rodauth-oauth 0.10.4 → 1.0.0.pre.beta1

data/lib/rodauth/features/oauth_client_credentials_grant.rb

@@ -1,33 +1,35 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_client_credentials_grant, :OauthClientCredentialsGrant) do
     depends :oauth_base
 
-    auth_value_method :use_oauth_client_credentials_grant_type?, false
+    def oauth_grant_types_supported
+      super | %w[client_credentials]
+    end
 
     private
 
-    def create_oauth_token(grant_type)
-      return super unless grant_type == "client_credentials" && use_oauth_client_credentials_grant_type?
+    def create_token(grant_type)
+      return super unless supported_grant_type?(grant_type, "client_credentials")
 
-      create_params = {
-        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => scopes.join(oauth_scope_separator)
-      }
-      generate_oauth_token(create_params, false)
-    end
+      grant_scopes = scopes
 
-    def oauth_server_metadata_body(*)
-      super.tap do |data|
-        data[:grant_types_supported] << "client_credentials" if use_oauth_client_credentials_grant_type?
-      end
-    end
-
-    def check_valid_response_type?
-      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+      grant_scopes = if grant_scopes
+                       redirect_response_error("invalid_scope") unless check_valid_scopes?
+                       grant_scopes.join(oauth_scope_separator)
+                     else
+                       oauth_application[oauth_applications_scopes_column]
+                     end
 
-      super
+      grant_params = {
+        oauth_grants_type_column => "client_credentials",
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_scopes_column => grant_scopes
+      }
+      generate_token(grant_params, false)
     end
   end
 end

data/lib/rodauth/features/{oauth_device_grant.rb → oauth_device_code_grant.rb}

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
-  Feature.define(:oauth_device_grant, :OauthDeviceGrant) do
+  Feature.define(:oauth_device_code_grant, :OauthDeviceCodeGrant) do
     depends :oauth_authorize_base
 
-    auth_value_method :use_oauth_device_code_grant_type?, false
-
     before "device_authorization"
     before "device_verification"
 
@@ -21,10 +21,12 @@ module Rodauth
     auth_value_method :oauth_grants_user_code_column, :user_code
     auth_value_method :oauth_grants_last_polled_at_column, :last_polled_at
 
-    translatable_method :expired_token_message, "the device code has expired"
-    translatable_method :access_denied_message, "the authorization request has been denied"
-    translatable_method :authorization_pending_message, "the authorization request is still pending"
-    translatable_method :slow_down_message, "authorization request is still pending but poll interval should be increased"
+    translatable_method :oauth_device_search_page_lead, "Insert the user code from the device you'd like to authorize."
+    translatable_method :oauth_device_verification_page_lead, "The device with user code %<user_code>s would like to access your data."
+    translatable_method :oauth_expired_token_message, "the device code has expired"
+    translatable_method :oauth_access_denied_message, "the authorization request has been denied"
+    translatable_method :oauth_authorization_pending_message, "the authorization request is still pending"
+    translatable_method :oauth_slow_down_message, "authorization request is still pending but poll interval should be increased"
 
     auth_value_method :oauth_device_code_grant_polling_interval, 5 # seconds
     auth_value_method :oauth_device_code_grant_user_code_size, 8 # characters
@@ -38,18 +40,18 @@ module Rodauth
     )
 
     # /device-authorization
-    route(:device_authorization) do |r|
-      next unless is_authorization_server? && use_oauth_device_code_grant_type?
-
+    auth_server_route(:device_authorization) do |r|
+      require_oauth_application
       before_device_authorization_route
 
       r.post do
-        require_oauth_application
-
         user_code = generate_user_code
         device_code = transaction do
           before_device_authorization
-          create_oauth_grant(oauth_grants_user_code_column => user_code)
+          create_oauth_grant(
+            oauth_grants_type_column => "device_code",
+            oauth_grants_user_code_column => user_code
+          )
         end
 
         json_response_success \
@@ -63,18 +65,13 @@ module Rodauth
     end
 
     # /device
-    route(:device) do |r|
-      next unless is_authorization_server? && use_oauth_device_code_grant_type?
-
-      before_device_route
+    auth_server_route(:device) do |r|
       require_authorizable_account
+      before_device_route
 
       r.get do
         if (user_code = param_or_nil("user_code"))
-          oauth_grant = db[oauth_grants_table].where(
-            oauth_grants_user_code_column => user_code,
-            oauth_grants_revoked_at_column => nil
-          ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP).first
+          oauth_grant = valid_oauth_grant_ds(oauth_grants_user_code_column => user_code).first
 
           unless oauth_grant
             set_redirect_error_flash user_code_not_found_error_flash
@@ -90,14 +87,14 @@ module Rodauth
 
       r.post do
         catch_error do
-          unless param_or_nil("user_code")
-            set_redirect_error_flash invalid_grant_message
+          unless (user_code = param_or_nil("user_code")) && !user_code.empty?
+            set_redirect_error_flash oauth_invalid_grant_message
             redirect device_path
           end
 
           transaction do
             before_device_verification
-            create_oauth_token("device_code")
+            create_token("device_code")
           end
         end
         set_notice_flash device_verification_notice_flash
@@ -114,6 +111,10 @@ module Rodauth
       end
     end
 
+    def oauth_grant_types_supported
+      super | %w[urn:ietf:params:oauth:grant-type:device_code]
+    end
+
     private
 
     def generate_user_code
@@ -124,82 +125,61 @@ module Rodauth
                   .rjust(user_code_size, "0")
     end
 
-    def authorized_oauth_application?(oauth_application, client_secret, _)
-      # skip if using device grant
-      #
-      # requests may be performed by devices with no knowledge of client secret.
-      return true if !client_secret && use_oauth_device_code_grant_type?
+    # TODO: think about removing this and recommend PKCE
+    def supports_auth_method?(oauth_application, auth_method)
+      return super unless auth_method == "none"
 
-      super
+      request.path == device_authorization_path || request.params.key?("device_code") || super
     end
 
-    def create_oauth_token(grant_type)
+    def create_token(grant_type)
       if supported_grant_type?(grant_type, "urn:ietf:params:oauth:grant-type:device_code")
-        throw_json_response_error(invalid_oauth_response_status, "invalid_grant_type") unless use_oauth_device_code_grant_type?
 
         oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_type_column => "device_code",
           oauth_grants_code_column => param("device_code"),
           oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
         ).for_update.first
 
-        throw_json_response_error(invalid_oauth_response_status, "invalid_grant") unless oauth_grant
+        throw_json_response_error(oauth_invalid_response_status, "invalid_grant") unless oauth_grant
 
         now = Time.now
 
-        if oauth_grant[oauth_grants_revoked_at_column]
-          oauth_token = db[oauth_tokens_table]
-                        .where(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                        .where(Sequel[oauth_tokens_table][oauth_tokens_revoked_at_column] => nil)
-                        .where(oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column])
-                        .first
+        if oauth_grant[oauth_grants_user_code_column].nil?
+          return create_token_from_authorization_code(
+            { oauth_grants_id_column => oauth_grant[oauth_grants_id_column] },
+            oauth_grant: oauth_grant
+          )
+        end
 
-          throw_json_response_error(invalid_oauth_response_status, "access_denied") unless oauth_token
+        if oauth_grant[oauth_grants_revoked_at_column]
+          throw_json_response_error(oauth_invalid_response_status, "access_denied")
         elsif oauth_grant[oauth_grants_expires_in_column] < now
-          throw_json_response_error(invalid_oauth_response_status, "expired_token")
+          throw_json_response_error(oauth_invalid_response_status, "expired_token")
         else
           last_polled_at = oauth_grant[oauth_grants_last_polled_at_column]
           if last_polled_at && convert_timestamp(last_polled_at) + oauth_device_code_grant_polling_interval > now
-            throw_json_response_error(invalid_oauth_response_status, "slow_down")
+            throw_json_response_error(oauth_invalid_response_status, "slow_down")
           else
             db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
                                   .update(oauth_grants_last_polled_at_column => Sequel::CURRENT_TIMESTAMP)
-            throw_json_response_error(invalid_oauth_response_status, "authorization_pending")
+            throw_json_response_error(oauth_invalid_response_status, "authorization_pending")
           end
         end
-        oauth_token
       elsif grant_type == "device_code"
-        redirect_response_error("invalid_grant_type") unless use_oauth_device_code_grant_type?
 
         # fetch oauth grant
-        oauth_grant = db[oauth_grants_table].where(
-          oauth_grants_user_code_column => param("user_code"),
-          oauth_grants_revoked_at_column => nil
-        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
-                                            .for_update
-                                            .first
-
-        return unless oauth_grant
-
-        # update ownership
-        db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
-                              .update(
-                                oauth_grants_user_code_column => nil,
-                                oauth_grants_account_id_column => account_id
-                              )
-
-        create_params = {
-          oauth_tokens_account_id_column => account_id,
-          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
-          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
-          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
-        }
-        create_oauth_token_from_authorization_code(oauth_grant, create_params)
+        rs = valid_oauth_grant_ds(
+          oauth_grants_user_code_column => param("user_code")
+        ).update(oauth_grants_user_code_column => nil, oauth_grants_type_column => "device_code")
+
+        return unless rs.positive?
       else
         super
       end
     end
 
-    def validate_oauth_token_params
+    def validate_token_params
       grant_type = param_or_nil("grant_type")
 
       if grant_type == "urn:ietf:params:oauth:grant-type:device_code" && !param_or_nil("device_code")
@@ -208,12 +188,21 @@ module Rodauth
       super
     end
 
+    def store_token(grant_params, update_params = {})
+      return super unless grant_params[oauth_grants_user_code_column]
+
+      # do not clean up device code just yet
+      update_params.delete(oauth_grants_code_column)
+
+      update_params[oauth_grants_user_code_column] = nil
+      update_params[oauth_grants_account_id_column] = account_id
+
+      super(grant_params, update_params)
+    end
+
     def oauth_server_metadata_body(*)
       super.tap do |data|
-        if use_oauth_device_code_grant_type?
-          data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:device_code"
-          data[:device_authorization_endpoint] = device_authorization_url
-        end
+        data[:device_authorization_endpoint] = device_authorization_url
       end
     end
   end

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_dynamic_client_registration, :OauthDynamicClientRegistration) do
     depends :oauth_base
@@ -8,12 +10,10 @@ module Rodauth
 
     auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name client_uri]
 
-    PROTECTED_APPLICATION_ATTRIBUTES = %i[account_id client_id].freeze
+    PROTECTED_APPLICATION_ATTRIBUTES = %w[account_id client_id].freeze
 
     # /register
-    route(:register) do |r|
-      next unless is_authorization_server?
-
+    auth_server_route(:register) do |r|
       before_register_route
 
       validate_client_registration_params
@@ -43,8 +43,17 @@ module Rodauth
 
     private
 
-    def registration_metadata
-      oauth_server_metadata_body
+    def _before_register
+      raise %{dynamic client registration requires authentication.
+        Override ´before_register` to perform it.
+        example:
+
+          before_register do
+            account = _account_from_login(request.env["HTTP_X_USER_EMAIL"])
+            authorization_required unless account
+            @oauth_application_params[:account_id] = account[:id]
+          end
+      }
     end
 
     def validate_client_registration_params
@@ -53,7 +62,6 @@ module Rodauth
           register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
         end
       end
-      metadata = registration_metadata
 
       @oauth_application_params = request.params.each_with_object({}) do |(key, value), params|
         case key
@@ -67,7 +75,7 @@ module Rodauth
           end
           key = oauth_applications_redirect_uri_column
         when "token_endpoint_auth_method"
-          unless oauth_auth_methods_supported.include?(value)
+          unless oauth_token_endpoint_auth_methods_supported.include?(value)
             register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
           end
           # verify if in range
@@ -75,19 +83,19 @@ module Rodauth
         when "grant_types"
           if value.is_a?(Array)
             value = value.each do |grant_type|
-              unless metadata[:grant_types_supported].include?(grant_type)
-                register_throw_json_response_error("invalid_client_metadata", register_invalid_grant_type_message(grant_type))
+              unless oauth_grant_types_supported.include?(grant_type)
+                register_throw_json_response_error("invalid_client_metadata", register_oauth_invalid_grant_type_message(grant_type))
               end
             end.join(" ")
           else
-            set_field_error(key, invalid_client_metadata_message)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
           end
           key = oauth_applications_grant_types_column
         when "response_types"
           if value.is_a?(Array)
-            grant_types = request.params["grant_types"] || metadata[:grant_types_supported]
+            grant_types = request.params["grant_types"] || oauth_grant_types_supported
             value = value.each do |response_type|
-              unless metadata[:response_types_supported].include?(response_type)
+              unless oauth_response_types_supported.include?(response_type)
                 register_throw_json_response_error("invalid_client_metadata",
                                                    register_invalid_response_type_message(response_type))
               end
@@ -95,7 +103,7 @@ module Rodauth
               validate_client_registration_response_type(response_type, grant_types)
             end.join(" ")
           else
-            set_field_error(key, invalid_client_metadata_message)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message(key, value))
           end
           key = oauth_applications_response_types_column
           # verify if in range and match grant type
@@ -133,10 +141,10 @@ module Rodauth
           key = oauth_applications_name_column
         else
           if respond_to?(:"oauth_applications_#{key}_column")
-            property = :"oauth_applications_#{key}_column"
-            if PROTECTED_APPLICATION_ATTRIBUTES.include?(property)
+            if PROTECTED_APPLICATION_ATTRIBUTES.include?(key)
               register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
             end
+            property = :"oauth_applications_#{key}_column"
             key = __send__(property)
           elsif !db[oauth_applications_table].columns.include?(key.to_sym)
             register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
@@ -167,16 +175,20 @@ module Rodauth
     end
 
     def do_register(return_params = request.params.dup)
+      applications_ds = db[oauth_applications_table]
+      application_columns = applications_ds.columns
+
       # set defaults
       create_params = @oauth_application_params
-      create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_default_scope.join(" ")
-      create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
-        return_params["token_endpoint_auth_method"] = "client_secret_basic"
-        "client_secret_basic"
-      end
-      create_params[oauth_applications_grant_types_column] ||= begin
-        return_params["grant_types"] = %w[authorization_code]
+      create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_scopes.join(" ")
+      if create_params[oauth_applications_grant_types_column] ||= begin
+        return_params["grant_types"] = %w[authorization_code] # rubocop:disable Lint/AssignmentInCondition
         "authorization_code"
+      end
+        create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
+          return_params["token_endpoint_auth_method"] = "client_secret_basic"
+          "client_secret_basic"
+        end
       end
       create_params[oauth_applications_response_types_column] ||= begin
         return_params["response_types"] = %w[code]
@@ -188,22 +200,24 @@ module Rodauth
         return_params["client_id"] = client_id
         return_params["client_id_issued_at"] = Time.now.utc.iso8601
         if create_params.key?(oauth_applications_client_secret_column)
-          create_params[oauth_applications_client_secret_column] = secret_hash(create_params[oauth_applications_client_secret_column])
+          set_client_secret(create_params, create_params[oauth_applications_client_secret_column])
           return_params.delete("client_secret")
         else
           client_secret = oauth_unique_id_generator
-          create_params[oauth_applications_client_secret_column] = secret_hash(client_secret)
+          set_client_secret(create_params, client_secret)
           return_params["client_secret"] = client_secret
           return_params["client_secret_expires_at"] = 0
+
+          create_params.delete_if { |k, _| !application_columns.include?(k) }
         end
-        db[oauth_applications_table].insert(create_params)
+        applications_ds.insert(create_params)
       end
 
       return_params
     end
 
     def register_throw_json_response_error(code, message)
-      throw_json_response_error(invalid_oauth_response_status, code, message)
+      throw_json_response_error(oauth_invalid_response_status, code, message)
     end
 
     def register_required_param_message(key)
@@ -214,6 +228,10 @@ module Rodauth
       "The param '#{key}' is not supported by this server."
     end
 
+    def register_invalid_client_metadata_message(key, value)
+      "The value '#{value}' is not supported by this server for param '#{key}'."
+    end
+
     def register_invalid_contacts_message(contacts)
       "The contacts '#{contacts}' are not allowed by this server."
     end
@@ -230,7 +248,7 @@ module Rodauth
       "The given scopes (#{scopes}) are not allowed by this server."
     end
 
-    def register_invalid_grant_type_message(grant_type)
+    def register_oauth_invalid_grant_type_message(grant_type)
       "The grant type #{grant_type} is not allowed by this server."
     end
 

data/lib/rodauth/features/oauth_grant_management.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oauth_grant_management, :OauthTokenManagement) do
+    depends :oauth_management_base, :oauth_token_revocation
+
+    view "oauth_grants", "My Oauth Grants", "oauth_grants"
+
+    button "Revoke", "oauth_grant_revoke"
+
+    auth_value_method :oauth_grants_path, "oauth-grants"
+
+    %w[type token refresh_token expires_in revoked_at].each do |param|
+      translatable_method :"oauth_grants_#{param}_label", param.gsub("_", " ").capitalize
+    end
+    translatable_method :oauth_no_grants_text, "No oauth grants yet!"
+
+    auth_value_method :oauth_grants_route, "oauth-grants"
+    auth_value_method :oauth_grants_id_pattern, Integer
+    auth_value_method :oauth_grants_per_page, 20
+
+    auth_value_methods(
+      :oauth_grant_path
+    )
+
+    def oauth_grants_path(opts = {})
+      route_path(oauth_grants_route, opts)
+    end
+
+    def oauth_grant_path(id)
+      "#{oauth_grants_path}/#{id}"
+    end
+
+    def load_oauth_grant_management_routes
+      request.on(oauth_grants_route) do
+        check_csrf if check_csrf?
+        require_account
+
+        request.post(oauth_grants_id_pattern) do |id|
+          db[oauth_grants_table]
+            .where(oauth_grants_id_column => id)
+            .where(oauth_grants_account_id_column => account_id)
+            .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+          set_notice_flash revoke_oauth_grant_notice_flash
+          redirect oauth_grants_path || "/"
+        end
+
+        request.is do
+          request.get do
+            page = Integer(param_or_nil("page") || 1)
+            per_page = per_page_param(oauth_grants_per_page)
+
+            scope.instance_variable_set(:@oauth_grants, db[oauth_grants_table]
+              .select(Sequel[oauth_grants_table].*, Sequel[oauth_applications_table][oauth_applications_name_column])
+              .join(oauth_applications_table, Sequel[oauth_grants_table][oauth_grants_oauth_application_id_column] =>
+                Sequel[oauth_applications_table][oauth_applications_id_column])
+              .where(Sequel[oauth_grants_table][oauth_grants_account_id_column] => account_id)
+              .where(oauth_grants_revoked_at_column => nil)
+              .order(Sequel.desc(oauth_grants_id_column))
+              .paginate(page, per_page))
+            oauth_grants_view
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -1,23 +1,33 @@
 # frozen_string_literal: true
 
+require "rodauth/oauth"
+
 module Rodauth
   Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
     depends :oauth_authorize_base
 
-    auth_value_method :use_oauth_implicit_grant_type?, false
-
-    private
+    def oauth_grant_types_supported
+      super | %w[implicit]
+    end
 
-    def check_valid_response_type?
-      response_type = param_or_nil("response_type")
+    def oauth_response_types_supported
+      super | %w[token]
+    end
 
-      response_type.nil? || response_type == "token" || super
+    def oauth_response_modes_supported
+      super | %w[fragment]
     end
 
+    private
+
     def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
-      return super unless param("response_type") == "token" && use_oauth_implicit_grant_type?
+      response_type = param("response_type")
+      return super unless response_type == "token" && supported_response_type?(response_type)
 
       response_mode ||= "fragment"
+
+      redirect_response_error("invalid_request") unless supported_response_mode?(response_mode)
+
       response_params.replace(_do_authorize_token)
 
       response_params["state"] = param("state") if param_or_nil("state")
@@ -26,14 +36,15 @@ module Rodauth
     end
 
     def _do_authorize_token
-      create_params = {
-        oauth_tokens_account_id_column => account_id,
-        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
-        oauth_tokens_scopes_column => scopes
+      grant_params = {
+        oauth_grants_type_column => "implicit",
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_scopes_column => scopes,
+        oauth_grants_account_id_column => account_id
       }
-      oauth_token = generate_oauth_token(create_params, false)
+      oauth_grant = generate_token(grant_params, false)
 
-      json_access_token_payload(oauth_token)
+      json_access_token_payload(oauth_grant)
     end
 
     def authorize_response(params, mode)
@@ -46,18 +57,8 @@ module Rodauth
       redirect(redirect_url.to_s)
     end
 
-    def oauth_server_metadata_body(*)
-      super.tap do |data|
-        if use_oauth_implicit_grant_type?
-          data[:response_types_supported] << "token"
-          data[:response_modes_supported] << "fragment"
-          data[:grant_types_supported] << "implicit"
-        end
-      end
-    end
-
     def check_valid_response_type?
-      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+      return true if param_or_nil("response_type") == "token"
 
       super
     end