rack-oauth2-server 1.2.2 → 1.3.0

data/lib/rack/oauth2/admin/views/client.tmpl

@@ -0,0 +1,48 @@
+<div class="client">
+  <div class="details">
+    <a href="${link}" class="name">{{if imageUrl}}<img src="${imageUrl}">{{/if}} ${displayName}</a>
+    <a href="#/client/${id}/edit" rel="edit">Edit</a>
+    {{if !revoked}}
+      <a href="${revoke}" data-method="post" data-confirm="There is no undo. Are you really really sure?" rel="revoke">Revoke</a>
+    {{/if}}
+    <div class="meta">
+      Created {{html $.shortdate(revoked)}}
+      {{if revoked}}Revoked {{html $.shortdate(revoked)}}{{/if}}
+    </div>
+  </div>
+  <ul class="badges">
+    <li title="Access tokens granted, lifetime total"><big>${$.thousands(tokens.total)}</big><small>Granted</small></li>
+    <li title="Access tokens granted, last 7 days"><big>${$.thousands(tokens.week)}</big><small>This Week</small></li>
+    <li title="Access tokens revoked, last 7 days"><big>${$.thousands(tokens.revoked)}</big><small>Revoked (Week)</small></li>
+  </ul>
+  <table class="tokens">
+    <thead>
+      <th>Token</th>
+      <th>Identity</th>
+      <th>Scope</th>
+      <th>Created</th>
+      <th>Revoked</th>
+    </thead>
+    <tbody>
+      {{each tokens.list}}
+      <tr>
+        <td class="token">${token}</td>
+        <td class="identity">${identity}</td>
+        <td class="scope">${scope}</td>
+        <td class="created">{{html $.shortdate(created)}}</td>
+        <td class="revoke">
+          {{if revoked}}
+            {{html $.shortdate(revoked)}}
+          {{else}}
+            <a href="${revoke}" data-method="post" data-confirm="Are you sure?" rel="revoke">Revoke</a>
+          {{/if}}
+        </td>
+      </tr>
+      {{/each}}
+    </tbody>
+  </table>
+  <div class="pagination">
+    {{if tokens.previous}}<a href="#/client/${id}/${tokens.page - 1}" rel="previous">Previous</a>{{/if}}
+    {{if tokens.next}}<a href="#/client/${id}/${tokens.page + 1}" rel="next">Next</a>{{/if}}
+  </div>
+</div>

data/lib/rack/oauth2/admin/views/clients.tmpl

@@ -0,0 +1,36 @@
+<div class="client">
+  <a href="#/new" style="float:left">Add New Client</a>
+  <ul class="badges">
+    <li title="Access tokens granted, lifetime total"><big>${$.thousands(tokens.total)}</big><small>Granted</small></li>
+    <li title="Access tokens granted, last 7 days"><big>${$.thousands(tokens.week)}</big><small>This Week</small></li>
+    <li title="Access tokens revoked, last 7 days"><big>${$.thousands(tokens.revoked)}</big><small>Revoked (Week)</small></li>
+  </ul>
+  <table class="clients">
+    <thead>
+      <th>Application</th>
+      <th>ID/Secret</th>
+      <th>Created</th>
+      <th>Revoked</th>
+    </thead>
+    {{each clients}}
+    <tr class="${revoked ? "revoked" : "active"}">
+      <td class="name">
+        <a href="#/client/${id}">
+          {{if imageUrl}}<img src="${imageUrl}">{{/if}}
+          ${displayName}
+        </a>
+      </td>
+      <td class="secrets">
+        <a href="" rel="toggle">Reveal</a>
+        <dl>
+          <dt>ID</dt><dd>${id}</dd>
+          <dt>Secret</dt><dd>${secret}</dd>
+          <dt>Redirect</dt><dd>${redirectUri}</dd>
+        </dl>
+      </td>
+      <td class="created">{{html $.shortdate(created)}}</td>
+      <td class="revoke">{{if revoked}}{{html $.shortdate(revoked)}}{{/if}}</td>
+    </tr>
+    {{/each}}
+  </table>
+</div>

data/lib/rack/oauth2/admin/views/edit.tmpl

@@ -0,0 +1,57 @@
+{{if id}}<form action="#/client/${id}" method="put" class="client edit">
+{{else}}<form action="#/clients" method="post" class="client new">{{/if}}
+  <img id="image">
+  <label>Display Name
+    <input type="text" name="displayName" value="${displayName}" size="30" autofocus>
+    <p class="hint">This is the application name that users see when asked to authorize.</p>
+  </label>
+  <label>Site URL
+    <input type="text" name="link" value="${link}" size="30">
+    <p class="hint">This is a link to the application's site.</p>
+  </label>
+  <label>Image URL
+    <input type="text" name="imageUrl" value="${imageUrl}" size="30">
+    <p class="hint">This is a link to the application's icon (48x48).</p>
+  </label>
+  <label>Redirect URI
+    <input type="text" name="redirectUri" value="${redirectUri}" size="30">
+    <p class="hint">Users redirected back to this URL on successful authorization.</p>
+  </label>
+  {{if id}}<button>Save Changes</button>
+  {{else}}<button>Create Client</button>{{/if}}
+</form>
+<script type="text/javascript">
+  $(function() {
+    var image = $("#image");
+    image.load(function() {
+      image.show().removeClass("loading");
+    }).error(function() {
+      if (image.attr("src"))
+        image.removeClass("loading");
+    });
+
+    var imageUrl = $("input[name=imageUrl]");
+    imageUrl.change(function() {
+      var url = $(this).val().trim();
+      if (url == "") {
+        image.hide();
+      } else {
+        image.attr("src", "admin/images/loading.gif").show().addClass("loading");
+        setTimeout(function() { image.attr("src", url); }, 10);
+      }
+    }).trigger("change");
+
+    $("input[name=link]").change(function() {
+      if (imageUrl.val().trim() == "") {
+        $("#image").show().addClass("loading").attr("src", null);
+        var image = new Image();
+        image.src = $(this).val().trim().replace(/^(https?:\/\/)(.+?)(\/.*|$)/, "$1$2/favicon.ico");
+        image.onload = function() {
+          if (imageUrl.val().trim() == "") {
+            imageUrl.val(image.src).trigger("change");
+          } 
+        }
+      }
+    });
+  })
+</script>

data/lib/rack/oauth2/admin/views/index.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>OAuth Console</title>
+    <link href="admin/css/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
+    <script src="admin/js/jquery.js" type="text/javascript"></script>
+    <script src="admin/js/jquery.tmpl.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.tmpl.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.json.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.storage.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.title.js" type="text/javascript"></script>
+    <script src="admin/js/underscore.js" type="text/javascript"></script>
+    <script src="admin/js/application.js" type="text/javascript"></script>
+  </head>
+  <body>
+    <div id="notice" style="display:none"></div>
+    <div id="header"><a href="#/" class="title">OAuth Console</a></div>
+    <div id="main"></div>
+    <script>
+      var loading = new Image();
+      loading.src = "admin/images/loading.gif";
+      $(function() { Sammy("#main").run("#/"); });
+    </script>
+  </body>
+</html>

data/lib/rack/oauth2/models/access_grant.rb

@@ -13,8 +13,9 @@ module Rack
 
           # Create a new access grant.
           def create(identity, scope, client_id, redirect_uri)
-            fields = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope, :client_id=>BSON::ObjectId(client_id.to_s),
-                       :redirect_uri=>redirect_uri, :created_at=>Time.now.utc, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
+            fields = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
+                       :client_id=>BSON::ObjectId(client_id.to_s), :redirect_uri=>redirect_uri,
+                       :created_at=>Time.now.utc.to_i, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
             collection.insert fields
             Server.new_instance self, fields
           end
@@ -54,7 +55,7 @@ module Rack
           raise InvalidGrantError if self.access_token || self.revoked
           access_token = AccessToken.get_token_for(identity, scope, client_id)
           self.access_token = access_token.token
-          self.granted_at = Time.now.utc
+          self.granted_at = Time.now.utc.to_i
           self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)
           reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
           raise InvalidGrantError unless reload && reload["access_token"] == access_token.token
@@ -62,7 +63,8 @@ module Rack
         end
 
         def revoke!
-          self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>Time.now.utc } })
+          self.revoked = Time.now.utc.to_i
+          self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>revoked } })
         end
 
         Server.create_indexes do

data/lib/rack/oauth2/models/access_token.rb

@@ -8,6 +8,7 @@ module Rack
       # and scope. It may be revoked, or expire after a certain period.
       class AccessToken
         class << self
+
           # Find AccessToken from token. Does not return revoked tokens.
           def from_token(token)
             Server.new_instance self, collection.find_one({ :_id=>token, :revoked=>nil })
@@ -16,9 +17,11 @@ module Rack
           # Get an access token (create new one if necessary).
           def get_token_for(identity, scope, client_id)
             scope = scope.split.sort.join(" ") # Make sure always in same order.
-            unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>BSON::ObjectId(client_id.to_s) })
-              token = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope, :client_id=>BSON::ObjectId(client_id.to_s),
-                        :created_at=>Time.now.utc, :expires_at=>nil, :revoked=>nil }
+            client_id = BSON::ObjectId(client_id.to_s)
+            unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client_id })
+              token = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
+                        :client_id=>client_id, :created_at=>Time.now.utc.to_i,
+                        :expires_at=>nil, :revoked=>nil }
               collection.insert token
             end
             Server.new_instance self, token
@@ -29,6 +32,35 @@ module Rack
             collection.find({ :identity=>identity }).map { |fields| Server.new_instance self, fields }
           end
 
+          # Returns all access tokens for a given client, Use limit and offset
+          # to return a subset of tokens, sorted by creation date.
+          def for_client(client_id, offset = 0, limit = 100)
+            client_id = BSON::ObjectId(client_id.to_s)
+            collection.find({ :client_id=>client_id }, { :sort=>[[:created_at, Mongo::ASCENDING]], :skip=>offset, :limit=>limit }).
+              map { |token| Server.new_instance self, token }
+          end
+
+          # Returns count of access tokens.
+          #
+          # @param [Hash] filter Count only a subset of access tokens
+          # @option filter [Integer] days Only count that many days (since now)
+          # @option filter [Boolean] revoked Only count revoked (true) or non-revoked (false) tokens; count all tokens if nil
+          # @option filter [String, ObjectId] client_id Only tokens grant to this client
+          def count(filter = {})
+            select = {}
+            if filter[:days]
+              now = Time.now.utc.to_i
+              select[:created_at] = { :$gt=>now - filter[:days] * 86400, :$lte=>now }
+            end
+            if filter.has_key?(:revoked)
+              select[:revoked] = filter[:revoked] ? { :$ne=>nil } : { :$eq=>nil }
+            end
+            if filter[:client_id]
+              select[:client_id] = BSON::ObjectId(filter[:client_id].to_s)
+            end
+            collection.find(select).count
+          end
+
           def collection
             Server.database["oauth2.access_tokens"]
           end
@@ -52,7 +84,7 @@ module Rack
 
         # Revokes this access token.
         def revoke!
-          self.revoked = Time.now.utc
+          self.revoked = Time.now.utc.to_i
           AccessToken.collection.update({ :_id=>token }, { :$set=>{ :revoked=>revoked } })
         end
         

data/lib/rack/oauth2/models/auth_request.rb

@@ -18,7 +18,8 @@ module Rack
           # and any state value to pass back in that redirect.
           def create(client_id, scope, redirect_uri, response_type, state)
             fields = { :client_id=>BSON::ObjectId(client_id.to_s), :scope=>scope, :redirect_uri=>redirect_uri, :state=>state,
-                       :response_type=>response_type, :created_at=>Time.now.utc, :grant_code=>nil, :authorized_at=>nil, :revoked=>nil }
+                       :response_type=>response_type, :created_at=>Time.now.utc.to_i, :grant_code=>nil,
+                       :authorized_at=>nil, :revoked=>nil }
             fields[:_id] = collection.insert(fields)
             Server.new_instance self, fields
           end
@@ -56,7 +57,7 @@ module Rack
         def grant!(identity)
           raise ArgumentError, "Must supply a identity" unless identity
           return if revoked
-          self.authorized_at = Time.now.utc
+          self.authorized_at = Time.now.utc.to_i
           if response_type == "code" # Requested authorization code
             access_grant = AccessGrant.create(identity, scope, client_id, redirect_uri)
             self.grant_code = access_grant.code
@@ -71,7 +72,7 @@ module Rack
 
         # Deny access.
         def deny!
-          self.authorized_at = Time.now.utc
+          self.authorized_at = Time.now.utc.to_i
           self.class.collection.update({ :_id=>id }, { :$set=>{ :authorized_at=>authorized_at } })
         end
 

data/lib/rack/oauth2/models/client.rb

@@ -25,7 +25,8 @@ module Rack
           def create(args)
             redirect_uri = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
             fields =  { :secret=>Server.secure_random, :display_name=>args[:display_name], :link=>args[:link],
-                        :image_url=>args[:image_url], :redirect_uri=>redirect_uri, :created_at=>Time.now.utc, :revoked=>nil }
+                        :image_url=>args[:image_url], :redirect_uri=>redirect_uri, :created_at=>Time.now.utc.to_i,
+                        :revoked=>nil }
             fields[:_id] = collection.insert(fields)
             Server.new_instance self, fields
           end
@@ -38,6 +39,12 @@ module Rack
             Server.new_instance self, collection.find_one({ :display_name=>field }) || collection.find_one({ :link=>field })
           end
 
+          # Returns all the clients in the database, sorted alphabetically.
+          def all
+            collection.find({}, { :sort=>[[:display_name, Mongo::ASCENDING]] }).
+              map { |fields| Server.new_instance self, fields }
+          end
+
           def collection
             Server.database["oauth2.clients"]
           end
@@ -65,13 +72,19 @@ module Rack
         # Revoke all authorization requests, access grants and access tokens for
         # this client. Ward off the evil.
         def revoke!
-          self.revoked = Time.now.utc
+          self.revoked = Time.now.utc.to_i
           Client.collection.update({ :_id=>id }, { :$set=>{ :revoked=>revoked } })
           AuthRequest.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
           AccessGrant.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
           AccessToken.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
         end
 
+        def update(args)
+          fields = [:display_name, :link, :image_url].inject({}) { |h,k| v = args[k]; h[k] = v if v; h }
+          fields[:redirect_uri] = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
+          self.class.collection.update({ :_id=>id }, { :$set=>fields })
+        end
+
         Server.create_indexes do
           # For quickly returning clients sorted by display name, or finding
           # client from a URL.

data/lib/rack/oauth2/server.rb

@@ -2,7 +2,6 @@ require "rack/oauth2/models"
 require "rack/oauth2/server/errors"
 require "rack/oauth2/server/utils"
 require "rack/oauth2/server/helper"
-require "rack/oauth2/server/version"
 
 
 module Rack
@@ -11,6 +10,9 @@ module Rack
     # Implements an OAuth 2 Authorization Server, based on http://tools.ietf.org/html/draft-ietf-oauth-v2-10
     class Server
 
+      # Same as gem version number.
+      VERSION = IO.read(::File.expand_path("../../../VERSION", ::File.dirname(__FILE__)))
+
       class << self
         # Return AuthRequest from authorization request handle.
         def get_auth_request(authorization)
@@ -46,13 +48,17 @@ module Rack
       # - :authorize_path --  Path for requesting end-user authorization. By
       #   convention defaults to /oauth/authorize.
       # - :database -- Mongo::DB instance.
+      # - :host -- Only check requests sent to this host.
+      # - :path -- Only check requests for resources under this path.
+      # - :param_authentication -- If true, supports authentication using
+      #   query/form parameters.
       # - :realm -- Authorization realm that will show up in 401 responses.
       #   Defaults to use the request host name.
       # - :scopes -- Array listing all supported scopes, e.g. %w{read write}.
       # - :logger -- The logger to use. Under Rails, defaults to use the Rails
       #   logger.  Will use Rack::Logger if available.
       Options = Struct.new(:access_token_path, :authenticator, :authorization_types,
-        :authorize_path, :database, :realm, :scopes, :logger)
+        :authorize_path, :database, :host, :param_authentication, :path, :realm, :scopes, :logger)
 
       def initialize(app, options = Options.new, &authenticator)
         @app = app
@@ -61,76 +67,83 @@ module Rack
         @options.access_token_path ||= "/oauth/access_token"
         @options.authorize_path ||= "/oauth/authorize"
         @options.authorization_types ||=  %w{code token}
+        @options.param_authentication = false
       end
 
       # @see Options
       attr_reader :options
 
       def call(env)
-        # Use options.database if specified.
-        org_database, Server.database = Server.database, options.database || Server.database
-        logger = options.logger || env["rack.logger"]
         request = OAuthRequest.new(env)
+        return @app.call(env) if options.host && options.host != request.host
+        return @app.call(env) if options.path && request.path.index(options.path) != 0
 
-        # 3.  Obtaining End-User Authorization
-        # Flow starts here.
-        return request_authorization(request, logger) if request.path == options.authorize_path
-        # 4.  Obtaining an Access Token
-        return respond_with_access_token(request, logger) if request.path == options.access_token_path
-
-        # 5.  Accessing a Protected Resource
-        if request.authorization
-          # 5.1.1.  The Authorization Request Header Field
-          token = request.credentials if request.oauth?
-        else
-          # 5.1.2.  URI Query Parameter
-          # 5.1.3.  Form-Encoded Body Parameter
-          token = request.GET["oauth_token"] || request.POST["oauth_token"]
-        end
+        begin
+          # Use options.database if specified.
+          org_database, Server.database = Server.database, options.database || Server.database
+          logger = options.logger || env["rack.logger"]
 
-        if token
-          begin
-            access_token = AccessToken.from_token(token)
-            raise InvalidTokenError if access_token.nil? || access_token.revoked
-            raise ExpiredTokenError if access_token.expires_at && access_token.expires_at <= Time.now.utc
-            request.env["oauth.access_token"] = token
-            request.env["oauth.identity"] = access_token.identity
-            logger.info "Authorized #{access_token.identity}" if logger
-          rescue Error=>error
-            # 5.2.  The WWW-Authenticate Response Header Field
-            logger.info "HTTP authorization failed #{error.code}" if logger
-            return unauthorized(request, error)
-          rescue =>ex
-            logger.info "HTTP authorization failed #{ex.message}" if logger
-            return unauthorized(request)
+          # 3.  Obtaining End-User Authorization
+          # Flow starts here.
+          return request_authorization(request, logger) if request.path == options.authorize_path
+          # 4.  Obtaining an Access Token
+          return respond_with_access_token(request, logger) if request.path == options.access_token_path
+
+          # 5.  Accessing a Protected Resource
+          if request.authorization
+            # 5.1.1.  The Authorization Request Header Field
+            token = request.credentials if request.oauth?
+          elsif options.param_authentication && !request.GET["oauth_verifier"] # Ignore OAuth 1.0 callbacks
+            # 5.1.2.  URI Query Parameter
+            # 5.1.3.  Form-Encoded Body Parameter
+            token = request.GET["oauth_token"] || request.POST["oauth_token"]
           end
 
-          # We expect application to use 403 if request has insufficient scope,
-          # and return appropriate WWW-Authenticate header.
-          response = @app.call(env)
-          if response[0] == 403
-            scope = response[1]["oauth.no_scope"] || ""
-            scope = scope.join(" ") if scope.respond_to?(:join)
-            challenge = 'OAuth realm="%s", error="insufficient_scope", scope="%s"' % [(options.realm || request.host), scope]
-            return [403, { "WWW-Authenticate"=>challenge }, []]
-          else
-            return response
-          end
-        else
-          response = @app.call(env)
-          if response[1] && response[1]["oauth.no_access"]
-            # OAuth access required.
-            return unauthorized(request)
-          elsif response[1] && response[1]["oauth.authorization"]
-            # 3.  Obtaining End-User Authorization
-            # Flow ends here.
-            return authorization_response(response, logger)
+          if token
+            begin
+              access_token = AccessToken.from_token(token)
+              raise InvalidTokenError if access_token.nil? || access_token.revoked
+              raise ExpiredTokenError if access_token.expires_at && access_token.expires_at <= Time.now.utc
+              request.env["oauth.access_token"] = token
+              request.env["oauth.identity"] = access_token.identity
+              logger.info "Authorized #{access_token.identity}" if logger
+            rescue Error=>error
+              # 5.2.  The WWW-Authenticate Response Header Field
+              logger.info "HTTP authorization failed #{error.code}" if logger
+              return unauthorized(request, error)
+            rescue =>ex
+              logger.info "HTTP authorization failed #{ex.message}" if logger
+              return unauthorized(request)
+            end
+
+            # We expect application to use 403 if request has insufficient scope,
+            # and return appropriate WWW-Authenticate header.
+            response = @app.call(env)
+            if response[0] == 403
+              scope = response[1]["oauth.no_scope"] || ""
+              scope = scope.join(" ") if scope.respond_to?(:join)
+              challenge = 'OAuth realm="%s", error="insufficient_scope", scope="%s"' % [(options.realm || request.host), scope]
+              response[1]["WWW-Authenticate"] = challenge
+              return response
+            else
+              return response
+            end
           else
-            return response
+            response = @app.call(env)
+            if response[1] && response[1].delete("oauth.no_access")
+              # OAuth access required.
+              return unauthorized(request)
+            elsif response[1] && response[1]["oauth.authorization"]
+              # 3.  Obtaining End-User Authorization
+              # Flow ends here.
+              return authorization_response(response, logger)
+            else
+              return response
+            end
           end
+        ensure
+          Server.database = org_database
         end
-      ensure
-        Server.database = org_database
       end
 
     protected