rack-oauth2 0.1.0 → 0.2.0

data/README.rdoc

@@ -7,7 +7,7 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-10
 
 == Installation
 
-  gem install fb_graph
+  gem install rack-oauth2
 
 == Resources
 
@@ -17,23 +17,27 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-10
 
 == Usage
 
-See examples
+=== Rails
 
-=== End User Authorization Endpoint
+==== Resource Owner Authorization & Token Endpoint
 
-* example/server/oauth2_controller.rb (Rails)
-* example/server/authorize.rb (Sinatra)
+http://gist.github.com/584594
 
-=== Token Endpoint
+==== Protected Resource Middleware Setting
 
-* example/server/oauth2_controller.rb (Rails)
-* example/server/token.rb (Sinatra)
+http://gist.github.com/584565
 
-=== Protected Resource Endpoint
+=== Sinatra
 
-TODO:
+==== Resource Owner Authorization Endpoint
 
-=== Note on Patches/Pull Requests
+http://gist.github.com/584595
+
+==== Token Endpoint
+
+http://gist.github.com/584574
+
+== Note on Patches/Pull Requests
  
 * Fork the project.
 * Make your feature addition or bug fix.

data/Rakefile

@@ -5,7 +5,7 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |gem|
     gem.name = 'rack-oauth2'
-    gem.summary = %Q{Rack Middleware for OAuth2 Client & Server}
+    gem.summary = %Q{Rack Middleware for OAuth2 Server}
     gem.description = %Q{Rack Middleware for OAuth2. Currently support only Server/Provider, not Client/Consumer.}
     gem.email = 'nov@matake.jp'
     gem.homepage = 'http://github.com/nov/rack-oauth2'
@@ -30,6 +30,7 @@ Spec::Rake::SpecTask.new(:rcov) do |spec|
   spec.libs << 'lib' << 'spec'
   spec.pattern = 'spec/**/*_spec.rb'
   spec.rcov = true
+  spec.rcov_opts = ['--exclude spec,gems']
 end
 
 task :spec => :check_dependencies

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

data/lib/rack/oauth2/server/abstract/request.rb

@@ -7,24 +7,30 @@ module Rack
 
           def initialize(env)
             super
-            verify_required_params!
-            @client_id = params['client_id']
+            missing_params = verify_required_params
+            @client_id ||= params['client_id']
             @scope = Array(params['scope'].to_s.split(' '))
+            missing_params << :client_id if @client_id.blank?
+            unless missing_params.blank?
+              invalid_request!("'#{missing_params.join('\', \'')}' required.", :state => @state, :redirect_uri => @redirect_uri)
+            end
+            if params['client_id'].present? && @client_id != params['client_id']
+              invalid_client!("Multiple client credentials are provided.")
+            end
           end
 
           def required_params
-            [:client_id]
+            []
           end
 
-          def verify_required_params!
+          def verify_required_params
             missing_params = []
             required_params.each do |key|
               missing_params << key unless params[key.to_s]
             end
-            unless missing_params.blank?
-              raise BadRequest.new(:invalid_request, "'#{missing_params.join('\', \'')}' required", :state => @state, :redirect_uri => @redirect_uri)
-            end
+            missing_params
           end
+
         end
       end
     end

data/lib/rack/oauth2/server/authorize.rb

@@ -11,6 +11,7 @@ module Rack
         end
 
         class Request < Abstract::Request
+          include Error::Authorize
           attr_accessor :response_type, :redirect_uri, :state
 
           def initialize(env)
@@ -32,9 +33,10 @@ module Rack
             when 'code_and_token'
               CodeAndToken
             else
-              raise BadRequest.new(:unsupported_response_type, "'#{params['response_type']}' isn't supported.", :state => state, :redirect_uri => redirect_uri)
+              unsupported_response_type!("'#{params['response_type']}' isn't supported.")
             end
           end
+
         end
 
         class Response < Abstract::Response

data/lib/rack/oauth2/server/error.rb

@@ -14,14 +14,6 @@ module Rack
           @realm        = options[:realm]
           @scope        = Array(options[:scope])
           @redirect_uri = Util.parse_uri(options[:redirect_uri]) if options[:redirect_uri]
-          @www_authenticate = 
-          @channel = if options[:www_authenticate].present?
-            :www_authenticate
-          elsif @redirect_uri.present?
-            :query_string
-          else
-            :json_body
-          end
         end
 
         def finish
@@ -35,39 +27,47 @@ module Rack
             value.blank?
           end
           response = Rack::Response.new
-          case @channel
-          when :www_authenticate
-            response.status = status
-            response.header['WWW-Authenticate'] = "OAuth realm='#{realm}' #{params.collect { |key, value| "#{key}='#{value.to_s}'" }.join(' ')}"
-            response.write params.to_json
-          when :query_string
+          if @redirect_uri.present?
             redirect_uri.query = if redirect_uri.query
               [redirect_uri.query, params.to_query].join('&')
             else
               params.to_query
             end
             response.redirect redirect_uri.to_s
-          when :json_body
+          else
             response.status = status
             response.header['Content-Type'] = 'application/json'
+            if realm.present?
+              response.header['WWW-Authenticate'] = "OAuth realm='#{realm}' #{params.collect { |key, value| "#{key}='#{value.to_s}'" }.join(' ')}"
+            end
             response.write params.to_json
           end
           response.finish
         end
       end
 
+      class BadRequest < Error
+        def initialize(error, description = "", options = {})
+          super(400, error, description, options)
+        end
+      end
+
       class Unauthorized < Error
         def initialize(error, description = "", options = {})
           super(401, error, description, options)
         end
       end
 
-      class BadRequest < Error
+      class Forbidden < Error
         def initialize(error, description = "", options = {})
-          super(400, error, description, options)
+          super(403, error, description, options)
         end
       end
 
     end
   end
-end
+end
+
+require 'rack/oauth2/server/error/authorize'
+require 'rack/oauth2/server/error/token'
+require 'rack/oauth2/server/error/resource'

data/lib/rack/oauth2/server/error/authorize.rb

@@ -0,0 +1,54 @@
+module Rack
+  module OAuth2
+    module Server
+      class Error
+        module Authorize
+
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, or is otherwise malformed.",
+            :invalid_client => "The client identifier provided is invalid.",
+            :unauthorized_client => "The client is not authorized to use the requested response type.",
+            :redirect_uri_mismatch => "The redirection URI provided does not match a pre-registered value.",
+            :access_denied => "The end-user or authorization server denied the request.",
+            :unsupported_response_type => "The requested response type is not supported by the authorization server.",
+            :invalid_scope => "The requested scope is invalid, unknown, or malformed."
+          }
+
+          def error!(error, description = nil, options = {})
+            description ||= DEFAULT_DESCRIPTION[error]
+            raise BadRequest.new(error, description, options.merge(:state => state, :redirect_uri => redirect_uri))
+          end
+
+          def invalid_request!(description = nil, options = {})
+            error!(:invalid_request, description, options)
+          end
+      
+          def invalid_client!(description = nil, options = {})
+            error!(:invalid_client, description, options)
+          end
+
+          def unauthorized_client!(description = nil, options = {})
+            error!(:unauthorized_client, description, options)
+          end
+
+          def redirect_uri_mismatch!(description = nil, options = {})
+            error!(:redirect_uri_mismatch, description, options)
+          end
+
+          def access_denied!(description = nil, options = {})
+            error!(:access_denied, description, options)
+          end
+
+          def unsupported_response_type!(description = nil, options = {})
+            error!(:unsupported_response_type, description, options)
+          end
+
+          def invalid_scope!(description = nil, options = {})
+            error!(:invalid_scope, description, options)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/error/resource.rb

@@ -0,0 +1,50 @@
+module Rack
+  module OAuth2
+    module Server
+      class Error
+        module Resource
+
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
+            :invalid_token => "The access token provided is invalid.",
+            :expired_token => "The access token provided has expired.",
+            :insufficient_scope => "The request requires higher privileges than provided by the access token."
+          }
+
+          def error!(error, description = nil, options = {})
+            description ||= DEFAULT_DESCRIPTION[error]
+            options[:realm] = realm
+            exception = case error
+            when :invalid_token, :expired_token
+              Unauthorized
+            when :insufficient_scope
+              Forbidden
+            when :invalid_request
+              BadRequest
+            else
+              raise Error.new(options[:status] || 400, error, description, options)
+            end
+            raise exception.new(error, description, options)
+          end
+
+          def invalid_request!(description = nil, options = {})
+            error!(:invalid_request, description, options)
+          end
+      
+          def invalid_token!(description = nil, options = {})
+            error!(:invalid_token, description, options)
+          end
+
+          def expired_token!(description = nil, options = {})
+            error!(:expired_token, description, options)
+          end
+
+          def insufficient_scope!(description = nil, options = {})
+            error!(:insufficient_scope, description, options)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/error/token.rb

@@ -0,0 +1,59 @@
+module Rack
+  module OAuth2
+    module Server
+      class Error
+        module Token
+
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
+            :invalid_client => "The client identifier provided is invalid, the client failed to authenticate, the client did not include its credentials, provided multiple client credentials, or used unsupported credentials type.",
+            :unauthorized_client => "The authenticated client is not authorized to use the access grant type provided.",
+            :invalid_grant => "The provided access grant is invalid, expired, or revoked (e.g. invalid assertion, expired authorization token, bad end-user password credentials, or mismatching authorization code and redirection URI).",
+            :unsupported_grant_type => "The access grant included - its type or another attribute - is not supported by the authorization server.",
+            :unsupported_response_type => "The requested response type is not supported by the authorization server.",
+            :invalid_scope => "The requested scope is invalid, unknown, malformed, or exceeds the previously granted scope."
+          }
+
+          def error!(error, description = nil, options = {})
+            description ||= DEFAULT_DESCRIPTION[error]
+            exception = if options.delete(:unauthorized)
+              Unauthorized
+            else
+              BadRequest
+            end
+            raise exception.new(error, description, options)
+          end
+
+          def invalid_request!(description = nil, options = {})
+            error!(:invalid_request, description, options)
+          end
+      
+          def invalid_client!(description = nil, options = {})
+            error!(:invalid_client, description, options.merge(:unauthorized => via_authorization_header))
+          end
+
+          def unauthorized_client!(description = nil, options = {})
+            error!(:unauthorized_client, description, options)
+          end
+
+          def invalid_grant!(description = nil, options = {})
+            error!(:invalid_grant, description, options)
+          end
+
+          def unsupported_grant_type!(description = nil, options = {})
+            error!(:unsupported_grant_type, description, options)
+          end
+
+          def unsupported_response_type!(description = nil, options = {})
+            error!(:unsupported_response_type, description, options)
+          end
+
+          def invalid_scope!(description = nil, options = {})
+            error!(:invalid_scope, description, options)
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/resource.rb

@@ -5,13 +5,13 @@ module Rack
     module Server
       class Resource < Abstract::Handler
 
-        def initialize(app, realm=nil, &authenticator)
+        def initialize(app, realm = nil, &authenticator)
           @app = app
           super(realm, &authenticator)
         end
 
         def call(env)
-          request = Request.new(env)
+          request = Request.new(env, realm)
           if request.oauth2?
             authenticate!(request)
             env[ACCESS_TOKEN] = request.access_token
@@ -29,9 +29,13 @@ module Rack
         end
 
         class Request < Rack::Request
+          include Error::Resource
 
-          def initialize(env)
+          attr_accessor :realm
+
+          def initialize(env, realm)
             @env = env
+            @realm = realm
             @auth_header = Rack::Auth::AbstractRequest.new(env)
           end
 
@@ -40,15 +44,14 @@ module Rack
           end
 
           def access_token
-            @access_token ||= case
-            when access_token_in_haeder.present? && access_token_in_payload.blank?
-              access_token_in_haeder
-            when access_token_in_haeder.blank? && access_token_in_payload.present?
-              access_token_in_payload
-            when access_token_in_haeder.present? && access_token_in_payload.present?
-              raise BadRequest.new(:invalid_request, 'Both Authorization header and payload includes oauth_token.', :www_authenticate => true)
-            else
+            tokens = [access_token_in_haeder, access_token_in_payload].compact
+            case Array(tokens).size
+            when 0
               nil
+            when 1
+              tokens.first
+            else
+              invalid_request!('Both Authorization header and payload includes oauth_token.', :realm => realm)
             end
           end
 

data/lib/rack/oauth2/server/token.rb

@@ -1,3 +1,5 @@
+require 'rack/auth/basic'
+
 module Rack
   module OAuth2
     module Server
@@ -11,12 +13,21 @@ module Rack
         end
 
         class Request < Abstract::Request
-          attr_accessor :grant_type, :client_secret
+          include Error::Token
+
+          attr_accessor :grant_type, :client_secret, :via_authorization_header
 
           def initialize(env)
-            super
-            @grant_type    = params['grant_type']
-            @client_secret = params['client_secret']
+            auth = Rack::Auth::Basic::Request.new(env)
+            if auth.provided? && auth.basic?
+              @client_id, @client_secret = auth.credentials
+              @via_authorization_header = true
+              super
+            else
+              super
+              @client_secret = params['client_secret']
+            end
+            @grant_type = params['grant_type']
           end
 
           def required_params
@@ -34,7 +45,7 @@ module Rack
             when 'refresh_token'
               RefreshToken
             else
-              raise BadRequest.new(:unsupported_grant_type, "'#{params['grant_type']}' isn't supported.")
+              unsupported_grant_type!("'#{params['grant_type']}' isn't supported.")
             end
           end