opro 0.3.3 → 0.4.0

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.0
+
+- Enable configurable authorization headers based on regex.
+
 ## 0.3.3
 
 - [#8] Fix Doc urls (@robe5)

data/README.md

@@ -9,7 +9,7 @@ A production ready Rails Engine that turns your app into an [Oauth2](http://oaut
 
 Lets say you've built a Rails app, awesome. Now you want to build a mobile app on say, the iPhone... cool. You start throwing around `#to_json` like nobody's business, but then you realize you need to authenticate users somehow. "Basic Auth!!", you exclaim, but then you realize that's not the most secure solution. You also realize that some users already signed up with Facebook & Twitter so they don't have a username/password combo. What ever shall you do?
 
-Wouldn't it be great if we could have a token exchange where the user goes to a mobile web view and grants permission, and then we return back an auth token just like the big boys (Facebook, Twitter, *cough* Foursquare *cough*). With Opro, we can add this functionality pretty easily. We'll use your existing authentication strategy and provide some end integration points for your clients to use out of the box.
+Wouldn't it be great if we could have a token exchange where the user goes to a mobile web view and grants permission, and then we return back an auth token just like the big boys (Facebook, Twitter, *cough* Foursquare *cough*). With Opro, we can add this functionality pretty easily. We'll use your existing authentication strategy and provide some integration end points for your clients to use out of the box.
 
 
 ## Install
@@ -91,13 +91,12 @@ Opro is simple by default, but easily configurable for a number of common use ca
 
 If you're not using devise you can manually configure your own auth strategy. In the future I plan on adding more auth strategies, ping me or submit a pull request for your desired authentication scheme.
 
-```ruby
+
       Opro.setup do |config|
         config.login_method             { |controller, current_user| controller.sign_in(current_user, :bypass => true) }
         config.logout_method            { |controller, current_user| controller.sign_out(current_user) }
         config.authenticate_user_method { |controller| controller.authenticate_user! }
       end
-```
 
 ## Permissions
 
@@ -129,14 +128,15 @@ The result is expected to be true or false.
 
 ## Refresh Tokens
 
-For added security you can require access_tokens be refreshed by client applications. This will help to mitigate risk of a leaked access_token, and enable an all around more secure system. This security comes at a price however, since implemeting the refresh_token functionality in a client can be quite difficult.
-
-By default refresh tokens are disabled, you can enable them in your application and set the timeout period of the tokens by adding this line to your configuration.
+For added security you can require access_tokens be refreshed by client applications. This will help to mitigate risk of a leaked access_token, and enable an all around more secure system. This security comes at a price however, since implementing the `refresh_token` functionality in a client can be more difficult.
 
+By default refresh tokens are enabled, you can disable them in your application and set the timeout period of the tokens by adding this line to your configuration.
 
     config.require_refresh_within = 1.month
 
 
+
+
 ## Password Token Exchange
 
 If a client application has a user's password and username/email they can exchange these for a token. This is much safer than storing username and password on a local device, but does not offer the traditional OAuth "Flow". Because of this all available permissions will be granted to the client application. If you want to disable this feature you can set the configuration below to false:
@@ -185,6 +185,29 @@ Then to let our server know if a given client has reached add this method, the o
 Rate limited clients will receive an "unsuccessful" response to any query with a message letting them know they've been rate limited. Using redis with a rotating key generator based on (hour, daty, etc.) is one very common way to count rate, and implement the rate limits. Since there are so many different ways to implement this, we decided to give you a blank slate and implement it however you like. The default is that apps are not rate limited, and in general unlimited API access is the way to go, but if you do find abusive behavior you can always easily add in a rate limit.
 
 
+## Configurable Authorization Header
+
+By default oPRO allows clients to send their authorization token in a header. For example someone using an auth token of `9693accessTokena7ca570bbaf` could set the `Authorization` header in a request like this:
+
+    $ curl -H "Authorization: Bearer 9693accessTokena7ca570bbaf" "http://localhost:3000/oauth_test/show_me_the_money"
+
+By default oPRO will accept `Bearer` and `token` in the authorization header, but if your client needs to send a custom auth header, you can add a custom extra regular expression to parse parse and return the token. For example if a client was setting the auth header like this:
+
+    $ curl -H "Authorization: cUsTomAuthHeader 9693accessTokena7ca570bbaf" "http://localhost:3000/oauth_test/show_me_the_money"
+
+You could pull out the auth token using this regular expression `/cUsTomAuthHeader\s(.*)/`. If you're not great with regular expressions I highly recommend using [Rubular](http://rubular.com) to test regex matches. It is very important that we are "capturing" data with in between the `()` characters. The data returned inside of the parens are expected to be the auth token with no spaces or special characters such as new lines or quotes. To set parse this auth header in oPRO, you can specify the `header_auth_regex` in an initializer like this:
+
+
+      Opro.setup do |config|
+        config.auth_strategy = :devise
+
+        config.header_auth_regex = /cUsTomAuthHeader\s(.*)/
+      end
+
+Now when a client sends your custom auth header it will be parsed correctly. Custom authorization headers should not be used for security through obscurity. They may be exposed in the docs or tests in a later iteration of oPRO, if you have strong feelings against this, then please open a pull request or send me a message stating your case.
+
+
+
 ## Assumptions
 
 * You have a user model and that is what your authenticating

data/VERSION

@@ -1 +1 @@
-0.3.3
+0.4.0

data/lib/opro.rb

@@ -121,6 +121,18 @@ module Opro
   end
 
 
+  # default to no match
+  def self.header_auth_regex
+    @header_auth_regex || /$^/
+  end
+
+  # Allows a user to set define a custom authorization regular expression
+  def self.header_auth_regex=(regexstring)
+    raise "not a regex" unless regexstring.is_a? Regexp
+    @header_auth_regex = regexstring
+  end
+
+
   # Grossssss, don't use, needed to support `return` from the blocks provided to `find_user_for_auth`
   def self.convert_to_lambda &block
     obj = Object.new

data/lib/opro/controllers/application_controller_helper.rb

@@ -66,7 +66,7 @@ module Opro
       # grabs access_token from header if one is present
       def oauth_access_token_from_header
         auth_header = request.env["HTTP_AUTHORIZATION"]||""
-        match       = auth_header.match(/^token\s(.*)/) || auth_header.match(/^Bearer\s(.*)/)
+        match       = auth_header.match(/token\W*([^\W]*)/) || auth_header.match(/^Bearer\s(.*)/) || auth_header.match(Opro.header_auth_regex)
         return match[1] if match.present?
         false
       end

data/opro.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "opro"
-  s.version = "0.3.3"
+  s.version = "0.4.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["schneems"]
-  s.date = "2012-08-01"
+  s.date = "2012-08-09"
   s.description = " Enable OAuth clients (iphone, android, web sites, etc.) to access and use your Rails application, what you do with it is up to you"
   s.email = "richard.schneeman@gmail.com"
   s.extra_rdoc_files = [

data/test/integration/action_dispatch/oauth_flow_test.rb

@@ -47,6 +47,16 @@ class OauthTokenTest < ActionDispatch::IntegrationTest
     post oauth_tests_path, {}, headers
 
     assert_equal 200, status
+
+    headers = {"HTTP_AUTHORIZATION" => "token=\"#{access_token}\""}
+    post oauth_tests_path, {}, headers
+
+    Opro.setup {|config| config.header_auth_regex = /Zoro\s(.*)/ }
+
+    headers = {"HTTP_AUTHORIZATION" => "Zoro #{access_token}"}
+    post oauth_tests_path, {}, headers
+
+    assert_equal 200, status
   end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opro
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-01 00:00:00.000000000Z
+date: 2012-08-09 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70221194337460 !ruby/object:Gem::Requirement
+  requirement: &70236452285760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70221194337460
+  version_requirements: *70236452285760
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70221194339080 !ruby/object:Gem::Requirement
+  requirement: &70236452291300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *70221194339080
+  version_requirements: *70236452291300
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &70221194340700 !ruby/object:Gem::Requirement
+  requirement: &70236452293960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70221194340700
+  version_requirements: *70236452293960
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &70221194342280 !ruby/object:Gem::Requirement
+  requirement: &70236452295480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194342280
+  version_requirements: *70236452295480
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &70221194351740 !ruby/object:Gem::Requirement
+  requirement: &70236452297460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194351740
+  version_requirements: *70236452297460
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &70221194350540 !ruby/object:Gem::Requirement
+  requirement: &70236456034720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: 1.6.4
   type: :development
   prerelease: false
-  version_requirements: *70221194350540
+  version_requirements: *70236456034720
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &70221194349660 !ruby/object:Gem::Requirement
+  requirement: &70236456033900 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +87,10 @@ dependencies:
         version: 1.1.3
   type: :development
   prerelease: false
-  version_requirements: *70221194349660
+  version_requirements: *70236456033900
 - !ruby/object:Gem::Dependency
   name: capybara
-  requirement: &70221194348900 !ruby/object:Gem::Requirement
+  requirement: &70236456033180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.4.0
   type: :development
   prerelease: false
-  version_requirements: *70221194348900
+  version_requirements: *70236456033180
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70221194348160 !ruby/object:Gem::Requirement
+  requirement: &70236456032180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194348160
+  version_requirements: *70236456032180
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: &70221194347460 !ruby/object:Gem::Requirement
+  requirement: &70236456031660 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194347460
+  version_requirements: *70236456031660
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &70221194346840 !ruby/object:Gem::Requirement
+  requirement: &70236456030960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,10 +131,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194346840
+  version_requirements: *70236456030960
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &70221194346340 !ruby/object:Gem::Requirement
+  requirement: &70236456030160 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -142,10 +142,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194346340
+  version_requirements: *70236456030160
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70221194345800 !ruby/object:Gem::Requirement
+  requirement: &70236456029360 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -153,7 +153,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70221194345800
+  version_requirements: *70236456029360
 description: ! ' Enable OAuth clients (iphone, android, web sites, etc.) to access
   and use your Rails application, what you do with it is up to you'
 email: richard.schneeman@gmail.com
@@ -280,7 +280,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2666856507921880303
+      hash: -2359912822064241279
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: