lib/rack/oauth2/server.rb in rack-oauth2-server-2.3.0 vs lib/rack/oauth2/server.rb in rack-oauth2-server-2.4.0
- old
+ new
@@ -77,16 +77,16 @@
# making a request to /oauth/access_token.
#
# @param [String,Integer] identity User ID, account ID, etc
# @param [String] client_id Client identifier
# @param [Array, nil] scope Array of string, nil if you want 'em all
- # @param [Integer, nil] expires How many seconds before access grant
+ # @param [Integer, nil] expires_in How many seconds before access grant
# expires (default to 5 minutes)
# @return [String] Access grant authorization code
- def access_grant(identity, client_id, scope = nil, expires = nil)
+ def access_grant(identity, client_id, scope = nil, expires_in = nil)
client = get_client(client_id) or fail "No such client"
- AccessGrant.create(identity, client, scope || client.scope, nil, expires).code
+ AccessGrant.create(identity, client, scope || client.scope, nil, expires_in).code
end
# Returns AccessToken from token.
#
# @param [String] token Access token (e.g. from oauth.access_token)
@@ -100,14 +100,16 @@
# token generated if one does not already exists.
#
# @param [String,Integer] identity Identity, e.g. user ID, account ID
# @param [String] client_id Client application identifier
# @param [Array, nil] scope Array of names, nil if you want 'em all
+ # @param [Integer, nil] expires How many seconds before access token
+ # expires, defaults to never. If zero or nil, token never expires.
# @return [String] Access token
- def token_for(identity, client_id, scope = nil)
+ def token_for(identity, client_id, scope = nil, expires_in = nil)
client = get_client(client_id) or fail "No such client"
- AccessToken.get_token_for(identity, client, scope || client.scope).token
+ AccessToken.get_token_for(identity, client, scope || client.scope, expires_in).token
end
# Returns all AccessTokens for an identity.
#
# @param [String] identity Identity, e.g. user ID, account ID
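Review bot: The new YARD tag `# @param [Integer, nil] expires How many seconds before access token` names a parameter that does not exist on the new signature of `token_for`, which takes `expires_in`; it should read `# @param [Integer, nil] expires_in How many seconds before access token`. The same comment asserts that zero means the token never expires, but this hunk only forwards the value to `AccessToken.get_token_for`, so that zero-handling lives elsewhere and should be confirmed there before being documented here. Since the comment above says a token is only generated when none exists, it is also worth stating whether `expires_in` has any effect when an existing token is returned.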
@@ -128,10 +130,12 @@
# Defaults to ["code", "token"], and you can change it to just one of
# these names.
# - :authorize_path -- Path for requesting end-user authorization. By
# convention defaults to /oauth/authorize.
# - :database -- Mongo::DB instance (this is a global option).
+ # - :expires_in -- Number of seconds an auth token will live. If nil or
+ # zero, access token never expires.
# - :host -- Only check requests sent to this host.
# - :path -- Only check requests for resources under this path.
# - :param_authentication -- If true, supports authentication using
# query/form parameters.
# - :realm -- Authorization realm that will show up in 401 responses.
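Review bot: The new option description switches from `auth token` on its first line to `access token` on its second; `# - :expires_in -- Number of seconds an access token will live. If nil or` keeps the wording consistent with the rest of this list and with the `token_for` documentation. Because the value is also forwarded to `auth_request.grant!` later in this diff, a sentence saying which issued artifacts the lifetime applies to would save readers a trip through AuthRequest — add it once that behavior is confirmed.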
@@ -146,11 +150,12 @@
# oauth.authenticator = lambda do |username, password|
# user = User.find_by_username(username)
# user if user && user.authenticated?(password)
# end
Options = Struct.new(:access_token_path, :authenticator, :authorization_types,
- :authorize_path, :database, :host, :param_authentication, :path, :realm, :logger)
+ :authorize_path, :database, :host, :param_authentication, :path, :realm,
+ :expires_in,:logger)
# Global options. This is what we set during configuration (e.g. Rails'
# config/application), and options all handlers inherit by default.
def self.options
@options
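Review bot: Style: `:expires_in,:logger` is missing the space after the comma, and the new field is placed out of the alphabetical order the rest of the `Options` member list follows (it would belong between `:database` and `:host`); `:authorize_path, :database, :expires_in, :host, :param_authentication, :path, :realm,` then `:logger)`. Moving it changes the positional slot of every later member, so do this only if no caller builds `Options.new` positionally — that cannot be determined from this diff.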
@@ -312,11 +317,11 @@
auth_request = self.class.get_auth_request(headers["oauth.authorization"])
redirect_uri = URI.parse(auth_request.redirect_uri)
if status == 403
auth_request.deny!
else
- auth_request.grant! headers["oauth.identity"]
+ auth_request.grant! headers["oauth.identity"], options.expires_in
end
# 3.1. Authorization Response
if auth_request.response_type == "code"
if auth_request.grant_code
logger.info "RO2S: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
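Review bot: `auth_request.grant! headers["oauth.identity"], options.expires_in` forwards the access-token lifetime into the authorization step, and the `"code"` response-type branch directly below still reads `auth_request.grant_code` afterwards. If `grant!` applies that value to the authorization code as well as to implicit-flow tokens, a nil or zero `:expires_in` (documented as "never expires") would produce authorization codes without an expiry, whereas `access_grant` earlier in this file defaults an unset expiry to 5 minutes; confirm that `grant!` keeps the short code lifetime independent of this argument. Once confirmed, a call-site comment such as `# expires_in governs the issued access token; authorization codes keep their own short default` would make the distinction visible. The enclosing method starts and ends outside the hunk.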
@@ -348,20 +353,20 @@
client = get_client(request)
case request.POST["grant_type"]
when "none"
# 4.1 "none" access grant type (i.e. two-legged OAuth flow)
requested_scope = request.POST["scope"] ? Utils.normalize_scope(request.POST["scope"]) : client.scope
- access_token = AccessToken.create_token_for(client, requested_scope)
+ access_token = AccessToken.get_token_for(client.id.to_s, client, requested_scope, options.expires_in)
when "authorization_code"
# 4.1.1. Authorization Code
grant = AccessGrant.from_code(request.POST["code"])
raise InvalidGrantError, "Wrong client" unless grant && client.id == grant.client_id
unless client.redirect_uri.nil? || client.redirect_uri.to_s.empty?
raise InvalidGrantError, "Wrong redirect URI" unless grant.redirect_uri == Utils.parse_redirect_uri(request.POST["redirect_uri"]).to_s
end
raise InvalidGrantError, "This access grant expired" if grant.expires_at && grant.expires_at <= Time.now.to_i
- access_token = grant.authorize!
+ access_token = grant.authorize!(options.expires_in)
when "password"
raise UnsupportedGrantType unless options.authenticator
# 4.1.2. Resource Owner Password Credentials
username, password = request.POST.values_at("username", "password")
raise InvalidGrantError, "Missing username/password" unless username && password
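Review bot: Replacing `AccessToken.create_token_for(client, requested_scope)` with `AccessToken.get_token_for(client.id.to_s, client, requested_scope, options.expires_in)` changes the `"none"` grant from minting a token per request to reusing an existing one keyed on the client's own id as identity (the `token_for` documentation earlier in this diff says a token is generated only if none exists). That is a behavior change callers of the two-legged flow may not expect: the same token is now shared across requests, so revoking it affects every holder, and a reissued token presumably keeps the expiry it was created with unless `get_token_for` refreshes it — confirm in AccessToken. A comment above the call, `# Two-legged flow: reuse the client's own token (identity = client id) rather than minting a new one per request`, would record the intent; the `"password"` branch in the following hunk forwards `options.expires_in` the same way and shares the expiry question. The enclosing method starts and ends outside the hunk.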
@@ -370,10 +375,10 @@
raise InvalidScopeError unless (requested_scope - allowed_scope).empty?
args = [username, password]
args << client.id << requested_scope unless options.authenticator.arity == 2
identity = options.authenticator.call(*args)
raise InvalidGrantError, "Username/password do not match" unless identity
- access_token = AccessToken.get_token_for(identity, client, requested_scope)
+ access_token = AccessToken.get_token_for(identity, client, requested_scope, options.expires_in)
else
raise UnsupportedGrantType
end
logger.info "RO2S: Access token #{access_token.token} granted to client #{client.display_name}, identity #{access_token.identity}" if logger
response = { :access_token=>access_token.token }