opro 0.0.1.pre → 0.0.1.pre1.0.1

data/README.md

@@ -1,27 +1,17 @@
 ## Stop, Read This
 
-This is my first time writing and Oauth Provider, so there may be buggy or insecure code. If you want to use this, do so at your own risk. I'm vetting it on some development and production applications, when it is ready for consumption and contribution, i'll remove this. If you want to be notified when that happens let me know [@schneems](http://twitter.com/schneems). For now this should be considered a toy, and enjoyed as such :)
+If you want to use this, do so at your own risk. I'm vetting it on some development and production applications, when it is ready for consumption and contribution, I'll remove this. If you want to be notified when that happens let me know [@schneems](http://twitter.com/schneems). For now this should be considered a toy, and enjoyed as such :)
 
 ## Opro
 
 A Rails Engine that turns your app into an [Oauth](http://oauth.net/2/) Provider.
 
-
-## What is an Oauth Provider
-
-Oauth is used all over the web by apps that need to authenticate users or restrict access to information in a secure fashion. Twitter and Facebook are the best known Oauth Providers. Users click "connect to Twitter" in an iPhone app, then they're sent over to Twitter's site where they can accept or deny access. From there they're sent back to the iPhone app where they can do anything through the API that they would be allowed to do in the website.
-
-Most users understand the flow pretty well, it's a fairly standard process, and is secure. While there are plenty of Oauth client libraries unfortunately it's not super easy to implement from a provider standpoint. Since I hate writing code twice, I decided to take an Oauth Provider and turn it into a Rails Engine so anyone could implement an Oauth Provider on their site.
-
 ## Why would I use this?
 
 Lets say you've built a Rails app, awesome. Now you want to build a mobile app on say, the iPhone; cool. You start throwing around `#to_json` like nobody's business, but then you realize you need to authenticate users somehow. "Basic Auth!!", you exclaim, but then you realize that's not the most secure solution. You also realize that some users already signed up with Facebook & Twitter so they don't have a username/password combo. What ever shall you do?
 
 Wouldn't it be great if we could have a token exchange where the user goes to a mobile web view and grants permission, and then we return back an auth token just like the big boys (Facebook, Twitter, *cough* Foursquare *cough*). With Opro, we can add this functionality pretty easily. We'll use your existing authentication strategy and provide some end integration points for your clients to use out of the box.
 
-## Sounds Hard
-
-It's not, just follow the directions below. I'll add a screencast and example app when I get time. Any questions, open an issue or ping me on Twitter.
 
 ## Install
 
@@ -31,16 +21,31 @@ Gemfile
   gem 'opro'
 ```
 
+Then run
+
 ```shell
   $ bundle install
 ```
 
+and don't forget
+
 ```shell
-  $ opro:install
+  $ rails g opro:install
 ```
 
 This will put a file in `initializers/opro.rb` and generate some migrations.
 
+
+Now we're ready to migrate the database
+
+```shell
+  $ rake db:migrate
+````
+
+This will add `Oauth::AccessGrant` and `Oauth::ClientApplication` to your database
+
+## Setup
+
 Go to `initializers/opro.rb` and configure your app for your authentication scheme.
 
 ```ruby
@@ -59,20 +64,32 @@ If you're not using devise you can manually configure your own auth strategy. In
   end
 ```
 
-Now we're ready to migrate the database
+Now in your controllers you can allow OAuth access using the same syntax of the rails `before_filter`
+
+```ruby
+  class UsersController < ApplicationController
+    allow_oauth!  :only => [:show]
+  end
+```
+
+
+You can also disallow OAuth on specific actions. Disallowing will always over-ride allowing.
 
-```shell
-  $ rake db:migrate
-````
 
+```ruby
+  class ProductsController < ApplicationController
+    disallow_oauth!   :only => [:create]
+  end
+```
 
+By default all OAuth access is blacklisted. To whitelist all access, add `allow_oauth!` to your `ApplicationController` (this is not recommended). The best practice is to add allow or disallow code to each controller.
 
 That should be all you need to do to get setup, congrats you're now able to authenticate users using OAuth!!
 
 
 ## Use it
 
-Opro comes with built in documentation, so if you start your server you can view them at `/docs/oauth`. If you're reading this on Github you can jump right to the [Quick Start](/app/views/docs/markdown/quick_start.md) guide. This guide will walk you through creating your first Oauth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
+Opro comes with built in documentation, so if you start your server you can view them at http://localhost:3000/oauth_docs. If you're reading this on Github you can jump right to the [Quick Start](https://github.com/schneems/opro/blob/master/app/views/oauth/docs/markdown/quick_start.md.erb) guide. This guide will walk you through creating your first OAuth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
 
 
 ## Assumptions

data/Rakefile

@@ -40,7 +40,7 @@ Jeweler::Tasks.new do |gem|
   gem.homepage    = "http://github.com/schneems/opro"
   gem.license     = "MIT"
   gem.summary     = %Q{ Opro turns your Rails application into an OAuth Provider }
-  gem.description = %Q{ Enable oauth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you}
+  gem.description = %Q{ Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you}
   gem.email       = "richard.schneeman@gmail.com"
   gem.authors     = ["schneems"]
   # dependencies defined in Gemfile

data/VERSION

@@ -1 +1 @@
-0.0.1.pre
+0.0.1.pre1.0.1

data/app/controllers/oauth/tests_controller.rb

@@ -0,0 +1,53 @@
+class Oauth::TestsController < ApplicationController
+  allow_oauth!
+  disallow_oauth! :only => [:destroy]
+
+  def index
+
+  end
+
+  def show
+    result = if valid_oauth?
+      {:status => 200, :message => 'OAuth Worked!!', :params => params, :user_id => oauth_user.id }
+    else
+      {:status => 401, :message => "OAuth Did not Work :(  #{generate_oauth_error_message!}", :params => params}
+    end
+
+    respond_to do |format|
+      format.html do
+        render :text => result.to_json,   :status => result[:status], :layout => true
+      end
+      format.json do
+        render :json => result, :status => result[:status]
+      end
+    end
+  end
+
+  def destroy
+    result = if valid_oauth?
+      {:status => 200, :message => 'OHNO!!! OAuth is Disabled on this Action, this is bad', :params => params}
+    else
+      {:status => 401, :message => "Oauth is Disabled on this Action, this is the correct result!", :params => params}
+    end
+
+    respond_to do |format|
+      format.html do
+        render :text => result.to_json,   :status => result[:status], :layout => true
+      end
+      format.json do
+        render :json => result, :status => result[:status]
+      end
+    end
+  end
+
+  private
+
+  def generate_oauth_error_message!
+    msg = ""
+    msg << ' - No OAuth Token Provided!'  if params[:access_token].blank?
+    msg << ' - Allow OAuth set to false!' if allow_oauth? == false
+    msg << ' - OAuth user not found!'     if oauth_user.blank?
+    msg
+  end
+
+end

data/app/views/oauth/client_application/new.html.erb

@@ -3,7 +3,7 @@
   <%= form_for @client_app do |f| %>
     <%= f.label :name %>:
     <%= f.text_field :name, :placeholder => 'App Name' %>
-    <%= f.submit 'Create Oauth Client', :id => 'submitApp' %>
+    <%= f.submit 'Create OAuth Client', :id => 'submitApp' %>
   <%- end -%>
 </div>
 

data/app/views/oauth/docs/markdown/oauth.md.erb

@@ -1 +1,3 @@
-Oauth is ... TODO
+Oauth is ... TODO
+
+<%= link_to "Facebook's Server Side OAuth Authentication", 'http://developers.facebook.com/docs/authentication/server-side/'%>

data/app/views/oauth/docs/markdown/quick_start.md.erb

@@ -2,6 +2,7 @@
 
 This site is providing OAuth through [Opro](http://github.com/schneems/opro). If this is your first time using Oauth, please visit [What is Oauth]() or follow along with this guide.
 
+
 ## Step 1: Register your Application
 
 Sign in as a registered user then visit the [new client application page](/oauth_client_applications/new). Enter in the name of your application for this example we can use `foo`, you can change this later if you desire. Hit enter and you should see a screen that has your application name along with a `client id` and a `secret`, these behave like a username and password for your OAuth application.
@@ -19,20 +20,19 @@ Once you've registered an app successfully we can start to build an OAuth applic
 
 Now that you have a client id, you'll want to give it access to a  user account. Open a new browser window with your currently logged in account, then give your application permission by visiting the url below (please swap out '3234myClientId5678' for your client id)
 
-    <%= "#{request.base_url}/oauth/authorize?" %>client_id=3234myClientId5678&redirect_uri=/
+    <%= "#{request.base_url}/oauth/authorize?" %>client_id=3234myClientId5678&redirect_uri=%2F
 
 This should land you on a page asking if you would like to grant permission to the application. If not, make sure you're logged in and you put the correct client id in the url.
 
 Once you grant your application permission, you will be redirected back to the url provided. In this case we will go back to the home page of our app.
 
-Once redirected to the home page take a look in the address bar, we should see a `code` parameter. Copy this for use later:
+Once redirected to the home page, take a look in the address bar, we should see a `code` parameter. Copy this for use later:
 
     <%= "#{request.base_url}?" %>?code=4857goldfish827423
 
 In the url above the `code` would be `4857goldfish827423`. This code can be used to obtain an access token for the user. Once you have a user's access token, you can perform actions for the user as if they were logged in. If you accidentally close this page, don't worry just visit first url and we'll show you the code again.
 
 
-
 ## Step 3: Get AccessToken for User with Curl
 
 We'll be using [Curl]() to go through the process of getting an access for our first user, you'll likely use http client libraries in your actual applications, but most systems come with curl and it is a fairly easy way to get started. If you've never used it before read our [curl documentation]()
@@ -52,19 +52,20 @@ You should get back a response that looks like this
 If not, double check the previous steps and ensure you are using the correct values in the query. Copy the `access_token` we'll use it for the rest of our application, in this example it is `9693accessTokena7ca570bbaf`. Treat this access_token as if it were the user's password. It is sensitive information.
 
 
-Step 4: Use the access token
+## Step 4: Use the access token
 
 Now we've gone through all the hard work of getting this token, you can use it to make authenticated requests to the server. You'll just need to include the correct `access_token` parameter in your query and you'll be logged in as that user for that request.
 
-
 Try it out for yourself open up a browser and go to
 
+    <%= "#{request.base_url}/oauth_test/show_me_the_money?access_token=9693accessTokena7ca570bbaf" %>
 
-    <%= "#{request.base_url}/oauth/access_token?" %>
 
+You should see a successful result ( again don't forget to replace the example access token with yours ). Not all urls will support OAuth authentication.
 
 ## Security
 
-
 Don't share your client application's secret or any user's access_token with unknown or untrusted parties. Always use https when available and don't write any of these values to your application's logs.
 
+
+<%= view_context.link_to ' ← back',  oauth_docs_path %>

data/app/views/oauth/tests/index.html.erb

@@ -0,0 +1,31 @@
+<h2>Oauth Test</h2>
+
+<p>Use this url scheme to test your OAuth application</p>
+
+<h2>Test OAuth Allow</h2>
+
+<p>
+  If you send a valid OAuth request to any oauth_test url such as <%= link_to oauth_test_path(:show_me_the_money), oauth_test_path(:show_me_the_money) %> you should see a response like this
+</p>
+  <pre>
+    <code>
+      <%= {:status => 200, :message => 'Oauth Worked!! ', :params => {:id => 'show_me_the_money', :access_token => '3948fuAlo10gnsu'} }.to_json %>
+    </code>
+  </pre>
+<p>
+  If the request is not valid you will receive a message detailing the errors.
+</p>
+
+<h2>Test OAuth Disallow</h2>
+<p>
+  If you send a valid OAuth request using the 'DELETE' HTTP method to <%=  oauth_test_path(:show_me_the_money) %> you should see a response like below.</p>
+  <%= button_to oauth_test_path(:show_me_the_money), oauth_test_path(:show_me_the_money), :method => :delete %>
+  <pre>
+    <code>
+      <%= {:status => 401, :message => 'Oauth is Disabled on this Action, this is the correct result!', :params => {:id => 'show_me_the_money', :access_token => '3948fuAlo10gnsu'}}.to_json %>
+    </code>
+  </pre>
+
+<p>
+  If you get a 200 result, then there is something configured incorrectly on the server, please contact the administrator.
+</p>

data/config/routes.rb

@@ -5,5 +5,6 @@ Rails.application.routes.draw do
   match '/oauth/access_token' => 'oauth/auth#access_token', :as => 'oauth_token'
 
   resources :oauth_docs,                :controller => 'oauth/docs'
+  resources :oauth_tests,               :controller => 'oauth/tests'
   resources :oauth_client_applications, :controller => 'oauth/client_application'
 end

data/lib/opro/controllers/application_controller_helper.rb

@@ -4,7 +4,7 @@ module Opro
   module Controllers
     module ApplicationControllerHelper
       extend ActiveSupport::Concern
-      
+
       included do
         around_filter      :oauth_auth!
         skip_before_filter :verify_authenticity_token, :if => :valid_oauth?
@@ -14,9 +14,33 @@ module Opro
         Opro.authenticate_user_method.call(self)
       end
 
+      module ClassMethods
+        def allow_oauth!(options = {})
+          prepend_before_filter :allow_oauth, options
+        end
+
+        def disallow_oauth!(options = {})
+          prepend_before_filter :disallow_oauth,  options
+          skip_before_filter    :allow_oauth,     options
+        end
+      end
+
       protected
+
+      def allow_oauth?
+        @use_oauth ||= false
+      end
+
+      def disallow_oauth
+        @use_oauth = false
+      end
+
+      def allow_oauth
+        @use_oauth = true
+      end
+
       def oauth?
-        params[:access_token].present?
+        allow_oauth? && params[:access_token].present?
       end
 
       def oauth_user

data/opro.gemspec

@@ -5,12 +5,12 @@
 
 Gem::Specification.new do |s|
   s.name = "opro"
-  s.version = "0.0.1.pre"
+  s.version = "0.0.1.pre1.0.1"
 
   s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
   s.date = "2012-04-10"
-  s.description = " Enable oauth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
+  s.description = " Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [
     "README.md"
@@ -26,6 +26,7 @@ Gem::Specification.new do |s|
     "app/controllers/oauth/auth_controller.rb",
     "app/controllers/oauth/client_application_controller.rb",
     "app/controllers/oauth/docs_controller.rb",
+    "app/controllers/oauth/tests_controller.rb",
     "app/controllers/opro_application_controller.rb",
     "app/models/oauth/access_grant.rb",
     "app/models/oauth/client_application.rb",
@@ -38,6 +39,7 @@ Gem::Specification.new do |s|
     "app/views/oauth/docs/markdown/oauth.md.erb",
     "app/views/oauth/docs/markdown/quick_start.md.erb",
     "app/views/oauth/docs/show.html.erb",
+    "app/views/oauth/tests/index.html.erb",
     "config/routes.rb",
     "lib/generators/active_record/opro_generator.rb",
     "lib/generators/active_record/templates/access_grants.rb",

data/test/dummy/app/controllers/application_controller.rb

@@ -1,3 +1,6 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
+
+  allow_oauth!
+
 end

data/test/integration/oauth_test.rb

@@ -14,4 +14,8 @@ class OauthTest < ActiveSupport::IntegrationCase
     visit "/?access_token=#{access_token}"
     assert has_content?('User is logged in')
   end
+
+  test 'blacklisted route should not show user logged in' do
+    #TODO
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opro
 version: !ruby/object:Gem::Version
-  version: 0.0.1.pre
+  version: 0.0.1.pre1.0.1
   prerelease: 6
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2012-04-10 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70329431198240 !ruby/object:Gem::Requirement
+  requirement: &70203502493160 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 3.0.7
   type: :runtime
   prerelease: false
-  version_requirements: *70329431198240
+  version_requirements: *70203502493160
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70329431197140 !ruby/object:Gem::Requirement
+  requirement: &70203502491540 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.0.7
   type: :runtime
   prerelease: false
-  version_requirements: *70329431197140
+  version_requirements: *70203502491540
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &70329431196460 !ruby/object:Gem::Requirement
+  requirement: &70203502490520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70329431196460
+  version_requirements: *70203502490520
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70329431195780 !ruby/object:Gem::Requirement
+  requirement: &70203502489320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70329431195780
+  version_requirements: *70203502489320
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70329431195160 !ruby/object:Gem::Requirement
+  requirement: &70203502488240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: 1.1.3
   type: :development
   prerelease: false
-  version_requirements: *70329431195160
+  version_requirements: *70203502488240
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &70329431194500 !ruby/object:Gem::Requirement
+  requirement: &70203502486620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: 0.4.0
   type: :development
   prerelease: false
-  version_requirements: *70329431194500
+  version_requirements: *70203502486620
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70329431193900 !ruby/object:Gem::Requirement
+  requirement: &70203502485440 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70329431193900
+  version_requirements: *70203502485440
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: &70329431193160 !ruby/object:Gem::Requirement
+  requirement: &70203502466260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70329431193160
+  version_requirements: *70203502466260
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &70329431192520 !ruby/object:Gem::Requirement
+  requirement: &70203502464720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70329431192520
+  version_requirements: *70203502464720
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70329431191660 !ruby/object:Gem::Requirement
+  requirement: &70203502462100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70329431191660
+  version_requirements: *70203502462100
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70329431190860 !ruby/object:Gem::Requirement
+  requirement: &70203502460760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,8 +131,8 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70329431190860
-description: ! ' Enable oauth clients (iphone, android, web sites, etc.) to access
+  version_requirements: *70203502460760
+description: ! ' Enable OAuth clients (iphone, android, web sites, etc.) to access
   and use your Rails application, what you do with it is up to you'
 email: richard.schneeman@gmail.com
 executables: []
@@ -150,6 +150,7 @@ files:
 - app/controllers/oauth/auth_controller.rb
 - app/controllers/oauth/client_application_controller.rb
 - app/controllers/oauth/docs_controller.rb
+- app/controllers/oauth/tests_controller.rb
 - app/controllers/opro_application_controller.rb
 - app/models/oauth/access_grant.rb
 - app/models/oauth/client_application.rb
@@ -162,6 +163,7 @@ files:
 - app/views/oauth/docs/markdown/oauth.md.erb
 - app/views/oauth/docs/markdown/quick_start.md.erb
 - app/views/oauth/docs/show.html.erb
+- app/views/oauth/tests/index.html.erb
 - config/routes.rb
 - lib/generators/active_record/opro_generator.rb
 - lib/generators/active_record/templates/access_grants.rb
@@ -235,7 +237,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3465543543531569023
+      hash: -607479715438649741
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: