oauth-plugin 0.3.14 → 0.4.0.pre1

data/lib/generators/test_unit/templates/oauth_nonce_test.rb

@@ -0,0 +1,26 @@
+require 'oauth/helper'
+require File.dirname(__FILE__) + '/../test_helper'
+
+class ClientNoneTest < ActiveSupport::TestCase
+  include OAuth::Helper
+
+  def setup
+    @oauth_nonce = OauthNonce.remember(generate_key,Time.now.to_i)
+  end
+
+  def test_should_be_valid
+    assert @oauth_nonce.valid?
+  end
+
+  def test_should_not_have_errors
+    assert_equal [], @oauth_nonce.errors.full_messages
+  end
+
+  def test_should_not_be_a_new_record
+    assert !@oauth_nonce.new_record?
+  end
+
+  def test_shuold_not_allow_a_second_one_with_the_same_values
+    assert_equal false, OauthNonce.remember(@oauth_nonce.nonce, @oauth_nonce.timestamp)
+  end
+end

data/lib/generators/test_unit/templates/oauth_nonces.yml

@@ -0,0 +1,13 @@
+# Read about fixtures at http://ar.rubyonrails.org/classes/Fixtures.html
+one:
+  id: 1
+  nonce: a_nonce
+  timestamp: 1
+  created_at: 2007-11-25 17:27:04
+  updated_at: 2007-11-25 17:27:04
+two:
+  id: 2
+  nonce: b_nonce
+  timestamp: 2
+  created_at: 2007-11-25 17:27:04
+  updated_at: 2007-11-25 17:27:04

data/lib/generators/test_unit/templates/oauth_token_test.rb

@@ -0,0 +1,57 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class RequestTokenTest < ActiveSupport::TestCase
+
+  fixtures :client_applications, :users, :oauth_tokens
+
+  def setup
+    @token = RequestToken.create :client_application=>client_applications(:one)
+  end
+
+  def test_should_be_valid
+    assert @token.valid?
+  end
+
+  def test_should_not_have_errors
+    assert @token.errors.empty?
+  end
+
+  def test_should_have_a_token
+    assert_not_nil @token.token
+  end
+
+  def test_should_have_a_secret
+    assert_not_nil @token.secret
+  end
+
+  def test_should_not_be_authorized
+    assert !@token.authorized?
+  end
+
+  def test_should_not_be_invalidated
+    assert !@token.invalidated?
+  end
+
+  def test_should_authorize_request
+    @token.authorize!(users(:quentin))
+    assert @token.authorized?
+    assert_not_nil @token.authorized_at
+    assert_equal users(:quentin), @token.user
+  end
+
+  def test_should_not_exchange_without_approval
+    assert_equal false, @token.exchange!
+    assert_equal false, @token.invalidated?
+  end
+
+  def test_should_not_exchange_without_approval
+    @token.authorize!(users(:quentin))
+    @access = @token.exchange!
+    assert_not_equal false, @access
+    assert @token.invalidated?
+
+    assert_equal users(:quentin), @access.user
+    assert @access.authorized?
+  end
+
+end

data/lib/generators/test_unit/templates/oauth_tokens.yml

@@ -0,0 +1,17 @@
+# Read about fixtures at http://ar.rubyonrails.org/classes/Fixtures.html
+one:
+  id: 1
+  user_id: 1
+  client_application_id: 1
+  token: one
+  secret: MyString
+  created_at: 2007-11-19 07:31:46
+  updated_at: 2007-11-19 07:31:46
+two:
+  id: 2
+  user_id: 1
+  client_application_id: 1
+  token: two
+  secret: MyString
+  created_at: 2007-11-19 07:31:46
+  updated_at: 2007-11-19 07:31:46

data/lib/oauth/controllers/application_controller_methods.rb

@@ -3,6 +3,154 @@ module OAuth
   module Controllers
    
     module ApplicationControllerMethods
+      
+      def self.included(controller)
+        controller.class_eval do  
+          extend ClassMethods
+        end
+      end
+      
+      module ClassMethods
+        def oauthenticate(options={})
+          filter_options = {}
+          filter_options[:only]   = options.delete(:only) if options[:only]
+          filter_options[:except] = options.delete(:except) if options[:except]
+          before_filter Filter.new(options), filter_options
+        end
+      end
+      
+      class Filter
+        def initialize(options={})
+          @options={
+              :interactive=>true,
+              :strategies => [:token,:two_legged]
+            }.merge(options)
+          @strategies = Array(@options[:strategies])
+          @strategies << :interactive if @options[:interactive]
+        end
+        
+        def filter(controller)
+          Authenticator.new(controller,@strategies).allow?
+        end
+      end
+      
+      class Authenticator
+        attr_accessor :controller, :strategies, :strategy
+        def initialize(controller,strategies)
+          @controller = controller
+          @strategies = strategies
+        end
+        
+        def params
+          controller.send :params
+        end
+        def request
+          controller.send :request
+        end
+        
+        def allow?
+          if @strategies.any? do |strategy| 
+              @strategy  = strategy.to_sym
+              send @strategy
+            end
+            true
+          else
+            if @strategies.include?(:interactive) 
+              controller.send :access_denied
+            else
+              controller.send :invalid_oauth_response
+            end
+          end
+        end
+
+        def oauth20_token
+          return false unless defined?(Oauth2Token)
+          token, options = token_and_options
+          token ||= params[:oauth_token] || params[:access_token]
+          if !token.blank?
+            @oauth2_token = Oauth2Token.find_by_token(token)
+            if @oauth2_token && @oauth2_token.authorized?
+              controller.send :current_token=, @oauth2_token
+            end
+          end
+          @oauth2_token!=nil
+        end
+
+        def oauth10_token
+          begin
+            if ClientApplication.verify_request(request) do |request_proxy|
+                @oauth_token = ClientApplication.find_token(request_proxy.token)
+                if @oauth_token.respond_to?(:provided_oauth_verifier=)
+                  @oauth_token.provided_oauth_verifier=request_proxy.oauth_verifier 
+                end
+                # return the token secret and the consumer secret
+                [(@oauth_token.nil? ? nil : @oauth_token.secret), (@oauth_token.client_application.nil? ? nil : @oauth_token.client_application.secret)]
+              end
+              controller.send :current_token=, @oauth_token
+              true
+            else
+              false
+            end
+          rescue
+            false
+          end
+        end
+
+        def oauth10_request_token
+          oauth10_token && @oauth_token.is_a?(::RequestToken)
+        end
+
+        def oauth10_access_token
+          oauth10_token && @oauth_token.is_a?(::AccessToken)
+        end
+        
+        def token
+          oauth20_token || oauth10_access_token
+        end
+        
+        def two_legged
+          begin
+            if ClientApplication.verify_request(request) do |request_proxy|
+                @client_application = ClientApplication.find_by_key(request_proxy.consumer_key)
+
+                # Store this temporarily in client_application object for use in request token generation 
+                @client_application.token_callback_url=request_proxy.oauth_callback if request_proxy.oauth_callback
+
+                # return the token secret and the consumer secret
+                [nil, @client_application.secret]
+              end
+              controller.send :current_client_application=, @client_application
+              true
+            else
+              false
+            end
+          rescue
+            false
+          end
+        end
+        
+        def interactive
+          @controller.send :logged_in?
+        end
+        
+        # Blatantly stolen from http://github.com/technoweenie/http_token_authentication
+        # Parses the token and options out of the OAuth authorization header.  If
+        # the header looks like this:
+        #   Authorization: OAuth abc
+        # Then the returned token is "abc", and the options is {:nonce => "def"}
+        #
+        # request - ActionController::Request instance with the current headers.
+        #
+        # Returns an Array of [String, Hash] if a token is present.
+        # Returns nil if no token is found.
+        def token_and_options
+          if header = (request.respond_to?(:authorization) ? request.authorization : ActionController::HttpAuthentication::Basic.authorization(request)).to_s[/^OAuth (.*)/]
+            [$1.strip, {}]
+          end
+        end
+
+      end
+              
       protected
       
       def current_token
@@ -13,67 +161,28 @@ module OAuth
         @current_client_application
       end
       
-      def oauthenticate
-        verified=verify_oauth_signature 
-        return verified && current_token.is_a?(::AccessToken)
-      end
-      
       def oauth?
         current_token!=nil
       end
       
-      # use in a before_filter
+      # use in a before_filter. Note this is for compatibility purposes. Better to use oauthenticate now
       def oauth_required
-        if oauthenticate
-          if authorized?
-            return true
-          else
-            invalid_oauth_response
-          end
-        else          
-          invalid_oauth_response
-        end
+        Authenticator.new(self,[:oauth10_access_token]).allow?
       end
       
-      # This requies that you have an acts_as_authenticated compatible authentication plugin installed
+      # use in before_filter. Note this is for compatibility purposes. Better to use oauthenticate now
       def login_or_oauth_required
-        if oauthenticate
-          if authorized?
-            return true
-          else
-            invalid_oauth_response
-          end
-        else
-          login_required
-        end
+        Authenticator.new(self,[:oauth10_access_token,:interactive]).allow?
       end
       
-      
-      # verifies a request token request
-      def verify_oauth_consumer_signature
-        begin
-          valid = ClientApplication.verify_request(request) do |request_proxy|
-            @current_client_application = ClientApplication.find_by_key(request_proxy.consumer_key)
-            
-            # Store this temporarily in client_application object for use in request token generation 
-            @current_client_application.token_callback_url=request_proxy.oauth_callback if request_proxy.oauth_callback
-            
-            # return the token secret and the consumer secret
-            [nil, @current_client_application.secret]
-          end
-        rescue
-          valid=false
-        end
-
-        invalid_oauth_response unless valid
-      end
-
-      def verify_oauth_request_token
-        verify_oauth_signature && current_token.is_a?(::RequestToken)
-      end
-
       def invalid_oauth_response(code=401,message="Invalid OAuth Request")
         render :text => message, :status => code
+        false
+      end
+      
+      # override this in your controller
+      def access_denied
+        head 401
       end
 
       private
@@ -82,27 +191,21 @@ module OAuth
         @current_token=token
         if @current_token
           @current_user=@current_token.user
-          @current_client_application=@current_token.client_application 
+          @current_client_application=@current_token.client_application
+        else
+          @current_user = nil
+          @current_client_application = nil
         end
         @current_token
       end
       
-      # Implement this for your own application using app-specific models
-      def verify_oauth_signature
-        begin
-          valid = ClientApplication.verify_request(request) do |request_proxy|
-            self.current_token = ClientApplication.find_token(request_proxy.token)
-            if self.current_token.respond_to?(:provided_oauth_verifier=)
-              self.current_token.provided_oauth_verifier=request_proxy.oauth_verifier 
-            end
-            # return the token secret and the consumer secret
-            [(current_token.nil? ? nil : current_token.secret), (current_client_application.nil? ? nil : current_client_application.secret)]
-          end
-          # reset @current_user to clear state for restful_...._authentication
-          @current_user = nil if (!valid)
-          valid
-        rescue
-          false
+      def current_client_application=(app)
+        if app
+          @current_client_application = app
+          @current_user = app.user
+        else
+          @current_client_application = nil
+          @current_user = nil
         end
       end
     end

data/lib/oauth/controllers/provider_controller.rb

@@ -5,16 +5,16 @@ module OAuth
       def self.included(controller)
         controller.class_eval do
           before_filter :login_required, :only => [:authorize,:revoke]
-          before_filter :login_or_oauth_required, :only => [:test_request]
-          before_filter :oauth_required, :only => [:invalidate,:capabilities]
-          before_filter :verify_oauth_consumer_signature, :only => [:request_token]
-          before_filter :verify_oauth_request_token, :only => [:access_token]
+          oauthenticate :only => [:test_request]
+          oauthenticate :strategies => :token, :interactive => false, :only => [:invalidate,:capabilities]
+          oauthenticate :strategies => :two_legged, :interactive => false, :only => [:request_token]
+          oauthenticate :strategies => :oauth10_request_token, :interactive => false, :only => [:access_token]
           skip_before_filter :verify_authenticity_token, :only=>[:request_token, :access_token, :invalidate, :test_request]
         end
       end
       
       def request_token
-        @token = current_client_application.create_request_token
+        @token = current_client_application.create_request_token params
         if @token
           render :text => @token.to_query
         else
@@ -31,43 +31,29 @@ module OAuth
         end
       end
 
+      def token
+        @client_application = ClientApplication.find_by_key params[:client_id]
+        if @client_application.secret != params[:client_secret]
+          oauth2_error "invalid_client"
+          return
+        end
+        if ["authorization_code","password","none"].include?(params[:grant_type])
+          send "oauth2_token_#{params[:grant_type].underscore}"
+        else 
+          oauth2_error "unsupported_grant_type"
+        end
+      end
+
       def test_request
         render :text => params.collect{|k,v|"#{k}=#{v}"}.join("&")
       end
 
       def authorize
-        @token = ::RequestToken.find_by_token params[:oauth_token]
-        unless @token
-          render :action=>"authorize_failure"
-          return
-        end
-        
-        unless @token.invalidated?    
-          if request.post? 
-            if user_authorizes_token?
-              @token.authorize!(current_user)
-              if @token.oauth10?
-                @redirect_url = params[:oauth_callback] || @token.client_application.callback_url
-              else
-                @redirect_url = @token.oob? ? @token.client_application.callback_url : @token.callback_url
-              end
-              
-              if @redirect_url
-                if @token.oauth10?
-                  redirect_to "#{@redirect_url}?oauth_token=#{@token.token}"
-                else
-                  redirect_to "#{@redirect_url}?oauth_token=#{@token.token}&oauth_verifier=#{@token.verifier}"
-                end
-              else
-                render :action => "authorize_success"
-              end
-            else
-              @token.invalidate!
-              render :action => "authorize_failure"
-            end
-          end
-        else
-          render :action => "authorize_failure"
+        if params[:oauth_token]
+          @token = ::RequestToken.find_by_token params[:oauth_token]
+          oauth1_authorize
+        elsif ["code","token"].include?(params[:response_type]) # pick flow
+          send "oauth2_authorize_#{params[:response_type]}"
         end
       end
 
@@ -102,10 +88,140 @@ module OAuth
 
       protected
       
+      def oauth1_authorize
+        unless @token
+          render :action=>"authorize_failure"
+          return
+        end
+
+        unless @token.invalidated?    
+          if request.post? 
+            if user_authorizes_token?
+              @token.authorize!(current_user)
+              @redirect_url = URI.parse(@token.oob? ? @token.client_application.callback_url : @token.callback_url)
+
+              unless @redirect_url.to_s.blank?
+                @redirect_url.query = @redirect_url.query.blank? ?
+                                      "oauth_token=#{@token.token}&oauth_verifier=#{@token.verifier}" :
+                                      @redirect_url.query + "&oauth_token=#{@token.token}&oauth_verifier=#{@token.verifier}"
+                redirect_to @redirect_url.to_s
+              else
+                render :action => "authorize_success"
+              end
+            else
+              @token.invalidate!
+              render :action => "authorize_failure"
+            end
+          end
+        else
+          render :action => "authorize_failure"
+        end
+      end
+
+      def oauth2_authorize_code
+        @client_application = ClientApplication.find_by_key params[:client_id]
+        if request.post?
+          @redirect_url = URI.parse(params[:redirect_url] || @client_application.callback_url)
+          if user_authorizes_token?
+            @verification_code = Oauth2Verifier.create :client_application=>@client_application, :user=>current_user, :callback_url=>@redirect_url.to_s
+
+            unless @redirect_url.to_s.blank?
+              @redirect_url.query = @redirect_url.query.blank? ?
+                                    "code=#{@verification_code.code}" :
+                                    @redirect_url.query + "&code=#{@verification_code.code}"
+              redirect_to @redirect_url.to_s
+            else
+              render :action => "authorize_success"
+            end
+          else
+            unless @redirect_url.to_s.blank?
+              @redirect_url.query = @redirect_url.query.blank? ?
+                                    "error=user_denied" :
+                                    @redirect_url.query + "&error=user_denied"
+              redirect_to @redirect_url.to_s
+            else
+              render :action => "authorize_failure"
+            end
+          end
+        else
+          render :action => "oauth2_authorize"
+        end
+      end
+
+      def oauth2_authorize_token
+        @client_application = ClientApplication.find_by_key params[:client_id]
+        if request.post?
+          @redirect_url = URI.parse(params[:redirect_url] || @client_application.callback_url)
+          if user_authorizes_token?
+            @token  = Oauth2Token.create :client_application=>@client_application, :user=>current_user, :scope=>params[:scope]
+            unless @redirect_url.to_s.blank?
+              @redirect_url.query = @redirect_url.query.blank? ?
+                                    "access_token=#{@token.token}" :
+                                    @redirect_url.query + "&access_token=#{@token.token}"
+              redirect_to @redirect_url.to_s
+            else
+              render :action => "authorize_success"
+            end
+          else
+            unless @redirect_url.to_s.blank?
+              @redirect_url.query = @redirect_url.query.blank? ?
+                                    "error=user_denied" :
+                                    @redirect_url.query + "&error=user_denied"
+              redirect_to @redirect_url.to_s
+            else
+              render :action => "authorize_failure"
+            end
+          end
+        else
+          render :action => "oauth2_authorize"
+        end
+      end
+
+      # http://tools.ietf.org/html/draft-ietf-oauth-v2-08#section-4.1.1
+      def oauth2_token_authorization_code
+        @verification_code =  @client_application.oauth2_verifiers.find_by_token params[:code]
+        unless @verification_code
+          oauth2_error
+          return
+        end
+        if @verification_code.redirect_url != params[:redirect_url]
+          oauth2_error
+          return
+        end
+        @token = @verification_code.exchange!
+        render :json=>@token    
+      end
+
+      # http://tools.ietf.org/html/draft-ietf-oauth-v2-08#section-4.1.2
+      def oauth2_token_password
+        @user = authenticate_user( params[:username], params[:password])
+        unless @user
+          oauth2_error
+          return
+        end
+        @token = Oauth2Token.create :client_application=>@client_application, :user=>@user, :scope=>params[:scope]
+        render :json=>@token    
+      end
+      
+      # should authenticate and return a user if valid password. Override in your own controller
+      def authenticate_user(username,password)
+        User.authenticate(username,password)
+      end
+
+      # autonomous authorization which creates a token for client_applications user
+      def oauth2_token_none
+        @token = Oauth2Token.create :client_application=>@client_application, :user=>@client_application.user, :scope=>params[:scope]
+        render :json=>@token    
+      end
+
       # Override this to match your authorization page form
       def user_authorizes_token?
         params[:authorize] == '1'
+      end  
+
+      def oauth2_error(error="invalid_grant")
+        render :json=>{:error=>error}.to_json
       end
     end
   end
-end
+end

data/lib/oauth/models/consumers/service_loader.rb

@@ -1,3 +1,5 @@
+require 'oauth/controllers/consumer_controller'
+
 # Goes through the entries in your OAUTH_CREDENTIALS and either loads the class required
 # or subclasses ConsumerToken with the name.
 #

data/lib/oauth/models/consumers/token.rb

@@ -7,7 +7,6 @@ module Oauth
       module Token
         def self.included(model)
           model.class_eval do
-            belongs_to :user
             validates_presence_of :user, :token, :secret                      
           end