oauth2 1.4.6 → 1.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7912a62b5b26c6c8cdedaf620194ef0d2a0adbd92307da9fe29b77d88c984b34
-  data.tar.gz: 83bd964f93de41cd8ede2e8fdcf9aa037ff5d779ba7d922589d5cb666fe8c1c1
+  metadata.gz: 74ca15f9b1935885fe123c9b0801b9f0605c1bfa904bebe371d201a61b559f31
+  data.tar.gz: 3b719ec6748493cba5112dfca8ebff22b13c0c9690330d4422f9d81b1abf5185
 SHA512:
-  metadata.gz: 4b18270faea191ac365fc6c63e350bd94a4180d1d64966c2eb6f59c2fd3131e7175df62e8179dba257661447fa7ec4d222ba166ee5ddab9fec4b29340629ed81
-  data.tar.gz: 8bf6ed52a51b03aba99af5ea24c63a13a6f548708ac05e88f4c19a6813211d01bacc1f60b0505ad7bba1e21425b6ff7817dee2cf1424605eed27b1aaf76e86eb
+  metadata.gz: 7ec3c9c311effac7f8864c2dc3d7332761ee6a986f2924adec3b77620abe3dc63984d1c01e9ca0a1283907a5b2ba23ee31dfd4bd630fa7d803fba116ba1e652d
+  data.tar.gz: 1e1d37d5953bdd7e03e13f697648e56afdb63ea54bbdbaee7ee229302149c5047c533a15d6498a355ef78d17d991d79ce8f94fe8728229431e3fad5c3132a9ad

data/CHANGELOG.md

@@ -3,9 +3,13 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
-## [1.4.6] - 2021-03-18
+## [1.4.7] - 2021-03-18
+
+- [#541](https://github.com/oauth-xx/oauth2/pull/541) - Backport fix to expires_at handling [#533](https://github.com/oauth-xx/oauth2/pull/533) to 1-4-stable branch. (@dobon)
 
+## [1.4.6] - 2021-03-18
 
+- [#540](https://github.com/oauth-xx/oauth2/pull/540) - Add VERSION constant (@pboling)
 - [#537](https://github.com/oauth-xx/oauth2/pull/537) - Fix crash in OAuth2::Client#get_token (@anderscarling)
 - [#538](https://github.com/oauth-xx/oauth2/pull/538) - Remove reliance on globally included OAuth2 in tests for version 1.4 (@anderscarling)
 

data/README.md

@@ -4,6 +4,7 @@ If you need the readme for a released version of the gem please find it below:
 
 | Version  | Release Date | Readme                                                   |
 |----------|--------------|----------------------------------------------------------|
+| 1.4.7    | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.7/README.md |
 | 1.4.6    | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.6/README.md |
 | 1.4.5    | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.5/README.md |
 | 1.4.4    | Feb 12, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.4/README.md |

data/lib/oauth2/access_token.rb

@@ -173,11 +173,9 @@ module OAuth2
     end
 
     def convert_expires_at(expires_at)
-      expires_at_i = expires_at.to_i
-      return expires_at_i if expires_at_i > Time.now.utc.to_i
-      return Time.parse(expires_at).to_i if expires_at.is_a?(String)
-
-      expires_at_i
+      Time.iso8601(expires_at.to_s).to_i
+    rescue ArgumentError
+      expires_at.to_i
     end
   end
 end

data/lib/oauth2/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Version
     VERSION = to_s
@@ -22,12 +24,12 @@ module OAuth2
     #
     # @return [Integer]
     def patch
-      6
+      7
     end
 
     # The pre-release version, if any
     #
-    # @return [Integer, NilClass]
+    # @return [String, NilClass]
     def pre
       nil
     end
@@ -55,7 +57,9 @@ module OAuth2
     #
     # @return [String]
     def to_s
-      to_a.join('.')
+      v = [major, minor, patch].compact.join('.')
+      v += "-#{pre}" if pre
+      v
     end
   end
 end

data/spec/helper.rb

@@ -0,0 +1,37 @@
+DEBUG = ENV['DEBUG'] == 'true'
+
+ruby_version = Gem::Version.new(RUBY_VERSION)
+
+if ruby_version >= Gem::Version.new('2.7')
+  require 'simplecov'
+  require 'coveralls'
+
+  SimpleCov.formatters = [SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter]
+
+  SimpleCov.start do
+    add_filter '/spec'
+    minimum_coverage(95)
+  end
+end
+
+require 'byebug' if DEBUG && ruby_version >= Gem::Version.new('2.4')
+
+require 'oauth2'
+require 'addressable/uri'
+require 'rspec'
+require 'rspec/stubbed_env'
+require 'silent_stream'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end
+
+Faraday.default_adapter = :test
+
+RSpec.configure do |conf|
+  conf.include SilentStream
+end
+
+VERBS = [:get, :post, :put, :delete].freeze

data/spec/oauth2/access_token_spec.rb

@@ -0,0 +1,216 @@
+describe OAuth2::AccessToken do
+  subject { described_class.new(client, token) }
+
+  let(:token) { 'monkey' }
+  let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => 'refresh_bar') }
+  let(:client) do
+    OAuth2::Client.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+      builder.request :url_encoded
+      builder.adapter :test do |stub|
+        VERBS.each do |verb|
+          stub.send(verb, '/token/header') { |env| [200, {}, env[:request_headers]['Authorization']] }
+          stub.send(verb, "/token/query?access_token=#{token}") { |env| [200, {}, Addressable::URI.parse(env[:url]).query_values['access_token']] }
+          stub.send(verb, '/token/query_string') { |env| [200, {}, CGI.unescape(Addressable::URI.parse(env[:url]).query)] }
+          stub.send(verb, '/token/body') { |env| [200, {}, env[:body]] }
+        end
+        stub.post('/oauth/token') { |env| [200, {'Content-Type' => 'application/json'}, refresh_body] }
+      end
+    end
+  end
+
+  describe '#initialize' do
+    it 'assigns client and token' do
+      expect(subject.client).to eq(client)
+      expect(subject.token).to eq(token)
+    end
+
+    it 'assigns extra params' do
+      target = described_class.new(client, token, 'foo' => 'bar')
+      expect(target.params).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    def assert_initialized_token(target) # rubocop:disable Metrics/AbcSize
+      expect(target.token).to eq(token)
+      expect(target).to be_expires
+      expect(target.params.keys).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    it 'initializes with a Hash' do
+      hash = {:access_token => token, :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      target = described_class.from_hash(client, hash)
+      assert_initialized_token(target)
+    end
+
+    it 'from_hash does not modify opts hash' do
+      hash = {:access_token => token, :expires_at => Time.now.to_i}
+      hash_before = hash.dup
+      described_class.from_hash(client, hash)
+      expect(hash).to eq(hash_before)
+    end
+
+    it 'initializes with a form-urlencoded key/value string' do
+      kvform = "access_token=#{token}&expires_at=#{Time.now.to_i + 200}&foo=bar"
+      target = described_class.from_kvform(client, kvform)
+      assert_initialized_token(target)
+    end
+
+    it 'sets options' do
+      target = described_class.new(client, token, :param_name => 'foo', :header_format => 'Bearer %', :mode => :body)
+      expect(target.options[:param_name]).to eq('foo')
+      expect(target.options[:header_format]).to eq('Bearer %')
+      expect(target.options[:mode]).to eq(:body)
+    end
+
+    it 'does not modify opts hash' do
+      opts = {:param_name => 'foo', :header_format => 'Bearer %', :mode => :body}
+      opts_before = opts.dup
+      described_class.new(client, token, opts)
+      expect(opts).to eq(opts_before)
+    end
+
+    describe 'expires_at' do
+      let(:expires_at) { 1_361_396_829 }
+      let(:hash) do
+        {
+          :access_token => token,
