grape_oauth2 0.1.1

data/lib/grape_oauth2/endpoints/authorize.rb

@@ -0,0 +1,34 @@
+module Grape
+  module OAuth2
+    # Grape::OAuth2 endpoints namespace
+    module Endpoints
+      # OAuth2 Grape authorization endpoint.
+      class Authorize < ::Grape::API
+        helpers Grape::OAuth2::Helpers::OAuthParams
+
+        namespace :oauth do
+          desc 'OAuth 2.0 Authorization Endpoint'
+
+          params do
+            use :oauth_authorization_params
+          end
+
+          post :authorize do
+            response = Grape::OAuth2::Generators::Authorization.generate_for(env)
+
+            # Status
+            status response.status
+
+            # Headers
+            response.headers.each do |key, value|
+              header key, value
+            end
+
+            # Body
+            body response.body
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/endpoints/token.rb

@@ -0,0 +1,72 @@
+module Grape
+  module OAuth2
+    # Grape::OAuth2 endpoints namespace
+    module Endpoints
+      # OAuth2 Grape token endpoint.
+      class Token < ::Grape::API
+        helpers Grape::OAuth2::Helpers::OAuthParams
+
+        namespace :oauth do
+          # @see https://tools.ietf.org/html/rfc6749#section-3.2
+          #
+          desc 'OAuth 2.0 Token Endpoint'
+
+          params do
+            use :oauth_token_params
+          end
+
+          post :token do
+            token_response = Grape::OAuth2::Generators::Token.generate_for(env)
+
+            # Status
+            status token_response.status
+
+            # Headers
+            token_response.headers.each do |key, value|
+              header key, value
+            end
+
+            # Body
+            body token_response.body
+          end
+
+          desc 'OAuth 2.0 Token Revocation'
+
+          params do
+            use :oauth_token_revocation_params
+          end
+
+          post :revoke do
+            access_token = Grape::OAuth2.config.access_token_class.authenticate(params[:token],
+                                                                                type: params[:token_type_hint])
+
+            if access_token
+              if access_token.client
+                request = Rack::OAuth2::Server::Token::Request.new(env)
+
+                # The authorization server, if applicable, first authenticates the client
+                # and checks its ownership of the provided token.
+                client = Grape::OAuth2::Strategies::Base.authenticate_client(request)
+                request.invalid_client! if client.nil?
+
+                access_token.revoke! if client && client == access_token.client
+              else
+                # Access token is public
+                access_token.revoke!
+              end
+            end
+
+            # The authorization server responds with HTTP status code 200 if the token
+            # has been revoked successfully or if the client submitted an invalid
+            # token.
+            #
+            # @see https://tools.ietf.org/html/rfc7009#section-2.2 Revocation Response
+            #
+            status 200
+            {}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/gem_version.rb

@@ -0,0 +1,24 @@
+module Grape
+  module OAuth2
+    # Grape::OAuth2 version.
+    # @return [Gem::Version] version of the gem
+    #
+    def self.gem_version
+      Gem::Version.new VERSION::STRING
+    end
+
+    # Grape::OAuth2 semantic versioning module.
+    # Contains detailed info about gem version.
+    module VERSION
+      # Major version of the gem
+      MAJOR = 0
+      # Minor version of the gem
+      MINOR = 1
+      # Tiny version of the gem
+      TINY  = 1
+
+      # Full gem version string
+      STRING = [MAJOR, MINOR, TINY].compact.join('.')
+    end
+  end
+end

data/lib/grape_oauth2/generators/authorization.rb

@@ -0,0 +1,44 @@
+module Grape
+  module OAuth2
+    module Generators
+      # OAuth2 Authorization generator class.
+      # Processes the request and builds the response.
+      class Authorization < Base
+        class << self
+          # Generates Authorization Response based on the request.
+          #
+          # @return [Grape::OAuth2::Responses::Authorization] response
+          #
+          def generate_for(env, &_block)
+            authorization = Rack::OAuth2::Server::Authorize.new do |request, response|
+              if block_given?
+                yield request, response
+              else
+                execute_default(request, response)
+              end
+            end
+
+            Grape::OAuth2::Responses::Authorization.new(authorization.call(env))
+          rescue Rack::OAuth2::Server::Authorize::BadRequest => error
+            error_response(error)
+          end
+
+          private
+
+          def error_response(error)
+            response = Rack::Response.new
+            response.status = error.status
+            response.header['Content-Type'] = 'application/json'
+            response.write(JSON.dump(Rack::OAuth2::Util.compact_hash(error.protocol_params)))
+
+            Grape::OAuth2::Responses::Authorization.new(response.finish)
+          end
+
+          def execute_default(request, response)
+            Grape::OAuth2::Strategies::AuthorizationCode.process(request, response)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/generators/base.rb

@@ -0,0 +1,26 @@
+module Grape
+  module OAuth2
+    module Generators
+      # Base class for Grape::OAuth2 generators.
+      # Grape::OAuth2 generators processes the requests and
+      # generates responses with Access Token or Authorization Code.
+      class Base
+        class << self
+          # Allowed grant types from the Grape::OAuth2 configuration.
+          #
+          # @return [Array]
+          #   allowed grant types
+          #
+          def allowed_grants
+            config.allowed_grant_types
+          end
+
+          # Short getter for Grape::OAuth2 configuration.
+          def config
+            Grape::OAuth2.config
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/generators/token.rb

@@ -0,0 +1,62 @@
+module Grape
+  module OAuth2
+    module Generators
+      # OAuth2 Token generator class.
+      # Processes the request by required Grant Type and builds the response.
+      class Token < Base
+        # Grant type => OAuth2 strategy class
+        STRATEGY_CLASSES = {
+          password: Grape::OAuth2::Strategies::Password,
+          client_credentials: Grape::OAuth2::Strategies::ClientCredentials,
+          refresh_token: Grape::OAuth2::Strategies::RefreshToken
+        }.freeze
+
+        class << self
+          # Generates Token Response based on the request.
+          #
+          # @return [Grape::OAuth2::Responses::Token] response
+          #
+          def generate_for(env, &_block)
+            token = Rack::OAuth2::Server::Token.new do |request, response|
+              request.unsupported_grant_type! unless allowed_grants.include?(request.grant_type.to_s)
+
+              if block_given?
+                yield request, response
+              else
+                execute_default(request, response)
+              end
+            end
+
+            Grape::OAuth2::Responses::Token.new(token.call(env))
+          end
+
+          protected
+
+          # Runs default Grape::OAuth2 functionality for Token endpoint.
+          # In common it authenticates client (or/and any other objects) and
+          # grants the Access Token or Auth Code.
+          #
+          # @param request [Rack::Request] request object
+          # @param response [Rack::Response] response object
+          #
+          def execute_default(request, response)
+            strategy = find_strategy(request.grant_type) || request.invalid_grant!
+            response.access_token = strategy.process(request)
+          end
+
+          # Returns Grape::OAuth2 strategy class by Grant Type.
+          #
+          # @param grant_type [Symbol]
+          #   grant type value
+          #
+          # @return [Password, ClientCredentials, RefreshToken]
+          #   strategy class
+          #
+          def find_strategy(grant_type)
+            STRATEGY_CLASSES[grant_type]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/helpers/access_token_helpers.rb

@@ -0,0 +1,54 @@
+module Grape
+  module OAuth2
+    module Helpers
+      # Set of Grape OAuth2 helpers.
+      module AccessTokenHelpers
+        extend ::Grape::API::Helpers
+
+        # Adds OAuth2 Access Token protection for Grape routes.
+        #
+        # @param scopes [Array]
+        #   set of scopes required to access the endpoint
+        #
+        # @raise [Rack::OAuth2::Server::Resource::Bearer::Unauthorized]
+        #   invalid Access Token value
+        # @raise [Rack::OAuth2::Server::Resource::Bearer::Forbidden]
+        #   Access Token expired, revoked or does't have required scopes
+        #
+        def access_token_required!(*scopes)
+          endpoint_scopes = env['api.endpoint'].options[:route_options][:scopes]
+          required_scopes = endpoint_scopes.presence || scopes
+
+          raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized if current_access_token.nil?
+          raise Rack::OAuth2::Server::Resource::Bearer::Forbidden unless valid_access_token?(required_scopes)
+        end
+
+        # Returns Resource Owner from the Access Token
+        # found by access_token value passed with the request.
+        def current_resource_owner
+          @_current_resource_owner ||= current_access_token.resource_owner
+        end
+
+        # Returns Access Token instance found by
+        # access_token value passed with the request.
+        def current_access_token
+          @_current_access_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
+        end
+
+        private
+
+        # Validate current access token not to be expired or revoked
+        # and has all the requested scopes.
+        #
+        # @return [Boolean]
+        #   true if current Access Token not expired, not revoked and scopes match
+        #   false in other cases.
+        #
+        def valid_access_token?(scopes)
+          !current_access_token.revoked? && !current_access_token.expired? &&
+            Grape::OAuth2.config.scopes_validator.new(scopes).valid_for?(current_access_token)
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/helpers/oauth_params.rb

@@ -0,0 +1,41 @@
+module Grape
+  module OAuth2
+    module Helpers
+      # Grape Helper object for OAuth2 requests params.
+      # Used fin default Grape::OAuth2 gem endpoints and can be used
+      # for custom one.
+      module OAuthParams
+        extend ::Grape::API::Helpers
+
+        # Params are optional in order to process them correctly in accordance
+        # with the RFC 6749 (invalid_client, unsupported_grant_type, etc.)
+        params :oauth_token_params do
+          optional :grant_type, type: String, desc: 'Grant type'
+          optional :client_id, type: String, desc: 'Client ID'
+          optional :client_secret, type: String, desc: 'Client secret'
+          optional :refresh_token, type: String, desc: 'Refresh Token'
+        end
+
+        # Params for authorization request.
+        # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.1 Authorization Request
+        params :oauth_authorization_params do
+          optional :response_type, type: String, desc: 'Response type'
+          optional :client_id, type: String, desc: 'Client ID'
+          optional :redirect_uri, type: String, desc: 'Redirect URI'
+          optional :scope, type: String, desc: 'Authorization scopes'
+          optional :state, type: String, desc: 'State'
+        end
+
+        # Params for token revocation.
+        # @see https://tools.ietf.org/html/rfc7009#section-2.1 OAuth 2.0 Token Revocation
+        params :oauth_token_revocation_params do
+          requires :token, type: String, desc: 'The token that the client wants to get revoked'
+          optional :token_type_hint, type: String,
+                                     values: %w(access_token refresh_token),
+                                     default: 'access_token',
+                                     desc: 'A hint about the type of the token submitted for revocation'
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/mixins/active_record/access_grant.rb

@@ -0,0 +1,47 @@
+module Grape
+  module OAuth2
+    module ActiveRecord
+      # Grape::OAuth2 Authorization Grant role mixin for ActiveRecord.
+      # Includes all the required API, associations, validations and callbacks.
+      module AccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          belongs_to :client, class_name: Grape::OAuth2.config.client_class_name,
+                              foreign_key: :client_id
+
+          belongs_to :resource_owner, class_name: Grape::OAuth2.config.resource_owner_class_name,
+                                      foreign_key: :resource_owner_id
+
+          # resource_owner_id - required!
+          validates :client_id, :redirect_uri, presence: true
+          validates :token, presence: true, uniqueness: true
+
+          before_validation :generate_token, on: :create
+          before_validation :setup_expiration, on: :create
+
+          class << self
+            def create_for(client, resource_owner, redirect_uri, scopes = nil)
+              create(
+                client_id: client.id,
+                resource_owner_id: resource_owner && resource_owner.id,
+                redirect_uri: redirect_uri,
+                scopes: scopes.to_s
+              )
+            end
+          end
+
+          protected
+
+          def generate_token
+            self.token = Grape::OAuth2.config.token_generator.generate(attributes)
+          end
+
+          def setup_expiration
+            self.expires_at = Time.now.utc + Grape::OAuth2.config.authorization_code_lifetime if expires_at.nil?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/mixins/active_record/access_token.rb

@@ -0,0 +1,75 @@
+module Grape
+  module OAuth2
+    module ActiveRecord
+      # Grape::OAuth2 Access Token role mixin for ActiveRecord.
+      # Includes all the required API, associations, validations and callbacks.
+      module AccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          belongs_to :client, class_name: Grape::OAuth2.config.client_class_name,
+                              foreign_key: :client_id
+
+          belongs_to :resource_owner, class_name: Grape::OAuth2.config.resource_owner_class_name,
+                                      foreign_key: :resource_owner_id
+
+          validates :token, presence: true, uniqueness: true
+
+          before_validation :setup_expiration, on: :create
+          before_validation :generate_tokens, on: :create
+
+          class << self
+            def create_for(client, resource_owner, scopes = nil)
+              create(
+                client: client,
+                resource_owner: resource_owner,
+                scopes: scopes.to_s
+              )
+            end
+
+            def authenticate(token, type: :access_token)
+              if type && type.to_sym == :refresh_token
+                find_by(refresh_token: token.to_s)
+              else
+                find_by(token: token.to_s)
+              end
+            end
+          end
+
+          def expired?
+            !expires_at.nil? && Time.now.utc > expires_at
+          end
+
+          def revoked?
+            !revoked_at.nil? && revoked_at <= Time.now.utc
+          end
+
+          def revoke!(revoked_at = Time.now)
+            update_column :revoked_at, revoked_at.utc
+          end
+
+          def to_bearer_token
+            {
+              access_token: token,
+              expires_in: expires_at && Grape::OAuth2.config.access_token_lifetime.to_i,
+              refresh_token: refresh_token,
+              scope: scopes
+            }
+          end
+
+          protected
+
+          def generate_tokens
+            self.token = Grape::OAuth2.config.token_generator.generate(attributes) if token.blank?
+            self.refresh_token = Grape::OAuth2::UniqueToken.generate if Grape::OAuth2.config.issue_refresh_token
+          end
+
+          def setup_expiration
+            expires_in = Grape::OAuth2.config.access_token_lifetime
+            self.expires_at = Time.now + expires_in if expires_at.nil? && !expires_in.nil?
+          end
+        end
+      end
+    end
+  end
+end