songkick-oauth2-provider 0.10.2 → 0.10.3

data/spec/songkick/oauth2/provider/access_token_spec.rb

@@ -4,26 +4,26 @@ describe Songkick::OAuth2::Provider::AccessToken do
   before do
     @alice = TestApp::User['Alice']
     @bob   = TestApp::User['Bob']
-    
+
     create_authorization(
       :owner        => @alice,
       :client       => Factory(:client),
       :scope        => 'profile',
       :access_token => 'sesame')
-    
+
     @authorization = create_authorization(
       :owner        => @bob,
       :client       => Factory(:client),
       :scope        => 'profile',
       :access_token => 'magic-key')
-    
+
     Songkick::OAuth2::Provider.realm = 'Demo App'
   end
-  
+
   let :token do
     Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'magic-key')
   end
-  
+
   shared_examples_for "valid token" do
     it "is valid" do
       token.should be_valid
@@ -38,7 +38,7 @@ describe Songkick::OAuth2::Provider::AccessToken do
       token.owner.should == @bob
     end
   end
-  
+
   shared_examples_for "invalid token" do
     it "is not valid" do
       token.should_not be_valid
@@ -47,77 +47,89 @@ describe Songkick::OAuth2::Provider::AccessToken do
       token.owner.should be_nil
     end
   end
-  
+
   describe "with the right user, scope and token" do
     it_should_behave_like "valid token"
   end
-  
+
+  describe "with an implicit user" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(:implicit, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+
   describe "with no user" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
     end
-    it_should_behave_like "valid token"
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
+      token.response_status.should == 401
+    end
   end
-  
+
   describe "with less scope than was granted" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(@bob, [], 'magic-key')
     end
     it_should_behave_like "valid token"
   end
-  
+
   describe "when the authorization has expired" do
     before { @authorization.update_attribute(:expires_at, 1.hour.ago) }
     it_should_behave_like "invalid token"
-    
+
     it "returns an error response" do
       token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='expired_token'"
       token.response_status.should == 401
     end
   end
-  
+
   describe "with a non-existent token" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'is-the-password-books')
     end
     it_should_behave_like "invalid token"
-    
+
     it "returns an error response" do
       token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
       token.response_status.should == 401
     end
   end
-  
+
   describe "with a token for the wrong user" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'sesame')
     end
     it_should_behave_like "invalid token"
-    
+
     it "returns an error response" do
       token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
       token.response_status.should == 403
     end
   end
-  
+
   describe "with a token for an ungranted scope" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(@bob, ['offline_access'], 'magic-key')
     end
     it_should_behave_like "invalid token"
-    
+
     it "returns an error response" do
       token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
       token.response_status.should == 403
     end
   end
-  
+
   describe "with no token string" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], nil)
     end
     it_should_behave_like "invalid token"
-    
+
     it "returns an error response" do
       token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App'"
       token.response_status.should == 401

data/spec/songkick/oauth2/provider/authorization_spec.rb

@@ -2,157 +2,168 @@ require 'spec_helper'
 