+          :expires_at => expires_at.to_s,
+          'foo' => 'bar',
+        }
+      end
+
+      it 'initializes with an integer timestamp expires_at' do
+        target = described_class.from_hash(client, hash.merge(:expires_at => expires_at))
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+
+      it 'initializes with a string timestamp expires_at' do
+        target = described_class.from_hash(client, hash)
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+
+      it 'initializes with a string time expires_at' do
+        target = described_class.from_hash(client, hash.merge(:expires_at => Time.at(expires_at).iso8601))
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+    end
+  end
+
+  describe '#request' do
+    context 'with :mode => :header' do
+      before do
+        subject.options[:mode] = :header
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/header').body).to include(token)
+        end
+      end
+    end
+
+    context 'with :mode => :query' do
+      before do
+        subject.options[:mode] = :query
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/query').body).to eq(token)
+        end
+
+        it "sends a #{verb.to_s.upcase} request and options[:param_name] include [number]." do
+          subject.options[:param_name] = 'auth[1]'
+          expect(subject.__send__(verb, '/token/query_string').body).to include("auth[1]=#{token}")
+        end
+      end
+    end
+
+    context 'with :mode => :body' do
+      before do
+        subject.options[:mode] = :body
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/body').body.split('=').last).to eq(token)
+        end
+      end
+    end
+
+    context 'params include [number]' do
+      VERBS.each do |verb|
+        it "sends #{verb.to_s.upcase} correct query" do
+          expect(subject.__send__(verb, '/token/query_string', :params => {'foo[bar][1]' => 'val'}).body).to include('foo[bar][1]=val')
+        end
+      end
+    end
+  end
+
+  describe '#expires?' do
+    it 'is false if there is no expires_at' do
+      expect(described_class.new(client, token)).not_to be_expires
+    end
+
+    it 'is true if there is an expires_in' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)).to be_expires
+    end
+
+    it 'is true if there is an expires_at' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => Time.now.getutc.to_i + 600)).to be_expires
+    end
+  end
+
+  describe '#expired?' do
+    it 'is false if there is no expires_in or expires_at' do
+      expect(described_class.new(client, token)).not_to be_expired
+    end
+
+    it 'is false if expires_in is in the future' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 10_800)).not_to be_expired
+    end
+
+    it 'is true if expires_at is in the past' do
+      access = described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)
+      @now = Time.now + 10_800
+      allow(Time).to receive(:now).and_return(@now)
+      expect(access).to be_expired
+    end
+  end
+
+  describe '#refresh!' do
+    let(:access) do
+      described_class.new(client, token, :refresh_token => 'abaca',
+                                         :expires_in => 600,
+                                         :param_name => 'o_param')
+    end
+
+    it 'returns a refresh token with appropriate values carried over' do
+      refreshed = access.refresh!
+      expect(access.client).to eq(refreshed.client)
+      expect(access.options[:param_name]).to eq(refreshed.options[:param_name])
+    end
+
+    context 'with a nil refresh_token in the response' do
+      let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => nil) }
+
+      it 'copies the refresh_token from the original token' do
+        refreshed = access.refresh!
+
+        expect(refreshed.refresh_token).to eq(access.refresh_token)
+      end
+    end
+  end
+
+  describe '#to_hash' do
+    it 'return a hash equals to the hash used to initialize access token' do
+      hash = {:access_token => token, :refresh_token => 'foobar', :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      access_token = described_class.from_hash(client, hash.clone)
+      expect(access_token.to_hash).to eq(hash)
+    end
+  end
+end

data/spec/oauth2/authenticator_spec.rb

@@ -0,0 +1,84 @@
+describe OAuth2::Authenticator do
+  subject do
+    described_class.new(client_id, client_secret, mode)
+  end
+
+  let(:client_id) { 'foo' }
+  let(:client_secret) { 'bar' }
+  let(:mode) { :undefined }
+
+  it 'raises NotImplementedError for unknown authentication mode' do
+    expect { subject.apply({}) }.to raise_error(NotImplementedError)
+  end
+
+  describe '#apply' do
+    context 'with parameter-based authentication' do
+      let(:mode) { :request_body }
+
+      it 'adds client_id and client_secret to params' do
+        output = subject.apply({})
+        expect(output).to eq('client_id' => 'foo', 'client_secret' => 'bar')
+      end
+
+      it 'does not overwrite existing credentials' do
+        input = {'client_secret' => 's3cr3t'}
+        output = subject.apply(input)
+        expect(output).to eq('client_id' => 'foo', 'client_secret' => 's3cr3t')
+      end
+
+      it 'preserves other parameters' do
+        input = {'state' => '42', :headers => {'A' => 'b'}}
+        output = subject.apply(input)
+        expect(output).to eq(
+          'client_id' => 'foo',
+          'client_secret' => 'bar',
+          'state' => '42',
+          :headers => {'A' => 'b'}
+        )
+      end
+
+      context 'using tls client authentication' do
+        let(:mode) { :tls_client_auth }
+
+        it 'does not add client_secret' do
+          output = subject.apply({})
+          expect(output).to eq('client_id' => 'foo')
+        end
+      end
+
+      context 'using private key jwt authentication' do
+        let(:mode) { :private_key_jwt }
+
+        it 'does not add client_secret or client_id' do
+          output = subject.apply({})
+          expect(output).to eq({})
+        end
+      end
+    end
+
+    context 'with Basic authentication' do
+      let(:mode) { :basic_auth }
+      let(:header) { 'Basic ' + Base64.encode64("#{client_id}:#{client_secret}").delete("\n") }
+
+      it 'encodes credentials in headers' do
+        output = subject.apply({})
+        expect(output).to eq(:headers => {'Authorization' => header})
+      end
+
+      it 'does not overwrite existing credentials' do
+        input = {:headers => {'Authorization' => 'Bearer abc123'}}
+        output = subject.apply(input)
+        expect(output).to eq(:headers => {'Authorization' => 'Bearer abc123'})
+      end
+
+      it 'does not overwrite existing params or headers' do
+        input = {'state' => '42', :headers => {'A' => 'b'}}
+        output = subject.apply(input)
+        expect(output).to eq(
+          'state' => '42',
+          :headers => {'A' => 'b', 'Authorization' => header}
+        )
+      end
+    end
+  end
+end

