rockoauth 0.1.0

data/example/public/style.css

@@ -0,0 +1,78 @@
+body {
+  font: 16px/1.4 FreeSans, Helvetica, Arial, sans-serif;
+  background: #353e4b;
+}
+
+.sub {
+  width: 640px;
+  margin: 0 auto;
+  padding: 1em 2em;
+}
+
+.header {
+  text-shadow: #23282e 0px -2px 0px;
+}
+
+.header h1 {
+  color: #e5dec7;
+  font-size: 4em;
+  letter-spacing: -0.06em;
+  margin: 0;
+}
+
+.header h2 {
+  color: #b3a784;
+  font-size: 1.5em;
+  font-weight: normal;
+  letter-spacing: -0.06em;
+  margin: 0 0 0.5em;
+}
+
+.content .sub {
+  background: #fff;
+  color: #333;
+  -webkit-border-radius: 16px;
+  -moz-border-radius: 16px;
+  border-radius: 16px;
+}
+
+h3 {
+  color: #888;
+  font-size: 1.5em;
+  font-weight: normal;
+  margin: 0 0 1em;
+}
+
+fieldset {
+  border: none;
+  border-top: 1px solid #ccc;
+  padding: 12px 0 0 0;
+  margin: 12px 0 0 0;
+}
+
+table {
+  border-collapse: collapse;
+}
+
+table th, table td {
+  border-top: 1px solid #eee;
+  padding: 8px 16px;
+}
+
+table th {
+  border-right: 2px solid #ccc;
+  text-align: left;
+}
+
+a {
+  color: #9ba749;
+  font-weight: bold;
+  text-decoration: none;
+}
+
+.footer {
+  font-size: 0.8em;
+  color: #999;
+  text-shadow: #23282e 0px -1px 0px;
+}
+

data/example/schema.rb

@@ -0,0 +1,22 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'rockoauth/provider'
+require 'active_record'
+require File.expand_path('../models/connection', __FILE__)
+
+ActiveRecord::Schema.define do |version|
+  create_table :users, :force => true do |t|
+    t.timestamps
+    t.string :username
+  end
+
+  create_table :notes, :force => true do |t|
+    t.timestamps
+    t.belongs_to :user
+    t.string     :title
+    t.text       :body
+  end
+end
+
+RockOAuth::Model::Schema.up

data/example/views/authorize.erb

@@ -0,0 +1,28 @@
+<h3>Authorize OAuth client</h3>
+
+<p>This application <b><%= @oauth2.client.name %></b> wants the following
+  permissions:</p>
+
+<ul>
+  <% @oauth2.scopes.each do |scope| %>
+    <% next unless PERMISSIONS[scope] %>
+    <li><%= PERMISSIONS[scope] %></li>
+  <% end %>
+</ul>
+
+<form method="post" action="/oauth/allow">
+  <% @oauth2.params.each do |key, value| %>
+    <input type="hidden" name="<%= key %>" value="<%= value %>">
+  <% end %>
+  <input type="hidden" name="user_id" value="<%= @user.id %>">
+
+  <fieldset>
+    <input type="checkbox" name="allow" id="allow" value="1">
+    <label for="allow">Allow this application</label>
+  </fieldset>
+
+  <fieldset>
+    <input type="submit" value="Go!">
+  </fieldset>
+</form>
+

data/example/views/create_user.erb

@@ -0,0 +1,3 @@
+<h3>New User Created</h3>
+
+<p>Your username is: <%= @user.username %></p>

data/example/views/error.erb

@@ -0,0 +1,6 @@
+<h3>Oh noes, an error!</h3>
+
+<p>The application made an invalid OAuth request.</p>
+
+<pre><%= @oauth2.error_description %></pre>
+

data/example/views/home.erb

@@ -0,0 +1,24 @@
+<p>Welcome to the <b>RockOAuth demo</b>. The endpoint you should direct
+  users to is:</p>
+
+<pre>    <%= host %>/oauth/authorize</pre>
+
+<p>This handles both user authorization and token exchange requests. Before you
+can use this though, you&rsquo;ll need to register your application.</p>
+
+<ul>
+  <li><a href="/oauth/apps/new">Register your application</a></li>
+</ul>
+
+<p>This application is a note-taking app. It exposes a JSON API for reading a
+  user&rsquo;s notes, but you need an access token for this. Use the OAuth
+  protocol to get one, or see if you can hack in without permission!</p>
+
+<p>The following resources are available. You&rsquo;ll need to ask the user for
+  the <b><code>read_notes</code></b> permission scope to get at them.</p>
+
+<ul>
+  <li><code>/me</code> &mdash; returns the current user&rsquo;s data</li>
+  <li><code>/users/:username/notes</code></li>
+  <li><code>/users/:username/notes/:note_id</code></li>
+</ul>

data/example/views/layout.erb

@@ -0,0 +1,24 @@
+<!doctype html>
+<html>
+  <head>
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+    <title>OAuth 2.0 demo</title>
+    <link rel="stylesheet" href="/style.css">
+  </head>
+  <body>
+
+    <div class="header"><div class="sub">
+      <h1>OAuth 2.0 demo</h1>
+      <h2>Steal my notes, why don&rsquo;t you</h2>
+    </div></div>
+
+    <div class="content"><div class="sub">
+      <%= yield %>
+    </div></div>
+
+    <div class="footer"><div class="sub">
+      <p>Copyright &copy; 2010 Songkick.com, 2014 Rocketmade.com</p>
+    </div></div>
+
+  </body>
+</html>

data/example/views/login.erb

@@ -0,0 +1,20 @@
+<h3>Sign in</h3>
+
+<p>Who are you? We&rsquo;d ask for a password usually, but seeing as it&rsquo;s
+  <em>you</em>&hellip;</p>
+
+<form method="post" action="/login">
+  <% @oauth2.params.each do |key, value| %>
+    <input type="hidden" name="<%= key %>" value="<%= value %>">
+  <% end %>
+
+  <fieldset>
+    <label for="username">Username</label>
+    <input type="text" name="username" id="username">
+  </fieldset>
+
+  <fieldset>
+    <input type="submit" value="Sign in">
+  </fieldset>
+</form>
+

data/example/views/new_client.erb

@@ -0,0 +1,25 @@
+<h3>Register you application</h3>
+
+<% if @client.errors.any? %>
+  <ul class="errors">
+    <% @client.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<form method="post" action="/oauth/apps">
+  <fieldset>
+    <label for="name">Application name</label>
+    <input type="text" name="name" id="name">
+  </fieldset>
+  <fieldset>
+    <label for="redirect_uri">Callback URI</label>
+    <input type="text" name="redirect_uri" id="redirect_uri">
+  </fieldset>
+
+  <fieldset>
+    <input type="submit" value="Register">
+  </fieldset>
+</form>
+

data/example/views/new_user.erb

@@ -0,0 +1,22 @@
+<h3>Register a User</h3>
+
+<% if @user.errors.any? %>
+  <ul class="errors">
+    <% @user.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<form method="post" action="/users/create">
+  <fieldset>
+    <label for="name">Username</label>
+    <input type="text" name="username" id="username">
+  </fieldset>
+
+  <fieldset>
+    <input type="submit" value="Register">
+  </fieldset>
+</form>
+
+

data/example/views/show_client.erb

@@ -0,0 +1,15 @@
+<h3>Client app: <%= @client.name %></h3>
+
+<table>
+  <tbody>
+    <tr>
+      <th scope="row">client_id</th>
+      <td><%= @client.client_id %></td>
+    </tr>
+    <tr>
+      <th scope="row">client_secret</th>
+      <td><%= @client_secret %></td>
+    </tr>
+  </tbody>
+</table>
+

data/lib/rockoauth/model/authorization.rb

@@ -0,0 +1,132 @@
+module RockOAuth
+  module Model
+
+    class Authorization < ActiveRecord::Base
+      self.table_name = :oauth2_authorizations
+
+      belongs_to :oauth2_resource_owner, :polymorphic => true
+      alias :owner  :oauth2_resource_owner
+      alias :owner= :oauth2_resource_owner=
+
+        belongs_to :client, :class_name => 'RockOAuth::Model::Client'
+
+      validates_presence_of :client, :owner
+
+      validates_uniqueness_of :code,               :scope => :client_id, :allow_nil => true
+      validates_uniqueness_of :refresh_token_hash, :scope => :client_id, :allow_nil => true
+      validates_uniqueness_of :access_token_hash,                        :allow_nil => true
+
+      class << self
+        private :create, :new
+      end
+
+      extend Hashing
+      hashes_attributes :access_token, :refresh_token
+
+      def self.create_code(client)
+        RockOAuth.generate_id do |code|
+          Helpers.count(client.authorizations, :code => code).zero?
+        end
+      end
+
+      def self.create_access_token
+        RockOAuth.generate_id do |token|
+          hash = RockOAuth.hashify(token)
+          Helpers.count(self, :access_token_hash => hash).zero?
+        end
+      end
+
+      def self.create_refresh_token(client)
+        RockOAuth.generate_id do |refresh_token|
+          hash = RockOAuth.hashify(refresh_token)
+          Helpers.count(client.authorizations, :refresh_token_hash => hash).zero?
+        end
+      end
+
+      def self.for(owner, client, attributes = {})
+        return nil unless owner and client
+
+        unless client.is_a?(Client)
+          raise ArgumentError, "The argument should be a #{Client}, instead it was a #{client.class}"
+        end
+
+        instance = owner.oauth2_authorization_for(client) ||
+          new do |authorization|
+          authorization.owner  = owner
+          authorization.client = client
+        end
+
+        case attributes[:response_type]
+        when CODE
+          instance.code ||= create_code(client)
+        when TOKEN
+          instance.access_token  ||= create_access_token
+          instance.refresh_token ||= create_refresh_token(client)
+        when CODE_AND_TOKEN
+          instance.code = create_code(client)
+          instance.access_token  ||= create_access_token
+          instance.refresh_token ||= create_refresh_token(client)
+        end
+
+        if attributes[:duration]
+          instance.expires_at = Time.now + attributes[:duration].to_i
+        else
+          instance.expires_at = nil
+        end
+
+        scopes = instance.scopes + (attributes[:scopes] || [])
+        scopes += attributes[:scope].split(/\s+/) if attributes[:scope]
+        instance.scope = scopes.empty? ? nil : scopes.entries.join(' ')
+
+        instance.save && instance
+
+      rescue Object => error
+        if Model.duplicate_record_error?(error)
+          retry
+        else
+          raise error
+        end
+      end
+
+      def exchange!
+        self.code          = nil
+        self.access_token  = self.class.create_access_token
+        self.refresh_token = nil
+        save!
+      end
+
+      def expired?
+        return false unless expires_at
+        expires_at < Time.now
+      end
+
+      def expires_in
+        expires_at && (expires_at - Time.now).ceil
+      end
+
+      def generate_code
+        self.code ||= self.class.create_code(client)
+        save && code
+      end
+
+      def generate_access_token
+        self.access_token ||= self.class.create_access_token
+        save && access_token
+      end
+
+      def grants_access?(user, *scopes)
+        not expired? and user == owner and in_scope?(scopes)
+      end
+
+      def in_scope?(request_scope)
+        [*request_scope].all?(&scopes.method(:include?))
+      end
+
+      def scopes
+        scopes = scope ? scope.split(/\s+/) : []
+        Set.new(scopes)
+      end
+    end
+
+  end
+end

data/lib/rockoauth/model/client.rb

@@ -0,0 +1,54 @@
+module RockOAuth
+  module Model
+
+    class Client < ActiveRecord::Base
+      self.table_name = :oauth2_clients
+
+      belongs_to :oauth2_client_owner, :polymorphic => true
+      alias :owner  :oauth2_client_owner
+      alias :owner= :oauth2_client_owner=
+
+        has_many :authorizations, :class_name => 'RockOAuth::Model::Authorization', :dependent => :destroy
+
+      validates_uniqueness_of :client_id, :name
+      validates_presence_of   :name, :redirect_uri
+      validate :check_format_of_redirect_uri
+
+      before_create :generate_credentials
+
+      def self.create_client_id
+        RockOAuth.generate_id do |client_id|
+          Helpers.count(self, :client_id => client_id).zero?
+        end
+      end
+
+      attr_reader :client_secret
+
+      def client_secret=(secret)
+        @client_secret = secret
+        hash = BCrypt::Password.create(secret)
+        hash.force_encoding('UTF-8') if hash.respond_to?(:force_encoding)
+        self.client_secret_hash = hash
+      end
+
+      def valid_client_secret?(secret)
+        BCrypt::Password.new(client_secret_hash) == secret
+      end
+
+      private
+
+      def check_format_of_redirect_uri
+        uri = URI.parse(redirect_uri)
+        errors.add(:redirect_uri, 'must be an absolute URI') unless uri.absolute?
+      rescue
+        errors.add(:redirect_uri, 'must be a URI')
+      end
+
+      def generate_credentials
+        self.client_id = self.class.create_client_id
+        self.client_secret = RockOAuth.random_string
+      end
+    end
+
+  end
+end

data/lib/rockoauth/model/client_owner.rb

@@ -0,0 +1,13 @@
+module RockOAuth
+  module Model
+
+    module ClientOwner
+      def self.included(klass)
+        klass.has_many :oauth2_clients,
+        :class_name => 'RockOAuth::Model::Client',
+        :as => :oauth2_client_owner
+      end
+    end
+
+  end
+end

data/lib/rockoauth/model/hashing.rb

@@ -0,0 +1,26 @@
+module RockOAuth
+  module Model
+
+    module Hashing
+      def hashes_attributes(*attributes)
+        attributes.each do |attribute|
+          define_method("#{attribute}=") do |value|
+            instance_variable_set("@#{attribute}", value)
+            __send__("#{attribute}_hash=", value && RockOAuth.hashify(value))
+          end
+          attr_reader attribute
+        end
+
+        class_eval <<-RUBY
+            def reload(*args)
+              super
+              #{ attributes.inspect }.each do |attribute|
+              instance_variable_set('@' + attribute.to_s, nil)
+            end
+          end
+          RUBY
+        end
+      end
+
+    end
+  end

data/lib/rockoauth/model/helpers.rb

@@ -0,0 +1,14 @@
+module RockOAuth
+  module Model
+
+    module Helpers
+      def self.count(model, conditions={})
+        if model.respond_to?(:where)
+          model.where(conditions).count
+        else
+          model.count(:conditions => conditions)
+        end
+      end
+    end
+  end
+end

data/lib/rockoauth/model/resource_owner.rb

@@ -0,0 +1,22 @@
+module RockOAuth
+  module Model
+
+    module ResourceOwner
+      def self.included(klass)
+        klass.has_many :oauth2_authorizations,
+        :class_name => Authorization.name,
+        :as => :oauth2_resource_owner,
+        :dependent => :destroy
+      end
+
+      def grant_access!(client, options = {})
+        Authorization.for(self, client, options)
+      end
+
+      def oauth2_authorization_for(client)
+        oauth2_authorizations.find_by_client_id(client.id)
+      end
+    end
+
+  end
+end

data/lib/rockoauth/model.rb

@@ -0,0 +1,38 @@
+require 'active_record'
+
+module RockOAuth
+  module Model
+    autoload :Helpers,       ROOT + '/model/helpers'
+    autoload :ClientOwner,   ROOT + '/model/client_owner'
+    autoload :ResourceOwner, ROOT + '/model/resource_owner'
+    autoload :Hashing,       ROOT + '/model/hashing'
+    autoload :Authorization, ROOT + '/model/authorization'
+    autoload :Client,        ROOT + '/model/client'
+
+    Schema = RockOAuth::Schema
+
+    DUPLICATE_RECORD_ERRORS = [
+                               /^Mysql::Error:\s+Duplicate\s+entry\b/,
+                               /^PG::Error:\s+ERROR:\s+duplicate\s+key\b/,
+                               /\bConstraintException\b/
+                              ]
+
+    # ActiveRecord::RecordNotUnique was introduced in Rails 3.0 so referring
+    # to it while running earlier versions will raise an error. The above
+    # error strings should match PostgreSQL, MySQL and SQLite errors on
+    # Rails 2. If you're running a different adapter, add a suitable regex to
+    # the list:
+    #
+    #     RockOAuth::Model::DUPLICATE_RECORD_ERRORS << /DB2 found a dup/
+    #
+    def self.duplicate_record_error?(error)
+      error.class.name == 'ActiveRecord::RecordNotUnique' or
+        DUPLICATE_RECORD_ERRORS.any? { |re| re =~ error.message }
+    end
+
+    def self.find_access_token(access_token)
+      return nil if access_token.nil?
+      Authorization.find_by_access_token_hash(RockOAuth.hashify(access_token))
+    end
+  end
+end

data/lib/rockoauth/provider/access_token.rb

@@ -0,0 +1,70 @@
+module RockOAuth
+  class Provider
+
+    class AccessToken
+      attr_reader :authorization
+
+      def initialize(resource_owner = nil, scopes = [], access_token = nil, error = nil)
+        @resource_owner = resource_owner
+        @scopes         = scopes
+        @access_token   = access_token
+        @error          = error && INVALID_REQUEST
+
+        authorize!(access_token, error)
+        validate!
+      end
+
+      def client
+        valid? ? @authorization.client : nil
+      end
+
+      def owner
+        valid? ? @authorization.owner : nil
+      end
+
+      def response_headers
+        return {} if valid?
+        error_message =  "OAuth realm='#{ Provider.realm }'"
+        error_message << ", error='#{ @error }'" unless @error == ''
+        {'WWW-Authenticate' => error_message}
+      end
+
+      def response_status
+        case @error
+        when INVALID_REQUEST, INVALID_TOKEN, EXPIRED_TOKEN then 401
+        when INSUFFICIENT_SCOPE                            then 403
+        when ''                                            then 401
+        else 200
+        end
+      end
+
+      def valid?
+        @error.nil?
+      end
+
+      private
+
+      def authorize!(access_token, error)
+        return unless @authorization = Model.find_access_token(access_token)
+        @authorization.update_attribute(:access_token, nil) if error
+      end
+
+      def validate!
+        return @error = ''                 unless @access_token
+        return @error = INVALID_TOKEN      unless @authorization
+        return @error = EXPIRED_TOKEN      if @authorization.expired?
+        return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
+
+        case @resource_owner
+        when :implicit
+          # no error
+        when nil
+          @error = INVALID_TOKEN
+        else
+          @error = INSUFFICIENT_SCOPE if @authorization.owner != @resource_owner
+        end
+      end
+    end
+
+  end
+end