opro 0.1.0 → 0.2.0

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.2.0
+
+- Allow password exchange for access_token using `config.allow_password_exchange = true`
+
 ## 0.1.0
 
 - Refresh Token Support

data/README.md

@@ -41,7 +41,7 @@ Now we're ready to migrate the database
     $ rake db:migrate
 ````
 
-This will add `Oauth::AuthGrant` and `Oauth::ClientApp` to your database. An iPhone app would need to register for a `client_id` and `client_secret` before using Oauth as a ClientApp. Once created they could get authorization from users by going through the oauth flow, thus creating AuthGrants. In other words a ClientApp has many users through AuthGrants.
+This will add `Opro::Oauth::AuthGrant` and `Opro::Oauth::ClientApp` to your database. An iPhone app would need to register for a `client_id` and `client_secret` before using Oauth as a ClientApp. Once created they could get authorization from users by going through the oauth flow, thus creating AuthGrants. In other words a ClientApp has many users through AuthGrants.
 
 ## Setup
 
@@ -79,7 +79,7 @@ That should be all you need to do to get setup, congrats you're now able to auth
 
 ## Use it
 
-Opro comes with built in documentation, so if you start your server you can view them at http://localhost:3000/oauth_docs. If you're reading this on Github you can jump right to the [Quick Start](https://github.com/schneems/opro/blob/master/app/views/oauth/docs/markdown/quick_start.md.erb) guide. This guide will walk you through creating your first OAuth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
+Opro comes with built in documentation, so if you start your server you can view them at [http://localhost:3000/oauth_docs](http://localhost:3000/oauth_docs). Or you can [view the guide](http://opro-demo.herokuapp.com/oauth_docs) on the example app. This guide will walk you through creating your first OAuth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
 
 ## Custom Auth
 

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

data/app/controllers/opro/oauth/token_controller.rb

@@ -16,17 +16,20 @@ class Opro::Oauth::TokenController < OproController
       return
     end
 
-
     if params[:code]
-      auth_grant = Opro::Oauth::AuthGrant.authenticate(params[:code], application.id)
-    else
+      auth_grant = Opro::Oauth::AuthGrant.auth_with_code!(params[:code], application.id)
+    elsif params[:refresh_token]
       auth_grant = Opro::Oauth::AuthGrant.refresh_tokens!(params[:refresh_token], application.id)
+    elsif params[:password] || passwords[:auth_grant] == "password"
+      user       = ::Opro.find_user_for_auth.call(self, params) if Opro.password_exchange_enabled? && oauth_valid_password_auth?(params[:client_id], params[:client_secret])
+      auth_grant = Opro::Oauth::AuthGrant.auth_with_user!(user, application.id) if user.present?
     end
 
-    if auth_grant.nil?
-      msg = "Could not find a user that belongs to this application & "
-      msg << " has a refresh_token=#{params[:refresh_token]}" if params[:refresh_token]
-      msg << " has been granted a code=#{params[:code]}"      if params[:code]
+    if auth_grant.blank?
+      msg = "Could not find a user that belongs to this application"
+      msg << " & has a refresh_token=#{params[:refresh_token]}" if params[:refresh_token]
+      msg << " & has been granted a code=#{params[:code]}"      if params[:code]
+      msg << " using username and password"                   if params[:password]
       render :json => {:error => msg }, :status => :unauthorized
       return
     end

data/app/models/opro/oauth/auth_grant.rb

@@ -50,10 +50,19 @@ class Opro::Oauth::AuthGrant < ActiveRecord::Base
     find_app_for_token.try(:user)
   end
 
-  def self.authenticate(code, application_id)
+  def self.auth_with_code!(code, application_id)
     auth_grant = self.where("code = ? AND application_id = ?", code, application_id).first
   end
 
+  def self.auth_with_user!(user, applicaiton_id, permissions = ::Opro.request_permissions)
+    return false unless user
+    permissions_hash =   permissions.each_with_object({}) {|element, hash| hash[element] = true }
+    auth_grant  =   self.where(:user_id  => user.id, :application_id => applicaiton_id).first
+    auth_grant  ||= self.create(:user_id => user.id, :application_id => applicaiton_id)
+    auth_grant.update_attributes(:permissions => permissions_hash)
+    auth_grant
+  end
+
   def self.refresh_tokens!(refresh_token, application_id)
     auth_grant = self.where("refresh_token = ? AND application_id = ?", refresh_token, application_id).first
     if auth_grant.present?

data/lib/generators/templates/opro.rb

@@ -2,7 +2,7 @@ Opro.setup do |config|
   ## Configure the auth_strategy or use set :login_method, :logout_method, & :authenticate_user_method
   config.auth_strategy = :devise
 
-  ## Add or remove application permissions
+  ## Add or Remove Application Permissions
   # Read permission (any request with [GET]) is turned on by default
   # Write permission (any request other than [GET]) is requestable by default
   # Custom permissions can be configured by adding them to `config.request_permissions`
@@ -10,8 +10,17 @@ Opro.setup do |config|
   # `require_oauth_permissions` in the controller
   config.request_permissions = [:write]
 
-  ## Refresh Token config
+  ## Refresh Token Config
   # uncomment `config.require_refresh_within` to require refresh tokens
-  # this will expire tokens within the given time duration
+  # this will expire tokens within the given time duration, having it enabled
+  # is more secure, but harder to use.
   # config.require_refresh_within = 1.month
+
+  ## Allow Password Exchange
+  # You can allow client applications to exchange a user's credentials
+  # password, etc. for an access token.
+  # Caution: This bypasses the traditional OAuth flow
+  # as a result users cannot opt out of client permissions, all permissions are granted
+  config.allow_password_exchange = false
+
 end

data/lib/opro.rb

@@ -25,6 +25,17 @@ module Opro
       login_method             { |controller, current_user| controller.sign_in(current_user, :bypass => true) }
       logout_method            { |controller, current_user| controller.sign_out(current_user) }
       authenticate_user_method { |controller| controller.authenticate_user! }
+
+      find_user_for_auth do |controller, params|
+        find_params = params.each_with_object({}) {|(key,value), hash| hash[key] = value if Devise.authentication_keys.include?(key.to_sym) }
+        user        = User.where(find_params).first
+        if user && user.valid_password?(params[:password])
+          return_user = user
+        else
+          return_user = false
+        end
+        return_user
+      end
     else
       # nothing
     end
@@ -92,9 +103,25 @@ module Opro
     if block.present?
       @authenticate_user_method = block
     else
-      @authenticate_user_method or raise 'authenticate user method not set, please specify Opro auth_strategy'
+      @authenticate_user_method or raise 'authenticate_user_method not set, please specify Opro auth_strategy'
+    end
+  end
+
+  def self.find_user_for_auth(&block)
+    if block.present?
+      @find_for_authentication = block
+    else
+      @find_for_authentication or raise 'find_for_authentication not set, please specify Opro auth_strategy'
     end
   end
+
+  def self.password_exchange_enabled=(password_exchange_enabled)
+    @password_exchange_enabled = password_exchange_enabled
+  end
+
+  def self.password_exchange_enabled?
+    @password_exchange_enabled
+  end
 end
 
 require 'opro/controllers/concerns/error_messages'

data/lib/opro/controllers/application_controller_helper.rb

@@ -57,6 +57,12 @@ module Opro
         allow_oauth? && params[:access_token].present?
       end
 
+      # Override with custom logic to exclude or allow applications from exchanging
+      # passwords for access_tokens
+      def oauth_valid_password_auth?(client_id, client_secret)
+        true
+      end
+
       def oauth_access_grant
         @oauth_access_grant ||= Opro::Oauth::AuthGrant.find_for_token(params[:access_token])
       end

data/opro.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "opro"
-  s.version = "0.1.0"
+  s.version = "0.2.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2012-06-19"
+  s.date = "2012-06-20"
   s.description = " Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [
@@ -104,6 +104,7 @@ Gem::Specification.new do |s|
     "test/dummy/script/rails",
     "test/integration/action_dispatch/auth_controller_test.rb",
     "test/integration/action_dispatch/oauth_flow_test.rb",
+    "test/integration/action_dispatch/password_token_test.rb",
     "test/integration/action_dispatch/refresh_token_test.rb",
     "test/integration/auth_controller_test.rb",
     "test/integration/client_app_controller_test.rb",

data/test/integration/action_dispatch/password_token_test.rb

@@ -0,0 +1,61 @@
+## NOT CAPYBARA
+#  ActionDispatch::IntegrationTest
+#  http://guides.rubyonrails.org/testing.html#integration-testing
+#  used so we can test POST actions ^_^
+
+require 'test_helper'
+
+class PasswordTokenTest < ActionDispatch::IntegrationTest
+
+  setup do
+    @user         = create_user
+    @client_app   = create_client_app
+    @password     = "password"
+    Opro.setup {|config| config.password_exchange_enabled = true}
+  end
+
+
+  test "exchange a password and email for an access_token" do
+    params = {:client_id      => @client_app.client_id ,
+              :client_secret  => @client_app.client_secret,
+              :password       => @password,
+              :email          => @user.email }
+
+    post oauth_token_path(params)
+
+    json_hash = JSON.parse(response.body)
+    assert json_hash['access_token'].present?
+  end
+
+  test "do not provide access_token for invalid password or email" do
+    params = {:client_id      => @client_app.client_id ,
+              :client_secret  => @client_app.client_secret,
+              :password       => @password,
+              :email          => @user.email }
+
+    post oauth_token_path(params.merge(:password => @password + "invalid"))
+    json_hash = JSON.parse(response.body)
+    assert json_hash['access_token'].blank?
+
+    post oauth_token_path(params.merge(:email    => "invalid" + @user.email ))
+    json_hash = JSON.parse(response.body)
+    assert json_hash['access_token'].blank?
+  end
+
+  test "Only allow authenticated apps" do
+    Opro::Oauth::TokenController.any_instance.stubs(:oauth_valid_password_auth?).
+                          with(@client_app.client_id, @client_app.client_secret).
+                          returns(false)
+
+    params = {:client_id      => @client_app.client_id ,
+              :client_secret  => @client_app.client_secret,
+              :password       => @password,
+              :email          => @user.email }
+
+    post oauth_token_path(params)
+    json_hash = JSON.parse(response.body)
+    assert json_hash['access_token'].blank?
+  end
+
+end
+

data/test/integration/oauth_test.rb

@@ -20,7 +20,6 @@ class CapybaraOauthTest < ActiveSupport::IntegrationCase
     auth_grant   = create_auth_grant_for_user(user)
     access_token = auth_grant.access_token + "foo"
     visit "/?access_token=#{access_token}"
-    save_and_open_page
     assert has_content?('NO logged in users')
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opro
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-06-19 00:00:00.000000000Z
+date: 2012-06-20 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70273794750300 !ruby/object:Gem::Requirement
+  requirement: &70339795418460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70273794750300
+  version_requirements: *70339795418460
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70273794749360 !ruby/object:Gem::Requirement
+  requirement: &70339795417860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70273794749360
+  version_requirements: *70339795417860
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &70273794748420 !ruby/object:Gem::Requirement
+  requirement: &70339795417120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70273794748420
+  version_requirements: *70339795417120
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &70273794747460 !ruby/object:Gem::Requirement
+  requirement: &70339795416500 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794747460
+  version_requirements: *70339795416500
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &70273794746540 !ruby/object:Gem::Requirement
+  requirement: &70339795415860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794746540
+  version_requirements: *70339795415860
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70273794745720 !ruby/object:Gem::Requirement
+  requirement: &70339795415100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70273794745720
+  version_requirements: *70339795415100
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70273794745020 !ruby/object:Gem::Requirement
+  requirement: &70339795414500 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: 1.1.3
   type: :development
   prerelease: false
-  version_requirements: *70273794745020
+  version_requirements: *70339795414500
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &70273794744280 !ruby/object:Gem::Requirement
+  requirement: &70339780154620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.4.0
   type: :development
   prerelease: false
-  version_requirements: *70273794744280
+  version_requirements: *70339780154620
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70273794743560 !ruby/object:Gem::Requirement
+  requirement: &70339780153680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794743560
+  version_requirements: *70339780153680
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: &70273794742780 !ruby/object:Gem::Requirement
+  requirement: &70339780152320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794742780
+  version_requirements: *70339780152320
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &70273794742200 !ruby/object:Gem::Requirement
+  requirement: &70339780151320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,10 +131,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794742200
+  version_requirements: *70339780151320
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70273794741600 !ruby/object:Gem::Requirement
+  requirement: &70339780150240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -142,10 +142,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794741600
+  version_requirements: *70339780150240
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70273794740720 !ruby/object:Gem::Requirement
+  requirement: &70339780149400 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -153,7 +153,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70273794740720
+  version_requirements: *70339780149400
 description: ! ' Enable OAuth clients (iphone, android, web sites, etc.) to access
   and use your Rails application, what you do with it is up to you'
 email: richard.schneeman@gmail.com
@@ -250,6 +250,7 @@ files:
 - test/dummy/script/rails
 - test/integration/action_dispatch/auth_controller_test.rb
 - test/integration/action_dispatch/oauth_flow_test.rb
+- test/integration/action_dispatch/password_token_test.rb
 - test/integration/action_dispatch/refresh_token_test.rb
 - test/integration/auth_controller_test.rb
 - test/integration/client_app_controller_test.rb
@@ -274,7 +275,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -4287808992153183066
+      hash: -921611140833646542
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: