oauthenticator 0.1.0

data/lib/oauthenticator/config_methods.rb

@@ -0,0 +1,100 @@
+module OAuthenticator
+  # This module contains stubs, or in some cases default values, for implementations of particulars of the OAuth protocol. Applications must implement some of these, and are likely to want to override the default values of others. certain methods will need to use methods of the {OAuthenticator::SignedRequest} class.
+  #
+  # the methods your implementation will need to be used are primarily those from the parsed OAuth Authorization header. these are methods your implementation WILL need to use to implement the required functionality:
+  #
+  # - `#consumer_key`
+  # - `#token`
+  # - `#nonce`
+  # - `#timestamp`
+  #
+  # the following are the other parts of the Authorization, but your implementation will probably NOT need to use these (OAuthenticator does everything that is needed to validate these parts):
+  #
+  # - `#version`
+  # - `#signature_method`
+  # - `#signature`
+  module ConfigMethods
+    # the number of seconds (integer) in both the past and future for which the request is considered valid. 
+    #
+    # if it is desired to have a different period considered valid in the past than in the future, then the methods {#timestamp_valid_past} and {#timestamp_valid_future} may be implemented instead, and this method may remain unimplemented. 
+    #
+    # see the documentation for {#timestamp_valid_past} and {#timestamp_valid_future} for other considerations of the valid period. 
+    #
+    # @return [Integer] period in seconds
+    def timestamp_valid_period
+      config_method_not_implemented
+    end
+
+    # the number of seconds (integer) in the past for which the request is considered valid. 
+    #
+    # if the timestamp is more than this number of seconds less than the current clock time, then the request is considered invalid and the response is an error. 
+    #
+    # this should be large enough to allow for clock skew between your application's server and the requester's clock. 
+    #
+    # nonces older than Time.now - timestamp_valid_past may be discarded.
+    #
+    # this method may remain unimplemented if {#timestamp_valid_period} is implemented. 
+    #
+    # @return [Integer] period in seconds
+    def timestamp_valid_past
+      timestamp_valid_period
+    end
+
+    # the number of seconds (integer) in the future for which the request is considered valid. 
+    #
+    # if the timestamp is more than this number of seconds greater than the current clock time, then the request is considered invalid and the response is an error. 
+    #
+    # this should be large enough to allow for clock skew between your application's server and the requester's clock. 
+    #
+    # this method may remain unimplemented if {#timestamp_valid_period} is implemented. 
+    #
+    # @return [Integer] period in seconds
+    def timestamp_valid_future
+      timestamp_valid_period
+    end
+
+    # the signature methods which the application will accept. this MUST be a subset of the signature methods defined in the OAuth 1.0 protocol: `%w(HMAC-SHA1 RSA-SHA1 PLAINTEXT)`. the default value for this is all allowed signature methods, and may remain unimplemented if you wish to allow all defined signature methods. 
+    #
+    # @return [Array<String>]
+    def allowed_signature_methods
+      OAuthenticator::SignedRequest::VALID_SIGNATURE_METHODS
+    end
+
+    # this should look up the consumer secret in your application's storage corresponding to the request's consumer key, which is available via the `#consumer_key` method. see the README for an example implementation.
+    #
+    # @return [String] the consumer secret for the request's consumer key
+    def consumer_secret
+      config_method_not_implemented
+    end
+
+    # this should look up the access token secret in your application's storage corresponding to the request's access token, which is available via the `#token` method. see the README for an example implementation.
+    #
+    # @return [String] the access token secret for the request's access token
+    def access_token_secret
+      config_method_not_implemented
+    end
+
+    # whether the nonce, available via the `#nonce` method, has already been used. you may wish to use this in conjunction with the timestamp (`#timestamp`), per the OAuth 1.0 spec.
+    #
+    # it's worth noting that if this ever returns true, it may indicate a replay attack under way against your application. the replay attack will fail due to OAuth, but you may wish to log the event.
+    #
+    # @return [Boolean] whether the request's nonce has already been used.
+    def nonce_used?
+      config_method_not_implemented
+    end
+
+    # cause the nonce, available via the `#nonce` method, to be marked as used. you may wish to use this in conjunction with the timestamp (`#timestamp`).
+    #
+    # @return [Void] (return value is ignored / unused)
+    def use_nonce!
+      config_method_not_implemented
+    end
+
+    # whether the access token indicated by the request (via `#token`) belongs to the consumer indicated by the request (via `#consumer_key`). 
+    #
+    # @return [Boolean] whether the request's access token belongs to the request's consumer 
+    def access_token_belongs_to_consumer?
+      config_method_not_implemented
+    end
+  end
+end

data/lib/oauthenticator/middleware.rb

@@ -0,0 +1,61 @@
+require 'rack'
+require 'simple_oauth'
+require 'json'
+require 'oauthenticator/signed_request'
+
+module OAuthenticator
+  # Rack middleware to determine if the incoming request is signed authentically with OAuth 1.0.
+  #
+  # If the request is not authentically signed, then the middleware responds with 401 Unauthorized, with the 
+  # body a JSON object indicating errors encountered authenticating the request. The error object is 
+  # structured like rails / ActiveResource:
+  #
+  #     {'errors': {'attribute1': ['messageA', 'messageB'], 'attribute2': ['messageC']}}
+  class Middleware
+    # options:
+    #
+    # - `:bypass` - a proc which will be called with a Rack::Request, which must have a boolean result. 
+    #   if the result is true, authorization checking is bypassed. if false, the request is authenticated 
+    #   and responds 401 if not authenticated.
+    #
+    # - `:config_methods` - a Module which defines necessary methods for an {OAuthenticator::SignedRequest} to 
+    #   determine if it is validly signed. See documentation for {OAuthenticator::ConfigMethods} 
+    #   for details of what this module must implement.
+    def initialize(app, options={})
+      @app=app
+      @options = options
+      unless @options[:config_methods].is_a?(Module)
+        raise ArgumentError, "options[:config_methods] must be a Module"
+      end
+    end
+
+    # call the middleware!
+    def call(env)
+      request = Rack::Request.new(env)
+
+      if @options[:bypass] && @options[:bypass].call(request)
+        env["oauth.authenticated"] = false
+        @app.call(env, request)
+      else
+        oauth_signed_request_class = OAuthenticator::SignedRequest.including_config(@options[:config_methods])
+        oauth_request = oauth_signed_request_class.from_rack_request(request)
+        if oauth_request.errors
+          unauthorized_response({'errors' => oauth_request.errors})
+        else
+          env["oauth.consumer_key"] = oauth_request.consumer_key
+          env["oauth.access_token"] = oauth_request.token
+          env["oauth.authenticated"] = true
+          @app.call(env)
+        end
+      end
+    end
+
+    # the response for an unauthorized request. the argument will be a hash with the key 'errors', whose value 
+    # is a hash with string keys indicating attributes with errors, and values being arrays of strings 
+    # indicating error messages on the attribute key.. 
+    def unauthorized_response(error_object)
+      response_headers = {"WWW-Authenticate" => %q(OAuth realm="/"), 'Content-Type' => 'application/json'}
+      [401, response_headers, [JSON.pretty_generate(error_object)]]
+    end
+  end
+end

data/lib/oauthenticator/signed_request.rb

@@ -0,0 +1,215 @@
+require 'simple_oauth'
+
+module OAuthenticator
+  # this class represents an OAuth signed request. its primary user-facing method is {#errors}, which returns 
+  # nil if the request is valid and authentic, or a helpful object of error messages describing what was 
+  # invalid if not. 
+  #
+  # this class is not useful on its own, as various methods must be implemented on a module to be included 
+  # before the implementation is complete enough to use. see the README and the documentation for the module 
+  # {OAuthenticator::ConfigMethods} for details. to pass such a module to 
+  # {OAuthenticator::SignedRequest}, use {.including_config}, like 
+  # `OAuthenticator::SignedRequest.including_config(config_module)`.
+  class SignedRequest
+    class << self
+      # returns a subclass of OAuthenticator::SignedRequest which includes the given config module 
+      #
+      # @param config_methods_module [Module] a module which implements the methods described in the 
+      # documentation for {OAuthenticator::ConfigMethods} and the README
+      #
+      # @return [Class] subclass of SignedRequest with the given module included 
+      def including_config(config_methods_module)
+        @extended_classes ||= Hash.new do |h, confmodule|
+          h[confmodule] = Class.new(::OAuthenticator::SignedRequest).send(:include, confmodule)
+        end
+        @extended_classes[config_methods_module]
+      end
+    end
+
+    ATTRIBUTE_KEYS = %w(request_method url body media_type authorization).map(&:freeze).freeze
+    OAUTH_ATTRIBUTE_KEYS = %w(consumer_key token timestamp nonce version signature_method signature).map(&:to_sym).freeze
+
+    # readers 
+    ATTRIBUTE_KEYS.each { |attribute_key| define_method(attribute_key) { @attributes[attribute_key] } }
+
+    # readers for oauth header parameters 
+    OAUTH_ATTRIBUTE_KEYS.each { |key| define_method(key) { oauth_header_params[key] } }
+
+    # question methods to indicate whether oauth header parameters were included in the Authorization 
+    OAUTH_ATTRIBUTE_KEYS.each { |key| define_method("#{key}?") { oauth_header_params.key?(key) } }
+
+    VALID_SIGNATURE_METHODS = %w(HMAC-SHA1 RSA-SHA1 PLAINTEXT).map(&:freeze).freeze
+
+    class << self
+      # instantiates a `OAuthenticator::SignedRequest` (subclass thereof, more precisely) representing a 
+      # request given as a Rack::Request.
+      #
+      # like {#initialize}, this should be called on a subclass of SignedRequest created with {.including_config}
+      #
+      # @param request [Rack::Request]
+      # @return [subclass of OAuthenticator::SignedRequest]
+      def from_rack_request(request)
+        new({
+          :request_method => request.request_method,
+          :url => request.url,
+          :body => request.body,
+          :media_type => request.media_type,
+          :authorization => request.env['HTTP_AUTHORIZATION'],
+        })
+      end
+    end
+
+    # initialize a {SignedRequest}. this should not be called on OAuthenticator::SignedRequest directly, but 
+    # a subclass made with {.including_config} - see {SignedRequest}'s documentation.
+    def initialize(attributes)
+      @attributes = attributes.inject({}){|acc, (k,v)| acc.update((k.is_a?(Symbol) ? k.to_s : k) => v) }
+      extra_attributes = @attributes.keys - ATTRIBUTE_KEYS
+      if extra_attributes.any?
+        raise ArgumentError, "received unrecognized attribute keys: #{extra_attributes.inspect}"
+      end
+    end
+
+    # inspects the request represented by this instance of SignedRequest. if the request is authentically 
+    # signed with OAuth, returns nil to indicate that there are no errors. if the request is inauthentic or 
+    # invalid for any reason, this returns a hash containing the reason(s) why the request is invalid.
+    #
+    # The error object's structure is a hash with string keys indicating attributes with errors, and values 
+    # being arrays of strings indicating error messages on the attribute key. this structure takes after 
+    # structured rails / ActiveResource, and looks like:
+    #
+    #     {'attribute1': ['messageA', 'messageB'], 'attribute2': ['messageC']}
+    #
+    # @return [nil, Hash<String, Array<String>>] either nil or a hash of errors
+    def errors
+      @errors ||= begin
+        if authorization.nil?
+          {'Authorization' => ["Authorization header is missing"]}
+        elsif authorization !~ /\S/
+          {'Authorization' => ["Authorization header is blank"]}
+        elsif authorization !~ /\Aoauth\s/i
+          {'Authorization' => ["Authorization scheme is not OAuth; received Authorization: #{authorization}"]}
+        else
+          errors = Hash.new { |h,k| h[k] = [] }
+
+          # timestamp
+          if !timestamp?
+            errors['Authorization oauth_timestamp'] << "is missing"
+          elsif timestamp !~ /\A\s*\d+\s*\z/
+            errors['Authorization oauth_timestamp'] << "is not an integer - got: #{timestamp}"
+          else
+            timestamp_i = timestamp.to_i
+            if timestamp_i < Time.now.to_i - timestamp_valid_past
+              errors['Authorization oauth_timestamp'] << "is too old: #{timestamp}"
+            elsif timestamp_i > Time.now.to_i + timestamp_valid_future
+              errors['Authorization oauth_timestamp'] << "is too far in the future: #{timestamp}"
+            end
+          end
+
+          # oauth version
+          if version? && version != '1.0'
+            errors['Authorization oauth_version'] << "must be 1.0; got: #{version}"
+          end
+
+          # she's filled with secrets
+          secrets = {}
+
+          # consumer / client application
+          if !consumer_key?
+            errors['Authorization oauth_consumer_key'] << "is missing"
+          else
+            secrets[:consumer_secret] = consumer_secret
+            if !secrets[:consumer_secret]
+              errors['Authorization oauth_consumer_key'] << 'is invalid'
+            end
+          end
+
+          # access token
+          if token?
+            secrets[:token_secret] = access_token_secret
+            if !secrets[:token_secret]
+              errors['Authorization oauth_token'] << 'is invalid'
+            elsif !access_token_belongs_to_consumer?
+              errors['Authorization oauth_token'] << 'does not belong to the specified consumer'
+            end
+          end
+
+          # nonce
+          if !nonce?
+            errors['Authorization oauth_nonce'] << "is missing"
+          elsif nonce_used?
+            errors['Authorization oauth_nonce'] << "has already been used"
+          end
+
+          # signature method
+          if !signature_method?
+            errors['Authorization oauth_signature_method'] << "is missing"
+          elsif !allowed_signature_methods.any? { |sm| signature_method.downcase == sm.downcase }
+            errors['Authorization oauth_signature_method'] << "must be one of " +
+              "#{allowed_signature_methods.join(', ')}; got: #{signature_method}"
+          end
+
+          # signature
+          if !signature?
+            errors['Authorization oauth_signature'] << "is missing"
+          end
+
+          if errors.any?
+            errors
+          else
+            # proceed to check signature
+            if !simple_oauth_header.valid?(secrets)
+              {'Authorization oauth_signature' => ['is invalid']}
+            else
+              use_nonce!
+              nil
+            end
+          end
+        end
+      end
+    end
+
+    require 'oauthenticator/config_methods'
+    include ConfigMethods
+
+    private
+
+    # hash of header params. keys should be a subset of OAUTH_ATTRIBUTE_KEYS.
+    def oauth_header_params
+      @oauth_header_params ||= SimpleOAuth::Header.parse(authorization)
+    end
+
+    # reads the request body, be it String or IO 
+    def read_body
+      if body.is_a?(String)
+        body
+      elsif body.respond_to?(:read) && body.respond_to?(:rewind)
+        body.rewind
+        body.read.tap do
+          body.rewind
+        end
+      else
+        raise NotImplementedError, "body = #{body.inspect}"
+      end
+    end
+
+    # SimpleOAuth::Header for this request
+    def simple_oauth_header
+      params = media_type == "application/x-www-form-urlencoded" ? CGI.parse(read_body).map{|k,vs| vs.map{|v| [k,v] } }.inject([], &:+) : nil
+      simple_oauth_header = SimpleOAuth::Header.new(request_method, url, params, authorization)
+    end
+
+    # raise a nice error message for a method that needs to be implemented on a module of config methods 
+    def config_method_not_implemented
+      caller_name = caller[0].match(%r(in `(.*?)'))[1]
+      using_middleware = caller.any? { |l| l =~ %r(oauthenticator/middleware.rb:.*`call') }
+      message = "method \##{caller_name} must be implemented on a module of oauth config methods, which is " + begin
+        if using_middleware
+          "passed to OAuthenticator::Middleware using the option :config_methods."
+        else
+          "included in a subclass of OAuthenticator::SignedRequest, typically by passing it to OAuthenticator::SignedRequest.including_config(your_module)."
+        end
+      end + " Please consult the documentation."
+      raise NotImplementedError, message
+    end
+  end
+end

data/lib/oauthenticator/version.rb

@@ -0,0 +1,3 @@
+module OAuthenticator
+  VERSION = "0.1.0"
+end

data/lib/oauthenticator.rb

@@ -0,0 +1,6 @@
+require "oauthenticator/version"
+
+module OAuthenticator
+  autoload :Middleware, 'oauthenticator/middleware'
+  autoload :SignedRequest, 'oauthenticator/signed_request'
+end

data/test/oauthenticator_test.rb

@@ -0,0 +1,430 @@
+# encoding: utf-8
+
+require 'simplecov'
+
+require 'debugger'
+Debugger.start
+
+# NO EXPECTATIONS 
+ENV["MT_NO_EXPECTATIONS"]
+
+require 'minitest/autorun'
+require 'minitest/reporters'
+Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new
+
+require 'rack/test'
+require 'timecop'
+
+require 'oauthenticator'
+
+# config methods for testing OAuthenticator. simple 
+module OAuthenticatorTestConfigMethods
+  class << self
+    # a set of nonces
+    define_method(:nonces) { @nonces ||= Set.new }
+    # a Hash keyed by consumer keys with values of consumer secrets
+    define_method(:consumer_secrets) { @consumer_secrets ||= {} }
+    # a Hash keyed by access tokens with values of access token secrets 
+    define_method(:access_token_secrets) { @access_token_secrets ||= {} }
+    # a Hash keyed by access tokens with values of consumer keys
+    define_method(:access_token_consumers) { @access_token_consumers ||= {} }
+  end
+
+  def nonce_used?
+    OAuthenticatorTestConfigMethods.nonces.include?(oauth_header_params[:nonce])
+  end
+
+  def use_nonce!
+    OAuthenticatorTestConfigMethods.nonces << oauth_header_params[:nonce]
+  end
+
+  def timestamp_valid_period
+    10
+  end
+
+  def allowed_signature_methods
+    %w(HMAC-SHA1 RSA-SHA1 PLAINTEXT)
+  end
+
+  def consumer_secret
+    OAuthenticatorTestConfigMethods.consumer_secrets[oauth_header_params[:consumer_key]]
+  end
+
+  def access_token_secret
+    OAuthenticatorTestConfigMethods.access_token_secrets[oauth_header_params[:token]]
+  end
+
+  def access_token_belongs_to_consumer?
+    OAuthenticatorTestConfigMethods.access_token_consumers[oauth_header_params[:token]] == oauth_header_params[:consumer_key]
+  end
+end
+
+describe OAuthenticator::Middleware do
+  # act like a database cleaner
+  after do
+    [:nonces, :consumer_secrets, :access_token_secrets, :access_token_consumers].each do |db|
+      OAuthenticatorTestConfigMethods.send(db).clear
+    end
+
+    Timecop.return
+  end
+
+  let(:simpleapp) { proc { |env| [200, {}, ['☺']] } }
+  let(:oapp) { OAuthenticator::Middleware.new(simpleapp, :config_methods => OAuthenticatorTestConfigMethods) }
+
+  let(:consumer) do
+    {:key => "test_client_app_key", :secret => "test_client_app_secret"}.tap do |consumer|
+      OAuthenticatorTestConfigMethods.consumer_secrets[consumer[:key]] = consumer[:secret]
+    end
+  end
+  let(:consumer_key) { consumer[:key] }
+  let(:consumer_secret) { consumer[:secret] }
+
+  let(:access_token_hash) do
+    {:token => 'test_access_token', :secret => 'test_access_token_secret', :consumer_key => consumer_key}.tap do |hash|
+      OAuthenticatorTestConfigMethods.access_token_secrets[hash[:token]] = hash[:secret]
+      OAuthenticatorTestConfigMethods.access_token_consumers[hash[:token]] = hash[:consumer_key]
+    end
+  end
+  let(:access_token) { access_token_hash[:token] }
+  let(:access_token_secret) { access_token_hash[:secret] }
+
+  def assert_response(expected_status, expected_body, actual_status, actual_headers, actual_body)
+    actual_body_s = actual_body.to_enum.to_a.join
+    assert_equal expected_status.to_i, actual_status.to_i, "Expected status to be #{expected_status.inspect}" +
+      "; got #{actual_status.inspect}. body was: #{actual_body_s}"
+    assert expected_body === actual_body_s, "Expected match for #{expected_body}; got #{actual_body_s}"
+  end
+
+  it 'makes a valid two-legged signed request (generated)' do
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = SimpleOAuth::Header.new(
+      request.request_method,
+      request.url,
+      nil,
+      {:consumer_key => consumer_key, :consumer_secret => consumer_secret}
+    ).to_s
+    assert_response(200, '☺', *oapp.call(request.env))
+  end
+
+  it 'makes a valid two-legged signed request with a form encoded body (generated)' do
+    request = Rack::Request.new(Rack::MockRequest.env_for('/',
+      :method => 'GET',
+      :input => 'a=b&a=c',
+      'CONTENT_TYPE' => 'application/x-www-form-urlencoded; charset=UTF8',
+    ))
+    request.env['HTTP_AUTHORIZATION'] = SimpleOAuth::Header.new(
+      request.request_method,
+      request.url,
+      [['a', 'b'], ['a', 'c']],
+      {:consumer_key => consumer_key, :consumer_secret => consumer_secret}
+    ).to_s
+    assert_response(200, '☺', *oapp.call(request.env))
+  end
+
+  it 'makes a valid three-legged signed request (generated)' do
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = SimpleOAuth::Header.new(
+      request.request_method,
+      request.url,
+      nil,
+      { :consumer_key => consumer_key,
+        :consumer_secret => consumer_secret,
+        :token => access_token,
+        :token_secret => access_token_secret,
+      }
+    ).to_s
+    assert_response(200, '☺', *oapp.call(request.env))
+  end
+
+  2.times do |i|
+    # run these twice to make sure that the databas cleaner clears out the nonce since we use the same 
+    # nonce across tests 
+    it "makes a valid signed two-legged request (static #{i})" do
+      Timecop.travel Time.at 1391021695
+      consumer # cause this to be created
+      request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+      request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+        %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+        %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+        %q(oauth_signature_method="HMAC-SHA1", ) +
+        %q(oauth_timestamp="1391021695", ) +
+        %q(oauth_version="1.0")
+      assert_response(200, '☺', *oapp.call(request.env))
+    end
+
+    it "makes a valid signed three-legged request (static #{i})" do
+      Timecop.travel Time.at 1391021695
+      consumer # cause this to be created
+      access_token_hash # cause this to be created
+      request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+      request.env['HTTP_AUTHORIZATION'] = %q(OAuth ) +
+        %q(oauth_consumer_key="test_client_app_key", ) +
+        %q(oauth_nonce="6320851a8f4e18b2ac223497b0477f2e", ) +
+        %q(oauth_signature="B0sJjhfiXajEveqgjaRL3L60sCM%3D", ) +
+        %q(oauth_signature_method="HMAC-SHA1", ) +
+        %q(oauth_timestamp="1391021695", ) +
+        %q(oauth_token="test_access_token", ) +
+        %q(oauth_version="1.0")
+      assert_response(200, '☺', *oapp.call(request.env))
+    end
+  end
+
+  it 'complains about a missing Authorization header' do
+    assert_response(401, /Authorization header is missing/, *oapp.call({}))
+  end
+
+  it 'complains about a blank Authorization header' do
+    assert_response(401, /Authorization header is blank/, *oapp.call({'HTTP_AUTHORIZATION' => ' '}))
+  end
+
+  it 'complains about a non-OAuth Authentication header' do
+    assert_response(401, /Authorization scheme is not OAuth/, *oapp.call({'HTTP_AUTHORIZATION' => 'Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='}))
+  end
+
+  it 'omits timestamp' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      #%q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_timestamp.*is missing/m, *oapp.call(request.env))
+  end
+  it 'has a non-integer timestamp' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="now", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_timestamp.*is not an integer - got: now/m, *oapp.call(request.env))
+  end
+  it 'has a too-old timestamp' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391010893", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_timestamp.*is too old: 1391010893/m, *oapp.call(request.env))
+  end
+  it 'has a timestamp too far in the future' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391032497", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_timestamp.*is too far in the future: 1391032497/m, *oapp.call(request.env))
+  end
+  it 'omits version' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="lCVypLHYc6oKz+vOa6DKEivoyys%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695")
+      #%q(oauth_version="1.0")
+    assert_response(200, '☺', *oapp.call(request.env))
+  end
+  it 'has a wrong version' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="3.14")
+    assert_response(401, /Authorization oauth_version.*must be 1\.0; got: 3\.14/m, *oapp.call(request.env))
+  end
+  it 'omits consumer key' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth ) + #%q(oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_consumer_key.*is missing/m, *oapp.call(request.env))
+  end
+  it 'has an invalid consumer key' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="nonexistent_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_consumer_key.*is invalid/m, *oapp.call(request.env))
+  end
+  it 'has an invalid access token' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    access_token_hash # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth ) +
+      %q(oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="6320851a8f4e18b2ac223497b0477f2e", ) +
+      %q(oauth_signature="B0sJjhfiXajEveqgjaRL3L60sCM%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_token="nonexistent_access_token", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_token.*is invalid/m, *oapp.call(request.env))
+  end
+  it 'has an access token belonging to a different consumer key' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    access_token_hash # cause this to be created
+
+    OAuthenticatorTestConfigMethods.consumer_secrets["different_client_app_key"] = "different_client_app_secret"
+
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth ) +
+      %q(oauth_consumer_key="different_client_app_key", ) +
+      %q(oauth_nonce="6320851a8f4e18b2ac223497b0477f2e", ) +
+      %q(oauth_signature="PVscPDg%2B%2FjAXRiahIggkeBpN5zI%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_token="test_access_token", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_token.*does not belong to the specified consumer/m, *oapp.call(request.env))
+  end
+  it 'omits nonce' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      #%q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_nonce.*is missing/m, *oapp.call(request.env))
+  end
+  it 'has an already-used nonce' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(200, '☺', *oapp.call(request.env))
+    assert_response(401, /Authorization oauth_nonce.*has already been used/m, *oapp.call(request.env))
+  end
+  it 'omits signature' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      #%q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_signature.*is missing/m, *oapp.call(request.env))
+  end
+  it 'omits signature method' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      #%q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_signature_method.*is missing/m, *oapp.call(request.env))
+  end
+  it 'specifies an invalid signature method' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="Xy1s5IUn8x0U2KPyHBw4B2cHZMo%3D", ) +
+      %q(oauth_signature_method="ROT13", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_signature_method.*must be one of HMAC-SHA1, RSA-SHA1, PLAINTEXT; got: ROT13/m, *oapp.call(request.env))
+  end
+  it 'has an invalid signature' do
+    Timecop.travel Time.at 1391021695
+    consumer # cause this to be created
+    request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+    request.env['HTTP_AUTHORIZATION'] = %q(OAuth oauth_consumer_key="test_client_app_key", ) +
+      %q(oauth_nonce="c1c2bd8676d44e48691c8dceffa66a96", ) +
+      %q(oauth_signature="totallylegit", ) +
+      %q(oauth_signature_method="HMAC-SHA1", ) +
+      %q(oauth_timestamp="1391021695", ) +
+      %q(oauth_version="1.0")
+    assert_response(401, /Authorization oauth_signature.*is invalid/m, *oapp.call(request.env))
+  end
+
+  describe :bypass do
+    it 'bypasses with invalid request' do
+      oapp = OAuthenticator::Middleware.new(simpleapp, :bypass => proc { true }, :config_methods => OAuthenticatorTestConfigMethods)
+      env = Rack::MockRequest.env_for('/', :method => 'GET').merge({'HTTP_AUTHORIZATION' => 'oauth ?'})
+      assert_response(200, '☺', *oapp.call(env))
+    end
+
+    it 'does not bypass with invalid request' do
+      oapp = OAuthenticator::Middleware.new(simpleapp, :bypass => proc { false }, :config_methods => OAuthenticatorTestConfigMethods)
+      assert_equal(401, oapp.call({}).first)
+    end
+
+    it 'bypasses with valid request' do
+      was_authenticated = nil
+      bapp = proc { |env| was_authenticated = env['oauth.authenticated']; [200, {}, ['☺']] }
+      boapp = OAuthenticator::Middleware.new(bapp, :bypass => proc { true }, :config_methods => OAuthenticatorTestConfigMethods)
+      request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+      request.env['HTTP_AUTHORIZATION'] = SimpleOAuth::Header.new(
+        request.request_method,
+        request.url,
+        nil,
+        {:consumer_key => consumer_key, :consumer_secret => consumer_secret}
+      ).to_s
+      assert_response(200, '☺', *boapp.call(request.env))
+      assert(was_authenticated == false)
+    end
+
+    it 'does not bypass with valid request' do
+      was_authenticated = nil
+      bapp = proc { |env| was_authenticated = env['oauth.authenticated']; [200, {}, ['☺']] }
+      boapp = OAuthenticator::Middleware.new(bapp, :bypass => proc { false }, :config_methods => OAuthenticatorTestConfigMethods)
+      request = Rack::Request.new(Rack::MockRequest.env_for('/', :method => 'GET'))
+      request.env['HTTP_AUTHORIZATION'] = SimpleOAuth::Header.new(
+        request.request_method,
+        request.url,
+        nil,
+        {:consumer_key => consumer_key, :consumer_secret => consumer_secret}
+      ).to_s
+      assert_response(200, '☺', *boapp.call(request.env))
+      assert(was_authenticated == true)
+    end
+  end
+end

metadata

@@ -0,0 +1,263 @@
+--- !ruby/object:Gem::Specification
+name: oauthenticator
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Ethan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simple_oauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rdiscount
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+description: OAuthenticator authenticates OAuth 1.0 signed requests, primarily as
+  a middleware, and forms useful error messages when authentication fails.
+email:
+- ethan@dishdigital
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/oauthenticator.rb
+- lib/oauthenticator/middleware.rb
+- lib/oauthenticator/config_methods.rb
+- lib/oauthenticator/signed_request.rb
+- lib/oauthenticator/version.rb
+- test/oauthenticator_test.rb
+homepage: https://github.com/notEthan/oauthenticator
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: OAuth 1.0 request authentication middleware
+test_files:
+- test/oauthenticator_test.rb
+has_rdoc: