opro 0.3.0.pre1 → 0.3.0.pre2

data/CHANGELOG.md

@@ -4,6 +4,8 @@
 - Allow access_token to be passed in header `curl -H "Authorization: token iAmAOaUthToken" http://localhost:3000`
 - Default `config.password_exchange_enabled' to true
 - Allow multiple `find_user_for_auth` calls in setup to allow custom finders for facebook, etc.
+- You can now rate limit incoming client applications.
+- Allow clients to mitigate security threat (http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html)
 
 ## 0.2.0
 

data/README.md

@@ -157,7 +157,7 @@ If you have this feature enabled you can further control what applications can u
       # return user.valid_password?(params[:password]) ? user : false
     end
 
-If you're authenticating exchanging something other than a password (such as a facebook auth token) client's can still enable this functionality by setting `params[:auth_grant] == 'password'` in their initial request. You can then use `find_user_for_auth` method from above and implement your custom behavior. You can call `find_user_for_auth` multiple times and the application will try calling each auth method in order. It is suggested that you return from this block early if the params are missing a vital key like this:
+If you're authenticating exchanging something other than a password (such as a facebook auth token) client's can still enable this functionality by setting `params[:grant_type] == 'password'` in their initial request. You can then use `find_user_for_auth` method from above and implement your custom behavior. You can call `find_user_for_auth` multiple times and the application will try calling each auth method in order. It is suggested that you return from this block early if the params are missing a vital key like this:
 
 
     config.find_user_for_auth do |controller, params|
@@ -166,6 +166,24 @@ If you're authenticating exchanging something other than a password (such as a f
     end
 
 
+## Rate Limiting
+
+If your API becomes a runaway success and people starte abusing your api, you might chose to limit the rate that client applications can access your API. It is common for popular read only API's to have an hourly, or daily rate limit to help prevent abuse. If you want this type of functionality you can use Opro's built in hooks, one to record the number of times a client application has accessed your api. And another to let the application know if the Client app has gone over it's alloted rate.
+
+To record the number of times an application has accessed your site add this method to your ApplicationController:
+
+    def oauth_client_record_access!(client_id, params)
+      # implement your rate counting mechanism here
+    end
+
+Then to let our server know if a given client has reached add this method, the output is expected to be true if the client has gone over their limit, and false if they have not:
+
+    def oauth_client_rate_limited?(client_id, params)
+      # implement your own custom rate limiting logic here
+    end
+
+Rate limited clients will receive an "unsuccessful" response to any query with a message letting them know they've been rate limited. Using redis with a rotating key generator based on (hour, daty, etc.) is one very common way to count rate, and implement the rate limits. Since there are so many different ways to implement this, we decided to give you a blank slate and implement it however you like. The default is that apps are not rate limited, and in general unlimited API access is the way to go, but if you do find abusive behavior you can always easily add in a rate limit.
+
 
 ## Assumptions
 

data/VERSION

@@ -1 +1 @@
-0.3.0.pre1
+0.3.0.pre2

data/app/controllers/opro/oauth/auth_controller.rb

@@ -15,14 +15,14 @@ class Opro::Oauth::AuthController < OproController
   def create
     # find or create an auth_grant for a given user
     application  =   Opro::Oauth::ClientApp.find_by_app_id(params[:client_id])
-    access_grant =   Opro::Oauth::AuthGrant.where( :user_id => current_user.id, :application_id => application.id).first
-    access_grant ||= Opro::Oauth::AuthGrant.create(:user => current_user,       :application => application)
+    auth_grant =   Opro::Oauth::AuthGrant.where( :user_id => current_user.id, :application_id => application.id).first
+    auth_grant ||= Opro::Oauth::AuthGrant.create(:user => current_user,       :application => application)
 
 
     # add permission changes if there are any
-    access_grant.update_attributes(:permissions => params[:permissions]) if access_grant.permissions != params[:permissions]
+    auth_grant.update_attributes(:permissions => params[:permissions]) if auth_grant.permissions != params[:permissions]
 
-    redirect_to access_grant.redirect_uri_for(params[:redirect_uri])
+    redirect_to auth_grant.redirect_uri_for(params[:redirect_uri], params[:state])
   end
 
