rack-oauth2-revibe 1.0.7

data/lib/rack/oauth2/server/resource/bearer.rb

@@ -0,0 +1,47 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class Bearer < Resource
+          def call(env)
+            self.request = Request.new(env)
+            super
+          end
+
+          private
+
+          class Request < Resource::Request
+            def setup!
+              tokens = [access_token_in_header, access_token_in_payload].compact
+              @access_token = case Array(tokens).size
+              when 1
+                tokens.first
+              else
+                invalid_request!('Both Authorization header and payload includes access token.')
+              end
+              self
+            end
+
+            def oauth2?
+              (access_token_in_header || access_token_in_payload).present?
+            end
+
+            def access_token_in_header
+              if @auth_header.provided? && !@auth_header.parts.first.nil? && @auth_header.scheme.to_s == 'bearer'
+                @auth_header.params
+              else
+                nil
+              end
+            end
+
+            def access_token_in_payload
+              params['access_token']
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/server/resource/bearer/error'

data/lib/rack/oauth2/server/resource/bearer/error.rb

@@ -0,0 +1,24 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class Bearer
+          class Unauthorized < Resource::Unauthorized
+            def scheme
+              :Bearer
+            end
+          end
+
+          module ErrorMethods
+            include Resource::ErrorMethods
+            def unauthorized!(error = nil, description = nil, options = {})
+              raise Unauthorized.new(error, description, options)
+            end
+          end
+
+          Request.send :include, ErrorMethods
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/resource/error.rb

@@ -0,0 +1,81 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class BadRequest < Abstract::BadRequest
+        end
+
+        class Unauthorized < Abstract::Unauthorized
+          def scheme
+            raise 'Define me!'
+          end
+
+          def finish
+            super do |response|
+              self.realm ||= DEFAULT_REALM
+              header = response.header['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
+              if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
+                header << ", error=\"#{error}\""
+                header << ", error_description=\"#{description}\"" if description.present?
+                header << ", error_uri=\"#{uri}\""                 if uri.present?
+              end
+            end
+          end
+        end
+
+        class Forbidden < Abstract::Forbidden
+          attr_accessor :scope
+
+          def initialize(error = :forbidden, description = nil, options = {})
+            super
+            @scope = options[:scope]
+          end
+
+          def protocol_params
+            super.merge(:scope => Array(scope).join(' '))
+          end
+        end
+
+        module ErrorMethods
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
+            :invalid_token => "The access token provided is expired, revoked, malformed or invalid for other reasons.",
+            :insufficient_scope => "The request requires higher privileges than provided by the access token."
+          }
+
+          def self.included(klass)
+            DEFAULT_DESCRIPTION.each do |error, default_description|
+              error_method = case error
+              when :invalid_request
+                :bad_request!
+              when :insufficient_scope
+                :forbidden!
+              else
+                :unauthorized!
+              end
+              klass.class_eval <<-ERROR
+                def #{error}!(description = "#{default_description}", options = {})
+                  #{error_method} :#{error}, description, options
+                end
+              ERROR
+            end
+          end
+
+          def bad_request!(error, description = nil, options = {})
+            raise BadRequest.new(error, description, options)
+          end
+
+          def unauthorized!(error = nil, description = nil, options = {})
+            raise 'Define me!'
+          end
+
+          def forbidden!(error, description = nil, options = {})
+            raise Forbidden.new(error, description, options)
+          end
+        end
+
+        Request.send :include, ErrorMethods
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/resource/mac.rb

@@ -0,0 +1,36 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class MAC < Resource
+          def call(env)
+            self.request = Request.new(env)
+            super
+          end
+
+          private
+
+          class Request < Resource::Request
+            attr_reader :nonce, :ts, :ext, :signature
+
+            def setup!
+              auth_params = Rack::Auth::Digest::Params.parse(@auth_header.params).with_indifferent_access
+              @access_token = auth_params[:id]
+              @nonce = auth_params[:nonce]
+              @ts = auth_params[:ts]
+              @ext = auth_params[:ext]
+              @signature = auth_params[:mac]
+              self
+            end
+
+            def oauth2?
+              @auth_header.provided? && @auth_header.scheme.to_s == 'mac'
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/server/resource/mac/error'

data/lib/rack/oauth2/server/resource/mac/error.rb

@@ -0,0 +1,24 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class MAC
+          class Unauthorized < Resource::Unauthorized
+            def scheme
+              :MAC
+            end
+          end
+
+          module ErrorMethods
+            include Resource::ErrorMethods
+            def unauthorized!(error = nil, description = nil, options = {})
+              raise Unauthorized.new(error, description, options)
+            end
+          end
+
+          Request.send :include, ErrorMethods
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token.rb

