warden-github 0.13.0 → 0.13.1

data/README.md

@@ -1,18 +1,141 @@
-warden-github
-=============
+# warden-github
 
-A [warden](/hassox/warden) strategy that provides oauth authentication to github.  Find out more about enabling your application at github's [oauth quickstart](http://gist.github.com/419219).
+A [warden](https://github.com/hassox/warden) strategy that provides OAuth authentication to GitHub.
 
-To test it out on localhost set your callback url to 'http://localhost:9292/'.
+## The Extension in Action
 
-There's an example app in [example/app.rb](/atmos/warden-github/blob/master/example/app.rb).
+To play with the extension, follow these steps:
 
-Using with GitHub Enterprise
-============================
+1.  Check out a copy of the source.
+2.  [Create an application on GitHub](https://github.com/settings/applications/new) and set the callback URL to `http://localhost:9292`
+3.  Run the following command with the client id and client secret obtained from the previous step:
 
-Export the `OCTOKIT_API_ENDPOINT` environmental variable to the URL of your enterprise install.
+        GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup
 
-The Extension in Action
-=======================
+    This will run the example app [example/simple_app.rb](example/simple_app.rb).
+
+    If you wish to see multiple user scopes in action, run the above command with an additional variable:
+
+        MULTI_SCOPE_APP=1 GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup
+
+    This will run the example app [example/multi_scope_app.rb](example/multi_scope_app.rb).
+
+4.  Point your browser at [http://localhost:9292/](http://localhost:9292) and enjoy!
+
+## Configuration
+
+In order to use this strategy, simply tell warden about it.
+This is done by using `Warden::Manager` as a rack middleware and passing a config block to it.
+Read more about warden setup at the [warden wiki](https://github.com/hassox/warden/wiki/Setup).
+
+For simple usage without customization, simply specify it as the default strategy.
+
+```ruby
+use Warden::Manager do |config|
+  config.failure_app = BadAuthentication
+  config.default_strategies :github
+end
+```
+
+In order to pass custom configurations, you need to configure a warden scope.
+Note that the default warden scope (i.e. when not specifying any explicit scope) is `:default`.
+
+Here's an example that specifies configs for the default scope and a custom admin scope.
+Using multiple scopes allows you to have different user types.
+
+```ruby
+use Warden::Manager do |config|
+  config.failure_app = BadAuthentication
+  config.default_strategies :github
+
+  config.scope_defaults :default, :config => { :scope => 'user:email' }
+  config.scope_defaults :admin, :config => { :client_id     => 'foobar',
+                                             :client_secret => 'barfoo',
+                                             :scope         => 'user,repo',
+                                             :redirect_uri  => '/admin/oauth/callback' }
+end
+```
+
+### Parameters
+
+The config parameters and their defaults are listed below.
+Please refer to the [GitHub OAuth documentation](http://developer.github.com/v3/oauth/) for an explanation of their meaning.
+
+- **client_id:** Defaults to `ENV['GITHUB_CLIENT_ID']` and raises if not present.
+- **client_secret:** Defaults to `ENV['GITHUB_CLIENT_SECRET']` and raises if not present.
+- **scope:** Defaults to `nil`.
+- **redirect_uri:** Defaults to the current path.
+  Note that paths will be expanded to a valid URL using the request url's host.
+
+### Using with GitHub Enterprise
+
+GitHub API communication is done entirely through the [octokit gem](https://github.com/pengwynn/octokit).
+For the OAuth process (which uses another endpoint than the API), the web endpoint is read from octokit.
+In order to configure octokit for GitHub Enterprise you can either define the two environment variables `OCTOKIT_API_ENDPOINT` and `OCTOKIT_WEB_ENDPOINT`, or configure the `Octokit` module as specified in their [README](https://github.com/pengwynn/octokit#using-with-github-enterprise).
+
+### JSON Dependency
+
+This gem and its dependencies do not explicitly depend on any JSON library.
+If you're on ruby 1.8.7 you'll have to include one explicitly.
+ruby 1.9 comes with a json library that will be used if no other is specified.
+
+## Usage
+
+Some warden methods that you will need:
+
+```ruby
+env['warden'].authenticate!                   # => Uses the configs from the default scope.
+env['warden'].authenticate!(:scope => :admin) # => Uses the configs from the admin scope.
+
+# Analogous to previous lines, but does not halt if authentication does not succeed.
+env['warden'].authenticate
+env['warden'].authenticate(:scope => :admin)
+
+env['warden'].authenticated?         # => Checks whether the default scope is logged in.
+env['warden'].authenticated?(:admin) # => Checks whether the admin scope is logged in.
+
+env['warden'].user         # => The user for the default scope.
+env['warden'].user(:admin) # => The user for the admin scope.
+
+env['warden'].session         # => Namespaced session accessor for the default scope.
+env['warden'].session(:admin) # => Namespaced session accessor for the admin scope.
+
+env['warden'].logout           # => Logs out all scopes.
+env['warden'].logout(:default) # => Logs out the default scope.
+env['warden'].logout(:admin)   # => Logs out the admin scope.
+```
+
+For further documentation, refer to the [warden wiki](https://github.com/hassox/warden/wiki).
+
+The user object (`Warden::GitHub::User`) responds to the following methods:
+
+```ruby
+user = env['warden'].user
+
+user.id          # => The GitHub user id.
+user.login       # => The GitHub username.
+user.name
+user.gravatar_id # => The md5 email hash to construct a gravatar image.
+user.email       # => Requires user:email or user scope.
+user.company
+
+# These require user scope.
+user.organization_member?('rails')         # => Checks 'rails' organization membership.
+user.organization_public_member?('github') # => Checks publicly disclosed 'github' organization membership.
+user.team_member?(1234)                    # => Checks membership in team with id 1234.
+
+# API access
+user.api # => Authenticated Octokit::Client for the user.
+```
+
+For more information on API access, refer to the [octokit documentation](http://rdoc.info/gems/octokit).
+
+## Additional Information
+
+- [warden](https://github.com/hassox/warden)
+- [octokit](https://github.com/pengwynn/octokit)
+- [GitHub OAuth Busy Developer's Guide](https://gist.github.com/technoweenie/419219)
+- [GitHub API documentation](http://developer.github.com)
+- [List of GitHub OAuth scopes](http://developer.github.com/v3/oauth/#scopes)
+- [Register a new OAuth application on GitHub](https://github.com/settings/applications/new)
 
-    % GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup

data/config.ru

@@ -15,6 +15,11 @@ rescue LoadError
 end
 
 require 'warden/github'
-require File.expand_path('../example/app', __FILE__)
+
+if ENV['MULTI_SCOPE_APP']
+  require File.expand_path('../example/multi_scope_app', __FILE__)
+else
+  require File.expand_path('../example/simple_app', __FILE__)
+end
 
 run Example.app

data/example/multi_scope_app.rb

@@ -0,0 +1,84 @@
+require File.expand_path('../setup', __FILE__)
+
+module Example
+  class MultiScopeApp < BaseApp
+    enable :inline_templates
+
+    GITHUB_CONFIG = {
+      :client_id     => ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
+      :client_secret => ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret'
+    }
+
+    use Warden::Manager do |config|
+      config.failure_app = BadAuthentication
+      config.default_strategies :github
+      config.scope_defaults :default, :config => GITHUB_CONFIG
+      config.scope_defaults :admin, :config => GITHUB_CONFIG.merge(:scope => 'user,notifications')
+    end
+
+    get '/' do
+      erb :index
+    end
+
+    get '/login' do
+      env['warden'].authenticate!
+      redirect '/'
+    end
+
+    get '/admin/login' do
+      env['warden'].authenticate!(:scope => :admin)
+      redirect '/'
+    end
+
+    get '/logout' do
+      if params.include?('all')
+        env['warden'].logout
+      else
+        env['warden'].logout(:default)
+      end
+      redirect '/'
+    end
+
+    get '/admin/logout' do
+      env['warden'].logout(:admin)
+      redirect '/'
+    end
+  end
+
+  def self.app
+    @app ||= Rack::Builder.new do
+      run MultiScopeApp
+    end
+  end
+end
+
+__END__
+
+@@ index
+<html>
+  <body>
+    <h1>Multi Scope App Example</h1>
+    <ul>
+    <% if env['warden'].authenticated? %>
+      <li><a href='/logout'>[User] sign out</a></li>
+    <% else %>
+      <li><a href='/login'>[User] sign in</a></li>
+    <% end %>
+    <% if env['warden'].authenticated?(:admin) %>
+      <li><a href='/admin/logout'>[Admin] sign out</a></li>
+    <% else %>
+      <li><a href='/admin/login'>[Admin] sign in</a></li>
+    <% end %>
+    <% if env['warden'].authenticated? && env['warden'].authenticated?(:admin) %>
+      <li><a href='/logout?all=1'>[User &amp; Admin] sign out</a></li>
+    <% end %>
+    </ul>
+    <hr />
+    <dl>
+      <dt>User:</dt>
+      <dd><%= env['warden'].authenticated? ? env['warden'].user.name : 'Not signed in' %></dd>
+      <dt>Admin:</dt>
+      <dd><%= env['warden'].authenticated?(:admin) ? env['warden'].user(:admin).name : 'Not signed in' %></dd>
+    </dl>
+  </body>
+</html>

data/example/setup.rb

@@ -0,0 +1,25 @@
+require 'sinatra'
+require 'yajl/json_gem'
+
+module Example
+  class BaseApp < Sinatra::Base
+    enable  :sessions
+    enable  :raise_errors
+    disable :show_exceptions
+
+    get '/debug' do
+      content_type :text
+      env['rack.session'].to_yaml
+    end
+  end
+
+  class BadAuthentication < Sinatra::Base
+    get '/unauthenticated' do
+      status 403
+      <<-EOS
+      <h2>Unable to authenticate, sorry bud.</h2>
+      <p>#{env['warden'].message}</p>
+      EOS
+    end
+  end
+end

data/example/simple_app.rb

@@ -0,0 +1,85 @@
+require File.expand_path('../setup', __FILE__)
+
+module Example
+  class SimpleApp < BaseApp
+    enable :inline_templates
+
+    GITHUB_CONFIG = {
+      :client_id     => ENV['GITHUB_CLIENT_ID']     || 'test_client_id',
+      :client_secret => ENV['GITHUB_CLIENT_SECRET'] || 'test_client_secret',
+      :scope         => 'user'
+    }
+
+    use Warden::Manager do |config|
+      config.failure_app = BadAuthentication
+      config.default_strategies :github
+      config.scope_defaults :default, :config => GITHUB_CONFIG
+    end
+
+    get '/' do
+      erb :index
+    end
+
+    get '/profile' do
+      env['warden'].authenticate!
+      erb :profile
+    end
+
+    get '/login' do
+      env['warden'].authenticate!
+      redirect '/'
+    end
+
+    get '/logout' do
+      env['warden'].logout
+      redirect '/'
+    end
+  end
+
+  def self.app
+    @app ||= Rack::Builder.new do
+      run SimpleApp
+    end
+  end
+end
+
+__END__
+
+@@ layout
+<html>
+  <body>
+    <h1>Simple App Example</h1>
+    <ul>
+      <li><a href='/'>Home</a></li>
+      <li><a href='/profile'>View profile</a><% if !env['warden'].authenticated? %> (implicit sign in)<% end %></li>
+    <% if env['warden'].authenticated? %>
+      <li><a href='/logout'>Sign out</a></li>
+    <% else %>
+      <li><a href='/login'>Sign in</a> (explicit sign in)</li>
+    <% end %>
+    </ul>
+    <hr />
+    <%= yield %>
+  </body>
+</html>
+
+@@ index
+<% if env['warden'].authenticated? %>
+  <h2>
+    <img src='http://gravatar.com/avatar/<%= env['warden'].user.gravatar_id %>.png?r=PG&s=50' />
+    Welcome <%= env['warden'].user.name %>
+  </h2>
+<% else %>
+  <h2>Welcome stranger</h2>
+<% end %>
+
+@@ profile
+<h2>Profile</h2>
+<dl>
+  <dt>Rails Org Member:</dt>
+  <dd><%= env['warden'].user.organization_member?('rails') %></dd>
+  <dt>Publicized Rails Org Member:</dt>
+  <dd><%= env['warden'].user.organization_public_member?('rails') %></dd>
+  <dt>Rails Committer Team Member:</dt>
+  <dd><%= env['warden'].user.team_member?(632) %></dd>
+</dl>

