rodauth-oauth 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cea0f9a4896e57d535c2ef73eff0c1a9e6b4e25f4d53740c65171b8c098a8ac1
-  data.tar.gz: 96f78feb4157d6f940700fe658b7817b95bd79b61a6f02b9cc530947512a8ff0
+  metadata.gz: 21325edd12e5fc3ded38294dccf9200497df7bf2ecf72e5e90b5faa0f44c76b6
+  data.tar.gz: 5bd3e791aa77e4702763207fd60640db7c42e3c05d764cff5e56fab17df982b8
 SHA512:
-  metadata.gz: 3b2bc30f8793a0ae0ef8a48b46fcd896494d6a941e57e66481d8b8197424c5a6da80761237e26b4eb70acf73ae933be40484d7ca06cf5191790ee83b62eb7411
-  data.tar.gz: 7a1cb3061c3eb9c271b04c35e970306a96018a40408c63c5fd5c815d62f3b4bfdf8c84f32c6947015c8a99a810a8cc904a1f6e10ca3f9eba842ec8575f975a11
+  metadata.gz: 65614673a89008e8a23fd2f3e14617ea6b66eccc5dfad930f6d0205f591077dfb9132ec9927d3a8dce5e313b9310d024aee9761c5a3e9cc0d9cffe4b3e089851
+  data.tar.gz: 97b00f5c89429b79afe5403e2a6ee792611d6f121f6c6ae72582c15c4654daeebeddb3e7348c539e22e7664e886e00feb67df257ed308544bbfe3a4cb53b194e

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # CHANGELOG
 
+## master
+
+## 0.0.2
+
+### Features
+
+* Implementation of PKCE by OAuth Public Clients (https://tools.ietf.org/html/rfc7636);
+* Implementation of grants using "access_type" and "approval_prompt" ([similar to what Google OAuth 2.0 API does](https://wiki.scn.sap.com/wiki/display/Security/Access+Google+APIs+using+the+OAuth+2.0+Client+API));
+
+### Improvements
+
+* Store token/refresh token hashes in the database, instead of the "plain" tokens;
+* Client secret hashed by default, and provided by the application owner;
+
+### Fix
+
+* usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
+
 ## 0.0.1
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.

data/README.md

@@ -3,7 +3,7 @@
 [![pipeline status](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/pipeline.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
 [![coverage report](https://gitlab.com/honeyryderchuck/rodauth-oauth/badges/master/coverage.svg)](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/commits/master)
 
-This is an extension to the `rodauth` gem which adds support for the [OAuth 2.0 protocol](https://tools.ietf.org/html/rfc6749).
+This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framework](https://tools.ietf.org/html/rfc6749) for an authorization server.
 
 ## Features
 
@@ -15,6 +15,7 @@ This gem implements:
   * [Access Token refresh](https://tools.ietf.org/html/rfc6749#section-1.5);
   * [Token revocation](https://tools.ietf.org/html/rfc7009);
   * [Implicit grant (off by default)[https://tools.ietf.org/html/rfc6749#section-4.2];
+  * [PKCE](https://tools.ietf.org/html/rfc7636);
 * Access Type (Token refresh online and offline);
 * OAuth application and token management dashboards;
 
@@ -96,10 +97,9 @@ Generating tokens happens mostly server-to-server, so here's an example using:
 
 ```ruby
 require "httpx"
-httpx = HTTPX.plugin(:authorization)
-response = httpx.with(headers: { "X-your-auth-scheme" => ENV["SERVER_KEY"] })
-                .post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/oauth-token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
+                  client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "authorization_code",
                   code: "oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"
                 })
@@ -111,7 +111,7 @@ puts payload #=> {"token" => "awr23f3h8f9d2h89...", "refresh_token" => "23fkop3k
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/oauth-token
+> curl --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"authorization_code","code":"oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as"}' https://auth_server/oauth-token
 ```
 
 #### Refresh Token
@@ -122,10 +122,9 @@ Refreshing expired tokens also happens mostly server-to-server, here's an exampl
 
 ```ruby
 require "httpx"
-httpx = HTTPX.plugin(:authorization)
-response = httpx.with(headers: { "X-your-auth-scheme" => ENV["SERVER_KEY"] })
-                .post("https://auth_server/oauth-token",json: {
+response = HTTPX.post("https://auth_server/oauth-token",json: {
                   client_id: ENV["OAUTH_CLIENT_ID"],
+                  client_secret: ENV["OAUTH_CLIENT_SECRET"],
                   grant_type: "refresh_token",
                   token: "2r89hfef4j9f90d2j2390jf390g"
                 })
@@ -137,7 +136,7 @@ puts payload #=> {"token" => "awr23f3h8f9d2h89...", "token_type" => "Bearer" ...
 ##### cURL
 
 ```
-> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-token
+> curl -H "X-your-auth-scheme: $SERVER_KEY" --data '{"client_id":"$OAUTH_CLIENT_ID","client_secret":"$OAUTH_CLIENT_SECRET","grant_type":"token","token":"2r89hfef4j9f90d2j2390jf390g"}' https://auth_server/oauth-token
 ```
 
 #### Revoking tokens
@@ -291,14 +290,59 @@ end
 
 In this section, the non-standard features are going to be described in more detail.
 
+### Token / Secrets Hashing
+
+Although not human-friendly as passwords, for security reasons, you might not want to store access (and refresh) tokens in the database. If that is the case, You'll have to add the respective hash columns in the table:
+
+```ruby
+# in migration
+String :token_hash, null: false, token: true
+String :refresh_token_hash, token, true
+# and you DO NOT NEED the token and refresh_token columns anymore!
+```
+
+And declare them in the plugin:
+
+```ruby
+plugin :rodauth do
+  enable :oauth
+  oauth_tokens_token_hash_column :token_hash
+  oauth_tokens_token_hash_column :refresh_token_hash
+```
+
+#### Client Secret
+
+By default, it's expected that the "client secret" property from an OAuth application is only known by the owner, and only the hash is stored in the database; this way, the authorization server doesn't know what the client secret is, only the application owner. The provided [OAuth Applications Extensions](#oauth-applications) application form contains a "Client Secret" input field for this reason.
+
+However, this extension is optional, and you might want to generate the secrets and store them as is. In that case, you'll have to re-define some options:
+
+```ruby
+plugin :rodauth do
+  enable :oauth
+  secret_matches? ->(application, secret){ application[:client_secret] == secret }
+end
+```
+
 ### Access Type (default: "offline")
 
 The "access_type" feature allows the authorization server to emit access tokens with no associated refresh token. This means that users with expired access tokens will have to go through the OAuth flow everytime they need a new one.
 
 In order to enable this option, add "access_type=online" to the query params section of the authorization url.
 
-**Note**: this feature does not yet support the "approval_prompt" feature.
+#### Approval Prompt
+
+When using "online grants", one can use an extra query param in the URL, "approval_prompt", which when set to "auto", will skip the authorization form (on the other hand, if one wants to force the authorization form for all grants, then you can set it to "force", or don't set it at all, as it's the default).
+
+This will only work **if there was a previous successful online grant** for the same application, scopes and redirect URI.
+
+#### DB schema
+
+the "oauth_grants" table will have to include the "access_type row":
 
+```ruby
+# in migration
+String :access_type, null: false, default: "offline"
+```
 
 ### Implicit Grant (default: disabled)
 
@@ -315,6 +359,44 @@ end
 
 And add "response_type=token" to the query params section of the authorization url.
 
+### PKCE
+
+The "Proof Key for Code Exchange by OAuth Public Clients" (aka PKCE) flow, which is **particularly recommended for OAuth integration in mobile apps**, is transparently supported by `rodauth-oauth`, by adding the `code_challenge_method=S256&code_challenge=$YOUR_CODE_CHALLENGE` query params to the authorization url. Once you do that, you'll have to pass the `code_verifier` when generating a token:
+
+```ruby
+# with httpx
+require "httpx"
+httpx = HTTPX.plugin(:authorization)
+response = httpx.with(headers: { "X-your-auth-scheme" => ENV["SERVER_KEY"] })
+                .post("https://auth_server/oauth-token",json: {
+                  client_id: ENV["OAUTH_CLIENT_ID"],
+                  grant_type: "authorization_code",
+                  code: "oiweicnewdh32fhoi3hf3ihfo2ih3f2o3as",
+                  code_verifier: your_code_verifier_here
+                })
+response.raise_for_status
+payload = JSON.parse(response.to_s)
+puts payload #=> {"token" =
+```
+
+By default, the pkce integration sets "S256" as the default challenge method. If you value security, you **should not use plain**. However, if you really need to, you can set it in the `rodauth` plugin:
+
+```ruby
+plugin :rodauth do
+  enable :oauth
+  oauth_pkce_challenge_method "plain"
+end
+```
+
+Although PKCE flow is supported out-of-the-box, it's not enforced by default. If you want to, you can force it, thereby forcing clients to generate a challenge:
+
+```ruby
+plugin :rodauth do
+  enable :oauth
+  oauth_require_pkce true
+end
+```
+
 ## Ruby support policy
 
 The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support.

data/lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -24,6 +24,12 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :revoked_at
       t.string :scopes, null: false
       t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      # for using access_types
+      t.string :access_type, null: false, default: "offline"
+      # uncomment to enable PKCE
+      # t.string :code_challenge
+      # t.string :code_challenge_method
+
       t.index(%i[oauth_application_id code], unique: true)
     end
 
@@ -37,7 +43,13 @@ class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
       t.integer :oauth_application_id
       t.foreign_key :oauth_applications, column: :oauth_application_id
       t.string :token, null: false, token: true
+      # uncomment if setting oauth_tokens_token_hash_column
+      # and delete the token column
+      # t.string :token_hash, token: true
       t.string :refresh_token
+      # uncomment if setting oauth_tokens_refresh_token_hash_column
+      # and delete the refresh_token column
+      # t.string :refresh_token_hash, token: true
       t.datetime :expires_in, null: false
       t.datetime :revoked_at
       t.string :scopes, null: false

data/lib/rodauth/features/oauth.rb

@@ -14,6 +14,23 @@ module Rodauth
       using(RegexpExtensions)
     end
 
+    unless String.method_defined?(:delete_suffix!)
+      module SuffixExtensions
+        refine(String) do
+          def delete_suffix!(suffix)
+            suffix = suffix.to_s
+            chomp! if frozen?
+            len = suffix.length
+            return unless len.positive? && index(suffix, -len)
+
+            self[-len..-1] = ""
+            self
+          end
+        end
+      end
+      using(SuffixExtensions)
+    end
+
     SCOPES = %w[profile.read].freeze
 
     depends :login
@@ -51,22 +68,26 @@ module Rodauth
     auth_value_method :oauth_token_expires_in, 60 * 60 # 60 minutes
     auth_value_method :use_oauth_implicit_grant_type, false
 
+    auth_value_method :oauth_require_pkce, false
+    auth_value_method :oauth_pkce_challenge_method, "S256"
+
     # URL PARAMS
 
     # Authorize / token
     %w[
-      grant_type code refresh_token client_id scope
+      grant_type code refresh_token client_id client_secret scope
       state redirect_uri scopes token_type_hint token
-      access_type response_type
+      access_type approval_prompt response_type
+      code_challenge code_challenge_method code_verifier
     ].each do |param|
       auth_value_method :"#{param}_param", param
     end
 
     # Application
-    APPLICATION_REQUIRED_PARAMS = %w[name description scopes homepage_url redirect_uri].freeze
+    APPLICATION_REQUIRED_PARAMS = %w[name description scopes homepage_url redirect_uri client_secret].freeze
     auth_value_method :oauth_application_required_params, APPLICATION_REQUIRED_PARAMS
 
-    (APPLICATION_REQUIRED_PARAMS + %w[client_id client_secret]).each do |param|
+    (APPLICATION_REQUIRED_PARAMS + %w[client_id]).each do |param|
       auth_value_method :"oauth_application_#{param}_param", param
     end
 
@@ -83,6 +104,10 @@ module Rodauth
       auth_value_method :"oauth_tokens_#{column}_column", column
     end
 
+    # Oauth Token Hash
+    auth_value_method :oauth_tokens_token_hash_column, nil
+    auth_value_method :oauth_tokens_refresh_token_hash_column, nil
+
     # OAuth Grants
     auth_value_method :oauth_grants_table, :oauth_grants
     auth_value_method :oauth_grants_id_column, :id
@@ -90,6 +115,7 @@ module Rodauth
       account_id oauth_application_id
       redirect_uri code scopes access_type
       expires_in revoked_at
+      code_challenge code_challenge_method
     ].each do |column|
       auth_value_method :"oauth_grants_#{column}_column", column
     end
@@ -130,8 +156,16 @@ module Rodauth
     auth_value_method :unique_error_message, "is already in use"
     auth_value_method :null_error_message, "is not filled"
 
+    # PKCE
+    auth_value_method :code_challenge_required_error_code, "invalid_request"
+    auth_value_method :code_challenge_required_message, "code challenge required"
+    auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
+    auth_value_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+
     auth_value_methods(
-      :oauth_unique_id_generator
+      :oauth_unique_id_generator,
+      :secret_matches?,
+      :secret_hash
     )
 
     redirect(:oauth_application) do |id|
@@ -178,51 +212,31 @@ module Rodauth
     end
 
     def state
-      state = param(state_param)
-
-      return unless state && !state.empty?
