OAuth Scopes Fix and Refactor

app/api/api.rb

@@ -4,6 +4,7 @@ class API < Grape::API
     rack_response({message: 'Validation failed', errors: errors}.to_json, 422)
   end
 
-  include Oauth
+  include ::V1::Auth
+  helpers ::V1::APIHelper
   mount ::V1::API
 end

app/api/api_helper.rb

@@ -0,0 +1,30 @@
+module APIHelper
+  def logger
+    ::API.logger
+  end
+
+  def current_tenant
+    current_user.tenant
+  end
+
+  # API Errors
+  def bad_request!
+    render_api_error!('(400) Bad Request', 400)
+  end
+
+  def forbidden!
+    render_api_error!('(403) Forbidden', 403)
+  end
+
+  def not_found!
+    render_api_error!('(404) Not found', 404)
+  end
+
+  def unauthorized!
+    render_api_error!('(401) Unauthorized', 401)
+  end
+
+  def render_api_error!(message, status)
+    error!({message: message}, status)
+  end
+end

app/api/oauth.rb → app/api/auth.rb

@@ -1,10 +1,8 @@
-#require 'doorkeeper/grape/authorization_decorator'
+require 'doorkeeper/grape/authorization_decorator'
 
-module Oauth
+module Auth
   extend ActiveSupport::Concern
 
-  #helpers Doorkeeper::Grape::Helpers
-
   included do
     use Rack::OAuth2::Server::Resource::Bearer, 'OAuth2' do |request|
       # Yield access token to store it in the env
@@ -27,8 +25,39 @@ def find_access_token
       @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
     end
 
+    def authenticate!
+      unauthorized! unless current_user
+    end
+
+    def authorize!(action, subject)
+      unless abilities.allowed?(current_user, action, subject)
+        forbidden!
+      end
+    end
+
+    def require_scope!(scopes)
+      return unless find_access_token
+      scopes = [scopes] unless scopes.kind_of? Array
+
+      unless (find_access_token.scopes.to_a & scopes) == scopes
+        forbidden!
+      end
+    end
+
+    def can?(object, action, subject)
+      abilities.allowed?(object, action, subject)
+    end
+
     private
 
+    def abilities
+      @abilities ||= begin
+        abilities = Six.new
+        abilities << Abilities::Ability
+        abilities
+      end
+    end
+
     def find_current_user
       if find_access_token
         lookup_owner
@@ -48,9 +77,7 @@ def lookup_owner
     end
 
     def doorkeeper_request
-      @doorkeeper_request ||= ActionDispatch::Request.new(env)
-      # TODO: Determine which is fastest/best to wrap env with at a later date
-      # @doorkeeper_request ||= Doorkeeper::Grape::AuthorizationDecorator.new(request)
+      @doorkeeper_request ||= Doorkeeper::Grape::AuthorizationDecorator.new(request)
     end
 
     def warden

app/api/v1/api.rb

@@ -6,8 +6,6 @@ class API < Grape::API
     content_type :json, 'application/json'
     version 'v1', using: :path
 
-    helpers ::V1::Helpers::APIHelper
-
     mount ::V1::Resources::Categories
     mount ::V1::Resources::Posts
     mount ::V1::Resources::Media

app/api/v1/resources/applications.rb

@@ -1,17 +1,17 @@
 module V1
   module Resources
     class Applications < Grape::API
-      helpers Helpers::ParamsHelper
+      helpers ::V1::Helpers::ParamsHelper
 
       resource :applications do
         include Grape::Kaminari
-        helpers Helpers::ApplicationsHelper
+        helpers ::V1::Helpers::ApplicationsHelper
 
         paginate per_page: 25
 
         desc 'Show all applications', { entity: ::V1::Entities::Application, nickname: 'showAllApplications' }
         get do
-          require_scope! :'view:applications'
+          require_scope! 'view:applications'
           authorize! :view, ::Application
 
           @applications = ::Application.where(tenant: current_tenant)
@@ -21,7 +21,7 @@ class Applications < Grape::API
 
         desc 'Show an application', { entity: ::V1::Entities::Application, nickname: "showApplication" }
         get ':id' do
-          require_scope! :'view:applications'
+          require_scope! 'view:applications'
           present application!, with: ::V1::Entities::Application
         end
 
@@ -30,7 +30,7 @@ class Applications < Grape::API
           requires :name, type: String, desc: "Application Name"
         end
         post do
-          require_scope! :'modify:applications'
+          require_scope! 'modify:applications'
           authorize! :create, Application
 
           allowed_params = remove_params(::V1::Entities::Application.documentation.keys, :children)
@@ -43,7 +43,7 @@ class Applications < Grape::API
 
         desc 'Update an application', { entity: ::V1::Entities::Application, params: ::V1::Entities::Application.documentation, nickname: "updateApplication" }
         put ':id' do
-          require_scope! :'modify:applications'
+          require_scope! 'modify:applications'
           authorize! :update, application!
 
           allowed_params = remove_params(::V1::Entities::Application.documentation.keys, :children)
@@ -54,7 +54,7 @@ class Applications < Grape::API
 
         desc 'Delete an application', { nickname: "deleteApplication" }
         delete ':id' do
-          require_scope! :'modify:applications'
+          require_scope! 'modify:applications'
           authorize! :delete, application!
 
           application.destroy

app/api/v1/resources/bulk_jobs.rb

@@ -3,14 +3,14 @@ module Resources
     class BulkJobs < Grape::API
       resource :bulk_jobs do
         include Grape::Kaminari
-        helpers Helpers::BulkJobsHelper
+        helpers ::V1::Helpers::BulkJobsHelper
 
         paginate per_page: 25
 
         desc 'Show all bulk jobs', { entity: ::V1::Entities::BulkJob, nickname: 'showAllBulkJobs' }
         get do
           authorize! :view, ::BulkJob
-          require_scope! :'view:bulk_jobs'
+          require_scope! 'view:bulk_jobs'
 
           @bulk_job = ::BulkJob.order(created_at: :desc)
 
@@ -19,7 +19,7 @@ class BulkJobs < Grape::API
 
         desc 'Get bulk job', { entity: ::V1::Entities::BulkJob, nickname: 'showBulkJob' }
         get ':id' do
-          require_scope! :'view:bulk_jobs'
+          require_scope! 'view:bulk_jobs'
           authorize! :view, bulk_job!
 
           present bulk_job, with: ::V1::Entities::BulkJob

app/api/v1/resources/credentials.rb

@@ -1,19 +1,19 @@
 module V1
   module Resources
     class Credentials < Grape::API
-      helpers Helpers::ParamsHelper
+      helpers ::V1::Helpers::ParamsHelper
 
       resource :applications do
         segment '/:id' do
           resource :credentials do
             include Grape::Kaminari
-            helpers Helpers::ApplicationsHelper
+            helpers ::V1::Helpers::ApplicationsHelper
 
             paginate per_page: 25
 
             desc 'Show all credentials', {entity: ::V1::Entities::Credential, nickname: 'showAllCredentials'}
             get do
-              require_scope! :'view:application'
+              require_scope! 'view:application'
               authorize! :view, ::Application
 
               @credentials = application!.credentials
@@ -23,7 +23,7 @@ class Credentials < Grape::API
 
             desc 'Get credential', {entity: ::V1::Entities::Credential, nickname: 'showCredential'}
             get ':credential_id' do
-              require_scope! :'view:application'
+              require_scope! 'view:application'
               authorize! :view, application!
 
               @credential = application!.credentials.find(params[:credential_id])
@@ -33,7 +33,7 @@ class Credentials < Grape::API
 
             desc 'Delete credential', {nickname: 'deleteCredential'}
             delete ':credential_id' do
-              require_scope! :'modify:application'
+              require_scope! 'modify:application'
               authorize! :delete, application!
 
               @credential = application!.credentials.find(params[:credential_id]).delete
@@ -43,7 +43,7 @@ class Credentials < Grape::API
 
             desc 'Create a credential', {entity: ::V1::Entities::Credential, params: ::V1::Entities::Credential.documentation, nickname: 'createCredential'}
             post do
-              require_scope! :'modify:application'
+              require_scope! 'modify:application'
               authorize! :create, ::Application
 
               allowed_params = remove_params(::V1::Entities::Credential.documentation.keys, :id, :created_at, :updated_at)
@@ -56,7 +56,7 @@ class Credentials < Grape::API
 
             desc 'Update a credential', {entity: ::V1::Entities::Credential, params: ::V1::Entities::Credential.documentation, nickname: 'updateCredential'}
             put ':credential_id' do
-              require_scope! :'modify:application'
+              require_scope! 'modify:application'
               authorize! :update, application!
 
               allowed_params = remove_params(::V1::Entities::Credential.documentation.keys, :id, :created_at, :updated_at)

app/api/v1/resources/documents.rb

@@ -3,30 +3,30 @@ module Resources
     class Documents < Grape::API
       resource :documents do
         include Grape::Kaminari
-        helpers Helpers::DocumentsHelper
+        helpers ::V1::Helpers::DocumentsHelper
 
         paginate per_page: 25
 
         desc 'Show all documents', { entity: ::V1::Entities::Document, nickname: 'showAllDocument' }
         get do
           authorize! :view, ::Document
-          require_scope! :'view:documents'
+          require_scope! 'view:documents'
 
           @document = ::Document.order(created_at: :desc)
           ::V1::Entities::Document.represent paginate(@document)
         end
 
         desc 'Get document', { entity: ::V1::Entities::Document, nickname: 'showDocument' }
         get ':id' do
-          require_scope! :'view:documents'
+          require_scope! 'view:documents'
           authorize! :view, document!
 
           present document, with: ::V1::Entities::Document
         end
 
         desc 'Create document', { entity: ::V1::Entities::Document, params: ::V1::Entities::Document.documentation, nickname: 'createDocument' }
         post do
-          require_scope! :'modify:documents'
+          require_scope! 'modify:documents'
           authorize! :create, ::Document
 
           document_params = params[:document] || params
@@ -40,7 +40,7 @@ class Documents < Grape::API
 
         desc 'Update document', { entity: ::V1::Entities::Document, params: ::V1::Entities::Document.documentation, nickname: 'updateDocument' }
         put ':id' do
-          require_scope! :'modify:documents'
+          require_scope! 'modify:documents'
           authorize! :update, document!
 
           document_params = params[:document] || params
@@ -52,7 +52,7 @@ class Documents < Grape::API
 
         desc 'Delete document', { nickname: 'deleteDocument' }
         delete ':id' do
-          require_scope! :'modify:documents'
+          require_scope! 'modify:documents'
           authorize! :delete, document!
 
           begin