data/lib/warden/github/config.rb

@@ -0,0 +1,146 @@
+require 'uri'
+
+module Warden
+  module GitHub
+    # This class encapsulates the configuration of the strategy. A strategy can
+    # be configured through Warden::Manager by defining a scope's default. Thus,
+    # it is possible to use the same strategy with different configurations by
+    # using multiple scopes.
+    #
+    # To configure a scope, use #scope_defaults inside the Warden::Manager
+    # config block. The first arg is the name of the scope (the default is
+    # :default, so use that to configure the default scope), the second arg is
+    # an options hash which should contain:
+    #
+    #   - :strategies : An array of strategies to use for this scope. Since this
+    #                   strategy is called :github, include it in the array.
+    #
+    #   - :config :     A hash containing the configs that are used for OAuth.
+    #                   Valid parameters include :client_id, :client_secret,
+    #                   :scope, :redirect_uri. Please refer to the OAuth
+    #                   documentation of the GitHub API for the meaning of these
+    #                   parameters.
+    #
+    #                   If :client_id or :client_secret are not specified, they
+    #                   will be fetched from ENV['GITHUB_CLIENT_ID'] and
+    #                   ENV['GITHUB_CLIENT_SECRET'], respectively.
+    #
+    #                   :scope defaults to nil.
+    #
+    #                   If no :redirect_uri is specified, the current path will
+    #                   be used. If a path is specified it will be appended to
+    #                   the request host, forming a valid URL.
+    #
+    # Examples
+    #
+    #   use Warden::Manager do |config|
+    #     config.failure_app = BadAuthentication
+    #
+    #     # The following line doesn't specify any custom configurations, thus
+    #     # the default scope will be using the implict client_id,
+    #     # client_secret, and redirect_uri.
+    #     config.default_strategies :github
+    #
+    #     # This configures an additional scope that uses the github strategy
+    #     # with custom configuration.
+    #     config.scope_defaults :admin, :config => { :client_id => 'foobar',
+    #                                                :client_secret => 'barfoo',
+    #                                                :scope => 'user,repo',
+    #                                                :redirect_uri => '/admin/oauth/callback' }
+    #   end
+    class Config
+      BadConfig = Class.new(StandardError)
+
+      include ::Warden::Mixins::Common
+
+      attr_reader :env, :warden_scope
+
+      def initialize(env, warden_scope)
+        @env = env
+        @warden_scope = warden_scope
+      end
+
+      def client_id
+        custom_config[:client_id] ||
+          deprecated_config(:github_client_id) ||
+          ENV['GITHUB_CLIENT_ID'] ||
+          fail(BadConfig, 'Missing client_id configuration.')
+      end
+
+      def client_secret
+        custom_config[:client_secret] ||
+          deprecated_config(:github_secret) ||
+          ENV['GITHUB_CLIENT_SECRET'] ||
+          fail(BadConfig, 'Missing client_secret configuration.')
+      end
+
+      def redirect_uri
+        uri_or_path =
+          custom_config[:redirect_uri] ||
+          deprecated_config(:github_callback_url) ||
+          request.path
+
+        normalized_uri(uri_or_path).to_s
+      end
+
+      def scope
+        custom_config[:scope] || deprecated_config(:github_scopes)
+      end
+
+      def to_hash
+        { :client_id     => client_id,
+          :client_secret => client_secret,
+          :redirect_uri  => redirect_uri,
+          :scope         => scope }
+      end
+
+      private
+
+      def custom_config
+        @custom_config ||=
+          env['warden'].
+            config[:scope_defaults].
+            fetch(warden_scope, {}).
+            fetch(:config, {})
+      end
+
+      def deprecated_config(name)
+        env['warden'].config[name].tap do |config|
+          unless config.nil?
+            warn "[warden-github] Deprecated configuration #{name} used. Please refer to the README for updated configuration instructions."
+          end
+        end
+      end
+
+      def normalized_uri(uri_or_path)
+        uri = URI(request.url)
+        uri.path = extract_path(URI(uri_or_path))
+        uri.query = nil
+        uri.fragment = nil
+
+        correct_scheme(uri)
+      end
+
+      def extract_path(uri)
+        path = uri.path
+
+        if path.start_with?('/')
+          path
+        else
+          "/#{path}"
+        end
+      end
+
+      def correct_scheme(uri)
+        if uri.scheme != 'https' && env['HTTP_X_FORWARDED_PROTO'] == 'https'
+          uri.scheme = 'https'
+          # Reparsing will use a different URI subclass, namely URI::HTTPS which
+          # knows the default port for https and strips it if present.
+          uri = URI(uri.to_s)
+        end
+
+        uri
+      end
+    end
+  end
+end

data/lib/warden/github/membership_cache.rb

@@ -0,0 +1,48 @@
+module Warden
+  module GitHub
+    # A hash subclass that acts as a cache for organization and team
+    # membership states. Only membership states that are true are cached. These
+    # are invalidated after a certain time.
+    class MembershipCache < ::Hash
+      CACHE_TIMEOUT = 60 * 5
+
+      # Fetches a membership status by type and id (e.g. 'org', 'my_company')
+      # from cache. If no cached value is present or if the cached value
+      # expired, the block will be invoked and the return value, if true,
+      # cached for e certain time.
+      def fetch_membership(type, id)
+        type = type.to_s
+        id = id.to_s if id.is_a?(Symbol)
+
+        if cached_membership_valid?(type, id)
+          true
+        elsif block_given? && yield
+          cache_membership(type, id)
+          true
+        else
+          false
+        end
+      end
+
+      private
+
+      def cached_membership_valid?(type, id)
+        timestamp = fetch(type).fetch(id)
+
+        if Time.now.to_i > timestamp + CACHE_TIMEOUT
+          fetch(type).delete(id)
+          false
+        else
+          true
+        end
+      rescue IndexError
+        false
+      end
+
+      def cache_membership(type, id)
+        hash = self[type] ||= {}
+        hash[id] = Time.now.to_i
+      end
+    end
+  end
+end

data/lib/warden/github/strategy.rb

@@ -67,7 +67,7 @@ module Warden
       def validate_flow!
         if params['state'] != state
           abort_flow!('State mismatch')
-        elsif (error = params['error']) && !error.blank?
+        elsif (error = params['error']) && !error.empty?
           abort_flow!(error.gsub(/_/, ' '))
         end
       end
@@ -88,32 +88,11 @@ module Warden
 
       def oauth
         @oauth ||= OAuth.new(
-          :code          => params['code'],
-          :state         => state,
-          :scope         => env['warden'].config[:github_scopes],
-          :client_id     => env['warden'].config[:github_client_id],
-          :client_secret => env['warden'].config[:github_secret],
-          :redirect_uri  => redirect_uri)
+          config.to_hash.merge(:code => params['code'], :state => state))
       end
 
-      def redirect_uri
-        absolute_uri(request, callback_path, env['HTTP_X_FORWARDED_PROTO'])
-      end
-
-      def callback_path
-        env['warden'].config[:github_callback_url] || request.path
-      end
-
-      def absolute_uri(request, suffix = nil, proto = "http")
-        port_part = case request.scheme
-                    when "http"
-                      request.port == 80 ? "" : ":#{request.port}"
-                    when "https"
-                      request.port == 443 ? "" : ":#{request.port}"
-                    end
-
-        proto = "http" if proto.nil?
-        "#{proto}://#{request.host}#{port_part}#{suffix}"
+      def config
+        @config ||= ::Warden::GitHub::Config.new(env, scope)
       end
     end
   end

data/lib/warden/github/user.rb

@@ -30,7 +30,9 @@ module Warden
       #
       # Returns: true if the user is publicized as an org member
       def organization_public_member?(org_name)
-        api.organization_public_member?(org_name, login)
+        memberships.fetch_membership(:org_pub, org_name) do
+          api.organization_public_member?(org_name, login)
+        end
       end
 
       # Backwards compatibility:
@@ -42,7 +44,9 @@ module Warden
       #
       # Returns: true if the user has access, false otherwise
       def organization_member?(org_name)
-        api.organization_member?(org_name, login)
+        memberships.fetch_membership(:org, org_name) do
+          api.organization_member?(org_name, login)
+        end
       end
 
       # See if the user is a member of the team id
@@ -51,17 +55,20 @@ module Warden
       #
       # Returns: true if the user has access, false otherwise
       def team_member?(team_id)
-        # TODO: Use next line as method body once pengwynn/octokit#206 is public.
-        # api.team_member?(team_id, login)
+        memberships.fetch_membership(:team, team_id) do
+          # TODO: Use next line as method body once pengwynn/octokit#206 is public.
+          # api.team_member?(team_id, login)
 
-        # If the user is able to query the team member
-        # A user is only able to query for team members if they're a member.
-        # Thus, if querying does succeed, they will be in the list and checking
-        # the list won't be necessary.
-        api.team_members(team_id)
-        true
-      rescue Octokit::NotFound
-        false
+          begin
+            # A user is only able to query for team members if they're a member.
+            # Thus, if querying does succeed, they will be in the list and
+            # checking the list won't be necessary.
+            api.team_members(team_id)
+            true
+          rescue Octokit::NotFound
+            false
+          end
+        end
       end
 
       # Access the GitHub API from Octokit
@@ -76,6 +83,12 @@ module Warden
         # marshaled even when explicitly specifying #marshal_dump.
         Octokit::Client.new(:login => login, :oauth_token => token)
       end
+
+      private
+
+      def memberships
+        attribs['member'] ||= MembershipCache.new
+      end
     end
   end
 end

data/lib/warden/github/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module GitHub
-    VERSION = "0.13.0"
+    VERSION = "0.13.1"
   end
 end

data/lib/warden/github.rb

@@ -5,6 +5,7 @@ require 'warden/github/oauth'
 require 'warden/github/version'
 require 'warden/github/strategy'
 require 'warden/github/hook'
+require 'warden/github/config'
+require 'warden/github/membership_cache'
 
-require 'yajl'
-require 'securerandom'
+require 'securerandom'

data/spec/spec_helper.rb

@@ -5,25 +5,13 @@ SimpleCov.start do
 end
 
 require 'warden/github'
-require File.expand_path('../../example/app', __FILE__)
+require File.expand_path('../../example/simple_app', __FILE__)
 require 'rack/test'
-require 'webrat'
 require 'addressable/uri'
-require 'pp'
 require 'webmock/rspec'
 
-Webrat.configure do |config|
-  config.mode = :rack
-  config.application_port = 4567
-end
-
 RSpec.configure do |config|
   config.include(Rack::Test::Methods)
-  config.include(Webrat::Methods)
-  config.include(Webrat::Matchers)
-
-  config.before(:each) do
-  end
 
   def app
     Example.app

data/spec/unit/config_spec.rb

@@ -0,0 +1,176 @@
+require 'spec_helper'
+
+describe Warden::GitHub::Config do
+  let(:warden_scope) { :test_scope }
+
+  let(:env) do
+    { 'warden' => stub(:config => warden_config) }
+  end
+
+  let(:warden_config) do
+    { :scope_defaults => { warden_scope => { :config => scope_config } } }
+  end
+
+  let(:scope_config) do
+    {}
+  end
+
+  let(:request) do
+    stub(:url => 'http://example.com/the/path', :path => '/the/path')
+  end
+
+  subject(:config) do
+    described_class.new(env, warden_scope)
+  end
+
+  before do
+    config.stub(:request => request)
+  end
+
+  def silence_warnings
+    old_verbose, $VERBOSE = $VERBOSE, nil
+    yield
+  ensure
+    $VERBOSE = old_verbose
+  end
+
+  describe '#client_id' do
+    context 'when specified in scope config' do
+      it 'returns the client id' do
+        scope_config[:client_id] = 'foobar'
+        config.client_id.should eq 'foobar'
+      end
+    end
+
+    context 'when specified in deprecated config' do
+      it 'returns the client id' do
+        warden_config[:github_client_id] = 'foobar'
+        silence_warnings do
+          config.client_id.should eq 'foobar'
+        end
+      end
+    end
+
+    context 'when specified in ENV' do
+      it 'returns the client id' do
+        ENV.stub(:[]).with('GITHUB_CLIENT_ID').and_return('foobar')
+        config.client_id.should eq 'foobar'
+      end
+    end
+
+    context 'when not specified' do
+      it 'raises BadConfig' do
+        expect { config.client_id }.to raise_error(described_class::BadConfig)
+      end
+    end
+  end
+
+  describe '#client_secret' do
+    context 'when specified in scope config' do
+      it 'returns the client secret' do
+        scope_config[:client_secret] = 'foobar'
+        config.client_secret.should eq 'foobar'
+      end
+    end
+
+    context 'when specified in deprecated config' do
+      it 'returns the client secret' do
+        warden_config[:github_secret] = 'foobar'
+        silence_warnings do
+          config.client_secret.should eq 'foobar'
+        end
+      end
+    end
+
+    context 'when specified in ENV' do
+      it 'returns the client secret' do
+        ENV.stub(:[]).with('GITHUB_CLIENT_SECRET').and_return('foobar')
+        silence_warnings do
+          config.client_secret.should eq 'foobar'
+        end
+      end
+    end
+
+    context 'when not specified' do
+      it 'raises BadConfig' do
+        expect { config.client_secret }.to raise_error(described_class::BadConfig)
+      end
+    end
+  end
+
+  describe '#redirect_uri' do
+    context 'when specified in scope config' do
+      it 'returns the expanded redirect uri' do
+        scope_config[:redirect_uri] = '/callback'
+        config.redirect_uri.should eq 'http://example.com/callback'
+      end
+    end
+
+    context 'when specified path lacks leading slash' do
+      it 'corrects the path and returns the expanded uri' do
+        scope_config[:redirect_uri] = 'callback'
+        config.redirect_uri.should eq 'http://example.com/callback'
+      end
+    end
+
+    context 'when specified in deprecated config' do
+      it 'returns the expanded redirect uri' do
+        warden_config[:github_callback_url] = '/callback'
+        silence_warnings do
+          config.redirect_uri.should eq 'http://example.com/callback'
+        end
+      end
+    end
+
+    context 'when not specified' do
+      it 'returns the expanded redirect uri with the current path' do
+        config.redirect_uri.should eq 'http://example.com/the/path'
+      end
+    end
+
+    context 'when HTTP_X_FORWARDED_PROTO is set to https' do
+      it 'returns the expanded redirect uri with adjusted scheme' do
+        env['HTTP_X_FORWARDED_PROTO'] = 'https'
+        request.stub(:url => 'http://example.com:443/the/path')
+        config.redirect_uri.should eq 'https://example.com/the/path'
+      end
+    end
+  end
+
+  describe '#scope' do
+    context 'when specified in scope config' do
+      it 'returns the client secret' do
+        scope_config[:scope] = 'user'
+        config.scope.should eq 'user'
+      end
+    end
+
+    context 'when specified in deprecated config' do
+      it 'returns the client secret' do
+        warden_config[:github_scopes] = 'user'
+        silence_warnings do
+          config.scope.should eq 'user'
+        end
+      end
+    end
+
+    context 'when not specified' do
+      it 'returns nil' do
+        config.scope.should be_nil
+      end
+    end
+  end
+
+  describe '#to_hash' do
+    it 'includes all configs' do
+      scope_config.merge!(
+        :scope         => 'user',
+        :client_id     => 'abc',
+        :client_secret => '123',
+        :redirect_uri  => '/foo')
+
+      config.to_hash.keys.
+        should =~ [:scope, :client_id, :client_secret, :redirect_uri]
+    end
+  end
+end

