simple_oauth2 0.0.0

data/spec/requests/flows/refresh_token_spec.rb

@@ -0,0 +1,282 @@
+require 'spec_helper'
+
+describe 'Token Endpoint' do
+  subject { -> { post url, params } }
+
+  let(:url) { '/oauth/token' }
+  let(:client) { Client.create(name: FFaker::Internet.domain_word, redirect_uri: 'http://localhost:3000/home') }
+  let(:user) { User.create(username: FFaker::Internet.user_name, encrypted_password: FFaker::Internet.password) }
+  let(:client_id) { client.key }
+  let(:client_secret) { client.secret }
+  let(:grant_type) { 'refresh_token' }
+  let(:scopes) { nil }
+  let(:access_token) { AccessToken.create_for(client, user, scopes) }
+  let(:refresh_token) { access_token.refresh_token }
+  let(:params) do
+    {
+      client_id: client_id,
+      client_secret: client_secret,
+      refresh_token: refresh_token,
+      grant_type: grant_type,
+      scope: scopes
+    }
+  end
+
+  describe 'POST /oauth/token' do
+    describe 'RefreshToken flow' do
+      context 'when valid params' do
+        context 'return a new Access Token' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            subject.call
+          end
+
+          it { expect(last_response.status).to eq 200 }
+
+          it { expect(AccessToken.count).to eq 2 }
+          it { expect(AccessToken.last.client_id).to eq client.id }
+          it { expect(AccessToken.last.resource_owner_id).to eq user.id }
+          it { expect(AccessToken.last.scopes).to be_empty }
+
+          it { expect(json_body[:access_token]).to eq AccessToken.last.token }
+          it { expect(json_body[:token_type]).to eq 'bearer' }
+          it { expect(json_body[:expires_in]).to eq 7200 }
+          it { expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token }
+        end
+
+        context 'returns a new Access Token even if used token is expired' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            access_token.update(expires_at: Time.now - 604_800) # - 7 days
+            subject.call
+          end
+
+          it { expect(access_token.refresh_token).not_to be_nil }
+          it { expect(last_response.status).to eq 200 }
+
+          it { expect(AccessToken.count).to eq 2 }
+          it { expect(AccessToken.last.client_id).to eq client.id }
+          it { expect(AccessToken.last.resource_owner_id).to eq user.id }
+          it { expect(AccessToken.last.scopes).to be_empty }
+
+          it { expect(json_body[:access_token]).to eq AccessToken.last.token }
+          it { expect(json_body[:token_type]).to eq 'bearer' }
+          it { expect(json_body[:expires_in]).to eq 7200 }
+          it { expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token }
+        end
+
+        context 'return a new Access Token with scopes' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            subject.call
+          end
+
+          let(:scopes) { 'read' }
+
+          it { expect(AccessToken.count).to eq 2 }
+          it { expect(AccessToken.last.scopes).to eq 'read' }
+
+          it { expect(json_body[:scope]).to eq 'read' }
+        end
+
+        context 'revokes old Access Token if it is configured' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            allow(Simple::OAuth2.config).to receive(:on_refresh).and_return(:revoke!)
+            subject.call
+          end
+
+          it { expect(last_response.status).to eq 200 }
+
+          it { expect(AccessToken.count).to eq 2 }
+          it { expect(AccessToken.last.client_id).to eq client.id }
+          it { expect(AccessToken.last.resource_owner_id).to eq user.id }
+
+          it { expect(access_token.reload.revoked?).to be_truthy }
+
+          it { expect(json_body[:access_token]).to eq AccessToken.last.token }
+          it { expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token }
+        end
+
+        context 'destroy old Access Token if it is configured' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            allow(Simple::OAuth2.config).to receive(:on_refresh).and_return(:destroy)
+            subject.call
+          end
+
+          it { expect(last_response.status).to eq 200 }
+
+          it { expect(AccessToken.count).to eq 1 }
+          it { expect(AccessToken.where(token: access_token.token).first).to be_nil }
+
+          it { expect(json_body[:access_token]).to eq AccessToken.last.token }
+          it { expect(json_body[:token_type]).to eq 'bearer' }
+          it { expect(json_body[:expires_in]).to eq 7200 }
+          it { expect(json_body[:refresh_token]).to eq AccessToken.last.refresh_token }
+        end
+
+        context 'calls custom block on token refresh if it is configured' do
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            allow(Simple::OAuth2.config).to receive(:on_refresh).and_return(
+              ->(token) { token.update(scopes: scopes) }
+            )
+            subject.call
+          end
+          let(:scopes) { 'for example' }
+
+          it { expect(last_response.status).to eq 200 }
+
+          it { expect(AccessToken.count).to eq 2 }
+          it { expect(access_token.reload.scopes).to eq(scopes) }
+        end
+
+        context 'does nothing on token refresh if :on_refresh is equal to' do
+          let(:callback) { nil }
+
+          before do
+            allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+            allow(Simple::OAuth2.config).to receive(:on_refresh).and_return(callback)
+          end
+
+          context 'nil' do
+            before { subject.call }
+
+            it { expect(Simple::OAuth2::Strategies::RefreshToken).not_to receive(:run_callback_on_refresh_token) }
+            it { expect(last_response.status).to eq 200 }
+          end
+
+          context ':nothing' do
+            let(:callback) { :nothing }
+            before { subject.call }
+
+            it { expect(Simple::OAuth2::Strategies::RefreshToken).not_to receive(:run_callback_on_refresh_token) }
+            it { expect(last_response.status).to eq 200 }
+          end
+
+          context 'String' do
+            let(:callback) { 'SomeClass' }
+            let(:error) do
+              ":on_refresh is not a block and Access Token class doesn't respond to #{callback}!"
+            end
+
+            it { expect { subject.call }.to raise_error(ArgumentError, error) }
+          end
+        end
+      end
+
+      context 'when invalid params' do
+        before do
+          allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+          subject.call
+        end
+
+        context 'without client_id' do
+          let(:client_id) {}
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('invalid_request') }
+          it { expect(json_body[:error_description]).to eq("'client_id' required.") }
+          it { expect(last_response.status).to eq 400 }
+        end
+
+        context 'with invalid client_id' do
+          let(:client_id) { 'invalid' }
+          let(:error_description) do
+            'The client identifier provided is invalid, the client failed to authenticate, '\
+            'the client did not include its credentials, provided multiple client credentials, '\
+            'or used unsupported credentials type.'
+          end
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('invalid_client') }
+          it { expect(json_body[:error_description]).to eq(error_description) }
+          it { expect(last_response.status).to eq 401 }
+        end
+
+        context 'without client_secret' do
+          let(:client_secret) {}
+          let(:error_description) do
+            'The client identifier provided is invalid, the client failed to authenticate, '\
+            'the client did not include its credentials, provided multiple client credentials, '\
+            'or used unsupported credentials type.'
+          end
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('invalid_client') }
+          it { expect(json_body[:error_description]).to eq(error_description) }
+          it { expect(last_response.status).to eq 401 }
+        end
+
+        context 'with invalid client_secret' do
+          let(:client_secret) { 'invalid' }
+          let(:error_description) do
+            'The client identifier provided is invalid, the client failed to authenticate, '\
+            'the client did not include its credentials, provided multiple client credentials, '\
+            'or used unsupported credentials type.'
+          end
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('invalid_client') }
+          it { expect(json_body[:error_description]).to eq(error_description) }
+          it { expect(last_response.status).to eq 401 }
+        end
+
+        context 'without refresh_token' do
+          let(:refresh_token) {}
+
+          it { expect(AccessToken.count).to be_zero }
+
+          it { expect(json_body[:error]).to eq('invalid_request') }
+          it { expect(json_body[:error_description]).to eq("'refresh_token' required.") }
+          it { expect(last_response.status).to eq 400 }
+        end
+
+        context 'with invalid refresh_token' do
+          let(:refresh_token) { 'invalid' }
+          let(:error_description) do
+            'The provided access grant is invalid, expired, or revoked '\
+            '(e.g. invalid assertion, expired authorization token, '\
+            'bad end-user password credentials, or mismatching authorization code and redirection URI).'
