rack-oauth2-server 1.3.1 → 1.4.0

data/CHANGELOG

@@ -1,4 +1,30 @@
-2010-11-07 version 1.3.1
+2010-11-09 version 1.4.0
+
+If authorization handle is passed as request parameter (the recommended way),
+then you can call oauth.grant! with a single argument and oauth.deny! with no
+arguments.
+
+You can now call oauth.deny! at any point during the authorization flow, e.g.
+automatically deny all requests based on scope and client.
+
+To deny access, return status code 403 (was, incorrectly 401). Or just use
+oauth.deny!.
+
+Web console gets template_url setting you can use to map access token identity
+into a URL in your application. The substitution variable is "{id}".
+
+Added error page when authorization attempt fails (instead of endless
+redirect).
+
+Fixed mounting of Web console on Rails. If it failed you before, try again.
+
+Fixed documentation for configuration under Rails, clarify that all the
+interesting stuff happens in after_initialize.
+
+Fixed error responses for response_type=token to use fragment identifier.
+
+
+2010-11-08 version 1.3.1
 
 Added command line tool, helps you get started and setup:
   $ oauth2-server setup --db my_db

data/README.rdoc

@@ -30,14 +30,15 @@ when required, but you do need to configure it from within
 example:
 
   Rails::Initializer.run do |config|
-    config.oauth.database = Mongo::Connection.new["my_db"]
-    config.oauth.scopes = %w{read write}
-    config.oauth.authenticator = lambda do |username, password|
-      user = User.find(username)
-      user if user && user.authenticated?(password)
-    end
-
     . . .
+    config.after_initialize do
+      config.oauth.database = Mongo::Connection.new["my_db"]
+      config.oauth.scopes = %w{read write}
+      config.oauth.authenticator = lambda do |username, password|
+        user = User.find(username)
+        user if user && user.authenticated?(password)
+      end
+    end
   end
 
 For Sinatra and Padrino, first require +rack/oauth2/sinatra+ and register
@@ -110,8 +111,8 @@ user back to the client application with an authorization code or access token.
 
 To signal that the user denied the authorization requests your application sets
 the response header oauth.authorization as before, and returns the status code
-401 (Unauthorized). Rack::OAuth2::Server will then redirect the user back to
-the client application with a suitable error code.
+403 (Forbidden). Rack::OAuth2::Server will then redirect the user back to the
+client application with a suitable error code.
 
 In Rails, the entire flow would look something like this:
 
@@ -125,11 +126,11 @@ In Rails, the entire flow would look something like this:
     end
 
     def grant
-      head oauth.grant!(params[:authorization], current_user.id)
+      head oauth.grant!(current_user.id)
     end
 
     def deny
-      head oauth.deny!(params[:authorization])
+      head oauth.deny!
     end
   end
 
@@ -149,11 +150,11 @@ In Sinatra/Padrino, it would look something like this:
   end
 
   post "/oauth/grant" do
-    oauth.grant! params[:authorization], "Superman"
+    oauth.grant! "Superman"
   end
 
   post "/oauth/deny" do
-    oauth.deny! params[:authorization]
+    oauth.deny!
   end
 
 The view would look something like this:
@@ -374,9 +375,7 @@ the console, by granting them access to the +oauth-admin+ scope. For example:
 
   def authorize
     # Only admins allowed to authorize the scope oauth-admin
-    if oauth.scope.include?("oauth-admin") && !current_user.admin?
-      oauth.deny! oauth.authorization
-    end
+    head oauth.deny! if oauth.scope.include?("oauth-admin") && !current_user.admin?
   end
 
 Make sure you do that, or you'll allow anyone access to the OAuth Web console.
@@ -386,9 +385,11 @@ client ID/secret. For example, for Rails add this to +config/environment.rb+:
 
   Rails::Initializer.run do |config|
     . . .
-    config.middleware.use Rack::OAuth2::Server::Admin.mount
-    Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
-    Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
+    config.after_initialize do
+      config.middleware.use Rack::OAuth2::Server::Admin.mount
+      Rack::OAuth2::Server::Admin.set :client_id, "4dca20453e4859cb000007"
+      Rack::OAuth2::Server::Admin.set :client_secret, "981fa734e110496fcf667cbf52fbaf03"
+    end
   end
 
 For Sinatra, Padrino and other Rack-based applications, you'll want to mount
@@ -404,6 +405,11 @@ like so (e.g. in +config.ru+):
 Next, open your browser to http://example.com/oauth/admin, or wherever you
 mounted the console.
 
+Another option, +template_url+ allows you to link access token identities to
+URLs in your application, using the substitution variable "{id}". For example:
+
+  Rack::OAuth2::Server::Admin.set :template_url, "https://example.com/accounts/{id}"
+
 The OAuth Web console is a single-page client application that operates by
 accessing the OAuth API. The API is mounted at /oauth/admin/api (basically /api
 relative to the console), you can access it yourself if you have an access

data/Rakefile

@@ -39,14 +39,14 @@ Rake::TestTask.new do |task|
 end
 
 namespace :test do
-  task :all=>["test:sinatra", "test:rails2"]
+  task :all=>["test:sinatra", "test:rails"]
   desc "Run all tests against Sinatra"
   task :sinatra do
     sh "rake test FRAMEWORK=sinatra"
   end
   desc "Run all tests against Rails 2.3.x"
-  task :rails2 do
-    sh "rake test FRAMEWORK=rails2"
+  task :rails do
+    sh "rake test FRAMEWORK=rails"
   end
 end
 task :default=>"test:all"

data/VERSION

@@ -1 +1 @@
-1.3.1
+1.4.0

data/bin/oauth2-server

@@ -62,18 +62,18 @@ when "setup"
 Make sure you ONLY authorize administrators to use the oauth-admin scope.
 For example:
 
-  def authorize
+  before_filter do
     # Only admins allowed to authorize the scope oauth-admin
-    if oauth.scope.include?("oauth-admin") && !current_user.admin?
-      oauth.deny! oauth.authorization
-    end
+    head oauth.deny! if oauth.scope.include?("oauth-admin") && !current_user.admin?
   end
 
 Rails 2.x, add the following to config/environment.rb:
 
-  config.middleware.use Rack::OAuth2::Server::Admin.mount "#{uri.path}"
-  Rack::OAuth2::Server::Admin.set :client_id, "#{client.id}"
-  Rack::OAuth2::Server::Admin.set :client_secret, "#{client.secret}"
+  config.after_initialize do
+    config.middleware.use Rack::OAuth2::Server::Admin.mount "#{uri.path}"
+    Rack::OAuth2::Server::Admin.set :client_id, "#{client.id}"
+    Rack::OAuth2::Server::Admin.set :client_secret, "#{client.secret}"
+  end
 
 Sinatra, Padrino and other Rack applications, mount the console:
 

data/lib/rack/oauth2/admin/css/screen.css

@@ -107,8 +107,10 @@ button:active { background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(rgba(0
 }
 
 #main {
+  margin: 0;
   padding: 0 2em 4em 2em;
   background: #fff;
+  border: 1px solid #fff;
 }
 #footer {
   background: #eee;
@@ -189,7 +191,7 @@ table.clients td.secrets dd:after {
 }
 
 table.tokens td.token {
-  width: 32em;
+  width: 36em;
 }
 table.tokens td.scope {
 }
@@ -264,6 +266,14 @@ table.tokens td.scope {
   margin-left: 60px;
 }
 
+.no-access {
+  margin: 0;
+  padding: 0;
+}
+.no-access h1 {
+  color: red;
+}
+
 .loading {
   background: url("../images/loading.gif") no-repeat 50% 50%;
 }

data/lib/rack/oauth2/admin/js/application.js

@@ -6,28 +6,39 @@ Sammy("#main", function(app) {
 
   // Use OAuth access token in all API requests.
   $(document).ajaxSend(function(e, xhr) {
-    xhr.setRequestHeader("Authorization", "OAuth " + app.session("oauth.token"));
+    if (app.session("oauth.token"))
+      xhr.setRequestHeader("Authorization", "OAuth " + app.session("oauth.token"));
   });
   // For all request (except callback), if we don't have an OAuth access token,
   // ask for one by requesting authorization.
-  this.before({ except: { path: /^#(access_token=|[^\\].*&access_token=)/ } }, function(context) {
+  this.before({ except: { path: /^#\w+=.+/ } }, function(context) {
     if (!app.session("oauth.token"))
       context.redirect(document.location.pathname + "/authorize?state=" + escape(context.path));
   })
+  function hashParams(hash) {
+    var pairs = hash.substring(1).split("&"), params = {};
+    for (var i in pairs) {
+      var splat = pairs[i].split("=");
+      params[splat[0]] = splat[1];
+    }
+    return params;
+  }
   // We recognize the OAuth authorization callback based on one of its
   // parameters. Crude but works here.
-  this.get(/^#(access_token=|[^\\].*&access_token=)/, function(context) {
+  this.get(/^#(access_token=|[^\\].*\&access_token=)/, function(context) {
     // Instead of a hash we get query parameters, so turn those into an object.
-    var params = context.path.substring(1).split("&"), args = {};
-    for (var i in params) {
-      var splat = params[i].split("=");
-      args[splat[0]] = splat[1];
-    }
-    app.session("oauth.token", args.access_token);
+    var params = hashParams(context.path);
+    app.session("oauth.token", params.access_token);
     // When the filter redirected the original request, it passed the original
     // request's URL in the state parameter, which we get back after
     // authorization.
-    context.redirect(args.state.length == 0 ? "#/" : unescape(args.state));
+    context.redirect(params.state.length == 0 ? "#/" : unescape(params.state));
+  });
+  // Authorization error/rejected.
+  this.get(/^#(error=|[^\\].*\&error=)/, function(context) {
+    var params = hashParams(context.path);
+    var error = params.error_description || "You were denied access";
+    context.partial("admin/views/no_access.tmpl", { error: error.replace(/\+/g, " ") });
   });
 
 

data/lib/rack/oauth2/admin/views/client.tmpl

@@ -28,7 +28,7 @@
       {{each tokens.list}}
       <tr>
         <td class="token">${token}</td>
-        <td class="identity">${identity}</td>
+        <td class="identity">{{if link}}<a href="${link}">${identity}</a>{{else}}${identity}{{/if}}</td>
         <td class="scope">${scope}</td>
         <td class="created">{{html $.shortdate(created)}}</td>
         <td class="revoke">

data/lib/rack/oauth2/admin/views/no_access.tmpl

@@ -0,0 +1,4 @@
+<div class="no-access">
+  <h1>${error}</h1>    
+  <p>You can try to <a href="#/">authenticate again</a></p>
+</div>

data/lib/rack/oauth2/server.rb

@@ -2,6 +2,7 @@ require "rack/oauth2/models"
 require "rack/oauth2/server/errors"
 require "rack/oauth2/server/utils"
 require "rack/oauth2/server/helper"
+require "rack/oauth2/server/admin"
 
 
 module Rack
@@ -107,7 +108,7 @@ module Rack
               request.env["oauth.access_token"] = token
               request.env["oauth.identity"] = access_token.identity
               logger.info "Authorized #{access_token.identity}" if logger
-            rescue Error=>error
+            rescue OAuthError=>error
               # 5.2.  The WWW-Authenticate Response Header Field
               logger.info "HTTP authorization failed #{error.code}" if logger
               return unauthorized(request, error)
@@ -154,30 +155,32 @@ module Rack
       # application.
       def request_authorization(request, logger)
         state = request.GET["state"]
-        if request.GET["authorization"]
-          auth_request = self.class.get_auth_request(request.GET["authorization"]) rescue nil
-          if !auth_request || auth_request.revoked
-            logger.error "Invalid authorization request #{auth_request}" if logger
-            return bad_request("Invalid authorization request")
-          end
-          client = self.class.get_client(auth_request.client_id)
+        begin
 
-        else
+          if request.GET["authorization"]
+            auth_request = self.class.get_auth_request(request.GET["authorization"]) rescue nil
+            if !auth_request || auth_request.revoked
+              logger.error "Invalid authorization request #{auth_request}" if logger
+              return bad_request("Invalid authorization request")
+            end
+            response_type = auth_request.response_type # Needed for error handling
+            client = self.class.get_client(auth_request.client_id)
 
-          # 3.  Obtaining End-User Authorization
-          begin
-            redirect_uri = Utils.parse_redirect_uri(request.GET["redirect_uri"])
-          rescue InvalidRequestError=>error
-            logger.error "Authorization request with invalid redirect_uri: #{request.GET["redirect_uri"]} #{error.message}" if logger
-            return bad_request(error.message)
-          end
+          else
+
+            # 3.  Obtaining End-User Authorization
+            begin
+              redirect_uri = Utils.parse_redirect_uri(request.GET["redirect_uri"])
+            rescue InvalidRequestError=>error
+              logger.error "Authorization request with invalid redirect_uri: #{request.GET["redirect_uri"]} #{error.message}" if logger
+              return bad_request(error.message)
+            end
 
-          begin
             # 3. Obtaining End-User Authorization
+            response_type = request.GET["response_type"].to_s # Need this first, for error handling
             client = get_client(request)
             raise RedirectUriMismatchError unless client.redirect_uri.nil? || client.redirect_uri == redirect_uri.to_s
             requested_scope = request.GET["scope"].to_s.split.uniq.join(" ")
-            response_type = request.GET["response_type"].to_s
             raise UnsupportedResponseTypeError unless options.authorization_types.include?(response_type)
             if scopes = options.scopes
               allowed_scope = scopes.respond_to?(:all?) ? scopes : scopes.split
@@ -186,17 +189,24 @@ module Rack
             # Create object to track authorization request and let application
             # handle the rest.
             auth_request = AuthRequest.create(client.id, requested_scope, redirect_uri.to_s, response_type, state)
-          rescue Error=>error
-            logger.error "Authorization request error: #{error.code} #{error.message}" if logger
-            params = Rack::Utils.parse_query(redirect_uri.query).merge(:error=>error.code, :error_description=>error.message, :state=>state)
+            request.env["oauth.authorization"] = auth_request.id.to_s
+          end
+          # Pass back to application, watch for 403 (deny!)
+          logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope}" if logger
+          response = @app.call(request.env)
+          raise AccessDeniedError if response[0] == 403
+          return response
+        rescue OAuthError=>error
+          logger.error "Authorization request error: #{error.code} #{error.message}" if logger
+          params = { :error=>error.code, :error_description=>error.message, :state=>state }
+          if response_type == "token"
+            redirect_uri.fragment = Rack::Utils.build_query(params)
+          else # response type is code, or invalid
+            params = Rack::Utils.parse_query(redirect_uri.query).merge(params)
             redirect_uri.query = Rack::Utils.build_query(params)
-            return redirect_to(redirect_uri)
           end
+          return redirect_to(redirect_uri)
         end
-
-        request.env["oauth.authorization"] = auth_request.id.to_s
-        logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{auth_request.response_type} with scope #{auth_request.scope}" if logger
-        return @app.call(request.env)
       end
 
       # Get here on completion of the authorization. Authorization response in
@@ -206,29 +216,33 @@ module Rack
         status, headers, body = response
         auth_request = self.class.get_auth_request(headers["oauth.authorization"])
         redirect_uri = URI.parse(auth_request.redirect_uri)
-        if status == 401
+        if status == 403
           auth_request.deny!
         else
           auth_request.grant! headers["oauth.identity"]
         end
         # 3.1.  Authorization Response
-        if auth_request.response_type == "code" && auth_request.grant_code
-          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
-          params = { :code=>auth_request.grant_code, :scope=>auth_request.scope, :state=>auth_request.state }
+        if auth_request.response_type == "code"
+          if auth_request.grant_code
+            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
+            params = { :code=>auth_request.grant_code, :scope=>auth_request.scope, :state=>auth_request.state }
+          else
+            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
+            params = { :error=>:access_denied, :state=>auth_request.state }
+          end
           params = Rack::Utils.parse_query(redirect_uri.query).merge(params)
           redirect_uri.query = Rack::Utils.build_query(params)
-          return redirect_to(redirect_uri)
-        elsif auth_request.response_type == "token" && auth_request.access_token
-          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access token #{auth_request.access_token}" if logger
-          params = { :access_token=>auth_request.access_token, :scope=>auth_request.scope, :state=>auth_request.state }
+        else # response type if token
+          if auth_request.access_token
+            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access token #{auth_request.access_token}" if logger
+            params = { :access_token=>auth_request.access_token, :scope=>auth_request.scope, :state=>auth_request.state }
+          else
+            logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
+            params = { :error=>:access_denied, :state=>auth_request.state }
+          end
           redirect_uri.fragment = Rack::Utils.build_query(params)
-          return redirect_to(redirect_uri)
-        else
-          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
-          params = Rack::Utils.parse_query(redirect_uri.query).merge(:error=>:access_denied, :state=>auth_request.state)
-          redirect_uri.query = Rack::Utils.build_query(params)
-          return redirect_to(redirect_uri)
         end
+        return redirect_to(redirect_uri)
       end
 
       # 4.  Obtaining an Access Token
@@ -264,7 +278,7 @@ module Rack
           response[:scope] = access_token.scope unless access_token.scope.empty?
           return [200, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, response.to_json]
           # 4.3.  Error Response
-        rescue Error=>error
+        rescue OAuthError=>error
           logger.error "Access token request error: #{error.code} #{error.message}" if logger
           return unauthorized(request, error) if InvalidClientError === error && request.basic?
           return [400, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, 

data/lib/rack/oauth2/server/admin.rb

@@ -16,7 +16,7 @@ module Rack
               def mount(klass, path)
                 @klass = klass
                 @path = path
-                @match = /^#{Regexp.escape(path)}\/(.*)$/
+                @match = /^#{Regexp.escape(path)}(\/.*|$)?/
               end
 
               attr_reader :klass, :path, :match
@@ -31,7 +31,7 @@ module Rack
               path = env["PATH_INFO"].to_s
               script_name = env['SCRIPT_NAME']
               if path =~ self.class.match && rest = $1
-                env.merge! "SCRIPT_NAME"=>(script_name + self.class.path), "PATH_INFO"=>"/#{rest}"
+                env.merge! "SCRIPT_NAME"=>(script_name + self.class.path), "PATH_INFO"=>rest
                 return @admin.call(env)
               else
                 return @pass.call(env)
@@ -63,6 +63,9 @@ module Rack
         # Use this URL to authorize access to this console. If not set, goes to
         # /oauth/authorize.
         set :authorize, nil
+        # Map access token identity to URL on your application, by replacing
+        # "{id}" with the token identity (e.g. "http://example.com/user/{id}")
+        set :template_url, nil
 
         # Number of tokens to return in each page.
         set :tokens_per_page, 100
@@ -213,6 +216,7 @@ module Rack
           def token_as_json(token)
             { :token=>token.token, :identity=>token.identity, :scope=>token.scope, :created=>token.created_at,
               :expired=>token.expires_at, :revoked=>token.revoked,
+              :link=>settings.template_url && settings.template_url.gsub("{id}", token.identity),
               :revoke=>"#{request.script_name}/api/token/#{token.token}/revoke" }
           end
         end