
Do not allow the user arg to Provider.access_token() to be nil. If you want implicit user lookup, pass :implicit as the user. This prevents accidental authorization in cases where the application developer does not check the result of their User.find() calls.
1 parent 7775e63 commit 927650971da40af17da3656136556dc82bab3867 @jcoglan jcoglan committed Aug 1, 2013
@@ -362,10 +362,10 @@ determine whether to serve the request or not.
It is also common to provide a dynamic resource for getting some basic data
about a user by supplying their access token. This can be done by passing
-<tt>nil</tt> as the resource owner:
+<tt>:implicit</tt> as the resource owner:
get '/me' do
- token = Songkick::OAuth2::Provider.access_token(nil, [], env)
+ token = Songkick::OAuth2::Provider.access_token(:implicit, [], env)
if token.valid?
JSON.unparse('username' => token.owner.username)
else
@@ -105,7 +105,7 @@
# Domain API
get '/me' do
- authorization = Songkick::OAuth2::Provider.access_token(nil, [], env)
+ authorization = Songkick::OAuth2::Provider.access_token(:implicit, [], env)
headers authorization.response_headers
status authorization.response_status
@@ -56,8 +56,13 @@ def validate!
return @error = EXPIRED_TOKEN if @authorization.expired?
return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
- if @resource_owner and @authorization.owner != @resource_owner
- @error = INSUFFICIENT_SCOPE
+ case @resource_owner
+ when :implicit
+ # no error
+ when nil
+ @error = INVALID_TOKEN
+ else
+ @error = INSUFFICIENT_SCOPE if @authorization.owner != @resource_owner
end
end
end
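Review bot: The new `when nil` branch turns a server-side caller error (the application's owner lookup returned nil) into a client-facing `invalid_token` response, and the bare `# no error` on the `:implicit` branch gives the next maintainer no hint that these two sentinels mean very different things. Suggest replacing `# no error` with `# :implicit — caller opted out of owner matching; the authorization's own owner is used` and adding `# nil means the caller's owner lookup failed; fail closed rather than grant access to whoever the token belongs to` above `@error = INVALID_TOKEN`. Because the nil case is reported to the client rather than raised, the developer bug it catches surfaces only as 401s in the client's logs; a server-side warning at this point would make it discoverable, though that is a judgement call beyond this hunk. `validate!` begins before this hunk, so whatever guards `@authorization` itself is not visible here.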
@@ -52,11 +52,23 @@
it_should_behave_like "valid token"
end
+ describe "with an implicit user" do
+ let :token do
+ Songkick::OAuth2::Provider::AccessToken.new(:implicit, ['profile'], 'magic-key')
+ end
+ it_should_behave_like "valid token"
+ end
+
describe "with no user" do
let :token do
Songkick::OAuth2::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
end
- it_should_behave_like "valid token"
+ it_should_behave_like "invalid token"
+
+ it "returns an error response" do
+ token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
+ token.response_status.should == 401
+ end
end
describe "with less scope than was granted" do
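Review bot: The "with an implicit user" example only runs the "valid token" shared behaviour, so nothing here confirms that `:implicit` bypasses just the owner comparison and not the expiry and scope checks that run before it in `validate!`. An example building `Songkick::OAuth2::Provider::AccessToken.new(:implicit, ['other-scope'], 'magic-key')` and expecting the "invalid token" behaviour (with the corresponding `insufficient_scope` error) would pin that, mirroring the existing "with less scope than was granted" case for a real owner. The shared examples are defined outside this hunk, so what "valid token" asserts is inferred from its name.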

