privy_wine_bouncer 1.0.4.5

data/spec/dummy/public/500.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/factories/access_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :access_token, class: Doorkeeper::AccessToken do
+    sequence(:resource_owner_id) { |n| n }
+    application
+    expires_in { 2.hours }
+
+    factory :clientless_access_token do
+      application { nil }
+    end
+  end
+end

data/spec/factories/application.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :application, class: Doorkeeper::Application do
+    sequence(:name) { |n| "Application #{n}" }
+    redirect_uri { 'https://app.com/callback' }
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :user do
+    sequence(:name) { |n| "user-#{n}" }
+  end
+end

data/spec/intergration/oauth2_default_strategy_spec.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'json'
+
+describe Api::MountedDefaultApiUnderTest, type: :api do
+  let(:user) { FactoryBot.create :user }
+  let(:token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'public' }
+  let(:unscoped_token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: '' }
+  let(:custom_scope) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'custom_scope' } #not a default scope
+
+  before(:example) do
+    WineBouncer.configure do |c|
+      c.auth_strategy = :default
+
+      c.define_resource_owner do
+        User.find(doorkeeper_access_token.resource_owner_id) if doorkeeper_access_token
+      end
+    end
+  end
+
+  context 'tokens and scopes' do
+    it 'gives access when the token and scope are correct' do
+      get '/default_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+    end
+
+    it 'gives access when tokens are correct and an non doorkeeper default scope is used.' do
+      get '/default_api/oauth2_custom_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('oauth2_custom_scope')
+    end
+
+    it 'raises an authentication error when the token is invalid' do
+      expect { get '/default_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}-invalid" }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an oauth authentication error when no token is given' do
+      expect { get '/default_api/protected' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an auth forbidden authentication error when the user scope is not correct' do
+      expect { get '/default_api/protected_with_private_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'unprotected endpoint' do
+    it 'allows to call an unprotected endpoint without token' do
+      get '/default_api/unprotected'
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+
+    it 'allows to call an unprotected endpoint with token' do
+      get '/default_api/unprotected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+  end
+
+  context 'protected_without_scopes' do
+    it 'allows to call an protected endpoint without scopes' do
+      get '/default_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('protected unscoped world')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/default_api/protected_without_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an error because the user does not have the default scope' do
+      expect { get '/default_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{unscoped_token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'oauth2_dsl' do
+    it 'allows to call an protected endpoint without scopes' do
+      get '/default_api/oauth2_dsl', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('oauth2 dsl')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/default_api/oauth2_dsl' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    context 'without parameters' do
+      it 'accepts tokens with default scopes' do
+        get '/swagger_api/oauth2_dsl_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth dsl default scopes')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/default_api/oauth2_dsl_default_scopes' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes are not default scopes ' do
+        expect { get '/default_api/oauth2_dsl_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+
+    context 'custom scopes' do
+      it 'allows to call custom scopes' do
+        get '/default_api/oauth2_dsl_custom_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth2 dsl custom scope')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/default_api/oauth2_dsl_custom_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes do not match' do
+        expect { get '/default_api/oauth2_dsl_custom_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+
+    context 'oauth2_dsl_multiple_scopes' do
+      it 'allows call on the first scope' do
+        scope_token = FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'multiple'
+        get '/default_api/oauth2_dsl_multiple_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{scope_token.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth2 dsl multiple scopes')
+      end
+
+      it 'allows call on the second scope' do
+        scope_token = FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'scopes'
+        get '/default_api/oauth2_dsl_multiple_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{scope_token.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth2 dsl multiple scopes')
+      end
+
+      it 'raises an error scope does not match any of the scopes' do
+        expect { get '/default_api/oauth2_dsl_multiple_scopes' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+    end
+  end
+
+  context 'not_described_world' do
+    it 'allows to call an endpoint without description' do
+      get '/default_api/not_described_world'
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('non described world')
+    end
+  end
+
+  context 'resource_owner' do
+    it 'is available in the endpoint' do
+      get '/default_api/protected_user', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq(user.name)
+    end
+  end
+end

data/spec/intergration/oauth2_protected_strategy_spec.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'json'
+
+describe Api::MountedProtectedApiUnderTest, type: :api do
+  let(:user) { FactoryBot.create :user }
+  let(:token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'public' }
+  let(:unscoped_token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: '' }
+  let(:custom_scope) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'custom_scope' } #not a default scope
+
+  before(:example) do
+    WineBouncer.configure do |c|
+      c.auth_strategy = :protected
+
+      c.define_resource_owner do
+        User.find(doorkeeper_access_token.resource_owner_id) if doorkeeper_access_token
+      end
+    end
+  end
+
+  context 'when WineBouncer is disabled' do
+    before :all do
+      WineBouncer.configure do |c|
+        c.disable { true }
+      end
+    end
+
+    after :all do
+      WineBouncer.configure do |c|
+        c.disable { false }
+      end
+    end
+
+    it 'allows request to protected resource without token' do
+      get '/protected_api/protected'
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+    end
+  end
+
+  context 'tokens and scopes' do
+    it 'gives access when the token and scope are correct' do
+      get '/protected_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+    end
+
+    it 'raises an authentication error when the token is invalid' do
+      expect { get '/protected_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}-invalid" }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an oauth authentication error when no token is given' do
+      expect { get '/protected_api/protected' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an auth forbidden authentication error when the user scope is not correct' do
+      expect { get '/protected_api/protected_with_private_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'unprotected endpoint' do
+    it 'allows to call an unprotected endpoint without token' do
+      get '/protected_api/unprotected'
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+
+    it 'allows to call an unprotected endpoint with token' do
+      get '/protected_api/unprotected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+  end
+
+  context 'protected_without_scopes' do
+    it 'does not allow an unauthenticated user to call a protected endpoint' do
+      expect { get '/protected_api/protected_without_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'allows to call an protected endpoint without scopes' do
+      get '/protected_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('protected unscoped world')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/protected_api/protected_without_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an error because the user does not have the default scope' do
+      expect { get '/protected_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{unscoped_token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'oauth2_dsl' do
+    it 'allows to call an protected endpoint without scopes' do
+      get '/protected_api/oauth2_dsl', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('oauth2_dsl')
+    end
+
+    it 'raises an error when an protected endpoint is called without token' do
+      expect { get '/protected_api/oauth2_dsl' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    context 'without parameters' do
+      it 'allows to call an endpoint with default scopes' do
+        get '/protected_api/oauth2_protected_with_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('default oauth2 dsl')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/protected_api/oauth2_protected_with_default_scopes' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes are not default scopes ' do
+        expect { get '/protected_api/oauth2_protected_with_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+
+    context 'custom scopes' do
+      it 'protects endpoints with custom scopes' do
+        get '/protected_api/oauth2_dsl_custom_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('custom scope')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/protected_api/oauth2_dsl_custom_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes do not match' do
+        expect { get '/protected_api/oauth2_dsl_custom_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+
+    context 'public endpoint' do
+      it 'allows to call an unprotected endpoint without token' do
+        get '/protected_api/unprotected_endpoint'
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('public oauth2 dsl')
+      end
+
+      it 'allows requests with tokens to public endpoints with tokens' do
+        expect { get '/protected_api/oauth2_protected_with_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.not_to raise_error
+      end
+    end
+  end
+
+  context 'not_described_world' do
+    it 'authentication is required for a non described endpoint' do
+      get '/protected_api/not_described_world', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('non described world')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/protected_api/not_described_world' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+  end
+
+  context 'resource_owner' do
+    it 'is available in the endpoint' do
+      get '/protected_api/protected_user', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq(user.name)
+    end
+  end
+end

data/spec/intergration/oauth2_swagger_strategy_spec.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'json'
+
+describe Api::MountedSwaggerApiUnderTest, type: :api do
+  let(:user) { FactoryBot.create :user }
+  let(:token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'public' }
+  let(:unscoped_token) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: '' }
+  let(:custom_scope) { FactoryBot.create :clientless_access_token, resource_owner_id: user.id, scopes: 'custom_scope' } #not a default scope
+
+  before(:example) do
+    WineBouncer.configure do |c|
+      c.auth_strategy = :swagger
+
+      c.define_resource_owner do
+        User.find(doorkeeper_access_token.resource_owner_id) if doorkeeper_access_token
+      end
+    end
+  end
+
+  context 'tokens and scopes' do
+    it 'gives access when the token and scope are correct' do
+      get '/swagger_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+    end
+
+    it 'raises an authentication error when the token is invalid' do
+      expect { get '/swagger_api/protected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}-invalid" }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an oauth authentication error when no token is given' do
+      expect { get '/swagger_api/protected' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an auth forbidden authentication error when the user scope is not correct' do
+      expect { get '/swagger_api/protected_with_private_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'unprotected endpoint' do
+    it 'allows to call an unprotected endpoint without token' do
+      get '/swagger_api/unprotected'
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+
+    it 'allows to call an unprotected endpoint with token' do
+      get '/swagger_api/unprotected', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('unprotected world')
+    end
+  end
+
+  context 'protected_without_scopes' do
+    it 'allows to call an protected endpoint without scopes' do
+      get '/swagger_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('protected unscoped world')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/swagger_api/protected_without_scope' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    it 'raises an error because the user does not have the default scope' do
+      expect { get '/swagger_api/protected_without_scope', nil, 'HTTP_AUTHORIZATION' => "Bearer #{unscoped_token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+    end
+  end
+
+  context 'oauth2 dsl' do
+    it 'allows to call an protected endpoint without scopes' do
+      get '/swagger_api/oauth2_dsl', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('oauth2_dsl')
+    end
+
+    it 'raises an error when an protected endpoint without scopes is called without token ' do
+      expect { get '/swagger_api/oauth2_dsl' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+    end
+
+    context 'without parameters' do
+      it 'accepts tokens with default scopes' do
+        get '/swagger_api/oauth2_dsl_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth dsl default scopes')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/swagger_api/oauth2_dsl_default_scopes' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes are not default scopes ' do
+        expect { get '/swagger_api/oauth2_dsl_default_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+
+    context 'custom scopes' do
+      it 'accepts tokens with default scopes' do
+        get '/swagger_api/oauth2_dsl_custom_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{custom_scope.token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json).to have_key('hello')
+        expect(json['hello']).to eq('oauth dsl custom scopes')
+      end
+
+      it 'raises an error when an protected endpoint without scopes is called without token ' do
+        expect { get '/swagger_api/oauth2_dsl_custom_scopes' }.to raise_exception(WineBouncer::Errors::OAuthUnauthorizedError)
+      end
+
+      it 'raises an error when token scopes do not match' do
+        expect { get '/swagger_api/oauth2_dsl_custom_scopes', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}" }.to raise_exception(WineBouncer::Errors::OAuthForbiddenError)
+      end
+    end
+  end
+
+  context 'not_described_world' do
+    it 'allows to call an endpoint without description' do
+      get '/swagger_api/not_described_world'
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq('non described world')
+    end
+  end
+
+  context 'resource_owner' do
+    it 'is available in the endpoint' do
+      get '/swagger_api/protected_user', nil, 'HTTP_AUTHORIZATION' => "Bearer #{token.token}"
+
+      expect(last_response.status).to eq(200)
+      json = JSON.parse(last_response.body)
+
+      expect(json).to have_key('hello')
+      expect(json['hello']).to eq(user.name)
+    end
+  end
+end

data/spec/lib/generators/wine_bouncer/initializer_generator_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'generator_spec'
+require 'rails_helper'
+require 'spec_helper'
+require 'generators/wine_bouncer/initializer_generator'
+
+describe WineBouncer::Generators::InitializerGenerator, type: :generator do
+  destination '/tmp/wine_bouncer'
+
+  before do
+    prepare_destination
+    run_generator
+  end
+
+  it 'creates a test initializer' do
+    assert_file 'config/initializers/wine_bouncer.rb', /WineBouncer\.configure/
+  end
+end