-
-      state
+      param_or_nil(state_param)
     end
 
     def scopes
-      scopes = param(scopes_param)
-
-      return [oauth_application_default_scope] unless scopes && !scopes.empty?
-
-      scopes.split(" ")
+      (param_or_nil(scopes_param) || oauth_application_default_scope).split(" ")
     end
 
     def client_id
-      client_id = param(client_id_param)
-
-      return unless client_id && !client_id.empty?
+      param_or_nil(client_id_param)
+    end
 
-      client_id
+    def client_secret
+      param_or_nil(client_secret_param)
     end
 
     def redirect_uri
-      redirect_uri = param(redirect_uri_param)
-
-      return oauth_application[oauth_applications_redirect_uri_column] unless redirect_uri && !redirect_uri.empty?
-
-      redirect_uri
+      param_or_nil(redirect_uri_param) || oauth_application[oauth_applications_redirect_uri_column]
     end
 
     def token_type_hint
-      token_type_hint = param(token_type_hint_param)
-
-      return "access_token" unless token_type_hint && !token_type_hint.empty?
-
-      token_type_hint
+      param_or_nil(token_type_hint_param) || "access_token"
     end
 
     def token
-      token = param(token_param)
-
-      return unless token && !token.empty?
-
-      token
+      param_or_nil(token_param)
     end
 
     def oauth_application
@@ -250,10 +264,9 @@ module Rodauth
         # check if there is a token
         # check if token has not expired
         # check if token has been revoked
-        db[oauth_tokens_table].where(oauth_tokens_token_column => token)
-                              .where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                              .where(oauth_tokens_revoked_at_column => nil)
-                              .first
+        oauth_token_by_token(token).where(Sequel[oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                   .where(oauth_tokens_revoked_at_column => nil)
+                                   .first
       end
     end
 
@@ -317,8 +330,100 @@ module Rodauth
 
     private
 
+    def secret_matches?(oauth_application, secret)
+      BCrypt::Password.new(oauth_application[oauth_applications_client_secret_column]) == secret
+    end
+
+    def secret_hash(secret)
+      password_hash(secret)
+    end
+
     def oauth_unique_id_generator
-      SecureRandom.uuid
+      SecureRandom.hex(32)
+    end
+
+    def generate_token_hash(token)
+      Base64.urlsafe_encode64(Digest::SHA256.digest(token))
+    end
+
+    unless method_defined?(:password_hash)
+      # From login_requirements_base feature
+      if ENV["RACK_ENV"] == "test"
+        def password_hash_cost
+          BCrypt::Engine::MIN_COST
+        end
+      else
+        # :nocov:
+        def password_hash_cost
+          BCrypt::Engine::DEFAULT_COST
+        end
+        # :nocov:
+      end
+
+      def password_hash(password)
+        BCrypt::Password.create(password, cost: password_hash_cost)
+      end
+    end
+
+    def generate_oauth_token(params = {}, should_generate_refresh_token = true)
+      create_params = {
+        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in
+      }.merge(params)
+
+      token = oauth_unique_id_generator
+      refresh_token = nil
+
+      if oauth_tokens_token_hash_column
+        create_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+      else
+        create_params[oauth_tokens_token_column] = token
+      end
+
+      if should_generate_refresh_token
+        refresh_token = oauth_unique_id_generator
+
+        if oauth_tokens_refresh_token_hash_column
+          create_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+        else
+          create_params[oauth_tokens_refresh_token_column] = refresh_token
+        end
+      end
+      oauth_token = _generate_oauth_token(create_params)
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
+      oauth_token
+    end
+
+    def _generate_oauth_token(params = {})
+      ds = db[oauth_tokens_table]
+
+      begin
+        if ds.supports_returning?(:insert)
+          ds.returning.insert(params)
+        else
+          id = ds.insert(params)
+          ds.where(oauth_tokens_id_column => id).first
+        end
+      rescue Sequel::UniqueConstraintViolation
+        retry
+      end
+    end
+
+    def oauth_token_by_token(token)
+      if oauth_tokens_token_hash_column
+        db[oauth_tokens_table].where(oauth_tokens_token_hash_column => generate_token_hash(token))
+      else
+        db[oauth_tokens_table].where(oauth_tokens_token_column => token)
+      end
+    end
+
+    def oauth_token_by_refresh_token(token)
+      if oauth_tokens_refresh_token_hash_column