@@ -0,0 +1,87 @@
+require 'rack/auth/basic'
+
+module Rack
+  module OAuth2
+    module Server
+      class Token < Abstract::Handler
+        def call(env)
+          request = Request.new(env)
+          grant_type_for(request).new(&@authenticator).call(env).finish
+        rescue Rack::OAuth2::Server::Abstract::Error => e
+          e.finish
+        end
+
+        private
+
+        def grant_type_for(request)
+          case request.grant_type
+          when 'authorization_code'
+            AuthorizationCode
+          when 'password'
+            Password
+          when 'facebook_token'
+            FacebookToken
+          when 'client_credentials'
+            ClientCredentials
+          when 'refresh_token'
+            RefreshToken
+          when ''
+            request.attr_missing!
+          else
+            extensions.detect do |extension|
+              extension.grant_type_for? request.grant_type
+            end || request.unsupported_grant_type!
+          end
+        end
+
+        def extensions
+          Extension.constants.sort.collect do |key|
+            Extension.const_get key
+          end
+        end
+
+        class Request < Abstract::Request
+          attr_required :grant_type
+          attr_optional :client_secret
+
+          def initialize(env)
+            auth = Rack::Auth::Basic::Request.new(env)
+            if auth.provided? && auth.basic?
+              @client_id, @client_secret = auth.credentials
+              super
+            else
+              super
+              @client_secret = params['client_secret']
+            end
+            @grant_type = params['grant_type'].to_s
+          end
+        end
+
+        class Response < Abstract::Response
+          attr_required :access_token
+
+          def protocol_params
+            access_token.token_response
+          end
+
+          def finish
+            attr_missing!
+            write MultiJson.dump(Util.compact_hash(protocol_params))
+            header['Content-Type'] = 'application/json'
+            header['Cache-Control'] = 'no-store'
+            header['Pragma'] = 'no-cache'
+            super
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/server/token/authorization_code'
+require 'rack/oauth2/server/token/password'
+require 'rack/oauth2/server/token/facebook_token'
+require 'rack/oauth2/server/token/client_credentials'
+require 'rack/oauth2/server/token/refresh_token'
+require 'rack/oauth2/server/token/extension'
+require 'rack/oauth2/server/token/error'

data/lib/rack/oauth2/server/token/authorization_code.rb

@@ -0,0 +1,28 @@
+module Rack
+  module OAuth2
+    module Server
+      class Token
+        class AuthorizationCode < Abstract::Handler
+          def call(env)
+            @request  = Request.new(env)
+            @response = Response.new(request)
+            super
+          end
+
+          class Request < Token::Request
+            attr_required :code
+            attr_optional :redirect_uri
+
+            def initialize(env)
+              super
+              @grant_type   = :authorization_code
+              @code         = params['code']
+              @redirect_uri = params['redirect_uri']
+              attr_missing!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token/client_credentials.rb

@@ -0,0 +1,23 @@
+module Rack
+  module OAuth2
+    module Server
+      class Token
+        class ClientCredentials < Abstract::Handler
+          def call(env)
+            @request  = Request.new(env)
+            @response = Response.new(request)
+            super
+          end
+
+          class Request < Token::Request
+            def initialize(env)
+              super
+              @grant_type = :client_credentials
+              attr_missing!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token/error.rb

@@ -0,0 +1,54 @@
+module Rack
+  module OAuth2
+    module Server
+      class Token
+        class BadRequest < Abstract::BadRequest
+        end
+
+        class Unauthorized < Abstract::Unauthorized
+          def finish
+            super do |response|
+              response.header['WWW-Authenticate'] = 'Basic realm="OAuth2 Token Endpoint"'
+            end
+          end
+        end
+
+        module ErrorMethods
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
+            :invalid_client => "The client identifier provided is invalid, the client failed to authenticate, the client did not include its credentials, provided multiple client credentials, or used unsupported credentials type.",
+            :invalid_grant => "The provided access grant is invalid, expired, or revoked (e.g. invalid assertion, expired authorization token, bad end-user password credentials, or mismatching authorization code and redirection URI).",
+            :unauthorized_client => "The authenticated client is not authorized to use the access grant type provided.",
+            :unsupported_grant_type => "The access grant included - its type or another attribute - is not supported by the authorization server.",
+            :invalid_scope => "The requested scope is invalid, unknown, malformed, or exceeds the previously granted scope."
+          }
+
+          def self.included(klass)
+            DEFAULT_DESCRIPTION.each do |error, default_description|
+              error_method = if error == :invalid_client
+                :unauthorized!
+              else
+                :bad_request!
+              end
+              klass.class_eval <<-ERROR
+                def #{error}!(description = "#{default_description}", options = {})
+                  #{error_method} :#{error}, description, options
+                end
+              ERROR
+            end
+          end
+
+          def bad_request!(error, description = nil, options = {})
+            raise BadRequest.new(error, description, options)
+          end
+
+          def unauthorized!(error, description = nil, options = {})
+            raise Unauthorized.new(error, description, options)
+          end
+        end
+
+        Request.send :include, ErrorMethods
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token/extension.rb

@@ -0,0 +1,12 @@
+module Rack
+  module OAuth2
+    module Server
+      class Token
+        module Extension
+          # Define your extension in this namespace and load it explicitly.
+          # extension/assertion/jwt.rb would be good example for you.
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token/extension/jwt.rb

@@ -0,0 +1,37 @@
+module Rack
+  module OAuth2
+    module Server
+      class Token
+        module Extension
+          class JWT < Abstract::Handler
+            GRANT_TYPE_URN = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+
+            class << self
+              def grant_type_for?(grant_type)
+                grant_type == GRANT_TYPE_URN
+              end
+            end
+
+            def call(env)
+              @request  = Request.new env
+              @response = Response.new request
+              super
+            end
+
+            class Request < Token::Request
+              attr_required :assertion
+              attr_optional :client_id
+
+              def initialize(env)
+                super
+                @grant_type = GRANT_TYPE_URN
+                @assertion = params['assertion']
+                attr_missing!
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end