oauth2-provider 0.0.16

data/lib/oauth2/provider/models/mongoid/access_token.rb

@@ -0,0 +1,40 @@
+class OAuth2::Provider::Models::Mongoid::AccessToken
+  module Behaviour
+    extend ActiveSupport::Concern
+
+    included do
+      include ::Mongoid::Document
+      include OAuth2::Provider::Models::AccessToken
+
+      field :access_token
+      field :expires_at, :type => Time
+      field :refresh_token
+
+      referenced_in(:authorization,
+        :class_name => OAuth2::Provider.authorization_class_name,
+        :foreign_key => :oauth_authorization_id
+      )
+
+      referenced_in(:client,
+        :class_name => OAuth2::Provider.client_class_name,
+        :foreign_key => :oauth_client_id
+      )
+
+      before_save do
+        self.client ||= authorization.client
+      end
+    end
+
+    module ClassMethods
+      def find_by_refresh_token(refresh_token)
+        where(:refresh_token => refresh_token).first
+      end
+
+      def find_by_access_token(access_token)
+        where(:access_token => access_token).first
+      end
+    end
+  end
+
+  include Behaviour
+end

data/lib/oauth2/provider/models/mongoid/authorization.rb

@@ -0,0 +1,32 @@
+class OAuth2::Provider::Models::Mongoid::Authorization
+  module Behaviour
+    extend ActiveSupport::Concern
+
+    included do
+      include ::Mongoid::Document
+      include OAuth2::Provider::Models::Authorization
+
+      field :scope
+      field :expires_at, :type => Time
+      field :resource_owner_id
+      field :resource_owner_type
+
+      referenced_in(:client,
+        :class_name => OAuth2::Provider.client_class_name,
+        :foreign_key => :oauth_client_id
+      )
+
+      references_many(:access_tokens,
+        :class_name => OAuth2::Provider.access_token_class_name,
+        :foreign_key => :oauth_authorization_id
+      )
+
+      references_many(:authorization_codes,
+        :class_name => OAuth2::Provider.authorization_code_class_name,
+        :foreign_key => :oauth_authorization_id
+      )
+    end
+  end
+
+  include Behaviour
+end

data/lib/oauth2/provider/models/mongoid/authorization_code.rb

@@ -0,0 +1,43 @@
+class OAuth2::Provider::Models::Mongoid::AuthorizationCode
+  module Behaviour
+    extend ActiveSupport::Concern
+
+    included do
+      include ::Mongoid::Document
+      include OAuth2::Provider::Models::AuthorizationCode
+
+      field :code
+      field :expires_at, :type => Time
+
+      referenced_in(:authorization,
+        :class_name => OAuth2::Provider.authorization_class_name,
+        :foreign_key => :oauth_authorization_id
+      )
+
+      referenced_in(:client,
+        :class_name => OAuth2::Provider.client_class_name,
+        :foreign_key => :oauth_client_id
+      )
+
+      before_save do
+        self.client ||= authorization.client
+      end
+    end
+
+    module ClassMethods
+      def find_by_code_and_redirect_uri(code, redirect_uri)
+        where(:code => code, :redirect_uri => redirect_uri).first
+      end
+
+      def find_by_id(id)
+        where(:id => id).first
+      end
+
+      def find_by_code(code)
+        where(:code => code).first
+      end
+    end
+  end
+
+  include Behaviour
+end

data/lib/oauth2/provider/models/mongoid/client.rb

@@ -0,0 +1,40 @@
+class OAuth2::Provider::Models::Mongoid::Client
+  module Behaviour
+    extend ActiveSupport::Concern
+
+    included do
+      include ::Mongoid::Document
+      include OAuth2::Provider::Models::Client
+
+      field :oauth_secret
+      field :oauth_identifier
+
+      references_many(:authorizations,
+        :class_name => OAuth2::Provider.authorization_class_name,
+        :foreign_key => :oauth_client_id
+      )
+
+      references_many(:access_tokens,
+        :class_name => OAuth2::Provider.access_token_class_name,
+        :foreign_key => :oauth_client_id
+      )
+
+      references_many(:authorization_codes,
+        :class_name => OAuth2::Provider.authorization_code_class_name,
+        :foreign_key => :oauth_client_id
+      )
+    end
+
+    module ClassMethods
+      def find_by_oauth_identifier(identifier)
+        where(:oauth_identifier => identifier).first
+      end
+
+      def find_by_oauth_identifier_and_oauth_secret(identifier, secret)
+        where(:oauth_identifier => identifier, :oauth_secret => secret).first
+      end
+    end
+  end
+
+  include Behaviour
+end

data/lib/oauth2/provider/rack.rb

@@ -0,0 +1,11 @@
+module OAuth2::Provider::Rack
+  autoload :AccessTokenHandler, 'oauth2/provider/rack/access_token_handler'
+  autoload :AuthenticationHandler, 'oauth2/provider/rack/authentication_handler'
+  autoload :AuthenticationMediator, 'oauth2/provider/rack/authentication_mediator'
+  autoload :AuthorizationCodeRequest, 'oauth2/provider/rack/authorization_code_request'
+  autoload :Middleware, 'oauth2/provider/rack/middleware'
+  autoload :Request, 'oauth2/provider/rack/request'
+  autoload :ResourceRequest, 'oauth2/provider/rack/resource_request'
+  autoload :Responses, 'oauth2/provider/rack/responses'
+  autoload :AuthorizationCodesSupport, 'oauth2/provider/rack/authorization_codes_support'
+end

data/lib/oauth2/provider/rack/access_token_handler.rb

@@ -0,0 +1,103 @@
+module OAuth2::Provider::Rack
+  class AccessTokenHandler
+    attr_reader :app, :env, :request
+
+    def initialize(app, env)
+      @app = app
+      @env = env
+      @request = env['oauth2']
+    end
+
+    def process
+      if request.post?
+        block_unsupported_grant_types || block_invalid_clients || handle_grant_type
+      else
+        Responses.only_supported 'POST'
+      end
+    end
+
+    def handle_grant_type
+      send grant_type_handler_method(request.params["grant_type"])
+    end
+
+    def handle_password_grant_type
+      with_required_params 'username', 'password' do |username, password|
+        if resource_owner = OAuth2::Provider.resource_owner_class.authenticate_with_username_and_password(username, password)
+          token_response OAuth2::Provider.access_token_class.create!(
+            :authorization => OAuth2::Provider.authorization_class.create!(:resource_owner => resource_owner, :client => oauth_client)
+          )
+        else
+          Responses.json_error 'invalid_grant'
+        end
+      end
+    end
+
+    def handle_authorization_code_grant_type
+      with_required_params 'code', 'redirect_uri' do |code, redirect_uri|
+        if token = oauth_client.authorization_codes.claim(code, redirect_uri)
+          token_response token
+        else
+          Responses.json_error 'invalid_grant'
+        end
+      end
+    end
+
+    def handle_refresh_token_grant_type
+      with_required_params 'refresh_token' do |refresh_token|
+        if token = oauth_client.access_tokens.refresh_with(refresh_token)
+          token_response token
+        else
+          Responses.json_error 'invalid_grant'
+        end
+      end
+    end
+
+    def with_required_params(*names, &block)
+      missing_params = names - request.params.keys
+      if missing_params.empty?
+        yield *request.params.values_at(*names)
+      else
+        if missing_params.size == 1
+          Responses.json_error 'invalid_request', :description => "missing '#{missing_params.join}' parameter"
+        else
+          describe_parameters = missing_params.map{|x| "'#{x}'"}.join(", ")
+          Responses.json_error 'invalid_request', :description => "missing #{describe_parameters} parameters"
+        end
+      end
+    end
+
+    def token_response(token)
+      json = token.as_json.tap do |json|
+        json[:state] = request.params['state'] if request.params['state']
+      end
+      [200, {'Content-Type' => 'application/json', 'Cache-Control' => 'no-cache, no-store, max-age=0, must-revalidate'}, [ActiveSupport::JSON.encode(json)]]
+    end
+
+    def block_unsupported_grant_types
+      with_required_params 'grant_type' do |grant_type|
+        unless respond_to?(grant_type_handler_method(grant_type), true)
+          Responses.json_error 'unsupported_grant_type'
+        end
+      end
+    end
+
+    def block_invalid_clients
+      with_required_params 'grant_type', 'client_id', 'client_secret' do |grant_type, client_id, client_secret|
+        @oauth_client = OAuth2::Provider.client_class.find_by_oauth_identifier_and_oauth_secret(client_id, client_secret)
+        if @oauth_client.nil?
+          Responses.json_error 'invalid_client'
+        elsif !@oauth_client.allow_grant_type?(grant_type)
+          Responses.json_error 'unauthorized_client'
+        end
+      end
+    end
+
+    def oauth_client
+      @oauth_client
+    end
+
+    def grant_type_handler_method(grant_type)
+      "handle_#{grant_type}_grant_type"
+    end
+  end
+end

data/lib/oauth2/provider/rack/authorization_code_request.rb

@@ -0,0 +1,74 @@
+module OAuth2::Provider::Rack
+  class AuthorizationCodeRequest
+    def initialize(env, params)
+      @env = env
+      @params = params
+    end
+
+    def validate!
+      unless redirect_uri
+        throw_response [400, {}, ['No redirect_uri provided']]
+      end
+
+      unless redirect_uri_valid?
+        throw_response [400, {}, ['Provided redirect_uri is invalid']]
+      end
+
+      unless client_id
+        throw_response Responses.redirect_with_error('invalid_request', redirect_uri)
+      end
+
+      unless client
+        throw_response Responses.redirect_with_error('invalid_client', redirect_uri)
+      end
+    end
+
+    def grant!(resource_owner = nil, authorization_expires_at = nil)
+      grant = client.authorizations.create!(
+        :resource_owner => resource_owner,
+        :client => client,
+        :scope => scope,
+        :expires_at => authorization_expires_at
+      )
+      code = grant.authorization_codes.create! :redirect_uri => redirect_uri
+      throw_response Responses.redirect_with_code(code.code, redirect_uri)
+    end
+
+    def deny!
+      throw_response Responses.redirect_with_error('access_denied', redirect_uri)
+    end
+
+    def invalid_scope!
+      throw_response Responses.redirect_with_error('invalid_scope', redirect_uri)
+    end
+
+    def client_id
+      @params['client_id']
+    end
+
+    def client
+      @client ||= OAuth2::Provider.client_class.from_param(client_id)
+    end
+
+    def redirect_uri
+      @params['redirect_uri']
+    end
+
+    def redirect_uri_valid?
+      Addressable::URI.parse(redirect_uri)
+    rescue
+      nil
+    end
+
+    def scope
+      @params['scope']
+    end
+
+    private
+
+    def throw_response(response)
+      @env['oauth2.response'] = response
+      throw :oauth2
+    end
+  end
+end

data/lib/oauth2/provider/rack/authorization_codes_support.rb

@@ -0,0 +1,25 @@
+require 'addressable/uri'
+
+module OAuth2::Provider::Rack::AuthorizationCodesSupport
+  protected
+
+  def oauth2_authorization_request
+    request.env['oauth2.authorization_request'] ||= OAuth2::Provider::Rack::AuthorizationCodeRequest.new(request.env, request.params)
+  end
+
+  def block_invalid_authorization_code_requests
+    oauth2_authorization_request.validate!
+  end
+
+  def grant_authorization_code(resource_owner = nil, authorization_expires_at = nil)
+    oauth2_authorization_request.grant! resource_owner, authorization_expires_at
+  end
+
+  def deny_authorization_code
+    oauth2_authorization_request.deny!
+  end
+
+  def declare_oauth_scope_invalid
+    oauth2_authorization_request.invalid_scope!
+  end
+end

data/lib/oauth2/provider/rack/middleware.rb

@@ -0,0 +1,28 @@
+module OAuth2::Provider::Rack
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      request = env['oauth2'] = ResourceRequest.new(env)
+
+      response = catch :oauth2 do
+        if request.path == "/oauth/access_token"
+          AccessTokenHandler.new(@app, env).process
+        else
+          @app.call(env)
+        end
+      end
+
+      thrown_response(env) || response
+    end
+
+    def thrown_response(env)
+      if env['oauth2.response']
+        env['warden'] && env['warden'].custom_failure!
+        env['oauth2.response']
+      end
+    end
+  end
+end

data/lib/oauth2/provider/rack/resource_request.rb

@@ -0,0 +1,91 @@
+require 'rack/auth/abstract/request'
+
+module OAuth2::Provider::Rack
+  class ResourceRequest < Rack::Request
+   delegate :has_scope?, :to => :authorization
+
+    def token
+      token_from_param || token_from_header
+    end
+
+    def has_token?
+      !token.nil?
+    end
+
+    def token_from_param
+      params["oauth_token"]
+    end
+
+    def token_from_header
+      if @env[authorization_key] =~ /OAuth (.*)/
+        $1
+      end
+    end
+
+    def authorization_key
+      @authorization_key ||= Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.detect do |key|
+        @env.has_key?(key)
+      end
+    end
+
+    def authenticate_request!(options, &block)
+      if authenticated?
+        if options[:scope].nil? || has_scope?(options[:scope])
+          yield
+        else
+          insufficient_scope!
+        end
+      else
+        authentication_required!
+      end
+    end
+
+    def authorization
+      validate_token!
+      @authorization
+    end
+
+    def authenticated?
+      authorization.present?
+    end
+
+    def resource_owner
+      authorization && authorization.resource_owner
+    end
+
+    def authentication_required!
+      throw_response Responses.unauthorized
+    end
+
+    def insufficient_scope!
+      throw_response Responses.json_error('insufficient_scope', :status => 403)
+    end
+
+    def validate_token!
+      if has_token? && @token_validated.nil?
+        @token_validated = true
+        block_bad_request
+        block_invalid_token
+      end
+    end
+
+    def block_bad_request
+      if token_from_param && token_from_header && (token_from_param != token_from_header)
+        throw_response Responses.json_error('invalid_request', :description => 'both authorization header and oauth_token provided, with conflicting tokens')
+      end
+    end
+
+    def block_invalid_token
+      access_token = OAuth2::Provider.access_token_class.find_by_access_token(token)
+      @authorization = access_token.authorization if access_token
+      throw_response Responses.unauthorized('invalid_token') if access_token.nil? || access_token.expired?
+    end
+
+    private
+
+    def throw_response(response)
+      @env['oauth2.response'] = response
+      throw :oauth2
+    end
+  end
+end