rails_api_auth 0.0.6 → 0.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 584f55bb7244f72b626eeb8f43820e254f59ba68
-  data.tar.gz: c4ef92cac5e776a2c7ca94e08c9162b744fb97f0
+  metadata.gz: 643e8f86cbe69072c9b057c1dae39e24fd49982d
+  data.tar.gz: ad2a2f90465fbeed37877dde1f758d5bf4ff7f77
 SHA512:
-  metadata.gz: 4f5cc6e933c27e602bb355697477228c18a64072b056211168c0152ae1150491a35d4a19337d296acc68625e0a97465dab141125d26b04982ce8cf4facda64cb
-  data.tar.gz: d9a311da8ce1eaf373620cad07f6dd161fedf98df6f174b30aa1d95e09584c03a0e689e1d29e5c4a91e9b64376b2a9c1159bc590faa0d23c4829e3d37c1c31b4
+  metadata.gz: '0589164744d500bf57b6cd115e617bab91b1929e036b2fc0889330dd9f2548fa12341b701119ead95eec6c274f5edb23cc75aa1b00e79bb0035ebf6efa1195b9'
+  data.tar.gz: a0d1c552c7081eb31516b95b719938563f55f4688bec551878a66d78db096075d9df5c30d1576be4a82df68116392fca076a44d8f9864bdfd27d77ec6099c9b3

data/README.md

@@ -156,9 +156,15 @@ RailsApiAuth.tap do |raa|
   raa.facebook_redirect_uri = '<your Facebook app redirect uri>'
 
   # Google configurations
-  raa.google_client_id = '<your Google client id>'
+  raa.google_client_id     = '<your Google client id>'
   raa.google_client_secret = '<your Google client secret>'
-  raa.google_redirect_uri = '<your app redirect uri>'
+  raa.google_redirect_uri  = '<your app redirect uri>'
+
+  # Edx configurations
+  raa.edx_client_id     = '<your Edx client id>'
+  raa.edx_client_secret = '<your Edx client secret>'
+  raa.edx_domain        = '<your Edx app domain>'
+  raa.edx_redirect_uri  = 'your Edx app redirect uri'
 
   # Force SSL for Oauth2Controller; defaults to `false` for the development environment, otherwise `true`
   raa.force_ssl = false
@@ -166,9 +172,26 @@ end
 
 ```
 
+### A note on Edx Oauth2 code flows
+
+It is nesescary to include the Edx username in the request when making a call
+rails_api_auth call /token. When rails_api_auth interfaces with Edx's
+user api, the username is need to retrieve user data, not just a valid
+oauth2 token.
+
+E.g.
+
+```ruby
+headers = {
+  username: "alice",
+  auth_code: "alices_authorization_code",
+  grant_type: "edx_auth_code"
+}
+```
+
 ## Contribution
 
-See [CONTRIBUTING](https://github.com/simplabs/rails_api_auth/blob/master/CONTRIBUTING).
+See [CONTRIBUTING](https://github.com/simplabs/rails_api_auth/blob/master/CONTRIBUTING.md).
 
 ## License
 

data/app/controllers/oauth2_controller.rb

@@ -7,6 +7,7 @@ class Oauth2Controller < ApplicationController
 
   force_ssl if: -> { RailsApiAuth.force_ssl }
 
+  # rubocop:disable MethodLength
   def create
     case params[:grant_type]
     when 'password'
@@ -15,11 +16,14 @@ class Oauth2Controller < ApplicationController
       authenticate_with_facebook(params[:auth_code])
     when 'google_auth_code'
       authenticate_with_google(params[:auth_code])
+    when 'edx_auth_code'
+      authenticate_with_edx(params[:username], params[:auth_code])
     else
       oauth2_error('unsupported_grant_type')
     end
   end
 
+  # rubocop:enable MethodLength
   def destroy
     oauth2_error('unsupported_token_type') && return unless params[:token_type_hint] == 'access_token'
 
@@ -48,7 +52,7 @@ class Oauth2Controller < ApplicationController
 
       render json: { access_token: login.oauth2_token }
     rescue FacebookAuthenticator::ApiError
-      render nothing: true, status: 502
+      head 502
     end
 
     def authenticate_with_google(auth_code)
@@ -58,7 +62,18 @@ class Oauth2Controller < ApplicationController
 
       render json: { access_token: login.oauth2_token }
     rescue GoogleAuthenticator::ApiError
-      render nothing: true, status: 502
+      head 502
+    end
+
+    def authenticate_with_edx(username, auth_code)
+      oauth2_error('no_authorization_code') && return unless auth_code.present?
+      oauth2_error('no_username') && return unless username.present?
+
+      login = EdxAuthenticator.new(username, auth_code).authenticate!
+
+      render json: { access_token: login.oauth2_token }
+    rescue EdxAuthenticator::ApiError
+      head 502
     end
 
     def oauth2_error(error)

data/app/services/edx_authenticator.rb

@@ -0,0 +1,72 @@
+require 'httparty'
+
+# Handles Edx authentication
+#
+# @!visibility private
+class EdxAuthenticator < BaseAuthenticator
+
+  PROVIDER    = 'edx'.freeze
+  DOMAIN      = 'http://' + RailsApiAuth.edx_domain
+  TOKEN_URL   = (DOMAIN + '/oauth2/access_token').freeze
+  PROFILE_URL = (DOMAIN + '/api/user/v1/accounts/%{username}').freeze
+
+  def initialize(username, auth_code)
+    @auth_code = auth_code
+    @username  = username
+  end
+
+  private
+
+    def connect_login_to_account(login, user)
+      login.update_attributes!(uid: user[:username], provider: PROVIDER)
+    end
+
+    def create_login_from_account(user)
+      login_attributes = {
+        identification: user[:email],
+        uid: user[:username],
+        provider: PROVIDER
+      }
+      Login.create!(login_attributes)
+    end
+
+    def access_token
+      response = HTTParty.post(TOKEN_URL, token_options)
+      response.parsed_response['access_token']
+    end
+
+    # Override base authenticator
+    def get_request(url, headers)
+      response = HTTParty.get(url, headers: headers)
+      unless response.code == 200
+        Rails.logger.warn "#{self.class::PROVIDER} API request failed with status #{response.code}."
+        Rails.logger.debug "#{self.class::PROVIDER} API error response was:\n#{response.body}"
+        raise ApiError.new
+      end
+      response
+    end
+
+    def get_user(access_token)
+      headers = { 'Authorization' => "Bearer #{access_token}" }
+      @edx_user ||= begin
+        get_request(user_url, headers).parsed_response.symbolize_keys
+      end
+    end
+
+    def user_url
+      PROFILE_URL % { username: @username }
+    end
+
+    def token_options
+      @token_options ||= {
+        body: {
+          code: @auth_code,
+          client_id: RailsApiAuth.edx_client_id,
+          client_secret: RailsApiAuth.edx_client_secret,
+          redirect_uri: RailsApiAuth.edx_redirect_uri,
+          grant_type: 'authorization_code'
+        }
+      }
+    end
+
+end

data/lib/rails_api_auth.rb

@@ -36,6 +36,22 @@ module RailsApiAuth
   # The Google App's redirect URI.
   mattr_accessor :google_redirect_uri
 
+  # @!attribute [rw] edx_client_id
+  # The Edx client ID.
+  mattr_accessor :edx_client_id
+
+  # @!attribute [rw] edx_client_secret
+  # The Edx client secret.
+  mattr_accessor :edx_client_secret
+
+  # @!attribute [rw] edx_redirect_uri
+  # The Edx App's redirect URI.
+  mattr_accessor :edx_redirect_uri
+
+  # @!attribute [rw] edx_domain
+  # The domain used for the Edx oauth2 provider
+  mattr_accessor :edx_domain
+
   # @!attribute [rw] primary_key_type
   # Configures database column type used for primary keys,
   # currently only accepts :uuid

data/lib/rails_api_auth/version.rb

@@ -1,5 +1,5 @@
 module RailsApiAuth
 
-  VERSION = '0.0.6'.freeze
+  VERSION = '0.0.7'.freeze
 
 end

data/spec/dummy/app/controllers/access_once_controller.rb

@@ -2,10 +2,18 @@ class AccessOnceController < ApplicationController
 
   include RailsApiAuth::Authentication
 
-  before_filter :consume_single_use_oauth2_token!
+  if Rails::VERSION::MAJOR < 4
+    before_filter :consume_single_use_oauth2_token!
+  else
+    before_action :consume_single_use_oauth2_token!
+  end
 
   def index
-    render text: 'zuper content', status: 200
+    if Rails::VERSION::MAJOR < 4
+      render text: 'zuper content', status: 200
+    else
+      render plain: 'zuper content', status: 200
+    end
   end
 
 end

data/spec/dummy/app/controllers/authenticated_controller.rb

@@ -2,10 +2,18 @@ class AuthenticatedController < ApplicationController
 
   include RailsApiAuth::Authentication
 
-  before_filter :authenticate!
+  if Rails::VERSION::MAJOR < 4
+    before_filter :authenticate!
+  else
+    before_action :authenticate!
+  end
 
   def index
-    render text: 'zuper content', status: 200
+    if Rails::VERSION::MAJOR < 4
+      render text: 'zuper content', status: 200
+    else
+      render plain: 'zuper content', status: 200
+    end
   end
 
 end

data/spec/dummy/app/controllers/custom_authenticated_controller.rb

@@ -2,10 +2,18 @@ class CustomAuthenticatedController < ApplicationController
 
   include RailsApiAuth::Authentication
 
-  before_filter :authenticate_with_account!
+  if Rails::VERSION::MAJOR < 4
+    before_filter :authenticate_with_account!
+  else
+    before_action :authenticate_with_account!
+  end
 
   def index
-    render text: 'zuper content', status: 200
+    if Rails::VERSION::MAJOR < 4
+      render text: 'zuper content', status: 200
+    else
+      render plain: 'zuper content', status: 200
+    end
   end
 
   private

data/spec/dummy/config/application.rb

@@ -2,6 +2,7 @@ require File.expand_path('../boot', __FILE__)
 
 require 'active_record/railtie'
 require 'action_controller/railtie'
+require 'sprockets/railtie'
 
 Bundler.require(*Rails.groups)
 

data/spec/dummy/config/environments/production.rb

@@ -22,7 +22,11 @@ Dummy::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  config.serve_static_files = ENV['RAILS_SERVE_STATIC_FILES'].present?
+  if Rails::VERSION::MAJOR < 5
+    config.serve_static_files = ENV['RAILS_SERVE_STATIC_FILES'].present?
+  else
+    config.public_file_server.enabled = false
+  end
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor = :uglifier

data/spec/dummy/config/environments/test.rb

@@ -13,8 +13,13 @@ Dummy::Application.configure do
   config.eager_load = false
 
   # Configure static file server for tests with Cache-Control for performance.
-  config.serve_static_files   = true
-  config.static_cache_control = 'public, max-age=3600'
+  if Rails::VERSION::MAJOR < 5
+    config.serve_static_files   = true
+    config.static_cache_control = 'public, max-age=3600'
+  else
+    config.public_file_server.enabled = true
+    config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
+  end
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true

data/spec/dummy/config/initializers/rails_api_auth.rb

@@ -8,4 +8,9 @@ RailsApiAuth.tap do |raa|
   raa.google_client_id = 'google_client_id'
   raa.google_client_secret = 'google_client_secret'
   raa.google_redirect_uri = 'google_redirect_uri'
+
+  raa.edx_client_id     = 'edx_client_id'
+  raa.edx_client_secret = 'edx_client_secret'
+  raa.edx_domain        = 'edxdomain.org'
+  raa.edx_redirect_uri  = 'edx_redirect_uri'
 end

data/spec/models/login_spec.rb

@@ -7,8 +7,8 @@ describe Login do
 
   describe 'validations' do
     before do
-      Login.any_instance.stub(:ensure_oauth2_token).and_return(true)
-      Login.any_instance.stub(:assign_single_use_oauth2_token).and_return(true)
+      allow_any_instance_of(Login).to receive(:ensure_oauth2_token).and_return(true)
+      allow_any_instance_of(Login).to receive(:assign_single_use_oauth2_token).and_return(true)
     end
 
     it { is_expected.to validate_presence_of(:identification) }

data/spec/requests/access_once_spec.rb

@@ -1,5 +1,11 @@
 describe 'an access-once route' do
-  subject { get '/access-once', {}, headers }
+  if Rails::VERSION::MAJOR < 5
+    # rubocop:disable Rails/HttpPositionalArguments
+    subject { get '/access-once', {}, headers }
+    # rubocop:enable Rails/HttpPositionalArguments
+  else
+    subject { get '/access-once', params: {}, headers: headers }
+  end
 
   let(:login) { create(:login) }
   let(:headers) do
@@ -52,7 +58,13 @@ describe 'an access-once route' do
 
   context 'when accessed a second time with the same token' do
     before do
-      get '/access-once', {}, headers
+      if Rails::VERSION::MAJOR < 5
+        # rubocop:disable Rails/HttpPositionalArguments
+        get '/access-once', {}, headers
+        # rubocop:enable Rails/HttpPositionalArguments
+      else
+        get '/access-once', params: {}, headers: headers
+      end
     end
 
     it_behaves_like 'when access is not allowed'

data/spec/requests/authenticated_spec.rb

@@ -1,5 +1,11 @@
 describe 'an authenticated route' do
-  subject { get '/authenticated', {}, headers }
+  if Rails::VERSION::MAJOR < 5
+    # rubocop:disable Rails/HttpPositionalArguments
+    subject { get '/authenticated', {}, headers }
+    # rubocop:enable Rails/HttpPositionalArguments
+  else
+    subject { get '/authenticated', params: {}, headers: headers }
+  end
 
   let(:headers) { {} }
 

data/spec/requests/custom_authenticated_spec.rb

@@ -1,11 +1,20 @@
 describe 'a custom authenticated route' do
-  subject { get '/custom-authenticated', {}, headers }
+  if Rails::VERSION::MAJOR < 5
+    # rubocop:disable Rails/HttpPositionalArguments
+    subject { get '/custom-authenticated', {}, headers }
+    # rubocop:enable Rails/HttpPositionalArguments
+    let(:headers) do
+      { 'Authorization' => "Bearer #{login.oauth2_token}" }
+    end
+  else
+    subject { get '/custom-authenticated', params: {}, headers: headers }
+    let(:headers) do
+      { HTTP_AUTHORIZATION: "Bearer #{login.oauth2_token}" }
+    end
+  end
 
   let(:account) { create(:account) }
   let(:login)   { create(:login, account: account) }
-  let(:headers) do
-    { 'Authorization' => "Bearer #{login.oauth2_token}" }
-  end
 
   context 'when the block returns true' do
     let(:account) { create(:account, first_name: 'user x') }

data/spec/requests/oauth2_spec.rb

@@ -3,7 +3,13 @@ describe 'Oauth2 API' do
 
   describe 'POST /token' do
     let(:params) { { grant_type: 'password', username: login.identification, password: login.password } }
-    subject { post '/token', params, 'HTTPS' => ssl }
+    if Rails::VERSION::MAJOR < 5
+      # rubocop:disable Rails/HttpPositionalArguments
+      subject { post '/token', params, 'HTTPS' => ssl }
+      # rubocop:enable Rails/HttpPositionalArguments
+    else
+      subject { post '/token', params: params, headers: { 'HTTPS' => ssl } }
+    end
 
     shared_examples 'when the request gets through' do
       context 'for grant_type "password"' do
@@ -68,6 +74,21 @@ describe 'Oauth2 API' do
         include_examples 'oauth2 shared contexts'
       end
 
+      context 'for grant_type "edx_auth_code"' do
+        let(:authenticated_user_data) do
+          {
+            username: 'user',
+            email: email
+          }
+        end
+        let(:uid_mapped_field) { 'username' }
+        let(:grant_type) { 'edx_auth_code' }
+        let(:profile_url) { EdxAuthenticator::PROFILE_URL }
+
+        include_context 'stubbed edx requests'
+        include_examples 'oauth2 edx shared contexts'
+      end
+
       context 'for an unknown grant type' do
         let(:params) { { grant_type: 'UNKNOWN' } }
 
@@ -126,7 +147,16 @@ describe 'Oauth2 API' do
 
   describe 'POST #destroy' do
     let(:params) { { token_type_hint: 'access_token', token: login.oauth2_token } }
-    subject { post '/revoke', params, 'HTTPS' => ssl }
+
+    if Rails::VERSION::MAJOR < 5
+      # rubocop:disable Rails/HttpPositionalArguments
+      subject { get '/access-once', {}, headers }
+      subject { post '/revoke', params, 'HTTPS' => ssl }
+      # rubocop:enable Rails/HttpPositionalArguments
+    else
+      subject { get '/access-once', params: {}, headers: headers }
+      subject { post '/revoke', params: params, headers: { 'HTTPS' => ssl } }
+    end
 
     shared_examples 'when the request gets through' do
       it 'responds with status 200' do