grape_oauth2 0.1.1

data/spec/mixins/mongoid/client_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+describe 'Grape::OAuth2::Mongoid::Client', skip_if: ENV['ORM'] != 'mongoid' do
+  let(:client) { Application.new }
+
+  let(:key) { SecureRandom.hex(8)  }
+  let(:secret) { SecureRandom.hex(8) }
+
+  it 'generates key on create' do
+    expect(client.key).to be_nil
+    client.save
+    expect(client.key).not_to be_nil
+  end
+
+  it 'generates key on create if an empty string' do
+    client.key = ''
+    client.save
+    expect(client.key).not_to be_blank
+  end
+
+  it 'generates key on create unless one is set' do
+    client.key = key
+    client.save
+    expect(client.key).to eq(key)
+  end
+
+  it 'is invalid without key' do
+    client.save
+    client.key = nil
+    expect(client).not_to be_valid
+  end
+
+  it 'checks uniqueness of key' do
+    app1 = Application.create
+    app2 = Application.create
+    app2.key = app1.key
+    expect(app2).not_to be_valid
+  end
+
+  it 'expects database to throw an error when keys are the same' do
+    app1 = Application.create
+    app2 = Application.create
+    app2.key = app1.key
+    expect { app2.save! }.to raise_error(Mongoid::Errors::Validations)
+  end
+
+  it 'generate secret on create' do
+    expect(client.secret).to be_nil
+    client.save
+    expect(client.secret).not_to be_nil
+  end
+
+  it 'generate secret on create if is blank string' do
+    client.secret = ''
+    client.save
+    expect(client.secret).not_to be_blank
+  end
+
+  it 'generate secret on create unless one is set' do
+    client.secret = secret
+    client.save
+    expect(client.secret).to eq(secret)
+  end
+
+  it 'is invalid without secret' do
+    client.save
+    client.secret = nil
+    expect(client).not_to be_valid
+  end
+
+  describe '#authenticate' do
+    it 'returns a class instance if authenticated successfully' do
+      client.key = key
+      client.secret = secret
+      client.save
+
+      expect(Application.authenticate(key, secret)).to eq(client)
+    end
+
+    it 'returns a class instance if only key specified' do
+      client.key = key
+      client.save
+
+      expect(Application.authenticate(key)).to eq(client)
+    end
+
+    it 'returns nil if authentication failed' do
+      client.key = key
+      client.secret = secret
+      client.save
+
+      expect(Application.authenticate(key, 'invalid-')).to be_nil
+    end
+  end
+end

data/spec/mixins/sequel/access_token_spec.rb

@@ -0,0 +1,185 @@
+require 'spec_helper'
+
+describe 'Grape::OAuth2::Sequel::AccessToken', skip_if: ENV['ORM'] != 'sequel' do
+  let(:application) { Application.create(name: 'Test') }
+  let(:user) { User.create(username: 'test', password: '123123') }
+  let(:access_token) { AccessToken.create(client: application, resource_owner: user) }
+
+  let(:token) { SecureRandom.hex(16) }
+
+  describe 'validations' do
+    it 'validate token uniqueness' do
+      another_token = AccessToken.create(client: application)
+      token = AccessToken.new(client: application, token: another_token.token)
+
+      expect(token).not_to be_valid
+      expect(token.errors).to include(:token)
+    end
+  end
+
+  describe '#to_bearer_token' do
+    context 'config with refresh token' do
+      before do
+        Grape::OAuth2.config.issue_refresh_token = true
+      end
+
+      after do
+        Grape::OAuth2.config.issue_refresh_token = false
+      end
+
+      it 'returns refresh token' do
+        expect(access_token.to_bearer_token[:access_token]).not_to be_blank
+      end
+    end
+
+    context 'config without refresh token' do
+      before do
+        Grape::OAuth2.configure do |config|
+          config.issue_refresh_token = false
+        end
+      end
+
+      it 'returns blank refresh token' do
+        expect(access_token.to_bearer_token[:refresh_token]).to be_blank
+      end
+    end
+  end
+
+  describe '#authenticate' do
+    it 'returns an instance if authenticated successfully' do
+      access_token.token = token
+      access_token.save
+
+      expect(AccessToken.authenticate(token)).to eq(access_token)
+    end
+
+    it 'returns nil if authentication failed' do
+      access_token.token = token
+      access_token.save
+
+      expect(AccessToken.authenticate("invalid-#{token}")).to be_nil
+    end
+
+    it 'returns an instance by refresh token' do
+      refresh_token = SecureRandom.hex(6)
+      token = AccessToken.create(client: application, refresh_token: refresh_token)
+
+      expect(AccessToken.authenticate(refresh_token, type: :refresh_token)).to eq(token)
+      expect(AccessToken.authenticate(refresh_token, type: 'refresh_token')).to eq(token)
+    end
+  end
+
+  describe '#create_for?' do
+    it 'creates a record only for Client' do
+      token = AccessToken.create_for(application, nil)
+
+      expect(token.client).not_to be_nil
+      expect(token.resource_owner).to be_nil
+    end
+
+    it 'creates a record for Client and Resource Owner' do
+      token = AccessToken.create_for(application, user)
+
+      expect(token.client).to eq(application)
+      expect(token.resource_owner).to eq(user)
+    end
+
+    it 'creates a record with scopes' do
+      scopes = 'write read'
+      token = AccessToken.create_for(application, user, scopes)
+
+      expect(token.client).to eq(application)
+      expect(token.resource_owner).to eq(user)
+      expect(token.scopes).to eq(scopes)
+    end
+  end
+
+  describe '#expired?' do
+    it 'return false if expires_at nil' do
+      access_token.update_fields({ expires_at: nil }, [:expires_at])
+
+      expect(access_token.expired?).to be_falsey
+    end
+
+    it 'return false if expires_at < Time.now' do
+      expect(access_token.expired?).to be_falsey
+    end
+
+    it 'return false if expires_at > Time.now' do
+      expires_at = Time.now.utc - Grape::OAuth2.config.access_token_lifetime + 1
+      access_token.update_fields({ expires_at: expires_at }, [:expires_at])
+
+      expect(access_token.expired?).to be_truthy
+    end
+  end
+
+  describe '#revoked?' do
+    it 'return false if revoked_at nil' do
+      access_token.update_fields({ revoked_at: nil }, [:revoked_at])
+
+      expect(access_token.revoked?).to be_falsey
+    end
+
+    it 'return false if revoked_at present' do
+      access_token.update_fields({ revoked_at: Time.now.utc }, [:revoked_at])
+      expect(access_token.revoked?).to be_truthy
+    end
+  end
+
+  describe '#revoke!' do
+    it 'update :revoked_at attribute' do
+      expect { access_token.revoke! }.to change { access_token.revoked? }.from(false).to(true)
+    end
+
+    it 'update :revoked_at attribute with custom value' do
+      custom_time = Time.now - 7200
+      access_token.revoke!(custom_time)
+
+      expect(access_token.revoked_at).to eq(custom_time.utc)
+    end
+  end
+
+  describe 'token generation' do
+    it 'generates a new token before saving if token is blank' do
+      token = AccessToken.new(client: application, resource_owner: user)
+
+      expect(token.token).to be_blank
+
+      token.save
+
+      expect(token.token).not_to be_blank
+    end
+
+    it 'does not change token value on saving if token is present' do
+      token = AccessToken.new(client: application, resource_owner: user, token: 'abcdef')
+
+      expect(token.token).not_to be_blank
+
+      token.save
+
+      expect(token.token).to eq('abcdef')
+    end
+  end
+
+  describe 'expiration' do
+    it 'set to nil if configuration option set to nil' do
+      Grape::OAuth2.config.access_token_lifetime = nil
+
+      token = AccessToken.create(client: application, resource_owner: user)
+      expect(token.expires_at).to be_nil
+
+      Grape::OAuth2.config.access_token_lifetime = Grape::OAuth2::Configuration::DEFAULT_TOKEN_LIFETIME
+    end
+
+    it 'set to specific time if configuration option set to some value' do
+      current_time = Time.now.utc
+      Grape::OAuth2.config.access_token_lifetime = 3500
+
+      token = AccessToken.create(client: application, resource_owner: user)
+      expect(token.expires_at).not_to be_nil
+      expect(token.expires_at).to be_within(1).of(current_time + 3500)
+
+      Grape::OAuth2.config.access_token_lifetime = Grape::OAuth2::Configuration::DEFAULT_TOKEN_LIFETIME
+    end
+  end
+end

data/spec/mixins/sequel/client_spec.rb

@@ -0,0 +1,96 @@
+require 'spec_helper'
+
+describe 'Grape::OAuth2::Sequel::Client', skip_if: ENV['ORM'] != 'sequel' do
+  let(:client) { Application.new(name: 'Test') }
+
+  let(:key) { SecureRandom.hex(8)  }
+  let(:secret) { SecureRandom.hex(8) }
+
+  it 'generates key on create' do
+    expect(client.key).to be_nil
+    client.save
+    expect(client.key).not_to be_nil
+  end
+
+  it 'generates key on create if an empty string' do
+    client.key = ''
+    client.save
+    expect(client.key).not_to be_blank
+  end
+
+  it 'generates key on create unless one is set' do
+    client.key = key
+    client.save
+    expect(client.key).to eq(key)
+  end
+
+  it 'is invalid without key' do
+    client.save
+    client.key = nil
+    expect(client).not_to be_valid
+  end
+
+  it 'checks uniqueness of key' do
+    app1 = Application.create(name: 'app1')
+    app2 = Application.create(name: 'app2')
+    app2.key = app1.key
+    expect(app2).not_to be_valid
+    expect(app2.errors).to include(:key)
+  end
+
+  it 'expects database to throw an error when keys are the same' do
+    app1 = Application.create(name: 'app1')
+    app2 = Application.create(name: 'app2')
+    app2.key = app1.key
+    expect { app2.save }.to raise_error(Sequel::ValidationFailed)
+  end
+
+  it 'generate secret on create' do
+    expect(client.secret).to be_nil
+    client.save
+    expect(client.secret).not_to be_nil
+  end
+
+  it 'generate secret on create if is blank string' do
+    client.secret = ''
+    client.save
+    expect(client.secret).not_to be_blank
+  end
+
+  it 'generate secret on create unless one is set' do
+    client.secret = secret
+    client.save
+    expect(client.secret).to eq(secret)
+  end
+
+  it 'is invalid without secret' do
+    client.save
+    client.secret = nil
+    expect(client).not_to be_valid
+  end
+
+  describe '#authenticate' do
+    it 'returns a class instance if authenticated successfully' do
+      client.key = key
+      client.secret = secret
+      client.save
+
+      expect(Application.authenticate(key, secret)).to eq(client)
+    end
+
+    it 'returns a class instance if only key specified' do
+      client.key = key
+      client.save
+
+      expect(Application.authenticate(key)).to eq(client)
+    end
+
+    it 'returns nil if authentication failed' do
+      client.key = key
+      client.secret = secret
+      client.save
+
+      expect(Application.authenticate(key, 'invalid-')).to be_nil
+    end
+  end
+end

data/spec/requests/flows/authorization_code_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+describe 'Authorization Code flow' do
+  let(:redirect_uri) { 'http://localhost:3000/home' }
+  let(:application) { Application.create(name: 'App1', redirect_uri: redirect_uri) }
+
+  describe 'POST /oauth/authorize' do
+    let(:authorize_url) { '/api/v1/oauth/authorize' }
+
+    context 'with valid params' do
+      context 'when response_type is :code' do
+        it 'should be success' do
+          expect {
+            post authorize_url,
+              client_id: application.key,
+              redirect_uri: redirect_uri,
+              response_type: 'code'
+          }.to change { AccessCode.count }.from(0).to(1)
+
+          expect(last_response.status).to eq 302
+        end
+      end
+
+      context 'when response_type is :token' do
+        it 'should be success' do
+          expect {
+            post authorize_url,
+              client_id: application.key,
+              redirect_uri: redirect_uri,
+              response_type: 'token'
+          }.to change { AccessToken.count }.from(0).to(1)
+        end
+      end
+    end
+
+    context 'with invalid params' do
+      it 'should fail without response_type' do
+        post authorize_url,
+             client_id: application.key
+
+        expect(last_response.status).to eq 400
+        expect(json_body[:error]).to eq('invalid_request')
+      end
+
+      it 'should fail with unsupported response_type' do
+        post authorize_url,
+             client_id: application.key,
+             redirect_uri: redirect_uri,
+             response_type: 'invalid'
+
+        expect(last_response.status).to eq 400
+        expect(json_body[:error]).to eq('unsupported_response_type')
+      end
+    end
+  end
+
+  describe 'POST /oauth/custom_authorize' do
+    it 'invokes custom block' do
+      post '/api/v1/oauth/custom_authorize',
+           client_id: application.key,
+           redirect_uri: redirect_uri,
+           response_type: 'code'
+
+      expect(last_response.status).to eq(400)
+    end
+  end
+end

data/spec/requests/flows/client_credentials_spec.rb

@@ -0,0 +1,101 @@
+require 'spec_helper'
+
+describe 'Token Endpoint' do
+  describe 'POST /oauth/token' do
+    describe 'Client Credentials flow' do
+      context 'with valid params' do
+        let(:authentication_url) { '/api/v1/oauth/token' }
+        let(:application) { Application.create(name: 'App1') }
+        let(:user) { User.create(username: 'test', password: '12345678') }
+
+        context 'when request is invalid' do
+          it 'fails without Grant Type' do
+            post authentication_url,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Grant Type' do
+            post authentication_url,
+                 grant_type: 'invalid'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('unsupported_grant_type')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails without Client Credentials' do
+            post authentication_url,
+                 grant_type: 'client_credentials'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Client Credentials' do
+            post authentication_url,
+                 grant_type: 'client_credentials',
+                 client_id: 'blah-blah',
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_client')
+            expect(last_response.status).to eq 401
+          end
+        end
+
+        context 'with valid data' do
+          context 'when scopes requested' do
+            it 'returns an Access Token with scopes' do
+              post authentication_url,
+                   grant_type: 'client_credentials',
+                   scope: 'read write',
+                   client_id: application.key,
+                   client_secret: application.secret
+
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to eq('read write')
+
+              expect(last_response.status).to eq 200
+            end
+          end
+
+          context 'without scopes' do
+            it 'returns an Access Token without scopes' do
+              post authentication_url,
+                   grant_type: 'client_credentials',
+                   client_id: application.key,
+                   client_secret: application.secret
+
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to be_nil
+
+              expect(last_response.status).to eq 200
+            end
+          end
+        end
+      end
+    end
+  end
+end