require 'spec_helper' describe Grape::Middleware::Auth::OAuth2 do class FakeToken def self.verify(token) FakeToken.new(token) if %w(g e).include?(token[0..0]) end def initialize(token) self.token = token end def expired? self.token[0..0] == 'e' end def permission_for?(env) env['PATH_INFO'] == '/forbidden' ? false : true end attr_accessor :token end def app Rack::Builder.app do use Grape::Middleware::Auth::OAuth2, :token_class => 'FakeToken' run lambda{|env| [200, {}, [ (env['api.token'].token rescue '') ]]} end end context 'with the token in the query string' do context 'and a valid token' do before { get '/awesome?oauth_token=g123' } it 'should set env["api.token"]' do last_response.body.should == 'g123' end end context 'and an invalid token' do before do @err = catch :error do get '/awesome?oauth_token=b123' end end it 'should throw an error' do @err[:status].should == 401 end it 'should set the WWW-Authenticate header in the response' do @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_token'" end end end context 'with an expired token' do before do @err = catch :error do get '/awesome?oauth_token=e123' end end it { @err[:status].should == 401 } it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='expired_token'" } end %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head| context "with the token in the #{head} header" do before { get '/awesome', {}, head => 'OAuth g123' } it { last_response.body.should == 'g123' } end end context 'with the token in the POST body' do before { post '/awesome', {'oauth_token' => 'g123'} } it { last_response.body.should == 'g123'} end context 'when accessing something outside its scope' do before do @err = catch :error do get '/forbidden?oauth_token=g123' end end it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='insufficient_scope'" } it { @err[:status].should == 403 } end end