rack-oauth2 1.12.0 → 2.2.0

data/rack-oauth2.gemspec

@@ -2,19 +2,20 @@ Gem::Specification.new do |s|
   s.name = 'rack-oauth2'
   s.version = File.read('VERSION')
   s.authors = ['nov matake']
-  s.description = %q{OAuth 2.0 Server & Client Library. Both Bearer and MAC token type are supported.}
-  s.summary = %q{OAuth 2.0 Server & Client Library - Both Bearer and MAC token type are supported}
+  s.description = %q{OAuth 2.0 Server & Client Library. Both Bearer token type are supported.}
+  s.summary = %q{OAuth 2.0 Server & Client Library - Both Bearer token type are supported}
   s.email = 'nov@matake.jp'
   s.extra_rdoc_files = ['LICENSE', 'README.rdoc']
   s.rdoc_options = ['--charset=UTF-8']
-  s.homepage = 'http://github.com/nov/rack-oauth2'
+  s.homepage = 'https://github.com/nov/rack-oauth2'
   s.license = 'MIT'
   s.require_paths = ['lib']
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.files = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.add_runtime_dependency 'rack', '< 2.1'
-  s.add_runtime_dependency 'httpclient'
+  s.add_runtime_dependency 'rack', '>= 2.1.0'
+  s.add_runtime_dependency 'faraday', '~> 2.0'
+  s.add_runtime_dependency 'faraday-follow_redirects'
   s.add_runtime_dependency 'activesupport'
   s.add_runtime_dependency 'attr_required'
   s.add_runtime_dependency 'json-jwt', '>= 1.11.0'
@@ -23,4 +24,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rspec-its'
   s.add_development_dependency 'webmock'
+  s.add_development_dependency 'rexml'
 end

data/spec/helpers/webmock_helper.rb

@@ -13,7 +13,7 @@ module WebMockHelper
 
   def request_for(method, options = {})
     request = {}
-    params = options.try(:[], :params) || {}
+    params = options&.[](:params) || {}
     case method
     when :post, :put, :delete
       request[:body] = params
@@ -28,7 +28,13 @@ module WebMockHelper
 
   def response_for(response_file, options = {})
     response = {}
-    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', response_file))
+    format = options[:format] || :json
+    if format == :json
+      response[:headers] = {
+        'Content-Type': 'application/json'
+      }
+    end
+    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{format}"))
     if options[:status]
       response[:status] = options[:status]
     end

data/spec/rack/oauth2/access_token/authenticator_spec.rb

@@ -2,25 +2,16 @@ require 'spec_helper'
 
 describe Rack::OAuth2::AccessToken::Authenticator do
   let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
-  let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
+  let(:request) { Faraday::Request.new(:get, URI.parse(resource_endpoint)) }
   let(:authenticator) { Rack::OAuth2::AccessToken::Authenticator.new(token) }
 
   shared_examples_for :authenticator do
     it 'should let the token authenticate the request' do
       expect(token).to receive(:authenticate).with(request)
-      authenticator.filter_request(request)
+      authenticator.authenticate(request)
     end
   end
 
-  context 'when Legacy token is given' do
-    let(:token) do
-      Rack::OAuth2::AccessToken::Legacy.new(
-        access_token: 'access_token'
-      )
-    end
-    it_behaves_like :authenticator
-  end
-
   context 'when Bearer token is given' do
     let(:token) do
       Rack::OAuth2::AccessToken::Bearer.new(
@@ -29,15 +20,4 @@ describe Rack::OAuth2::AccessToken::Authenticator do
     end
     it_behaves_like :authenticator
   end
-
-  context 'when MAC token is given' do
-    let(:token) do
-      Rack::OAuth2::AccessToken::MAC.new(
-        access_token: 'access_token',
-        mac_key: 'secret',
-        mac_algorithm: 'hmac-sha-256'
-      )
-    end
-    it_behaves_like :authenticator
-  end
 end

data/spec/rack/oauth2/access_token/bearer_spec.rb

@@ -7,11 +7,11 @@ describe Rack::OAuth2::AccessToken::Bearer do
     )
   end
   let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
-  let(:request) { HTTPClient.new.send(:create_request, :post, URI.parse(resource_endpoint), {}, {hello: "world"}, {}) }
+  let(:request) { Faraday::Request.new(:post, URI.parse(resource_endpoint), '', {hello: "world"}, {}) }
 
   describe '.authenticate' do
     it 'should set Authorization header' do
-      expect(request.header).to receive(:[]=).with('Authorization', 'Bearer access_token')
+      expect(request.headers).to receive(:[]=).with('Authorization', 'Bearer access_token')
       token.authenticate(request)
     end
   end

data/spec/rack/oauth2/access_token_spec.rb

@@ -49,23 +49,6 @@ describe Rack::OAuth2::AccessToken do
 
   let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
   [:get, :delete, :post, :put].each do |method|
-    describe method do
-      it 'should delegate to HTTPClient with Authenticator filter' do
-        expect(token.httpclient).to receive(method).with(resource_endpoint)
-        token.httpclient.request_filter.last.should be_a Rack::OAuth2::AccessToken::Authenticator
-        token.send method, resource_endpoint
-      end
-    end
-
-    context 'in debug mode' do
-      it do
-        Rack::OAuth2.debug do
-          token.httpclient.request_filter[-2].should be_a Rack::OAuth2::AccessToken::Authenticator
-          token.httpclient.request_filter.last.should be_a Rack::OAuth2::Debugger::RequestFilter
-        end
-      end
-    end
-
     context 'when extension params given' do
       subject do
         Rack::OAuth2::AccessToken::Bearer.new(

data/spec/rack/oauth2/client_spec.rb

@@ -1,12 +1,15 @@
 require 'spec_helper.rb'
 
 describe Rack::OAuth2::Client do
+  let(:client_id) { 'client_id' }
+  let(:client_secret) { 'client_secret' }
   let :client do
     Rack::OAuth2::Client.new(
-      identifier: 'client_id',
-      secret: 'client_secret',
+      identifier: client_id,
+      secret: client_secret,
       host: 'server.example.com',
-      redirect_uri: 'https://client.example.com/callback'
+      redirect_uri: 'https://client.example.com/callback',
+      revocation_endpoint: '/oauth2/revoke'
     )
   end
   subject { client }
@@ -15,6 +18,7 @@ describe Rack::OAuth2::Client do
   its(:secret)     { should == 'client_secret' }
   its(:authorization_endpoint) { should == '/oauth2/authorize' }
   its(:token_endpoint)         { should == '/oauth2/token' }
+  its(:revocation_endpoint)    { should == '/oauth2/revoke' }
 
   context 'when identifier is missing' do
     it do
@@ -89,7 +93,7 @@ describe Rack::OAuth2::Client do
           mock_response(
             :post,
             'https://server.example.com/oauth2/token',
-            'tokens/bearer.json',
+            'tokens/bearer',
             request_header: {
               'Authorization' => 'Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ='
             }
@@ -97,13 +101,49 @@ describe Rack::OAuth2::Client do
           client.access_token!
         end
 
+        context 'when Basic auth method is used' do
+          context 'when client_id is a url' do
+            let(:client_id) { 'https://client.example.com'}
+
+            it 'should be encoded in "application/x-www-form-urlencoded"' do
+              mock_response(
+                :post,
+                'https://server.example.com/oauth2/token',
+                'tokens/bearer',
+                request_header: {
+                  'Authorization' => 'Basic aHR0cHMlM0ElMkYlMkZjbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
+                }
+              )
+              client.access_token!
+            end
+          end
+        end
+
+        context 'when basic_without_www_form_urlencode method is used' do
+          context 'when client_id is a url' do
+             let(:client_id) { 'https://client.example.com'}
+
+             it 'should be encoded in "application/x-www-form-urlencoded"' do
+               mock_response(
+                 :post,
+                 'https://server.example.com/oauth2/token',
+                 'tokens/bearer',
+                 request_header: {
+                   'Authorization' => 'Basic aHR0cHM6Ly9jbGllbnQuZXhhbXBsZS5jb206Y2xpZW50X3NlY3JldA=='
+                 }
+               )
+               client.access_token! :basic_without_www_form_urlencode
+             end
+           end
+        end
+
         context 'when jwt_bearer auth method specified' do
           context 'when client_secret is given' do
             it 'should be JWT bearer client assertion w/ auto-generated HS256-signed JWT assertion' do
               mock_response(
                 :post,
                 'https://server.example.com/oauth2/token',
-                'tokens/bearer.json',
+                'tokens/bearer',
                 params: {
                   client_assertion: /^eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9\..+/, # NOTE: HS256
                   client_assertion_type: Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER,
@@ -131,7 +171,7 @@ describe Rack::OAuth2::Client do
                 mock_response(
                   :post,
                   'https://server.example.com/oauth2/token',
-                  'tokens/bearer.json',
+                  'tokens/bearer',
                   params: {
                     client_assertion: /^eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9\..+/, # NOTE: RS256
                     client_assertion_type: Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER,
@@ -148,7 +188,7 @@ describe Rack::OAuth2::Client do
               let :client do
                 Rack::OAuth2::Client.new(
                   identifier: 'client_id',
-                  private_key: OpenSSL::PKey::EC.new('prime256v1').generate_key,
+                  private_key: OpenSSL::PKey::EC.generate('prime256v1'),
                   host: 'server.example.com',
                   redirect_uri: 'https://client.example.com/callback'
                 )
@@ -158,7 +198,7 @@ describe Rack::OAuth2::Client do
                 mock_response(
                   :post,
                   'https://server.example.com/oauth2/token',
-                  'tokens/bearer.json',
+                  'tokens/bearer',
                   params: {
                     client_assertion: /^eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9\..+/, # NOTE: ES256
                     client_assertion_type: Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER,
@@ -185,7 +225,7 @@ describe Rack::OAuth2::Client do
               mock_response(
                 :post,
                 'https://server.example.com/oauth2/token',
-                'tokens/bearer.json',
+                'tokens/bearer',
                 params: {
                   client_assertion: 'any.jwt.assertion',
                   client_assertion_type: Rack::OAuth2::URN::ClientAssertionType::JWT_BEARER,
@@ -204,7 +244,7 @@ describe Rack::OAuth2::Client do
             mock_response(
               :post,
               'https://server.example.com/oauth2/token',
-              'tokens/bearer.json',
+              'tokens/bearer',
               params: {
                 client_id: 'client_id',
                 client_secret: 'client_secret',
@@ -222,7 +262,7 @@ describe Rack::OAuth2::Client do
             mock_response(
               :post,
               'https://server.example.com/oauth2/token',
-              'tokens/bearer.json',
+              'tokens/bearer',
               params: {
                 client_id: 'client_id',
                 client_secret: 'client_secret',
@@ -242,7 +282,7 @@ describe Rack::OAuth2::Client do
             mock_response(
               :post,
               'https://server.example.com/oauth2/token',
-              'tokens/bearer.json',
+              'tokens/bearer',
               params: {
                 grant_type: 'client_credentials',
                 scope: 'a b'
@@ -258,7 +298,7 @@ describe Rack::OAuth2::Client do
           mock_response(
             :post,
             'https://server.example.com/oauth2/token',
-            'tokens/bearer.json',
+            'tokens/bearer',
             params: {
               grant_type: 'client_credentials',
               resource: 'something'
@@ -269,13 +309,30 @@ describe Rack::OAuth2::Client do
       end
     end
 
+    context 'local_http_config handling' do
+      it do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/bearer',
+          request_header: {
+            'Authorization' => 'Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=',
+            'X-Foo' => 'bar'
+          }
+        )
+        client.access_token! do |request|
+          request.headers['X-Foo'] = 'bar'
+        end
+      end
+    end
+
     context 'when bearer token is given' do
       before do
         client.authorization_code = 'code'
         mock_response(
           :post,
           'https://server.example.com/oauth2/token',
-          'tokens/bearer.json'
+          'tokens/bearer'
         )
       end
       it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
@@ -290,7 +347,7 @@ describe Rack::OAuth2::Client do
           mock_response(
             :post,
             'https://server.example.com/oauth2/token',
-            'tokens/_Bearer.json'
+            'tokens/_Bearer'
           )
         end
         it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
@@ -298,112 +355,146 @@ describe Rack::OAuth2::Client do
       end
     end
 
-    context 'when mac token is given' do
+    context 'when unknown-type token is given' do
       before do
         client.authorization_code = 'code'
         mock_response(
           :post,
           'https://server.example.com/oauth2/token',
-          'tokens/mac.json'
+          'tokens/unknown'
         )
       end
-      it { should be_instance_of Rack::OAuth2::AccessToken::MAC }
-      its(:token_type) { should == :mac }
-      its(:access_token) { should == 'access_token' }
-      its(:refresh_token) { should == 'refresh_token' }
-      its(:expires_in) { should == 3600 }
+      it do
+        expect { client.access_token! }.to raise_error(StandardError, 'Unknown Token Type')
+      end
     end
 
-    context 'when no-type token is given (JSON)' do
+    context 'when error response is given' do
       before do
-        client.authorization_code = 'code'
         mock_response(
           :post,
           'https://server.example.com/oauth2/token',
-          'tokens/legacy.json'
+          'errors/invalid_request',
+          status: 400
         )
       end
-      it { should be_instance_of Rack::OAuth2::AccessToken::Legacy }
-      its(:token_type) { should == :legacy }
-      its(:access_token) { should == 'access_token' }
-      its(:refresh_token) { should == 'refresh_token' }
-      its(:expires_in) { should == 3600 }
+      it do
+        expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
+      end
+    end
 
-      context 'when token_type is forced' do
+    context 'when no body given' do
+      context 'when error given' do
         before do
-          client.force_token_type! :bearer
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'blank',
+            format: 'txt',
+            status: 400
+          )
+        end
+        it do
+          expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
         end
-        it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
-        its(:token_type) { should == :bearer }
       end
     end
+  end
 
-    context 'when no-type token is given (key-value)' do
-      before do
+  describe '#revoke!' do
+    context 'local_http_config handling' do
+      it do
         mock_response(
           :post,
-          'https://server.example.com/oauth2/token',
-          'tokens/legacy.txt'
+          'https://server.example.com/oauth2/revoke',
+          'blank',
+          format: 'txt',
+          status: 200,
+          body: {
+            token: 'access_token',
+            token_type_hint: 'access_token'
+          },
+          request_header: {
+            'Authorization' => 'Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=',
+            'X-Foo' => 'bar'
+          }
         )
-      end
-      it { should be_instance_of Rack::OAuth2::AccessToken::Legacy }
-      its(:token_type) { should == :legacy }
-      its(:access_token) { should == 'access_token' }
-      its(:expires_in) { should == 3600 }
-
-      context 'when expires_in is not given' do
-        before do
-          mock_response(
-            :post,
-            'https://server.example.com/oauth2/token',
-            'tokens/legacy_without_expires_in.txt'
-          )
+        client.revoke!(access_token: 'access_token') do |request|
+          request.headers['X-Foo'] = 'bar'
         end
-        its(:expires_in) { should be_nil }
       end
     end
 
-    context 'when unknown-type token is given' do
+    context 'when access_token given' do
       before do
-        client.authorization_code = 'code'
         mock_response(
           :post,
-          'https://server.example.com/oauth2/token',
-          'tokens/unknown.json'
+          'https://server.example.com/oauth2/revoke',
+          'blank',
+          format: 'txt',
+          status: 200,
+          body: {
+            token: 'access_token',
+            token_type_hint: 'access_token'
+          }
         )
       end
       it do
-        expect { client.access_token! }.to raise_error(StandardError, 'Unknown Token Type')
+        client.revoke!(access_token: 'access_token').should == :success
       end
     end
 
-    context 'when error response is given' do
+    context 'when refresh_token given' do
       before do
         mock_response(
           :post,
-          'https://server.example.com/oauth2/token',
-          'errors/invalid_request.json',
+          'https://server.example.com/oauth2/revoke',
+          'blank',
+          format: 'txt',
+          status: 200,
+          body: {
+            token: 'refresh_token',
+            token_type_hint: 'refresh_token'
+          }
+        )
+      end
+
+      context 'as argument' do
+        it do
+          client.revoke!(refresh_token: 'refresh_token').should == :success
+        end
+      end
+
+      context 'as grant' do
+        it do
+          client.refresh_token = 'refresh_token'
+          client.revoke!
+        end
+      end
+    end
+
+    context 'when error response given' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/revoke',
+          'errors/invalid_request',
           status: 400
         )
       end
+
       it do
-        expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
+        expect do
+          client.revoke! access_token: 'access_token'
+        end.to raise_error Rack::OAuth2::Client::Error
       end
     end
 
-    context 'when no body given' do
-      context 'when error given' do
-        before do
-          mock_response(
-            :post,
-            'https://server.example.com/oauth2/token',
-            'blank',
-            status: 400
-          )
-        end
-        it do
-          expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
-        end
+    context 'when no token given' do
+      it do
+        expect do
+          client.revoke!
+        end.to raise_error ArgumentError
       end
     end
   end
@@ -413,7 +504,8 @@ describe Rack::OAuth2::Client do
       Rack::OAuth2::Client.new(
         identifier: 'client_id',
         secret: 'client_secret',
-        redirect_uri: 'https://client.example.com/callback'
+        redirect_uri: 'https://client.example.com/callback',
+        revocation_endpoint: '/oauth2/revoke'
       )
     end
 
@@ -428,5 +520,11 @@ describe Rack::OAuth2::Client do
         expect { client.access_token! }.to raise_error 'No Host Info'
       end
     end
+
+    describe '#revoke!' do
+      it do
+        expect { client.revoke! access_token: 'access_token' }.to raise_error 'No Host Info'
+      end
+    end
   end
 end

data/spec/rack/oauth2/oauth2_spec.rb

@@ -28,47 +28,4 @@ describe Rack::OAuth2 do
       Rack::OAuth2.debugging?.should == true
     end
   end
-
-  describe '.http_config' do
-    context 'when request_filter added' do
-      context 'when "debug!" is called' do
-        after { Rack::OAuth2.reset_http_config! }
-
-        it 'should put Debugger::RequestFilter at last' do
-          Rack::OAuth2.debug!
-          Rack::OAuth2.http_config do |config|
-            config.request_filter << Proc.new {}
-          end
-          Rack::OAuth2.http_client.request_filter.last.should be_instance_of Rack::OAuth2::Debugger::RequestFilter
-        end
-
-        it 'should reset_http_config' do
-          Rack::OAuth2.debug!
-          Rack::OAuth2.http_config do |config|
-            config.request_filter << Proc.new {}
-          end
-          size = Rack::OAuth2.http_client.request_filter.size
-          Rack::OAuth2.reset_http_config!
-          Rack::OAuth2.http_client.request_filter.size.should == size - 1
-        end
-
-      end
-    end
-  end
-
-  describe ".http_client" do
-    context "when local_http_config is used" do
-      it "should correctly set request_filter" do
-        clnt1 = Rack::OAuth2.http_client
-        clnt2 = Rack::OAuth2.http_client("my client") do |config|
-          config.request_filter << Proc.new {}
-        end
-        clnt3 = Rack::OAuth2.http_client
-
-        clnt1.request_filter.size.should == clnt3.request_filter.size
-        clnt1.request_filter.size.should == clnt2.request_filter.size - 1
-
-      end
-    end
-  end
 end

data/spec/rack/oauth2/server/authorize/error_spec.rb

@@ -23,27 +23,27 @@ describe Rack::OAuth2::Server::Authorize::BadRequest do
       context 'when protocol_params_location = :query' do
         before { error.protocol_params_location = :query }
         it 'should redirect with error in query' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == "#{redirect_uri}?error=invalid_request"
+          headers["Location"].should == "#{redirect_uri}?error=invalid_request"
         end
       end
 
       context 'when protocol_params_location = :fragment' do
         before { error.protocol_params_location = :fragment }
         it 'should redirect with error in fragment' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == "#{redirect_uri}#error=invalid_request"
+          headers["Location"].should == "#{redirect_uri}#error=invalid_request"
         end
       end
 
       context 'otherwise' do
         before { error.protocol_params_location = :other }
         it 'should redirect without error' do
-          state, header, response = error.finish
+          state, headers, response = error.finish
           state.should == 302
-          header["Location"].should == redirect_uri
+          headers["Location"].should == redirect_uri
         end
       end
     end

data/spec/rack/oauth2/server/resource/bearer/error_spec.rb

@@ -12,8 +12,8 @@ describe Rack::OAuth2::Server::Resource::Bearer::Unauthorized do
 
   describe '#finish' do
     it 'should use Bearer scheme' do
-      status, header, response = error.finish
-      header['WWW-Authenticate'].should include 'Bearer'
+      status, headers, response = error.finish
+      headers['WWW-Authenticate'].should include 'Bearer'
     end
   end
 end