# frozen_string_literal: true require "rodauth/oauth" module Rodauth Feature.define(:oauth_resource_server, :OauthResourceServer) do depends :oauth_token_introspection auth_value_method :is_authorization_server?, false auth_value_methods( :before_introspection_request ) def authorization_token return @authorization_token if defined?(@authorization_token) # check if there is a token bearer_token = fetch_access_token return unless bearer_token # where in resource server, NOT the authorization server. payload = introspection_request("access_token", bearer_token) return unless payload["active"] @authorization_token = payload end def require_oauth_authorization(*scopes) authorization_required unless authorization_token aux_scopes = authorization_token["scope"] token_scopes = if aux_scopes aux_scopes.split(oauth_scope_separator) else [] end authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) } end private def introspection_request(token_type_hint, token) introspect_url = URI("#{authorization_server_url}#{introspect_path}") response = http_request(introspect_url, { "token_type_hint" => token_type_hint, "token" => token }) do |request| before_introspection_request(request) end JSON.parse(response.body) end def before_introspection_request(request); end end end