+          end
+
+          it { expect(AccessToken.count).to be_zero }
+
+          it { expect(json_body[:error]).to eq('invalid_grant') }
+          it { expect(json_body[:error_description]).to eq(error_description) }
+          it { expect(last_response.status).to eq 400 }
+        end
+
+        context 'without grant_type' do
+          let(:grant_type) {}
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('invalid_request') }
+          it { expect(json_body[:error_description]).to eq("'grant_type' required.") }
+          it { expect(last_response.status).to eq 400 }
+        end
+
+        context 'with invalid grant_type' do
+          let(:grant_type) { 'invalid' }
+          let(:error_description) do
+            'The access grant included - '\
+            'its type or another attribute - '\
+            'is not supported by the authorization server.'
+          end
+
+          it { expect(AccessToken.count).to eq 1 }
+
+          it { expect(json_body[:error]).to eq('unsupported_grant_type') }
+          it { expect(json_body[:error_description]).to eq(error_description) }
+          it { expect(last_response.status).to eq 400 }
+        end
+      end
+    end
+  end
+end

data/spec/requests/flows/token_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+
+describe 'Authorization Endpoint' do
+  subject { -> { post url, params } }
+
+  let(:url) { '/oauth/authorization' }
+  let!(:user) { User.create(username: FFaker::Internet.user_name, encrypted_password: FFaker::Internet.password) }
+  let(:client) { Client.create(name: FFaker::Internet.domain_word, redirect_uri: 'http://localhost:3000/home') }
+  let(:client_id) { client.key }
+  let(:redirect_uri) { client.redirect_uri }
+  let(:response_type) { 'token' }
+  let(:state) { nil }
+  let(:scope) { nil }
+  let(:params) do
+    {
+      client_id: client_id,
+      redirect_uri: redirect_uri,
+      response_type: response_type,
+      state: state,
+      scope: scope
+    }
+  end
+
+  describe 'POST /oauth/custom_authorization' do
+    let(:url) { '/oauth/custom_authorization' }
+
+    before { subject.call }
+
+    context 'invokes custom block' do
+      it { expect(last_response.status).to eq(400) }
+    end
+  end
+
+  describe 'POST /oauth/authorization' do
+    describe 'Token flow' do
+      before { subject.call }
+
+      context 'when valid params' do
+        let(:access_token) { AccessToken.last.token }
+        let(:response_header) do
+          "#{client.redirect_uri}#access_token=#{access_token}&expires_in=7200&token_type=bearer"
+        end
+
+        it { expect(AccessToken.count).to eq 1 }
+        it { expect(AccessToken.last.scopes).to be_empty }
+        it { expect(AccessToken.last.resource_owner.username).to eq user.username }
+        it { expect(last_response.status).to eq 302 }
+        it { expect(last_response.headers['Location']).to eq response_header }
+
+        context 'without redirect_uri' do
+          let(:redirect_uri) {}
+
+          it { expect(last_response.headers['Location']).to eq response_header }
+        end
+
+        context 'with state' do
+          let(:state) { 'zxc' }
+          let(:response_header_with_state) do
+            "#{client.redirect_uri}#access_token=#{access_token}&expires_in=7200&state=#{state}&token_type=bearer"
+          end
+
+          it { expect(last_response.headers['Location']).to eq response_header_with_state }
+        end
+
+        context 'with scopes' do
+          let(:scope) { 'read,write' }
+
+          it { expect(AccessToken.last.scopes).to eq 'read,write' }
+        end
+      end
+
+      context 'when invalid params' do
+        context 'without client_id' do
+          let(:client_id) {}
+
+          it { expect(last_response.status).to eq 400 }
+          it { expect(json_body[:error]).to eq('bad_request') }
+        end
+
+        context 'with invalid client_id' do
+          let(:client_id) { 'invalid' }
+
+          it { expect(last_response.status).to eq 400 }
+          it { expect(json_body[:error]).to eq('bad_request') }
+        end
+
+        context 'with invalid redirect_uri' do
+          let(:redirect_uri) { 'invalid' }
+
+          it { expect(last_response.status).to eq 400 }
+          it { expect(json_body[:error]).to eq('bad_request') }
+        end
+
+        context 'without response_type' do
+          let(:response_type) {}
+
+          it { expect(last_response.status).to eq 400 }
+          it { expect(json_body[:error]).to eq('invalid_request') }
+          it { expect(json_body[:error_description]).to eq "'response_type' required." }
+        end
+
+        context 'with invalid response_type' do
+          let(:response_type) { 'invalid' }
+          let(:error_description) { 'The requested response type is not supported by the authorization server.' }
+
+          it { expect(last_response.status).to eq 400 }
+          it { expect(json_body[:error]).to eq 'unsupported_response_type' }
+          it { expect(json_body[:error_description]).to eq error_description }
+        end
+      end
+    end
+  end
+end

data/spec/requests/protected_resources_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe 'GET Protected Resources' do
+  subject { -> { get url, params } }
+
+  let(:url) { '/api/v1/status' }
+  let(:client) { Client.create(name: FFaker::Internet.domain_word, redirect_uri: 'http://localhost:3000/home') }
+  let(:user) { User.create(username: FFaker::Internet.user_name, encrypted_password: FFaker::Internet.password) }
+  let(:scopes) { nil }
+  let(:access_token) { AccessToken.create_for(client, user, scopes) }
+  let(:params) { { access_token: access_token.token } }
+
+  before { subject.call }
+
+  context 'with invalid data' do
+    context 'returns Unauthorized without access_token' do
+      let(:params) {}
+
+      it { expect(last_response.status).to eq 401 }
+      it { expect(json_body[:error]).to eq 'unauthorized' }
+      it { expect(last_response.headers['WWW-Authenticate']).to eq('Bearer realm="Custom Realm"') }
+    end
+
+    context 'returns Unauthorized when token scopes are blank' do
+      let(:url) { '/api/v1/status/single_scope' }
+
+      it { expect(last_response.status).to eq 403 }
+      it { expect(json_body[:error]).to eq 'forbidden' }
+    end
+
+    context "returns Unauthorized when token scopes doesn't match required scopes" do
+      let(:url) { '/api/v1/status/multiple_scopes' }
+      let(:scopes) { 'read' }
+
+      it { expect(last_response.status).to eq 403 }
+      it { expect(json_body[:error]).to eq 'forbidden' }
+    end
+  end
+
+  context 'with valid data' do
+    context "returns status for endpoint that doesn't requires any scope" do
+      it { expect(last_response.status).to eq 200 }
+      it { expect(json_body[:value]).to eq('Access') }
+      it { expect(json_body[:current_user_name]).not_to be_nil }
+    end
+
+    context 'returns status for endpoint with specific scope' do
+      let(:url) { '/api/v1/status/single_scope' }
+      let(:scopes) { 'read' }
+
+      it { expect(last_response.status).to eq 200 }
+      it { expect(json_body[:value]).to eq('Access read') }
+      it { expect(json_body[:current_user_name]).not_to be_nil }
+    end
+
+    context 'returns status for endpoint with specific set of scopes' do
+      let(:url) { '/api/v1/status/multiple_scopes' }
+      let(:scopes) { 'read,write' }
+
+      it { expect(last_response.status).to eq 200 }
+      it { expect(json_body[:value]).to eq('Access read, write') }
+      it { expect(json_body[:current_user_name]).not_to be_nil }
+    end
+  end
+end

data/spec/requests/revoke_token_spec.rb

@@ -0,0 +1,90 @@
+require 'spec_helper'
+
+describe 'RevokeToken Endpoint' do
+  subject { -> { post url, params } }
+
+  let(:url) { '/oauth/revoke_token' }
+  let(:user) { User.create(username: FFaker::Internet.user_name, encrypted_password: FFaker::Internet.password) }
+  let(:client) { Client.create(name: FFaker::Internet.domain_word, redirect_uri: 'http://localhost:3000/home') }
+  let(:access_token) { AccessToken.create_for(client, user) }
+  let(:client_id) { client.key }
+  let(:refresh_token) { access_token.refresh_token }
+  let(:params) do
+    {
+      client_id: client_id,
+      token: refresh_token
+    }
+  end
+
+  describe 'POST /oauth/revoke_token' do
+    before do
+      allow(Simple::OAuth2.config).to receive(:issue_refresh_token).and_return(true)
+      subject.call
+    end
+
+    context 'with valid params' do
+      it { expect(last_response.status).to eq 200 }
+      it { expect(last_response.header).to be_empty }
+      it { expect(last_response.body).to be_empty }
+
+      it { expect(access_token.reload.refresh_token).to_not be_nil }
+      it { expect(access_token.reload.revoked_at).to_not be_nil }
+    end
+
+    context 'with invalid params' do
+      context 'without client_id' do
+        let(:client_id) {}
+        let(:error_description) do
+          'The client identifier provided is invalid, the client failed to authenticate, '\
+          'the client did not include its credentials, provided multiple client credentials, '\
+          'or used unsupported credentials type.'
+        end
+
+        it { expect(last_response.status).to eq 401 }
+        it { expect(json_body[:error]).to eq 'invalid_client' }
+        it { expect(json_body[:error_description]).to eq error_description }
+
+        it { expect(access_token.reload.refresh_token).to_not be_nil }
+        it { expect(access_token.reload.revoked_at).to be_nil }
+      end
+
+      context 'when client_id invalid' do
+        let(:client_id) { 'invalid' }
+        let(:error_description) do
+          'The client identifier provided is invalid, the client failed to authenticate, '\
+          'the client did not include its credentials, provided multiple client credentials, '\
+          'or used unsupported credentials type.'
+        end
+
+        it { expect(last_response.status).to eq 401 }
+        it { expect(json_body[:error]).to eq 'invalid_client' }
+        it { expect(json_body[:error_description]).to eq error_description }
+
+        it { expect(access_token.reload.refresh_token).to_not be_nil }
+        it { expect(access_token.reload.revoked_at).to be_nil }
+      end
+
+      context 'without token' do
+        let(:refresh_token) {}
+
+        it { expect(last_response.status).to eq 200 }
+        it { expect(last_response.header).to be_empty }
+        it { expect(last_response.body).to be_empty }
+
+        it { expect(access_token.reload.refresh_token).to_not be_nil }
+        it { expect(access_token.reload.revoked_at).to be_nil }
+      end
+
+      context 'when token invalid' do
+        let(:refresh_token) { 'invalid' }
+
+        it { expect(last_response.status).to eq 200 }
+        it { expect(last_response.header).to be_empty }
+        it { expect(last_response.body).to be_empty }
+
+        it { expect(access_token.reload.refresh_token).to_not be_nil }
+        it { expect(access_token.reload.revoked_at).to be_nil }
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,51 @@
+ENV['RAILS_ENV'] ||= 'test'
+ENV['ORM']       ||= 'nobrainer'
+
+ORM_GEMS_MAPPING = {
+  'nobrainer' => 'nobrainer'
+}.freeze
+
+if RUBY_VERSION >= '1.9'
+  require 'simplecov'
+  require 'coveralls'
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    Coveralls::SimpleCov::Formatter
+  ]
+
+  SimpleCov.start do
+    add_filter '/spec/'
+    minimum_coverage(90)
+  end
+end
+
+require 'rack/test'
+require 'ffaker'
+require ORM_GEMS_MAPPING[ENV['ORM']]
+require File.expand_path("../dummy/orm/#{ENV['ORM']}/app/twitter", __FILE__)
+
+APP = Rack::Builder.parse_file(File.expand_path("../dummy/orm/#{ENV['ORM']}/config.ru", __FILE__)).first
+
+require 'support/helper'
+
+RSpec.configure do |config|
+  config.include Helper
+
+  config.filter_run_excluding skip_if: true
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+
+  config.order = :random
+  config.color = true
+
+  config.before(:all) do
+    NoBrainer.sync_schema
+  end
+
+  config.before(:each) do
+    NoBrainer.purge!
+    NoBrainer::Loader.cleanup
+  end
+end

data/spec/support/helper.rb

@@ -0,0 +1,11 @@
+module Helper
+  include Rack::Test::Methods
+
+  def app
+    APP
+  end
+
+  def json_body
+    JSON.parse(last_response.body, symbolize_names: true)
+  end
+end