songkick-oauth2-provider 0.10.0

data/example/config.ru

@@ -0,0 +1,3 @@
+require File.expand_path('../application', __FILE__)
+run Sinatra::Application
+

data/example/environment.rb

@@ -0,0 +1,11 @@
+dir = File.expand_path('..', __FILE__)
+$:.unshift(dir + '/../lib')
+$:.unshift(dir)
+
+require 'songkick/oauth2/provider'
+Songkick::OAuth2::Provider.realm = 'Notes App'
+
+require 'models/connection'
+require 'models/user'
+require 'models/note'
+

data/example/models/connection.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'active_record'
+
+dir = File.expand_path(File.dirname(__FILE__))
+
+ActiveRecord::Base.establish_connection(
+  :adapter  => 'sqlite3',
+  :database => dir + '/../db/notes.sqlite3')
+

data/example/models/note.rb

@@ -0,0 +1,4 @@
+class Note < ActiveRecord::Base
+  belongs_to :user
+end
+

data/example/models/user.rb

@@ -0,0 +1,6 @@
+class User < ActiveRecord::Base
+  include Songkick::OAuth2::Model::ResourceOwner
+  include Songkick::OAuth2::Model::ClientOwner
+  has_many :notes
+end
+

data/example/public/style.css

@@ -0,0 +1,78 @@
+body {
+  font: 16px/1.4 FreeSans, Helvetica, Arial, sans-serif;
+  background: #353e4b;
+}
+
+.sub {
+  width: 640px;
+  margin: 0 auto;
+  padding: 1em 2em;
+}
+
+.header {
+  text-shadow: #23282e 0px -2px 0px;
+}
+
+.header h1 {
+  color: #e5dec7;
+  font-size: 4em;
+  letter-spacing: -0.06em;
+  margin: 0;
+}
+
+.header h2 {
+  color: #b3a784;
+  font-size: 1.5em;
+  font-weight: normal;
+  letter-spacing: -0.06em;
+  margin: 0 0 0.5em;
+}
+
+.content .sub {
+  background: #fff;
+  color: #333;
+  -webkit-border-radius: 16px;
+  -moz-border-radius: 16px;
+  border-radius: 16px;
+}
+
+h3 {
+  color: #888;
+  font-size: 1.5em;
+  font-weight: normal;
+  margin: 0 0 1em;
+}
+
+fieldset {
+  border: none;
+  border-top: 1px solid #ccc;
+  padding: 12px 0 0 0;
+  margin: 12px 0 0 0;
+}
+
+table {
+  border-collapse: collapse;
+}
+
+table th, table td {
+  border-top: 1px solid #eee;
+  padding: 8px 16px;
+}
+
+table th {
+  border-right: 2px solid #ccc;
+  text-align: left;
+}
+
+a {
+  color: #9ba749;
+  font-weight: bold;
+  text-decoration: none;
+}
+
+.footer {
+  font-size: 0.8em;
+  color: #999;
+  text-shadow: #23282e 0px -1px 0px;
+}
+

data/example/schema.rb

@@ -0,0 +1,27 @@
+dir = File.expand_path('..', __FILE__)
+$:.unshift(dir + '/../lib')
+
+require 'rubygems'
+require 'songkick/oauth2/provider'
+require 'fileutils'
+
+require dir + '/models/connection'
+
+FileUtils.mkdir_p(dir + '/db')
+
+ActiveRecord::Schema.define do |version|
+  create_table :users, :force => true do |t|
+    t.timestamps
+    t.string :username
+  end
+  
+  create_table :notes, :force => true do |t|
+    t.timestamps
+    t.belongs_to :user
+    t.string     :title
+    t.text       :body
+  end
+end
+
+Songkick::OAuth2::Model::Schema.up
+

data/example/views/authorize.erb

@@ -0,0 +1,28 @@
+<h3>Authorize OAuth client</h3>
+
+<p>This application <b><%= @oauth2.client.name %></b> wants the following
+  permissions:</p>
+
+<ul>
+  <% @oauth2.scopes.each do |scope| %>
+    <% next unless PERMISSIONS[scope] %>
+    <li><%= PERMISSIONS[scope] %></li>
+  <% end %>
+</ul>
+
+<form method="post" action="/oauth/allow">
+  <% @oauth2.params.each do |key, value| %>
+    <input type="hidden" name="<%= key %>" value="<%= value %>">
+  <% end %>
+  <input type="hidden" name="user_id" value="<%= @user.id %>">
+  
+  <fieldset>
+    <input type="checkbox" name="allow" id="allow" value="1">
+    <label for="allow">Allow this application</label>
+  </fieldset>
+  
+  <fieldset>
+    <input type="submit" value="Go!">
+  </fieldset>
+</form>
+

