
Block access if the resource owner is not specified but a scope is.

1 parent 54b5642 commit 1cf35323869cf254acc5559b2a3697bc44fb8da1 @jcoglan jcoglan committed Nov 27, 2010
Showing with 29 additions and 17 deletions.
  1. +15 −9 README.rdoc
  2. +5 −7 lib/oauth2/provider/access_token.rb
  3. +8 −0 spec/oauth2/provider_spec.rb
  4. +1 −1 spec/test_app/provider/application.rb
@@ -159,25 +159,31 @@ simple, for example a call to get a user's notes:
get '/user/:username/notes' do
user = User.find_by_username(params[:username])
- token = OAuth2::Provider.access_token(request)
- if user.grants_access?(token, 'read_notes')
+ token = OAuth2::Provider.access_token(user, ['read_notes'], request)
+
+ headers token.response_headers
+ status token.response_status
+
+ if token.valid?
JSON.unparse('notes' => user.notes)
else
JSON.unparse('error' => 'No notes for you!')
end
end
-<tt>OAuth2::ResourceOwner#grants_access?</tt> takes a <tt>token</tt> object from
-the <tt>Provider.access_token</tt> method, and zero or more scopes that are
-required to access the resource. If the token was not granted for the required
-scopes, has expired or is simply invalid, the call returns <tt>false</tt>.
+<tt>OAuth2::Provider.access_token()</tt> takes a <tt>ResourceOwner</tt>, a list
+of scopes required to access the resource, and a request object. If the token
+was not granted for the required scopes, has expired or is simply invalid,
+headers and a status code are set to indicate this to the client. <tt>token.valid?</tt>
+is the call you should use to determine whether to server the request or not.
It is also common to provide a dynamic resource for getting some basic data
-about a user by supplying their access token. This is also simple:
+about a user by supplying their access token. This can be done by passing
+<tt>nil</tt> as the resource owner:
get '/me' do
- token = OAuth2::Provider.access_token(request)
- if token
+ token = OAuth2::Provider.access_token(nil, [], request)
+ if token.valid?
JSON.unparse('username' => token.owner.username)
else
JSON.unparse('error' => 'Keep out!')
@@ -43,14 +43,12 @@ def valid?
private
def validate!
- return @error = '' unless @access_token
- return @error = INVALID_TOKEN unless @authorization
+ return @error = '' unless @access_token
+ return @error = INVALID_TOKEN unless @authorization
+ return @error = EXPIRED_TOKEN if @authorization.expired?
+ return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
- return @error = EXPIRED_TOKEN if @authorization.expired?
-
- return unless @resource_owner
-
- unless @resource_owner.grants_access?(@authorization, *@scopes)
+ if @resource_owner and @authorization.owner != @resource_owner
@error = INSUFFICIENT_SCOPE
end
end
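Review bot: The new owner check on the `if @resource_owner and @authorization.owner != @resource_owner` line uses `and` for boolean logic; it is harmless in a bare `if`, but `and` binds lower than `&&` and `=`, so the usual form is `if @resource_owner && @authorization.owner != @resource_owner`. That branch also reports a token issued to a different owner as INSUFFICIENT_SCOPE, the same error as a scope mismatch; if that is deliberate (not distinguishing "wrong owner" from "wrong scope" in the response), a one-line comment such as `# A token for another owner is reported as insufficient_scope, not as a distinct error` would keep a later maintainer from "fixing" it. The comparison relies on the owner model's `==`, which is outside this hunk. validate! is fully inside the hunk, but its enclosing class is not.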
@@ -402,6 +402,14 @@
response['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
end
+ it "cannot get the current user when the key is for the wrong scope" do
+ @authorization.update_attribute(:scope, 'wall')
+ response = request('/me', 'oauth_token' => 'magic-key')
+ JSON.parse(response.body)['data'].should == 'No soup for you'
+ response.code.to_i.should == 403
+ response['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
+ end
+
it "blocks access when the key is expired" do
@authorization.update_attribute(:expires_at, 2.hours.ago)
response = request('/user_profile', 'oauth_token' => 'magic-key')
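Review bot: The new example "cannot get the current user when the key is for the wrong scope" covers only a token whose scope is set to another value; the case the commit title describes (no resource owner but a required scope) also includes a token that carries no scope at all, which the old `return unless @resource_owner` path let through in the same way. A companion example beside it, using the same `request('/me', ...)` helper and asserting the same 403 and WWW-Authenticate header, would pin that boundary. Whether `update_attribute(:scope, ...)` is rolled back between examples depends on the spec setup above the hunk, which I cannot see. The enclosing describe block starts and ends outside the hunk.

```ruby
it "cannot get the current user when the key has no scope" do
  @authorization.update_attribute(:scope, '') # constructed value: confirm how an unscoped token is stored
  response = request('/me', 'oauth_token' => 'magic-key')
  response.code.to_i.should == 403
  response['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
end
```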
@@ -54,7 +54,7 @@ def serve_protected_resource
[:get, :post].each do |method|
__send__ method, '/me' do
- protect_resource_for do |auth|
+ protect_resource_for(nil, ['profile']) do |auth|
if auth.valid?
JSON.unparse('data' => auth.owner.name)
else
