opro 0.2.1.pre → 0.3.0.pre

data/CHANGELOG.md

@@ -1,7 +1,9 @@
-## 0.2.1
+## 0.3.0
 
 - Properly set attr_accessible for those apps that are requiring all attributes to be whitelisted.
-
+- Allow access_token to be passed in header `curl -H "Authorization: token iAmAOaUthToken" http://localhost:3000`
+- Default `config.allow_password_exchange' to true
+- Allow multiple `find_user_for_auth` calls in setup to allow custom finders for facebook, etc.
 
 ## 0.2.0
 

data/README.md

@@ -7,7 +7,7 @@ A production ready Rails Engine that turns your app into an [Oauth2](http://oaut
 
 ## Why would I use this?
 
-Lets say you've built a Rails app, awesome. Now you want to build a mobile app on say, the iPhone; cool. You start throwing around `#to_json` like nobody's business, but then you realize you need to authenticate users somehow. "Basic Auth!!", you exclaim, but then you realize that's not the most secure solution. You also realize that some users already signed up with Facebook & Twitter so they don't have a username/password combo. What ever shall you do?
+Lets say you've built a Rails app, awesome. Now you want to build a mobile app on say, the iPhone... cool. You start throwing around `#to_json` like nobody's business, but then you realize you need to authenticate users somehow. "Basic Auth!!", you exclaim, but then you realize that's not the most secure solution. You also realize that some users already signed up with Facebook & Twitter so they don't have a username/password combo. What ever shall you do?
 
 Wouldn't it be great if we could have a token exchange where the user goes to a mobile web view and grants permission, and then we return back an auth token just like the big boys (Facebook, Twitter, *cough* Foursquare *cough*). With Opro, we can add this functionality pretty easily. We'll use your existing authentication strategy and provide some end integration points for your clients to use out of the box.
 
@@ -81,6 +81,12 @@ That should be all you need to do to get setup, congrats you're now able to auth
 
 Opro comes with built in documentation, so if you start your server you can view them at [http://localhost:3000/oauth_docs](http://localhost:3000/oauth_docs). Or you can [view the guide](http://opro-demo.herokuapp.com/oauth_docs) on the example app. This guide will walk you through creating your first OAuth client application, giving access to that app as a logged in user, getting an access token for that user, and using that token to access the server as an authenticated user!
 
+
+# Advanced Setup
+
+Opro is simple by default, but easily configurable for a number of common use cases. Check out the options below.
+
+
 ## Custom Auth
 
 If you're not using devise you can manually configure your own auth strategy. In the future I plan on adding more auth strategies, ping me or submit a pull request for your desired authentication scheme.
@@ -120,6 +126,47 @@ You can also skip permissions using `skip_oauth_permissions`. By default permiss
 
 The result is expected to be true or false.
 
+
+## Refresh Tokens
+
+For added security you can require access_tokens be refreshed by client applications. This will help to mitigate risk of a leaked access_token, and enable an all around more secure system. This security comes at a price however, since implemeting the refresh_token functionality in a client can be quite difficult.
+
+By default refresh tokens are disabled, you can enable them in your application and set the timeout period of the tokens by adding this line to your configuration.
+
+
+    config.require_refresh_within = 1.month
+
+
+## Password Token Exchange
+
+If a client application has a user's password and username/email they can exchange these for a token. This is much safer than storing username and password on a local device, but does not offer the traditional OAuth "Flow". Because of this all available permissions will be granted to the client application. If you want to disable this feature you can set the configuration below to false:
+
+    config.allow_password_exchange = true
+
+If you have this feature enabled you can further control what applications can use the feature. Some providers may wish to have "Blessed" client applications that have this ability while restricting all other clients. To accomplish this you can create a method in your ApplicationController called `oauth_valid_password_auth?` that accepts a client_id and client_secret, and returns a true or false based on whether that application can use password auth
+
+    def oauth_valid_password_auth?(client_id, client_secret)
+      BLESSED_APP_IDS.include?(client_id)
+    end
+
+
+ If you are using this password functionality without a supported authorization engine (like devise), you will need to add an additional method that supports validating whether or not a user's credentials are valid. The method for this is called `find_user_for_auth` and accepts a controller and the parameters. The output is expected to be a user. Add this to your config like you did to the other required methods in the Custom Auth section.
+
+    config.find_user_for_auth do |controller, params|
+      # user = User.find(params[:something])
+      # return user.valid_password?(params[:password]) ? user : false
+    end
+
+If you're authenticating exchanging something other than a password (such as a facebook auth token) client's can still enable this functionality by setting `params[:auth_grant] == 'password'` in their initial request. You can then use `find_user_for_auth` method from above and implement your custom behavior. You can call `find_user_for_auth` multiple times and the application will try calling each auth method in order. It is suggested that you return from this block early if the params are missing a vital key like this:
+
+
+    config.find_user_for_auth do |controller, params|
+      return false if params[:fb_token].blank?
+      User.where(:fb_token => params[:fb_token]).first
+    end
+
+
+
 ## Assumptions
 
 * You have a user model and that is what your authenticating

data/VERSION

@@ -1 +1 @@
-0.2.1.pre
+0.3.0.pre

data/app/controllers/opro/oauth/token_controller.rb

@@ -20,8 +20,8 @@ class Opro::Oauth::TokenController < OproController
       auth_grant = Opro::Oauth::AuthGrant.auth_with_code!(params[:code], application.id)
     elsif params[:refresh_token]
       auth_grant = Opro::Oauth::AuthGrant.refresh_tokens!(params[:refresh_token], application.id)
-    elsif params[:password] || passwords[:auth_grant] == "password"
-      user       = ::Opro.find_user_for_auth.call(self, params) if Opro.password_exchange_enabled? && oauth_valid_password_auth?(params[:client_id], params[:client_secret])
+    elsif params[:password] || params[:auth_grant] == "password"
+      user       = ::Opro.find_user_for_all_auths!(self, params) if Opro.password_exchange_enabled? && oauth_valid_password_auth?(params[:client_id], params[:client_secret])
       auth_grant = Opro::Oauth::AuthGrant.auth_with_user!(user, application.id) if user.present?
     end
 

data/app/models/opro/oauth/auth_grant.rb

@@ -17,7 +17,7 @@ class Opro::Oauth::AuthGrant < ActiveRecord::Base
   attr_accessible :code, :access_token, :refresh_token, :access_token_expires_at, :permissions, :user_id, :user, :application_id, :application
 
   def can?(value)
-    permissions[value.to_s]
+    HashWithIndifferentAccess.new(permissions)[value]
   end
 
   def expired?

data/app/views/opro/oauth/docs/markdown/curl.md.erb

@@ -6,6 +6,10 @@
 
 With curl we're able to arbitrarily add parameters to our requests and to send using arbitrary HTTP status codes (GET/POST/DELETE) that are difficult to simulate in the browser. If you need to `POST` data to a url doing so with curl is much easier than constructing a form for testing.
 
+# Hurl
+
+[Hurl](http://hurl.it/) is an open sourced browser based `curl` implementation. If you're going to do quite a few curl requests, using it can be easier than the command line.
+
 ## How do I use it?
 
 On the command line you should be able to get get help by typing `man curl` if your system supports man pages. Below are some simple and common use cases
@@ -32,11 +36,21 @@ You can ask for the headers of a request by adding the `-I` flag to a curl comma
     X-Frame-Options: SAMEORIGIN
     Transfer-Encoding: chunked
 
+### Set Headers
+
+You can set a request header by using `-H` for example if you wanted to send an access_token in a header you could issue this request (assuming your access token is '9693accessTokena7ca570bbaf')
+
+    $ curl -H "Authorization: token 9693accessTokena7ca570bbaf" "http://localhost:3000/oauth_test/show_me_the_money"
+
+
+### HTTP Verb
+
+You can specify the type of request you make in curl (GET, POST, PUT, DELETE, etc.) by specifying `-X`. For example if you wanted to POST to the /products url at localhost:3000/products you could do so like this:
+
+    $ curl -X POST http://localhost:3000
 
 
-# Hurl
 
-[Hurl](http://hurl.it/) is an open sourced browser based `curl` implementation. If you're going to do quite a few curl requests, using it can be easier than the command line.
 
 
 

data/app/views/opro/oauth/docs/markdown/oauth.md.erb

@@ -9,6 +9,14 @@ OAuth is a secure way to grant authorization without having to transfer password
 
 The flow is simple, it is started when a user clicks on an authorization button, they are then directed to the OAuth provider's website, such as Facebook. They are then prompted to confirm with the OAuth provider that they are who they say they are by logging in. The user is then given the opportunity to grant authorization to the OAuth client (where the request was initiated, such as the iPhone). After returning to the client, a code is sent that can be exchanged for a secure token. This secure token can be used to authenticate as the user. This way an iPhone client can ask for personalized content to show to the user, such as a friend list, or messages. This is the mechanism that drives most of the web.
 
+
+## Watch "OAuth: A Tale of 2 Servers"
+
+This video covers a typical flow an OAuth client follows with an OAuth provider for obtaining and using an access_token.
+
+
+<object width="560" height="315"><param name="movie" value="http://www.youtube.com/v/tFYrq3d54Dc?version=3&amp;hl=en_US&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/tFYrq3d54Dc?version=3&amp;hl=en_US&amp;rel=0" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>
+
 ## Not just Mobile
 
 Client and server side web applications can use this type of authorization to add features to their service such as posting things to a timeline, or adding personalization.
@@ -16,7 +24,7 @@ Client and server side web applications can use this type of authorization to ad
 
 ## Alternatives
 
-OAuth is simple in concept, but can be tricky to implement right. Many services also support basic auth. With basic auth you send a user's username and password along with every request. While this is fairly simple it means that the client application has access to your password, which is not very secure. There are other standards such as xAuth, and likely more to come in the future
+OAuth is simple in concept, but can be tricky to implement right. Many services also support basic auth. With basic auth you send a user's username and password along with every request. While this is fairly simple it means that the client application has access to your password, which is not very secure.
 
 
 ## Clients

data/app/views/opro/oauth/docs/markdown/quick_start.md.erb

@@ -63,6 +63,11 @@ Try it out for yourself open up a browser and go to
 
 You should see a successful result ( again don't forget to replace the example access token with yours ). Not all urls will support OAuth authentication.
 
+You can also use a header to pass the oauth token
+
+    <%= %Q{ curl -H "Authorization: token 9693accessTokena7ca570bbaf" "#{request.base_url}/oauth_test/show_me_the_money" } %>
+
+
 ## Security
 
 Don't share your client application's secret or any user's access_token with unknown or untrusted parties. Always use https when available and don't write any of these values to your application's logs.

data/lib/generators/templates/opro.rb

@@ -21,6 +21,6 @@ Opro.setup do |config|
   # password, etc. for an access token.
   # Caution: This bypasses the traditional OAuth flow
   # as a result users cannot opt out of client permissions, all permissions are granted
-  config.allow_password_exchange = false
+  config.allow_password_exchange = true
 
 end

data/lib/opro.rb

@@ -27,14 +27,12 @@ module Opro
       authenticate_user_method { |controller| controller.authenticate_user! }
 
       find_user_for_auth do |controller, params|
+        return false if params[:password].blank?
         find_params = params.each_with_object({}) {|(key,value), hash| hash[key] = value if Devise.authentication_keys.include?(key.to_sym) }
-        user        = User.where(find_params).first
-        if user && user.valid_password?(params[:password])
-          return_user = user
-        else
-          return_user = false
-        end
-        return_user
+        user        = User.where(find_params).first if find_params.present?
+        return false unless user.present?
+        return false unless user.valid_password?(params[:password])
+        user
       end
     else
       # nothing
@@ -107,9 +105,30 @@ module Opro
     end
   end
 
+  # calls all of the different auths made available,
+  def self.find_user_for_all_auths!(controller, params)
+    @user = false
+    find_user_for_auth.each do |auth_block|
+      break if @user.present?
+      @user = auth_block.call(controller, params)
+    end
+    @user
+  end
+
+
+  # Grossssss, don't use, needed to support `return` from the blocks provided to `find_user_for_auth`
+  def self.convert_to_lambda &block
+    obj = Object.new
+    obj.define_singleton_method(:_, &block)
+    return obj.method(:_).to_proc
+  end
+
+  # holds an Array of authentication blocks is called by find_user_for_all_auths! in token controller
+  # can be used for finding users using multiple methods (password, facebook, twitter, etc.)
   def self.find_user_for_auth(&block)
     if block.present?
-      @find_for_authentication = block
+      @find_for_authentication ||= []
+      @find_for_authentication << convert_to_lambda(&block)
     else
       @find_for_authentication or raise 'find_for_authentication not set, please specify Opro auth_strategy'
     end

data/lib/opro/controllers/application_controller_helper.rb

@@ -53,8 +53,19 @@ module Opro
         @use_oauth = true
       end
 
+      def oauth_access_token
+        params[:access_token] || oauth_access_token_from_header
+      end
+
+      def oauth_access_token_from_header
+        auth_header = request.env["HTTP_AUTHORIZATION"]||""
+        match       = auth_header.match(/^token\s(.*)/)
+        return match[1] if match.present?
+        false
+      end
+
       def oauth?
-        allow_oauth? && params[:access_token].present?
+        allow_oauth? && oauth_access_token.present?
       end
 
       # Override with custom logic to exclude or allow applications from exchanging
@@ -64,7 +75,7 @@ module Opro
       end
 
       def oauth_access_grant
-        @oauth_access_grant ||= Opro::Oauth::AuthGrant.find_for_token(params[:access_token])
+        @oauth_access_grant ||= Opro::Oauth::AuthGrant.find_for_token(oauth_access_token)
       end
 
       def oauth_client_app

data/lib/opro/controllers/concerns/error_messages.rb

@@ -3,7 +3,7 @@ module Opro::Controllers::Concerns::ErrorMessages
 
   def generate_oauth_error_message!
     msg = ""
-    msg << ' - No OAuth Token Provided!'    if params[:access_token].blank?
+    msg << ' - No OAuth Token Provided!'    if oauth_access_token.blank?
     msg << ' - Allow OAuth set to false!'   if allow_oauth? == false
     msg << ' - OAuth user not found!'       if oauth_user.blank?
     msg = generate_oauth_permissions_error_message!(msg)

data/lib/opro/controllers/concerns/permissions.rb

@@ -31,6 +31,7 @@ module Opro::Controllers::Concerns::Permissions
   # oauth_client_can_:method? so to over-write a default check for
   # :write permission, you would need to define oauth_client_can_write?
   def oauth_client_has_permissions?
+    return false unless oauth_access_grant.present?
     permissions_valid_array = []
     oauth_required_permissions.each do |permission|
       permissions_valid_array << oauth_client_has_permission?(permission)
@@ -53,6 +54,7 @@ module Opro::Controllers::Concerns::Permissions
   # Returns boolean
   # if client has been granted write permissions or request is a 'GET' returns true
   def oauth_client_can_write?
+    return false unless oauth_access_grant.present?
     return true if env['REQUEST_METHOD'] == 'GET'
     return true if oauth_access_grant.can?(:write)
     false

data/opro.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "opro"
-  s.version = "0.2.1.pre"
+  s.version = "0.3.0.pre"
 
   s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2012-06-29"
+  s.date = "2012-06-30"
   s.description = " Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [

data/test/integration/action_dispatch/oauth_flow_test.rb

@@ -30,5 +30,20 @@ class OauthTokenTest < ActionDispatch::IntegrationTest
     assert json_hash["refresh_token"], auth_grant.refresh_token
   end
 
+
+  test 'header authorization token' do
+    auth_grant   = create_auth_grant_for_user(@user)
+    auth_grant.update_attributes(:permissions => {:write => true})
+
+    # curl -H "Authorization: token OAUTH-TOKEN" http://localhost:3000
+    # sets request.env["HTTP_AUTHORIZATION"] to "token OAUTH-TOKEN"
+    access_token = auth_grant.access_token
+
+    headers = {"HTTP_AUTHORIZATION" => "token #{access_token}"}
+    post oauth_tests_path, {}, headers
+
+    assert_equal 200, status
+  end
+
 end
 

data/test/integration/action_dispatch/password_token_test.rb

@@ -57,5 +57,25 @@ class PasswordTokenTest < ActionDispatch::IntegrationTest
     assert json_hash['access_token'].blank?
   end
 
+
+  test "Allow multiple definitions of find_user_for_auth (no password)" do
+    Opro.setup do |config|
+      config.find_user_for_auth do |controller, params|
+        return false if params[:special_key].blank?
+        user = User.last if params[:special_key] == "fooBarzyrhaz"
+        user
+      end
+    end
+
+    params = {:client_id      => @client_app.client_id ,
+              :client_secret  => @client_app.client_secret,
+              :special_key    => "fooBarzyrhaz",
+              :auth_grant     => 'password' }
+
+    post oauth_token_path(params)
+    json_hash = JSON.parse(response.body)
+    assert json_hash['access_token'].present?
+  end
+
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opro
 version: !ruby/object:Gem::Version
-  version: 0.2.1.pre
+  version: 0.3.0.pre
   prerelease: 6
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-06-29 00:00:00.000000000Z
+date: 2012-06-30 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70215497549500 !ruby/object:Gem::Requirement
+  requirement: &70196426967100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70215497549500
+  version_requirements: *70196426967100
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70215497548240 !ruby/object:Gem::Requirement
+  requirement: &70196426966240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70215497548240
+  version_requirements: *70196426966240
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &70215497547600 !ruby/object:Gem::Requirement
+  requirement: &70196426965380 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70215497547600
+  version_requirements: *70196426965380
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &70215497547000 !ruby/object:Gem::Requirement
+  requirement: &70196426964780 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497547000
+  version_requirements: *70196426964780
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &70215497546400 !ruby/object:Gem::Requirement
+  requirement: &70196426964140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497546400
+  version_requirements: *70196426964140
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70215497539640 !ruby/object:Gem::Requirement
+  requirement: &70196426963520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70215497539640
+  version_requirements: *70196426963520
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70215497539100 !ruby/object:Gem::Requirement
+  requirement: &70196426962980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: 1.1.3
   type: :development
   prerelease: false
-  version_requirements: *70215497539100
+  version_requirements: *70196426962980
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &70215497538580 !ruby/object:Gem::Requirement
+  requirement: &70196426962460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.4.0
   type: :development
   prerelease: false
-  version_requirements: *70215497538580
+  version_requirements: *70196426962460
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70215497537940 !ruby/object:Gem::Requirement
+  requirement: &70196426961860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497537940
+  version_requirements: *70196426961860
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: &70215497537200 !ruby/object:Gem::Requirement
+  requirement: &70196426961260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497537200
+  version_requirements: *70196426961260
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &70215497536340 !ruby/object:Gem::Requirement
+  requirement: &70196426960660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,10 +131,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497536340
+  version_requirements: *70196426960660
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70215497535020 !ruby/object:Gem::Requirement
+  requirement: &70196426960060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -142,10 +142,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497535020
+  version_requirements: *70196426960060
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70215497534320 !ruby/object:Gem::Requirement
+  requirement: &70196426959380 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -153,7 +153,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70215497534320
+  version_requirements: *70196426959380
 description: ! ' Enable OAuth clients (iphone, android, web sites, etc.) to access
   and use your Rails application, what you do with it is up to you'
 email: richard.schneeman@gmail.com
@@ -275,7 +275,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 920875782846310180
+      hash: 2196355823502899805
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: