Added OAuth 2.0 middleware (only for accessing protected resources at this point)

Author: Michael Bleigh

.rspec

@@ -1,2 +1,3 @@
 --color
 --format=nested
+--backtrace

lib/grape.rb

@@ -4,4 +4,7 @@
 require 'grape/middleware/base'
 require 'grape/middleware/prefixer'
 require 'grape/middleware/versioner'
-require 'grape/middleware/formatter'
+require 'grape/middleware/formatter'
+require 'grape/middleware/error'
+
+require 'grape/middleware/auth/oauth2'

lib/grape/middleware/auth/oauth2.rb

@@ -0,0 +1,55 @@
+module Grape::Middleware::Auth
+  class OAuth2 < Grape::Middleware::Base
+    def default_options
+      {
+        :token_class => 'AccessToken',
+        :realm => 'OAuth API'
+      }
+    end
+    
+    def before
+      if request['oauth_token']
+        verify_token(request['oauth_token'])
+      elsif env['Authorization'] && t = parse_authorization_header
+        verify_token(t)
+      end
+    end
+    
+    def token_class
+      @klass ||= eval(options[:token_class])
+    end
+    
+    def verify_token(token)
+      if token = token_class.verify(token)
+        if token.expired?
+          error_out(401, 'expired_token')
+        else
+          if token.permission_for?(env)
+            env['api.token'] = token
+          else
+            error_out(403, 'insufficient_scope')
+          end
+        end
+      else
+        error_out(401, 'invalid_token')
+      end
+    end
+    
+    def parse_authorization_header
+      if env['Authorization'] =~ /oauth (.*)/i
+        $1
+      end
+    end
+    
+    def error_out(status, error)
+      throw :error, {
+        :message => 'The token provided has expired.',
+        :status => status,
+        :headers => {
+          'WWW-Authenticate' => "OAuth realm='#{options[:realm]}', error='#{error}'"
+        }
+      }
+    end
+  end
+end
+    

lib/grape/middleware/base.rb

@@ -25,7 +25,7 @@ def before; end
       def after; end
 
       def request
-        Rack::Request.new(env)
+        Rack::Request.new(self.env)
       end
 
       def response

lib/grape/middleware/error.rb

@@ -3,7 +3,18 @@
 module Grape
   module Middleware
     class Error < Base
+      def call!(env)
+        @env = env
+        err = catch :error do
+          @app.call(@env)
+        end
+        
+        error_response(err)
+      end
 
+      def error_response(error = {})
+        Rack::Response.new([(error[:message] || options[:default_message])], error[:status] || 403, error[:headers] || {}).finish
+      end
     end
   end
 end

lib/grape/middleware/formatter.rb

@@ -28,8 +28,7 @@ def before
         if content_types.key?(fmt)
           env['api.format'] = fmt          
         else
-          env['api.error.status'] = 406
-          env['api.error.message'] = 'The requested format is not supported.'
+          throw :error, :status => 406, :message => 'The requested format is not supported.'
         end
       end
 

spec/grape/middleware/auth/oauth2_spec.rb

@@ -0,0 +1,88 @@
+require 'spec_helper'
+
+describe Grape::Middleware::Auth::OAuth2 do
+  class FakeToken
+    def self.verify(token)
+      FakeToken.new(token) if %w(g e).include?(token[0..0])
+    end
+    
+    def initialize(token)
+      self.token = token
+    end
+    
+    def expired?
+      self.token[0..0] == 'e'
+    end
+    
+    def permission_for?(env)
+      env['PATH_INFO'] == '/forbidden' ? false : true
+    end
+    
+    attr_accessor :token
+  end
+
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Auth::OAuth2, :token_class => 'FakeToken'
+      run lambda{|env| [200, {}, [ (env['api.token'].token rescue '') ]]}
+    end
+  end
+  
+  context 'with the token in the query string' do
+    context 'and a valid token' do
+      before { get '/awesome?oauth_token=g123' }
+      
+      it 'should set env["api.token"]' do
+        last_response.body.should == 'g123'
+      end
+    end
+    
+    context 'and an invalid token' do
+      before do
+        @err = catch :error do
+          get '/awesome?oauth_token=b123'
+        end
+      end
+      
+      it 'should throw an error' do
+        @err[:status].should == 401
+      end
+      
+      it 'should set the WWW-Authenticate header in the response' do
+        @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='invalid_token'"
+      end
+    end
+  end
+  
+  context 'with an expired token' do
+    before do
+      @err = catch :error do
+        get '/awesome?oauth_token=e123'
+      end
+    end
+    
+    it { @err[:status].should == 401 }
+    it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='expired_token'" }
+  end
+  
+  context 'with the token in the header' do
+    before { get '/awesome', {}, 'Authorization' => 'OAuth g123' }
+    it { last_response.body.should == 'g123' }
+  end
+  
+  context 'with the token in the POST body' do
+    before { post '/awesome', {'oauth_token' => 'g123'} }
+    it { last_response.body.should == 'g123'}
+  end
+  
+  context 'when accessing something outside its scope' do
+    before do
+      @err = catch :error do
+        get '/forbidden?oauth_token=g123'
+      end
+    end
+    
+    it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='insufficient_scope'" }
+    it { @err[:status].should == 403 }
+  end
+end

spec/grape/middleware/error_spec.rb

@@ -1,5 +1,49 @@
 require 'spec_helper'
 
 describe Grape::Middleware::Error do
+  class ErrApp
+    class << self    
+      attr_accessor :error
+      attr_accessor :format
+      
+      def call(env)
+        throw :error, self.error
+      end
+    end
+  end
 
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Error, :default_message => 'Aww, hamburgers.'
+      run ErrApp
+    end
+  end
+  
+  it 'should set the status code appropriately' do
+    ErrApp.error = {:status => 410}
+    get '/'
+    last_response.status.should == 410
+  end
+  
+  it 'should set the error message appropriately' do
+    ErrApp.error = {:message => 'Awesome stuff.'}
+    get '/'
+    last_response.body.should == 'Awesome stuff.'
+  end
+  
+  it 'should default to a 403 status' do
+    ErrApp.error = {}
+    get '/'
+    last_response.status.should == 403
+  end
+  
+  it 'should have a default message' do
+    ErrApp.error = {}
+    get '/'
+    last_response.body.should == 'Aww, hamburgers.'
+  end
+  
+  context 'with formatting' do
+    
+  end
 end

spec/grape/middleware/formatter_spec.rb

@@ -28,8 +28,8 @@
     end
 
     it 'should throw an error on an unrecognized format' do
-      subject.call({'PATH_INFO' => '/info.barklar'})
-      subject.env['api.error.status'].should == 406
+      err = catch(:error){ subject.call({'PATH_INFO' => '/info.barklar'}) }
+      err.should == {:status => 406, :message => "The requested format is not supported."}
     end
   end
 end