rack-oauth2-server 2.0.0.beta → 2.0.0.beta2

data/CHANGELOG

@@ -1,4 +1,4 @@
-2010-11-15 version 2.0.0
+2010-11-16 version 2.0.0
 
 Major change: you are no longer able to get an access token with the scope if
 the client is not registered to have this scope. The global setting scopes is
@@ -7,6 +7,9 @@ clients, e.g. in mogno console:
 
   db.oauth2.clients.update({}, { $set: { scopes: ["read", "write"] } }, true, true)
 
+Rack::OAuth2::Server class methods get register -- for registering and updating
+client application record -- and get_token_for -- to obtain new/existing token.
+
 Web console now allows you to set/unset individual scopes for each client
 application.
 

data/README.rdoc

@@ -291,14 +291,27 @@ Programatically, registering a new client is as simple as:
 
   $ ./script/console
   Loading development environment (Rails 2.3.8)
-  > uber_client = Rack::OAuth2::Server::Client.create(:display_name=>"UberClient",
-     :link=>"http://uberclient.dot/",
+  > Rack::OAuth2::Server.register(:display_name=>"UberClient",
+     :link=>"http://example.com/",
      :image_url=>"http://farm5.static.flickr.com/4122/4890273282_58f7c345f4.jpg",
      :scopes=>%{read write},
-     :redirect_uri=>"http://uberclient.dot/oauth/callback")
+     :redirect_uri=>"http://example.com/oauth/callback")
   > puts "Your client identifier: #{client.id}"
   > puts "Your client secret: #{client.secret}"
 
+You may want your application to register its own client application, always
+with the same client ID and secret, which are also stored in a configuration
+file. For example, your +db/seed.rb+ may contain:
+
+  oauth2 = YAML.load_file(Rails.root + "config/oauth2.yml")
+  Rack::OAuth2::Server.register(id: oauth2["client_id"], secret: oauth2["client_secret"],
+    display_name: "UberClient", link: "http://example.com",
+    redirect_uri: "http://example.com/oauth/callback", scopes: oauth2["scopes"].split)
+
+When you call +register+ with +id+ and +secret+ parameters it either registers a
+new client with these specific ID and sceret, or if a client already exists,
+updates its other properties.
+
 
 === Step 6: Pimp Your API
 

data/VERSION

@@ -1 +1 @@
-2.0.0.beta
+2.0.0.beta2

data/lib/rack/oauth2/admin/js/sammy.oauth2.js

@@ -4,6 +4,11 @@
   // Sammy.OAuth2 is a plugin for using OAuth 2.0 to authenticate users and
   // access your application's API. Requires Sammy.Session.
   //
+  // Triggers the following events:
+  // - oauth.connected -- Access token set and ready to use
+  // - oauth.disconnected -- Access token reset
+  // - oauth.denied -- Authorization attempt rejected
+  //
   // ### Example
   // this.use(Sammy.Storage);
   // this.use(Sammy.OAuth2);
@@ -33,8 +38,8 @@
   //   context.redirect("#/");
   // });
   //
-  Sammy.OAuth2 = function(options) {
-    this.options  = options || {};
+  Sammy.OAuth2 = function(app) {
+    app.use(Sammy.JSON);
     this.authorize = "/oauth/authorize";
 
     // Use this on request that require OAuth token. You can use this in a
@@ -71,20 +76,20 @@
     // Stores the access token in the session.
     this.setAccessToken = function(token) {
       this.session("oauth.token", token);
+      this.trigger("oauth.connected");
     }
     // Lose access token: use this to sign out.
     this.loseAccessToken = function() {
       this.session("oauth.token", null);
+      this.trigger("oauth.disconnected");
     }
 
     // Add OAuth 2.0 access token to all XHR requests.
-    $(document).ajaxSend(function(oauth) {
-      return function(evt, xhr) {
-        var token = oauth.getAccessToken();
-        if (token)
-          xhr.setRequestHeader("Authorization", "OAuth " + token);
-      }
-    }(this));
+    $(document).ajaxSend(function(evt, xhr) {
+      var token = app.getAccessToken();
+      if (token)
+        xhr.setRequestHeader("Authorization", "OAuth " + token);
+    });
 
     // Converts query string parameters in fragment identifier to object.
     function parseParams(hash) {
@@ -101,6 +106,8 @@
     // redirection.
     this.bind("run", function(evt, params) {
       start_url = params.start_url || "#";
+      if (this.app.getAccessToken())
+        this.trigger("oauth.connected");
     });
 
     // Intercept OAuth authorization response with access token, stores it and

data/lib/rack/oauth2/models/access_grant.rb

@@ -53,7 +53,7 @@ module Rack
         # InvalidGrantError.
         def authorize!
           raise InvalidGrantError if self.access_token || self.revoked
-          access_token = AccessToken.get_token_for(identity, scope, client_id)
+          access_token = AccessToken.get_token_for(identity, client_id, scope)
           self.access_token = access_token.token
           self.granted_at = Time.now.utc.to_i
           self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)

data/lib/rack/oauth2/models/access_token.rb

@@ -15,7 +15,7 @@ module Rack
           end
 
           # Get an access token (create new one if necessary).
-          def get_token_for(identity, scope, client_id)
+          def get_token_for(identity, client_id, scope)
             scope = Utils.normalize_scopes(scope)
             client_id = BSON::ObjectId(client_id.to_s)
             unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client_id, :revoked=>nil })

data/lib/rack/oauth2/models/auth_request.rb

@@ -63,7 +63,7 @@ module Rack
             self.grant_code = access_grant.code
             self.class.collection.update({ :_id=>id, :revoked=>nil }, { :$set=>{ :grant_code=>access_grant.code, :authorized_at=>authorized_at } })
           else # Requested access token
-            access_token = AccessToken.get_token_for(identity, scope, client_id)
+            access_token = AccessToken.get_token_for(identity, client_id, scope)
             self.access_token = access_token.token
             self.class.collection.update({ :_id=>id, :revoked=>nil, :access_token=>nil }, { :$set=>{ :access_token=>access_token.token, :authorized_at=>authorized_at } })
           end

data/lib/rack/oauth2/models/client.rb

@@ -26,10 +26,16 @@ module Rack
           def create(args)
             redirect_uri = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
             scopes = Server::Utils.normalize_scopes(args[:scopes])
-            fields =  { :secret=>Server.secure_random, :display_name=>args[:display_name], :link=>args[:link],
+            fields =  { :display_name=>args[:display_name], :link=>args[:link],
                         :image_url=>args[:image_url], :redirect_uri=>redirect_uri, :scopes=>scopes,
                         :created_at=>Time.now.utc.to_i, :revoked=>nil }
-            fields[:_id] = collection.insert(fields)
+            if args[:id] && args[:secret]
+              fields[:_id], fields[:secret] = args[:id], args[:secret]
+              collection.insert(fields)
+            else
+              fields[:secret] = Server.secure_random
+              fields[:_id] = collection.insert(fields)
+            end
             Server.new_instance self, fields
           end
 

data/lib/rack/oauth2/server.rb

@@ -16,21 +16,85 @@ module Rack
 
       class << self
         # Return AuthRequest from authorization request handle.
+        #
+        # @param [String] authorization Authorization handle (e.g. from
+        # oauth.authorization)
+        # @return [AuthReqeust]
         def get_auth_request(authorization)
           AuthRequest.find(authorization)
         end
 
         # Returns Client from client identifier.
+        #
+        # @param [String] client_id Client identifier (e.g. from oauth.client.id)
+        # @return [Client]
         def get_client(client_id)
           Client.find(client_id)
         end
 
+        # Registers and returns a new Client. Can also be used to update
+        # existing client registration, by passing identifier (and secret) of
+        # existing client record. That way, your setup script can create a new
+        # client application and run repeatedly without fail. Also useful for
+        # adding new scopes to your existing client application.
+        #
+        # @param [Hash] args Arguments for registering client application
+        # @option args [String] :id Client identifier. Use this to update
+        # existing client registration (in combination wih secret)
+        # @option args [String] :secret Client secret. Use this to update
+        # existing client registration.
+        # @option args [String] :display_name Name to show when authorizing
+        # access (e.g.  "My Awesome Application")
+        # @option args [String] link Link to client application's Web site 
+        # @option args [String] image_url URL of image to show alongside display
+        # name.
+        # @option args [String] redirect_uri Redirect URL: authorization
+        # requests for this client will always redirect back to this URL.
+        # @option args [Array] scopes Scopes that client application can request
+        #
+        # @example Registering new client application
+        #   Server.register :display_name=>"My Application",
+        #     :link=>"http://example.com", :scopes=>%w{read write},
+        #     :redirect_uri=>"http://example.com/oauth/callback"
+        # @example Migration using configuration file
+        #   config = YAML.load_file(Rails.root + "config/oauth.yml")
+        #   Server.register config["id"], config["secret"],
+        #     :display_name=>"My  Application", :link=>"http://example.com",
+        #     :scopes=>config["scopes"],
+        #     :redirect_uri=>"http://example.com/oauth/callback"
+        def register(args)
+          if args[:id] && args[:secret] && (client = get_client(args[:id]))
+            fail "Client secret does not match" unless client.secret == args[:secret]
+            client.update args
+          else
+            Client.create(args)
+          end
+        end
+
         # Returns AccessToken from token.
+        #
+        # @param [String] token Access token (e.g. from oauth.access_token)
+        # @return [AccessToken]
         def get_access_token(token)
           AccessToken.from_token(token)
         end
 
+        # Returns AccessToken for the specified identity, client application and
+        # scopes. You can use this method to request existing access token, new
+        # token generated if one does not already exists.
+        #
+        # @param [String] identity Identity, e.g. user ID, account ID
+        # @param [String] client_id Client application identifier
+        # @param [String] scope Access scope (e.g. "read write")
+        # @return [AccessToken]
+        def get_token_for(identity, client_id, scope)
+          AccessToken.get_token_for(identity, client_id, scope)
+        end
+
         # Returns all AccessTokens for an identity.
+        #
+        # @param [String] identity Identity, e.g. user ID, account ID
+        # @return [Array<AccessToken>]
         def list_access_tokens(identity)
           AccessToken.from_identity(identity)
         end
@@ -267,7 +331,7 @@ module Rack
             requested_scope = Utils.normalize_scopes(request.POST["scope"])
             allowed_scopes = client.scopes
             raise InvalidScopeError unless (requested_scope - allowed_scopes).empty?
-            access_token = AccessToken.get_token_for(identity, requested_scope, client.id)
+            access_token = AccessToken.get_token_for(identity, client.id, requested_scope)
           else raise UnsupportedGrantType
           end
           logger.info "Access token #{access_token.token} granted to client #{client.display_name}, identity #{access_token.identity}" if logger

data/test/admin/api_test.rb

@@ -18,12 +18,12 @@ class AdminApiTest < Test::Unit::TestCase
 
 
   def without_scope
-    token = Server::AccessToken.get_token_for("Superman", "nobody", client.id)
+    token = Server.get_token_for("Superman", client.id, "nobody")
     header "Authorization", "OAuth #{token.token}"
   end
 
   def with_scope
-    token = Server::AccessToken.get_token_for("Superman", "oauth-admin", client.id)
+    token = Server.get_token_for("Superman", client.id, "oauth-admin")
     header "Authorization", "OAuth #{token.token}"
   end
 
@@ -149,7 +149,7 @@ class AdminApiTest < Test::Unit::TestCase
         tokens = []
         1.upto(10).map do |days|
           Timecop.travel -days*86400 do
-            tokens << Server::AccessToken.get_token_for("Superman", days.to_s, client.id)
+            tokens << Server.get_token_for("Superman", client.id, days.to_s)
           end
         end
         # Revoke one token today (within past 7 days), one 10 days ago (beyond)

data/test/oauth/access_token_test.rb

@@ -257,7 +257,7 @@ class AccessTokenTest < Test::Unit::TestCase
 
   context "list tokens" do
     setup do
-      @other = Rack::OAuth2::Server::AccessToken.get_token_for("foobar", "read", client.id).token
+      @other = Rack::OAuth2::Server.get_token_for("foobar", client.id, "read").token
       get "/list_tokens"
     end
 
@@ -273,23 +273,23 @@ class AccessTokenTest < Test::Unit::TestCase
 
   context "get_token_for" do
     should "return two different tokens for two different clients" do
-      myapp = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read write", "4cca30423321e895cb000001")
-      yourapp = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read write", "4fff30423321e895cb000001")
+      myapp = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
+      yourapp = Rack::OAuth2::Server.get_token_for("Batman", "4fff30423321e895cb000001", "read write")
       assert myapp.token != yourapp.token
     end
     should "return two different tokens for two different identities" do
-      me = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read write", "4cca30423321e895cb000001")
-      you = Rack::OAuth2::Server::AccessToken.get_token_for("Robin", "read write", "4cca30423321e895cb000001")
+      me = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
+      you = Rack::OAuth2::Server.get_token_for("Robin", "4cca30423321e895cb000001", "read write")
       assert me.token != you.token
     end
     should "return two different tokens for two different scope" do
-      write = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read write", "4cca30423321e895cb000001")
-      math = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read math", "4cca30423321e895cb000001")
+      write = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write")
+      math = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read math")
       assert write.token != math.token
     end
     should "return same tokens regardless of order of scope" do
-      one = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "read write math", "4cca30423321e895cb000001")
-      two = Rack::OAuth2::Server::AccessToken.get_token_for("Batman", "math write read", "4cca30423321e895cb000001")
+      one = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "read write math")
+      two = Rack::OAuth2::Server.get_token_for("Batman", "4cca30423321e895cb000001", "math write read")
       assert_equal one.token, two.token
     end
   end

data/test/oauth/server_test.rb

@@ -0,0 +1,203 @@
+require "test/setup"
+
+
+# Tests the Server API
+class ServerTest < Test::Unit::TestCase
+  def setup
+    super
+  end
+
+  context "get_auth_request" do
+    setup { @request = Server::AuthRequest.create(client.id, client.scopes.join(" "), client.redirect_uri, "token", nil) }
+    should "return authorization request" do
+      assert_equal @request.id, Server.get_auth_request(@request.id).id
+    end
+
+    should "return nil if no request found" do
+      assert !Server.get_auth_request("4ce2488e3321e87ac1000004")
+    end
+  end
+
+
+  context "get_client" do
+    should "return authorization request" do
+      assert_equal client.display_name, Server.get_client(client.id).display_name
+    end
+
+    should "return nil if no client found" do
+      assert !Server.get_client("4ce2488e3321e87ac1000004")
+    end
+  end
+
+
+  context "register" do
+    context "no client ID" do
+      setup do
+        @client = Server.register(:display_name=>"MyApp", :link=>"http://example.org", :image_url=>"http://example.org/favicon.ico",
+                                  :redirect_uri=>"http://example.org/oauth/callback", :scopes=>%w{read write})
+      end
+
+      should "create new client" do
+        assert_equal 2, Server::Client.collection.count
+        assert_contains Server::Client.all.map(&:id), @client.id
+      end
+
+      should "set display name" do
+        assert_equal "MyApp", Server.get_client(@client.id).display_name
+      end
+
+      should "set link" do
+        assert_equal "http://example.org", Server.get_client(@client.id).link
+      end
+
+      should "set image URL" do
+        assert_equal "http://example.org/favicon.ico", Server.get_client(@client.id).image_url
+      end
+
+      should "set redirect URI" do
+        assert_equal "http://example.org/oauth/callback", Server.get_client(@client.id).redirect_uri
+      end
+
+      should "set scopes" do
+        assert_equal %w{read write}, Server.get_client(@client.id).scopes
+      end
+
+      should "assign client an ID" do
+        assert_match /[0-9a-f]{24}/, @client.id.to_s
+      end
+
+      should "assign client a secret" do
+        assert_match /[0-9a-f]{64}/, @client.secret
+      end
+    end
+
+    context "with client ID" do
+
+      context "no such client" do
+        setup do
+          @client = Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+        end
+
+        should "create new client" do
+          assert_equal 2, Server::Client.collection.count
+        end
+
+        should "should assign it the client identifier" do
+          assert_equal "4ce24c423321e88ac5000015", @client.id
+        end
+
+        should "should assign it the client secret" do
+          assert_equal "foobar", @client.secret
+        end
+
+        should "should assign it the other properties" do
+          assert_equal "MyApp", @client.display_name
+        end
+      end
+
+      context "existing client" do
+        setup do
+          Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+          @client = Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"Rock Star")
+        end
+
+        should "not create new client" do
+          assert_equal 2, Server::Client.collection.count
+        end
+
+        should "should not change the client identifier" do
+          assert_equal "4ce24c423321e88ac5000015", @client.id
+        end
+
+        should "should not change the client secret" do
+          assert_equal "foobar", @client.secret
+        end
+
+        should "should change all the other properties" do
+          assert_equal "Rock Star", @client.display_name
+        end
+      end
+
+      context "secret mismatch" do
+        setup do
+          Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+        end
+
+        should "raise error" do
+          Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"wrong", :display_name=>"MyApp")
+        end
+      end
+
+    end
+  end
+
+  
+  context "get_access_token" do
+    setup { @token = Server.get_token_for("Batman", client.id, %w{read}).token }
+    should "return authorization request" do
+      assert_equal @token, Server.get_access_token(@token).token
+    end
+
+    should "return nil if no client found" do
+      assert !Server.get_access_token("4ce2488e3321e87ac1000004")
+    end
+  end
+
+
+  context "get_token_for" do
+    setup { @token = Server.get_token_for("Batman", client.id, %w{read write}) }
+
+    should "return access token" do
+      assert Server::AccessToken === @token
+    end
+
+    should "associate token with client" do
+      assert_equal client.id, @token.client_id
+    end
+
+    should "associate token with identity" do
+      assert_equal "Batman", @token.identity
+    end
+
+    should "associate token with scope" do
+      assert_equal %w{read write}, @token.scope
+    end
+
+    should "return same token for same parameters" do
+      assert_equal @token.token, Server.get_token_for("Batman", client.id, %w{write read}).token
+    end
+
+    should "return different token for different identity" do
+      assert @token.token != Server.get_token_for("Superman", client.id, %w{read write}).token
+    end
+
+    should "return different token for different client" do
+      client = Server.register(:display_name=>"MyApp")
+      assert @token.token != Server.get_token_for("Batman", client.id, %w{read write}).token
+    end
+
+    should "return different token for different scope" do
+      assert @token.token != Server.get_token_for("Batman", client.id, %w{read}).token
+    end
+  end
+
+
+  context "list access tokens" do
+    setup do
+      @one = Server.get_token_for("Batman", client.id, %w{read})
+      @two = Server.get_token_for("Superman", client.id, %w{read})
+      @three = Server.get_token_for("Batman", client.id, %w{write})
+    end
+
+    should "return all tokens for identity" do
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @one.token
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @three.token
+    end
+
+    should "not return tokens for other identities" do
+      assert !Server.list_access_tokens("Batman").map(&:token).include?(@two.token)
+    end
+
+  end
+
+end