 describe Songkick::OAuth2::Provider::Authorization do
   let(:resource_owner) { TestApp::User['Bob'] }
-  
+
   let(:authorization) { Songkick::OAuth2::Provider::Authorization.new(resource_owner, params) }
-  
+
   let(:params) { { 'response_type' => 'code',
                    'client_id'     => @client.client_id,
                    'redirect_uri'  => @client.redirect_uri }
                }
-  
+
   before do
     @client = Factory(:client)
     Songkick::OAuth2.stub(:random_string).and_return('s1', 's2', 's3')
   end
-  
+
   describe "with valid parameters" do
     it "is valid" do
       authorization.error.should be_nil
     end
   end
-  
+
   describe "with the scope parameter" do
     before { params['scope'] = 'foo bar qux' }
-    
+
     it "exposes the scope as a list of strings" do
       authorization.scopes.should == Set.new(%w[foo bar qux])
     end
-    
+
     it "exposes the scopes the client has not yet granted" do
       authorization.unauthorized_scopes.should == Set.new(%w[foo bar qux])
     end
-    
+
     describe "when the owner has already authorized the client" do
       before do
         create_authorization(:owner => resource_owner, :client => @client, :scope => 'foo bar')
       end
-      
+
       it "exposes the scope as a list of strings" do
         authorization.scopes.should == Set.new(%w[foo bar qux])
       end
-      
+
       it "exposes the scopes the client has not yet granted" do
         authorization.unauthorized_scopes.should == %w[qux]
       end
     end
   end
-  
+
   describe "missing response_type" do
     before { params.delete('response_type') }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_request"
       authorization.error_description.should == "Missing required parameter response_type"
     end
   end
-  
+
   describe "with a bad response_type" do
     before { params['response_type'] = "no_such_type" }
-    
+
     it "is invalid" do
       authorization.error.should == "unsupported_response_type"
       authorization.error_description.should == "Response type no_such_type is not supported"
     end
-    
+
     it "causes a redirect" do
       authorization.should be_redirect
       authorization.redirect_uri.should == "https://client.example.com/cb?error=unsupported_response_type&error_description=Response+type+no_such_type+is+not+supported"
     end
   end
-  
+
   describe "missing client_id" do
     before { params.delete('client_id') }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_request"
       authorization.error_description.should == "Missing required parameter client_id"
     end
-    
+
     it "does not cause a redirect" do
       authorization.should_not be_redirect
     end
   end
-  
+
   describe "with an unknown client_id" do
     before { params['client_id'] = "unknown" }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_client"
       authorization.error_description.should == "Unknown client ID unknown"
     end
-    
+
     it "does not cause a redirect" do
       authorization.should_not be_redirect
     end
   end
-  
+
   describe "missing redirect_uri" do
     before { params.delete('redirect_uri') }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_request"
       authorization.error_description.should == "Missing required parameter redirect_uri"
     end
-    
+
     it "causes a redirect to the client's registered redirect_uri" do
       authorization.should be_redirect
       authorization.redirect_uri.should == "https://client.example.com/cb?error=invalid_request&error_description=Missing+required+parameter+redirect_uri"
     end
   end
-  
+
   describe "with a mismatched redirect_uri" do
     before { params['redirect_uri'] = "http://songkick.com" }
-    
+
     it "is invalid" do
       authorization.error.should == "redirect_uri_mismatch"
       authorization.error_description.should == "Parameter redirect_uri does not match registered URI"
     end
-    
+
     it "causes a redirect to the client's registered redirect_uri" do
       authorization.should be_redirect
       authorization.redirect_uri.should == "https://client.example.com/cb?error=redirect_uri_mismatch&error_description=Parameter+redirect_uri+does+not+match+registered+URI"
     end
-    
+
     describe "when the client has not registered a redirect_uri" do
       before { @client.update_attribute(:redirect_uri, nil) }
-      
+
       it "is valid" do
         authorization.error.should be_nil
       end
     end
   end
-  
+
+  describe "with a redirect_uri with parameters" do
+    before do
+      authorization.client.redirect_uri = "http://songkick.com?some_parameter"
+      params['redirect_uri'] = "http://songkick.com?some_parameter"
+    end
+
+    it "adds the extra parameters with & instead of ?" do
+      authorization.redirect_uri.should == "http://songkick.com?some_parameter&"
+    end
+  end
+
   # http://en.wikipedia.org/wiki/HTTP_response_splitting
   # scope and state values are passed back in the redirect
-  
+
   describe "with an illegal scope" do
     before { params['scope'] = "http\r\nsplitter" }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_request"
       authorization.error_description.should == "Illegal value for scope parameter"
     end
   end
-  
+
   describe "with an illegal state" do
     before { params['state'] = "http\r\nsplitter" }
-    
+
     it "is invalid" do
       authorization.error.should == "invalid_request"
       authorization.error_description.should == "Illegal value for state parameter"
     end
   end
-  
+
   describe "#grant_access!" do
     describe "when there is an existing authorization with no code" do
       before do
@@ -161,7 +172,7 @@ describe Songkick::OAuth2::Provider::Authorization do
           :client => @client,
           :code   => nil)
       end
-      
+
       it "generates and returns a code to the client" do
         authorization.grant_access!
         @model.reload
@@ -169,7 +180,7 @@ describe Songkick::OAuth2::Provider::Authorization do
         authorization.code.should == "s1"
       end
     end
-    
+
     describe "when there is an existing authorization with scopes" do
       before do
         @model = create_authorization(
@@ -177,17 +188,17 @@ describe Songkick::OAuth2::Provider::Authorization do
           :client => @client,
           :code   => nil,
           :scope  => 'foo bar')
-        
+
         params['scope'] = 'qux'
       end
-      
+
       it "merges the new scopes with the existing ones" do
         authorization.grant_access!
         @model.reload
         @model.scopes.should == Set.new(%w[foo bar qux])
       end
     end
-    
+
     describe "when there is an existing expired authorization" do
       before do
         @model = create_authorization(
@@ -197,26 +208,26 @@ describe Songkick::OAuth2::Provider::Authorization do
           :code       => 'existing_code',
           :scope      => 'foo bar')
       end
-      
+
       it "renews the authorization" do
         authorization.grant_access!
         @model.reload
         @model.expires_at.should be_nil
       end
-      
+
       it "returns a code to the client" do
         authorization.grant_access!
         authorization.code.should == "existing_code"
         authorization.access_token.should be_nil
       end
-      
+
       it "sets the expiry time if a duration is given" do
         authorization.grant_access!(:duration => 1.hour)
         @model.reload
         @model.expires_in.should == 3600
         authorization.expires_in.should == 3600
       end
-      
+
       it "augments the scope" do
         params['scope'] = 'qux'
         authorization.grant_access!
@@ -224,29 +235,29 @@ describe Songkick::OAuth2::Provider::Authorization do
         @model.scopes.should == Set.new(%w[foo bar qux])
       end
     end
-    
+
     describe "for code requests" do
       before do
         params['response_type'] = 'code'
         params['scope'] = 'foo bar'
       end
-      
+
       it "makes the authorization redirect" do
         authorization.grant_access!
         authorization.client.should_not be_nil
         authorization.should be_redirect
       end
-      
+
       it "creates a code for the authorization" do
         authorization.grant_access!
         authorization.code.should == "s1"
         authorization.access_token.should be_nil
         authorization.expires_in.should be_nil
       end
-      
+
       it "creates an Authorization in the database" do
         authorization.grant_access!
-        
+
         authorization = Songkick::OAuth2::Model::Authorization.first
         authorization.owner.should == resource_owner
         authorization.client.should == @client
@@ -254,10 +265,10 @@ describe Songkick::OAuth2::Provider::Authorization do
         authorization.scopes.should == Set.new(%w[foo bar])
       end
     end
-    
+
     describe "for token requests" do
       before { params['response_type'] = 'token' }
-      
+
       it "creates a token for the authorization" do
         authorization.grant_access!
         authorization.code.should be_nil
@@ -265,10 +276,10 @@ describe Songkick::OAuth2::Provider::Authorization do
         authorization.refresh_token.should == "s2"
         authorization.expires_in.should be_nil
       end
-      
+
       it "creates an Authorization in the database" do
         authorization.grant_access!
-        
+
         authorization = Songkick::OAuth2::Model::Authorization.first
         authorization.owner.should == resource_owner
         authorization.client.should == @client
@@ -277,10 +288,10 @@ describe Songkick::OAuth2::Provider::Authorization do
         authorization.refresh_token_hash.should == Songkick::OAuth2.hashify("s2")
       end
     end
-    
+
     describe "for code_and_token requests" do
       before { params['response_type'] = 'code_and_token' }
-      
+
       it "creates a code and token for the authorization" do
         authorization.grant_access!
         authorization.code.should == "s1"
@@ -288,10 +299,10 @@ describe Songkick::OAuth2::Provider::Authorization do
         authorization.refresh_token.should == "s3"
         authorization.expires_in.should be_nil
       end
-      
+
       it "creates an Authorization in the database" do
         authorization.grant_access!
-        
+
         authorization = Songkick::OAuth2::Model::Authorization.first
         authorization.owner.should == resource_owner
         authorization.client.should == @client
@@ -301,27 +312,27 @@ describe Songkick::OAuth2::Provider::Authorization do
       end
     end
   end
-  
+
   describe "#deny_access!" do
     it "puts the authorization in an error state" do
       authorization.deny_access!
       authorization.error.should == "access_denied"
       authorization.error_description.should == "The user denied you access"
     end
-    
+
     it "does not create an Authorization" do
       Songkick::OAuth2::Model::Authorization.should_not_receive(:create)
       Songkick::OAuth2::Model::Authorization.should_not_receive(:new)
       authorization.deny_access!
     end
   end
-  
+
   describe "#params" do
     before do
       params['scope'] = params['state'] = 'valid'
       params['controller'] = 'invalid'
     end
-    
+
     it "only exposes OAuth-related parameters" do
       authorization.params.should == {
         'response_type' => 'code',
@@ -331,7 +342,7 @@ describe Songkick::OAuth2::Provider::Authorization do
         'scope'         => 'valid'
       }
     end
-    
+
     it "does not expose parameters with no value" do
       params.delete('scope')
       authorization.params.should == {