 
@@ -48,6 +48,7 @@ class Opro::Oauth::AuthController < OproController
 
   def user_granted_access_before?(user, params)
     @client_app ||= Opro::Oauth::ClientApp.find_by_app_id(params[:client_id])
+    return false if user.blank? || @client_app.blank?
     Opro::Oauth::AuthGrant.where(:application_id => @client_app.id, :user_id => user.id).present?
   end
 
@@ -80,4 +81,4 @@ class Opro::Oauth::AuthController < OproController
     referrer_host == self_host
   end
 
-end
+end

data/app/controllers/opro/oauth/token_controller.rb

@@ -20,7 +20,7 @@ class Opro::Oauth::TokenController < OproController
       auth_grant = Opro::Oauth::AuthGrant.auth_with_code!(params[:code], application.id)
     elsif params[:refresh_token]
       auth_grant = Opro::Oauth::AuthGrant.refresh_tokens!(params[:refresh_token], application.id)
-    elsif params[:password] || params[:auth_grant] == "password"
+    elsif params[:password].present? || params[:grant_type] == "password"|| params[:grant_type] == "bearer"
       user       = ::Opro.find_user_for_all_auths!(self, params) if Opro.password_exchange_enabled? && oauth_valid_password_auth?(params[:client_id], params[:client_secret])
       auth_grant = Opro::Oauth::AuthGrant.auth_with_user!(user, application.id) if user.present?
     end
@@ -29,7 +29,7 @@ class Opro::Oauth::TokenController < OproController
       msg = "Could not find a user that belongs to this application"
       msg << " & has a refresh_token=#{params[:refresh_token]}" if params[:refresh_token]
       msg << " & has been granted a code=#{params[:code]}"      if params[:code]
-      msg << " using username and password"                   if params[:password]
+      msg << " using username and password"                     if params[:password]
       render :json => {:error => msg }, :status => :unauthorized
       return
     end

data/app/models/opro/oauth/auth_grant.rb

@@ -3,8 +3,10 @@ class Opro::Oauth::AuthGrant < ActiveRecord::Base
   self.table_name = :opro_auth_grants
 
   belongs_to :user
-  belongs_to :client_application, :class_name => "Oauth::ClientApp"
-  belongs_to :application,        :class_name => "Oauth::ClientApp"
+  belongs_to :client_application, :class_name => "Opro::Oauth::ClientApp", :foreign_key => "application_id"
+  belongs_to :application,        :class_name => "Opro::Oauth::ClientApp", :foreign_key => "application_id"
+  belongs_to :client_app,         :class_name => "Opro::Oauth::ClientApp", :foreign_key => "application_id"
+
 
   validates :application_id, :uniqueness => {:scope => :user_id, :message => "Application is already authed for this user"}, :presence => true
 
@@ -79,11 +81,13 @@ class Opro::Oauth::AuthGrant < ActiveRecord::Base
     self.code, self.access_token, self.refresh_token = SecureRandom.hex(16), SecureRandom.hex(16), SecureRandom.hex(16)
   end
 
-  def redirect_uri_for(redirect_uri)
+  def redirect_uri_for(redirect_uri, state = nil)
     if redirect_uri =~ /\?/
-      redirect_uri + "&code=#{code}&response_type=code"
+      redirect_uri << "&code=#{code}&response_type=code"
     else
-      redirect_uri + "?code=#{code}&response_type=code"
+      redirect_uri << "?code=#{code}&response_type=code"
     end
+    redirect_uri << "&state=#{state}" if state.present?
+    redirect_uri
   end
 end

data/app/views/opro/oauth/docs/index.html.erb

@@ -9,13 +9,18 @@
   <li><%= link_to 'Quick Start',  oauth_doc_path(:quick_start) %></li>
   <li><%= link_to 'Curl',   oauth_doc_path(:curl) %></li>
   <li><%= link_to 'Oauth',  oauth_doc_path(:oauth) %></li>
+
   <% if ::Opro.request_permissions.present? %>
     <li><%= link_to 'Permisions',  oauth_doc_path(:permissions) %></li>
   <% end %>
+
   <% if ::Opro.require_refresh_within.present? %>
     <li><%= link_to 'Refresh Tokens',  oauth_doc_path(:refresh_tokens) %></li>
   <% end %>
 
+  <% if ::Opro.password_exchange_enabled? %>
+    <li><%= link_to 'Password Exchange',  oauth_doc_path(:password_exchange) %></li>
+  <% end %>
 
 </ul>
 

data/app/views/opro/oauth/docs/markdown/curl.md.erb

@@ -20,7 +20,6 @@ You can get the entire contents of a web document by simply issuing curl to that
 
     $ curl https://www.google.com
 
-
 ### Get Headers
 
 

data/app/views/opro/oauth/docs/markdown/oauth.md.erb

@@ -1,6 +1,6 @@
 ## Opro Oauth
 
-OAuth comes in a few different flavors, the implementation of OAuth comes from [Version 22 of the OAuth 2.0 protocol](http://tools.ietf.org/html/draft-ietf-oauth-v2-22) and is heavily influenced by [Facebook's Server Side OAuth Authentication](http://developers.facebook.com/docs/authentication/server-side/).
+OAuth comes in a few different flavors, the implementation of OAuth comes from [Version 22 of the OAuth 2.0 protocol](http://tools.ietf.org/html/draft-ietf-oauth-v2-22) and is heavily influenced by [Facebook's Server Side OAuth Authentication](http://developers.facebook.com/docs/authentication/server-side/) and [Github's API](http://developer.github.com/v3/oauth/).
 
 
 ## What is It?

data/app/views/opro/oauth/docs/markdown/password_exchange.md.erb

@@ -0,0 +1,38 @@
+<%= "# Password Exchange is NOT enabled in this App" unless ::Opro.password_exchange_enabled? %>
+
+
+## Password Exchange
+
+If you're building a mobile (iPhone, Android, etc.) app it can be easier to exchange a user's password and email/username for an access token then to send your user throught the traditional OAuth flow.
+
+## Get Started
+
+First obtain a client app id and secret, if you don't have them see the [Quick Start Guide](/oauth_docs/quick_start) and return here. For this example we will use this data:
+
+    Name:       foo
+    client id:  3234myClientId5678
+    Secret:     14321myClientSecret8765
+
+Note you will need to replace the client id and secret with your actual client id and secret.
+
+Once you have your id and secret, you can ask the user of your application to provide you with their username and password. For the purposes of this we will be using the example email address of `foo@example.com` and password of `p4ssw0rd`.
+
+Once you have the email/username and password of your user on the mobile device, you can then send all of this information to the server with your client id & secret. Don't forget to url encode any special characters like `@`, and always transmit this sensitive data using secure https:
+
+
+    <%= "#{request.base_url.gsub('http://', 'https://')}/oauth/token?" %>email=foo%40example.com&password=p4ssw0rd&client_id=3234myClientId5678&client_secret=14321myClientSecret8765
+
+The response should be json with an access_token:
+
+
+    {"access_token":"9693accessTokena7ca570bbaf","refresh_token":"3a3c129ad02b573de78e65af06c293f1","expires_in":null}
+
+You can now use the `access_token` in the parameters of future requests or in the header, see the end of the [Quick Start Guide](/oauth_docs/quick_start) for examples.
+
+
+## Additional Exchange
+
+
+ In addition to username/password the owner of this web service may choose to implement other custom exchanges such as Facebook or Twitter token exchange for an access token. You must contact the owner of this web service to see if they support other data when exchanging tokens.
+
+ When you do this make sure to pass `grant_type=password` or `grant_type=bearer` in the request to `/oauth/token`, in addition to any required parameters.

data/lib/opro.rb

@@ -143,6 +143,7 @@ module Opro
   end
 end
 
+require 'opro/controllers/concerns/rate_limits'
 require 'opro/controllers/concerns/error_messages'
 require 'opro/controllers/concerns/permissions'
 require 'opro/controllers/application_controller_helper'

data/lib/opro/controllers/application_controller_helper.rb

@@ -7,6 +7,7 @@ module Opro
 
       include Opro::Controllers::Concerns::Permissions
       include Opro::Controllers::Concerns::ErrorMessages
+      include Opro::Controllers::Concerns::RateLimits
 
       included do
         around_filter      :oauth_auth!
@@ -32,13 +33,18 @@ module Opro
 
       protected
 
+      def oauth_fail_request!
+        render :json => {:errors => generate_oauth_error_message! }, :status => :unauthorized
+        false
+      end
+
       def allow_oauth?
         @use_oauth ||= false
       end
 
-      # returns boolean if oauth request
+
       def valid_oauth?
-        oauth? && oauth_user.present? && oauth_client_not_expired? && oauth_client_has_permissions?
+        oauth? && oauth_user.present? && oauth_client_not_expired? && oauth_client_has_permissions? && oauth_client_under_rate_limit?
       end
 
       def oauth_client_not_expired?
@@ -57,6 +63,7 @@ module Opro
         params[:access_token] || oauth_access_token_from_header
       end
 
+      # grabs access_token from header if one is present
       def oauth_access_token_from_header
         auth_header = request.env["HTTP_AUTHORIZATION"]||""
         match       = auth_header.match(/^token\s(.*)/)

data/lib/opro/controllers/concerns/error_messages.rb

@@ -6,6 +6,7 @@ module Opro::Controllers::Concerns::ErrorMessages
     msg << ' - No OAuth Token Provided!'    if oauth_access_token.blank?
     msg << ' - Allow OAuth set to false!'   if allow_oauth? == false
     msg << ' - OAuth user not found!'       if oauth_user.blank?
+    msg << ' - OAuth client has been rate limited' if oauth_client_over_rate_limit?
     msg = generate_oauth_permissions_error_message!(msg)
     msg
   end

data/lib/opro/controllers/concerns/rate_limits.rb

@@ -0,0 +1,34 @@
+module Opro::Controllers::Concerns::RateLimits
+  extend ActiveSupport::Concern
+
+  included do
+    before_filter :oauth_record_rate_limit!,  :if => :valid_oauth?
+    before_filter :oauth_fail_request!,       :if => :oauth_client_over_rate_limit?
+  end
+
+  def oauth_client_record_access!(client_id, params)
+    # implement your access counting mechanism here
+  end
+
+  def oauth_client_rate_limited?(client_id, params)
+
+
+  end
+
+
+  # override to implement custom rate limits
+  def oauth_client_over_rate_limit?
+    return oauth_client_rate_limited?(oauth_client_app.id, params) unless oauth_client_app.blank?
+    false
+  end
+
+  def oauth_record_rate_limit!
+    return false if oauth_client_app.blank?
+    oauth_client_record_access!(oauth_client_app.id, params)
+  end
+
+  def oauth_client_under_rate_limit?
+    !oauth_client_over_rate_limit?
+  end
+
+end

data/opro.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "opro"
-  s.version = "0.3.0.pre1"
+  s.version = "0.3.0.pre2"
 
   s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2012-07-01"
+  s.date = "2012-07-05"
   s.description = " Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [
@@ -39,6 +39,7 @@ Gem::Specification.new do |s|
     "app/views/opro/oauth/docs/index.html.erb",
     "app/views/opro/oauth/docs/markdown/curl.md.erb",
     "app/views/opro/oauth/docs/markdown/oauth.md.erb",
+    "app/views/opro/oauth/docs/markdown/password_exchange.md.erb",
     "app/views/opro/oauth/docs/markdown/permissions.md.erb",
     "app/views/opro/oauth/docs/markdown/quick_start.md.erb",
     "app/views/opro/oauth/docs/markdown/refresh_tokens.md.erb",
@@ -54,6 +55,7 @@ Gem::Specification.new do |s|
     "lib/opro/controllers/application_controller_helper.rb",
     "lib/opro/controllers/concerns/error_messages.rb",
     "lib/opro/controllers/concerns/permissions.rb",
+    "lib/opro/controllers/concerns/rate_limits.rb",
     "lib/opro/engine.rb",
     "lib/opro/rails/routes.rb",
     "opro.gemspec",
@@ -105,6 +107,7 @@ Gem::Specification.new do |s|
     "test/integration/action_dispatch/auth_controller_test.rb",
     "test/integration/action_dispatch/oauth_flow_test.rb",
     "test/integration/action_dispatch/password_token_test.rb",
+    "test/integration/action_dispatch/rate_limits_test.rb",
     "test/integration/action_dispatch/refresh_token_test.rb",
     "test/integration/auth_controller_test.rb",
     "test/integration/client_app_controller_test.rb",

data/test/dummy/config/initializers/opro.rb

@@ -14,4 +14,11 @@ Opro.setup do |config|
   # uncomment `config.require_refresh_within` to require refresh tokens
   # this will expire tokens within the given time duration
   # config.require_refresh_within = 1.month
+
+  ## Allow Password Exchange
+  # You can allow client applications to exchange a user's credentials
+  # password, etc. for an access token.
+  # Caution: This bypasses the traditional OAuth flow
+  # as a result users cannot opt out of client permissions, all permissions are granted
+  config.password_exchange_enabled = true
 end

data/test/integration/action_dispatch/auth_controller_test.rb

@@ -27,6 +27,28 @@ class AuthControllerTest < ActionDispatch::IntegrationTest
     assert_equal @redirect_uri, path
   end
 
+  # Tests against common OAuth Security issue
+  # http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html
+  # still relies on client to submit :status param
+  test "oauth auth jacking is can be avoided by clients" do
+    auth_grant  = create_auth_grant_for_user(@user, @client_app)
+    state = SecureRandom.hex(16)
+    params = { :client_id     => @client_app.client_id ,
+               :client_secret => @client_app.client_secret,
+               :redirect_uri  => @redirect_uri,
+               :state         => state }
+
+    as_user(@user).post oauth_authorize_path(params)
+
+    assert response["Location"].include?("state=#{state}")
+
+    assert_equal 302, status
+    follow_redirect!
+
+    assert_equal @redirect_uri, path
+    assert_equal 200, status
+  end
+
 
   test "AUTHORIZE: app cannot force permissions change for previously authed user" do
     auth_grant  = create_auth_grant_for_user(@user, @client_app)

data/test/integration/action_dispatch/oauth_flow_test.rb

@@ -12,8 +12,7 @@ class OauthTokenTest < ActionDispatch::IntegrationTest
 
 
   test "exchange a code for a token" do
-    user         = create_user
-    auth_grant   = create_auth_grant_for_user(user)
+    auth_grant   = create_auth_grant_for_user(@user)
     client       = auth_grant.application
     params = {:code           => auth_grant.code,
               :client_id      => client.client_id,
@@ -24,10 +23,10 @@ class OauthTokenTest < ActionDispatch::IntegrationTest
 
     json_hash = JSON.parse(response.body)
     assert json_hash["access_token"]
-    assert json_hash["access_token"], auth_grant.access_token
+    assert_equal json_hash["access_token"], auth_grant.access_token
 
     assert json_hash["refresh_token"]
-    assert json_hash["refresh_token"], auth_grant.refresh_token
+    assert_equal json_hash["refresh_token"], auth_grant.refresh_token
   end
 
 

data/test/integration/action_dispatch/password_token_test.rb

@@ -70,7 +70,7 @@ class PasswordTokenTest < ActionDispatch::IntegrationTest
     params = {:client_id      => @client_app.client_id ,
               :client_secret  => @client_app.client_secret,
               :special_key    => "fooBarzyrhaz",
-              :auth_grant     => 'password' }
+              :grant_type     => 'password' }
 
     post oauth_token_path(params)
     json_hash = JSON.parse(response.body)

data/test/integration/action_dispatch/rate_limits_test.rb

@@ -0,0 +1,37 @@
+## NOT CAPYBARA
+#  ActionDispatch::IntegrationTest
+#  http://guides.rubyonrails.org/testing.html#integration-testing
+#  used so we can test POST actions ^_^
+
+require 'test_helper'
+
+class RateLimitTest < ActionDispatch::IntegrationTest
+
+  setup do
+    @user         = create_user
+    @auth_grant   = create_auth_grant_for_user(@user)
+    @client_app   = @auth_grant.application
+    @params       = {:client_id      => @client_app.client_id ,
+                     :client_secret  => @client_app.client_secret,
+                     :access_token   => @auth_grant.access_token}
+    @auth_grant.update_attributes(:permissions => {:write => true})
+  end
+
+  test "A rate limited app does not get a valid user" do
+    Opro::Oauth::TestsController.any_instance.stubs(:oauth_client_over_rate_limit?).returns(true)
+
+    post oauth_tests_path(@params)
+
+    assert_equal 401, status
+  end
+
+    test "A NON rate limited app does get a valid user" do
+    Opro::Oauth::TestsController.any_instance.expects(:oauth_client_record_access!).at_least_once
+    Opro::Oauth::TestsController.any_instance.stubs(:oauth_client_over_rate_limit?).returns(false)
+
+    post oauth_tests_path(@params)
+
+    assert_equal 200, status
+  end
+
+end

data/test/integration/docs_controller_test.rb

@@ -1,13 +1,16 @@
 require 'test_helper'
 
 class DocsControllerTest < ActiveSupport::IntegrationCase
+  DOCS_PATH = File.join(File.dirname(__FILE__), '../../app/views/opro/oauth/docs/markdown/*.md.erb')
+
   test 'renders index' do
     visit oauth_docs_path
     assert_equal '/oauth_docs', current_path
   end
 
   test 'renders show' do
-    [:curl, :oauth, :quick_start].each do |doc|
+    Dir[DOCS_PATH].each do |file|
+      doc =  file.split('/').last.gsub('.md.erb', '')
       doc_path = oauth_doc_path(:id => doc)
       visit doc_path
       assert_equal doc_path, current_path

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opro
 version: !ruby/object:Gem::Version
-  version: 0.3.0.pre1
+  version: 0.3.0.pre2
   prerelease: 6
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-07-01 00:00:00.000000000Z
+date: 2012-07-05 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70236297859480 !ruby/object:Gem::Requirement
+  requirement: &70279061895320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70236297859480
+  version_requirements: *70279061895320
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70236297858660 !ruby/object:Gem::Requirement
+  requirement: &70279061894660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70236297858660
+  version_requirements: *70279061894660
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &70236297857420 !ruby/object:Gem::Requirement
+  requirement: &70279061893760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70236297857420
+  version_requirements: *70279061893760
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &70236297856460 !ruby/object:Gem::Requirement
+  requirement: &70279061893060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297856460
+  version_requirements: *70279061893060
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &70236297855480 !ruby/object:Gem::Requirement
+  requirement: &70279061892280 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297855480
+  version_requirements: *70279061892280
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70236297854520 !ruby/object:Gem::Requirement
+  requirement: &70279061891440 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70236297854520
+  version_requirements: *70279061891440
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70236297849720 !ruby/object:Gem::Requirement
+  requirement: &70279061886220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: 1.1.3
   type: :development
   prerelease: false
-  version_requirements: *70236297849720
+  version_requirements: *70279061886220
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &70236297849140 !ruby/object:Gem::Requirement
+  requirement: &70279061885480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.4.0
   type: :development
   prerelease: false
-  version_requirements: *70236297849140
+  version_requirements: *70279061885480
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70236297848460 !ruby/object:Gem::Requirement
+  requirement: &70279061884480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297848460
+  version_requirements: *70279061884480
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: &70236297847820 !ruby/object:Gem::Requirement
+  requirement: &70279061883420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297847820
+  version_requirements: *70279061883420
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &70236297847060 !ruby/object:Gem::Requirement
+  requirement: &70279061882240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,10 +131,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297847060
+  version_requirements: *70279061882240
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70236297846500 !ruby/object:Gem::Requirement
+  requirement: &70279061880620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -142,10 +142,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297846500
+  version_requirements: *70279061880620
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70236297845900 !ruby/object:Gem::Requirement
+  requirement: &70279061878840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -153,7 +153,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70236297845900
+  version_requirements: *70279061878840
 description: ! ' Enable OAuth clients (iphone, android, web sites, etc.) to access
   and use your Rails application, what you do with it is up to you'
 email: richard.schneeman@gmail.com
@@ -185,6 +185,7 @@ files:
 - app/views/opro/oauth/docs/index.html.erb
 - app/views/opro/oauth/docs/markdown/curl.md.erb
 - app/views/opro/oauth/docs/markdown/oauth.md.erb
+- app/views/opro/oauth/docs/markdown/password_exchange.md.erb
 - app/views/opro/oauth/docs/markdown/permissions.md.erb
 - app/views/opro/oauth/docs/markdown/quick_start.md.erb
 - app/views/opro/oauth/docs/markdown/refresh_tokens.md.erb
@@ -200,6 +201,7 @@ files:
 - lib/opro/controllers/application_controller_helper.rb
 - lib/opro/controllers/concerns/error_messages.rb
 - lib/opro/controllers/concerns/permissions.rb
+- lib/opro/controllers/concerns/rate_limits.rb
 - lib/opro/engine.rb
 - lib/opro/rails/routes.rb
 - opro.gemspec
@@ -251,6 +253,7 @@ files:
 - test/integration/action_dispatch/auth_controller_test.rb
 - test/integration/action_dispatch/oauth_flow_test.rb
 - test/integration/action_dispatch/password_token_test.rb
+- test/integration/action_dispatch/rate_limits_test.rb
 - test/integration/action_dispatch/refresh_token_test.rb
 - test/integration/auth_controller_test.rb
 - test/integration/client_app_controller_test.rb
@@ -275,7 +278,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3624448401310655652
+      hash: 68018896701439782
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: