oauth-plugin 0.4.0.pre6 → 0.4.0.pre7

data/.gitignore

@@ -8,3 +8,5 @@ pkg
 .swp
 .idea
 .rvmrc
+
+Gemfile.lock

data/CHANGELOG

@@ -1,3 +1,8 @@
+0.4.0-pre7
+  - OAuth 1 requests using query or form encoded parameters where being interpreted as OAuth2 [pelleb]
+  - OAuth 2 requests were not checking for invalidated tokens. Please upgrade for this if you offer OAuth 2 [rymai]
+  - Handle case where credentials[:options] in consumer plugin was nil [marnen]
+  - Better facebook example [marnen]
 0.4.0-pre6
   - fixes issue with erb generator in rails 3 [pelleb]
   - various cleanups in generators [akonan]

data/Gemfile

@@ -2,3 +2,26 @@ source "http://rubygems.org"
 
 # Specify your gem's dependencies in oauth-plugin.gemspec
 gemspec
+
+require 'rbconfig'
+
+platforms :ruby do
+  if Config::CONFIG['target_os'] =~ /darwin/i
+    gem 'rb-fsevent'
+    gem 'growl'
+  end
+  if Config::CONFIG['target_os'] =~ /linux/i
+    gem 'rb-inotify', '>= 0.5.1'
+    gem 'libnotify',  '~> 0.1.3'
+  end
+end
+
+platforms :jruby do
+  if Config::CONFIG['target_os'] =~ /darwin/i
+    gem 'growl'
+  end
+  if Config::CONFIG['target_os'] =~ /linux/i
+    gem 'rb-inotify', '>= 0.5.1'
+    gem 'libnotify',  '~> 0.1.3'
+  end
+end

data/Guardfile

@@ -1,8 +1,8 @@
 # A sample Guardfile
 # More info at http://github.com/guard/guard#readme
 
-guard 'rspec', :version => 2 do
-  watch('^spec/(.*)_spec.rb')
-  watch('^lib/oauth/(.*)\.rb')                              { |m| "spec/#{m[1]}_spec.rb" }
-  watch('^spec/spec_helper.rb')                       { "spec" }
+guard 'rspec', :version => 2, :cli => '-c' do
+  watch(%r{^spec/(.*)_spec.rb})
+  watch(%r{^lib/oauth/(.+)\.rb}) { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')   { "spec" }
 end

data/generators/oauth_consumer/templates/oauth_config.rb

@@ -25,7 +25,12 @@
 #   },
 #   :facebook => {
 #     :key => "",
-#     :secret => ""
+#     :secret => "",
+#     :oauth_version => 2,
+#     :super_class => 'Oauth2Token' # unnecessary if you have an explicit "class FacebookToken < Oauth2Token",
+#     :options => {
+#       :site => "https://graph.facebook.com"
+#     }
 #   },
 #   :agree2 => {
 #     :key => "",

data/lib/oauth-plugin/version.rb

@@ -1,5 +1,5 @@
 module Oauth
   module Plugin
-    VERSION = "0.4.0.pre6"
+    VERSION = "0.4.0.pre7"
   end
 end

data/lib/oauth/controllers/application_controller_methods.rb

@@ -104,7 +104,7 @@ module OAuth
       end
       
       def current_client_application
-        request.env["oauth.version"]==1 && env["oauth.client_application"] || current_token.try(:client_application)
+        request.env["oauth.version"]==1 && request.env["oauth.client_application"] || current_token.try(:client_application)
       end
       
       def oauth?

data/lib/oauth/models/consumers/token.rb

@@ -22,7 +22,8 @@ module Oauth
           end
           
           def consumer
-            @consumer||=OAuth::Consumer.new credentials[:key],credentials[:secret],credentials[:options]
+            options = credentials[:options] || {}
+            @consumer||=OAuth::Consumer.new credentials[:key],credentials[:secret],options
           end
 
           def get_request_token(callback_url)

data/lib/oauth/rack/oauth_filter.rb

@@ -5,7 +5,7 @@ require "oauth/request_proxy/rack_request"
 
 module OAuth
   module Rack
-    
+
     # An OAuth 1.0a filter to be used together with the oauth-plugin for rails.T
     # This is still experimental
     #
@@ -13,39 +13,36 @@ module OAuth
     #
     # require 'oauth/rack/oauth_filter'
     # config.middleware.use OAuth::Rack::OAuthFilter
-    
-    
-    
+
     class OAuthFilter
       def initialize(app)
         @app = app
       end
-      
-      def call(env)        
+
+      def call(env)
         request = ::Rack::Request.new(env)
-        env["oauth_plugin"]=true
+        env["oauth_plugin"] = true
         strategies = []
         if token_string = oauth2_token(request)
-          token = Oauth2Token.find_by_token(token_string) if token_string
-          if token
-            env["oauth.token"] = token
+          if token = Oauth2Token.first(:conditions => ['invalidated_at IS NULL AND authorized_at IS NOT NULL and token = ?', token_string])
+            env["oauth.token"]   = token
             env["oauth.version"] = 2
             strategies << :oauth20_token
-            strategies << :token            
+            strategies << :token
           end
 
         elsif oauth1_verify(request) do |request_proxy|
             client_application = ClientApplication.find_by_key(request_proxy.consumer_key)
             env["oauth.client_application_candidate"] = client_application
-            # Store this temporarily in client_application object for use in request token generation
-            client_application.token_callback_url=request_proxy.oauth_callback if request_proxy.oauth_callback
 
+            # Store this temporarily in client_application object for use in request token generation
+            client_application.token_callback_url = request_proxy.oauth_callback if request_proxy.oauth_callback
             oauth_token = nil
-            
+
             if request_proxy.token
-              oauth_token = client_application.tokens.first(:conditions=>{:token => request_proxy.token})
+              oauth_token = client_application.tokens.first(:conditions => { :token => request_proxy.token })
               if oauth_token.respond_to?(:provided_oauth_verifier=)
-                oauth_token.provided_oauth_verifier=request_proxy.oauth_verifier 
+                oauth_token.provided_oauth_verifier = request_proxy.oauth_verifier
               end
               env["oauth.token_candidate"] = oauth_token
             end
@@ -75,7 +72,7 @@ module OAuth
       end
 
       def oauth1_verify(request, options = {}, &block)
-        begin 
+        begin
           signature = OAuth::Signature.build(request, options, &block)
           return false unless OauthNonce.remember(signature.request.nonce, signature.request.timestamp)
           value = signature.verify
@@ -86,10 +83,10 @@ module OAuth
       end
 
       def oauth2_token(request)
-        request.params["oauth_token"] ||
+        (request.params["oauth_token"] && !request.params["oauth_signature"] ? request.params["oauth_token"] : nil )  ||
           request.env["HTTP_AUTHORIZATION"] &&
-            request.env["HTTP_AUTHORIZATION"][/^(OAuth|Token) ([^\s]*)$/] && $2
+          request.env["HTTP_AUTHORIZATION"][/^(OAuth|Token) ([^\s]*)$/, 2]
       end
-    end      
+    end
   end
 end

data/spec/rack/oauth_filter_spec.rb

@@ -3,14 +3,15 @@ require 'rack/test'
 require 'oauth/rack/oauth_filter'
 require 'multi_json'
 require 'forwardable'
+
 class OAuthEcho
   def call(env)
     response = {}
-    response[:oauth_token] = env["oauth.token"].token if env["oauth.token"]
+    response[:oauth_token]        = env["oauth.token"].token            if env["oauth.token"]
     response[:client_application] = env["oauth.client_application"].key if env["oauth.client_application"]
-    response[:oauth_version] = env["oauth.version"] if env["oauth.version"]
-    response[:strategies] = env["oauth.strategies"] if env["oauth.strategies"]
-     [200 ,{"Accept"=>"application/json"}, [MultiJson.encode(response)] ]
+    response[:oauth_version]      = env["oauth.version"]                if env["oauth.version"]
+    response[:strategies]         = env["oauth.strategies"]             if env["oauth.strategies"]
+     [200, { "Accept" => "application/json" }, [MultiJson.encode(response)]]
   end
 end
 
@@ -55,32 +56,122 @@ describe OAuth::Rack::OAuthFilter do
     response.should == {"client_application" => "my_consumer", "oauth_token"=>"my_token","oauth_version"=>1, "strategies"=>["oauth10_token","oauth10_request_token"]}
   end
 
-  it "should authenticate with oauth2 auth header" do
-    get '/',{},{"HTTP_AUTHORIZATION"=>"OAuth my_token"}
-    last_response.should be_ok
-    response = MultiJson.decode(last_response.body)
-    response.should == {"oauth_token" => "my_token", "oauth_version"=>2, "strategies"=>["oauth20_token","token"]}
-  end
+  describe "OAuth2" do
+    describe "token given through a HTTP Auth Header" do
+      context "authorized and non-invalidated token" do
+        it "authenticates" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth valid_token" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == { "oauth_token" => "valid_token", "oauth_version" => 2, "strategies"=> ["oauth20_token", "token"] }
+        end
+      end
+
+      context "non-authorized token" do
+        it "doesn't authenticate" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth not_authorized" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+
+      context "authorized and invalidated token" do
+        it "doesn't authenticate with an invalidated token" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth invalidated" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+    end
 
-  it "should authenticate with pre draft 10 oauth2 auth header" do
-    get '/',{},{"HTTP_AUTHORIZATION"=>"Token my_token"}
-    last_response.should be_ok
-    response = MultiJson.decode(last_response.body)
-    response.should == {"oauth_token" => "my_token", "oauth_version"=>2, "strategies"=>["oauth20_token","token"]}
-  end
+    describe "token given through a HTTP Auth Header following the OAuth2 pre draft" do
+      context "authorized and non-invalidated token" do
+        it "authenticates" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "Token valid_token" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == { "oauth_token" => "valid_token", "oauth_version" => 2, "strategies"=> ["oauth20_token", "token"] }
+        end
+      end
+
+      context "non-authorized token" do
+        it "doesn't authenticate" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "Token not_authorized" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+
+      context "authorized and invalidated token" do
+        it "doesn't authenticate with an invalidated token" do
+          get '/', {}, { "HTTP_AUTHORIZATION" => "Token invalidated" }
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+    end
 
-  it "should authenticate with oauth2 query parameter" do
-    get '/?oauth_token=my_token'
-    last_response.should be_ok
-    response = MultiJson.decode(last_response.body)
-    response.should == {"oauth_token" => "my_token", "oauth_version"=>2, "strategies"=>["oauth20_token","token"]}
-  end
+    describe "token given through a query parameter" do
+      context "authorized and non-invalidated token" do
+        it "authenticates" do
+          get '/?oauth_token=valid_token'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == { "oauth_token" => "valid_token", "oauth_version" => 2, "strategies"=> ["oauth20_token", "token"] }
+        end
+      end
+
+      context "non-authorized token" do
+        it "doesn't authenticate" do
+          get '/?oauth_token=not_authorized'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+
+      context "authorized and invalidated token" do
+        it "doesn't authenticate with an invalidated token" do
+          get '/?oauth_token=invalidated'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+    end
 
-  it "should authenticate with oauth2 post parameter" do
-    post '/', :oauth_token=>'my_token'
-    last_response.should be_ok
-    response = MultiJson.decode(last_response.body)
-    response.should == {"oauth_token" => "my_token", "oauth_version"=>2, "strategies"=>["oauth20_token","token"]}
+    describe "token given through a post parameter" do
+      context "authorized and non-invalidated token" do
+        it "authenticates" do
+          post '/', :oauth_token => 'valid_token'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == { "oauth_token" => "valid_token", "oauth_version" => 2, "strategies"=> ["oauth20_token", "token"] }
+        end
+      end
+
+      context "non-authorized token" do
+        it "doesn't authenticate" do
+          post '/', :oauth_token => 'not_authorized'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+
+      context "authorized and invalidated token" do
+        it "doesn't authenticate with an invalidated token" do
+          post '/', :oauth_token => 'invalidated'
+          last_response.should be_ok
+          response = MultiJson.decode(last_response.body)
+          response.should == {}
+        end
+      end
+    end
   end
 
 
@@ -108,8 +199,13 @@ describe OAuth::Rack::OAuthFilter do
   class OauthToken
     attr_accessor :token
 
-    def self.find_by_token(token)
-      OauthToken.new(token)
+    def self.first(conditions_hash)
+      case conditions_hash[:conditions].last
+      when "not_authorized", "invalidated"
+        nil
+      else
+        OauthToken.new(conditions_hash[:conditions].last)
+      end
     end
 
     def initialize(token)
@@ -132,5 +228,4 @@ describe OAuth::Rack::OAuthFilter do
     end
   end
 
-
 end

metadata

@@ -2,7 +2,7 @@
 name: oauth-plugin
 version: !ruby/object:Gem::Version 
   prerelease: 6
-  version: 0.4.0.pre6
+  version: 0.4.0.pre7
 platform: ruby
 authors: 
 - Pelle Braendgaard
@@ -145,7 +145,6 @@ files:
 - .gitignore
 - CHANGELOG
 - Gemfile
-- Gemfile.lock
 - Guardfile
 - MIT-LICENSE
 - README.rdoc

data/Gemfile.lock

@@ -1,66 +0,0 @@
-PATH
-  remote: .
-  specs:
-    oauth-plugin (0.4.0.pre5)
-      multi_json
-      oauth (~> 0.4.4)
-      oauth2
-      rack
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    addressable (2.2.6)
-    diff-lcs (1.1.2)
-    fakeweb (1.3.0)
-    faraday (0.6.1)
-      addressable (~> 2.2.4)
-      multipart-post (~> 1.1.0)
-      rack (>= 1.1.0, < 2)
-    fuubar (0.0.5)
-      rspec (~> 2.0)
-      rspec-instafail (~> 0.1.4)
-      ruby-progressbar (~> 0.0.10)
-    growl (1.0.3)
-    guard (0.3.4)
-      thor (~> 0.14.6)
-    guard-rspec (0.3.1)
-      guard (>= 0.2.2)
-    multi_json (1.0.3)
-    multi_xml (0.2.2)
-    multipart-post (1.1.2)
-    oauth (0.4.4)
-    oauth2 (0.4.1)
-      faraday (~> 0.6.1)
-      multi_json (>= 0.0.5)
-    opentransact (0.1.2)
-      multi_json
-      multi_xml
-      oauth (~> 0.4.4)
-    rack (1.3.0)
-    rack-test (0.6.0)
-      rack (>= 1.0)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-instafail (0.1.7)
-    rspec-mocks (2.4.0)
-    ruby-progressbar (0.0.10)
-    thor (0.14.6)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  fakeweb
-  fuubar
-  growl
-  guard-rspec
-  oauth-plugin!
-  opentransact
-  rack-test
-  rspec (~> 2.4.0)