module Rack module OAuth2 class Server # Access token. This is what clients use to access resources. # # An access token is a unique code, associated with a client, an identity # and scope. It may be revoked, or expire after a certain period. class AccessToken class << self # Find AccessToken from token. Does not return revoked tokens. def from_token(token) Server.new_instance self, collection.find_one({ :_id=>token, :revoked=>nil }) end # Get an access token (create new one if necessary). def get_token_for(identity, scope, client_id) unless token = collection.find_one({ :identity=>identity.to_s, :scope=>scope, :client_id=>client_id }) token = { :_id=>Server.secure_random, :identity=>identity.to_s, :scope=>scope, :client_id=>client_id, :created_at=>Time.now.utc, :expires_at=>nil, :revoked=>nil } collection.insert token end Server.new_instance self, token end # Find all AccessTokens for an identity. def from_identity(identity) collection.find({ :identity=>identity }).map { |fields| Server.new_instance self, fields } end def collection Server.database["oauth2.access_tokens"] end end # Access token. As unique as they come. attr_reader :_id alias :token :_id # The identity we authorized access to. attr_reader :identity # Client that was granted this access token. attr_reader :client_id # The scope granted in this token. attr_reader :scope # When token was granted. attr_reader :created_at # When token expires for good. attr_reader :expires_at # Timestamp if revoked. attr_accessor :revoked # Revokes this access token. def revoke! self.revoked = Time.now.utc AccessToken.collection.update({ :_id=>token }, { :$set=>{ :revoked=>revoked } }) end Server.create_indexes do # Used to revoke all pending access grants when revoking client. collection.create_index [[:client_id, Mongo::ASCENDING]] # Used to get/revoke access tokens for an identity, also to find and # return existing access token. collection.create_index [[:identity, Mongo::ASCENDING]] end end end end end