mustwin_devise_oauth2_providable 1.1.3

data/.gitignore

@@ -0,0 +1,35 @@
+# rcov generated
+coverage
+
+# rdoc generated
+rdoc
+
+# yard generated
+doc
+.yardoc
+
+# bundler
+.bundle
+Gemfile.lock
+
+# jeweler generated
+pkg
+
+# test files
+test/*.log
+test/*.sqlite3
+
+# For vim:
+*.swp
+
+# For MacOS:
+.DS_Store
+
+# git files
+*.orig
+
+# rails files
+tmp
+log
+*.log
+*.sqlite3

data/.rvmrc

@@ -0,0 +1 @@
+rvm use @devise_oauth2_providable --create

data/CONTRIBUTORS.txt

@@ -0,0 +1,6 @@
+Ryan Sonnek - Original Author
+
+
+Complete list of contributors:
+https://github.com/socialcast/devise_oauth2_providable/contributors
+

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in the .gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright (c) 2011 Socialcast, Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,158 @@
+# devise_oauth2_providable
+
+Rails3 engine that brings OAuth2 Provider support to your application.
+
+Current OAuth2 Specification Draft:
+http://tools.ietf.org/html/draft-ietf-oauth-v2-22
+
+## Features
+
+* integrate OAuth2 authentication with Devise authenthentication stack
+* one-stop-shop includes all Models, Controllers and Views to get up and
+  running quickly
+* All server requests support authentication via bearer token included in
+the request.  http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
+* customizable mount point for oauth2 routes (ex: /oauth2 vs /oauth)
+
+
+## Requirements
+
+* Devise authentication library
+* Rails 3.1 or higher
+
+## Installation
+
+#### Install gem
+```ruby
+# Gemfile
+gem 'devise_oauth2_providable'
+```
+
+#### Migrate database for Oauth2 models
+```
+$ rake devise_oauth2_providable:install:migrations
+$ rake db:migrate
+```
+
+#### Add Oauth2 Routes
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  # oauth routes can be mounted to any path (ex: /oauth2 or /oauth)
+  mount Devise::Oauth2Providable::Engine => '/oauth2'
+end
+```
+
+#### Configure User for supported Oauth2 flows
+```ruby
+class User
+  # NOTE: include :database_authenticatable configuration
+  # if supporting Resource Owner Password Credentials Grant Type
+  devise :oauth2_providable, 
+    :oauth2_password_grantable,
+    :oauth2_refresh_token_grantable,
+    :oauth2_authorization_code_grantable
+end
+```
+
+#### (optional) Configure token expiration settings
+```ruby
+# config/application.rb
+config.devise_oauth2_providable.access_token_expires_in         = 1.second # 15.minute default
+config.devise_oauth2_providable.refresh_token_expires_in        = 1.minute # 1.month default
+config.devise_oauth2_providable.authorization_token_expires_in  = 5.seconds # 1.minute default
+```
+
+## Models
+
+### Client
+registered OAuth2 client for storing the unique client_id and
+client_secret.
+
+### AccessToken
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.3
+
+Short lived token used by clients to perform subsequent requests (see
+bearer token spec)
+
+expires after 15min by default.  to customize the duration of the access token:
+
+```ruby
+Devise::Oauth2Providable::AccessToken.default_lifetime = 1.minute
+```
+
+### RefreshToken
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.5
+
+Long lived token used by clients to request new access tokens without
+requiring user intervention to re-authorize.
+
+expires after 1 month by default. to customize the duration of refresh token:
+
+```ruby
+Devise::Oauth2Providable::RefreshToken.default_lifetime = 1.year
+```
+
+### AuthorizationCode
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-1.4.1
+
+*Very* short lived token created to allow a client to request an access
+token after a user has gone through the authorization flow.
+
+expires after 1min by default. to customize the duration of the
+authorization code:
+
+```ruby
+Devise::Oauth2Providable::AuthorizationCode.default_lifetime = 5.minutes
+```
+
+## Routes
+
+### /oauth2/authorize
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.1
+
+Endpoint to start client authorization flow.  Models, controllers and
+views are included for out of the box deployment.
+
+Supports the Authorization Code and Implicit grant types.
+
+### /oauth2/token
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-2.2
+
+Endpoint to request access token.  See grant type documentation for
+supported flows.
+
+## Grant Types
+
+### Resource Owner Password Credentials Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+
+in order to use the Resource Owner Password Credentials Grant Type, your
+Devise model *must* be configured with the :database_authenticatable option
+
+### Client Credentials Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+
+### Authorization Code Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+
+### Implicit Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.2
+
+### Refresh Token Grant Type
+http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6
+
+## Contributing
+ 
+* Fork the project
+* Fix the issue
+* Add unit tests
+* Submit pull request on github
+
+See CONTRIBUTORS.txt for list of project contributors
+
+## Copyright
+
+Copyright (c) 2011 Socialcast, Inc. 
+See LICENSE.txt for further details.
+

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/app/controllers/devise/oauth2_providable/authorizations_controller.rb

@@ -0,0 +1,59 @@
+module Devise
+  module Oauth2Providable
+    class AuthorizationsController < ApplicationController
+      before_filter :authenticate_user!
+
+      rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+        @error = e
+        render :error, :status => e.status
+      end
+
+      def new
+        respond *authorize_endpoint.call(request.env)
+      end
+
+      def create
+        respond *authorize_endpoint(:allow_approval).call(request.env)
+      end
+
+      private
+
+      def respond(status, header, response)
+        ["WWW-Authenticate"].each do |key|
+          headers[key] = header[key] if header[key].present?
+        end
+        if response.redirect?
+          redirect_to header['Location']
+        else
+          render :new
+        end
+      end
+
+      def authorize_endpoint(allow_approval = false)
+        Rack::OAuth2::Server::Authorize.new do |req, res|
+          @client = Client.find_by_identifier(req.client_id) || req.bad_request!
+          res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@client.redirect_uri)
+          if allow_approval
+            if params[:approve].present?
+              case req.response_type
+              when :code
+                authorization_code = current_user.authorization_codes.create!(:client => @client)
+                res.code = authorization_code.token
+              when :token
+                access_token = current_user.access_tokens.create!(:client => @client).token
+                bearer_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => access_token)
+                res.access_token = bearer_token
+                res.uid = current_user.id
+              end
+              res.approve!
+            else
+              req.access_denied!
+            end
+          else
+            @response_type = req.response_type
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/devise/oauth2_providable/tokens_controller.rb

@@ -0,0 +1,17 @@
+class Devise::Oauth2Providable::TokensController < ApplicationController
+  before_filter :authenticate_user!
+  skip_before_filter :verify_authenticity_token, :only => :create
+
+  def create
+    @refresh_token = oauth2_current_refresh_token || oauth2_current_client.refresh_tokens.create!(:user => current_user)
+    @access_token = @refresh_token.access_tokens.create!(:client => oauth2_current_client, :user => current_user)
+    render :json => @access_token.token_response
+  end
+  private
+  def oauth2_current_client
+   env[Devise::Oauth2Providable::CLIENT_ENV_REF]
+  end
+  def oauth2_current_refresh_token
+    env[Devise::Oauth2Providable::REFRESH_TOKEN_ENV_REF]
+  end
+end

data/app/models/devise/oauth2_providable/access_token.rb

@@ -0,0 +1,24 @@
+class Devise::Oauth2Providable::AccessToken < ActiveRecord::Base
+  expires_according_to :access_token_expires_in
+
+  before_validation :restrict_expires_at, :on => :create, :if => :refresh_token
+  belongs_to :refresh_token
+
+  attr_accessible :refresh_token
+
+  def token_response
+    response = {
+      :access_token => token,
+      :token_type => 'bearer',
+      :expires_in => expires_in
+    }
+    response[:refresh_token] = refresh_token.token if refresh_token
+    response
+  end
+
+  private
+
+  def restrict_expires_at
+    self.expires_at = [self.expires_at, refresh_token.expires_at].compact.min
+  end
+end

data/app/models/devise/oauth2_providable/authorization_code.rb

@@ -0,0 +1,3 @@
+class Devise::Oauth2Providable::AuthorizationCode < ActiveRecord::Base
+  expires_according_to :authorization_code_expires_in
+end

data/app/models/devise/oauth2_providable/client.rb

@@ -0,0 +1,24 @@
+class Devise::Oauth2Providable::Client < ActiveRecord::Base
+  has_many :access_tokens
+  has_many :refresh_tokens
+  has_many :authorization_codes
+
+  before_validation :init_identifier, :on => :create, :unless => :identifier?
+  before_validation :init_secret, :on => :create, :unless => :secret?
+  validates :website, :secret, :presence => true
+  validates :name, :presence => true, :uniqueness => true
+  validates :identifier, :presence => true, :uniqueness => true
+
+  attr_accessible :name, :website, :redirect_uri
+
+  private
+
+  def init_identifier
+    self.identifier = Devise::Oauth2Providable.random_id
+  end
+
+  def init_secret
+    self.secret = Devise::Oauth2Providable.random_id
+  end
+
+end

data/app/models/devise/oauth2_providable/refresh_token.rb

@@ -0,0 +1,8 @@
+class Devise::Oauth2Providable::RefreshToken < ActiveRecord::Base
+  expires_according_to :refresh_token_expires_in
+
+  attr_accessible :access_tokens
+
+  has_many :access_tokens
+
+end

data/app/views/devise/oauth2_providable/authorizations/_form.html.erb

@@ -0,0 +1,7 @@
+<%= form_tag authorizations_path, :class => action do %>
+  <%= hidden_field_tag :client_id, client.identifier %>
+  <%= hidden_field_tag :response_type, response_type %>
+  <%= hidden_field_tag :redirect_uri, redirect_uri %>
+  <%= submit_tag action.to_s.capitalize %>
+  <%= hidden_field_tag action, true %>
+<% end %>

data/app/views/devise/oauth2_providable/authorizations/error.html.erb

@@ -0,0 +1,4 @@
+<h2>Invalid Authorization Request</h2>
+<h3><%= @error.error %></h3>
+<p><%= @error.description %></p>
+

data/app/views/devise/oauth2_providable/authorizations/new.html.erb

@@ -0,0 +1,4 @@
+<h2><%= link_to @client.name, @client.website %> is requesting permission to access your resources.</h2>
+
+<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %>
+<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %>

data/config/routes.rb

@@ -0,0 +1,7 @@
+Devise::Oauth2Providable::Engine.routes.draw do
+  root :to => "authorizations#new"
+
+  resources :authorizations, :only => :create
+  match 'authorize' => 'authorizations#new', :via => [:get, :post]
+  resource :token, :only => :create
+end

data/db/migrate/20111014160714_create_devise_oauth2_providable_schema.rb

@@ -0,0 +1,54 @@
+class CreateDeviseOauth2ProvidableSchema < ActiveRecord::Migration
+  def change
+    create_table :oauth2_clients do |t|
+      t.string :name
+      t.string :redirect_uri
+      t.string :website
+      t.string :identifier
+      t.string :secret
+      t.timestamps
+    end
+    change_table :oauth2_clients do |t|
+      t.index :identifier, :unique => true
+    end
+
+    create_table :oauth2_access_tokens do |t|
+      t.belongs_to :user, :client, :refresh_token
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_access_tokens do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+
+    create_table :oauth2_refresh_tokens do |t|
+      t.belongs_to :user, :client
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_refresh_tokens do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+
+    create_table :oauth2_authorization_codes do |t|
+      t.belongs_to :user, :client
+      t.string :token
+      t.datetime :expires_at
+      t.timestamps
+    end
+    change_table :oauth2_authorization_codes do |t|
+      t.index :token, :unique => true
+      t.index :expires_at
+      t.index :user_id
+      t.index :client_id
+    end
+  end
+end

data/devise_oauth2_providable.gemspec

@@ -0,0 +1,32 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise/oauth2_providable/version"
+
+Gem::Specification.new do |s|
+  s.name        = "mustwin_devise_oauth2_providable"
+  s.version     = Devise::Oauth2Providable::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Ryan Sonnek"]
+  s.email       = ["ryan@socialcast.com"]
+  s.homepage    = ""
+  s.summary     = %q{OAuth2 Provider for Rails3 applications}
+  s.description = %q{Rails3 engine that adds OAuth2 Provider support to any application built with Devise authentication}
+
+  s.rubyforge_project = "devise_oauth2_providable"
+
+  s.add_runtime_dependency(%q<rails>, [">= 3.1.0"])
+  s.add_runtime_dependency(%q<devise>, [">= 1.4.3"])
+  s.add_runtime_dependency(%q<rack-oauth2>, ["~> 0.11.0"])
+  s.add_development_dependency(%q<rspec-rails>, ['2.6.1'])
+  s.add_development_dependency(%q<sqlite3>, ['1.3.5'])
+  s.add_development_dependency(%q<shoulda-matchers>, ['1.0.0.beta3'])
+  s.add_development_dependency(%q<pry>, ['0.9.6.2'])
+  s.add_development_dependency(%q<factory_girl>, ['2.2.0'])
+  s.add_development_dependency(%q<factory_girl_rspec>, ['0.0.1'])
+  s.add_development_dependency(%q<rake>, ['0.9.2.2'])
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/devise/oauth2_providable/engine.rb

@@ -0,0 +1,16 @@
+module Devise
+  module Oauth2Providable
+    class Engine < Rails::Engine
+      config.devise_oauth2_providable = ActiveSupport::OrderedOptions.new
+      config.devise_oauth2_providable.access_token_expires_in       = 15.minutes
+      config.devise_oauth2_providable.refresh_token_expires_in      = 1.month
+      config.devise_oauth2_providable.authorization_code_expires_in = 1.minute
+
+      engine_name 'oauth2'
+      isolate_namespace Devise::Oauth2Providable
+      initializer "devise_oauth2_providable.initialize_application", :before=> :load_config_initializers do |app|
+        app.config.filter_parameters << :client_secret
+      end
+    end
+  end
+end

data/lib/devise/oauth2_providable/expirable_token.rb

@@ -0,0 +1,58 @@
+require 'active_support/concern'
+require 'active_record'
+
+module Devise
+  module Oauth2Providable
+    module ExpirableToken
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def expires_according_to(config_name)
+          cattr_accessor :default_lifetime
+          self.default_lifetime = Rails.application.config.devise_oauth2_providable[config_name]
+
+          belongs_to :user
+          belongs_to :client
+
+          attr_accessible :user, :client
+
+          after_initialize :init_token, :on => :create, :unless => :token?
+          after_initialize :init_expires_at, :on => :create, :unless => :expires_at?
+          validates :expires_at, :presence => true
+          validates :client, :presence => true
+          validates :token, :presence => true, :uniqueness => true
+
+          default_scope lambda {
+            where(self.arel_table[:expires_at].gteq(Time.now.utc))
+          }
+
+          include LocalInstanceMethods
+        end
+      end
+
+      module LocalInstanceMethods
+        # number of seconds until the token expires
+        def expires_in
+          (expires_at - Time.now.utc).to_i
+        end
+
+        # forcefully expire the token
+        def expired!
+          self.expires_at = Time.now.utc
+          self.save!
+        end
+
+        private
+
+        def init_token
+          self.token = Devise::Oauth2Providable.random_id
+        end
+        def init_expires_at
+          self.expires_at = self.default_lifetime.from_now
+        end
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.send :include, Devise::Oauth2Providable::ExpirableToken

data/lib/devise/oauth2_providable/models/oauth2_authorization_code_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2AuthorizationCodeGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_password_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2PasswordGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_providable.rb

@@ -0,0 +1,13 @@
+require 'devise/models'
+
+module Devise
+  module Models
+    module Oauth2Providable
+      extend ActiveSupport::Concern
+      included do
+        has_many :access_tokens, :class_name => 'Devise::Oauth2Providable::AccessToken'
+        has_many :authorization_codes, :class_name => 'Devise::Oauth2Providable::AuthorizationCode'
+      end
+    end
+  end
+end

data/lib/devise/oauth2_providable/models/oauth2_refresh_token_grantable.rb

@@ -0,0 +1,6 @@
+module Devise
+  module Models
+    module Oauth2RefreshTokenGrantable
+    end
+  end
+end

data/lib/devise/oauth2_providable/strategies/oauth2_authorization_code_grant_type_strategy.rb

@@ -0,0 +1,21 @@
+require 'devise/oauth2_providable/strategies/oauth2_grant_type_strategy'
+
+module Devise
+  module Strategies
+    class Oauth2AuthorizationCodeGrantTypeStrategy < Oauth2GrantTypeStrategy
+      def grant_type
+        'authorization_code'
+      end
+
+      def authenticate_grant_type(client)
+        if code = client.authorization_codes.find_by_token(params[:code])
+          success! code.user
+        else
+          oauth_error! :invalid_grant, 'invalid authorization code request'
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:oauth2_authorization_code_grantable, Devise::Strategies::Oauth2AuthorizationCodeGrantTypeStrategy)

data/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb

@@ -0,0 +1,39 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class Oauth2GrantTypeStrategy < Authenticatable
+      def valid?
+        params[:controller] == 'devise/oauth2_providable/tokens' && request.post? && params[:grant_type] == grant_type
+      end
+
+      # defined by subclass
+      def grant_type
+      end
+
+      # defined by subclass
+      def authenticate_grant_type(client)
+      end
+
+      def authenticate!
+        client_id, client_secret = request.authorization ? decode_credentials : [params[:client_id], params[:client_secret]]
+        client = Devise::Oauth2Providable::Client.find_by_identifier client_id
+        if client && client.secret == client_secret
+          env[Devise::Oauth2Providable::CLIENT_ENV_REF] = client
+          authenticate_grant_type(client)
+        else
+          oauth_error! :invalid_client, 'invalid client credentials'
+        end
+      end
+
+      # return custom error response in accordance with the oauth spec
+      # see http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.3
+      def oauth_error!(error_code = :invalid_request, description = nil)
+        body = {:error => error_code}
+        body[:error_description] = description if description
+        custom! [400, {'Content-Type' => 'application/json'}, [body.to_json]]
+        throw :warden
+      end
+    end
+  end
+end