rack-oauth2-server 2.0.0.beta4 → 2.0.0.beta5

data/CHANGELOG

@@ -1,4 +1,4 @@
-2010-11-16 version 2.0.0
+2010-11-18 version 2.0.0
 
 MAJOR CHANGE:
 Keeping with OAuth 2.0 spec terminology, we'll call it scope all around. Some

data/README.rdoc

@@ -332,7 +332,7 @@ I'll let you figure that one for yourself.
 
 We haz it, and it's pretty rad:
 
-http://github.com/downloads/flowtown/rack-oauth2-server/OAuth%20Console%20-%20All%20Clients.png
+http://labnotes.org/wp-content/uploads/2010/11/OAuth-Admin-All-Clients.png
 
 To get the Web admin running, you'll need to do the following. First, you'll
 need to register a new client application that can access the OAuth Web admin,
@@ -479,6 +479,30 @@ server you +curl+. Useful for development, testing, just don't use it with any
 production access tokens.
 
 
+== Methods You'll Want To Use From Your App
+
+You can use the Server module to create, fetch and otherwise work with access
+tokens and grants. Available methods include:
+
+- access_grant -- Creates and returns a new access grant. You can use that for
+  one-time token, e.g. users who forgot their password and need to login using
+  an email message.
+- token_for -- Returns access token for particular identity. You can use that to
+  give access tokens to clients other than through the OAuth 2.0 protocol, e.g.
+  if you let users authenticate using Facebook Connect or Twitter OAuth.
+- get_access_token -- Resolves access token (string) into access token
+  (AccessToken object).
+- list_access_tokens -- Returns all access tokens for a given identity, which
+  you'll need if you offer a UI for uses to review and revoke access tokens they
+  previously granted.
+- get_client -- Resolves client identifier into a Client object.
+- register -- Registers a new client application. Can also be used to change
+  existing registration (if you know the client's ID and secret). Idempotent, so
+  perfect for running during setup and migration.
+- get_auth_request -- Resolves authorization request handle into an AuthRequest
+  object. Could be useful during the authorization flow.
+
+
 == Mandatory ASCII Diagram
 
 This is briefly what the authorization flow looks like, how the workload is

data/VERSION

@@ -1 +1 @@
-2.0.0.beta4
+2.0.0.beta5

data/lib/rack/oauth2/models/access_grant.rb

@@ -12,11 +12,13 @@ module Rack
           end
 
           # Create a new access grant.
-          def create(identity, client, scope, redirect_uri = nil)
+          def create(identity, client, scope, redirect_uri = nil, expires = nil)
             scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
+            expires_at = Time.now.to_i + (expires || 300)
             fields = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
                        :client_id=>client.id, :redirect_uri=>client.redirect_uri || redirect_uri,
-                       :created_at=>Time.now.utc.to_i, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
+                       :created_at=>Time.now.to_i, :expires_at=>expires_at, :granted_at=>nil,
+                       :access_token=>nil, :revoked=>nil }
             collection.insert fields
             Server.new_instance self, fields
           end
@@ -41,6 +43,8 @@ module Rack
         attr_reader :created_at
         # Tells us when (and if) access token was created.
         attr_accessor :granted_at
+        # Tells us when this grant expires.
+        attr_accessor :expires_at
         # Access token created from this grant. Set and spent.
         attr_accessor :access_token
         # Timestamp if revoked.
@@ -57,7 +61,7 @@ module Rack
           client = Client.find(client_id) or raise InvalidGrantError
           access_token = AccessToken.get_token_for(identity, client, scope)
           self.access_token = access_token.token
-          self.granted_at = Time.now.utc.to_i
+          self.granted_at = Time.now.to_i
           self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)
           reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
           raise InvalidGrantError unless reload && reload["access_token"] == access_token.token
@@ -65,7 +69,7 @@ module Rack
         end
 
         def revoke!
-          self.revoked = Time.now.utc.to_i
+          self.revoked = Time.now.to_i
           self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>revoked } })
         end
 

data/lib/rack/oauth2/models/access_token.rb

@@ -19,7 +19,7 @@ module Rack
             scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
             unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client.id, :revoked=>nil })
               token = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope,
-                        :client_id=>client.id, :created_at=>Time.now.utc.to_i,
+                        :client_id=>client.id, :created_at=>Time.now.to_i,
                         :expires_at=>nil, :revoked=>nil }
               collection.insert token
             end
@@ -48,7 +48,7 @@ module Rack
           def count(filter = {})
             select = {}
             if filter[:days]
-              now = Time.now.utc.to_i
+              now = Time.now.to_i
               range = { :$gt=>now - filter[:days] * 86400, :$lte=>now }
               select[ filter[:revoked] ? :revoked : :created_at ] = range
             elsif filter.has_key?(:revoked)
@@ -93,7 +93,7 @@ module Rack
 
         # Revokes this access token.
         def revoke!
-          self.revoked = Time.now.utc.to_i
+          self.revoked = Time.now.to_i
           AccessToken.collection.update({ :_id=>token }, { :$set=>{ :revoked=>revoked } })
         end
         

data/lib/rack/oauth2/models/auth_request.rb

@@ -21,7 +21,7 @@ module Rack
             fields = { :client_id=>client.id, :scope=>scope, :redirect_uri=>client.redirect_uri || redirect_uri,
                        :response_type=>response_type, :state=>state,
                        :grant_code=>nil, :authorized_at=>nil,
-                       :created_at=>Time.now.utc.to_i, :revoked=>nil }
+                       :created_at=>Time.now.to_i, :revoked=>nil }
             fields[:_id] = collection.insert(fields)
             Server.new_instance self, fields
           end
@@ -60,7 +60,7 @@ module Rack
           raise ArgumentError, "Must supply a identity" unless identity
           return if revoked
           client = Client.find(client_id) or return
-          self.authorized_at = Time.now.utc.to_i
+          self.authorized_at = Time.now.to_i
           if response_type == "code" # Requested authorization code
             access_grant = AccessGrant.create(identity, client, scope, redirect_uri)
             self.grant_code = access_grant.code
@@ -75,7 +75,7 @@ module Rack
 
         # Deny access.
         def deny!
-          self.authorized_at = Time.now.utc.to_i
+          self.authorized_at = Time.now.to_i
           self.class.collection.update({ :_id=>id }, { :$set=>{ :authorized_at=>authorized_at } })
         end
 

data/lib/rack/oauth2/models/client.rb

@@ -30,7 +30,7 @@ module Rack
             fields =  { :display_name=>args[:display_name], :link=>args[:link],
                         :image_url=>args[:image_url], :redirect_uri=>redirect_uri,
                         :nodes=>args[:notes].to_s, :scope=>scope,
-                        :created_at=>Time.now.utc.to_i, :revoked=>nil }
+                        :created_at=>Time.now.to_i, :revoked=>nil }
             if args[:id] && args[:secret]
               fields[:_id], fields[:secret] = BSON::ObjectId(args[:id].to_s), args[:secret]
               collection.insert(fields, :safe=>true)
@@ -95,7 +95,7 @@ module Rack
         # Revoke all authorization requests, access grants and access tokens for
         # this client. Ward off the evil.
         def revoke!
-          self.revoked = Time.now.utc.to_i
+          self.revoked = Time.now.to_i
           Client.collection.update({ :_id=>id }, { :$set=>{ :revoked=>revoked } })
           AuthRequest.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
           AccessGrant.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })

data/lib/rack/oauth2/server/errors.rb

@@ -42,8 +42,8 @@ module Rack
       # assertion, expired authorization token, bad end-user password credentials,
       # or mismatching authorization code and redirection URI).
       class InvalidGrantError < OAuthError
-        def initialize
-          super :invalid_grant, "This access grant is no longer valid."
+        def initialize(message)
+          super :invalid_grant, message || "This access grant is no longer valid."
         end
       end
 

data/lib/rack/oauth2/server/railtie.rb

@@ -8,11 +8,10 @@ module Rack
       # Rails 3.x integration.
       class Railtie < ::Rails::Railtie # :nodoc:
         config.oauth = Server::Options.new
-        config.oauth.logger = ::Rails.logger
 
         initializer "rack-oauth2-server" do |app|
-          #app.config.extend ::Rack::OAuth2::Rails::Configuration
           app.middleware.use ::Rack::OAuth2::Server, app.config.oauth
+          config.oauth.logger ||= ::Rails.logger
           class ::ActionController::Base
             helper ::Rack::OAuth2::Rails::Helpers
             include ::Rack::OAuth2::Rails::Helpers

data/lib/rack/oauth2/server.rb

@@ -79,10 +79,12 @@ module Rack
         # @param [String] identity User ID, account ID, etc
         # @param [String] client_id Client identifier
         # @param [Array, nil] scope Array of string, nil if you want 'em all
+        # @param [Integer, nil] expires How many seconds before access grant
+        # expires (default to 5 minutes)
         # @return [String] Access grant authorization code
-        def access_grant(identity, client_id, scope = nil)
+        def access_grant(identity, client_id, scope = nil, expires = nil)
           client = get_client(client_id) or fail "No such client"
-          AccessGrant.create(identity, client, scope || client.scope).code
+          AccessGrant.create(identity, client, scope || client.scope, nil, expires).code
         end
 
         # Returns AccessToken from token.
@@ -191,16 +193,16 @@ module Rack
             begin
               access_token = AccessToken.from_token(token)
               raise InvalidTokenError if access_token.nil? || access_token.revoked
-              raise ExpiredTokenError if access_token.expires_at && access_token.expires_at <= Time.now.utc
+              raise ExpiredTokenError if access_token.expires_at && access_token.expires_at <= Time.now.to_i
               request.env["oauth.access_token"] = token
               request.env["oauth.identity"] = access_token.identity
-              logger.info "Authorized #{access_token.identity}" if logger
+              logger.info "RO2S: Authorized #{access_token.identity}" if logger
             rescue OAuthError=>error
               # 5.2.  The WWW-Authenticate Response Header Field
-              logger.info "HTTP authorization failed #{error.code}" if logger
+              logger.info "RO2S: HTTP authorization failed #{error.code}" if logger
               return unauthorized(request, error)
             rescue =>ex
-              logger.info "HTTP authorization failed #{ex.message}" if logger
+              logger.info "RO2S: HTTP authorization failed #{ex.message}" if logger
               return unauthorized(request)
             end
 
@@ -246,13 +248,13 @@ module Rack
           if request.GET["authorization"]
             auth_request = self.class.get_auth_request(request.GET["authorization"]) rescue nil
             if !auth_request || auth_request.revoked
-              logger.error "Invalid authorization request #{auth_request}" if logger
+              logger.error "RO2S: Invalid authorization request #{auth_request}" if logger
               return bad_request("Invalid authorization request")
             end
             response_type = auth_request.response_type # Needed for error handling
             client = self.class.get_client(auth_request.client_id)
             # Pass back to application, watch for 403 (deny!)
-            logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope.join(" ")}" if logger
+            logger.info "RO2S: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope.join(" ")}" if logger
             request.env["oauth.authorization"] = auth_request.id.to_s
             response = @app.call(request.env)
             raise AccessDeniedError if response[0] == 403
@@ -264,7 +266,7 @@ module Rack
             begin
               redirect_uri = Utils.parse_redirect_uri(request.GET["redirect_uri"])
             rescue InvalidRequestError=>error
-              logger.error "Authorization request with invalid redirect_uri: #{request.GET["redirect_uri"]} #{error.message}" if logger
+              logger.error "RO2S: Authorization request with invalid redirect_uri: #{request.GET["redirect_uri"]} #{error.message}" if logger
               return bad_request(error.message)
             end
 
@@ -284,7 +286,7 @@ module Rack
             return [303, { "Location"=>uri.to_s }, ["You are being redirected"]]
           end
         rescue OAuthError=>error
-          logger.error "Authorization request error: #{error.code} #{error.message}" if logger
+          logger.error "RO2S: Authorization request error #{error.code}: #{error.message}" if logger
           params = { :error=>error.code, :error_description=>error.message, :state=>state }
           if response_type == "token"
             redirect_uri.fragment = Rack::Utils.build_query(params)
@@ -311,20 +313,20 @@ module Rack
         # 3.1.  Authorization Response
         if auth_request.response_type == "code"
           if auth_request.grant_code
-            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
+            logger.info "RO2S: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
             params = { :code=>auth_request.grant_code, :scope=>auth_request.scope.join(" "), :state=>auth_request.state }
           else
-            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
+            logger.info "RO2S: Client #{auth_request.client_id} denied authorization" if logger
             params = { :error=>:access_denied, :state=>auth_request.state }
           end
           params = Rack::Utils.parse_query(redirect_uri.query).merge(params)
           redirect_uri.query = Rack::Utils.build_query(params)
         else # response type if token
           if auth_request.access_token
-            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access token #{auth_request.access_token}" if logger
+            logger.info "RO2S: Client #{auth_request.client_id} granted access token #{auth_request.access_token}" if logger
             params = { :access_token=>auth_request.access_token, :scope=>auth_request.scope.join(" "), :state=>auth_request.state }
           else
-            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
+            logger.info "RO2S: Client #{auth_request.client_id} denied authorization" if logger
             params = { :error=>:access_denied, :state=>auth_request.state }
           end
           redirect_uri.fragment = Rack::Utils.build_query(params)
@@ -342,35 +344,36 @@ module Rack
           when "authorization_code"
             # 4.1.1.  Authorization Code
             grant = AccessGrant.from_code(request.POST["code"])
-            raise InvalidGrantError unless grant && client.id == grant.client_id
-            raise InvalidGrantError unless grant.redirect_uri.nil? || grant.redirect_uri == Utils.parse_redirect_uri(request.POST["redirect_uri"]).to_s
+            raise InvalidGrantError, "Wrong client" unless grant && client.id == grant.client_id
+            raise InvalidGrantError, "Wrong redirect URI" unless grant.redirect_uri.nil? || grant.redirect_uri == Utils.parse_redirect_uri(request.POST["redirect_uri"]).to_s
+            raise InvalidGrantError, "This access grant expired" if grant.expires_at && grant.expires_at <= Time.now.to_i
             access_token = grant.authorize!
           when "password"
             raise UnsupportedGrantType unless options.authenticator
             # 4.1.2.  Resource Owner Password Credentials
             username, password = request.POST.values_at("username", "password")
-            raise InvalidGrantError unless username && password
+            raise InvalidGrantError, "Missing username/password" unless username && password
             requested_scope = Utils.normalize_scope(request.POST["scope"])
             allowed_scope = client.scope
             raise InvalidScopeError unless (requested_scope - allowed_scope).empty?
             args = [username, password]
             args << client.id << requested_scope unless options.authenticator.arity == 2
             identity = options.authenticator.call(*args)
-            raise InvalidGrantError unless identity
+            raise InvalidGrantError, "Username/password do not match" unless identity
             access_token = AccessToken.get_token_for(identity, client, requested_scope)
           else
             raise UnsupportedGrantType
           end
-          logger.info "Access token #{access_token.token} granted to client #{client.display_name}, identity #{access_token.identity}" if logger
+          logger.info "RO2S: Access token #{access_token.token} granted to client #{client.display_name}, identity #{access_token.identity}" if logger
           response = { :access_token=>access_token.token }
           response[:scope] = access_token.scope.join(" ")
-          return [200, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, response.to_json]
+          return [200, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, [response.to_json]]
           # 4.3.  Error Response
         rescue OAuthError=>error
-          logger.error "Access token request error: #{error.code} #{error.message}" if logger
+          logger.error "RO2S: Access token request error #{error.code}: #{error.message}" if logger
           return unauthorized(request, error) if InvalidClientError === error && request.basic?
           return [400, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, 
-                  { :error=>error.code, :error_description=>error.message }.to_json]
+                  [{ :error=>error.code, :error_description=>error.message }.to_json]]
         end
       end
 

data/test/oauth/access_grant_test.rb

@@ -176,6 +176,15 @@ class AccessGrantTest < Test::Unit::TestCase
     should_respond_with_access_token
   end
 
+  context "access grant expired" do
+    setup do
+      Timecop.travel 300 do
+        request_access_token
+      end
+    end
+    should_return_error :invalid_grant
+  end
+
 
   # 4.1.2.  Resource Owner Password Credentials
 

data/test/oauth/{server_test.rb → server_methods_test.rb}

@@ -166,6 +166,50 @@ class ServerTest < Test::Unit::TestCase
       end
     end
 
+    context "no expiration" do
+      setup do
+        @code = Server.access_grant("Batman", client.id)
+      end
+
+      should "not expire in a minute" do
+        Timecop.travel 60 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 200, last_response.status
+        end
+      end
+
+      should "expire after 5 minutes" do
+        Timecop.travel 300 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 400, last_response.status
+        end
+      end
+    end
+
+    context "expiration set" do
+      setup do
+        @code = Server.access_grant("Batman", client.id, nil, 1800)
+      end
+
+      should "not expire prematurely" do
+        Timecop.travel 1750 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 200, last_response.status
+        end
+      end
+
+      should "expire after specified seconds" do
+        Timecop.travel 1800 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 400, last_response.status
+        end
+      end
+    end
+
   end