oauth3 1.0.3 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4151158493b6c0035e630b0e188339a4c7b05c34
-  data.tar.gz: 59f10fd777ffebec56190c0c180b49e97c301973
+  metadata.gz: b450936d14db6f539be592a4352d6874c0837eb9
+  data.tar.gz: 2ccf0d609255eb79501b39d27e4d7880d9976a00
 SHA512:
-  metadata.gz: 6d64fc1d31adc1ebc771916af940382e152ef9a8e846c9829f07b1171f9cd004196cde2e22eedca277314780ecb5386cf43bf712bbaf8a0ef172e0c584217a1d
-  data.tar.gz: 44566e908c777ca01c949a35aca115f3dde3ed74253c85efa2ac62c48a8575dd0f65ba8e70de5af36eb25b7209192e01cd3944d4e44c90560e5b34aae534ea07
+  metadata.gz: 8377043e6978b8eea92c1ef387d5c0708d7dc49ba9bb854fa53d11862668760e0b81936f53b5bc89852736f10899acbb07ae2c144dd48a92ea6bef0a9a62ef62
+  data.tar.gz: f0bc11d2dc4f342660b3226e6c621be42ceb11877b645b44615dce74bb5ead9108d3a8e1ced022802a54df6d9fc949254a867f961e082c0a2b3f2c272a4512b5

data/lib/oauth3.rb

@@ -6,6 +6,14 @@ class Oauth3
   #attr_reader :client
   #attr_accessor :options
 
+  OAuth2::Response.register_parser(:text, 'text/plain') do |body|
+    if '{' == body[0] or '[' == body[0]
+      MultiJson.load(body) rescue body
+    else
+      Rack::Utils.parse_query(body)
+    end
+  end
+
   def initialize(registrar, options={})
     # make sure all options for the OAuth module and faraday
     # pass all the way down
@@ -25,14 +33,25 @@ class Oauth3
       return @providers[provider_uri][:directive]
     end
 
-    # TODO if there's no prefix (https://), add it first
-    # TODO if the directive is stale, refresh it
-    http = HTTPClient.new()
-    response = http.get_content("#{provider_uri}/oauth3.json")
+    registration = @registrar.get(provider_uri)
+    dynamic = true
+
+    if registration and registration['directives']
+      directives = registration['directives']
+      dynamic = false
+    else
+      # TODO if there's no prefix (https://), add it first
+      # TODO if the directive is stale, refresh it
+      http = HTTPClient.new()
+      response = http.get_content("#{provider_uri}/oauth3.json")
+      directives = JSON.parse(response)
+    end
+
     @providers[provider_uri] = {
       provider_uri: provider_uri,
-      directive: JSON.parse(response),
-      timestamp: Time.now
+      directive: directives,
+      timestamp: Time.now,
+      dynamic: dynamic
     }
     @providers[provider_uri][:directive]
   end
@@ -47,6 +66,8 @@ class Oauth3
     client_options[:site] = ""
     client_options[:authorize_url] = get_directive(provider_uri)['authorization_dialog']['url']
     client_options[:token_url] = get_directive(provider_uri)['access_token']['url']
+    token_method = (get_directive(provider_uri)['access_token']['method'] || 'POST').downcase.to_sym
+    client_options[:token_method] = token_method
 
     @clients[provider_uri] = OAuth2::Client.new(
       @registrar.get(provider_uri)['id'],
@@ -60,19 +81,91 @@ class Oauth3
     (0...50).map { ('a'..'z').to_a[rand(26)] }.join
   end
 
-  def authorize_url(provider_uri)
-    redirect_uri = @options[:redirect_uri]
+  def authorize_url(provider_uri, params)
+    provider_uri = @@oauth3.normalize_provider_uri(provider_uri)
+    authorization_code_callback_uri = @options[:authorization_code_callback_uri] || @options[:redirect_uri]
     rnd = random_string()
-    @states[rnd] = Time.now
-
-    # TODO state should go in params to the provider, not the redirect directly
-    # ... but ultimately it has the same effect, so whatever
-    get_oauth2_client(provider_uri).auth_code.authorize_url(
-      # TODO (change ? to & if there's already a ?)
-      redirect_uri: redirect_uri +
-        "?provider_uri=" + URI.encode_www_form_component(provider_uri) +
-        "&state=" + rnd
-    )
+
+    @states[rnd] = {
+      created_at: Time.now,
+      provider_uri: provider_uri,
+      params: params
+    }
+
+    get_oauth2_client(provider_uri).auth_code.authorize_url({
+      # Note that no parameters can be passed tothis redirect
+      # It is required to be verbatim for Facebook and probably many other providers
+      redirect_uri: authorization_code_callback_uri,
+      scope: params[:scope],
+      state: rnd
+    })
+  end
+
+  def authorization_code_callback(params)
+    # TODO needs error handling function to make this DRY
+
+    server_state = params[:state] or params[:server_state]
+    if not server_state
+      if params[:error]
+        return params
+      else
+        return { error: "E_NO_STATE", error_description: "provider_did_not_return_state" }
+      end
+    end
+
+    meta_state = @@oauth3.get_state(server_state)
+    if not meta_state
+      return { error: "E_INVALID_SERVER_STATE", error_description: "server_state_missing_or_expired" }
+    end
+
+    # TODO provider_uri should not be necessary because we have state
+    # (but I don't think oauth3.html implements that completely yet)
+    # meta_state = { created_at, provider_uri, params }
+    browser_params = meta_state[:params].merge({ provider_uri: meta_state[:provider_uri] })
+    if not browser_params
+      browser_params = { error: "E_SANITY_FAIL", error_description: "sanity fail: server_state missing browser_params" }
+      params.delete(:state)
+      return params.merge(browser_params)
+    end
+
+    browser_state = browser_params[:state] or browser_params[:browser_state]
+    if not browser_state
+      browser_params[:error] = "E_INVALID_BROWSER_STATE"
+      browser_params[:error_description] = "server_state missing or expired"
+      return browser_params
+    end
+
+    # TODO decide on one or the other. Favor explicit to avoid confusion?
+    result_params = { browser_state: browser_state, state: browser_state }
+    if params[:error]
+      params.delete(:state)
+      return params.merge(result_params)
+    end
+
+    code = params[:code]
+
+    if not code
+      result_params[:error] = "E_INVALID_BROWSER_STATE"
+      result_params[:error_description] = "state_missing_or_expired"
+      params.delete(:state)
+      return params.merge(result_params)
+    end
+
+    provider_uri = browser_params[:provider_uri]
+    if token = @@oauth3.get_token(provider_uri, code).token
+      result_params[:access_token] = token
+    end
+
+    # Note in the future the server will send back
+    #   granted_scopes=foo,bar,baz,etc
+    #   expires_at=2015-04-01T12:30:00.000Z
+    #   app_scoped_id=<<default-account-app-scoped-id>>
+    params.delete(:state)
+    params.merge(result_params)
+  end
+
+  def get_state(state)
+    @states.delete(state)
   end
 
   def validate_state(provider_uri, state)
@@ -81,7 +174,9 @@ class Oauth3
   end
 
   def get_token(provider_uri, code)
-    get_oauth2_client(provider_uri).auth_code.get_token(code)
+    get_oauth2_client(provider_uri).auth_code.get_token(code, {
+      redirect_uri: @options[:authorization_code_callback_uri]
+    })
   end
 
   def get_profile(provider_uri, token)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth3
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.2
 platform: ruby
 authors:
 - AJ ONeal
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-01 00:00:00.000000000 Z
+date: 2015-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -52,7 +52,8 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 1.8.2
-description: 
+description: OAuth3 (backwards compatible with OAuth2) authentication strategy for
+  connecting to any OAuth2 / OAuth3 provider in Ruby / Sinatra / etc
 email: coolaj86@gmail.com
 executables: []
 extensions: []