data/example/views/create_user.erb

@@ -0,0 +1,3 @@
+<h3>New User Created</h3>
+
+<p>Your username is: <%= @user.username %></p>

data/example/views/error.erb

@@ -0,0 +1,6 @@
+<h3>Oh noes, an error!</h3>
+
+<p>The application made an invalid OAuth request.</p>
+
+<pre><%= @oauth2.error_description %></pre>
+

data/example/views/home.erb

@@ -0,0 +1,25 @@
+<p>Welcome to the <b>Songkick OAuth 2.0 demo</b>. The endpoint you should direct
+  users to is:</p>
+
+<pre>    <%= host %>/oauth/authorize</pre>
+
+<p>This handles both user authorization and token exchange requests. Before you
+can use this though, you&rsquo;ll need to register your application.</p>
+
+<ul>
+  <li><a href="/oauth/apps/new">Register your application</a></li>
+</ul>
+
+<p>This application is a note-taking app. It exposes a JSON API for reading a
+  user&rsquo;s notes, but you need an access token for this. Use the OAuth
+  protocol to get one, or see if you can hack in without permission!</p>
+
+<p>The following resources are available. You&rsquo;ll need to ask the user for
+  the <b><code>read_notes</code></b> permission scope to get at them.</p>
+
+<ul>
+  <li><code>/me</code> &mdash; returns the current user&rsquo;s data</li>
+  <li><code>/users/:username/notes</code></li>
+  <li><code>/users/:username/notes/:note_id</code></li>
+</ul>
+

data/example/views/layout.erb

@@ -0,0 +1,25 @@
+<!doctype html>
+<html>
+  <head>
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+    <title>OAuth 2.0 demo</title>
+    <link rel="stylesheet" href="/style.css">
+  </head>
+  <body>
+    
+    <div class="header"><div class="sub">
+      <h1>OAuth 2.0 demo</h1>
+      <h2>Steal my notes, why don&rsquo;t you</h2>
+    </div></div>
+    
+    <div class="content"><div class="sub">
+      <%= yield %>
+    </div></div>
+    
+    <div class="footer"><div class="sub">
+      <p>Copyright &copy; 2010 Songkick.com</p>
+    </div></div>
+    
+  </body>
+</html>
+

data/example/views/login.erb

@@ -0,0 +1,20 @@
+<h3>Sign in</h3>
+
+<p>Who are you? We&rsquo;d ask for a password usually, but seeing as it&rsquo;s
+  <em>you</em>&hellip;</p>
+
+<form method="post" action="/login">
+  <% @oauth2.params.each do |key, value| %>
+    <input type="hidden" name="<%= key %>" value="<%= value %>">
+  <% end %>
+  
+  <fieldset>
+    <label for="username">Username</label>
+    <input type="text" name="username" id="username">
+  </fieldset>
+  
+  <fieldset>
+    <input type="submit" value="Sign in">
+  </fieldset>
+</form>
+

data/example/views/new_client.erb

@@ -0,0 +1,25 @@
+<h3>Register you application</h3>
+
+<% if @client.errors.any? %>
+  <ul class="errors">
+    <% @client.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<form method="post" action="/oauth/apps">
+  <fieldset>
+    <label for="name">Application name</label>
+    <input type="text" name="name" id="name">
+  </fieldset>
+  <fieldset>
+    <label for="redirect_uri">Callback URI</label>
+    <input type="text" name="redirect_uri" id="redirect_uri">
+  </fieldset>
+  
+  <fieldset>
+    <input type="submit" value="Register">
+  </fieldset>
+</form>
+

data/example/views/new_user.erb

@@ -0,0 +1,22 @@
+<h3>Register a User</h3>
+
+<% if @user.errors.any? %>
+  <ul class="errors">
+    <% @user.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<form method="post" action="/users/create">
+  <fieldset>
+    <label for="name">Username</label>
+    <input type="text" name="username" id="username">
+  </fieldset>
+  
+  <fieldset>
+    <input type="submit" value="Register">
+  </fieldset>
+</form>
+
+

data/example/views/show_client.erb

@@ -0,0 +1,15 @@
+<h3>Client app: <%= @client.name %></h3>
+
+<table>
+  <tbody>
+    <tr>
+      <th scope="row">client_id</th>
+      <td><%= @client.client_id %></td>
+    </tr>
+    <tr>
+      <th scope="row">client_secret</th>
+      <td><%= @client_secret %></td>
+    </tr>
+  </tbody>
+</table>
+

data/lib/songkick/oauth2/model.rb

@@ -0,0 +1,20 @@
+require 'active_record'
+
+module Songkick
+  module OAuth2
+    module Model
+      autoload :ClientOwner,   ROOT + '/oauth2/model/client_owner'
+      autoload :ResourceOwner, ROOT + '/oauth2/model/resource_owner'
+      autoload :Hashing,       ROOT + '/oauth2/model/hashing'
+      autoload :Authorization, ROOT + '/oauth2/model/authorization'
+      autoload :Client,        ROOT + '/oauth2/model/client'
+      
+      Schema = Songkick::OAuth2::Schema
+      
+      def self.find_access_token(access_token)
+        Authorization.find_by_access_token_hash(Songkick::OAuth2.hashify(access_token))
+      end
+    end
+  end
+end
+

data/lib/songkick/oauth2/model/authorization.rb

@@ -0,0 +1,126 @@
+module Songkick
+  module OAuth2
+    module Model
+      
+      class Authorization < ActiveRecord::Base
+        self.table_name = :oauth2_authorizations
+        
+        belongs_to :oauth2_resource_owner, :polymorphic => true
+        alias :owner  :oauth2_resource_owner
+        alias :owner= :oauth2_resource_owner=
+        
+        belongs_to :client, :class_name => 'Songkick::OAuth2::Model::Client'
+        
+        validates_presence_of :client, :owner
+        
+        validates_uniqueness_of :code,               :scope => :client_id, :allow_nil => true
+        validates_uniqueness_of :refresh_token_hash, :scope => :client_id, :allow_nil => true
+        validates_uniqueness_of :access_token_hash,                        :allow_nil => true
+        
+        attr_accessible nil
+        
+        extend Hashing
+        hashes_attributes :access_token, :refresh_token
+        
+        def self.for(resource_owner, client)
+          return nil unless resource_owner and client
+          resource_owner.oauth2_authorizations.find_by_client_id(client.id)
+        end
+        
+        def self.create_code(client)
+          Songkick::OAuth2.generate_id do |code|
+            client.authorizations.count(:conditions => {:code => code}).zero?
+          end
+        end
+        
+        def self.create_access_token
+          Songkick::OAuth2.generate_id do |token|
+            hash = Songkick::OAuth2.hashify(token)
+            count(:conditions => {:access_token_hash => hash}).zero?
+          end
+        end
+        
+        def self.create_refresh_token(client)
+          Songkick::OAuth2.generate_id do |refresh_token|
+            hash = Songkick::OAuth2.hashify(refresh_token)
+            client.authorizations.count(:conditions => {:refresh_token_hash => hash}).zero?
+          end
+        end
+        
+        def self.for_response_type(response_type, attributes = {})
+          instance = self.for(attributes[:owner], attributes[:client]) ||
+                     new do |authorization|
+                       authorization.owner  = attributes[:owner]
+                       authorization.client = attributes[:client]
+                     end
+          
+          case response_type
+            when CODE
+              instance.code ||= create_code(attributes[:client])
+            when TOKEN
+              instance.access_token  ||= create_access_token
+              instance.refresh_token ||= create_refresh_token(attributes[:client])
+            when CODE_AND_TOKEN
+              instance.code = create_code(attributes[:client])
+              instance.access_token  ||= create_access_token
+              instance.refresh_token ||= create_refresh_token(attributes[:client])
+          end
+          
+          if attributes[:duration]
+            instance.expires_at = Time.now + attributes[:duration].to_i
+          else
+            instance.expires_at = nil
+          end
+          
+          if attributes[:scope]
+            scopes = instance.scopes + attributes[:scope].split(/\s+/)
+            instance.scope = scopes.entries.join(' ')
+          end
+          
+          instance.save && instance
+        end
+        
+        def exchange!
+          self.code          = nil
+          self.access_token  = self.class.create_access_token
+          self.refresh_token = nil
+          save!
+        end
+        
+        def expired?
+          return false unless expires_at
+          expires_at < Time.now
+        end
+        
+        def expires_in
+          expires_at && (expires_at - Time.now).ceil
+        end
+        
+        def generate_code
+          self.code ||= self.class.create_code(client)
+          save && code
+        end
+        
+        def generate_access_token
+          self.access_token ||= self.class.create_access_token
+          save && access_token
+        end
+        
+        def grants_access?(user, *scopes)
+          not expired? and user == owner and in_scope?(scopes)
+        end
+        
+        def in_scope?(request_scope)
+          [*request_scope].all?(&scopes.method(:include?))
+        end
+        
+        def scopes
+          scopes = scope ? scope.split(/\s+/) : []
+          Set.new(scopes)
+        end
+      end
+      
+    end
+  end
+end
+