warden_oauth_provider 1.0.0 → 1.0.1

data/README.textile

@@ -49,6 +49,20 @@ During the oauth process, the end-user is redirected to your application to auth
   end
 end</pre>
 
+h2. xauth
+
+The oauth provider has support for xauth, which supports requests for access tokens without user interaction. More information can be found at "dev.twitter.com":https://dev.twitter.com/docs/oauth/xauth. In order to enable xauth, make sure you set the @xauth_enabled@ boolean for a trusted client application to @true@. Furthermore you should define how the strategy should authenticate a valid user of your system by defining a Proc for the @xauth_user@ Warden config option.
+
+<pre>YourApp::Application.config.middleware.use Warden::Manager do |manager|
+  manager.default_strategies :oauth_provider, :http_basic, :password
+  manager.failure_app              = SessionsController
+  manager.oauth_request_token_path = "/oauth/request_token"
+  manager.oauth_access_token_path  = "/oauth/access_token"
+  manager.xauth_user               = Proc.new do |env, username, password|
+    User.authenticate(username, password)  # Return nil when authentication fails or a user when success
+  end
+end</pre>
+
 h2. Reporting bugs
 
 Please report bugs in this gem via Github Issues: https://github.com/bluetools/warden_oauth_provider/issues

data/lib/generators/warden_oauth_provider/install/templates/migration.rb

@@ -8,6 +8,7 @@ class CreateOauthTables < ActiveRecord::Migration
       t.string :key, :limit => 20
       t.string :secret, :limit => 40
       t.integer :user_id
+      t.boolean :xauth_enabled, :default => false
 
       t.timestamps
     end

data/lib/warden_oauth_provider/provider_strategy.rb

@@ -23,12 +23,30 @@ module WardenOauthProvider
         request_token = WardenOauthProvider::Token::Request.create!(:client_application => client_application, :callback_url => oauth_request.oauth_callback)
         custom! [200, {}, ["oauth_token=#{escape(request_token.token)}&oauth_token_secret=#{escape(request_token.secret)}&oauth_callback_confirmed=true"]]
       when warden.config.oauth_access_token_path
+        
+        if xauth_params? and xauth_mode == 'client_auth'
+          
+          # Get the user authentication proc from the settings
+          user_authentication = warden.config.xauth_user || Proc.new { |env, username, password| nil }
+          
+          # Create an access token when the client application has xauth enabled and the user can be authenticated
+          if client_application.xauth_enabled? and (user = user_authentication.call(env, xauth_username, xauth_password))
+            access_token = WardenOauthProvider::Token::Access.create!(:client_application => client_application, :user => user)
+          elsif user.nil?
+            fail!("Authentication failed")
+          else
+            fail!("xauth not allowed for client application")
+          end
+        else 
 
-        # Exchange the access token and return it
-        if access_token = (current_token && current_token.exchange!(oauth_request.oauth_verifier))
-          custom! [200, {}, ["oauth_token=#{escape(access_token.token)}&oauth_token_secret=#{escape(access_token.secret)}"]]
-        else
-          fail!("Request token exchange failed")
+          # Exchange the access token and return it
+          if !(access_token = (current_token && current_token.exchange!(oauth_request.oauth_verifier)))
+            fail!("Request token exchange failed")
+          end
+        end
+        
+        if access_token
+          custom! [200, {}, ["oauth_token=#{escape(access_token.token)}&oauth_token_secret=#{escape(access_token.secret)}"]]        
         end
       else
         
@@ -41,7 +59,7 @@ module WardenOauthProvider
       end
     end
     
-  private
+  protected
   
     def request
       @request ||= Rack::Request.new(env)
@@ -77,6 +95,22 @@ module WardenOauthProvider
       env['warden']
     end
     
+    def xauth_params?
+      request.post? and !xauth_username.nil? and !xauth_password.nil?
+    end
+    
+    def xauth_mode
+      request.params['x_auth_mode']
+    end
+    
+    def xauth_username
+      request.params['x_auth_username']
+    end
+
+    def xauth_password
+      request.params['x_auth_password']
+    end
+        
   end
   
 end

data/lib/warden_oauth_provider/version.rb

@@ -1,3 +1,3 @@
 module WardenOauthProvider
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

data/lib/warden_oauth_provider.rb

@@ -14,6 +14,6 @@ Warden::Strategies.add(:oauth_token, WardenOauthProvider::TokenStrategy)
 
 module Warden
   class Config
-    hash_accessor :oauth_request_token_path, :oauth_access_token_path
+    hash_accessor :oauth_request_token_path, :oauth_access_token_path, :xauth_user
   end
 end

data/spec/all_steps_spec.rb

@@ -32,7 +32,7 @@ describe "OAuth all steps" do
       
       # Step 2 - Authorize
       req = WardenOauthProvider::Token::Request.find_by_token(oauth_request_token)
-      env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John"}, {})
+      env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John", :password => "testtest"}, {})
       response = setup_rack.call(env_step2)
       response.first.should == 302
       location = URI.parse(response[1]["Location"])

data/spec/authorize_spec.rb

@@ -6,7 +6,7 @@ describe "Authorize" do
     
     before(:all) do
       @request_token = Factory.create(:request_token, :client_application => Factory.create(:client_application))
-      env = env_with_params("/oauth/authorize", {:oauth_token => @request_token.token, :username => "John"}, {})
+      env = env_with_params("/oauth/authorize", {:oauth_token => @request_token.token, :username => "John", :password => "testtest"}, {})
       @response = setup_rack.call(env)
       @location = URI.parse(@response[1]["Location"])
       @oauth_response = Hash[*@location.query.split("&").collect { |v| v.split("=") }.flatten]
@@ -34,7 +34,7 @@ describe "Authorize" do
       @request_token = Factory.create(:request_token, :client_application => Factory.create(:client_application))
       @request_token.invalidate!
       
-      env = env_with_params("/oauth/authorize", {:oauth_token => @request_token.token}, {})
+      env = env_with_params("/oauth/authorize", {:oauth_token => @request_token.token, :username => "John", :password => "testtest"}, {})
       @response = setup_rack.call(env)
       @response.first.should == 401
     end

data/spec/helpers/factories.rb

@@ -13,4 +13,5 @@ end
 
 Factory.define(:user) do |f|
   f.name "John"
+  f.password "testtest"
 end

data/spec/helpers/request_helper.rb

@@ -25,11 +25,11 @@ module RequestHelper
     # Required for authorize call to the app
     Warden::Strategies.add(:success) do
       def valid?
-        !params["username"].nil?
+        !params["username"].nil? and !params["password"].nil?
       end
       
       def authenticate!
-        if u = User.where(:name => params["username"]).first
+        if u = User.where(:name => params["username"], :password => params["password"]).first
           success!(u)
         else
           fail!("User unknown")
@@ -41,6 +41,9 @@ module RequestHelper
     opts[:default_strategies]  ||= [:oauth_provider, :success]
     opts[:oauth_request_token_path] ||= "/oauth/request_token"
     opts[:oauth_access_token_path] ||= "/oauth/access_token"
+    opts[:xauth_user]  ||= Proc.new do |env, username, password|
+      User.where(:name => username, :password => password).first
+    end
     
     Rack::Builder.new do
       use opts[:session] || RequestHelper::Session

data/spec/spec_helper.rb

@@ -30,6 +30,7 @@ ActiveRecord::Schema.define do
     t.string :key, :limit => 40
     t.string :secret, :limit => 40
     t.integer :user_id
+    t.boolean :xauth_enabled, :default => false
 
     t.timestamps
   end
@@ -59,6 +60,7 @@ ActiveRecord::Schema.define do
   
   create_table :users, :force => true do |t|
     t.string :name
+    t.string :password
   end
 end
 

data/spec/token_strategy_spec.rb

@@ -46,7 +46,7 @@ describe WardenOauthProvider::TokenStrategy do
     
     # Step 2 - Authorize
     req = WardenOauthProvider::Token::Request.find_by_token(oauth_request_token)
-    env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John"}, {})
+    env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John", :password => "testtest"}, {})
     response = setup_rack(nil, :session => session).call(env_step2)
     response.first.should == 302
     location = URI.parse(response[1]["Location"])
@@ -110,7 +110,7 @@ describe WardenOauthProvider::TokenStrategy do
     
     # Step 2 - Authorize
     req = WardenOauthProvider::Token::Request.find_by_token(oauth_request_token)
-    env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John"}, {})
+    env_step2 = env_with_params("/oauth/authorize", {:oauth_token => oauth_request_token, :username => "John", :password => "testtest"}, {})
     response = setup_rack(nil, :session => session).call(env_step2)
     response.first.should == 302
     location = URI.parse(response[1]["Location"])

data/spec/xauth_spec.rb

@@ -0,0 +1,149 @@
+require 'spec_helper'
+
+describe 'xauth' do
+  
+  context "success" do
+    before(:all) do
+      @user = Factory(:user)
+      @client_application = Factory.create(:client_application, :xauth_enabled => true)
+    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_signature => @client_application.secret + "%26"
+      })
+      
+      xauth_params = {
+        :x_auth_mode => "client_auth",
+        :x_auth_username => "John",
+        :x_auth_password => "testtest"
+      }
+    
+      env = env_with_params("/oauth/access_token", xauth_params.merge({ :method => "POST" }), {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @oauth_response = Hash[*@response.last.first.split("&").collect { |v| v.split("=") }.flatten]
+    end
+  
+    it "should have an oauth access token" do
+      @oauth_response.keys.should include("oauth_token")
+      @oauth_response["oauth_token"].should_not be_nil
+    end
+  
+    it "should have an oauth access token secret" do
+      @oauth_response.keys.should include("oauth_token_secret")
+      @oauth_response["oauth_token_secret"].should_not be_nil
+    end
+  
+    it "should have stored an access token with the token and secret" do
+      WardenOauthProvider::Token::Access.where(:token => @oauth_response["oauth_token"], :secret => @oauth_response["oauth_token_secret"]).count.should == 1
+    end
+  end
+  
+  context "Failure" do
+    
+    before(:all) do
+      @user = Factory(:user)
+      @client_application = Factory.create(:client_application, :xauth_enabled => true)
+    end
+    
+    it "should response with a 401 if the client application is unknown" do
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => "somerandomstring",
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_signature => @client_application.secret + "%26"
+      })
+      
+      xauth_params = {
+        :x_auth_mode => "client_auth",
+        :x_auth_username => "John",
+        :x_auth_password => "testtest"
+      }
+      
+      env = env_with_params("/oauth/access_token", xauth_params.merge({ :method => "POST" }), {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+    
+    it "should response with a 401 if the credentials are invalid" do
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_signature => @client_application.secret + "%26"
+      })
+      
+      xauth_params = {
+        :x_auth_mode => "client_auth",
+        :x_auth_username => "John",
+        :x_auth_password => "invalidpassword"
+      }
+      
+      env = env_with_params("/oauth/access_token", xauth_params.merge({ :method => "POST" }), {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+    
+    it "should response with a 401 if the client application is not authorized for xauth" do
+      @client_application.update_attribute(:xauth_enabled, false)
+      
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_signature => @client_application.secret + "%26"
+      })
+      
+      xauth_params = {
+        :x_auth_mode => "client_auth",
+        :x_auth_username => "John",
+        :x_auth_password => "testtest"
+      }
+      
+      env = env_with_params("/oauth/access_token", xauth_params.merge({ :method => "POST" }), {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+    
+    it "should response with a 401 if no xauth user proc is given" do
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_signature => @client_application.secret + "%26"
+      })
+      
+      xauth_params = {
+        :x_auth_mode => "client_auth",
+        :x_auth_username => "John",
+        :x_auth_password => "testtest"
+      }
+      
+      env = env_with_params("/oauth/access_token", xauth_params.merge({ :method => "POST" }), {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack(nil, :xauth_user => nil).call(env)
+      @response.first.should == 401
+    end
+  end
+  
+end

data/warden_oauth_provider.gemspec

@@ -7,8 +7,8 @@ Gem::Specification.new do |s|
   s.version     = WardenOauthProvider::VERSION
   s.platform    = Gem::Platform::RUBY
   s.authors     = ["Edwin Vlieg", "Berend van Bruijnsvoort"]
-  s.email       = ["info@moneybird.nl"]
-  s.homepage    = "http://www.moneybird.nl"
+  s.email       = ["info@moneybird.com"]
+  s.homepage    = "https://github.com/bluetools/warden_oauth_provider"
   s.summary     = %q{Warden strategy for OAuth provider}
   s.description = %q{Warden strategy for OAuth provider}
 

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: warden_oauth_provider
 version: !ruby/object:Gem::Version 
-  hash: 23
+  hash: 21
   prerelease: 
   segments: 
   - 1
   - 0
-  - 0
-  version: 1.0.0
+  - 1
+  version: 1.0.1
 platform: ruby
 authors: 
 - Edwin Vlieg
@@ -16,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-07-29 00:00:00 +02:00
+date: 2011-08-30 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -128,7 +128,7 @@ dependencies:
   version_requirements: *id007
 description: Warden strategy for OAuth provider
 email: 
-- info@moneybird.nl
+- info@moneybird.com
 executables: []
 
 extensions: []
@@ -164,9 +164,10 @@ files:
 - spec/spec_helper.rb
 - spec/token_spec.rb
 - spec/token_strategy_spec.rb
+- spec/xauth_spec.rb
 - warden_oauth_provider.gemspec
 has_rdoc: true
-homepage: http://www.moneybird.nl
+homepage: https://github.com/bluetools/warden_oauth_provider
 licenses: []
 
 post_install_message: 
@@ -212,3 +213,4 @@ test_files:
 - spec/spec_helper.rb
 - spec/token_spec.rb
 - spec/token_strategy_spec.rb
+- spec/xauth_spec.rb