grape_oauth2 0.1.1

data/spec/requests/flows/password_spec.rb

@@ -0,0 +1,210 @@
+require 'spec_helper'
+
+describe 'Token Endpoint' do
+  let(:application) { Application.create(name: 'App1') }
+  let(:user) { User.create(username: 'test', password: '12345678') }
+
+  describe 'Resource Owner Password Credentials flow' do
+    describe 'POST /oauth/token' do
+      let(:authentication_url) { '/api/v1/oauth/token' }
+
+      context 'with valid params' do
+        context 'when request is invalid' do
+          it 'fails without Grant Type' do
+            post authentication_url,
+                 username: user.username,
+                 password: '12345678',
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Grant Type' do
+            post authentication_url,
+                 grant_type: 'invalid',
+                 username: user.username,
+                 password: '12345678'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('unsupported_grant_type')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails without Client Credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Client Credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678',
+                 client_id: 'blah-blah',
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_client')
+            expect(last_response.status).to eq 401
+          end
+
+          it 'fails without Resource Owner credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(json_body[:error_description]).not_to be_blank
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Resource Owner credentials' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: 'invalid@example.com',
+                 password: 'invalid',
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(json_body[:error]).to eq('invalid_grant')
+            expect(json_body[:error_description]).not_to be_blank
+            expect(last_response.status).to eq 400
+          end
+        end
+
+        context 'with valid data' do
+          context 'when scopes requested' do
+            it 'returns an Access Token with scopes' do
+              post authentication_url,
+                   grant_type: 'password',
+                   username: user.username,
+                   password: '12345678',
+                   scope: 'read write',
+                   client_id: application.key,
+                   client_secret: application.secret
+
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to eq('read write')
+
+              expect(last_response.status).to eq 200
+            end
+          end
+
+          context 'without scopes' do
+            it 'returns an Access Token without scopes' do
+              post authentication_url,
+                   grant_type: 'password',
+                   username: user.username,
+                   password: '12345678',
+                   client_id: application.key,
+                   client_secret: application.secret
+
+              expect(AccessToken.count).to eq 1
+              expect(AccessToken.first.client_id).to eq application.id
+
+              expect(json_body[:access_token]).to be_present
+              expect(json_body[:token_type]).to eq 'bearer'
+              expect(json_body[:expires_in]).to eq 7200
+              expect(json_body[:refresh_token]).to be_nil
+              expect(json_body[:scope]).to be_nil
+
+              expect(last_response.status).to eq 200
+            end
+          end
+        end
+
+        context 'when Token endpoint not mounted' do
+          before do
+            Twitter::API.reset!
+            Twitter::API.change!
+
+            # Mount only Authorization Endpoint
+            Twitter::API.send(:include, Grape::OAuth2.api(:authorize))
+          end
+
+          after do
+            Twitter::API.reset!
+            Twitter::API.change!
+
+            Twitter::API.send(:include, Grape::OAuth2.api)
+            Twitter::API.mount(Twitter::Endpoints::Status)
+            Twitter::API.mount(Twitter::Endpoints::CustomToken)
+            Twitter::API.mount(Twitter::Endpoints::CustomAuthorization)
+          end
+
+          it 'returns 404' do
+            post authentication_url,
+                 grant_type: 'password',
+                 username: user.username,
+                 password: '12345678',
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 404
+          end
+        end
+      end
+    end
+  end
+
+  describe 'POST /oauth/custom_token' do
+    context 'when block processed successfully' do
+      it 'returns an access token' do
+        application.update(name: 'Admin')
+
+        post '/api/v1/oauth/custom_token',
+             grant_type: 'password',
+             username: user.username,
+             password: '12345678',
+             client_id: application.key,
+             client_secret: application.secret
+
+        expect(last_response.status).to eq 200
+
+        expect(AccessToken.count).to eq 1
+        expect(AccessToken.first.client_id).to eq application.id
+
+        expect(json_body[:access_token]).to be_present
+        expect(json_body[:token_type]).to eq 'bearer'
+        expect(json_body[:expires_in]).to eq 7200
+      end
+    end
+
+    context 'when authentication failed' do
+      it 'returns an error' do
+        application.update(name: 'Admin')
+
+        post '/api/v1/oauth/custom_token',
+             grant_type: 'password',
+             username: 'invalid@example.com',
+             password: 'invalid',
+             client_id: application.key,
+             client_secret: application.secret
+
+        expect(json_body[:error]).to eq('invalid_grant')
+        expect(json_body[:error_description]).not_to be_blank
+        expect(last_response.status).to eq 400
+      end
+    end
+  end
+end

data/spec/requests/flows/refresh_token_spec.rb

@@ -0,0 +1,222 @@
+require 'spec_helper'
+
+describe 'Token Endpoint' do
+  describe 'POST /oauth/token' do
+    describe 'Refresh Token flow' do
+      context 'with valid params' do
+        let(:api_url) { '/api/v1/oauth/token' }
+        let(:application) { Application.create(name: 'App1') }
+        let(:user) { User.create(username: 'test', password: '12345678') }
+
+        context 'when request is invalid' do
+          it 'fails without Grant Type' do
+            post api_url,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Grant Type' do
+            post api_url,
+                 grant_type: 'invalid'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('unsupported_grant_type')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails without Client Credentials' do
+            post api_url,
+                 grant_type: 'refresh_token'
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_request')
+            expect(last_response.status).to eq 400
+          end
+
+          it 'fails with invalid Client Credentials' do
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: SecureRandom.hex(6),
+                 client_id: 'blah-blah',
+                 client_secret: application.secret
+
+            expect(AccessToken.all).to be_empty
+
+            expect(json_body[:error]).to eq('invalid_client')
+            expect(last_response.status).to eq 401
+          end
+
+          it 'fails when Access Token was issued to another client' do
+            allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+
+            another_client = Application.create(name: 'Some')
+            token = AccessToken.create_for(another_client, user)
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(json_body[:error]).to eq('unauthorized_client')
+            expect(last_response.status).to eq 400
+
+            expect(AccessToken.count).to eq(1)
+          end
+        end
+
+        context 'with valid data' do
+          before { allow(Grape::OAuth2.config).to receive(:issue_refresh_token).and_return(true) }
+
+          it 'returns a new Access Token' do
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client_id).to eq application.id
+            expect(AccessToken.last.resource_owner_id).to eq user.id
+
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:token_type]).to eq 'bearer'
+            expect(json_body[:expires_in]).to eq 7200
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+
+          it 'revokes old Access Token if it is configured' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:revoke!)
+
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client).to eq application
+            expect(AccessToken.last.resource_owner).to eq user
+
+            expect(token.reload.revoked?).to be_truthy
+
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+
+          it 'destroy old Access Token if it is configured' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:destroy)
+
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            expect(AccessToken.count).to eq 1
+            expect(AccessToken.where(token: token.token).first).to be_nil
+          end
+
+          it 'calls custom block on token refresh if it is configured' do
+            scopes = 'just for test'
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(->(token) { token.update(scopes: scopes) })
+
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            expect(AccessToken.count).to eq 2
+            expect(token.reload.scopes).to eq(scopes)
+          end
+
+          it 'does nothing on token refresh if :on_refresh is equal to :nothing or nil' do
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(:nothing)
+
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            # Check for :nothing
+            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            allow(Grape::OAuth2.config).to receive(:on_refresh).and_return(nil)
+
+            token = AccessToken.create_for(application, user)
+            expect(token.refresh_token).not_to be_nil
+
+            # Check for nil
+            expect(Grape::OAuth2::Strategies::RefreshToken).not_to receive(:run_on_refresh_callback)
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+          end
+
+          it 'returns a new Access Token even if used token is expired' do
+            token = AccessToken.create_for(application, user)
+            token.update(expires_at: Time.now - 604800) # - 7 days
+            expect(token.refresh_token).not_to be_nil
+
+            post api_url,
+                 grant_type: 'refresh_token',
+                 refresh_token: token.refresh_token,
+                 client_id: application.key,
+                 client_secret: application.secret
+
+            expect(last_response.status).to eq 200
+
+            expect(AccessToken.count).to eq 2
+            expect(AccessToken.last.client_id).to eq application.id
+            expect(AccessToken.last.resource_owner_id).to eq user.id
+
+            expect(json_body[:access_token]).to eq AccessToken.last.token
+            expect(json_body[:token_type]).to eq 'bearer'
+            expect(json_body[:expires_in]).to eq 7200
+            expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token
+          end
+        end
+      end
+    end
+  end
+end

data/spec/requests/flows/revoke_token_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+describe 'Token Endpoint' do
+  describe 'POST /oauth/revoke' do
+    describe 'Revoke Token flow' do
+      context 'with valid params' do
+        let(:api_url) { '/api/v1/oauth/revoke' }
+        let(:application) { Application.create(name: 'App1') }
+        let(:user) { User.create(username: 'test', password: '12345678') }
+
+        let(:headers) { { 'HTTP_AUTHORIZATION' => ('Basic ' + Base64::encode64("#{application.key}:#{application.secret}")) } }
+
+        describe 'for public token' do
+          context 'when request is invalid' do
+            before { AccessToken.create_for(application, user) }
+
+            it 'does nothing' do
+              expect {
+                post api_url, { token: 'invalid token' }, headers
+              }.not_to change { AccessToken.count }
+
+              expect(json_body).to eq({})
+              expect(last_response.status).to eq 200
+
+              expect(AccessToken.last).not_to be_revoked
+            end
+
+            it 'returns an error with invalid token_type_hint' do
+              expect {
+                post api_url, { token: AccessToken.last.token, token_type_hint: 'undefined' }, headers
+              }.not_to change { AccessToken.count }
+
+              expect(last_response.status).to eq 400
+            end
+          end
+
+          context 'with valid data' do
+            # Token doesn't belongs to anybody
+            before { AccessToken.create_for(nil, nil)  }
+
+            it 'revokes Access Token by its token' do
+              expect {
+                post api_url, { token: AccessToken.last.token }, headers
+              }.to change { AccessToken.where(revoked_at: nil).count }.from(1).to(0)
+
+              expect(json_body).to eq({})
+              expect(last_response.status).to eq 200
+
+              expect(AccessToken.last).to be_revoked
+            end
+
+            it 'revokes Access Token by its refresh token' do
+              refresh_token = SecureRandom.hex(16)
+              AccessToken.last.update(refresh_token: refresh_token)
+
+              expect {
+                post api_url, { token: refresh_token, token_type_hint: 'refresh_token' }, headers
+              }.to change { AccessToken.where(revoked_at: nil).count }.from(1).to(0)
+
+              expect(json_body).to eq({})
+              expect(last_response.status).to eq 200
+
+              expect(AccessToken.last).to be_revoked
+            end
+          end
+        end
+
+        describe 'for private token' do
+          before { AccessToken.create_for(application, user)  }
+
+          context 'with valid data' do
+            it 'revokes token with client authorization' do
+              expect {
+                post api_url, { token: AccessToken.last.token}, headers
+              }.to change { AccessToken.where(revoked_at: nil).count }.from(1).to(0)
+            end
+          end
+
+          context 'with invalid data' do
+            it 'does not revokes Access Token when credentials is invalid' do
+              expect {
+                post api_url, token: AccessToken.last.token
+              }.to_not change { AccessToken.where(revoked_at: nil).count }
+
+              expect(json_body[:error]).to eq('invalid_client')
+            end
+
+            it 'does not revokes Access Token when token was issued to another client' do
+              another_client = Application.create(name: 'Some')
+              AccessToken.last.update(client_id: another_client.id)
+
+              expect {
+                post api_url, token: AccessToken.last.token
+              }.to_not change { AccessToken.where(revoked_at: nil).count }
+
+              expect(json_body[:error]).to eq('invalid_client')
+            end
+          end
+        end
+      end
+    end
+  end
+end