songkick-oauth2-provider 0.10.0 → 0.10.1

data/History.txt

@@ -0,0 +1,12 @@
+=== 0.10.1 / 2012-10-29
+
+* Add uniqueness constraints to the database for various Authorization properties
+* Make Authorization.new() and Authorization.create() private
+* Disallow client_secret from being sent in a query string
+* Use SecureRandom where available to generate tokens
+
+
+=== 0.10.0 / 2012-08-27
+
+* Initial release, implements http://tools.ietf.org/html/draft-ietf-oauth-v2-10
+

data/example/environment.rb

@@ -1,11 +1,12 @@
-dir = File.expand_path('..', __FILE__)
-$:.unshift(dir + '/../lib')
-$:.unshift(dir)
+require 'rubygems'
+require 'bundler/setup'
 
+require 'active_record'
 require 'songkick/oauth2/provider'
 Songkick::OAuth2::Provider.realm = 'Notes App'
 
-require 'models/connection'
-require 'models/user'
-require 'models/note'
+dir = File.expand_path('..', __FILE__)
+require dir + '/models/connection'
+require dir + '/models/user'
+require dir + '/models/note'
 

data/example/models/connection.rb

@@ -1,9 +1,9 @@
-require 'rubygems'
-require 'active_record'
+require 'fileutils'
 
-dir = File.expand_path(File.dirname(__FILE__))
+dbfile = File.expand_path('../../db/notes.sqlite3', __FILE__)
+FileUtils.mkdir_p(File.dirname(dbfile))
 
 ActiveRecord::Base.establish_connection(
   :adapter  => 'sqlite3',
-  :database => dir + '/../db/notes.sqlite3')
+  :database => dbfile)
 

data/example/schema.rb

@@ -1,13 +1,9 @@
-dir = File.expand_path('..', __FILE__)
-$:.unshift(dir + '/../lib')
-
 require 'rubygems'
-require 'songkick/oauth2/provider'
-require 'fileutils'
+require 'bundler/setup'
 
-require dir + '/models/connection'
-
-FileUtils.mkdir_p(dir + '/db')
+require 'songkick/oauth2/provider'
+require 'active_record'
+require File.expand_path('../models/connection', __FILE__)
 
 ActiveRecord::Schema.define do |version|
   create_table :users, :force => true do |t|

data/lib/songkick/oauth2/model.rb

@@ -11,6 +11,25 @@ module Songkick
       
       Schema = Songkick::OAuth2::Schema
       
+      DUPLICATE_RECORD_ERRORS = [
+        /^Mysql::Error:\s+Duplicate\s+entry\b/,
+        /^PG::Error:\s+ERROR:\s+duplicate\s+key\b/,
+        /\bConstraintException\b/
+      ]
+      
+      # ActiveRecord::RecordNotUnique was introduced in Rails 3.0 so referring
+      # to it while running earlier versions will raise an error. The above
+      # error strings should match PostgreSQL, MySQL and SQLite errors on
+      # Rails 2. If you're running a different adapter, add a suitable regex to
+      # the list:
+      # 
+      #     Songkick::OAuth2::Model::DUPLICATE_RECORD_ERRORS << /DB2 found a dup/
+      # 
+      def self.duplicate_record_error?(error)
+        error.class.name == 'ActiveRecord::RecordNotUnique' or
+        DUPLICATE_RECORD_ERRORS.any? { |re| re =~ error.message }
+      end
+      
       def self.find_access_token(access_token)
         Authorization.find_by_access_token_hash(Songkick::OAuth2.hashify(access_token))
       end

data/lib/songkick/oauth2/model/authorization.rb

@@ -19,14 +19,13 @@ module Songkick
         
         attr_accessible nil
         
+        class << self
+          private :create, :new
+        end
+        
         extend Hashing
         hashes_attributes :access_token, :refresh_token
         
-        def self.for(resource_owner, client)
-          return nil unless resource_owner and client
-          resource_owner.oauth2_authorizations.find_by_client_id(client.id)
-        end
-        
         def self.create_code(client)
           Songkick::OAuth2.generate_id do |code|
             client.authorizations.count(:conditions => {:code => code}).zero?
@@ -47,23 +46,29 @@ module Songkick
           end
         end
         
-        def self.for_response_type(response_type, attributes = {})
-          instance = self.for(attributes[:owner], attributes[:client]) ||
+        def self.for(owner, client, attributes = {})
+          return nil unless owner and client
+          
+          unless client.is_a?(Client)
+            raise ArgumentError, "The argument should be a #{Client}, instead it was a #{client.class}"
+          end
+          
+          instance = owner.oauth2_authorization_for(client) ||
                      new do |authorization|
-                       authorization.owner  = attributes[:owner]
-                       authorization.client = attributes[:client]
+                       authorization.owner  = owner
+                       authorization.client = client
                      end
           
-          case response_type
+          case attributes[:response_type]
             when CODE
-              instance.code ||= create_code(attributes[:client])
+              instance.code ||= create_code(client)
             when TOKEN
               instance.access_token  ||= create_access_token
-              instance.refresh_token ||= create_refresh_token(attributes[:client])
+              instance.refresh_token ||= create_refresh_token(client)
             when CODE_AND_TOKEN
-              instance.code = create_code(attributes[:client])
+              instance.code = create_code(client)
               instance.access_token  ||= create_access_token
-              instance.refresh_token ||= create_refresh_token(attributes[:client])
+              instance.refresh_token ||= create_refresh_token(client)
           end
           
           if attributes[:duration]
@@ -72,12 +77,18 @@ module Songkick
             instance.expires_at = nil
           end
           
-          if attributes[:scope]
-            scopes = instance.scopes + attributes[:scope].split(/\s+/)
-            instance.scope = scopes.entries.join(' ')
-          end
+          scopes = instance.scopes + (attributes[:scopes] || [])
+          scopes += attributes[:scope].split(/\s+/) if attributes[:scope]
+          instance.scope = scopes.entries.join(' ')
           
           instance.save && instance
+          
+        rescue Object => error
+          if Model.duplicate_record_error?(error)
+            retry
+          else
+            raise error
+          end
         end
         
         def exchange!

data/lib/songkick/oauth2/model/client.rb

@@ -1,5 +1,3 @@
-require 'bcrypt'
-
 module Songkick
   module OAuth2
     module Model
@@ -13,7 +11,7 @@ module Songkick
             
         has_many :authorizations, :class_name => 'Songkick::OAuth2::Model::Authorization', :dependent => :destroy
         
-        validates_uniqueness_of :client_id
+        validates_uniqueness_of :client_id, :name
         validates_presence_of   :name, :redirect_uri
         validate :check_format_of_redirect_uri
         

data/lib/songkick/oauth2/model/resource_owner.rb

@@ -2,50 +2,20 @@ module Songkick
   module OAuth2
     module Model
       
-      module AuthorizationAssociation
-        def find_or_create_for_client(client)
-          unless client.is_a?(Client)
-            raise ArgumentError, "The argument should be a #{Client}, instead it was a #{client.class}"
-          end
-          
-          # find_or_create_by_client_id does not work across AR versions
-          authorization = find_by_client_id(client.id) || build
-          authorization.client = client
-          authorization.owner = owner
-          authorization.save
-          authorization
-        end
-
-      private
-
-        def owner
-          respond_to?(:proxy_association) ? proxy_association.owner : proxy_owner
-        end
-      end
-
       module ResourceOwner
         def self.included(klass)
           klass.has_many :oauth2_authorizations,
-                         :class_name => 'Songkick::OAuth2::Model::Authorization',
+                         :class_name => Authorization.name,
                          :as => :oauth2_resource_owner,
-                         :dependent => :destroy,
-                         :extend => AuthorizationAssociation
+                         :dependent => :destroy
         end
         
         def grant_access!(client, options = {})
-          authorization = oauth2_authorizations.find_or_create_for_client(client)
-
-          if scopes = options[:scopes]
-            scopes = authorization.scopes + scopes
-            authorization.scope = scopes.entries.join(' ')
-          end
-          
-          if duration = options[:duration]
-            authorization.expires_at = Time.now + duration.to_i
-          end
-          
-          authorization.save! if authorization.changed?
-          authorization
+          Authorization.for(self, client, options)
+        end
+        
+        def oauth2_authorization_for(client)
+          oauth2_authorizations.find_by_client_id(client.id)
         end
       end
       

data/lib/songkick/oauth2/provider.rb

@@ -1,6 +1,15 @@
+require 'base64'
+require 'bcrypt'
+require 'cgi'
 require 'digest/sha1'
 require 'json'
 require 'logger'
+require 'rack'
+
+begin
+  require 'securerandom'
+rescue LoadError
+end
 
 module Songkick
   module OAuth2
@@ -12,7 +21,11 @@ module Songkick
     autoload :Schema, ROOT + '/oauth2/schema'
     
     def self.random_string
-      rand(2 ** TOKEN_SIZE).to_s(36)
+      if defined? SecureRandom
+        SecureRandom.hex(TOKEN_SIZE / 8).to_i(16).to_s(36)
+      else
+        rand(2 ** TOKEN_SIZE).to_s(36)
+      end
     end
     
     def self.generate_id(&predicate)
@@ -63,6 +76,13 @@ module Songkick
     ACCESS_DENIED          = 'access_denied'
     
     class Provider
+      EXPIRY_TIME = 3600
+
+      autoload :Authorization, ROOT + '/oauth2/provider/authorization'
+      autoload :Exchange,      ROOT + '/oauth2/provider/exchange'
+      autoload :AccessToken,   ROOT + '/oauth2/provider/access_token'
+      autoload :Error,         ROOT + '/oauth2/provider/error'
+
       class << self
         attr_accessor :realm, :enforce_ssl
       end
@@ -109,14 +129,8 @@ module Songkick
       def self.access_token_from_request(*args)
         Router.access_token_from_request(*args)
       end
-      
-      EXPIRY_TIME            = 3600
-      
-      autoload :Authorization, ROOT + '/oauth2/provider/authorization'
-      autoload :Exchange,      ROOT + '/oauth2/provider/exchange'
-      autoload :AccessToken,   ROOT + '/oauth2/provider/access_token'
-      autoload :Error,         ROOT + '/oauth2/provider/error'
     end
+
   end
 end
 

data/lib/songkick/oauth2/provider/authorization.rb

@@ -1,5 +1,3 @@
-require 'cgi'
-
 module Songkick
   module OAuth2
     class Provider
@@ -26,7 +24,7 @@ module Songkick
           
           return unless @owner and not @error
           
-          @model = Model::Authorization.for(@owner, @client)
+          @model = @owner.oauth2_authorization_for(@client)
           return unless @model and @model.in_scope?(scopes) and not @model.expired?
           
           @authorized = true
@@ -50,11 +48,10 @@ module Songkick
         end
         
         def grant_access!(options = {})
-          @model = Model::Authorization.for_response_type(@params[RESPONSE_TYPE],
-            :owner    => @owner,
-            :client   => @client,
-            :scope    => @scope,
-            :duration => options[:duration])
+          @model = Model::Authorization.for(@owner, @client,
+            :response_type => @params[RESPONSE_TYPE],
+            :scope         => @scope,
+            :duration      => options[:duration])
           
           @code          = @model.code
           @access_token  = @model.access_token
@@ -62,7 +59,7 @@ module Songkick
           @expires_in    = @model.expires_in
           
           unless @params[RESPONSE_TYPE] == CODE
-            @expires_in  = @model.expires_in
+            @expires_in = @model.expires_in
           end
           
           @authorized = true

data/lib/songkick/oauth2/router.rb

@@ -1,6 +1,3 @@
-require 'base64'
-require 'rack'
-
 module Songkick
   module OAuth2
     class Router
@@ -68,12 +65,14 @@ module Songkick
           request = request_from(env)
           
           if Provider.enforce_ssl and not request.ssl?
-            Provider::Error.new("must make requests using HTTPS")
+            Provider::Error.new('must make requests using HTTPS')
+          elsif request.GET['client_secret']
+            Provider::Error.new('must not send client credentials in the URI')
           end
         end
       end
       
     end
   end
-  end
+end
 

data/lib/songkick/oauth2/schema/20120828112156_songkick_oauth2_schema_original_schema.rb

@@ -9,7 +9,7 @@ class SongkickOauth2SchemaOriginalSchema < ActiveRecord::Migration
       t.string     :client_secret_hash
       t.string     :redirect_uri
     end
-    add_index :oauth2_clients, :client_id
+    add_index :oauth2_clients, [:client_id]
     
     create_table :oauth2_authorizations do |t|
       t.timestamps

data/lib/songkick/oauth2/schema/20121024180930_songkick_oauth2_schema_add_authorization_index.rb

@@ -0,0 +1,14 @@
+class SongkickOauth2SchemaAddAuthorizationIndex < ActiveRecord::Migration
+  INDEX_NAME = 'index_owner_client_pairs'
+  
+  def self.up
+    remove_index :oauth2_authorizations, [:client_id, :access_token_hash]
+    add_index :oauth2_authorizations, [:client_id, :oauth2_resource_owner_type, :oauth2_resource_owner_id], :name => INDEX_NAME, :unique => true
+  end
+  
+  def self.down
+    remove_index :oauth2_authorizations, INDEX_NAME
+    add_index :oauth2_authorizations, [:client_id, :access_token_hash]
+  end
+end
+

data/lib/songkick/oauth2/schema/20121025180447_songkick_oauth2_schema_add_unique_indexes.rb

@@ -0,0 +1,32 @@
+class SongkickOauth2SchemaAddUniqueIndexes < ActiveRecord::Migration
+  FIELDS = [:code, :refresh_token_hash]
+  
+  def self.up
+    FIELDS.each do |field|
+      remove_index :oauth2_authorizations, [:client_id, field]
+      add_index :oauth2_authorizations, [:client_id, field], :unique => true
+    end
+    remove_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:access_token_hash], :unique => true
+    
+    remove_index :oauth2_clients, [:client_id]
+    add_index :oauth2_clients, [:client_id], :unique => true
+    
+    add_index :oauth2_clients, [:name], :unique => true
+  end
+  
+  def self.down
+    FIELDS.each do |field|
+      remove_index :oauth2_authorizations, [:client_id, field]
+      add_index :oauth2_authorizations, [:client_id, field]
+    end
+    remove_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:access_token_hash]
+    
+    remove_index :oauth2_clients, [:client_id]
+    add_index :oauth2_clients, [:client_id]
+    
+    remove_clients :oauth2_clients, [:name]
+  end
+end
+

data/spec/factories.rb

@@ -19,9 +19,3 @@ Factory.define :client, :class => Songkick::OAuth2::Model::Client do |c|
   c.redirect_uri  'https://client.example.com/cb'
 end
 
-Factory.define :authorization, :class => Songkick::OAuth2::Model::Authorization do |ac|
-  ac.client     Factory(:client)
-  ac.code       { Songkick::OAuth2.random_string }
-  ac.expires_at nil
-end
-

data/spec/request_helpers.rb

@@ -1,9 +1,12 @@
 module RequestHelpers
   require 'net/http'
   
+  def querystring(params)
+    params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join('&')
+  end
+  
   def get(query_params)
-    qs  = params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join('&')
-    uri = URI.parse('http://localhost:8000/authorize?' + qs)
+    uri = URI.parse('http://localhost:8000/authorize?' + querystring(query_params))
     Net::HTTP.get_response(uri)
   end
   
@@ -16,8 +19,11 @@ module RequestHelpers
     Net::HTTP.post_form(URI.parse(url), query_params)
   end
   
-  def post(query_params)
-    Net::HTTP.post_form(URI.parse('http://localhost:8000/authorize'), query_params)
+  def post(body_params, query_params = {})
+    uri = URI.parse('http://localhost:8000/authorize?' + querystring(query_params))
+    Net::HTTP.start(uri.host, uri.port) do |http|
+      http.post(uri.path + '?' + uri.query.to_s, querystring(body_params))
+    end
   end
   
   def validate_response(response, status, body)

data/spec/songkick/oauth2/model/authorization_spec.rb

@@ -5,9 +5,10 @@ describe Songkick::OAuth2::Model::Authorization do
   let(:impostor) { Factory :client }
   let(:owner)    { Factory :owner }
   let(:user)     { Factory :owner }
+  let(:tester)   { Factory(:owner) }
   
   let(:authorization) do
-    create_authorization(:owner => owner, :client => client)
+    create_authorization(:owner => tester, :client => client)
   end
   
   it "is vaid" do
@@ -32,7 +33,7 @@ describe Songkick::OAuth2::Model::Authorization do
         :access_token  => 'existing_access_token')
         
       create_authorization(
-        :owner         => owner,
+        :owner         => user,
         :client        => client,
         :code          => 'existing_code')
         
@@ -110,6 +111,27 @@ describe Songkick::OAuth2::Model::Authorization do
         Songkick::OAuth2::Model::Authorization.create_refresh_token(impostor).should == 'existing_refresh_token'
       end
     end
+    
+    describe "duplicate records" do
+      it "raises an error if a duplicate authorization is created" do
+        lambda {
+          authorization = Songkick::OAuth2::Model::Authorization.__send__(:new)
+          authorization.owner = user
+          authorization.client = client
+          authorization.save
+        }.should raise_error
+      end
+      
+      it "finds an existing record after a race" do
+        user.stub(:oauth2_authorization_for) do
+          user.unstub(:oauth2_authorization_for)
+          raise TypeError, 'Mysql::Error: Duplicate entry'
+        end
+        authorization = Songkick::OAuth2::Model::Authorization.for(user, client)
+        authorization.owner.should == user
+        authorization.client.should == client
+      end
+    end
   end
   
   describe "#exchange!" do
@@ -150,7 +172,7 @@ describe Songkick::OAuth2::Model::Authorization do
   
   describe "#grants_access?" do
     it "returns true given the right user" do
-      authorization.grants_access?(owner).should be_true
+      authorization.grants_access?(tester).should be_true
     end
     
     it "returns false given the wrong user" do
@@ -161,7 +183,7 @@ describe Songkick::OAuth2::Model::Authorization do
       before { authorization.expires_at = 2.days.ago }
       
       it "returns false in all cases" do
-        authorization.grants_access?(owner).should be_false
+        authorization.grants_access?(tester).should be_false
         authorization.grants_access?(user).should be_false
       end
     end
@@ -184,23 +206,23 @@ describe Songkick::OAuth2::Model::Authorization do
     
     describe "#grants_access?" do
       it "returns true given the right user and all authorization scopes" do
-        authorization.grants_access?(owner, 'foo', 'bar').should be_true
+        authorization.grants_access?(tester, 'foo', 'bar').should be_true
       end
       
       it "returns true given the right user and some authorization scopes" do
-        authorization.grants_access?(owner, 'bar').should be_true
+        authorization.grants_access?(tester, 'bar').should be_true
       end
       
       it "returns false given the right user and some unauthorization scopes" do
-        authorization.grants_access?(owner, 'foo', 'bar', 'qux').should be_false
+        authorization.grants_access?(tester, 'foo', 'bar', 'qux').should be_false
       end
       
