rack-oauth2-server 1.2.2 → 1.3.0

data/CHANGELOG

@@ -1,3 +1,17 @@
+2010-11-07 version 1.3.0
+
+Added OAuth authorization console.
+
+Added param_authentication option: turn this on if you need to support
+oauth_token query parameter or form field. Disabled by default.
+
+Added host option: only check requests sent to that host (e.g. only check
+requests to api.example.com).
+
+Added path option: only check requests under this path (e.g. only check
+requests for /api/...).
+
+
 2010-11-03 version 1.2.2
 
 Store ObjectId references in database.

data/Gemfile

@@ -2,6 +2,8 @@ source :rubygems
 gemspec
 
 group :development do
+  gem "sinatra"
+  gem "thin"
   gem "yard"
 end
 
@@ -13,5 +15,6 @@ group :test do
   gem "rails", "~>2.3"
   gem "shoulda"
   gem "sinatra"
+  gem "therubyracer", "~>0.8.0.pre"
   gem "timecop"
 end

data/README.rdoc

@@ -72,6 +72,10 @@ The configuration options are:
 - +:authorize_path+ --  Path for requesting end-user authorization. By
   convention defaults to +/oauth/authorize+.
 - +:database+ -- +Mongo::DB+ instance.
+- +:host+ -- Only check requests sent to this host.
+- +:path+ -- Only check requests for resources under this path.
+- +:param_authentication+ -- If true, supports authentication using query/form
+  parameters.
 - +:realm+ -- Authorization realm that will show up in 401 responses. Defaults
   to use the request host name.
 - +:scopes+ -- Array listing all supported scopes, e.g. ["read", "write"].
@@ -113,6 +117,11 @@ In Rails, the entire flow would look something like this:
 
   class OauthController < ApplicationController
     def authorize
+      if current_user
+        render :action=>"authorize"
+      else
+        redirect_to :action=>"login", :authorization=>oauth.authorization
+      end
     end
 
     def grant
@@ -132,7 +141,11 @@ method.
 In Sinatra/Padrino, it would look something like this:
 
   get "/oauth/authorize" do
-    render "oauth/authorize"
+    if current_user
+      render "oauth/authorize"
+    else
+      redirect "/oauth/login?authorization=#{oauth.authorization}"
+    end
   end
 
   post "/oauth/grant" do
@@ -159,13 +172,19 @@ The view would look something like this:
 
 == Step 4: Protect Your Path
 
-Rack::OAuth2::Server intercepts all incoming requests and looks for either
-OAuth authentication header, or +oauth_token+ parameter. If it finds either
-one, and the access token is still valid, it sets the request header
-+oauth.identity+ to the value you supplied during authorization (step 3).
+Rack::OAuth2::Server intercepts all incoming requests and looks for an
+Authorization header that uses OAuth authentication scheme, like so:
+
+  Authorization: OAuth e57807eb99f8c29f60a27a75a80fec6e
+
+It can also support the +oauth_token+ query parameter or form field, if you set
++param_authentication+ to true. This option is off by default to prevent
+conflict with OAuth 1.0 callback.
 
-You can use +oauth.identity+ to resolve the access token back to user, account
-or whatever you put there.
+If Rack::OAuth2::Server finder a valid access token in the request, it sets the
+request header +oauth.identity+ to the value you supplied during authorization
+(step 3). You can use +oauth.identity+ to resolve the access token back to
+user, account or whatever you put there.
 
 If the access token is invalid or revoked, it returns 401 (Unauthorized) to the
 client. However, if there's no access token, the request goes through. You

data/Rakefile

@@ -26,7 +26,7 @@ end
 
 desc "Run all tests"
 Rake::TestTask.new do |task|
-  task.test_files = FileList['test/*_test.rb']
+  task.test_files = FileList['test/**/*_test.rb']
   if Rake.application.options.trace
     #task.warning = true
     task.verbose = true

data/VERSION

@@ -0,0 +1 @@
+1.3.0

data/lib/rack/oauth2/admin/css/screen.css

@@ -0,0 +1,233 @@
+body {
+  margin: 0;
+  width: 100%;
+  font: 12pt "Helvetica", "Lucida Sans", "Verdana";
+}
+
+a { text-decoration: none; color: #00c; }
+a:hover, a:focus { text-decoration: underline; color: #00c; }
+h1, h2 {
+  text-shadow: rgba(255,255,255,.2) 0 1px 1px;
+  color: rgb(76, 86, 108);
+}
+h1 { font-size: 18pt; margin: 0.6em 0 }
+h2 { font-size: 16pt; margin: 0.3em 0 }
+
+label {
+  display: block;
+  color: #000;
+  font-weight: 600;
+  font-size: 0.9em;
+  margin: 0.9em 0;
+}
+label input, label textarea, label select { display: block }
+label input, label textarea {
+  font-size: 12pt;
+  line-height: 1.3em;
+}
+label .hint {
+  font-weight: normal;
+  color: #666;
+  margin: 0;
+}
+button {
+  font-size: 11pt;
+  text-shadow: 0 -1px 1px rgba(0,0,0,0.25);
+  border: 1px solid #dddddd;
+  background: #f6f6f6 50% 50% repeat-x;
+  font-weight: bold;
+  color: #0073ea;
+  outline: none;
+  line-height: 1.3em;
+  vertical-align: bottom;
+  padding: 2px 8px;
+	background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(226,226,226,0.0)), to(rgba(226,226,226,1.0)));
+  -webkit-border-radius: 4px; -moz-border-radius: 4px;
+	-moz-box-shadow: 0 0 4px rgba(0,0,0,0.0);
+	-webkit-box-shadow: 0 0 4px rgba(0,0,0,0.0);
+}
+button:hover, button:focus {
+	text-shadow: 0 -1px 1px rgba(255,255,255,0.25);
+  border: 1px solid #0073ea;
+  background: #0073ea 50% 50% repeat-x;
+  background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(0, 115, 234, 0.5)), to(rgba(0,115,234, 1.0)));
+  color: #fff;
+  text-decoration: none;
+  cursor: pointer;
+	-moz-box-shadow: 0 2px 4px rgba(0,0,0,0.5);
+	-webkit-box-shadow: 0 1px 3px rgba(0,0,0,0.5);
+}
+button:active { background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(0, 115, 234, 1.0)), to(rgba(0,115,234, 0.5))); position: relative; top: 1px }
+
+
+/* Message dropping down from the top */
+#notice {
+  position: absolute;
+  top: 0;
+  left: 0;
+  right: 0;
+  line-height: 1.6em;
+  background: #ffd;
+  color: #000;
+  border-bottom: 1px solid #ddd;
+  text-align: center;
+  z-index: 99;
+}
+
+#header {
+  margin: 0 2em;
+}
+#header .title {
+  font-size: 1.4em;
+  font-weight: bold;
+  color: #000;
+  text-decoration: none;
+  margin: 0.6em 0;
+  display: block;
+  text-align: right;
+}
+
+#main {
+  margin: 0 2em;
+}
+
+table {
+  width: 100%;
+  table-layout: auto;
+  empty-cells: show;
+  border-collapse: separate;
+  border-spacing: 0px;
+}
+table th {
+  text-align: left;
+  border-bottom: 1px solid #ccc;
+  margin-right: 48px;
+}
+table td {
+  text-align: left;
+  vertical-align: top;
+  border-bottom: 1px solid #ddf;
+  line-height: 32px;
+  margin: 0;
+  padding: 0;
+}
+table tr:hover td {
+  background: #ddf;
+}
+table td.created, table td.revoke {
+  width: 6em;
+}
+table tr.revoked td, table tr.revoked a {
+  color: #888;
+}
+table button {
+  margin-top: -2px;
+  font-size: 10pt;
+}
+
+table.clients td.name {
+  padding-left: 32px;
+}
+table.clients td.name img {
+  width: 24px;
+  height: 24px;
+  border: none;
+  margin: 4px 4px -4px -32px;
+}
+table.clients td.secrets {
+  width: 28em;
+}
+table.clients td.secrets dl {
+  display: none;
+  width: 40em;
+  margin: 0 -12em 0.6em 0;
+  line-height: 1.3em;
+}
+table.clients td.secrets dt {
+  width: 4em;
+  float: left;
+  color: #888;
+  margin-bottom: 0.3em;
+}
+table.clients td.secrets dd:after {
+  content: ".";
+  display: block;
+  clear: both;
+  visibility: hidden;
+  line-height: 0;
+  height: 0;
+}
+
+table.tokens td.token {
+  width: 32em;
+}
+table.tokens td.scope {
+}
+
+.pagination {
+  width: 100%;
+  margin-top: 2em;
+}
+.pagination a[rel=next] {
+  float: right;
+}
+.pagination a[rel=previous] {
+  float: left;
+}
+
+.badges {
+  list-style: none;
+  margin: 1.1em 0;
+  padding: 0;
+  text-align: right;
+  width: 100%;
+}
+.badges li {
+  display: inline-block;
+  margin-left: 8px;
+  min-width: 8em;
+}
+.badges  big {
+  font-size: 22pt;
+  display: block;
+  text-align: center;
+}
+.badges small {
+  font-size: 11pt;
+  display: block;
+  text-align: center;
+}
+
+.client .details {
+  float: left;
+}
+.client .details .name {
+  font-size: 15pt;
+  font-weight: bold;
+}
+.client .details img {
+  border: none;
+  width: 24px;
+  height: 24px;
+  vertical-align: bottom;
+}
+.client .details a[rel=edit] {
+  margin: 0 0.3em 0 1em;
+}
+.client .details .meta {
+  color: #888;
+  font-size: 10pt;
+}
+.client.new>#image, .client.edit>#image {
+  float: left;
+  margin: 0 12px 0 0;
+  width: 48px;
+  height: 48px;
+}
+.client.new>*, .client.edit>* {
+  margin-left: 60px;
+}
+
+.loading {
+  background: url("../images/loading.gif") no-repeat 50% 50%;
+}

data/lib/rack/oauth2/admin/js/application.js

@@ -0,0 +1,154 @@
+Sammy("#main", function(app) {
+  this.use(Sammy.Tmpl);
+  this.use(Sammy.Session);
+  this.use(Sammy.Title);
+  this.setTitle("OAuth Console - ");
+
+  // Use OAuth access token in all API requests.
+  $(document).ajaxSend(function(e, xhr) {
+    xhr.setRequestHeader("Authorization", "OAuth " + app.session("oauth.token"));
+  });
+  // For all request (except callback), if we don't have an OAuth access token,
+  // ask for one by requesting authorization.
+  this.before({ except: { path: /^#(access_token=|[^\\].*&access_token=)/ } }, function(context) {
+    if (!app.session("oauth.token"))
+      context.redirect(document.location.pathname + "/authorize?state=" + escape(context.path));
+  })
+  // We recognize the OAuth authorization callback based on one of its
+  // parameters. Crude but works here.
+  this.get(/^#(access_token=|[^\\].*&access_token=)/, function(context) {
+    // Instead of a hash we get query parameters, so turn those into an object.
+    var params = context.path.substring(1).split("&"), args = {};
+    for (var i in params) {
+      var splat = params[i].split("=");
+      args[splat[0]] = splat[1];
+    }
+    app.session("oauth.token", args.access_token);
+    // When the filter redirected the original request, it passed the original
+    // request's URL in the state parameter, which we get back after
+    // authorization.
+    context.redirect(args.state.length == 0 ? "#/" : unescape(args.state));
+  });
+
+
+  var api = document.location.pathname + "/api";
+  // View all clients
+  this.get("#/", function(context) {
+    context.title("All Clients");
+    $.getJSON(api + "/clients", function(json) {
+      context.partial("admin/views/clients.tmpl", { clients: json.list, tokens: json.tokens });
+    });
+  });
+  // Edit client
+  this.get("#/client/:id/edit", function(context) {
+    $.getJSON(api + "/client/" + context.params.id, function(client) {
+      context.title(client.displayName);
+      context.partial("admin/views/edit.tmpl", client)
+    })
+  });
+  this.put("#/client/:id", function(context) {
+    $.ajax({ type: "put", url: api + "/client/" + context.params.id,
+      data: {
+        displayName: context.params.displayName,
+        link: context.params.link,
+        redirectUri: context.params.redirectUri,
+        imageUrl: context.params.imageUrl
+      },
+      success: function(client) {
+        context.redirect("#/client/" + context.params.id);
+        app.trigger("notice", "Saved your changes");
+      },
+      error: function(xhr) {
+        context.partial("admin/views/edit.tmpl", context.params);
+        app.trigger("notice", xhr.responseText);
+      }
+    })
+  });
+  // View single client
+  this.get("#/client/:id", function(context) {
+    $.getJSON(api + "/client/" + context.params.id, function(client) {
+      context.title(client.displayName);
+      context.partial("admin/views/client.tmpl", client)
+    });
+  });
+  this.get("#/client/:id/:page", function(context) {
+    $.getJSON(api + "/client/" + context.params.id + "?page=" + context.params.page, function(client) {
+      context.title(client.displayName);
+      context.partial("admin/views/client.tmpl", client)
+    });
+  });
+  // Create new client
+  this.get("#/new", function(context) {
+    context.title("Add New Client");
+    context.partial("admin/views/edit.tmpl", context.params);
+  });
+  this.post("#/clients", function(context) {
+    context.title("Add New Client");
+    $.ajax({ type: "post", url: api + "/clients",
+      data: {
+        displayName: context.params.displayName,
+        link: context.params.link,
+        redirectUri: context.params.redirectUri,
+        imageUrl: context.params.imageUrl
+      },
+      success: function(client) {
+        app.trigger("notice", "Added new client application " + client.displayName);
+        context.redirect("#/");
+      },
+      error: function(xhr) {
+        app.trigger("notice", xhr.responseText);
+        context.partial("admin/views/edit.tmpl", context.params);
+      }
+    });
+  });
+
+  // Client/token revoke buttons do this.
+  $("a[data-method=post]").live("click", function(evt) {
+    evt.preventDefault();
+    var link = $(this);
+    if (link.attr("data-confirm") && !confirm(link.attr("data-confirm")))
+      return;
+    $.post(link.attr("href"), function(success) {
+      app.trigger("notice", "Revoked!");
+      app.refresh();
+    });
+  });
+  // Link to reveal/hide client ID/secret
+  $("td.secrets a[rel=toggle]").live("click", function(evt) {
+    evt.preventDefault();
+    var dl = $(this).next("dl");
+    if (dl.is(":visible")) {
+      $(this).html("Reveal");
+      dl.hide();
+    } else {
+      $(this).html("Hide");
+      dl.show();
+    }
+  });
+  // Error/notice at top of screen
+  var noticeTimeout;
+  app.bind("notice", function(evt, message) {
+    $("#notice").text(message).fadeIn("fast");
+    if (noticeTimeout) {
+      cancelTimeout(noticeTimeout);
+      noticeTimeout = null;
+    }
+    noticeTimeout = setTimeout(function() {
+      noticeTimeout = null;
+      $("#notice").fadeOut("slow");
+    }, 5000);
+  });
+  $("#notice").live("click", function() { $(this).fadeOut("slow") });
+});
+
+// Adds thousands separator to integer or float (can also pass formatted string
+// if you care about precision).
+$.thousands = function(integer) {
+  return integer.toString().replace(/^(\d+?)((\d{3})+)$/g, function(x,a,b) { return a + b.replace(/(\d{3})/g, ",$1") })
+    .replace(/\.((\d{3})+)(\d+)$/g, function(x,a,b,c) { return "." + a.replace(/(\d{3})/g, "$1,") + c })
+}
+
+$.shortdate = function(integer) {
+  var date = new Date(integer * 1000);
+  return "<span title='" + date.toLocaleString() + "'>" + date.toISOString().substring(0,10) + "</span>";
+}