data/spec/unit/membership_cache_spec.rb

@@ -0,0 +1,62 @@
+require 'spec_helper'
+
+describe Warden::GitHub::MembershipCache do
+  subject(:cache) do
+    described_class.new
+  end
+
+  describe '#fetch_membership' do
+    it 'returns false by default' do
+      cache.fetch_membership('foo', 'bar').should be_false
+    end
+
+    context 'when cache valid' do
+      before do
+        cache['foo'] = {}
+        cache['foo']['bar'] = Time.now.to_i - described_class::CACHE_TIMEOUT + 5
+      end
+
+      it 'returns true' do
+        cache.fetch_membership('foo', 'bar').should be_true
+      end
+
+      it 'does not invoke the block' do
+        expect { |b| cache.fetch_membership('foo', 'bar', &b) }.
+          to_not yield_control
+      end
+    end
+
+    context 'when cache expired' do
+      before do
+        cache['foo'] = {}
+        cache['foo']['bar'] = Time.now.to_i - described_class::CACHE_TIMEOUT - 5
+      end
+
+      context 'when no block given' do
+        it 'returns false' do
+          cache.fetch_membership('foo', 'bar').should be_false
+        end
+      end
+
+      it 'deletes the cached value' do
+        cache.fetch_membership('foo', 'bar')
+        cache['foo'].should_not have_key('bar')
+      end
+
+      it 'invokes the block' do
+        expect { |b| cache.fetch_membership('foo', 'bar', &b) }.
+          to yield_control
+      end
+    end
+
+    it 'caches the value when block returns true' do
+      cache.fetch_membership('foo', 'bar') { true }
+      cache.fetch_membership('foo', 'bar').should be_true
+    end
+
+    it 'does not cache the value when block returns false' do
+      cache.fetch_membership('foo', 'bar') { false }
+      cache.fetch_membership('foo', 'bar').should be_false
+    end
+  end
+end

data/spec/unit/user_spec.rb

@@ -46,23 +46,23 @@ describe Warden::GitHub::User do
 
   [:organization_public_member?, :organization_member?].each do |method|
     describe "##{method}" do
-      it 'asks the api for the member status' do
-        status = double
-        stub_api(user, method, ['rails', user.login], status)
+      context 'when user is not member' do
+        it 'returns false' do
+          stub_api(user, method, ['rails', user.login], false)
+          user.send(method, 'rails').should be_false
+        end
+      end
 
-        user.send(method, 'rails').should be status
+      context 'when user is member' do
+        it 'returns true' do
+          stub_api(user, method, ['rails', user.login], true)
+          user.send(method, 'rails').should be_true
+        end
       end
     end
   end
 
   describe '#team_member?' do
-    it 'asks the api for team members' do
-      status = double
-      stub_api(user, :team_members, [123], false)
-
-      user.team_member?(123)
-    end
-
     context 'when user is not member' do
       it 'returns false' do
         api = double

data/warden-github.gemspec

@@ -15,18 +15,17 @@ Gem::Specification.new do |s|
 
   s.add_dependency "warden",    ">1.0"
   s.add_dependency "octokit",   ">=1.22.0"
-  s.add_dependency "yajl-ruby", ">=1.1.0"
 
   s.add_development_dependency "rack",      "~>1.4.1"
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec",     "~>2.8"
   s.add_development_dependency "simplecov"
   s.add_development_dependency "webmock",   "~>1.9"
-  s.add_development_dependency "webrat"
   s.add_development_dependency "sinatra"
   s.add_development_dependency "shotgun"
   s.add_development_dependency "addressable", "~>2.2.0"
   s.add_development_dependency "rack-test",   "~>0.5.3"
+  s.add_development_dependency "yajl-ruby"
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: warden-github
 version: !ruby/object:Gem::Version 
-  hash: 43
+  hash: 41
   prerelease: 
   segments: 
   - 0
   - 13
-  - 0
-  version: 0.13.0
+  - 1
+  version: 0.13.1
 platform: ruby
 authors: 
 - Corey Donohoe
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-02-05 00:00:00 -08:00
+date: 2013-02-18 00:00:00 -08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -49,26 +49,10 @@ dependencies:
         version: 1.22.0
   type: :runtime
   version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: yajl-ruby
-  prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 19
-        segments: 
-        - 1
-        - 1
-        - 0
-        version: 1.1.0
-  type: :runtime
-  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: rack
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -80,11 +64,11 @@ dependencies:
         - 1
         version: 1.4.1
   type: :development
-  version_requirements: *id004
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: rake
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -94,11 +78,11 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id005
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: rspec
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -109,11 +93,11 @@ dependencies:
         - 8
         version: "2.8"
   type: :development
-  version_requirements: *id006
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: simplecov
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -123,11 +107,11 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id007
+  version_requirements: *id006
 - !ruby/object:Gem::Dependency 
   name: webmock
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -138,25 +122,11 @@ dependencies:
         - 9
         version: "1.9"
   type: :development
-  version_requirements: *id008
-- !ruby/object:Gem::Dependency 
-  name: webrat
-  prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
-  type: :development
-  version_requirements: *id009
+  version_requirements: *id007
 - !ruby/object:Gem::Dependency 
   name: sinatra
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
+  requirement: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -166,11 +136,11 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id010
+  version_requirements: *id008
 - !ruby/object:Gem::Dependency 
   name: shotgun
   prerelease: false
-  requirement: &id011 !ruby/object:Gem::Requirement 
+  requirement: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -180,11 +150,11 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id011
+  version_requirements: *id009
 - !ruby/object:Gem::Dependency 
   name: addressable
   prerelease: false
-  requirement: &id012 !ruby/object:Gem::Requirement 
+  requirement: &id010 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -196,11 +166,11 @@ dependencies:
         - 0
         version: 2.2.0
   type: :development
-  version_requirements: *id012
+  version_requirements: *id010
 - !ruby/object:Gem::Dependency 
   name: rack-test
   prerelease: false
-  requirement: &id013 !ruby/object:Gem::Requirement 
+  requirement: &id011 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -212,7 +182,21 @@ dependencies:
         - 3
         version: 0.5.3
   type: :development
-  version_requirements: *id013
+  version_requirements: *id011
+- !ruby/object:Gem::Dependency 
+  name: yajl-ruby
+  prerelease: false
+  requirement: &id012 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id012
 description: A warden strategy for easy oauth integration with github
 email: 
 - atmos@atmos.org
@@ -231,9 +215,13 @@ files:
 - README.md
 - Rakefile
 - config.ru
-- example/app.rb
+- example/multi_scope_app.rb
+- example/setup.rb
+- example/simple_app.rb
 - lib/warden/github.rb
+- lib/warden/github/config.rb
 - lib/warden/github/hook.rb
+- lib/warden/github/membership_cache.rb
 - lib/warden/github/oauth.rb
 - lib/warden/github/strategy.rb
 - lib/warden/github/user.rb
@@ -241,6 +229,8 @@ files:
 - spec/fixtures/user.json
 - spec/integration/oauth_spec.rb
 - spec/spec_helper.rb
+- spec/unit/config_spec.rb
+- spec/unit/membership_cache_spec.rb
 - spec/unit/oauth_spec.rb
 - spec/unit/user_spec.rb
 - warden-github.gemspec
@@ -282,5 +272,7 @@ test_files:
 - spec/fixtures/user.json
 - spec/integration/oauth_spec.rb
 - spec/spec_helper.rb
+- spec/unit/config_spec.rb
+- spec/unit/membership_cache_spec.rb
 - spec/unit/oauth_spec.rb
 - spec/unit/user_spec.rb

data/example/app.rb

@@ -1,98 +0,0 @@
-require 'sinatra'
-require 'yajl/json_gem'
-
-module Example
-  class App < Sinatra::Base
-    enable  :sessions
-    enable  :raise_errors
-    disable :show_exceptions
-
-    use Warden::Manager do |manager|
-      manager.default_strategies :github
-      manager.failure_app = BadAuthentication
-
-      manager[:github_client_id]    = ENV['GITHUB_CLIENT_ID']     || 'ee9aa24b64d82c21535a'
-      manager[:github_secret]       = ENV['GITHUB_CLIENT_SECRET'] || 'ed8ff0c54067aefb808dab1ca265865405d08d6f'
-
-      manager[:github_scopes]       = ''
-    end
-
-    helpers do
-      def ensure_authenticated
-        unless env['warden'].authenticate!
-          throw(:warden)
-        end
-      end
-
-      def user
-        env['warden'].user
-      end
-    end
-
-    get '/' do
-      if user
-        <<-EOS
-        <h2>Hello #{user.name}!</h2>
-        <ul>
-          <li><a href='/profile'>View profile</a></li>
-          <li><a href='/logout'>Sign out</a></li>
-        </ul>
-        EOS
-      else
-        <<-EOS
-        <h2>Hello stranger!</h2>
-        <ul>
-          <li><a href='/profile'>View profile</a> (implicit sign in)</li>
-          <li><a href='/login'>Sign in</a> (explicit sign in)</li>
-        </ul>
-        EOS
-      end
-    end
-
-    get '/profile' do
-      ensure_authenticated
-      <<-EOS
-      <h2>Hello #{user.name}!</h2>
-      <ul>
-        <li><a href='/'>Home</a></li>
-        <li><a href='/logout'>Sign out</a></li>
-      </ul>
-      <h3>Profile</h3>
-      <h4>Rails Org Member: #{user.organization_member?('rails')}.</h4>
-      <h4>Publicized Rails Org Member: #{user.organization_public_member?('rails')}.</h4>
-      <h4>Rails Committer Team Member: #{user.team_member?(632)}.</h4>
-      EOS
-    end
-
-    get '/login' do
-      ensure_authenticated
-      redirect '/'
-    end
-
-    get '/logout' do
-      env['warden'].logout
-      redirect '/'
-    end
-
-    get '/debug' do
-      content_type :text
-      env['rack.session'].to_yaml
-    end
-  end
-
-  class BadAuthentication < Sinatra::Base
-    get '/unauthenticated' do
-      status 403
-      <<-EOS
-      <h2>Unable to authenticate, sorry bud.</h2>
-      <p>#{env['warden'].message}</p>
-      EOS
-    end
-  end
-
-  def self.app
-    @app ||= Rack::Builder.new do
-      run App
-    end
-  end
-end