+        db[oauth_tokens_table].where(oauth_tokens_refresh_token_hash_column => generate_token_hash(token))
+      else
+        db[oauth_tokens_table].where(oauth_tokens_refresh_token_column => token)
+      end
     end
 
     # Oauth Application
@@ -363,9 +468,11 @@ module Rodauth
       }
 
       # set client ID/secret pairs
+
       create_params.merge! \
         oauth_applications_client_id_column => oauth_unique_id_generator,
-        oauth_applications_client_secret_column => oauth_unique_id_generator
+        oauth_applications_client_secret_column => \
+          secret_hash(oauth_application_params[oauth_application_client_secret_param])
 
       create_params[oauth_applications_scopes_column] = if create_params[oauth_applications_scopes_column]
                                                           create_params[oauth_applications_scopes_column].join(",")
@@ -404,10 +511,31 @@ module Rodauth
     # Authorize
 
     def validate_oauth_grant_params
-      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type?
+      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type? &&
+             check_valid_approval_prompt? && check_valid_response_type?
         redirect_response_error("invalid_request")
       end
       redirect_response_error("invalid_scope") unless check_valid_scopes?
+
+      validate_pkce_challenge_params
+    end
+
+    def try_approval_prompt
+      approval_prompt = param_or_nil(approval_prompt_param)
+
+      return unless approval_prompt && approval_prompt == "auto"
+
+      return if db[oauth_grants_table].where(
+        oauth_grants_account_id_column => account_id,
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_redirect_uri_column => redirect_uri,
+        oauth_grants_scopes_column => scopes.join(","),
+        oauth_grants_access_type_column => "online"
+      ).count.zero?
+
+      # if there's a previous oauth grant for the params combo, it means that this user has approved before.
+
+      request.env["REQUEST_METHOD"] = "POST"
     end
 
     def create_oauth_grant
@@ -420,10 +548,20 @@ module Rodauth
         oauth_grants_scopes_column => scopes.join(",")
       }
 
-      unless (access_type = param("access_type")).empty?
+      if (access_type = param_or_nil(access_type_param))
         create_params[oauth_grants_access_type_column] = access_type
       end
 
+      # PKCE flow
+      if (code_challenge = param_or_nil(code_challenge_param))
+        code_challenge_method = param_or_nil(code_challenge_method_param)
+
+        create_params[oauth_grants_code_challenge_column] = code_challenge
+        create_params[oauth_grants_code_challenge_method_column] = code_challenge_method
+      elsif oauth_require_pkce
+        redirect_response_error("code_challenge_required")
+      end
+
       ds = db[oauth_grants_table]
 
       begin
@@ -441,60 +579,63 @@ module Rodauth
     # Access Tokens
 
     def validate_oauth_token_params
-      redirect_response_error("invalid_request") unless param(client_id_param)
+      redirect_response_error("invalid_request") unless param_or_nil(client_id_param)
 
-      unless (grant_type = param(grant_type_param))
+      unless param_or_nil(client_secret_param)
+        redirect_response_error("invalid_request") unless param_or_nil(code_verifier_param)
+      end
+
+      unless (grant_type = param_or_nil(grant_type_param))
         redirect_response_error("invalid_request")
       end
 
       case grant_type
       when "authorization_code"
-        redirect_response_error("invalid_request") unless param(code_param)
+        redirect_response_error("invalid_request") unless param_or_nil(code_param)
 
       when "refresh_token"
-        redirect_response_error("invalid_request") unless param(refresh_token_param)
+        redirect_response_error("invalid_request") unless param_or_nil(refresh_token_param)
       else
         redirect_response_error("invalid_request")
       end
     end
 
-    def generate_oauth_token(params = {})
-      create_params = {
-        oauth_grants_expires_in_column => Time.now + oauth_token_expires_in,
-        oauth_tokens_token_column => oauth_unique_id_generator
-      }.merge(params)
+    def create_oauth_token
+      oauth_application = db[oauth_applications_table].where(
+        oauth_applications_client_id_column => param(client_id_param)
+      ).first
 
-      ds = db[oauth_tokens_table]
+      redirect_response_error("invalid_request") unless oauth_application
 
-      begin
-        if ds.supports_returning?(:insert)
-          ds.returning.insert(create_params)
-        else
-          id = ds.insert(create_params)
-          ds.where(oauth_tokens_id_column => id).first
-        end
-      rescue Sequel::UniqueConstraintViolation
-        retry
+      if (client_secret = param_or_nil(client_secret_param))
+        redirect_response_error("invalid_request") unless secret_matches?(oauth_application, client_secret)
       end
-    end
 
-    def create_oauth_token
       case param(grant_type_param)
       when "authorization_code"
+
         # fetch oauth grant
         oauth_grant = db[oauth_grants_table].where(
           oauth_grants_code_column => param(code_param),
           oauth_grants_redirect_uri_column => param(redirect_uri_param),
-          oauth_grants_oauth_application_id_column => db[oauth_applications_table].where(
-            oauth_applications_client_id_column => param(client_id_param),
-            oauth_applications_account_id_column => oauth_applications_account_id_column
-          ).select(oauth_applications_id_column)
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+          oauth_grants_revoked_at_column => nil
         ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                            .where(oauth_grants_revoked_at_column => nil)
                                             .first
 
         redirect_response_error("invalid_grant") unless oauth_grant
 
+        # PKCE
+        if oauth_grant[oauth_grants_code_challenge_column]
+          code_verifier = param_or_nil(code_verifier_param)
+
+          unless code_verifier && check_valid_grant_challenge?(oauth_grant, code_verifier)
+            redirect_response_error("invalid_request")
+          end
+        elsif oauth_require_pkce
+          redirect_response_error("code_challenge_required")
+        end
+
         create_params = {
           oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
           oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
@@ -502,43 +643,48 @@ module Rodauth
           oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
         }
 
-        if oauth_grant[oauth_grants_access_type_column] == "offline"
-          create_params[oauth_tokens_refresh_token_column] = oauth_unique_id_generator
-        end
         # revoke oauth grant
         db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
                               .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
 
-        generate_oauth_token(create_params)
+        generate_oauth_token(create_params, oauth_grant[oauth_grants_access_type_column] == "offline")
+
       when "refresh_token"
-        # fetch oauth grant
-        oauth_token = db[oauth_tokens_table].where(
-          oauth_tokens_refresh_token_column => param(refresh_token_param),
-          oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
-            oauth_applications_client_id_column => param(client_id_param),
-            oauth_applications_account_id_column => account_id
-          ).select(oauth_applications_id_column)
+        # fetch oauth token
+        oauth_token = oauth_token_by_refresh_token(param(refresh_token_param)).where(
+          oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column]
         ).where(oauth_grants_revoked_at_column => nil).first
 
         redirect_response_error("invalid_grant") unless oauth_token
 
+        token = oauth_unique_id_generator
+
         update_params = {
           oauth_tokens_oauth_application_id_column => oauth_token[oauth_grants_oauth_application_id_column],
-          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in,
-          oauth_tokens_token_column => oauth_unique_id_generator
+          oauth_tokens_expires_in_column => Time.now + oauth_token_expires_in
         }
 
+        if oauth_tokens_token_hash_column
+          update_params[oauth_tokens_token_hash_column] = generate_token_hash(token)
+        else
+          update_params[oauth_tokens_token_column] = token
+        end
+
         ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
-        begin
+
+        oauth_token = begin
           if ds.supports_returning?(:update)
             ds.returning.update(update_params)
           else
             ds.update(update_params)
             ds.first
           end
-        rescue Sequel::UniqueConstraintViolation
-          retry
+                      rescue Sequel::UniqueConstraintViolation
+                        retry
         end
+
+        oauth_token[oauth_tokens_token_column] = token
+        oauth_token
       else
         redirect_response_error("invalid_grant")
       end
@@ -556,39 +702,40 @@ module Rodauth
     end
 
     def revoke_oauth_token
-      # one can only revoke tokens which haven't been revoked before, and which are
-      # either our tokens, or tokens from applications we own.
-      ds = db[oauth_tokens_table]
-           .where(oauth_tokens_revoked_at_column => nil)
-           .where(
-             Sequel.or(
-               oauth_tokens_account_id_column => account_id,
-               oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
-                 oauth_applications_client_id_column => param(client_id_param),
-                 oauth_applications_account_id_column => account_id
-               ).select(oauth_applications_id_column)
-             )
-           )
       ds = case token_type_hint
            when "access_token"
-             ds.where(oauth_tokens_token_column => token)
+             oauth_token_by_token(token)
            when "refresh_token"
-             ds.where(oauth_tokens_refresh_token_column => token)
+             oauth_token_by_refresh_token(token)
            end
+      # one can only revoke tokens which haven't been revoked before, and which are
+      # either our tokens, or tokens from applications we own.
+      oauth_token = ds.where(oauth_tokens_revoked_at_column => nil)
+                      .where(
+                        Sequel.or(
+                          oauth_tokens_account_id_column => account_id,
+                          oauth_tokens_oauth_application_id_column => db[oauth_applications_table].where(
+                            oauth_applications_client_id_column => param(client_id_param),
+                            oauth_applications_account_id_column => account_id
+                          ).select(oauth_applications_id_column)
+                        )
+                      ).first
 
-      oauth_token = ds.first
       redirect_response_error("invalid_request") unless oauth_token
 
       update_params = { oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP }
 
       ds = db[oauth_tokens_table].where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
 
-      if ds.supports_returning?(:update)
-        ds.returning.update(update_params)
-      else
-        ds.update(update_params)
-        ds.first
-      end
+      oauth_token = if ds.supports_returning?(:update)
+                      ds.returning.update(update_params)
+                    else
+                      ds.update(update_params)
+                      ds.first
+                    end
+
+      oauth_token[oauth_tokens_token_column] = token
+      oauth_token
 
       # If the particular
       # token is a refresh token and the authorization server supports the
@@ -606,11 +753,19 @@ module Rodauth
         throw_json_response_error(invalid_oauth_response_status, error_code)
       else
         redirect_url = URI.parse(redirect_url)
-        query_params = ["error=#{error_code}"]
+        query_params = []
+
+        query_params << if respond_to?(:"#{error_code}_error_code")
+                          "error=#{send(:"#{error_code}_error_code")}"
+                        else
+                          "error=#{error_code}"
+                        end
+
         if respond_to?(:"#{error_code}_message")
           message = send(:"#{error_code}_message")
           query_params << ["error_description=#{CGI.escape(message)}"]
         end
+
         query_params << redirect_url.query if redirect_url.query
         redirect_url.query = query_params.join("&")
         redirect(redirect_url.to_s)
@@ -619,19 +774,30 @@ module Rodauth
 
     def throw_json_response_error(status, error_code)
       set_response_error_status(status)
-      payload = { "error" => error_code }
+      code = if respond_to?(:"#{error_code}_error_code")
+               send(:"#{error_code}_error_code")
+             else
+               error_code
+             end
+      payload = { "error" => code }
       payload["error_description"] = send(:"#{error_code}_message") if respond_to?(:"#{error_code}_message")
-      json_payload = if request.respond_to?(:convert_to_json)
-                       request.send(:convert_to_json, payload)
-                     else
-                       JSON.dump(payload)
-                     end
+      json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
       response["WWW-Authenticate"] = "Bearer" if status == 401
       response.write(json_payload)
       request.halt
     end
 
+    unless method_defined?(:_json_response_body)
+      def _json_response_body(hash)
+        if request.respond_to?(:convert_to_json)
+          request.send(:convert_to_json, hash)
+        else
+          JSON.dump(hash)
+        end
+      end
+    end
+
     def authorization_required
       if json_request?
         throw_json_response_error(authorization_required_error_status, "invalid_client")
@@ -654,25 +820,59 @@ module Rodauth
     ACCESS_TYPES = %w[offline online].freeze
 
     def check_valid_access_type?
-      access_type = param("access_type")
-      access_type.empty? || ACCESS_TYPES.include?(access_type)
+      access_type = param_or_nil(access_type_param)
+      !access_type || ACCESS_TYPES.include?(access_type)
+    end
+
+    APPROVAL_PROMPTS = %w[force auto].freeze
+
+    def check_valid_approval_prompt?
+      approval_prompt = param_or_nil(approval_prompt_param)
+      !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
     end
 
     def check_valid_response_type?
-      response_type = param("response_type")
+      response_type = param_or_nil(response_type_param)
 
-      return true if response_type.empty? || response_type == "code"
+      return true if response_type.nil? || response_type == "code"
 
       return use_oauth_implicit_grant_type if response_type == "token"
 
       false
     end
 
+    # PKCE
+
+    def validate_pkce_challenge_params
+      if param_or_nil(code_challenge_param)
+
+        challenge_method = param_or_nil(code_challenge_method_param)
+        redirect_response_error("code_challenge_required") unless oauth_pkce_challenge_method == challenge_method
+      else
+        return unless oauth_require_pkce
+
+        redirect_response_error("code_challenge_required")
+      end
+    end
+
+    def check_valid_grant_challenge?(grant, verifier)
+      challenge = grant[oauth_grants_code_challenge_column]
+
+      case grant[oauth_grants_code_challenge_method_column]
+      when "plain"
+        challenge == verifier
+      when "S256"
+        generated_challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier))
+        generated_challenge.delete_suffix!("=") while generated_challenge.end_with?("=")
+
+        challenge == generated_challenge
+      else
+        redirect_response_error("unsupported_transform_algorithm")
+      end
+    end
+
     # /oauth-token
     route(:oauth_token) do |r|
-      throw_json_response_error(authorization_required_error_status, "invalid_client") unless logged_in?
-
-      # access-token
       r.post do
         catch_error do
           validate_oauth_token_params
@@ -687,18 +887,14 @@ module Rodauth
           response.status = 200
           response["Content-Type"] ||= json_response_content_type
           json_response = {
-            "token" => oauth_token[:token],
+            "token" => oauth_token[oauth_tokens_token_column],
             "token_type" => oauth_token_type,
             "expires_in" => oauth_token_expires_in
           }
 
-          json_response["refresh_token"] = oauth_token[:refresh_token] if oauth_token[:refresh_token]
+          json_response["refresh_token"] = oauth_token[oauth_tokens_refresh_token_column] if oauth_token[:refresh_token]
 
-          json_payload = if request.respond_to?(:convert_to_json)
-                           request.send(:convert_to_json, json_response)
-                         else
-                           JSON.dump(json_response)
-                         end
+          json_payload = _json_response_body(json_response)
           response.write(json_payload)
           request.halt
         end
@@ -727,15 +923,11 @@ module Rodauth
             response.status = 200
             response["Content-Type"] ||= json_response_content_type
             json_response = {
-              "token" => oauth_token[:token],
-              "refresh_token" => oauth_token[:refresh_token],
-              "revoked_at" => oauth_token[:revoked_at]
+              "token" => oauth_token[oauth_tokens_token_column],
+              "refresh_token" => oauth_token[oauth_tokens_refresh_token_column],
+              "revoked_at" => oauth_token[oauth_tokens_revoked_at_column]
             }
-            json_payload = if request.respond_to?(:convert_to_json)
-                             request.send(:convert_to_json, json_response)
-                           else
-                             JSON.dump(json_response)
-                           end
+            json_payload = _json_response_body(json_response)
             response.write(json_payload)
             request.halt
           else
@@ -751,15 +943,14 @@ module Rodauth
     # /oauth-authorize
     route(:oauth_authorize) do |r|
       require_account
+      validate_oauth_grant_params
+      try_approval_prompt if request.get?
 
       r.get do
-        validate_oauth_grant_params
         authorize_view
       end
 
       r.post do
-        validate_oauth_grant_params
-
         code = nil
         query_params = []
         fragment_params = []
@@ -775,9 +966,9 @@ module Rodauth
               oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
               oauth_tokens_scopes_column => scopes
             }
-            oauth_token = generate_oauth_token(create_params)
+            oauth_token = generate_oauth_token(create_params, false)
 
-            fragment_params << ["access_token=#{oauth_token[:token]}"]
+            fragment_params << ["access_token=#{oauth_token[oauth_tokens_token_column]}"]
             fragment_params << ["token_type=#{oauth_token_type}"]
             fragment_params << ["expires_in=#{oauth_token_expires_in}"]
           when "code", "", nil

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.0.1"
+    VERSION = "0.0.2"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-27 00:00:00.000000000 Z
+date: 2020-05-29 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email: