oauth2-provider 0.0.16

data/spec/models/client_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe OAuth2::Provider.client_class do
+  describe "any instance" do
+    subject do
+      OAuth2::Provider.client_class.new :name => 'client'
+    end
+
+    it "is valid with a name, oauth identifier and oauth secret" do
+      subject.should be_valid
+    end
+
+    it "is invalid without a name" do
+      subject.name = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid without an oauth identifier" do
+      subject.oauth_identifier = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid without an oauth secret" do
+      subject.oauth_secret = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid if oauth_identifier not unique" do
+      duplicate = OAuth2::Provider.client_class.create! :name => 'client2'
+      subject.oauth_identifier = duplicate.oauth_identifier
+      subject.should_not be_valid
+    end
+
+    it "allows any grant type (custom subclasses can override this)" do
+      subject.allow_grant_type?('password').should be_true
+      subject.allow_grant_type?('authorization_code').should be_true
+    end
+  end
+
+  describe "a new instance" do
+    subject do
+      OAuth2::Provider.client_class.new :name => 'client'
+    end
+
+    it "is assigned a randomly generated oauth identifier" do
+      subject.oauth_identifier.should_not be_nil
+      OAuth2::Provider.client_class.new.oauth_identifier.should_not be_nil
+      subject.oauth_identifier.should_not == OAuth2::Provider.client_class.new.oauth_identifier
+    end
+
+    it "is assigned a randomly generated oauth secret" do
+      subject.oauth_secret.should_not be_nil
+      OAuth2::Provider.client_class.new.oauth_secret.should_not be_nil
+      subject.oauth_secret.should_not == OAuth2::Provider.client_class.new.oauth_secret
+    end
+
+    it "returns nil when to_param called" do
+      subject.to_param.should be_nil
+    end
+  end
+
+  describe "a saved instance" do
+    subject do
+      OAuth2::Provider.client_class.create! :name => 'client'
+    end
+
+    it "returns oauth_identifer when to_param called" do
+      subject.to_param.should == subject.oauth_identifier
+    end
+
+    it "is findable by calling from_param with its oauth_identifier" do
+      subject.should == OAuth2::Provider.client_class.from_param(subject.oauth_identifier)
+    end
+  end
+end

data/spec/requests/access_tokens_controller_spec.rb

@@ -0,0 +1,360 @@
+require 'spec_helper'
+
+class CustomClient < OAuth2::Provider.client_class
+end
+
+class NotAllowedGrantTypeClient < OAuth2::Provider.client_class
+  def allow_grant_type?(grant_type)
+    false
+  end
+end
+
+describe "POSTs to /oauth/access_token" do
+  before :each do
+    @code = create_authorization_code
+    @client = @code.authorization.client
+    @valid_params = {
+      :grant_type => 'authorization_code',
+      :client_id => @code.authorization.client.oauth_identifier,
+      :client_secret => @code.authorization.client.oauth_secret,
+      :code => @code.code,
+      :redirect_uri => @code.redirect_uri
+    }
+  end
+
+  describe "Any request without a client_id parameter" do
+    before :each do
+      post "/oauth/access_token", @valid_params.except(:client_id)
+    end
+
+    responds_with_json_error 'invalid_request', :description => "missing 'client_id' parameter", :status => 400
+  end
+
+  describe "Any request without a client_secret parameter" do
+    before :each do
+      post "/oauth/access_token", @valid_params.except(:client_secret)
+    end
+
+    responds_with_json_error 'invalid_request', :description => "missing 'client_secret' parameter", :status => 400
+  end
+
+  describe "Any request without a grant_type parameter" do
+    before :each do
+      post "/oauth/access_token", @valid_params.except(:grant_type)
+    end
+
+    responds_with_json_error 'invalid_request', :description => "missing 'grant_type' parameter", :status => 400
+  end
+
+  describe "Any request without several required parameters" do
+    before :each do
+      post "/oauth/access_token", @valid_params.except(:client_id, :client_secret)
+    end
+
+    responds_with_json_error 'invalid_request', :description => "missing 'client_id', 'client_secret' parameters", :status => 400
+  end
+
+  describe "Any request with an unsupported grant_type" do
+    before :each do
+      post "/oauth/access_token", @valid_params.merge(:grant_type => 'unsupported')
+    end
+
+    responds_with_json_error 'unsupported_grant_type', :status => 400
+  end
+
+  describe "Any request where the client_id is unknown" do
+    before :each do
+      post "/oauth/access_token", @valid_params.merge(:client_id => 'unknown')
+    end
+
+    responds_with_json_error 'invalid_client', :status => 400
+  end
+
+  describe "Any request where the client_secret is wrong" do
+    before :each do
+      post "/oauth/access_token", @valid_params.merge(:client_secret => 'wrongvalue')
+    end
+
+    responds_with_json_error 'invalid_client', :status => 400
+  end
+
+  describe "Any request which doesn't use POST" do
+    before :each do
+      get "/oauth/access_token", @valid_params
+    end
+
+    it "responds with Method Not Allowed (405), and POST in the Allow header" do
+      response.status.should == 405
+      response.headers["Allow"].should == "POST"
+    end
+  end
+
+  describe "Any request where the client isn't allowed to use the requested grant type" do
+    before :each do
+      @original_client_class_name = OAuth2::Provider.client_class_name
+      OAuth2::Provider.client_class_name = NotAllowedGrantTypeClient.name
+      @client = NotAllowedGrantTypeClient.create! :name => 'client'
+      @code = create_authorization_code(:authorization => create_authorization(:client => @client))
+      @valid_params = {
+        :grant_type => 'authorization_code',
+        :client_id => @code.authorization.client.oauth_identifier,
+        :client_secret => @code.authorization.client.oauth_secret,
+        :code => @code.code,
+        :redirect_uri => @code.redirect_uri
+      }
+      post "/oauth/access_token", @valid_params
+    end
+
+    after :each do
+      OAuth2::Provider.client_class_name = @original_client_class_name
+    end
+
+    responds_with_json_error 'unauthorized_client', :status => 400
+  end
+
+  describe "A request using the authorization_code grant type" do
+    describe "with valid client, code and redirect_uri" do
+      before :each do
+        post "/oauth/access_token", @valid_params
+      end
+
+      it "responds with claimed access token, refresh token and expiry time in JSON" do
+        token = OAuth2::Provider.access_token_class.find_by_access_token(json_from_response["access_token"])
+        token.should_not be_nil
+        json_from_response["expires_in"].should == token.expires_in
+        json_from_response["refresh_token"].should == token.refresh_token
+      end
+
+      it "sets cache-control header to no-store, as response is sensitive" do
+        response.headers["Cache-Control"].should =~ /no-store/
+      end
+
+      it "destroys the claimed code, so it can't be used a second time" do
+        OAuth2::Provider.authorization_code_class.find_by_id(@code.id).should be_nil
+      end
+
+      it "doesn't include a state in the JSON response" do
+        json_from_response.keys.include?("state").should be_false
+      end
+    end
+
+    describe "with valid client, code and redirect_uri and an additional state parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:state => 'some-state-goes-here')
+      end
+
+      it "includes the state in the JSON response" do
+        json_from_response["state"].should == 'some-state-goes-here'
+      end
+    end
+
+    describe "with an unknown code" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:code => 'unknown')
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "with an incorrect redirect uri" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:redirect_uri => 'https://wrong.example.com')
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "without a code parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.except(:code)
+      end
+
+      responds_with_json_error 'invalid_request', :status => 400
+    end
+
+    describe "without a redirect_uri parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.except(:redirect_uri)
+      end
+
+      responds_with_json_error 'invalid_request', :status => 400
+    end
+  end
+
+  describe "A request using the password grant type" do
+    before :each do
+      @resource_owner = ExampleResourceOwner.create!(:username => 'name', :password => 'password')
+      @valid_params = {
+        :grant_type => 'password',
+        :client_id => @client.to_param,
+        :client_secret => @client.oauth_secret,
+        :username => @resource_owner.username,
+        :password => @resource_owner.password
+      }
+    end
+
+    describe "with valid username and password" do
+      before :each do
+        post "/oauth/access_token", @valid_params
+      end
+
+      it "responds with access token, refresh token and expiry time in JSON" do
+        token = OAuth2::Provider.access_token_class.find_by_access_token(json_from_response["access_token"])
+        token.should_not be_nil
+        json_from_response["expires_in"].should == token.expires_in
+        json_from_response["refresh_token"].should == token.refresh_token
+      end
+
+      it "sets cache-control header to no-store, as response is sensitive" do
+        response.headers["Cache-Control"].should =~ /no-store/
+      end
+
+      it "doesn't include a state in the JSON response" do
+        json_from_response.keys.include?("state").should be_false
+      end
+    end
+
+    describe "with valid username and password and an additional state parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:state => 'some-state-goes-here')
+      end
+
+      it "includes the state in the JSON response" do
+        json_from_response["state"].should == 'some-state-goes-here'
+      end
+    end
+
+    describe "with an incorrect username" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:username => 'wrong')
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "with an incorrect password" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:password => 'wrong')
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "without a username parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.except(:username)
+      end
+
+      responds_with_json_error 'invalid_request', :status => 400
+    end
+
+    describe "without a password parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.except(:password)
+      end
+
+      responds_with_json_error 'invalid_request', :status => 400
+    end
+  end
+
+  describe "A request using the refresh token grant type" do
+    before :each do
+      @token = create_access_token
+
+      @client = @token.authorization.client
+      @valid_params = {
+        :grant_type => 'refresh_token',
+        :refresh_token => @token.refresh_token,
+        :client_id => @client.oauth_identifier,
+        :client_secret => @client.oauth_secret
+      }
+    end
+
+    describe "with a valid refresh token" do
+      before :each do
+        post "/oauth/access_token", @valid_params
+      end
+
+      it "responds with refreshed access token, refresh token and expiry time in JSON" do
+        token = OAuth2::Provider.access_token_class.find_by_access_token(json_from_response["access_token"])
+        token.should_not be_nil
+        token.should_not == @token
+        json_from_response["expires_in"].should == token.expires_in
+        json_from_response["refresh_token"].should == token.refresh_token
+      end
+    end
+
+    describe "when the token belongs to a different client" do
+      before :each do
+        @other_client = OAuth2::Provider.client_class.create! :name => 'client'
+        post "/oauth/access_token", @valid_params.merge(:client_id => @other_client.oauth_identifier, :client_secret => @other_client.oauth_secret)
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "when the token is incorrect" do
+      before :each do
+        post "/oauth/access_token", @valid_params.merge(:refresh_token => 'incorrect')
+      end
+
+      responds_with_json_error 'invalid_grant', :status => 400
+    end
+
+    describe "without a refresh_token parameter" do
+      before :each do
+        post "/oauth/access_token", @valid_params.except(:refresh_token)
+      end
+
+      responds_with_json_error 'invalid_request', :status => 400
+    end
+  end
+
+  describe "When using a custom client class" do
+    before :each do
+      @original_client_class_name = OAuth2::Provider.client_class_name
+      OAuth2::Provider.client_class_name = "CustomClient"
+      @client = CustomClient.create! :name => 'client'
+      @client_params = {
+        :client_id => @client.to_param,
+        :client_secret => @client.oauth_secret,
+      }
+    end
+
+    after :each do
+      OAuth2::Provider.client_class_name = @original_client_class_name
+    end
+
+    describe "requests using authorization code grant type" do
+      before :each do
+        @code = create_authorization_code(:authorization => create_authorization(:client => @client))
+        @valid_params = @client_params.merge(
+          :grant_type => 'authorization_code',
+          :code => @code.code,
+          :redirect_uri => @code.redirect_uri
+        )
+        post "/oauth/access_token", @valid_params
+      end
+
+      it "are still successful" do
+        response.should be_successful
+      end
+    end
+
+    describe "requests using password grant type" do
+      before :each do
+        @resource_owner = ExampleResourceOwner.create!(:username => 'name', :password => 'password')
+        @valid_params = @client_params.merge(
+          :grant_type => 'password',
+          :username => @resource_owner.username,
+          :password => @resource_owner.password
+        )
+        post "/oauth/access_token", @valid_params
+      end
+
+      it "are still successful" do
+        response.should be_successful
+      end
+    end
+  end
+end

data/spec/requests/authentication_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+
+describe "A request for a protected resource" do
+  action do |env|
+    env['oauth2'].authenticate_request!(:scope => nil) do
+      successful_response
+    end
+  end
+
+  before :each do
+    @token = create_access_token(
+      :authorization => create_authorization(
+        :scope => "protected write"
+      )
+    )
+  end
+
+  describe "with no token passed" do
+    before :each do
+      get "/protected"
+    end
+
+    responds_with_status 401
+    responds_with_header 'WWW-Authenticate', 'OAuth2'
+  end
+
+  describe "with a token passed as an oauth_token parameter" do
+    before :each do
+      get "/protected", :oauth_token => @token.access_token
+    end
+
+    it "is successful" do
+      response.should be_successful
+    end
+
+    it "makes the access token available to the requested action" do
+      response.body.should == "Success"
+    end
+  end
+
+  describe "with a token passed in an Authorization header" do
+    before :each do
+      get "/protected", {}, {"HTTP_AUTHORIZATION" => "OAuth #{@token.access_token}"}
+    end
+
+    it "is successful" do
+      response.should be_successful
+    end
+
+    it "makes the access token available to the requested action" do
+      response.body.should == "Success"
+    end
+  end
+
+  describe "with same token passed in both the Authorization header and oauth_token parameter" do
+    before :each do
+      get "/protected", {:oauth_token => @token.access_token}, {"HTTP_AUTHORIZATION" => "OAuth #{@token.access_token}"}
+    end
+
+    it "is successful" do
+      response.should be_successful
+    end
+
+    it "makes the access token available to the requested action" do
+      response.body.should == "Success"
+    end
+  end
+
+  describe "with different tokens passed in both the Authorization header and oauth_token parameter" do
+    before :each do
+      get "/protected", {:oauth_token => @token.access_token}, {"HTTP_AUTHORIZATION" => "OAuth DifferentToken"}
+    end
+
+    responds_with_json_error 'invalid_request', :description => 'both authorization header and oauth_token provided, with conflicting tokens', :status => 400
+  end
+
+  describe "with an invalid token" do
+    before :each do
+      get "/protected", :oauth_token => 'invalid-token'
+    end
+
+    responds_with_status 401
+    responds_with_header 'WWW-Authenticate', 'OAuth2 error="invalid_token"'
+  end
+
+  describe "with an expired token that can be refreshed" do
+    before :each do
+      @token.update_attributes(:expires_at => 1.day.ago)
+      get "/protected", :oauth_token => @token.access_token
+    end
+
+    responds_with_status 401
+    responds_with_header 'WWW-Authenticate', 'OAuth2 error="invalid_token"'
+  end
+
+  describe "with an expired token that can't be refreshed" do
+    before :each do
+      @token.update_attributes(:expires_at => 1.day.ago, :refresh_token => nil)
+      get "/protected", :oauth_token => @token.access_token
+    end
+
+    responds_with_status 401
+    responds_with_header 'WWW-Authenticate', 'OAuth2 error="invalid_token"'
+  end
+
+  describe "when warden is part of the stack" do
+    it "bypasses warden when no token is passed" do
+      warden = "warden"
+      warden.should_receive(:custom_failure!)
+      get "/protected", {}, {'warden' => warden}
+    end
+
+    it "bypasses warden when token invalid" do
+      warden = "warden"
+      warden.should_receive(:custom_failure!)
+      get "/protected", {:oauth_token => 'invalid_token'}, {'warden' => warden}
+    end
+  end
+end
+
+describe "A request for a protected resource requiring a specific scope" do
+  action do |env|
+    env['oauth2'].authenticate_request!(:scope => 'omnipotent') do
+      successful_response
+    end
+  end
+
+  before :each do
+    @token = create_access_token(:authorization => create_authorization(:scope => "omnipotent admin"))
+    @insufficient_token = create_access_token(:authorization => create_authorization(:scope => "impotent admin"))
+  end
+
+  describe "made with a token with sufficient scope" do
+    before :each do
+      get '/protected_by_scope', :oauth_token => @token.access_token
+    end
+
+    it "is successful" do
+      response.should be_successful
+    end
+  end
+
+  describe "made with a token with insufficient scope" do
+    before :each do
+      get '/protected_by_scope', :oauth_token => @insufficient_token.access_token
+    end
+
+    responds_with_json_error 'insufficient_scope', :status => 403
+  end
+end