, headers, warden)
+    end
+
+    it 'returns the user from the service' do
+      current_user
+      expect(last_response.body).to eq(user.to_json)
+    end
+  end
+
+  describe '#access_token' do
+    subject(:access_token) { get '/access_token', params, env }
+
+    before do
+      allow(G5AuthenticatableApi::Services::TokenInfo).to receive(:new).
+        and_return(token_info)
+    end
+    let(:token_info) { double(:token_info, access_token: token_value) }
+
+    it 'initializes the token info service correctly' do
+      access_token
+      expect(G5AuthenticatableApi::Services::TokenInfo).to have_received(:new).
+        with(params, headers, warden)
+    end
+
+    it 'returns the access token from the service' do
+      access_token
+      expect(last_response.body).to eq([token_value].to_json)
+    end
+  end
+end

data/spec/lib/g5_authenticatable_api/helpers/rails_spec.rb

@@ -0,0 +1,148 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi::Helpers::Rails, type: :controller do
+  controller(ActionController::Base) do
+    before_action :authenticate_api_user!, only: :index
+
+    def index
+      render json: [], status: :ok
+    end
+
+    def new
+      render json: [], status: :ok
+    end
+  end
+
+  let(:warden) { double(:warden) }
+  before { request.env['warden'] = warden }
+
+  describe '#authenticate_api_user!' do
+    subject(:authenticate_api_user!) { get :index, access_token: token_value }
+
+    let(:token_value) { 'abc123' }
+
+    let(:token_validator) do
+      double(:token_validator, valid?: valid,
+                               auth_response_header: auth_response_header,
+                               access_token: token_value)
+    end
+    before do
+      allow(G5AuthenticatableApi::Services::TokenValidator).to receive(:new).
+        and_return(token_validator)
+    end
+
+    context 'when token is valid' do
+      let(:valid) { true }
+      let(:auth_response_header) {}
+
+      it 'initializes the token validator correctly' do
+        authenticate_api_user!
+        expect(G5AuthenticatableApi::Services::TokenValidator).to have_received(:new).
+          with(request.params,
+               an_instance_of(ActionDispatch::Http::Headers),
+               warden)
+      end
+
+      it 'is successful' do
+        authenticate_api_user!
+        expect(response).to be_success
+      end
+
+      it 'does not set the authenticate response header' do
+        authenticate_api_user!
+        expect(response).to_not have_header('WWW-Authenticate')
+      end
+
+    end
+
+    context 'when token is invalid' do
+      let(:valid) { false }
+      let(:auth_response_header) { 'whatever' }
+
+      it 'is unauthorized' do
+        authenticate_api_user!
+        expect(response).to be_unauthorized
+      end
+
+      it 'renders an error message' do
+        authenticate_api_user!
+        expect(JSON.parse(response.body)).to eq('error' => 'Unauthorized')
+      end
+    end
+  end
+
+  describe '#token_data' do
+    subject(:token_data) { controller.token_data }
+
+    before do
+      allow(G5AuthenticatableApi::Services::TokenInfo).to receive(:new).
+        and_return(token_info)
+    end
+    let(:token_info) { double(:user_fetcher, token_data: mock_token_data) }
+    let(:mock_token_data) { double(:token_info) }
+
+    before { get :new, access_token: 'abc123' }
+
+    it 'initializes the token info service correctly' do
+      token_data
+      expect(G5AuthenticatableApi::Services::TokenInfo).to have_received(:new).
+        with(request.params,
+             an_instance_of(ActionDispatch::Http::Headers),
+             warden)
+    end
+
+    it 'returns the token data from the service' do
+      expect(token_data).to eq(mock_token_data)
+    end
+  end
+
+  describe '#access_token' do
+    subject(:access_token) { controller.access_token }
+
+    before do
+      allow(G5AuthenticatableApi::Services::TokenInfo).to receive(:new).
+        and_return(token_info)
+    end
+    let(:token_info) { double(:token_info, access_token: token_value) }
+    let(:token_value) { 'abc123' }
+
+    before { get :new, access_token: token_value }
+
+    it 'initializes the token info service correctly' do
+      access_token
+      expect(G5AuthenticatableApi::Services::TokenInfo).to have_received(:new).
+        with(request.params,
+             an_instance_of(ActionDispatch::Http::Headers),
+             warden)
+    end
+
+    it 'returns the access token from the service' do
+      expect(access_token).to eq(token_value)
+    end
+  end
+
+  describe '#current_api_user' do
+    subject(:current_api_user) { controller.current_api_user }
+
+    before do
+      allow(G5AuthenticatableApi::Services::UserFetcher).to receive(:new).
+        and_return(user_fetcher)
+    end
+    let(:user_fetcher) { double(:user_fetcher, current_user: user) }
+    let(:user) { double(:user) }
+
+    before { get :new, access_token: 'abc123' }
+
+    it 'initializes the user fetcher service correctly' do
+      current_api_user
+      expect(G5AuthenticatableApi::Services::UserFetcher).to have_received(:new).
+        with(request.params,
+             an_instance_of(ActionDispatch::Http::Headers),
+             warden)
+    end
+
+    it 'returns the user from the service' do
+      expect(current_api_user).to eq(user)
+    end
+  end
+end

data/spec/lib/g5_authenticatable_api/services/token_info_spec.rb

@@ -0,0 +1,158 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi::Services::TokenInfo do
+  subject(:token_info) { described_class.new(params, headers, warden) }
+  let(:params) { {'access_token' => token_value} }
+  let(:headers) { Hash.new }
+  let(:warden) {}
+
+  let(:token_value) { 'abc123' }
+
+  describe '#initialize' do
+    let(:params) { {'foo' => 'bar'} }
+    let(:headers) { {'Content-Type' => 'application/json'} }
+
+    context 'with warden' do
+      let(:warden) { double(:warden) }
+
+      it 'sets the params' do
+        expect(token_info.params).to eq(params)
+      end
+
+      it 'sets the headers' do
+        expect(token_info.headers).to eq(headers)
+      end
+
+      it 'sets warden' do
+        expect(token_info.warden).to eq(warden)
+      end
+    end
+
+    context 'without warden' do
+      let(:token_info) { described_class.new(params, headers) }
+
+      it 'sets the params' do
+        expect(token_info.params).to eq(params)
+      end
+
+      it 'sets the headers' do
+        expect(token_info.headers).to eq(headers)
+      end
+
+      it 'defaults warden to nil' do
+        expect(token_info.warden).to be_nil
+      end
+    end
+  end
+
+  describe '#access_token' do
+    subject(:access_token) { token_info.access_token }
+
+    context 'with auth header' do
+      let(:headers) { {'Authorization' => "Bearer #{token_value}"} }
+      let(:params) {}
+
+      it 'should extract the token value from the header' do
+        expect(access_token).to eq(token_value)
+      end
+    end
+
+    context 'with all caps authorization key' do
+      let(:headers) { {'AUTHORIZATION' => "Bearer #{token_value}"} }
+      let(:params) {}
+
+      it 'should extract the token value from the header' do
+        expect(access_token).to eq(token_value)
+      end
+    end
+
+    context 'with auth param' do
+      let(:params) { {'access_token' => token_value} }
+      let(:headers) {}
+
+      it 'should extract the token value from the access_token parameter' do
+        expect(access_token).to eq(token_value)
+      end
+    end
+
+    context 'with warden user' do
+      let(:warden) { double(:warden, user: user) }
+      let(:user) { FactoryGirl.build_stubbed(:user) }
+
+      context 'without token on request' do
+        let(:params) {}
+        let(:headers) {}
+
+        it 'should extract the token value from the session user' do
+          expect(access_token).to eq(user.g5_access_token)
+        end
+      end
+
+      context 'with auth param' do
+        let(:params) { {'access_token' => token_value} }
+        let(:headers) {}
+
+        it 'should give precedence to the token on the request' do
+          expect(access_token).to eq(token_value)
+        end
+      end
+    end
+  end
+
+  describe '#token_data' do
+    subject(:token_data) { token_info.token_data }
+
+    context 'when token is valid' do
+      include_context 'valid access token'
+
+      it 'includes the resource_owner_id' do
+        expect(token_data.resource_owner_id).to eq(raw_token_info['resource_owner_id'])
+      end
+
+      it 'includes the expires_in_seconds' do
+        expect(token_data.expires_in_seconds).to eq(raw_token_info['expires_in_seconds'])
+      end
+
+      it 'includes the application_uid' do
+        expect(token_data.application_uid).to eq(raw_token_info['application']['uid'])
+      end
+
+      it 'includes the scopes' do
+        expect(token_data.scopes). to eq(raw_token_info['scopes'])
+      end
+    end
+
+    context 'when token is invalid' do
+      include_context 'invalid access token'
+
+      it 'raises an error' do
+        expect { token_data }.to raise_error
+      end
+    end
+  end
+
+  describe '#auth_client' do
+    subject(:auth_client) { token_info.auth_client }
+
+    let(:client) { double(:auth_client) }
+    before do
+      allow(G5AuthenticationClient::Client).to receive(:new).and_return(client)
+    end
+
+    it 'returns the initialized client' do
+      expect(auth_client).to eq(client)
+    end
+
+    it 'initializes the client with the token' do
+      auth_client
+      expect(G5AuthenticationClient::Client).to have_received(:new).
+        with(hash_including(access_token: token_value))
+    end
+
+    it 'disables password access on the client' do
+      auth_client
+      expect(G5AuthenticationClient::Client).to have_received(:new).
+        with(hash_including(allow_password_credentials: 'false'))
+    end
+  end
+end