data/spec/oauth2/client_spec.rb

@@ -0,0 +1,506 @@
+# coding: utf-8
+
+require 'helper'
+require 'nkf'
+
+describe OAuth2::Client do
+  subject do
+    described_class.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+      builder.adapter :test do |stub|
+        stub.get('/success')             { |env| [200, {'Content-Type' => 'text/awesome'}, 'yay'] }
+        stub.get('/reflect')             { |env| [200, {}, env[:body]] }
+        stub.post('/reflect')            { |env| [200, {}, env[:body]] }
+        stub.get('/unauthorized')        { |env| [401, {'Content-Type' => 'application/json'}, MultiJson.encode(:error => error_value, :error_description => error_description_value)] }
+        stub.get('/conflict')            { |env| [409, {'Content-Type' => 'text/plain'}, 'not authorized'] }
+        stub.get('/redirect')            { |env| [302, {'Content-Type' => 'text/plain', 'location' => '/success'}, ''] }
+        stub.post('/redirect')           { |env| [303, {'Content-Type' => 'text/plain', 'location' => '/reflect'}, ''] }
+        stub.get('/error')               { |env| [500, {'Content-Type' => 'text/plain'}, 'unknown error'] }
+        stub.get('/empty_get')           { |env| [204, {}, nil] }
+        stub.get('/different_encoding')  { |env| [500, {'Content-Type' => 'application/json'}, NKF.nkf('-We', MultiJson.encode(:error => error_value, :error_description => '∞'))] }
+        stub.get('/ascii_8bit_encoding') { |env| [500, {'Content-Type' => 'application/json'}, MultiJson.encode(:error => 'invalid_request', :error_description => 'é').force_encoding('ASCII-8BIT')] }
+      end
+    end
+  end
+
+  let!(:error_value) { 'invalid_token' }
+  let!(:error_description_value) { 'bad bad token' }
+
+  describe '#initialize' do
+    it 'assigns id and secret' do
+      expect(subject.id).to eq('abc')
+      expect(subject.secret).to eq('def')
+    end
+
+    it 'assigns site from the options hash' do
+      expect(subject.site).to eq('https://api.example.com')
+    end
+
+    it 'assigns Faraday::Connection#host' do
+      expect(subject.connection.host).to eq('api.example.com')
+    end
+
+    it 'leaves Faraday::Connection#ssl unset' do
+      expect(subject.connection.ssl).to be_empty
+    end
+
+    it 'is able to pass a block to configure the connection' do
+      connection = double('connection')
+      builder = double('builder')
+      allow(connection).to receive(:build).and_yield(builder)
+      allow(Faraday::Connection).to receive(:new).and_return(connection)
+
+      expect(builder).to receive(:adapter).with(:test)
+
+      described_class.new('abc', 'def') do |client|
+        client.adapter :test
+      end.connection
+    end
+
+    it 'defaults raise_errors to true' do
+      expect(subject.options[:raise_errors]).to be true
+    end
+
+    it 'allows true/false for raise_errors option' do
+      client = described_class.new('abc', 'def', :site => 'https://api.example.com', :raise_errors => false)
+      expect(client.options[:raise_errors]).to be false
+      client = described_class.new('abc', 'def', :site => 'https://api.example.com', :raise_errors => true)
+      expect(client.options[:raise_errors]).to be true
+    end
+
+    it 'allows override of raise_errors option' do
+      client = described_class.new('abc', 'def', :site => 'https://api.example.com', :raise_errors => true) do |builder|
+        builder.adapter :test do |stub|
+          stub.get('/notfound') { |env| [404, {}, nil] }
+        end
+      end
+      expect(client.options[:raise_errors]).to be true
+      expect { client.request(:get, '/notfound') }.to raise_error(OAuth2::Error)
+      response = client.request(:get, '/notfound', :raise_errors => false)
+      expect(response.status).to eq(404)
+    end
+
+    it 'allows get/post for access_token_method option' do
+      client = described_class.new('abc', 'def', :site => 'https://api.example.com', :access_token_method => :get)
+      expect(client.options[:access_token_method]).to eq(:get)
+      client = described_class.new('abc', 'def', :site => 'https://api.example.com', :access_token_method => :post)
+      expect(client.options[:access_token_method]).to eq(:post)
+    end
+
+    it 'does not mutate the opts hash argument' do
+      opts = {:site => 'http://example.com/'}
+      opts2 = opts.dup
+      described_class.new 'abc', 'def', opts
+      expect(opts).to eq(opts2)
+    end
+  end
+
+  %w[authorize token].each do |url_type|
+    describe ":#{url_type}_url option" do
+      it "defaults to a path of /oauth/#{url_type}" do
+        expect(subject.send("#{url_type}_url")).to eq("https://api.example.com/oauth/#{url_type}")
+      end
+
+      it "is settable via the :#{url_type}_url option" do
+        subject.options[:"#{url_type}_url"] = '/oauth/custom'
+        expect(subject.send("#{url_type}_url")).to eq('https://api.example.com/oauth/custom')
+      end
+
+      it 'allows a different host than the site' do
+        subject.options[:"#{url_type}_url"] = 'https://api.foo.com/oauth/custom'
+        expect(subject.send("#{url_type}_url")).to eq('https://api.foo.com/oauth/custom')
+      end
+    end
+  end
+
+  describe ':redirect_uri option' do
+    let(:auth_code_params) do
+      {
+        'client_id' => 'abc',
+        'client_secret' => 'def',
+        'code' => 'code',
+        'grant_type' => 'authorization_code',
+      }
+    end
+
+    context 'when blank' do
+      it 'there is no redirect_uri param added to authorization URL' do
+        expect(subject.authorize_url('a' => 'b')).to eq('https://api.example.com/oauth/authorize?a=b')
+      end
+
+      it 'does not add the redirect_uri param to the auth_code token exchange request' do
+        client = described_class.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+          builder.adapter :test do |stub|
+            stub.post('/oauth/token', auth_code_params) do
+              [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+            end
+          end
+        end
+        client.auth_code.get_token('code')
+      end
+    end
+
+    context 'when set' do
+      before { subject.options[:redirect_uri] = 'https://site.com/oauth/callback' }
+
+      it 'adds the redirect_uri param to authorization URL' do
+        expect(subject.authorize_url('a' => 'b')).to eq('https://api.example.com/oauth/authorize?a=b&redirect_uri=https%3A%2F%2Fsite.com%2Foauth%2Fcallback')
+      end
+
+      it 'adds the redirect_uri param to the auth_code token exchange request' do
+        client = described_class.new('abc', 'def', :redirect_uri => 'https://site.com/oauth/callback', :site => 'https://api.example.com') do |builder|
+          builder.adapter :test do |stub|
+            stub.post('/oauth/token', auth_code_params.merge('redirect_uri' => 'https://site.com/oauth/callback')) do
+              [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+            end
+          end
+        end
+        client.auth_code.get_token('code')
+      end
+    end
+
+    describe 'custom headers' do
+      context 'string key headers' do
+        it 'adds the custom headers to request' do
+          client = described_class.new('abc', 'def', :site => 'https://api.example.com', :auth_scheme => :request_body) do |builder|
+            builder.adapter :test do |stub|
+              stub.post('/oauth/token') do |env|
+                expect(env.request_headers).to include({'CustomHeader' => 'CustomHeader'})
+                [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+              end
+            end
+          end
+          header_params = {'headers' => {'CustomHeader' => 'CustomHeader'}}
+          client.auth_code.get_token('code', header_params)
+        end
+      end
+
+      context 'symbol key headers' do
+        it 'adds the custom headers to request' do
+          client = described_class.new('abc', 'def', :site => 'https://api.example.com', :auth_scheme => :request_body) do |builder|
+            builder.adapter :test do |stub|
+              stub.post('/oauth/token') do |env|
+                expect(env.request_headers).to include({'CustomHeader' => 'CustomHeader'})
+                [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+              end
+            end
+          end
+          header_params = {:headers => {'CustomHeader' => 'CustomHeader'}}
+          client.auth_code.get_token('code', header_params)
+        end
+      end
+
+      context 'string key custom headers with basic auth' do
+        it 'adds the custom headers to request' do
+          client = described_class.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+            builder.adapter :test do |stub|
+              stub.post('/oauth/token') do |env|
+                expect(env.request_headers).to include({'CustomHeader' => 'CustomHeader'})
+                [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+              end
+            end
+          end
+          header_params = {'headers' => {'CustomHeader' => 'CustomHeader'}}
+          client.auth_code.get_token('code', header_params)
+        end
+      end
+
+      context 'symbol key custom headers with basic auth' do
+        it 'adds the custom headers to request' do
+          client = described_class.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+            builder.adapter :test do |stub|
+              stub.post('/oauth/token') do |env|
+                expect(env.request_headers).to include({'CustomHeader' => 'CustomHeader'})
+                [200, {'Content-Type' => 'application/json'}, '{"access_token":"token"}']
+              end
+            end
+          end
+          header_params = {:headers => {'CustomHeader' => 'CustomHeader'}}
+          client.auth_code.get_token('code', header_params)
+        end
+      end
+    end
+  end
+
+  describe '#request' do
+    it 'works with a null response body' do
+      expect(subject.request(:get, 'empty_get').body).to eq('')
+    end
+
+    it 'returns on a successful response' do
+      response = subject.request(:get, '/success')
+      expect(response.body).to eq('yay')
+      expect(response.status).to eq(200)
+      expect(response.headers).to eq('Content-Type' => 'text/awesome')
+    end
+
+    it 'posts a body' do
+      response = subject.request(:post, '/reflect', :body => 'foo=bar')
+      expect(response.body).to eq('foo=bar')
+    end
+
+    it 'follows redirects properly' do
+      response = subject.request(:get, '/redirect')
+      expect(response.body).to eq('yay')
+      expect(response.status).to eq(200)
+      expect(response.headers).to eq('Content-Type' => 'text/awesome')
+    end
+
+    it 'redirects using GET on a 303' do
+      response = subject.request(:post, '/redirect', :body => 'foo=bar')
+      expect(response.body).to be_empty
+      expect(response.status).to eq(200)
+    end
+
+    it 'obeys the :max_redirects option' do
+      max_redirects = subject.options[:max_redirects]
+      subject.options[:max_redirects] = 0
+      response = subject.request(:get, '/redirect')
+      expect(response.status).to eq(302)
+      subject.options[:max_redirects] = max_redirects
+    end
+
+    it 'returns if raise_errors is false' do
+      subject.options[:raise_errors] = false
+      response = subject.request(:get, '/unauthorized')
+
+      expect(response.status).to eq(401)
+      expect(response.headers).to eq('Content-Type' => 'application/json')
+      expect(response.error).not_to be_nil
+    end
+
+    %w[/unauthorized /conflict /error /different_encoding /ascii_8bit_encoding].each do |error_path|
+      it "raises OAuth2::Error on error response to path #{error_path}" do
+        expect { subject.request(:get, error_path) }.to raise_error(OAuth2::Error)
+      end
+    end
+
+    # rubocop:disable Style/RedundantBegin
+    it 're-encodes response body in the error message' do
+      begin
+        subject.request(:get, '/ascii_8bit_encoding')
+      rescue StandardError => e
+        expect(e.message.encoding.name).to eq('UTF-8')
+        expect(e.message).to eq("invalid_request: é\n{\"error\":\"invalid_request\",\"error_description\":\"��\"}")
+      end
+    end
+
+    it 'parses OAuth2 standard error response' do
+      begin
+        subject.request(:get, '/unauthorized')
+      rescue StandardError => e
+        expect(e.code).to eq(error_value)
+        expect(e.description).to eq(error_description_value)
+        expect(e.to_s).to match(/#{error_value}/)
+        expect(e.to_s).to match(/#{error_description_value}/)
+      end
+    end
+
+    it 'provides the response in the Exception' do
+      begin
+        subject.request(:get, '/error')
+      rescue StandardError => e
+        expect(e.response).not_to be_nil
+        expect(e.to_s).to match(/unknown error/)
+      end
+    end
+    # rubocop:enable Style/RedundantBegin
+
+    context 'with ENV' do
+      include_context 'with stubbed env'
+      before do
+        stub_env('OAUTH_DEBUG' => 'true')
+      end
+
+      it 'outputs to $stdout when OAUTH_DEBUG=true' do
+        output = capture(:stdout) do
+          subject.request(:get, '/success')
+        end
+        logs = [
+          '-- request: GET https://api.example.com/success',
+          '-- response: Status 200',
+          '-- response: Content-Type: "text/awesome"',
+        ]
+        expect(output).to include(*logs)
+      end
+    end
+  end
+
+  describe '#get_token' do
+    it 'returns a configured AccessToken' do
+      client = stubbed_client do |stub|
+        stub.post('/oauth/token') do
+          [200, {'Content-Type' => 'application/json'}, MultiJson.encode('access_token' => 'the-token')]
+        end
+      end
+
+      token = client.get_token({})
+      expect(token).to be_a OAuth2::AccessToken
+      expect(token.token).to eq('the-token')
+    end
+
+    it 'authenticates with request parameters' do
+      client = stubbed_client(:auth_scheme => :request_body) do |stub|
+        stub.post('/oauth/token', 'client_id' => 'abc', 'client_secret' => 'def') do |env|
+          [200, {'Content-Type' => 'application/json'}, MultiJson.encode('access_token' => 'the-token')]
+        end
+      end
+      client.get_token({})
+    end
+
+    it 'authenticates with Basic auth' do
+      client = stubbed_client(:auth_scheme => :basic_auth) do |stub|
+        stub.post('/oauth/token') do |env|
+          raise Faraday::Adapter::Test::Stubs::NotFound unless env[:request_headers]['Authorization'] == OAuth2::Authenticator.encode_basic_auth('abc', 'def')
+
+          [200, {'Content-Type' => 'application/json'}, MultiJson.encode('access_token' => 'the-token')]
+        end
+      end
+      client.get_token({})
+    end
+
+    describe 'extract_access_token option' do
+      let(:client) do
+        client = stubbed_client(:extract_access_token => extract_access_token) do |stub|
+          stub.post('/oauth/token') do
+            [200, {'Content-Type' => 'application/json'}, MultiJson.encode('data' => {'access_token' => 'the-token'})]
+          end
+        end
+      end
+
+      context 'with proc extract_access_token' do
+        let(:extract_access_token) do
+          proc do |client, hash|
+            token = hash['data']['access_token']
+            OAuth2::AccessToken.new(client, token, hash)
+          end
+        end
+
+        it 'returns a configured AccessToken' do
+          token = client.get_token({})
+          expect(token).to be_a OAuth2::AccessToken
+          expect(token.token).to eq('the-token')
+        end
+      end
+
+      context 'with depracted Class.from_hash option' do
+        let(:extract_access_token) do
+          CustomAccessToken = Class.new(OAuth2::AccessToken)
+          CustomAccessToken.define_singleton_method(:from_hash) do |client, hash|
+            token = hash['data']['access_token']
+            OAuth2::AccessToken.new(client, token, hash)
+          end
+          CustomAccessToken
+        end
+
+        it 'returns a configured AccessToken' do
+          token = client.get_token({})
+          expect(token).to be_a OAuth2::AccessToken
+          expect(token.token).to eq('the-token')
+        end
+      end
+    end
+
+    describe ':raise_errors flag' do
+      let(:options) { {} }
+      let(:token_response) { nil }
+
+      let(:client) do
+        stubbed_client(options.merge(:raise_errors => raise_errors)) do |stub|
+          stub.post('/oauth/token') do
+            # stub 200 response so that we're testing the get_token handling of :raise_errors flag not request
+            [200, {'Content-Type' => 'application/json'}, token_response]
+          end
+        end
+      end
+
+      context 'when set to false' do
+        let(:raise_errors) { false }
+
+        context 'when the request body is nil' do
+          it 'returns a nil :access_token' do
+            expect(client.get_token({})).to eq(nil)
+          end
+        end
+
+        context 'when the request body is missing the access_token' do
+          let(:token_response) { MultiJson.encode('unexpected_access_token' => 'the-token') }
+
+          it 'returns a nil :access_token' do
+            expect(client.get_token({})).to eq(nil)
+          end
+        end
+
+        context 'when extract_access_token raises an exception' do
+          let(:options) do
+            {
+              :extract_access_token => proc { |client, hash| raise ArgumentError },
+            }
+          end
+
+          it 'returns a nil :access_token' do
+            expect(client.get_token({})).to eq(nil)
+          end
+        end
+      end
+
+      context 'when set to true' do
+        let(:raise_errors) { true }
+
+        context 'when the request body is nil' do
+          it 'raises an error' do
+            expect { client.get_token({}) }.to raise_error OAuth2::Error
+          end
+        end
+
+        context 'when the request body is missing the access_token' do
+          let(:token_response) { MultiJson.encode('unexpected_access_token' => 'the-token') }
+
+          it 'raises an error' do
+            expect { client.get_token({}) }.to raise_error OAuth2::Error
+          end
+        end
+
+        context 'when extract_access_token raises an exception' do
+          let(:options) do
+            {
+              :extract_access_token => proc { |client, hash| raise ArgumentError },
+            }
+          end
+
+          it 'raises an error' do
+            expect { client.get_token({}) }.to raise_error OAuth2::Error
+          end
+        end
+      end
+    end
+
+    def stubbed_client(params = {}, &stubs)
+      params = {:site => 'https://api.example.com'}.merge(params)
+      OAuth2::Client.new('abc', 'def', params) do |builder|
+        builder.adapter :test, &stubs
+      end
+    end
+  end
+
+  it 'instantiates an AuthCode strategy with this client' do
+    expect(subject.auth_code).to be_kind_of(OAuth2::Strategy::AuthCode)
+  end
+
+  it 'instantiates an Implicit strategy with this client' do
+    expect(subject.implicit).to be_kind_of(OAuth2::Strategy::Implicit)
+  end
+
+  context 'with SSL options' do
+    subject do
+      cli = described_class.new('abc', 'def', :site => 'https://api.example.com', :ssl => {:ca_file => 'foo.pem'})
+      cli.connection.build do |b|
+        b.adapter :test
+      end
+      cli
+    end
+
+    it 'passes the SSL options along to Faraday::Connection#ssl' do
+      expect(subject.connection.ssl.fetch(:ca_file)).to eq('foo.pem')
+    end
+  end
+end