RubyGems - grape_oauth2 - Versions diffs - 0.1.1 → 0.2.0 - Mend

grape_oauth2 0.1.1 → 0.2.0

Files changed (93) hide show

checksums.yaml +4 -4
data/.gitignore +11 -11
data/Gemfile +23 -23
data/Rakefile +11 -11
data/grape_oauth2.gemspec +26 -27
data/lib/grape_oauth2.rb +129 -129
data/lib/grape_oauth2/configuration.rb +143 -143
data/lib/grape_oauth2/configuration/class_accessors.rb +36 -36
data/lib/grape_oauth2/configuration/validation.rb +71 -71
data/lib/grape_oauth2/endpoints/authorize.rb +34 -34
data/lib/grape_oauth2/endpoints/token.rb +72 -72
data/lib/grape_oauth2/gem_version.rb +24 -24
data/lib/grape_oauth2/generators/authorization.rb +44 -44
data/lib/grape_oauth2/generators/base.rb +26 -26
data/lib/grape_oauth2/generators/token.rb +62 -62
data/lib/grape_oauth2/helpers/access_token_helpers.rb +52 -54
data/lib/grape_oauth2/helpers/oauth_params.rb +41 -41
data/lib/grape_oauth2/mixins/active_record/access_grant.rb +47 -47
data/lib/grape_oauth2/mixins/active_record/access_token.rb +75 -75
data/lib/grape_oauth2/mixins/active_record/client.rb +36 -35
data/lib/grape_oauth2/mixins/mongoid/access_grant.rb +58 -58
data/lib/grape_oauth2/mixins/mongoid/access_token.rb +88 -88
data/lib/grape_oauth2/mixins/mongoid/client.rb +44 -41
data/lib/grape_oauth2/mixins/sequel/access_grant.rb +68 -68
data/lib/grape_oauth2/mixins/sequel/access_token.rb +86 -86
data/lib/grape_oauth2/mixins/sequel/client.rb +54 -46
data/lib/grape_oauth2/responses/authorization.rb +11 -10
data/lib/grape_oauth2/responses/base.rb +56 -56
data/lib/grape_oauth2/responses/token.rb +10 -10
data/lib/grape_oauth2/scopes.rb +74 -74
data/lib/grape_oauth2/strategies/authorization_code.rb +38 -38
data/lib/grape_oauth2/strategies/base.rb +47 -47
data/lib/grape_oauth2/strategies/client_credentials.rb +20 -20
data/lib/grape_oauth2/strategies/password.rb +22 -22
data/lib/grape_oauth2/strategies/refresh_token.rb +47 -47
data/lib/grape_oauth2/unique_token.rb +20 -20
data/lib/grape_oauth2/version.rb +14 -14
data/spec/configuration/config_spec.rb +231 -231
data/spec/configuration/version_spec.rb +12 -12
data/spec/dummy/endpoints/custom_authorization.rb +25 -25
data/spec/dummy/endpoints/custom_token.rb +35 -35
data/spec/dummy/endpoints/status.rb +25 -25
data/spec/dummy/grape_oauth2_config.rb +11 -11
data/spec/dummy/orm/active_record/app/config/db.rb +7 -7
data/spec/dummy/orm/active_record/app/models/access_code.rb +3 -3
data/spec/dummy/orm/active_record/app/models/access_token.rb +3 -3
data/spec/dummy/orm/active_record/app/models/application.rb +3 -3
data/spec/dummy/orm/active_record/app/models/application_record.rb +3 -3
data/spec/dummy/orm/active_record/app/models/user.rb +10 -10
data/spec/dummy/orm/active_record/app/twitter.rb +36 -36
data/spec/dummy/orm/active_record/config.ru +7 -7
data/spec/dummy/orm/active_record/db/schema.rb +53 -53
data/spec/dummy/orm/mongoid/app/config/db.rb +6 -6
data/spec/dummy/orm/mongoid/app/config/mongoid.yml +21 -21
data/spec/dummy/orm/mongoid/app/models/access_code.rb +3 -3
data/spec/dummy/orm/mongoid/app/models/access_token.rb +3 -3
data/spec/dummy/orm/mongoid/app/models/application.rb +3 -3
data/spec/dummy/orm/mongoid/app/models/user.rb +11 -11
data/spec/dummy/orm/mongoid/app/twitter.rb +34 -34
data/spec/dummy/orm/mongoid/config.ru +5 -5
data/spec/dummy/orm/sequel/app/config/db.rb +1 -1
data/spec/dummy/orm/sequel/app/models/access_code.rb +4 -4
data/spec/dummy/orm/sequel/app/models/access_token.rb +4 -4
data/spec/dummy/orm/sequel/app/models/application.rb +4 -4
data/spec/dummy/orm/sequel/app/models/application_record.rb +2 -2
data/spec/dummy/orm/sequel/app/models/user.rb +11 -11
data/spec/dummy/orm/sequel/app/twitter.rb +47 -47
data/spec/dummy/orm/sequel/config.ru +5 -5
data/spec/dummy/orm/sequel/db/schema.rb +50 -50
data/spec/lib/scopes_spec.rb +50 -50
data/spec/mixins/active_record/access_token_spec.rb +185 -185
data/spec/mixins/active_record/client_spec.rb +104 -95
data/spec/mixins/mongoid/access_token_spec.rb +185 -185
data/spec/mixins/mongoid/client_spec.rb +104 -95
data/spec/mixins/sequel/access_token_spec.rb +185 -185
data/spec/mixins/sequel/client_spec.rb +105 -96
data/spec/requests/flows/authorization_code_spec.rb +67 -67
data/spec/requests/flows/client_credentials_spec.rb +101 -101
data/spec/requests/flows/password_spec.rb +210 -210
data/spec/requests/flows/refresh_token_spec.rb +222 -222
data/spec/requests/flows/revoke_token_spec.rb +103 -103
data/spec/requests/protected_resources_spec.rb +64 -64
data/spec/spec_helper.rb +60 -60
data/spec/support/api_helper.rb +11 -11
metadata +50 -52
data/.rspec +0 -2
data/.rubocop.yml +0 -18
data/.travis.yml +0 -42
data/README.md +0 -820
data/gemfiles/active_record.rb +0 -25
data/gemfiles/mongoid.rb +0 -14
data/gemfiles/sequel.rb +0 -24
data/grape_oauth2.png +0 -0

data/spec/requests/flows/password_spec.rb CHANGED

@@ -1,210 +1,210 @@
-require 'spec_helper'
-describe 'Token Endpoint' do
-  let(:application) { Application.create(name: 'App1') }
-  let(:user) { User.create(username: 'test', password: '12345678') }
-  describe 'Resource Owner Password Credentials flow' do
-    describe 'POST /oauth/token' do
-      let(:authentication_url) { '/api/v1/oauth/token' }
-      context 'with valid params' do
-        context 'when request is invalid' do
-          it 'fails without Grant Type' do
-            post authentication_url,
-                 username: user.username,
-                 password: '12345678',
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_request')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails with invalid Grant Type' do
-            post authentication_url,
-                 grant_type: 'invalid',
-                 username: user.username,
-                 password: '12345678'
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('unsupported_grant_type')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails without Client Credentials' do
-            post authentication_url,
-                 grant_type: 'password',
-                 username: user.username,
-                 password: '12345678'
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_request')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails with invalid Client Credentials' do
-            post authentication_url,
-                 grant_type: 'password',
-                 username: user.username,
-                 password: '12345678',
-                 client_id: 'blah-blah',
-                 client_secret: application.secret
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_client')
-            expect(last_response.status).to eq 401
-          end
-          it 'fails without Resource Owner credentials' do
-            post authentication_url,
-                 grant_type: 'password',
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(json_body[:error]).to eq('invalid_request')
-            expect(json_body[:error_description]).not_to be_blank
-            expect(last_response.status).to eq 400
-          end
-          it 'fails with invalid Resource Owner credentials' do
-            post authentication_url,
-                 grant_type: 'password',
-                 username: 'invalid@example.com',
-                 password: 'invalid',
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(json_body[:error]).to eq('invalid_grant')
-            expect(json_body[:error_description]).not_to be_blank
-            expect(last_response.status).to eq 400
-          end
-        end
-        context 'with valid data' do
-          context 'when scopes requested' do
-            it 'returns an Access Token with scopes' do
-              post authentication_url,
-                   grant_type: 'password',
-                   username: user.username,
-                   password: '12345678',
-                   scope: 'read write',
-                   client_id: application.key,
-                   client_secret: application.secret
-              expect(AccessToken.count).to eq 1
-              expect(AccessToken.first.client_id).to eq application.id
-              expect(json_body[:access_token]).to be_present
-              expect(json_body[:token_type]).to eq 'bearer'
-              expect(json_body[:expires_in]).to eq 7200
-              expect(json_body[:refresh_token]).to be_nil
-              expect(json_body[:scope]).to eq('read write')
-              expect(last_response.status).to eq 200
-            end
-          end
-          context 'without scopes' do
-            it 'returns an Access Token without scopes' do
-              post authentication_url,
-                   grant_type: 'password',
-                   username: user.username,
-                   password: '12345678',
-                   client_id: application.key,
-                   client_secret: application.secret
-              expect(AccessToken.count).to eq 1
-              expect(AccessToken.first.client_id).to eq application.id
-              expect(json_body[:access_token]).to be_present
-              expect(json_body[:token_type]).to eq 'bearer'
-              expect(json_body[:expires_in]).to eq 7200
-              expect(json_body[:refresh_token]).to be_nil
-              expect(json_body[:scope]).to be_nil
-              expect(last_response.status).to eq 200
-            end
-          end
-        end
-        context 'when Token endpoint not mounted' do
-          before do
-            Twitter::API.reset!
-            Twitter::API.change!
-            # Mount only Authorization Endpoint
-            Twitter::API.send(:include, Grape::OAuth2.api(:authorize))
-          end
-          after do
-            Twitter::API.reset!
-            Twitter::API.change!
-            Twitter::API.send(:include, Grape::OAuth2.api)
-            Twitter::API.mount(Twitter::Endpoints::Status)
-            Twitter::API.mount(Twitter::Endpoints::CustomToken)
-            Twitter::API.mount(Twitter::Endpoints::CustomAuthorization)
-          end
-          it 'returns 404' do
-            post authentication_url,
-                 grant_type: 'password',
-                 username: user.username,
-                 password: '12345678',
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 404
-          end
-        end
-      end
-    end
-  end
-  describe 'POST /oauth/custom_token' do
-    context 'when block processed successfully' do
-      it 'returns an access token' do
-        application.update(name: 'Admin')
-        post '/api/v1/oauth/custom_token',
-             grant_type: 'password',
-             username: user.username,
-             password: '12345678',
-             client_id: application.key,
-             client_secret: application.secret
-        expect(last_response.status).to eq 200
-        expect(AccessToken.count).to eq 1
-        expect(AccessToken.first.client_id).to eq application.id
-        expect(json_body[:access_token]).to be_present
-        expect(json_body[:token_type]).to eq 'bearer'
-        expect(json_body[:expires_in]).to eq 7200
-      end
-    end
-    context 'when authentication failed' do
-      it 'returns an error' do
-        application.update(name: 'Admin')
-        post '/api/v1/oauth/custom_token',
-             grant_type: 'password',
-             username: 'invalid@example.com',
-             password: 'invalid',
-             client_id: application.key,
-             client_secret: application.secret
-        expect(json_body[:error]).to eq('invalid_grant')
-        expect(json_body[:error_description]).not_to be_blank
-        expect(last_response.status).to eq 400
-      end
-    end
-  end
-end
+require 'spec_helper'
+describe 'Token Endpoint' do
+  let(:application) { Application.create(name: 'App1') }
+  let(:user) { User.create(username: 'test', password: '12345678') }
+  describe 'Resource Owner Password Credentials flow' do
+    describe 'POST /oauth/token' do
+      let(:authentication_url) { '/api/v1/oauth/token' }
+      context 'with valid params' do
+        context 'when request is invalid' do
+          it 'fails without Grant Type' do
+            post authentication_url,
+                 username: user.username,
+                 password: '12345678',
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails with invalid Grant Type' do
+            post authentication_url,
+                 grant_type: 'invalid',
+                 username: user.username,
+                 password: '12345678'
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('unsupported_grant_type')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails without Client Credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678'
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails with invalid Client Credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678',
+                 client_id: 'blah-blah',
+                 client_secret: application.secret
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_client')
+            expect(last_response.status).to eq 401
+          end
+          it 'fails without Resource Owner credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(json_body[:error_description]).not_to be_blank
+            expect(last_response.status).to eq 400
+          end
+          it 'fails with invalid Resource Owner credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: 'invalid@example.com',
+                 password: 'invalid',
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(json_body[:error]).to eq('invalid_grant')
+            expect(json_body[:error_description]).not_to be_blank
+            expect(last_response.status).to eq 400
+          end
+        end
+        context 'with valid data' do
+          context 'when scopes requested' do
+            it 'returns an Access Token with scopes' do
+              post authentication_url,
+                   grant_type: 'password',
+                   username: user.username,
+                   password: '12345678',
+                   scope: 'read write',
+                   client_id: application.key,
+                   client_secret: application.secret
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to eq('read write')
+              expect(last_response.status).to eq 200
+            end
+          end
+          context 'without scopes' do
+            it 'returns an Access Token without scopes' do
+              post authentication_url,
+                   grant_type: 'password',
+                   username: user.username,
+                   password: '12345678',
+                   client_id: application.key,
+                   client_secret: application.secret
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to be_nil
+              expect(last_response.status).to eq 200
+            end
+          end
+        end
+        context 'when Token endpoint not mounted' do
+          before do
+            Twitter::API.reset!
+            Twitter::API.change!
+            # Mount only Authorization Endpoint
+            Twitter::API.send(:include, Grape::OAuth2.api(:authorize))
+          end
+          after do
+            Twitter::API.reset!
+            Twitter::API.change!
+            Twitter::API.send(:include, Grape::OAuth2.api)
+            Twitter::API.mount(Twitter::Endpoints::Status)
+            Twitter::API.mount(Twitter::Endpoints::CustomToken)
+            Twitter::API.mount(Twitter::Endpoints::CustomAuthorization)
+          end
+          it 'returns 404' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678',
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 404
+          end
+        end
+      end
+    end
+  end
+  describe 'POST /oauth/custom_token' do
+    context 'when block processed successfully' do
+      it 'returns an access token' do
+        application.update(name: 'Admin')
+        post '/api/v1/oauth/custom_token',
+             grant_type: 'password',
+             username: user.username,
+             password: '12345678',
+             client_id: application.key,
+             client_secret: application.secret
+        expect(last_response.status).to eq 200
+        expect(AccessToken.count).to eq 1
+        expect(AccessToken.first.client_id).to eq application.id
+        expect(json_body[:access_token]).to be_present
+        expect(json_body[:token_type]).to eq 'bearer'
+        expect(json_body[:expires_in]).to eq 7200
+      end
+    end
+    context 'when authentication failed' do
+      it 'returns an error' do
+        application.update(name: 'Admin')
+        post '/api/v1/oauth/custom_token',
+             grant_type: 'password',
+             username: 'invalid@example.com',
+             password: 'invalid',
+             client_id: application.key,
+             client_secret: application.secret
+        expect(json_body[:error]).to eq('invalid_grant')
+        expect(json_body[:error_description]).not_to be_blank
+        expect(last_response.status).to eq 400
+      end
+    end
+  end
+end

data/spec/requests/flows/refresh_token_spec.rb CHANGED

@@ -1,222 +1,222 @@
-require 'spec_helper'
-describe 'Token Endpoint' do
-  describe 'POST /oauth/token' do
-    describe 'Refresh Token flow' do
-      context 'with valid params' do
-        let(:api_url) { '/api/v1/oauth/token' }
-        let(:application) { Application.create(name: 'App1') }
-        let(:user) { User.create(username: 'test', password: '12345678') }
-        context 'when request is invalid' do
-          it 'fails without Grant Type' do
-            post api_url,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_request')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails with invalid Grant Type' do
-            post api_url,
-                 grant_type: 'invalid'
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('unsupported_grant_type')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails without Client Credentials' do
-            post api_url,
-                 grant_type: 'refresh_token'
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_request')
-            expect(last_response.status).to eq 400
-          end
-          it 'fails with invalid Client Credentials' do
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: SecureRandom.hex(6),
-                 client_id: 'blah-blah',
-                 client_secret: application.secret
-            expect(AccessToken.all).to be_empty
-            expect(json_body[:error]).to eq('invalid_client')
-            expect(last_response.status).to eq 401
-          end
-          it 'fails when Access Token was issued to another client' do
-            allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
-            another_client = Application.create(name: 'Some')
-            token = AccessToken.create_for(another_client, user)
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(json_body[:error]).to eq('unauthorized_client')
-            expect(last_response.status).to eq 400
-            expect(AccessToken.count).to eq(1)
-          end
-        end
-        context 'with valid data' do
-          before { allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true) }
-          it 'returns a new Access Token' do
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            expect(AccessToken.count).to eq 2
-            expect(AccessToken.last.client_id).to eq application.id
-            expect(AccessToken.last.resource_owner_id).to eq user.id
-            expect(json_body[:access_token]).to eq AccessToken.last.token
-            expect(json_body[:token_type]).to eq 'bearer'
-            expect(json_body[:expires_in]).to eq 7200
-            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
-          end
-          it 'revokes old Access Token if it is configured' do
-            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:revoke!)
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            expect(AccessToken.count).to eq 2
-            expect(AccessToken.last.client).to eq application
-            expect(AccessToken.last.resource_owner).to eq user
-            expect(token.reload.revoked?).to be_truthy
-            expect(json_body[:access_token]).to eq AccessToken.last.token
-            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
-          end
-          it 'destroy old Access Token if it is configured' do
-            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:destroy)
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            expect(AccessToken.count).to eq 1
-            expect(AccessToken.where(token: token.token).first).to be_nil
-          end
-          it 'calls custom block on token refresh if it is configured' do
-            scopes = 'just for test'
-            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(->(token) { token.update(scopes: scopes) })
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            expect(AccessToken.count).to eq 2
-            expect(token.reload.scopes).to eq(scopes)
-          end
-          it 'does nothing on token refresh if :on_refresh is equal to :nothing or nil' do
-            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:nothing)
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            # Check for :nothing
-            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(nil)
-            token = AccessToken.create_for(application, user)
-            expect(token.refresh_token).not_to be_nil
-            # Check for nil
-            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-          end
-          it 'returns a new Access Token even if used token is expired' do
-            token = AccessToken.create_for(application, user)
-            token.update(expires_at: Time.now - 604800) # - 7 days
-            expect(token.refresh_token).not_to be_nil
-            post api_url,
-                 grant_type: 'refresh_token',
-                 refresh_token: token.refresh_token,
-                 client_id: application.key,
-                 client_secret: application.secret
-            expect(last_response.status).to eq 200
-            expect(AccessToken.count).to eq 2
-            expect(AccessToken.last.client_id).to eq application.id
-            expect(AccessToken.last.resource_owner_id).to eq user.id
-            expect(json_body[:access_token]).to eq AccessToken.last.token
-            expect(json_body[:token_type]).to eq 'bearer'
-            expect(json_body[:expires_in]).to eq 7200
-            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
-          end
-        end
-      end
-    end
-  end
-end
+require 'spec_helper'
+describe 'Token Endpoint' do
+  describe 'POST /oauth/token' do
+    describe 'Refresh Token flow' do
+      context 'with valid params' do
+        let(:api_url) { '/api/v1/oauth/token' }
+        let(:application) { Application.create(name: 'App1') }
+        let(:user) { User.create(username: 'test', password: '12345678') }
+        context 'when request is invalid' do
+          it 'fails without Grant Type' do
+            post api_url,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails with invalid Grant Type' do
+            post api_url,
+                 grant_type: 'invalid'
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('unsupported_grant_type')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails without Client Credentials' do
+            post api_url,
+                 grant_type: 'refresh_token'
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+          it 'fails with invalid Client Credentials' do
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: SecureRandom.hex(6),
+                 client_id: 'blah-blah',
+                 client_secret: application.secret
+            expect(AccessToken.all).to be_empty
+            expect(json_body[:error]).to eq('invalid_client')
+            expect(last_response.status).to eq 401
+          end
+          it 'fails when Access Token was issued to another client' do
+            allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            another_client = Application.create(name: 'Some')
+            token = AccessToken.create_for(another_client, user)
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(json_body[:error]).to eq('unauthorized_client')
+            expect(last_response.status).to eq 400
+            expect(AccessToken.count).to eq(1)
+          end
+        end
+        context 'with valid data' do
+          before { allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true) }
+          it 'returns a new Access Token' do
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client_id).to eq application.id
+            expect(AccessToken.last.resource_owner_id).to eq user.id
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:token_type]).to eq 'bearer'
+            expect(json_body[:expires_in]).to eq 7200
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+          it 'revokes old Access Token if it is configured' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:revoke!)
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client).to eq application
+            expect(AccessToken.last.resource_owner).to eq user
+            expect(token.reload.revoked?).to be_truthy
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+          it 'destroy old Access Token if it is configured' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:destroy)
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            expect(AccessToken.count).to eq 1
+            expect(AccessToken.where(token: token.token).first).to be_nil
+          end
+          it 'calls custom block on token refresh if it is configured' do
+            scopes = 'just for test'
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(->(token) { token.update(scopes: scopes) })
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            expect(AccessToken.count).to eq 2
+            expect(token.reload.scopes).to eq(scopes)
+          end
+          it 'does nothing on token refresh if :on_refresh is equal to :nothing or nil' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:nothing)
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            # Check for :nothing
+            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(nil)
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+            # Check for nil
+            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+          end
+          it 'returns a new Access Token even if used token is expired' do
+            token = AccessToken.create_for(application, user)
+            token.update(expires_at: Time.now - 604800) # - 7 days
+            expect(token.refresh_token).not_to be_nil
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+            expect(last_response.status).to eq 200
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client_id).to eq application.id
+            expect(AccessToken.last.resource_owner_id).to eq user.id
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:token_type]).to eq 'bearer'
+            expect(json_body[:expires_in]).to eq 7200
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+        end
+      end
+    end
+  end
+end