data/spec/lib/g5_authenticatable_api/{token_validator_spec.rb → services/token_validator_spec.rb}

@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-describe G5AuthenticatableApi::TokenValidator do
+describe G5AuthenticatableApi::Services::TokenValidator do
   subject { validator }
 
   let(:validator) { described_class.new(params, headers, warden) }
@@ -10,60 +10,6 @@ describe G5AuthenticatableApi::TokenValidator do
   let(:token_value) { 'abc123' }
   let(:warden) {}
 
-  describe '#access_token' do
-    subject(:access_token) { validator.access_token }
-
-    context 'with auth header' do
-      let(:headers) { {'Authorization' => "Bearer #{token_value}"} }
-      let(:params) {}
-
-      it 'should extract the token value from the header' do
-        expect(access_token).to eq(token_value)
-      end
-    end
-
-    context 'with all caps authorization key' do
-      let(:headers) { {'AUTHORIZATION' => "Bearer #{token_value}"} }
-      let(:params) {}
-
-      it 'should extract the token value from the header' do
-        expect(access_token).to eq(token_value)
-      end
-    end
-
-    context 'with auth param' do
-      let(:params) { {'access_token' => token_value} }
-      let(:headers) {}
-
-      it 'should extract the token value from the access_token parameter' do
-        expect(access_token).to eq(token_value)
-      end
-    end
-
-    context 'with warden user' do
-      let(:warden) { double(:warden, user: user) }
-      let(:user) { FactoryGirl.build_stubbed(:user) }
-
-      context 'without token on request' do
-        let(:params) {}
-        let(:headers) {}
-
-        it 'should extract the token value from the session user' do
-          expect(access_token).to eq(user.g5_access_token)
-        end
-      end
-
-      context 'with auth param' do
-        let(:params) { {'access_token' => token_value} }
-        let(:headers) {}
-
-        it 'should give precedence to the token on the request' do
-          expect(access_token).to eq(token_value)
-        end
-      end
-    end
-  end
-
   describe '#validate!' do
     subject(:validate!) { validator.validate! }
 

data/spec/lib/g5_authenticatable_api/services/user_fetcher_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe G5AuthenticatableApi::Services::UserFetcher do
+  subject(:user_fetcher) { described_class.new(params, headers, warden) }
+  let(:params) { {'access_token' => token_value} }
+  let(:token_value) { 'abc123' }
+  let(:headers) {}
+  let(:warden) {}
+
+  describe '#current_user' do
+    include_context 'current auth user'
+
+    subject(:current_user) { user_fetcher.current_user }
+
+    context 'when there is no warden user' do
+      it_behaves_like 'an auth user' do
+        let(:user) { current_user }
+      end
+    end
+
+    context 'when there is a warden user' do
+      let(:warden) { double(:warden, user: warden_user) }
+
+      context 'when the access_token is for the warden user' do
+        let(:warden_user) { double(:user, g5_access_token: token_value) }
+
+        it 'returns the warden user' do
+          expect(current_user).to eq(warden_user)
+        end
+      end
+
+      context 'when the access token is for a different user' do
+        let(:warden_user) { double(:user, g5_access_token: "#{token_value}42") }
+
+        it_behaves_like 'an auth user' do
+          let(:user) { current_user }
+        end
+      end
+    end
+  end
+end

data/spec/support/shared_contexts/current_auth_user.rb

@@ -0,0 +1,33 @@
+shared_context 'current auth user' do
+  before do
+    stub_request(:get, 'auth.g5search.com/v1/me').
+      with(headers: {'Authorization'=>"Bearer #{token_value}"}).
+      to_return(status: 200,
+                body: raw_user_info.to_json,
+                headers: {'Content-Type' => 'application/json'})
+  end
+
+  let(:raw_user_info) do
+    {
+      'id' => 42,
+      'email' => 'fred.rogers@thehood.net',
+      'first_name' => 'Fred',
+      'last_name' => 'Rogers',
+      'phone_number' => '(555) 555-1212',
+      'organization_name' => 'The Neighborhood',
+      'title' => 'Head Cardigan Wearer',
+      'roles' => [
+        {
+          'name' => 'viewer',
+          'type' => 'GLOBAL',
+          'urn' => nil
+        },
+        {
+          'name' => 'admin',
+          'type' => 'G5Updatable::Client',
+          'urn' => 'g5-c-some-randomly-generated-string'
+        }
+      ]
+    }
+  end
+end

data/spec/support/shared_contexts/valid_access_token.rb

@@ -2,6 +2,17 @@ shared_context 'valid access token' do
   before do
     stub_request(:get, 'auth.g5search.com/oauth/token/info').
       with(headers: {'Authorization'=>"Bearer #{token_value}"}).
-         to_return(status: 200, body: '', headers: {})
+      to_return(status: 200,
+                body: raw_token_info.to_json,
+                headers: {'Content-Type' => 'application/json'})
+  end
+
+  let(:raw_token_info) do
+    {
+      'resource_owner_id' => '42',
+      'scopes' => [],
+      'expires_in_seconds' => 120,
+      'application' => {'uid' => 'abcdefg112358'}
+    }
   end
 end

data/spec/support/shared_examples/auth_user.rb

@@ -0,0 +1,33 @@
+shared_examples_for 'an auth user' do
+  it 'has the correct id' do
+    expect(user.id).to eq(raw_user_info['id'])
+  end
+
+  it 'has the correct email' do
+    expect(user.email).to eq(raw_user_info['email'])
+  end
+
+  it 'has the correct first_name' do
+    expect(user.first_name).to eq(raw_user_info['first_name'])
+  end
+
+  it 'has the correct last_name' do
+    expect(user.last_name).to eq(raw_user_info['last_name'])
+  end
+
+  it 'has the correct phone_number' do
+    expect(user.phone_number).to eq(raw_user_info['phone_number'])
+  end
+
+  it 'has the correct title' do
+    expect(user.title).to eq(raw_user_info['title'])
+  end
+
+  it 'has the correct organization_name' do
+    expect(user.organization_name).to eq(raw_user_info['organization_name'])
+  end
+
+  it 'has the correct number of roles' do
+    expect(user.roles.count).to eq(raw_user_info['roles'].count)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: g5_authenticatable_api
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - Maeve Revels
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-20 00:00:00.000000000 Z
+date: 2015-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '0.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '0.4'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -62,18 +62,20 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".ruby-version"
+- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
-- circle.yml
 - g5_authenticatable_api.gemspec
 - lib/g5_authenticatable_api.rb
 - lib/g5_authenticatable_api/helpers/grape.rb
 - lib/g5_authenticatable_api/helpers/rails.rb
 - lib/g5_authenticatable_api/railtie.rb
-- lib/g5_authenticatable_api/token_validator.rb
+- lib/g5_authenticatable_api/services/token_info.rb
+- lib/g5_authenticatable_api/services/token_validator.rb
+- lib/g5_authenticatable_api/services/user_fetcher.rb
 - lib/g5_authenticatable_api/version.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile
@@ -132,14 +134,20 @@ files:
 - spec/dummy/vendor/assets/javascripts/.keep
 - spec/dummy/vendor/assets/stylesheets/.keep
 - spec/factories/user.rb
-- spec/lib/g5_authenticatable_api/token_validator_spec.rb
+- spec/lib/g5_authenticatable_api/helpers/grape_spec.rb
+- spec/lib/g5_authenticatable_api/helpers/rails_spec.rb
+- spec/lib/g5_authenticatable_api/services/token_info_spec.rb
+- spec/lib/g5_authenticatable_api/services/token_validator_spec.rb
+- spec/lib/g5_authenticatable_api/services/user_fetcher_spec.rb
 - spec/lib/g5_authenticatable_api/version_spec.rb
 - spec/requests/grape_api_spec.rb
 - spec/requests/rails_api_spec.rb
 - spec/spec_helper.rb
 - spec/support/factory_girl.rb
+- spec/support/shared_contexts/current_auth_user.rb
 - spec/support/shared_contexts/invalid_access_token.rb
 - spec/support/shared_contexts/valid_access_token.rb
+- spec/support/shared_examples/auth_user.rb
 - spec/support/shared_examples/token_authenticatable_api.rb
 - spec/support/shared_examples/token_validation.rb
 - spec/support/shared_examples/warden_authenticatable_api.rb
@@ -164,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.2.3
 signing_key: 
 specification_version: 4
 summary: Helpers for securing APIs with G5
@@ -226,14 +234,20 @@ test_files:
 - spec/dummy/vendor/assets/javascripts/.keep
 - spec/dummy/vendor/assets/stylesheets/.keep
 - spec/factories/user.rb
-- spec/lib/g5_authenticatable_api/token_validator_spec.rb
+- spec/lib/g5_authenticatable_api/helpers/grape_spec.rb
+- spec/lib/g5_authenticatable_api/helpers/rails_spec.rb
+- spec/lib/g5_authenticatable_api/services/token_info_spec.rb
+- spec/lib/g5_authenticatable_api/services/token_validator_spec.rb
+- spec/lib/g5_authenticatable_api/services/user_fetcher_spec.rb
 - spec/lib/g5_authenticatable_api/version_spec.rb
 - spec/requests/grape_api_spec.rb
 - spec/requests/rails_api_spec.rb
 - spec/spec_helper.rb
 - spec/support/factory_girl.rb
+- spec/support/shared_contexts/current_auth_user.rb
 - spec/support/shared_contexts/invalid_access_token.rb
 - spec/support/shared_contexts/valid_access_token.rb
+- spec/support/shared_examples/auth_user.rb
 - spec/support/shared_examples/token_authenticatable_api.rb
 - spec/support/shared_examples/token_validation.rb
 - spec/support/shared_examples/warden_authenticatable_api.rb

data/circle.yml

@@ -1,4 +0,0 @@
-database:
-  override:
-    - cp spec/dummy/config/database.yml.ci spec/dummy/config/database.yml
-    - (cd spec/dummy; RAILS_ENV=test bundle exec rake db:drop db:create db:schema:load)

data/lib/g5_authenticatable_api/token_validator.rb

@@ -1,78 +0,0 @@
-module G5AuthenticatableApi
-  class TokenValidator
-    attr_reader :error
-
-    def initialize(params={},headers={},warden=nil)
-      @params = params || {}
-      @headers = headers || {}
-      @warden = warden
-    end
-
-    def validate!
-      begin
-        auth_client.token_info unless skip_validation?
-      rescue StandardError => @error
-        raise error
-      end
-    end
-
-    def valid?
-      begin
-        validate!
-        true
-      rescue StandardError => e
-        false
-      end
-    end
-
-    def access_token
-      @access_token ||= (extract_token_from_header ||
-                         @params['access_token'] ||
-                         @warden.try(:user).try(:g5_access_token))
-    end
-
-    def auth_response_header
-      if error
-        auth_header = "Bearer"
-
-        if access_token
-          auth_header << " error=\"#{error_code}\""
-          auth_header << ",error_description=\"#{error_description}\"" if error_description
-        end
-
-        auth_header
-      end
-    end
-
-    def auth_client
-      @auth_client ||= G5AuthenticationClient::Client.new(allow_password_credentials: 'false',
-                                                          access_token: access_token)
-    end
-
-    private
-    def error_code
-      error_code = error.code if error.respond_to?(:code)
-      error_code || 'invalid_request'
-    end
-
-    def error_description
-      error_description = error.description if error.respond_to?(:description)
-      error_description
-    end
-
-    def extract_token_from_header
-      if authorization_header
-        parts = authorization_header.match(/Bearer (?<access_token>\S+)/)
-        parts['access_token']
-      end
-    end
-
-    def skip_validation?
-      @warden.try(:user) && !G5AuthenticatableApi.strict_token_validation
-    end
-
-    def authorization_header
-      @headers['Authorization'] || @headers['AUTHORIZATION']
-    end
-  end
-end