tpitale-rack-oauth2-server 2.2.1

data/lib/rack/oauth2/admin/views/client.tmpl

@@ -0,0 +1,58 @@
+<div class="client">
+  <div class="details">
+    <h2 class="name">{{if imageUrl}}<img src="${imageUrl}">{{/if}} ${displayName}</h2>
+    <div class="actions">
+      <a href="#/client/${id}/edit" rel="edit">Edit</a>
+      {{if !revoked}}
+        <a href="#/client/${id}/revoke" data-method="post" data-confirm="There is no undo. Are you really really sure?" rel="revoke">Revoke</a>
+      {{/if}}
+      <a href="#/client/${id}" data-method="delete" data-confirm="There is no undo. Are you really really sure?" rel="delete">Delete</a>
+    </div>
+    <div class="meta">Site: <a href="${link}">${link}</a></div>
+    <div class="meta">
+      Created {{html $.shortdate(revoked)}}
+      {{if revoked}}Revoked {{html $.shortdate(revoked)}}{{/if}}
+    </div>
+    {{each notes}}<p class="notes">${this}</p>{{/each}}
+  </div>
+  <div class="metrics">
+    <div id="fig"></div>
+    <ul class="badges">
+      <li title="Access tokens granted, lifetime total"><big>${$.thousands(tokens.total)}</big><small>Granted</small></li>
+      <li title="Access tokens granted, last 7 days"><big>${$.thousands(tokens.week)}</big><small>This Week</small></li>
+      <li title="Access tokens revoked, last 7 days"><big>${$.thousands(tokens.revoked)}</big><small>Revoked (Week)</small></li>
+    </ul>
+  </div>
+  <table class="tokens">
+    <thead>
+      <th>Token</th>
+      <th>Identity</th>
+      <th>Scope</th>
+      <th>Created</th>
+      <th>Accessed</th>
+      <th>Revoked</th>
+    </thead>
+    <tbody>
+      {{each tokens.list}}
+      <tr>
+        <td class="token">${token}</td>
+        <td class="identity">{{if link}}<a href="${link}">${identity}</a>{{else}}${identity}{{/if}}</td>
+        <td class="scope">${scope}</td>
+        <td class="created">{{html $.shortdate(created)}}</td>
+        <td class="accessed">{{if last_access}}{{html $.shortdate(last_access)}}{{/if}}</td>
+        <td class="revoke">
+          {{if revoked}}
+            {{html $.shortdate(revoked)}}
+          {{else}}
+            <a href="#/token/${token}/revoke" data-method="post" data-confirm="Are you sure?" rel="revoke">Revoke</a>
+          {{/if}}
+        </td>
+      </tr>
+      {{/each}}
+    </tbody>
+  </table>
+  <div class="pagination">
+    {{if tokens.previous}}<a href="#/client/${id}/page/${tokens.page - 1}" rel="previous">Previous</a>{{/if}}
+    {{if tokens.next}}<a href="#/client/${id}/page/${tokens.page + 1}" rel="next">Next</a>{{/if}}
+  </div>
+</div>

data/lib/rack/oauth2/admin/views/clients.tmpl

@@ -0,0 +1,52 @@
+<div class="client">
+  <div class="metrics">
+    <div id="fig"></div>
+    <ul class="badges">
+      <li title="Access tokens granted, lifetime total"><big>${$.thousands(tokens.total)}</big><small>Granted</small></li>
+      <li title="Access tokens granted, last 7 days"><big>${$.thousands(tokens.week)}</big><small>This Week</small></li>
+      <li title="Access tokens revoked, last 7 days"><big>${$.thousands(tokens.revoked)}</big><small>Revoked (Week)</small></li>
+    </ul>
+  </div>
+  <a href="#/new" style="float:left">Add New Client</a>
+  <table class="clients">
+    <thead>
+      <th>Application</th>
+      <th>ID/Secret</th>
+      <th>Created</th>
+      <th>Revoked</th>
+    </thead>
+    {{each clients}}
+    <tr class="${revoked ? "revoked" : "active"}">
+      <td class="name">
+        <a href="#/client/${id}">
+          {{if imageUrl}}<img src="${imageUrl}">{{/if}}
+          ${displayName.trim() == "" ? "untitled" : displayName}
+        </a>
+      </td>
+      <td class="secrets">
+        <a href="" rel="toggle">Reveal</a>
+        <dl>
+          <dt>ID</dt><dd>${id}</dd>
+          <dt>Secret</dt><dd>${secret}</dd>
+          <dt>Redirect</dt><dd>${redirectUri}</dd>
+        </dl>
+      </td>
+      <td class="created">{{html $.shortdate(created)}}</td>
+      <td class="revoke">{{if revoked}}{{html $.shortdate(revoked)}}{{/if}}</td>
+    </tr>
+    {{/each}}
+  </table>
+</div>
+<script type="text/javascript">
+  $("td.secrets a[rel=toggle]").click(function(evt) {
+    evt.preventDefault();
+    var dl = $(this).next("dl");
+    if (dl.is(":visible")) {
+      $(this).html("Reveal");
+      dl.hide();
+    } else {
+      $(this).html("Hide");
+      dl.show();
+    }
+  });
+</script>

data/lib/rack/oauth2/admin/views/edit.tmpl

@@ -0,0 +1,80 @@
+{{if id}}<form action="#/client/${id}" method="put" class="client edit">
+{{else}}<form action="#/clients" method="post" class="client new">{{/if}}
+  <div class="fields">
+    <h2>Identification</h2>
+    <img id="image">
+    <label>Display Name
+      <input type="text" name="displayName" value="${displayName}" size="70" required autofocus>
+      <p class="hint">This is the application name that users see when asked to authorize.</p>
+    </label>
+    <label>Site URL
+      <input type="url" name="link" value="${link}" size="70" required>
+      <p class="hint">This is a link to the application's site.</p>
+    </label>
+    <label>Image URL
+      <input type="url" name="imageUrl" value="${imageUrl}" size="70">
+      <p class="hint">This is a link to the application's icon (48x48).</p>
+    </label>
+    <label>Redirect URI
+      <input type="url" name="redirectUri" value="${redirectUri}" size="70" required>
+      <p class="hint">Users redirected back to this URL on successful authorization.</p>
+    </label>
+    <label>Notes
+      <textarea name="notes" cols="50" rows="5">${notes}</textarea>
+      <p class="hint">For internal use.</p>
+    </label>
+    {{if id}}<button>Save Changes</button>
+    {{else}}<button>Create Client</button>{{/if}}
+  </div>
+  <div class="scope">
+    <h2>Scope</h2>
+    {{each common}}
+      <label class="check"><input type="checkbox" name="scope" value="${this}" ${scope.indexOf(this.toString()) < 0 ? null : "checked"}>${this}</label>
+    {{/each}}
+    {{each scope}}
+      {{if common.indexOf(this.toString()) < 0}}
+      <label class="check uncommon"><input type="checkbox" name="scope" value="${this}" checked>${this}</label>
+      {{/if}}
+    {{/each}}
+    <label>Uncommon
+      <input type="text" name="scope" value="" size="35">
+      <p class="hint">Space separated list of uncommon scope.</p>
+    </label>
+  </div>
+  <hr>
+</form>
+<script type="text/javascript">
+  $(function() {
+    var image = $("#image");
+    image.load(function() {
+      image.show().removeClass("loading");
+    }).error(function() {
+      if (image.attr("src"))
+        image.removeClass("loading");
+    });
+
+    var imageUrl = $("input[name=imageUrl]");
+    imageUrl.change(function() {
+      var url = $(this).val().trim();
+      if (url == "") {
+        image.hide();
+      } else {
+        image.attr("src", "admin/images/loading.gif").show().addClass("loading");
+        setTimeout(function() { image.attr("src", url); }, 10);
+      }
+    }).trigger("change");
+
+    $("input[name=link]").change(function() {
+      if (imageUrl.val().trim() == "") {
+        $("#image").show().addClass("loading").attr("src", null);
+        var image = new Image();
+        image.src = $(this).val().trim().replace(/^(https?:\/\/)(.+?)(\/.*|$)/, "$1$2/favicon.ico");
+        image.onload = function() {
+          if (imageUrl.val().trim() == "") {
+            imageUrl.val(image.src).trigger("change");
+          } 
+        }
+      }
+    });
+  })
+</script>

