rack-oauth2 0.3.0 → 0.3.1

data/README.rdoc

@@ -2,8 +2,8 @@
 
 Rack Middleware for OAuth2. Currently support only Server/Provider, not Client/Consumer.
 
-This gem is based on OAuth 2.0 draft v.10
-http://tools.ietf.org/html/draft-ietf-oauth-v2-10
+This gem is based on OAuth 2.0 draft v.13
+http://tools.ietf.org/html/draft-ietf-oauth-v2-13
 
 == Installation
 
@@ -16,27 +16,13 @@ http://tools.ietf.org/html/draft-ietf-oauth-v2-10
 * Report Issues on GitHub (http://github.com/nov/rack-oauth2/issues)
 * Facebook Page (http://www.facebook.com/pages/RackOAuth2/141477809244105)
 
-== Usage
+== Sample Application (Rails3)
 
-=== Rails
+Running on Heroku
+http://rack-oauth2-sample.heroku.com
 
-==== Resource Owner Authorization & Token Endpoint
-
-http://gist.github.com/584594
-
-==== Protected Resource Middleware Setting
-
-http://gist.github.com/584565
-
-=== Sinatra
-
-==== Resource Owner Authorization Endpoint
-
-http://gist.github.com/584595
-
-==== Token Endpoint
-
-http://gist.github.com/584574
+Source on GitHub
+http://github.com/nov/rack-oauth2-sample
 
 == Note on Patches/Pull Requests
  

data/VERSION

@@ -1 +1 @@
-0.3.0
+0.3.1

data/lib/rack/oauth2/server/authorize/error.rb

@@ -33,7 +33,7 @@ module Rack
             DEFAULT_DESCRIPTION.each do |error, default_description|
               klass.class_eval <<-ERROR
                 def #{error}!(description = "#{default_description}", options = {})
-                  bad_request! :#{error}, description, options.merge(:redirect => true)
+                  bad_request! :#{error}, description, options
                 end
               ERROR
             end
@@ -48,7 +48,7 @@ module Rack
               :fragment
             end
             exception.state = state
-            exception.redirect_uri = redirect_uri if options[:redirect]
+            exception.redirect_uri = verified_redirect_uri
             raise exception
           end
         end

data/lib/rack/oauth2/server/authorize.rb

@@ -12,6 +12,7 @@ module Rack
         class Request < Abstract::Request
           attr_required :response_type
           attr_optional :redirect_uri, :state
+          attr_reader :verified_redirect_uri
 
           def initialize(env)
             super
@@ -34,13 +35,17 @@ module Rack
             end
           end
 
-          def varified_redirect_uri(pre_registered)
-            verified = if redirect_uri.present? && Util.verify_redirect_uri(pre_registered, redirect_uri)
-              redirect_uri
+          def verify_redirect_uri!(pre_registered)
+            @verified_redirect_uri = if redirect_uri.present?
+              if Util.uri_match?(pre_registered, redirect_uri)
+                redirect_uri
+              else
+                bad_request!
+              end
             else
-              self.redirect_uri = pre_registered
+              pre_registered
             end
-            verified.to_s
+            self.verified_redirect_uri.to_s
           end
         end
 

data/lib/rack/oauth2/server/util.rb

@@ -31,14 +31,14 @@ module Rack
             redirect_uri.to_s
           end
 
-          def verify_redirect_uri(registered, given)
-            registered = parse_uri(registered)
+          def uri_match?(base, given)
+            base = parse_uri(base)
             given = parse_uri(given)
-            registered.path = '/' if registered.path.blank?
+            base.path = '/' if base.path.blank?
             given.path = '/' if given.path.blank?
             [:scheme, :host, :port].all? do |key|
-              registered.send(key) == given.send(key)
-            end && /^#{registered.path}/ =~ given.path
+              base.send(key) == given.send(key)
+            end && /^#{base.path}/ =~ given.path
           rescue
             false
           end

data/spec/rack/oauth2/server/authorize/code_spec.rb

@@ -41,6 +41,7 @@ describe Rack::OAuth2::Server::Authorize::Code do
   context 'when denied' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
+        request.verify_redirect_uri! redirect_uri
         request.access_denied!
       end
     end

data/spec/rack/oauth2/server/authorize/token_spec.rb

@@ -66,6 +66,7 @@ describe Rack::OAuth2::Server::Authorize::Token do
   context 'when denied' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
+        request.verify_redirect_uri! redirect_uri
         request.access_denied!
       end
     end

data/spec/rack/oauth2/server/authorize_spec.rb

@@ -50,21 +50,23 @@ describe Rack::OAuth2::Server::Authorize do
     describe '#varified_redirect_uri' do
       context 'when valid redirect_uri is given' do
         it 'should use given redirect_uri' do
-          request.varified_redirect_uri(pre_registered).should == redirect_uri
+          request.verify_redirect_uri!(pre_registered).should == redirect_uri
         end
       end
 
       context 'when invalid redirect_uri is given' do
         let(:pre_registered) { 'http://client2.example.com' }
-        it 'should use pre-registered redirect_uri' do
-          request.varified_redirect_uri(pre_registered).should == pre_registered
+        it do
+          expect do
+            request.verify_redirect_uri!(pre_registered).should == pre_registered
+          end.should raise_error Rack::OAuth2::Server::Authorize::BadRequest
         end
       end
 
       context 'when redirect_uri is missing' do
         let(:env) { Rack::MockRequest.env_for("/authorize?client_id=client") }
         it 'should use pre-registered redirect_uri' do
-          request.varified_redirect_uri(pre_registered).should == pre_registered
+          request.verify_redirect_uri!(pre_registered).should == pre_registered
         end
       end
     end

data/spec/rack/oauth2/server/util_spec.rb

@@ -60,27 +60,27 @@ describe Rack::OAuth2::Server::Util do
     end
   end
 
-  describe '.verify_redirect_uri' do
+  describe '.uri_match?' do
     context 'when invalid URI is given' do
       it do
-        util.verify_redirect_uri('::', '::').should be_false
-        util.verify_redirect_uri(123, 'http://client.example.com/other').should be_false
-        util.verify_redirect_uri('http://client.example.com/other', nil).should be_false
+        util.uri_match?('::', '::').should be_false
+        util.uri_match?(123, 'http://client.example.com/other').should be_false
+        util.uri_match?('http://client.example.com/other', nil).should be_false
       end
     end
 
     context 'when exactry same' do
-      it { util.verify_redirect_uri(uri, uri).should be_true }
+      it { util.uri_match?(uri, uri).should be_true }
     end
 
     context 'when path prefix matches' do
-      it { util.verify_redirect_uri(uri, "#{uri}/deep_path").should be_true }
+      it { util.uri_match?(uri, "#{uri}/deep_path").should be_true }
     end
 
     context 'otherwise' do
       it do
-        util.verify_redirect_uri(uri, 'http://client.example.com/other').should be_false
-        util.verify_redirect_uri(uri, 'http://attacker.example.com/callback').should be_false
+        util.uri_match?(uri, 'http://client.example.com/other').should be_false
+        util.uri_match?(uri, 'http://attacker.example.com/callback').should be_false
       end
     end
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack-oauth2
 version: !ruby/object:Gem::Version 
-  hash: 19
+  hash: 17
   prerelease: 
   segments: 
   - 0
   - 3
-  - 0
-  version: 0.3.0
+  - 1
+  version: 0.3.1
 platform: ruby
 authors: 
 - nov matake
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-06 00:00:00 +09:00
+date: 2011-03-07 00:00:00 +09:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency