Use concerns for token models to update future functionality without …

…regenerating models

BREAKING CHANGE: For security reasons, only the digest of the token is stored.
A migration to update existing installations is coming.
commit af4196943aee69ab031b5e284a87319cf4e26e17 1 parent e9e7e77
@pelle authored
Showing with 385 additions and 152 deletions.
  1. +1 −7 lib/generators/active_record/oauth_provider_templates/access_token.rb
  2. +2 −11 lib/generators/active_record/oauth_provider_templates/client_application.rb
  3. +3 −2 lib/generators/active_record/oauth_provider_templates/migration.rb
  4. +2 −18 lib/generators/active_record/oauth_provider_templates/oauth2_token.rb
  5. +4 −23 lib/generators/active_record/oauth_provider_templates/oauth2_verifier.rb
  6. +9 −24 lib/generators/active_record/oauth_provider_templates/oauth_token.rb
  7. +3 −28 lib/generators/active_record/oauth_provider_templates/request_token.rb
  8. +0 −9 lib/generators/mongoid/oauth_provider_templates/client_application.rb
  9. +3 −3 lib/generators/mongoid/oauth_provider_templates/oauth_token.rb
  10. +3 −10 lib/generators/mongoid/oauth_provider_templates/request_token.rb
  11. +1 −0  lib/oauth-provider.rb
  12. +13 −0 lib/oauth/provider/models/access_token.rb
  13. +26 −0 lib/oauth/provider/models/authorizable.rb
  14. +20 −0 lib/oauth/provider/models/authorized.rb
  15. +26 −0 lib/oauth/provider/models/bearer_token.rb
  16. +35 −0 lib/oauth/provider/models/request_token.rb
  17. +24 −0 lib/oauth/provider/models/secret.rb
  18. +20 −0 lib/oauth/provider/models/short_expiry.rb
  19. +22 −0 lib/oauth/provider/models/token.rb
  20. +27 −0 lib/oauth/provider/models/verifier.rb
  21. +2 −2 lib/oauth/rack/oauth_filter.rb
  22. +43 −9 spec/dummy_provider_models.rb
  23. +0 −2  spec/oauth/provider/authorizer_spec.rb
  24. +13 −0 spec/oauth/provider/models/access_token_spec.rb
  25. +12 −0 spec/oauth/provider/models/oauth2_token_spec.rb
  26. +13 −0 spec/oauth/provider/models/oauth2_verifier_spec.rb
  27. +12 −0 spec/oauth/provider/models/oauth_token_spec.rb
  28. +21 −0 spec/oauth/provider/models/request_token_spec.rb
  29. +22 −4 spec/rack/oauth_filter_spec.rb
  30. +3 −0  spec/spec_helper.rb
8 lib/generators/active_record/oauth_provider_templates/access_token.rb
@@ -1,6 +1,5 @@
class AccessToken < OauthToken
- validates_presence_of :user, :secret
- before_create :set_authorized_at
+ include Oauth::Provider::Models::AccessToken
# Implement this to return a hash or array of the capabilities the access token has
# This is particularly useful if you have implemented user defined permissions.
@@ -8,9 +7,4 @@ class AccessToken < OauthToken
# {:invalidate=>"/oauth/invalidate",:capabilities=>"/oauth/capabilities"}
# end
- protected
-
- def set_authorized_at
- self.authorized_at = Time.now
- end
end
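Review bot: Removing `validates_presence_of :user, :secret` on line 56 leaves AccessToken creatable with no user, and the Oauth::Provider::Models::AccessToken concern that replaces it only restores the secret generation and the authorized_at stamp, not the user presence check. Oauth2Token is affected the same way, since oauth2_token.rb now inherits from OauthToken instead of AccessToken. If an access token without a user is never valid in this provider, keep the check in the template: `validates_presence_of :user`. If it was dropped deliberately so the concern can serve models without a user, a one-line comment in the template saying so would stop the next reader from putting it back.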
13 lib/generators/active_record/oauth_provider_templates/client_application.rb
@@ -15,15 +15,6 @@ class ClientApplication < ActiveRecord::Base
attr_accessor :token_callback_url
- def self.find_token(token_key)
- token = OauthToken.find_by_token(token_key, :include => :client_application)
- if token && token.authorized?
- token
- else
- nil
- end
- end
-
def self.verify_request(request, options = {}, &block)
begin
signature = OAuth::Signature.build(request, options, &block)
@@ -51,7 +42,7 @@ def create_request_token(params={})
protected
def generate_keys
- self.key = OAuth::Helper.generate_key(40)[0,40]
- self.secret = OAuth::Helper.generate_key(40)[0,40]
+ self.key = SecureRandom.hex
+ self.secret = SecureRandom.hex
end
end
5 lib/generators/active_record/oauth_provider_templates/migration.rb
@@ -17,16 +17,17 @@ def self.up
t.integer :user_id
t.string :type, :limit => 20
t.integer :client_application_id
- t.string :token, :limit => 40
+ t.string :token_digest, :limit => 40
t.string :secret, :limit => 40
t.string :callback_url
t.string :verifier, :limit => 20
t.string :scope
+ t.string :state
t.timestamp :authorized_at, :invalidated_at, :expires_at
t.timestamps
end
- add_index :oauth_tokens, :token, :unique => true
+ add_index :oauth_tokens, :token_digest, :unique => true
create_table :oauth_nonces do |t|
t.string :nonce
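Review bot: The unchanged `t.string :verifier, :limit => 20` on line 105 is now too narrow: Oauth::Provider::Models::RequestToken#authorize! (lib/oauth/provider/models/request_token.rb) and the mongoid request_token template both assign `SecureRandom.hex`, which is 32 characters. On a database that enforces the limit the authorize! save fails; on one that silently truncates, the stored verifier never equals the one handed to the client and exchange! always returns false. Widen it to `t.string :verifier, :limit => 40`, and carry the same width into the migration the commit message promises for existing installs. The `secret` column stays clear-text while `token` becomes a digest; if that is intended, a comment on line 103 such as `# secret stays in clear text: it is needed to verify OAuth 1 signatures` would record the reasoning.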
20 lib/generators/active_record/oauth_provider_templates/oauth2_token.rb
@@ -1,20 +1,4 @@
-class Oauth2Token < AccessToken
- attr_accessor :state
- def as_json(options={})
- d = {:access_token=>token, :token_type => 'bearer'}
- d[:expires_in] = expires_in if expires_at
- d
- end
+class Oauth2Token < OauthToken
+ include Oauth::Provider::Models::BearerToken
- def to_query
- q = "access_token=#{token}&token_type=bearer"
- q << "&state=#{URI.escape(state)}" if @state
- q << "&expires_in=#{expires_in}" if expires_at
- q << "&scope=#{URI.escape(scope)}" if scope
- q
- end
-
- def expires_in
- expires_at.to_i - Time.now.to_i
- end
end
27 lib/generators/active_record/oauth_provider_templates/oauth2_verifier.rb
@@ -1,35 +1,16 @@
class Oauth2Verifier < OauthToken
+ include Oauth::Provider::Models::Verifier
+
validates_presence_of :user
- attr_accessor :state
def exchange!(params={})
- OauthToken.transaction do
+ ActiveRecor.transaction do
token = Oauth2Token.create! :user=>user,:client_application=>client_application, :scope => scope
invalidate!
token
end
end
- def code
- token
- end
-
- def redirect_url
- callback_url
- end
-
- def to_query
- q = "code=#{token}"
- q << "&state=#{URI.escape(state)}" if @state
- q
- end
-
- protected
-
- def generate_keys
- self.token = OAuth::Helper.generate_key(20)[0,20]
- self.expires_at = 10.minutes.from_now
- self.authorized_at = Time.now
- end
+
end
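Review bot: `ActiveRecor.transaction do` on line 149 references an undefined constant, so every call to Oauth2Verifier#exchange! raises NameError before the Oauth2Token is created; the intended receiver is `ActiveRecord::Base.transaction do` (or simply keep `OauthToken.transaction do`, which uses the same connection). No spec covers exchange! on the verifier, which is how the typo got through — the new oauth2_verifier_spec.rb only checks creation. A short comment above the method, `# Swaps a consumed authorization code for a bearer token and invalidates the code in the same transaction.`, would also document why the invalidate! sits inside the transaction block.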
33 lib/generators/active_record/oauth_provider_templates/oauth_token.rb
@@ -1,30 +1,15 @@
class OauthToken < ActiveRecord::Base
+ include Oauth::Provider::Models::Token
+ include Oauth::Provider::Models::Authorizable
+
belongs_to :client_application
belongs_to :user
- validates_uniqueness_of :token
- validates_presence_of :client_application, :token
- before_validation :generate_keys, :on => :create
-
- def invalidated?
- invalidated_at != nil
- end
-
- def invalidate!
- update_attribute(:invalidated_at, Time.now)
- end
-
- def authorized?
- authorized_at != nil && !invalidated?
- end
-
- def to_query
- "oauth_token=#{token}&oauth_token_secret=#{secret}"
- end
-
- protected
+ validates_presence_of :client_application
- def generate_keys
- self.token = OAuth::Helper.generate_key(40)[0,40]
- self.secret = OAuth::Helper.generate_key(40)[0,40]
+ scope :valid, where(["invalidated_at IS NULL AND authorized_at IS NOT NULL AND (expires_at is null or expires_at >= ?)", Time.now])
+ scope :by_token, lambda { |token| valid.where(:token_digest => Digest::SHA1.hexdigest(token))}
+
+ def self.find_by_valid_token(token)
+ valid.by_token(token).first
end
end
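Review bot: `scope :valid, where([..., Time.now])` on line 212 evaluates `Time.now` once when the class is loaded, so the expiry condition compares against process start time and tokens that expire afterwards are still returned by `valid`, `by_token` and `find_by_valid_token` for the life of the process — which defeats the ten-minute window ShortExpiry gives verifiers and request tokens. Wrap it in a lambda so the clock is read per query: `scope :valid, lambda { where(["invalidated_at IS NULL AND authorized_at IS NOT NULL AND (expires_at IS NULL OR expires_at >= ?)", Time.now]) }`. `find_by_valid_token` can then be `by_token(token).first`, since `by_token` already applies `valid`. `Digest::SHA1.hexdigest(token)` raises TypeError on a nil token, so callers must guard the argument (oauth_filter.rb does); and with `validates_uniqueness_of :token` gone, the only uniqueness guarantee on `token_digest` is the index added in the migration.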
31 lib/generators/active_record/oauth_provider_templates/request_token.rb
@@ -1,18 +1,9 @@
class RequestToken < OauthToken
-
- attr_accessor :provided_oauth_verifier
-
- def authorize!(user)
- return false if authorized?
- self.user = user
- self.authorized_at = Time.now
- self.verifier=OAuth::Helper.generate_key(20)[0,20] unless oauth10?
- self.save
- end
-
+ include Oauth::Provider::Models::RequestToken
+
def exchange!
return false unless authorized?
- return false unless oauth10? || verifier==provided_oauth_verifier
+ return false unless verifier==provided_oauth_verifier
RequestToken.transaction do
access_token = AccessToken.create(:user => user, :client_application => client_application)
@@ -21,20 +12,4 @@ def exchange!
end
end
- def to_query
- if oauth10?
- super
- else
- "#{super}&oauth_callback_confirmed=true"
- end
- end
-
- def oob?
- callback_url.nil? || callback_url.downcase == 'oob'
- end
-
- def oauth10?
- (defined? OAUTH_10_SUPPORT) && OAUTH_10_SUPPORT && self.callback_url.blank?
- end
-
end
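Review bot: `return false unless verifier==provided_oauth_verifier` on line 239 passes when both sides are nil: a RequestToken row with an empty verifier column (one authorized by the pre-change code, which skipped the verifier for OAuth 1.0) exchanges for an access token when the request simply omits oauth_verifier. Check the stored value first: `return false if verifier.blank? || verifier != provided_oauth_verifier`. The mongoid request_token template (line 310) has the same comparison. exchange! continues past the end of the first hunk.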
9 lib/generators/mongoid/oauth_provider_templates/client_application.rb
@@ -30,15 +30,6 @@ class ClientApplication
attr_accessor :token_callback_url
- def self.find_token(token_key)
- token = OauthToken.where(:token => token_key)
- if token && token.authorized?
- token
- else
- nil
- end
- end
-
def self.verify_request(request, options = {}, &block)
begin
signature = OAuth::Signature.build(request, options, &block)
6 lib/generators/mongoid/oauth_provider_templates/oauth_token.rb
@@ -2,7 +2,7 @@ class OauthToken
include Mongoid::Document
include Mongoid::Timestamps
- field :token, :type => String
+ field :token_digest, :type => String
field :secret, :type => String
field :callback_url, :type => String
field :verifier, :type => String
@@ -38,7 +38,7 @@ def to_query
protected
def generate_keys
- self.token = OAuth::Helper.generate_key(40)[0,40]
- self.secret = OAuth::Helper.generate_key(40)[0,40]
+ self.token = SecureRandom.hex
+ self.secret = SecureRandom.hex
end
end
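Review bot: The mongoid template is left half-migrated: the field is renamed to `token_digest` on line 284, but generate_keys on line 293 still assigns `self.token`, nothing computes the digest, and there is no `by_token`/`find_by_valid_token` counterpart to what the active_record template gains — even though lib/oauth/rack/oauth_filter.rb now calls both. Tokens created from this template would persist no digest and could never be looked up. Either include Oauth::Provider::Models::Token here as the active_record template does (it supplies the `token` accessor and the digest callback) and add matching finders, or mark the template with `# TODO: mongoid lookup by token_digest not yet implemented` so the gap is visible.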
13 lib/generators/mongoid/oauth_provider_templates/request_token.rb
@@ -5,13 +5,13 @@ def authorize!(user)
return false if authorized?
self.user = user
self.authorized_at = Time.now
- self.verifier = OAuth::Helper.generate_key(20)[0,20] unless oauth10?
+ self.verifier = SecureRandom.hex
self.save
end
def exchange!
return false unless authorized?
- return false unless oauth10? || verifier == provided_oauth_verifier
+ return false unless verifier == provided_oauth_verifier
AccessToken.create(:user => user, :client_application => client_application).tap do
invalidate!
@@ -19,18 +19,11 @@ def exchange!
end
def to_query
- if oauth10?
- super
- else
- "#{super}&oauth_callback_confirmed=true"
- end
+ "#{super}&oauth_callback_confirmed=true"
end
def oob?
callback_url.nil? || callback_url.downcase == 'oob'
end
- def oauth10?
- (defined? OAUTH_10_SUPPORT) && OAUTH_10_SUPPORT && self.callback_url.blank?
- end
end
1  lib/oauth-provider.rb
@@ -12,6 +12,7 @@
require 'oauth/provider/models/bearer_token'
require 'oauth/provider/models/secret'
require 'oauth/provider/models/short_expiry'
+require 'oauth/provider/models/access_token'
require 'oauth/provider/models/request_token'
require 'oauth/provider/models/verifier'
13 lib/oauth/provider/models/access_token.rb
@@ -0,0 +1,13 @@
+module Oauth
+ module Provider
+ module Models
+ module AccessToken
+ extend ActiveSupport::Concern
+
+ include Oauth::Provider::Models::Secret
+ include Oauth::Provider::Models::Authorized
+
+ end
+ end
+ end
+end
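Review bot: The new concern carries no comment saying what it contributes, and its name is easy to confuse with the generated AccessToken model that includes it. A header above `module AccessToken` on line 345 such as `# Mixed into an access-token model: generates a secret and stamps authorized_at on create (see Secret and Authorized).` would do. It also does not restore the user presence validation the active_record template dropped, so any model including it needs its own `validates_presence_of :user` if that is required.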
26 lib/oauth/provider/models/authorizable.rb
@@ -0,0 +1,26 @@
+module Oauth
+ module Provider
+ module Models
+ module Authorizable
+ extend ActiveSupport::Concern
+
+ def invalidated?
+ invalidated_at != nil
+ end
+
+ def invalidate!
+ update_attribute(:invalidated_at, Time.now)
+ end
+
+ def authorized?
+ authorized_at != nil && !invalidated?
+ end
+
+ def expires_in
+ expires_at.to_i - Time.now.to_i if expires_at
+ end
+
+ end
+ end
+ end
+end
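Review bot: `authorized?` on lines 372-374 never consults `expires_at`, so a token past its expiry still answers true; the generated RequestToken#exchange! and Oauth2Verifier#exchange! gate only on `authorized?`, so a request token or verifier past its ShortExpiry window can still be exchanged for an access token (only the SQL `valid` scope in the active_record template checks expiry, and those paths do not use it). Add an `expired?` predicate and fold it into `authorized?` as below. `expires_in` on line 377 goes negative once expiry has passed, which is surprising in a response body; clamping it to 0 is a contract change for callers, so only do that if none depend on the sign.

```ruby
# … unchanged: invalidated?, invalidate! …

def authorized?
  authorized_at != nil && !invalidated? && !expired?
end

# True once expires_at has passed; tokens without an expiry never expire.
def expired?
  !expires_at.nil? && expires_at <= Time.now
end

# … unchanged: expires_in …
```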
20 lib/oauth/provider/models/authorized.rb
@@ -0,0 +1,20 @@
+module Oauth
+ module Provider
+ module Models
+ module Authorized
+ extend ActiveSupport::Concern
+
+ included do
+ before_create :set_authorized_at
+ end
+
+ protected
+
+ def set_authorized_at
+ self.authorized_at = Time.now
+ end
+
+ end
+ end
+ end
+end
26 lib/oauth/provider/models/bearer_token.rb
@@ -0,0 +1,26 @@
+module Oauth
+ module Provider
+ module Models
+ module BearerToken
+ extend ActiveSupport::Concern
+
+ include Oauth::Provider::Models::Authorized
+
+ def as_json(options={})
+ d = {:access_token=>token, :token_type => 'bearer'}
+ d[:expires_in] = expires_in if expires_at
+ d
+ end
+
+ def to_query
+ q = "access_token=#{token}&token_type=bearer"
+ q << "&state=#{URI.escape(state)}" if state
+ q << "&expires_in=#{expires_in}" if expires_at
+ q << "&scope=#{URI.escape(scope)}" if scope
+ q
+ end
+
+ end
+ end
+ end
+end
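Review bot: `URI.escape(state)` on line 426 and `URI.escape(scope)` on line 428 leave the query delimiters `&`, `=` and `+` unencoded, so a client-supplied state containing `&` is spliced into the redirect query as additional parameters, and `URI.escape` is in any case obsolete (removed in Ruby 3). Use `CGI.escape(state)` and `CGI.escape(scope)` with `require 'cgi'` at the top of the file; Verifier#to_query in lib/oauth/provider/models/verifier.rb (line 571) has the same call. A comment on `as_json` would also help the next reader: `# token is only populated on the instance that created it; a reloaded record serialises with access_token nil because only the digest is stored.`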
35 lib/oauth/provider/models/request_token.rb
@@ -0,0 +1,35 @@
+module Oauth
+ module Provider
+ module Models
+ module RequestToken
+ extend ActiveSupport::Concern
+
+ include Oauth::Provider::Models::Secret
+ include Oauth::Provider::Models::ShortExpiry
+
+
+ included do
+ attr_accessor :provided_oauth_verifier
+ end
+
+ def authorize!(user)
+ return false if authorized?
+ self.user = user
+ self.authorized_at = Time.now
+ self.verifier = SecureRandom.hex
+ self.save
+ end
+
+
+ def to_query
+ "#{super}&oauth_callback_confirmed=true"
+ end
+
+ def oob?
+ callback_url.nil? || callback_url.downcase == 'oob'
+ end
+
+ end
+ end
+ end
+end
24 lib/oauth/provider/models/secret.rb
@@ -0,0 +1,24 @@
+module Oauth
+ module Provider
+ module Models
+ module Secret
+ extend ActiveSupport::Concern
+
+ included do
+ before_create :generate_secret
+ end
+
+ def to_query
+ "oauth_token=#{token}&oauth_token_secret=#{secret}"
+ end
+
+ protected
+
+ def generate_secret
+ self.secret ||= SecureRandom.hex
+ end
+
+ end
+ end
+ end
+end
20 lib/oauth/provider/models/short_expiry.rb
@@ -0,0 +1,20 @@
+module Oauth
+ module Provider
+ module Models
+ module ShortExpiry
+ extend ActiveSupport::Concern
+
+ included do
+ before_create :set_expiry
+ end
+
+ protected
+
+ def set_expiry
+ self.expires_at = Time.now() + 600
+ end
+
+ end
+ end
+ end
+end
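Review bot: `Time.now() + 600` on line 517 uses empty call parentheses and a bare magic number; the idiomatic form is `self.expires_at = Time.now + EXPIRY_SECONDS` with `EXPIRY_SECONDS = 600` declared in the module, which also records that the window is ten minutes (the generator template it replaces used `10.minutes.from_now`). A header comment above `module ShortExpiry`, `# Gives the including model a ten-minute lifetime, set on create.`, would make the purpose visible without reading the callback.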
22 lib/oauth/provider/models/token.rb
@@ -0,0 +1,22 @@
+module Oauth
+ module Provider
+ module Models
+ module Token
+ extend ActiveSupport::Concern
+
+ included do
+ before_create :generate_token
+ attr_accessor :token
+ end
+
+ protected
+
+ def generate_token
+ self.token ||= SecureRandom.hex
+ self.token_digest ||= Digest::SHA1.hexdigest(token)
+ end
+
+ end
+ end
+ end
+end
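Review bot: The concern relies on `SecureRandom` and `Digest::SHA1` having been loaded by whoever required the file; add `require 'securerandom'` and `require 'digest/sha1'` at the top so it works outside a full Rails boot (the specs only get them via `require 'rails'`). A header comment would save the next reader a surprise: `# Stores only SHA1(token) in token_digest; the clear-text token lives in the in-memory accessor and is available only on the instance that created it.` generate_token is declared `protected` but is only ever reached through the callback, so `private` states the intent more precisely.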
27 lib/oauth/provider/models/verifier.rb
@@ -0,0 +1,27 @@
+module Oauth
+ module Provider
+ module Models
+ module Verifier
+ extend ActiveSupport::Concern
+ include Oauth::Provider::Models::Authorized
+ include Oauth::Provider::Models::ShortExpiry
+
+
+ def code
+ token
+ end
+
+ def redirect_url
+ callback_url
+ end
+
+ def to_query
+ q = "code=#{token}"
+ q << "&state=#{URI.escape(state)}" if state
+ q
+ end
+
+ end
+ end
+ end
+end
4 lib/oauth/rack/oauth_filter.rb
@@ -24,7 +24,7 @@ def call(env)
env["oauth_plugin"] = true
strategies = []
if token_string = oauth2_token(request)
- if token = Oauth2Token.first(:conditions => ['invalidated_at IS NULL AND authorized_at IS NOT NULL and token = ?', token_string])
+ if token = Oauth2Token.find_by_valid_token(token_string)
env["oauth.token"] = token
env["oauth.version"] = 2
strategies << :oauth20_token
@@ -40,7 +40,7 @@ def call(env)
oauth_token = nil
if request_proxy.token
- oauth_token = client_application.tokens.first(:conditions => ['invalidated_at IS NULL AND authorized_at IS NOT NULL and token = ?', request_proxy.token])
+ oauth_token = client_application.tokens.by_token( request_proxy.token).first
if oauth_token.respond_to?(:provided_oauth_verifier=)
oauth_token.provided_oauth_verifier = request_proxy.oauth_verifier
end
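Review bot: `client_application.tokens.by_token( request_proxy.token).first` on line 594 has a stray space after the opening parenthesis; write `client_application.tokens.by_token(request_proxy.token).first`. Both lookups now depend on finders that only the active_record template defines (`by_token`, `find_by_valid_token`); the mongoid template in this commit has neither, so the filter raises NoMethodError there. call starts and ends outside both hunks.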
52 spec/dummy_provider_models.rb
@@ -1,3 +1,8 @@
+require 'active_model/validations'
+require 'active_model/conversion'
+require 'active_model/naming'
+require 'active_model/callbacks'
+
# Dummy implementation
class ClientApplication
attr_accessor :key
@@ -20,7 +25,17 @@ def secret
end
class OauthToken
- attr_accessor :token
+ # extend ActiveModel::Naming
+ # include ActiveModel::Conversion
+ extend ActiveModel::Callbacks
+ define_model_callbacks :create
+ include ActiveModel::Validations
+ include ActiveModel::Validations::Callbacks
+
+ include Oauth::Provider::Models::Token
+ include Oauth::Provider::Models::Authorizable
+
+ attr_accessor :secret, :token, :token_digest, :expires_at, :invalidated_at, :authorized_at
def self.first(conditions_hash)
case conditions_hash[:conditions].last
@@ -31,19 +46,38 @@ def self.first(conditions_hash)
end
end
- def initialize(token)
- @token = token
+ def initialize(token = nil)
+ self.token = token
+ @secret = 'secret'
end
- def secret
- "secret"
+ def save
+ if valid?
+ _run_create_callbacks do
+ self
+ end
+ end
+ self
end
+
end
-class Oauth2Token < OauthToken ; end
-class Oauth2Verifier < OauthToken ; end
-class AccessToken < OauthToken ; end
-class RequestToken < OauthToken ; end
+class Oauth2Token < OauthToken
+ include Oauth::Provider::Models::BearerToken
+end
+
+class Oauth2Verifier < OauthToken
+ include Oauth::Provider::Models::Verifier
+
+end
+class AccessToken < OauthToken
+ include Oauth::Provider::Models::AccessToken
+end
+
+class RequestToken < OauthToken
+ attr_accessor :user, :verifier
+ include Oauth::Provider::Models::RequestToken
+end
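Review bot: `_run_create_callbacks` on line 639 is an internal ActiveSupport method (the underscore prefix marks it as such), and `save` returns `self` on line 643 whether or not `valid?` passed, so a dummy model that fails validation is indistinguishable from one that saved — the new specs call `Model.new.save` and then `should be_valid`, which would pass even through the invalid branch. Use the public API and mirror ActiveRecord's contract: `return false unless valid?` followed by `run_callbacks(:create) { self }` (return `self` after the call explicitly if your ActiveSupport version does not return the block value). The commented-out `extend ActiveModel::Naming` / `include ActiveModel::Conversion` on lines 613-614 should either be dropped or get a comment saying why they are kept.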
class OauthNonce
# Always remember
2  spec/oauth/provider/authorizer_spec.rb
@@ -1,7 +1,5 @@
require 'spec_helper'
require 'multi_json'
-require 'oauth/provider/authorizer'
-require 'dummy_provider_models'
describe OAuth::Provider::Authorizer do
13 spec/oauth/provider/models/access_token_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe AccessToken do
+ let(:token) { AccessToken.new.save }
+ subject { token }
+
+ its(:token) {should be}
+ its(:secret) {should be}
+ its(:token_digest) {should == Digest::SHA1.hexdigest( token.token )}
+ it { should be_valid}
+ it { should be_authorized }
+ it { should_not be_invalidated }
+end
12 spec/oauth/provider/models/oauth2_token_spec.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe Oauth2Token do
+ let(:token) { Oauth2Token.new.save }
+ subject { token }
+
+ its(:token) {should be}
+ its(:token_digest) {should == Digest::SHA1.hexdigest( token.token )}
+ it { should be_valid}
+ it { should be_authorized }
+ it { should_not be_invalidated }
+end
13 spec/oauth/provider/models/oauth2_verifier_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe Oauth2Verifier do
+ let(:token) { Oauth2Verifier.new.save }
+ subject { token }
+
+ its(:token) {should be}
+ its(:code) {should == token.token }
+ its(:token_digest) {should == Digest::SHA1.hexdigest( token.token )}
+ it { should be_valid}
+ it { should be_authorized }
+ it { should_not be_invalidated }
+end
12 spec/oauth/provider/models/oauth_token_spec.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe OauthToken do
+ let(:token) { OauthToken.new.save }
+ subject { token }
+
+ its(:token) {should be}
+ its(:token_digest) {should == Digest::SHA1.hexdigest( token.token )}
+ it { should be_valid}
+ it { should_not be_authorized }
+ it { should_not be_invalidated }
+end
21 spec/oauth/provider/models/request_token_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe RequestToken do
+ let(:token) { RequestToken.new.save }
+ let(:user) { double("user") }
+ subject { token }
+
+ its(:token) {should be}
+ its(:secret) {should be}
+ its(:token_digest) {should == Digest::SHA1.hexdigest( token.token )}
+ it { should be_valid}
+ it { should_not be_authorized }
+ it { should_not be_invalidated }
+
+ describe "Authorizing" do
+ before(:each) { token.authorize!(user) }
+ its(:user) { should == user }
+ its(:verifier) { should be}
+ it { should be_authorized }
+ end
+end
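Review bot: exchange! gets no coverage here: the spec checks that authorize! sets a verifier but never that exchange! refuses a missing or mismatched `provided_oauth_verifier`, which is exactly the check this commit rewrote in both generator templates. A `describe "Exchanging"` block with one example that sets `token.provided_oauth_verifier = 'wrong'` and expects `token.exchange!` to be false would pin it; the dummy RequestToken would need an exchange! implementation first, since the method currently lives only in the generated models.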
26 spec/rack/oauth_filter_spec.rb
@@ -42,7 +42,9 @@ def app
it "should sign with oauth 1 access token" do
client_application = ClientApplication.new "my_consumer"
ClientApplication.stub!(:find_by_key).and_return(client_application)
- client_application.tokens.stub!(:first).and_return(AccessToken.new("my_token"))
+ token = AccessToken.new("my_token")
+
+ client_application.tokens.stub!(:by_token).and_return([token])
get '/',{},{"HTTP_AUTHORIZATION"=>'OAuth oauth_consumer_key="my_consumer", oauth_nonce="oiFHXoN0172eigBBUfgaZLdQg7ycGekv8iTdfkCStY", oauth_signature="y35B2DqTWaNlzNX0p4wv%2FJAGzg8%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1295040394", oauth_token="my_token", oauth_version="1.0"'}
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -52,7 +54,7 @@ def app
it "should sign with oauth 1 request token" do
client_application = ClientApplication.new "my_consumer"
ClientApplication.stub!(:find_by_key).and_return(client_application)
- client_application.tokens.stub!(:first).and_return(RequestToken.new("my_token"))
+ client_application.tokens.stub!(:by_token).and_return([RequestToken.new("my_token")])
get '/',{},{"HTTP_AUTHORIZATION"=>'OAuth oauth_consumer_key="my_consumer", oauth_nonce="oiFHXoN0172eigBBUfgaZLdQg7ycGekv8iTdfkCStY", oauth_signature="y35B2DqTWaNlzNX0p4wv%2FJAGzg8%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1295040394", oauth_token="my_token", oauth_version="1.0"'}
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -71,7 +73,7 @@ def app
it "should sign with oauth 1 access token" do
client_application = ClientApplication.new "my_consumer"
ClientApplication.stub!(:find_by_key).and_return(client_application)
- client_application.tokens.stub!(:first).and_return(AccessToken.new("my_token"))
+ client_application.tokens.stub!(:by_token).and_return([AccessToken.new("my_token")])
get '/',{},{"HTTP_AUTHORIZATION"=>'OAuth oauth_consumer_key="my_consumer",oauth_nonce="oiFHXoN0172eigBBUfgaZLdQg7ycGekv8iTdfkCStY",oauth_signature="y35B2DqTWaNlzNX0p4wv%2FJAGzg8%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1295040394",oauth_token="my_token",oauth_version="1.0"'}
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -81,7 +83,7 @@ def app
it "should sign with oauth 1 request token" do
client_application = ClientApplication.new "my_consumer"
ClientApplication.stub!(:find_by_key).and_return(client_application)
- client_application.tokens.stub!(:first).and_return(RequestToken.new("my_token"))
+ client_application.tokens.stub!(:by_token).and_return([RequestToken.new("my_token")])
get '/',{},{"HTTP_AUTHORIZATION"=>'OAuth oauth_consumer_key="my_consumer",oauth_nonce="oiFHXoN0172eigBBUfgaZLdQg7ycGekv8iTdfkCStY",oauth_signature="y35B2DqTWaNlzNX0p4wv%2FJAGzg8%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1295040394",oauth_token="my_token",oauth_version="1.0"'}
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -94,6 +96,8 @@ def app
describe "token given through a HTTP Auth Header" do
context "authorized and non-invalidated token" do
it "authenticates" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('valid_token').and_return(Oauth2Token.new("valid_token"))
+
get '/', {}, { "HTTP_AUTHORIZATION" => "Bearer valid_token" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -103,6 +107,7 @@ def app
context "non-authorized token" do
it "doesn't authenticate" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('not_authorized').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "Bearer not_authorized" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -112,6 +117,7 @@ def app
context "authorized and invalidated token" do
it "doesn't authenticate with an invalidated token" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('invalidated').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "Bearer invalidated" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -124,6 +130,7 @@ def app
describe "token given through a HTTP Auth Header" do
context "authorized and non-invalidated token" do
it "authenticates" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('valid_token').and_return(Oauth2Token.new("valid_token"))
get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth valid_token" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -133,6 +140,7 @@ def app
context "non-authorized token" do
it "doesn't authenticate" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('not_authorized').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth not_authorized" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -142,6 +150,7 @@ def app
context "authorized and invalidated token" do
it "doesn't authenticate with an invalidated token" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('invalidated').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "OAuth invalidated" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -154,6 +163,7 @@ def app
describe "token given through a HTTP Auth Header following the OAuth2 pre draft" do
context "authorized and non-invalidated token" do
it "authenticates" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('valid_token').and_return(Oauth2Token.new("valid_token"))
get '/', {}, { "HTTP_AUTHORIZATION" => "Token valid_token" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -163,6 +173,7 @@ def app
context "non-authorized token" do
it "doesn't authenticate" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('not_authorized').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "Token not_authorized" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -172,6 +183,7 @@ def app
context "authorized and invalidated token" do
it "doesn't authenticate with an invalidated token" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('invalidated').and_return(nil)
get '/', {}, { "HTTP_AUTHORIZATION" => "Token invalidated" }
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -184,6 +196,7 @@ def app
describe "token given through the query parameter '#{name}'" do
context "authorized and non-invalidated token" do
it "authenticates" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('valid_token').and_return(Oauth2Token.new("valid_token"))
get "/?#{name}=valid_token"
last_response.should be_ok
@@ -194,6 +207,7 @@ def app
context "non-authorized token" do
it "doesn't authenticate" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('not_authorized').and_return(nil)
get "/?#{name}=not_authorized"
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -203,6 +217,7 @@ def app
context "authorized and invalidated token" do
it "doesn't authenticate with an invalidated token" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('invalidated').and_return(nil)
get "/?#{name}=invalidated"
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -214,6 +229,7 @@ def app
describe "token given through the post parameter '#{name}'" do
context "authorized and non-invalidated token" do
it "authenticates" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('valid_token').and_return(Oauth2Token.new("valid_token"))
post '/', name => 'valid_token'
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -223,6 +239,7 @@ def app
context "non-authorized token" do
it "doesn't authenticate" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('not_authorized').and_return(nil)
post '/', name => 'not_authorized'
last_response.should be_ok
response = MultiJson.decode(last_response.body)
@@ -232,6 +249,7 @@ def app
context "authorized and invalidated token" do
it "doesn't authenticate with an invalidated token" do
+ Oauth2Token.should_receive(:find_by_valid_token).with('invalidated').and_return(nil)
post '/', name => 'invalidated'
last_response.should be_ok
response = MultiJson.decode(last_response.body)
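Review bot: The `Oauth2Token.should_receive(:find_by_valid_token)...` line is repeated in every example from line 807 onward with only the token string varying; each `context` could carry one `before { Oauth2Token.should_receive(:find_by_valid_token).with(token_string).and_return(result) }` driven by `let`s, which also puts the valid / not_authorized / invalidated distinction in one place. In the first hunk the stub's token is extracted into a `token` local (line 770), while the three sibling examples (lines 781, 790, 799) inline it; pick one form for all four.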
3  spec/spec_helper.rb
@@ -1,3 +1,6 @@
$LOAD_PATH.unshift(File.dirname(__FILE__))
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
require 'rspec'
+require 'rails'
+require 'oauth-provider'
+require 'dummy_provider_models'
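Review bot: `require 'rails'` on line 919 boots the whole Rails framework just to make `ActiveSupport::Concern` and `ActiveModel` available to the concerns and the dummy models; `require 'active_support/concern'` together with the `active_model/*` requires already added in spec/dummy_provider_models.rb would keep the suite independent of a full Rails install and faster to start. It also means `SecureRandom` and `Digest::SHA1` are only loaded transitively, which hides the missing requires in lib/oauth/provider/models/token.rb.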