data/lib/rack/oauth2/admin/views/index.html

@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>OAuth Console</title>
+    <link href="admin/css/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
+    <script src="admin/js/jquery.js" type="text/javascript"></script>
+    <script src="admin/js/jquery.tmpl.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.tmpl.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.json.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.storage.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.title.js" type="text/javascript"></script>
+    <script src="admin/js/sammy.oauth2.js" type="text/javascript"></script>
+    <script src="admin/js/underscore.js" type="text/javascript"></script>
+    <script src="admin/js/protovis-r3.2.js" type="text/javascript"></script>
+    <script src="admin/js/application.js" type="text/javascript"></script>
+    <link rel="shortcut icon" href="admin/images/oauth-2.png">
+  </head>
+  <body>
+    <div id="notice" style="display:none"></div>
+    <div id="header">
+      <div class="title">
+        <a href="#/"><img src="admin/images/oauth-2.png"> OAuth Console</a>
+      </div>
+      <a href="admin/authorize" class="signin">Sign in</a>
+      <a href="#/signout" class="signout">Sign out</a>
+    </div>
+    <div id="throbber" class="loading"></div>
+    <div id="main"></div>
+    <div id="footer">
+      <p>Powered by <a href="http://github.com/flowtown/rack-oauth2-server">Rack::OAuth2::Server</a></p>
+    </div>
+    <script>
+      var loading = new Image();
+      loading.src = "admin/images/loading.gif";
+      $(function() { Sammy("#main").run("#/"); });
+    </script>
+  </body>
+</html>

data/lib/rack/oauth2/admin/views/no_access.tmpl

@@ -0,0 +1,4 @@
+<div class="no-access">
+  <h1>${error}</h1>    
+  <p>You can try to <a href="#/">authenticate again</a></p>
+</div>

data/lib/rack/oauth2/models.rb

@@ -0,0 +1,27 @@
+# require "mongo"
+require "openssl"
+require "rack/oauth2/server/errors"
+require "rack/oauth2/server/utils"
+
+module Rack
+  module OAuth2
+    class Server
+      # class << self
+      #   # unused!
+      #   attr_accessor :database
+      # end
+
+      # Long, random and hexy.
+      def self.secure_random
+        OpenSSL::Random.random_bytes(32).unpack("H*")[0]
+      end
+    end
+  end
+end
+
+
+require "rack/oauth2/models/client"
+require "rack/oauth2/models/auth_request"
+require "rack/oauth2/models/access_grant"
+require "rack/oauth2/models/access_token"
+

data/lib/rack/oauth2/models/access_grant.rb

@@ -0,0 +1,54 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # The access grant is a nonce, new grant created each time we need it and
+      # good for redeeming one access token.
+      class AccessGrant < ActiveRecord::Base
+        belongs_to :client, :class_name => 'Rack::OAuth2::Server::Client'
+
+        # Find AccessGrant from authentication code.
+        def self.from_code(code)
+          first(:conditions => {:code => code, :revoked => nil})
+        end
+
+        # Create a new access grant.
+        def self.create(identity, client, scope, redirect_uri = nil, expires = nil)
+          raise ArgumentError, "Identity must be String or Integer" unless String === identity || Integer === identity
+          scope = Utils.normalize_scope(scope) & Utils.normalize_scope(client.scope) # Only allowed scope
+          expires_at = Time.now.to_i + (expires || 300)
+
+          attributes = {
+            :code => Server.secure_random,
+            :identity=>identity,
+            :scope=>scope,
+            :client_id=>client.id,
+            :redirect_uri=>client.redirect_uri || redirect_uri,
+            :created_at=>Time.now.to_i,
+            :expires_at=>expires_at
+          }
+
+          super(attributes)
+        end
+
+        # Authorize access and return new access token.
+        #
+        # Access grant can only be redeemed once, but client can make multiple
+        # requests to obtain it, so we need to make sure only first request is
+        # successful in returning access token, futher requests raise
+        # InvalidGrantError.
+        def authorize!
+          raise InvalidGrantError, "You can't use the same access grant twice" if self.access_token || self.revoked
+          access_token = AccessToken.get_token_for(identity, client, scope)
+          update_attributes(:access_token => access_token.token, :granted_at => Time.now)
+          access_token
+        end
+
+        def revoke!
+          update_attributes(:revoked => Time.now)
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/models/access_token.rb

