opro 0.0.1 → 0.0.2

data/Gemfile

@@ -1,13 +1,14 @@
 source "http://rubygems.org"
 
-gem "activesupport" , ">= 3.0.7"
-gem "rails"         , ">= 3.0.7"
+gem "activesupport" , ">= 3.1.0"
+gem "rails"         , ">= 3.1.0"
 
 
 gem 'bluecloth'
 
 group :development, :test do
   gem 'mocha'
+  gem 'timecop'
   gem 'jeweler',  "~> 1.6.4"
   gem "bundler",  ">= 1.1.3"
 
@@ -17,6 +18,9 @@ group :development, :test do
   gem "launchy"
 end
 
+group :test do
+  gem 'database_cleaner'
+end
 
 group :test, :development do
   gem 'devise'

data/Gemfile.lock

@@ -1,31 +1,31 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.3)
-      actionpack (= 3.2.3)
+    actionmailer (3.2.6)
+      actionpack (= 3.2.6)
       mail (~> 2.4.4)
-    actionpack (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
+    actionpack (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.1)
       rack (~> 1.4.0)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.1.2)
-    activemodel (3.2.3)
-      activesupport (= 3.2.3)
+      sprockets (~> 2.1.3)
+    activemodel (3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
-    activerecord (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
+    activerecord (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
-    activesupport (3.2.3)
+    activeresource (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+    activesupport (3.2.6)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     addressable (2.2.7)
@@ -42,6 +42,7 @@ GEM
       xpath (~> 0.1.4)
     childprocess (0.3.1)
       ffi (~> 1.0.6)
+    database_cleaner (0.8.0)
     devise (2.0.4)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
@@ -56,8 +57,8 @@ GEM
       bundler (~> 1.0)
       git (>= 1.2.5)
       rake
-    journey (1.0.3)
-    json (1.6.6)
+    journey (1.0.4)
+    json (1.7.3)
     launchy (2.1.0)
       addressable (~> 2.2.6)
     mail (2.4.4)
@@ -68,7 +69,7 @@ GEM
     mime-types (1.18)
     mocha (0.11.4)
       metaclass (~> 0.0.1)
-    multi_json (1.2.0)
+    multi_json (1.3.6)
     nokogiri (1.5.2)
     orm_adapter (0.0.7)
     polyglot (0.3.3)
@@ -79,21 +80,21 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.2.3)
-      actionmailer (= 3.2.3)
-      actionpack (= 3.2.3)
-      activerecord (= 3.2.3)
-      activeresource (= 3.2.3)
-      activesupport (= 3.2.3)
+    rails (3.2.6)
+      actionmailer (= 3.2.6)
+      actionpack (= 3.2.6)
+      activerecord (= 3.2.6)
+      activeresource (= 3.2.6)
+      activesupport (= 3.2.6)
       bundler (~> 1.0)
-      railties (= 3.2.3)
-    railties (3.2.3)
-      actionpack (= 3.2.3)
-      activesupport (= 3.2.3)
+      railties (= 3.2.6)
+    railties (3.2.6)
+      actionpack (= 3.2.6)
+      activesupport (= 3.2.6)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6, < 2.0)
     rake (0.9.2.2)
     rcov (1.0.0)
     rdoc (3.12)
@@ -108,13 +109,14 @@ GEM
       multi_json (~> 1.0)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    sprockets (2.1.2)
+    sprockets (2.1.3)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.5)
-    thor (0.14.6)
+    thor (0.15.2)
     tilt (1.3.3)
+    timecop (0.3.5)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
@@ -128,15 +130,17 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  activesupport (>= 3.0.7)
+  activesupport (>= 3.1.0)
   bluecloth
   bundler (>= 1.1.3)
   capybara (>= 0.4.0)
+  database_cleaner
   devise
   jeweler (~> 1.6.4)
   launchy
   mocha
-  rails (>= 3.0.7)
+  rails (>= 3.1.0)
   rcov
   simplecov
   sqlite3
+  timecop

data/README.md

@@ -4,7 +4,10 @@ If you want to use this, do so at your own risk. I'm vetting it on some developm
 
 ## Opro
 
-A Rails Engine that turns your app into an [Oauth](http://oauth.net/2/) Provider.
+A Rails Engine that turns your app into an [Oauth2](http://oauth.net/2/) Provider.
+
+  * [Demo OAuth Provider app with Opro](http://opro-demo.herokuapp.com/) on Heroku
+  * [Built in Opro docs](http://opro-demo.herokuapp.com/oauth_docs)
 
 ## Why would I use this?
 
@@ -18,58 +21,49 @@ Wouldn't it be great if we could have a token exchange where the user goes to a
 Gemfile
 
 ```ruby
-  gem 'opro'
+    gem 'opro'
 ```
 
 Then run
 
 ```shell
-  $ bundle install
+    $ bundle install
 ```
 
 and don't forget
 
 ```shell
-  $ rails g opro:install
+    $ rails g opro:install
 ```
 
-This will put a file in `initializers/opro.rb` and generate some migrations.
+This will put a file in `initializers/opro.rb` and generate some migrations, and add `mount_opro_oauth` to your routes.
 
 
 Now we're ready to migrate the database
 
 ```shell
-  $ rake db:migrate
+    $ rake db:migrate
 ````
 
-This will add `Oauth::AccessGrant` and `Oauth::ClientApplication` to your database
+This will add `Oauth::AuthGrant` and `Oauth::ClientApp` to your database. An iPhone app would need to register for a `client_id` and `client_secret` before using Oauth as a ClientApp. Once created they could get authorization from users by going through the oauth flow, thus creating AuthGrants. In other words a ClientApp has many users through AuthGrants.
 
 ## Setup
 
-Go to `initializers/opro.rb` and configure your app for your authentication scheme.
+Go to `initializers/opro.rb` and configure your app for your authentication scheme, if you're not using devise see "Custom Auth" below.
 
 ```ruby
-  Opro.setup do |config|
-    config.auth_strategy = :devise
-  end
+      Opro.setup do |config|
+        config.auth_strategy = :devise
+      end
 ```
 
-If you're not using devise you can manually configure your own auth strategy. In the future I plan on adding more auth strategies, ping me or submit a pull request for your desired authentication scheme.
-
-```ruby
-  Opro.setup do |config|
-    config.login_method             { |controller, current_user| controller.sign_in(current_user, :bypass => true) }
-    config.logout_method            { |controller, current_user| controller.sign_out(current_user) }
-    config.authenticate_user_method { |controller| controller.authenticate_user! }
-  end
-```
 
 Now in your controllers you can allow OAuth access using the same syntax of the rails `before_filter`
 
 ```ruby
-  class UsersController < ApplicationController
-    allow_oauth!  :only => [:show]
-  end
+      class UsersController < ApplicationController
+        allow_oauth!  :only => [:show]
+      end
 ```
 
 
@@ -77,12 +71,12 @@ You can also disallow OAuth on specific actions. Disallowing will always over-ri
 
 
 ```ruby
-  class ProductsController < ApplicationController
-    disallow_oauth!   :only => [:create]
-  end
+      class ProductsController < ApplicationController
+        disallow_oauth!   :only => [:create]
+      end
 ```
 
-By default all OAuth access is blacklisted. To whitelist all access, add `allow_oauth!` to your `ApplicationController` (this is not recommended). The best practice is to add allow or disallow code to each controller.
+By default all OAuth access is blacklisted. To whitelist all access, add `allow_oauth!` to your `ApplicationController` (this is not recommended). The best practice is to add `allow_oauth!` or `disallow_oauth` to each and every controller.
 
 That should be all you need to do to get setup, congrats you're now able to authenticate users using OAuth!!
 
@@ -91,17 +85,52 @@ That should be all you need to do to get setup, congrats you're now able to auth
 
 Opro comes with built in documentation, so if you start your server you can view them at http://localhost:3000/oauth_docs. If you're reading this on Github you can jump right to the [Quick Start](https://github.com/schneems/opro/blob/master/app/views/oauth/docs/markdown/quick_start.md.erb) guide. This guide will walk you through creating your first OAuth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
 
+## Custom Auth
+
+If you're not using devise you can manually configure your own auth strategy. In the future I plan on adding more auth strategies, ping me or submit a pull request for your desired authentication scheme.
+
+```ruby
+      Opro.setup do |config|
+        config.login_method             { |controller, current_user| controller.sign_in(current_user, :bypass => true) }
+        config.logout_method            { |controller, current_user| controller.sign_out(current_user) }
+        config.authenticate_user_method { |controller| controller.authenticate_user! }
+      end
+```
+
+## Permissions
+
+When a user auth's with a client they automatically are granting read permission to any action that you `allow_oauth!`. Read only clients are restricted to using GET requests. By default Opro will ask users for write permission on a client by client application. Client apps with `:write` permission can use all HTTP verbs including POST, PATCH, PUT, DESTROY on any url you whitelist using `allow_oauth!`.
+
+
+### Custom Permissions
+
+To remove write permissions comment out this line in the Opro initializer:
+
+      config.request_permissions = [:write]
+
+You can add custom permissions by adding to the array:
+
+      config.request_permissions = [:write, :email, :picture, :whatever]
+
+You can then restrict access using the custom permissions by calling `require_oauth_permissions` which takes the same arguments as `before_filter`
+
+      require_oauth_permissions :email, :only => :index
+
+You can also skip permissions using `skip_oauth_permissions`. By default permissions will just check to see if a client has the permission, and will allow the action if it is present. If you want to implement custom permission checks you can write custom methods using the pattern `oauth_client_can_#{permission}?` for example if you were restricting the `:email` permission, you would create a method.
+
+      def oauth_client_can_email?
+        # ...
+      end
+
+The result is expected to be true or false.
 
 ## Assumptions
 
 * You have a user model and that is what your authenticating
 * You're using Active::Record
 
-If you submit a _good_ pull request for other adapters, or for generalizing the resource we're authenticating, you'll make me pretty happy.
-
-
 ## About
 
-If you have a question file an issue or, find me on the Twitters [@schneems](http://twitter.com/schneems).
+If you have a question file an issue or, find me on the Twitters [@schneems](http://twitter.com/schneems). Another good library for turning your app into an OAuth provider is [Doorkeeper](https://github.com/applicake/doorkeeper), if this project doesn't meet your needs let me know why and use them :)
 
 This project rocks and uses MIT-LICENSE.

data/Rakefile

@@ -32,6 +32,14 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
+namespace :opro do
+  desc "Install opro in dummy app"
+  task :install do
+    cd 'test/dummy'
+    system 'bundle exec rails g opro:install --force'
+  end
+end
+
 
 require 'jeweler'
 Jeweler::Tasks.new do |gem|

data/VERSION

@@ -1 +1 @@
-0.0.1.pre1.0.2
+0.0.2

data/app/controllers/oauth/auth_controller.rb

@@ -1,79 +1,78 @@
-class Oauth::AuthController < ApplicationController
-  before_filter      :opro_authenticate_user!,    :except => [:access_token]
-  skip_before_filter :verify_authenticity_token,  :only => [:access_token, :user]
-  before_filter      :ask_user!,                  :only => :authorize
+class Oauth::AuthController < OproController
+  before_filter      :opro_authenticate_user!
+  before_filter      :ask_user!,                  :only   => [:create]
+
 
   def new
     @redirect_uri = params[:redirect_uri]
-    @client_app   = Oauth::ClientApplication.find_by_app_id(params[:client_id])
+    @client_app   = Oauth::ClientApp.find_by_app_id(params[:client_id])
     @scopes       = scope_from_params(params)
   end
 
-  def authorize
-    application  =   Oauth::ClientApplication.find_by_app_id(params[:client_id])
-    permissions  =   params[:permissions]
-    access_grant =   Oauth::AccessGrant.where( :user_id => current_user.id, :application_id => application.id).first
-    access_grant ||= Oauth::AccessGrant.create(:user => current_user,       :application => application)
-    access_grant.update_attributes(:permissions => permissions) if access_grant.permissions != permissions
-    redirect_to access_grant.redirect_uri_for(params[:redirect_uri])
-  end
 
-  def access_token
-    application = Oauth::ClientApplication.authenticate(params[:client_id], params[:client_secret])
 
-    if application.nil?
-      render :json => {:error => "Could not find application"}
-      return
-    end
+  # :ask_user! is called before creating a new authorization, this allows us to redirect
+  def create
+    # find or create an auth_grant for a given user
+    application  =   Oauth::ClientApp.find_by_app_id(params[:client_id])
+    access_grant =   Oauth::AuthGrant.where( :user_id => current_user.id, :application_id => application.id).first
+    access_grant ||= Oauth::AuthGrant.create(:user => current_user,       :application => application)
 
-    access_grant = Oauth::AccessGrant.authenticate(params[:code], application.id)
 
-    if access_grant.nil?
-      render :json => {:error => "Could not authenticate access code"}
-      return
-    end
+    # add permission changes if there are any
+    access_grant.update_attributes(:permissions => params[:permissions]) if access_grant.permissions != params[:permissions]
 
-    access_grant.start_expiry_period!
-    render :json => {:access_token => access_grant.access_token, :refresh_token => access_grant.refresh_token, :expires_in => access_grant.access_token_expires_at}
+    redirect_to access_grant.redirect_uri_for(params[:redirect_uri])
   end
 
+
+  private
   # When a user is sent to authorize an application they must first accept the authorization
   # if they've already authed the app, they skip this section
   def ask_user!
     if user_granted_access_before?(current_user, params)
       # Re-Authorize the application, do not ask the user
+      params.delete(:permissions) ## Delete permissions supplied by client app, this was a security hole
       return true
     elsif user_authorizes_the_request?(request)
-      # Authorize the application, do not ask the user
+      # The user just authorized the application from the form
       return true
     else
+
       # if the request did not come from a form within the application, render the user form
       @redirect_uri ||= params[:redirect_uri]
-      @client_app   ||= Oauth::ClientApplication.find_by_app_id(params[:client_id])
+      @client_app   ||= Oauth::ClientApp.find_by_app_id(params[:client_id])
       redirect_to oauth_new_path(params)
     end
   end
 
-  private
   def user_granted_access_before?(user, params)
-    @client_app ||= Oauth::ClientApplication.find_by_app_id(params[:client_id])
-    Oauth::AccessGrant.where(:application_id => @client_app.id, :user_id => user.id).present?
+    @client_app ||= Oauth::ClientApp.find_by_app_id(params[:client_id])
+    Oauth::AuthGrant.where(:application_id => @client_app.id, :user_id => user.id).present?
   end
 
+
+  # take params[:scope] = [:write, :read, :etc] or
+  # take params[:scope] = "write, read, etc"
+  # compare against available scopes ::Opro.request_permissions
+  # return the intersecting set. or the default scope if n
   def scope_from_params(params)
-    requested_scope = (params[:scope]||[]).map(&:downcase)
     default_scope   = ::Opro.request_permissions.map(&:to_s).map(&:downcase)
-    return default_scope if requested_scope.blank?
-    requested_scope & default_scope
+    return default_scope if params[:scope].blank?
+
+    scope = params[:scope].is_a?(Array) ? params[:scope] : params[:scope].split(',')
+    raise "Params #{params[:scope]} improperly formatted " unless scope.is_a?(Array)
+    requested_scope = scope.map(&:downcase).map(&:strip)
+    return requested_scope & default_scope
   end
 
 
-  # We're verifying that a post was made from our own site, indicating a user confirmed via form
+  # Verifying that a post was made from our own site, indicating a user confirmed via form
   def user_authorizes_the_request?(request)
     request.post? && referrer_is_self?(request)
   end
 
-  # Ensures that the referrer is also the current host, to prevent spoofing
+  # Ensures that the referrer is the current host, to prevent spoofing
   def referrer_is_self?(request)
     return false if request.referrer.blank?
     referrer_host = URI.parse(request.referrer).host