rack-oauth2-server 1.3.0 → 1.3.1

data/CHANGELOG

@@ -1,3 +1,13 @@
+2010-11-07 version 1.3.1
+
+Added command line tool, helps you get started and setup:
+  $ oauth2-server setup --db my_db
+
+Added a touch of color to the UI and ability to delete a client.
+
+You can not sign out of the Web console.
+
+
 2010-11-07 version 1.3.0
 
 Added OAuth authorization console.

data/Gemfile

@@ -15,6 +15,5 @@ group :test do
   gem "rails", "~>2.3"
   gem "shoulda"
   gem "sinatra"
-  gem "therubyracer", "~>0.8.0.pre"
   gem "timecop"
 end

data/README.rdoc

@@ -281,7 +281,13 @@ Clients can also register a redirect URL. This is optional but highly
 recommended for better security, preventing other applications from hijackin
 the client's ID/secret.
 
-For example:
+You can register clients using the command line tool +oauth2-server+:
+
+  $ oauth2-server register --db my_db
+
+Or you can register clients using the Web-based OAuth console, see below.
+
+Programatically, registering a new client is as simple as:
 
   $ ./script/console
   Loading development environment (Rails 2.3.8)
@@ -332,6 +338,10 @@ when making POST request, as a form field:
   $ curl -i http://localhost:3000/api/read?oauth_token=e57807eb99f8c29f60a27a75a80fec6e
   $ curl -i http://localhost:3000/api/update -F name=Superman -F oauth_token=e57807eb99f8c29f60a27a75a80fec6e
 
+You'll need to set the option +param_authentication+ to true. Watch out, since
+this query parameter could conflict with OAuth 1.0 authorization responses that
+also use +oauth_token+ for a different purpose.
+
 Here's a neat trick. You can create a +.curlrc+ file and load it using the +-K+ option:
 
   $ cat .curlrc
@@ -344,6 +354,67 @@ server you +curl+. Useful for development, testing, just don't use it with any
 production access tokens.
 
 
+== OAuth Web Console
+
+We haz it, and it's pretty rad:
+
+http://github.com/downloads/flowtown/rack-oauth2-server/OAuth%20Console%20-%20All%20Clients.png
+
+To get the console running, you'll need to do the following. First, you'll need
+to register a new client application that can access the OAuth console, with a
+redirect_uri that points to where you plan the Web console to live. This URL
+must end with "/admin", for example, "http://example.com/oauth/admin".
+
+The easiest way to do this is to run the +oauth2-sever+ command line tool:
+
+  $ oauth2-server setup --db my_db
+
+Next, in your application, make sure to ONLY AUTHORIZE ADMINISTRATORS to access
+the console, by granting them access to the +oauth-admin+ scope. For example:
+
+  def authorize
+    # Only admins allowed to authorize the scope oauth-admin
+    if oauth.scope.include?("oauth-admin") && !current_user.admin?
+      oauth.deny! oauth.authorization
+    end
+  end
+
+Make sure you do that, or you'll allow anyone access to the OAuth Web console.
+
+Next, mount the OAuth Web console as part of your application, and feed it the
+client ID/secret. For example, for Rails add this to +config/environment.rb+:
+
+  Rails::Initializer.run do |config|
+    . . .
+    config.middleware.use Rack::OAuth2::Server::Admin.mount
+    Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
+    Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
+  end
+
+For Sinatra, Padrino and other Rack-based applications, you'll want to mount
+like so (e.g. in +config.ru+):
+
+  Rack::Builder.new do
+    map("/oauth/admin") { run Rack::OAuth2::Server::Admin }
+    map("/") { run MyApp }
+  end
+  Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
+  Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
+
+Next, open your browser to http://example.com/oauth/admin, or wherever you
+mounted the console.
+
+The OAuth Web console is a single-page client application that operates by
+accessing the OAuth API. The API is mounted at /oauth/admin/api (basically /api
+relative to the console), you can access it yourself if you have an access
+token with the scope +oauth-admin+.
+
+To get the access token, the console first redirects you to the path
++/oauth/authorize+, which it expects to be the OAuth 2.0 authorization
+endpoint. If you need to use a different endpoint, simply set the :authorize
+option to that URL.
+
+
 == Mandatory ASCII Diagram
 
 This is briefly what the authorization flow looks like, how the workload is

data/VERSION

@@ -1 +1 @@
-1.3.0
+1.3.1

data/bin/oauth2-server

@@ -0,0 +1,107 @@
+#!/usr/bin/env ruby
+$LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/../lib')
+require "rack/oauth2/models"
+require "uri"
+include Rack::OAuth2
+
+
+if (i = ARGV.index("--db")) && ARGV[i+1]
+  url = ARGV[i + 1]
+  uri = URI.parse(url)
+  uri = URI.parse("mongo://#{url}") if uri.opaque
+  db = uri.path.sub(/^\//, "")
+  conn = Mongo::Connection.new(uri.host, uri.port)
+  coon.add_auth db, uri.user, uri.password if uri.user
+  Server.database = conn[db]
+  ARGV[i,2] = []
+end
+
+
+case ARGV[0]
+when "list"
+  fail "No database. Use the --db option to tell us which database to use" unless Server.database
+  Server::Client.all.each do |client|
+    next if client.revoked
+    print "%-30s\t%s\n" % [client.display_name, client.link]
+    print "  ID %s\tSecret %s\n" % [client.id, client.secret]
+    print "\n"
+  end
+when "register"
+  fail "No database. Use the --db option to tell us which database to use" unless Server.database
+  begin
+    print "Application name:\t"
+    display_name = $stdin.gets
+    print "Application URL:\t"
+    link = $stdin.gets
+    print "Redirect URI:\t\t"
+    redirect_uri = $stdin.gets
+    client = Server::Client.create(:display_name=>display_name, :link=>link, :redirect_uri=>redirect_uri)
+  rescue
+    puts "\nFailed to register client: #{$1}"
+    exit -1
+  end
+  puts "Registered #{client.display_name}"
+  puts "ID\t#{client.id}"
+  puts "Secret\t#{client.secret}"
+when "setup"
+  fail "No database. Use the --db option to tell us which database to use" unless Server.database
+  puts "Where would you mount the Web console? This is a URL that must end with /admin,"
+  puts "for example, http://example.com/oauth/admin"
+  uri = URI.parse($stdin.gets)
+  begin
+    uri.normalize!
+    fail "No an HTTP/S URL" unless uri.absolute? && %{http https}.include?(uri.scheme)
+    fail "Path must end with /admin" unless uri.path[/\/admin$/]
+    client = Server::Client.create(:display_name=>"OAuth Console", :link=>uri.to_s,
+                                   :image_url=>"#{uri.to_s}/images/oauth-2.png", :redirect_uri=>uri.to_s)
+  rescue
+    puts "\nFailed to register client: #{$!}"
+    exit -1
+  end
+  print <<-TEXT
+Make sure you ONLY authorize administrators to use the oauth-admin scope.
+For example:
+
+  def authorize
+    # Only admins allowed to authorize the scope oauth-admin
+    if oauth.scope.include?("oauth-admin") && !current_user.admin?
+      oauth.deny! oauth.authorization
+    end
+  end
+
+Rails 2.x, add the following to config/environment.rb:
+
+  config.middleware.use Rack::OAuth2::Server::Admin.mount "#{uri.path}"
+  Rack::OAuth2::Server::Admin.set :client_id, "#{client.id}"
+  Rack::OAuth2::Server::Admin.set :client_secret, "#{client.secret}"
+
+Sinatra, Padrino and other Rack applications, mount the console:
+
+  Rack::Builder.new do
+    map("#{uri.path}") { run Rack::OAuth2::Server::Admin }
+    map("/") { run MyApp }
+  end
+  Rack::OAuth2::Server::Admin.set :client_id, "#{client.id}"
+  Rack::OAuth2::Server::Admin.set :client_secret, "#{client.secret}"
+
+The console will authorize access by redirecting to
+  https://#{uri.host}/oauth/authorize
+
+If this is not your OAuth 2.0 authorization endpoint, you can change it by
+setting the :authorize option.
+  TEXT
+else
+  print <<-TEXT
+Usage: oauth2-server [options] COMMAND [args]
+
+Commands:
+  list            Lists all active clients
+  register        Register a new client application
+  setup           Create new admin account and help you
+                  setup the OAuth Web console
+
+Options:
+  --db database   Database name or connection URL
+  TEXT
+  exit -1
+end

data/lib/rack/oauth2/admin/css/screen.css

@@ -1,5 +1,9 @@
+html {
+  background: #eee;
+}
 body {
   margin: 0;
+  padding: 0;
   width: 100%;
   font: 12pt "Helvetica", "Lucida Sans", "Verdana";
 }
@@ -75,20 +79,45 @@ button:active { background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(0
 }
 
 #header {
-  margin: 0 2em;
+  margin: 0;
+  padding: 2em;
+  background: #fff;
+  background: -webkit-gradient(linear, left top, left bottom, from(#ccf), to(#fff));
+  background: -moz-linear-gradient(top,  #ccf,  #fff);
 }
 #header .title {
-  font-size: 1.4em;
+  font-size: 18pt;
   font-weight: bold;
-  color: #000;
-  text-decoration: none;
-  margin: 0.6em 0;
   display: block;
   text-align: right;
+  line-height: 32px;
+}
+#header .title a {
+  color: #000;
+  text-decoration: none;
+}
+#header .title img {
+  width: 32px;
+  height: 32px;
+  vertical-align: bottom;
+}
+#header .signout {
+  float: right;
+  font-size: 11pt;
 }
 
 #main {
-  margin: 0 2em;
+  padding: 0 2em 4em 2em;
+  background: #fff;
+}
+#footer {
+  background: #eee;
+  background: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#eee));
+  background: -moz-linear-gradient(top,  #fff,  #eee);
+  color: #666;
+  border-top: 1px solid transparent;
+  font-size: 90%;
+  padding: 0 2em 2em 2em;
 }
 
 table {
@@ -97,6 +126,7 @@ table {
   empty-cells: show;
   border-collapse: separate;
   border-spacing: 0px;
+  margin-top: 2em;
 }
 table th {
   text-align: left;
@@ -177,7 +207,7 @@ table.tokens td.scope {
 
 .badges {
   list-style: none;
-  margin: 1.1em 0;
+  margin:  0;
   padding: 0;
   text-align: right;
   width: 100%;
@@ -211,13 +241,19 @@ table.tokens td.scope {
   height: 24px;
   vertical-align: bottom;
 }
-.client .details a[rel=edit] {
-  margin: 0 0.3em 0 1em;
+.client .details a {
+  margin: 0 0.3em 0 0;
 }
 .client .details .meta {
   color: #888;
   font-size: 10pt;
 }
+
+.client.new, .client.edit {
+  margin: 0;
+  padding: 1em;
+  border: 1px solid #eee;
+}
 .client.new>#image, .client.edit>#image {
   float: left;
   margin: 0 12px 0 0;

data/lib/rack/oauth2/admin/js/application.js

@@ -64,6 +64,20 @@ Sammy("#main", function(app) {
       }
     })
   });
+  // Delete/revoke client
+  this.del("#/client/:id", function(context) {
+    $.ajax({ type: "post", url: api + "/client/" + context.params.id,
+      data: { _method: "delete" },
+      success: function() { context.redirect("#/") }
+    });
+  });
+  this.post("#/client/:id/revoke", function(context) {
+    $.post(api + "/client/" + context.params.id + "/revoke", function() { app.refresh() });
+  });
+  // Revoke token
+  this.post("#/token/:id/revoke", function(context) {
+    $.post(api + "/token/" + context.params.id + "/revoke", function() { app.refresh() });
+  });
   // View single client
   this.get("#/client/:id", function(context) {
     $.getJSON(api + "/client/" + context.params.id, function(client) {
@@ -101,29 +115,22 @@ Sammy("#main", function(app) {
       }
     });
   });
+  // Signout
+  this.get("#/signout", function(context) {
+    app.session("oauth.token", null);
+    context.redirect(document.location.protocol + "//" + document.location.host);
+  });
 
-  // Client/token revoke buttons do this.
-  $("a[data-method=post]").live("click", function(evt) {
+  // Links that use forms for various methods (i.e. post, delete).
+  $("a[data-method]").live("click", function(evt) {
     evt.preventDefault();
     var link = $(this);
     if (link.attr("data-confirm") && !confirm(link.attr("data-confirm")))
-      return;
-    $.post(link.attr("href"), function(success) {
-      app.trigger("notice", "Revoked!");
-      app.refresh();
-    });
-  });
-  // Link to reveal/hide client ID/secret
-  $("td.secrets a[rel=toggle]").live("click", function(evt) {
-    evt.preventDefault();
-    var dl = $(this).next("dl");
-    if (dl.is(":visible")) {
-      $(this).html("Reveal");
-      dl.hide();
-    } else {
-      $(this).html("Hide");
-      dl.show();
-    }
+      return fasle;
+    var method = link.attr("data-method") || "get",
+        form = $("<form>", { style: "display:none", method: method, action: link.attr("href") });
+    app.$element().append(form);
+    form.submit();
   });
   // Error/notice at top of screen
   var noticeTimeout;

data/lib/rack/oauth2/admin/views/client.tmpl

@@ -3,8 +3,9 @@
     <a href="${link}" class="name">{{if imageUrl}}<img src="${imageUrl}">{{/if}} ${displayName}</a>
     <a href="#/client/${id}/edit" rel="edit">Edit</a>
     {{if !revoked}}
-      <a href="${revoke}" data-method="post" data-confirm="There is no undo. Are you really really sure?" rel="revoke">Revoke</a>
+      <a href="#/client/${id}/revoke" data-method="post" data-confirm="There is no undo. Are you really really sure?" rel="revoke">Revoke</a>
     {{/if}}
+    <a href="#/client/${id}" data-method="delete" data-confirm="There is no undo. Are you really really sure?" rel="delete">Delete</a>
     <div class="meta">
       Created {{html $.shortdate(revoked)}}
       {{if revoked}}Revoked {{html $.shortdate(revoked)}}{{/if}}
@@ -34,7 +35,7 @@
           {{if revoked}}
             {{html $.shortdate(revoked)}}
           {{else}}
-            <a href="${revoke}" data-method="post" data-confirm="Are you sure?" rel="revoke">Revoke</a>
+            <a href="#/token/${token}/revoke" data-method="post" data-confirm="Are you sure?" rel="revoke">Revoke</a>
           {{/if}}
         </td>
       </tr>

data/lib/rack/oauth2/admin/views/clients.tmpl

@@ -17,7 +17,7 @@
       <td class="name">
         <a href="#/client/${id}">
           {{if imageUrl}}<img src="${imageUrl}">{{/if}}
-          ${displayName}
+          ${displayName.trim() == "" ? "untitled" : displayName}
         </a>
       </td>
       <td class="secrets">
@@ -34,3 +34,16 @@
     {{/each}}
   </table>
 </div>
+<script type="text/javascript">
+  $("td.secrets a[rel=toggle]").click(function(evt) {
+    evt.preventDefault();
+    var dl = $(this).next("dl");
+    if (dl.is(":visible")) {
+      $(this).html("Reveal");
+      dl.hide();
+    } else {
+      $(this).html("Hide");
+      dl.show();
+    }
+  });
+</script>

data/lib/rack/oauth2/admin/views/index.html

@@ -12,11 +12,20 @@
     <script src="admin/js/sammy.title.js" type="text/javascript"></script>
     <script src="admin/js/underscore.js" type="text/javascript"></script>
     <script src="admin/js/application.js" type="text/javascript"></script>
+    <link rel="shortcut icon" href="admin/images/oauth-2.png">
   </head>
   <body>
     <div id="notice" style="display:none"></div>
-    <div id="header"><a href="#/" class="title">OAuth Console</a></div>
+    <div id="header">
+      <div class="title">
+        <a href="#/"><img src="admin/images/oauth-2.png"> OAuth Console</a>
+      </div>
+      <a href="#/signout" class="signout">Sign out</a>
+    </div>
     <div id="main"></div>
+    <div id="footer">
+      <p>Powered by <a href="http://github.com/flowtown/rack-oauth2-server">Rack::OAuth2::Server</a></p>
+    </div>
     <script>
       var loading = new Image();
       loading.src = "admin/images/loading.gif";