@@ -0,0 +1,129 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Access token. This is what clients use to access resources.
+      #
+      # An access token is a unique code, associated with a client, an identity
+      # and scope. It may be revoked, or expire after a certain period.
+      class AccessToken < ActiveRecord::Base
+        belongs_to :client, :class_name => 'Rack::OAuth2::Server::Client' # counter_cache?
+
+        # Creates a new AccessToken for the given client and scope.
+        def self.create_token_for(client, scope)
+          scope = Utils.normalize_scope(scope) & Utils.normalize_scope(client.scope) # Only allowed scope
+
+          attributes = {
+            :code => Server.secure_random,
+            :scope => scope,
+            :client => client
+          }
+
+          create(attributes)
+
+          # Client.collection.update({ :_id=>client.id }, { :$inc=>{ :tokens_granted=>1 } })
+          # Server.new_instance self, token
+        end
+
+        # Find AccessToken from token. Does not return revoked tokens.
+        def self.from_token(token) # token == code??
+          first(:conditions => {:code => token, :revoked => nil})
+        end
+
+        # Get an access token (create new one if necessary).
+        def self.get_token_for(identity, client, scope)
+          raise ArgumentError, "Identity must be String or Integer" unless String === identity || Integer === identity
+          scope = Utils.normalize_scope(scope) & Utils.normalize_scope(client.scope) # Only allowed scope
+
+          token = first(:conditions => {:identity=>identity, :scope=>scope, :client_id=>client.id, :revoked=>nil})
+
+          token ||= begin
+            attributes = {
+              :code => Server.secure_random,
+              :identity => identity,
+              :scope => scope,
+              :client_id => client.id
+            }
+
+            create(attributes)
+            # Client.collection.update({ :_id=>client.id }, { :$inc=>{ :tokens_granted=>1 } })
+          end
+
+          token
+        end
+
+        alias_attribute :token, :code
+
+        # Find all AccessTokens for an identity.
+        def self.from_identity(identity)
+          all(:condition => {:identity => identity})
+        end
+
+        # Returns all access tokens for a given client, Use limit and offset
+        # to return a subset of tokens, sorted by creation date.
+        def self.for_client(client_id, offset = 0, limit = 100)
+          all(:conditions => {:client_id => client.id}, :offset => offset, :limit => limit, :order => :created_at)
+        end
+
+        # Returns count of access tokens.
+        #
+        # @param [Hash] filter Count only a subset of access tokens
+        # @option filter [Integer] days Only count that many days (since now)
+        # @option filter [Boolean] revoked Only count revoked (true) or non-revoked (false) tokens; count all tokens if nil
+        # @option filter [String, ObjectId] client_id Only tokens grant to this client
+        def self.count(filter = {})
+          conditions = []
+          if filter[:days]
+            now = Time.now
+            start_time = now - (filter[:days] * 86400)
+
+            key = filter[:revoked] ? 'revoked' : 'created_at'
+            conditions = ["#{key} > ? AND #{key} <= ?", start_time, now]
+          elsif filter.has_key?(:revoked)
+            conditions = ["revoked " + (filter[:revoked] ? "IS NOT NULL" : "IS NULL")]
+          end
+
+          if filter.has_key?(:client_id)
+            conditions.first = conditions.empty? ? "client_id = ?" : " AND client_id = ?"
+            conditions << filter[:client_id]
+          end
+
+          super(:conditions => conditions)
+        end
+
+        # def self.historical(filter = {})
+        #   # days = filter[:days] || 60
+        #   # select = { :$gt=> { :created_at=>Time.now - 86400 * days } }
+        #   # select = {}
+        # 
+        #   if filter.has_key?(:client_id)
+        #     conditions << "client_id = ?" << filter[:client_id]
+        #   end
+        # 
+        #   raw = Server::AccessToken.collection.group("function (token) { return { ts: Math.floor(token.created_at / 86400) } }",
+        #     select, { :granted=>0 }, "function (token, state) { state.granted++ }")
+        #   raw.sort { |a, b| a["ts"] - b["ts"] }
+        # end
+
+        # Updates the last access timestamp.
+        def access!
+          today = (Time.now.to_i / 3600) * 3600
+          if last_access.nil? || last_access < today
+            AccessToken.update_all({:last_access=>today, :prev_access=>last_access}, {:code => code})
+            reload
+          end
+        end
+
+        # Revokes this access token.
+        def revoke!
+          revoked = Time.now
+          AccessToken.update_all({:revoked=>revoked}, {:id => id})
+          reload
+
+          # Client.collection.update({ :_id=>client_id }, { :$inc=>{ :tokens_revoked=>1 } })
+        end
+      end
+
+    end
+  end
+end