       it "returns false given an unauthorized scope" do
-        authorization.grants_access?(owner, 'qux').should be_false
+        authorization.grants_access?(tester, 'qux').should be_false
       end
       
       it "returns true given the right user" do
-        authorization.grants_access?(owner).should be_true
+        authorization.grants_access?(tester).should be_true
       end
       
       it "returns false given the wrong user" do

data/spec/songkick/oauth2/model/client_spec.rb

@@ -4,7 +4,7 @@ describe Songkick::OAuth2::Model::Client do
   before do
     @client = Songkick::OAuth2::Model::Client.create(:name => 'App', :redirect_uri => 'http://example.com/cb')
     @owner  = Factory(:owner)
-    Factory(:authorization, :client => @client, :owner => @owner)
+    Songkick::OAuth2::Model::Authorization.for(@owner, @client)
   end
   
   it "is valid" do

data/spec/songkick/oauth2/model/resource_owner_spec.rb

@@ -12,7 +12,7 @@ describe Songkick::OAuth2::Model::ResourceOwner do
     end
     
     it "creates an authorization between the owner and the client" do
-      authorization = Songkick::OAuth2::Model::Authorization.new
+      authorization = Songkick::OAuth2::Model::Authorization.__send__(:new)
       Songkick::OAuth2::Model::Authorization.should_receive(:new).and_return(authorization)
       @owner.grant_access!(@client)
     end
@@ -45,7 +45,7 @@ describe Songkick::OAuth2::Model::ResourceOwner do
   
   describe "when there is an existing authorization" do
     before do
-      @authorization = Factory(:authorization, :owner => @owner, :client => @client)
+      @authorization = create_authorization(:owner => @owner, :client => @client)
     end
     
     it "does not create a new one" do
@@ -80,7 +80,7 @@ describe Songkick::OAuth2::Model::ResourceOwner do
   end
   
   it "destroys its authorizations on destroy" do
-    Factory(:authorization, :owner => @owner, :client => @client)
+    Songkick::OAuth2::Model::Authorization.for(@owner, @client)
     @owner.destroy
     Songkick::OAuth2::Model::Authorization.count.should be_zero
   end

data/spec/songkick/oauth2/provider/access_token_spec.rb

@@ -5,13 +5,15 @@ describe Songkick::OAuth2::Provider::AccessToken do
     @alice = TestApp::User['Alice']
     @bob   = TestApp::User['Bob']
     
-    Factory(:authorization,
+    create_authorization(
       :owner        => @alice,
+      :client       => Factory(:client),
       :scope        => 'profile',
       :access_token => 'sesame')
     
-    @authorization = Factory(:authorization,
+    @authorization = create_authorization(
       :owner        => @bob,
+      :client       => Factory(:client),
       :scope        => 'profile',
       :access_token => 'magic-key')
     

data/spec/songkick/oauth2/provider/authorization_spec.rb

@@ -156,7 +156,7 @@ describe Songkick::OAuth2::Provider::Authorization do
   describe "#grant_access!" do
     describe "when there is an existing authorization with no code" do
       before do
-        @model = Factory(:authorization,
+        @model = create_authorization(
           :owner  => resource_owner,
           :client => @client,
           :code   => nil)
@@ -172,7 +172,7 @@ describe Songkick::OAuth2::Provider::Authorization do
     
     describe "when there is an existing authorization with scopes" do
       before do
-        @model = Factory(:authorization,
+        @model = create_authorization(
           :owner  => resource_owner,
           :client => @client,
           :code   => nil,
@@ -190,7 +190,7 @@ describe Songkick::OAuth2::Provider::Authorization do
     
     describe "when there is an existing expired authorization" do
       before do
-        @model = Factory(:authorization,
+        @model = create_authorization(
           :owner      => resource_owner,
           :client     => @client,
           :expires_at => 2.months.ago,

data/spec/songkick/oauth2/provider/exchange_spec.rb

@@ -5,7 +5,7 @@ describe Songkick::OAuth2::Provider::Exchange do
     @client = Factory(:client)
     @alice  = TestApp::User['Alice']
     @bob    = TestApp::User['Bob']
-    @authorization = Factory(:authorization, :client => @client, :owner => @bob, :scope => 'foo bar')
+    @authorization = create_authorization(:client => @client, :owner => @bob, :code => 'a_fake_code', :scope => 'foo bar')
     Songkick::OAuth2.stub(:random_string).and_return('random_string')
   end
   
@@ -321,11 +321,11 @@ describe Songkick::OAuth2::Provider::Exchange do
   
   describe "using refresh_token grant type" do
     before do
-      @refresher = Factory(:authorization, :client => @client,
-                                           :owner  => @bob,
-                                           :scope  => 'foo bar',
-                                           :code   => nil,
-                                           :refresh_token => 'roflscale')
+      @refresher = create_authorization(:client => @client,
+                                        :owner  => @alice,
+                                        :scope  => 'foo bar',
+                                        :code   => nil,
+                                        :refresh_token => 'roflscale')
     end
     
     let(:params) { { 'client_id'     => @client.client_id,

data/spec/songkick/oauth2/provider_spec.rb

@@ -322,7 +322,11 @@ describe Songkick::OAuth2::Provider do
   describe "access token request" do
     before do
       @client = Factory(:client)
-      @authorization = Factory(:authorization, :client => @client, :owner => @owner, :expires_at => 3.hours.from_now)
+      @authorization = create_authorization(
+          :owner      => @owner,
+          :client     => @client,
+          :code       => 'a_fake_code',
+          :expires_at => 3.hours.from_now)
     end
     
     let(:auth_params)  { { 'client_id'     => @client.client_id,
@@ -341,6 +345,7 @@ describe Songkick::OAuth2::Provider do
       describe "with valid parameters" do
         it "does not respond to GET" do
           Songkick::OAuth2::Provider::Authorization.should_not_receive(:new)
+          params.delete('client_secret')
           response = get(params)
           validate_json_response(response, 400,
             'error'             => 'invalid_request',
@@ -348,6 +353,16 @@ describe Songkick::OAuth2::Provider do
           )
         end
         
+        it "does not allow client credentials to be passed in the query string" do
+          Songkick::OAuth2::Provider::Authorization.should_not_receive(:new)
+          query_string = {'client_id' => params.delete('client_id'), 'client_secret' => params.delete('client_secret')}
+          response = post(params, query_string)
+          validate_json_response(response, 400,
+            'error'             => 'invalid_request',
+            'error_description' => 'Bad request: must not send client credentials in the URI'
+          )
+        end
+        
         describe "enforcing SSL" do
           before { Songkick::OAuth2::Provider.enforce_ssl = true }
           
@@ -375,7 +390,7 @@ describe Songkick::OAuth2::Provider do
         it "returns a successful response" do
           Songkick::OAuth2.stub(:random_string).and_return('random_access_token')
           response = post_basic_auth(auth_params, query_params)
-          validate_json_response(response, 200, 'access_token'  => 'random_access_token', 'expires_in' => 10800)
+          validate_json_response(response, 200, 'access_token' => 'random_access_token', 'expires_in' => 10800)
         end
         
         describe "with a scope parameter" do
@@ -445,8 +460,9 @@ describe Songkick::OAuth2::Provider do
   
   describe "protected resource request" do
     before do
-      @authorization = Factory(:authorization,
+      @authorization = create_authorization(
         :owner        => @owner,
+        :client       => @client,
         :access_token => 'magic-key',
         :scope        => 'profile')
     end

data/spec/spec_helper.rb

@@ -2,11 +2,29 @@ require 'rubygems'
 require 'bundler/setup'
 
 require 'active_record'
-require File.expand_path('../../lib/songkick/oauth2/provider', __FILE__)
+require 'songkick/oauth2/provider'
 
-dbfile = File.expand_path('../test.sqlite3', __FILE__)
-File.unlink(dbfile) if File.file?(dbfile)
-ActiveRecord::Base.establish_connection(:adapter  => 'sqlite3', :database => dbfile)
+case ENV['DB']
+  when 'mysql'
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'mysql',
+        :host     => '127.0.0.1',
+        :username => 'root',
+        :database => 'oauth2_test')
+  when 'postgres'
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'postgresql',
+        :host     => '127.0.0.1',
+        :username => 'postgres',
+        :database => 'oauth2_test')
+  else
+    dbfile = File.expand_path('../test.sqlite3', __FILE__)
+    File.unlink(dbfile) if File.file?(dbfile)
+    
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'sqlite3',
+        :database => dbfile)
+end
 
 require 'logger'
 ActiveRecord::Base.logger = Logger.new(STDERR)
@@ -53,7 +71,7 @@ RSpec.configure do |config|
 end
 
 def create_authorization(params)
-  Songkick::OAuth2::Model::Authorization.create do |authorization|
+  Songkick::OAuth2::Model::Authorization.__send__(:create) do |authorization|
     params.each do |key, value|
       authorization.__send__ "#{key}=", value
     end

metadata

@@ -1,193 +1,200 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: songkick-oauth2-provider
-version: !ruby/object:Gem::Version 
-  hash: 55
+version: !ruby/object:Gem::Version
+  version: 0.10.1
   prerelease: 
-  segments: 
-  - 0
-  - 10
-  - 0
-  version: 0.10.0
 platform: ruby
-authors: 
+authors:
 - James Coglan
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-08-28 00:00:00 +01:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2012-10-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activerecord
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: bcrypt-ruby
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: json
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: rack
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: appraisal
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 0
-        - 4
-        - 0
+      - !ruby/object:Gem::Version
         version: 0.4.0
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: activerecord
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 3
-        - 2
-        - 0
+      - !ruby/object:Gem::Version
         version: 3.2.0
   type: :development
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id007
-- !ruby/object:Gem::Dependency 
-  name: sqlite3
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id008
-- !ruby/object:Gem::Dependency 
-  name: sinatra
   prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 27
-        segments: 
-        - 1
-        - 3
-        - 0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
         version: 1.3.0
   type: :development
-  version_requirements: *id009
-- !ruby/object:Gem::Dependency 
-  name: thin
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.0
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id010
-- !ruby/object:Gem::Dependency 
-  name: factory_girl
   prerelease: false
-  requirement: &id011 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 2
-        - 0
-        version: "2.0"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :development
-  version_requirements: *id011
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: 
 email: james@songkick.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - README.rdoc
-files: 
+files:
+- History.txt
 - README.rdoc
 - example/public/style.css
 - example/views/login.erb
@@ -218,7 +225,9 @@ files:
 - lib/songkick/oauth2/provider/error.rb
 - lib/songkick/oauth2/provider/access_token.rb
 - lib/songkick/oauth2/schema.rb
+- lib/songkick/oauth2/schema/20121024180930_songkick_oauth2_schema_add_authorization_index.rb
 - lib/songkick/oauth2/schema/20120828112156_songkick_oauth2_schema_original_schema.rb
+- lib/songkick/oauth2/schema/20121025180447_songkick_oauth2_schema_add_unique_indexes.rb
 - lib/songkick/oauth2/router.rb
 - lib/songkick/oauth2/model.rb
 - spec/test_app/provider/views/authorize.erb
@@ -234,40 +243,30 @@ files:
 - spec/songkick/oauth2/provider/access_token_spec.rb
 - spec/songkick/oauth2/provider_spec.rb
 - spec/spec_helper.rb
-has_rdoc: true
-homepage: http://www.songkick.com
+homepage: http://github.com/songkick/oauth2-provider
 licenses: []
-
 post_install_message: 
-rdoc_options: 
+rdoc_options:
 - --main
 - README.rdoc
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: Simple OAuth 2.0 provider toolkit
 test_files: []
-