Use proper Rack spec header recognition for the Authentication header.

Author: Michael Bleigh

Gemfile.lock

@@ -0,0 +1,52 @@
+PATH
+  remote: .
+  specs:
+    grape (0.1.4)
+      multi_json
+      multi_xml
+      rack
+      rack-jsonp
+      rack-mount
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    ZenTest (4.5.0)
+    diff-lcs (1.1.2)
+    json_pure (1.5.2)
+    maruku (0.6.0)
+      syntax (>= 1.0.0)
+    multi_json (1.0.3)
+    multi_xml (0.2.2)
+    rack (1.3.0)
+    rack-jsonp (1.2.0)
+      rack
+    rack-mount (0.8.1)
+      rack (>= 1.0.0)
+    rack-test (0.6.0)
+      rack (>= 1.0)
+    rake (0.9.2)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+    syntax (1.0.0)
+    yard (0.7.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  ZenTest
+  bundler
+  grape!
+  json_pure
+  maruku
+  rack-test
+  rake
+  rspec (~> 2.6.0)
+  yard

lib/grape/api.rb

@@ -138,7 +138,7 @@ def helpers(&block)
       end
 
       # Add an authentication type to the API. Currently
-      # only `:http_basic` is supported.
+      # only `:http_basic` and `:oauth2` are supported.
       def auth(type = nil, options = {}, &block)
         if type
           set(:auth, {:type => type.to_sym, :proc => block}.merge(options))

lib/grape/middleware/auth/oauth2.rb

@@ -1,10 +1,12 @@
 module Grape::Middleware::Auth
+  # OAuth 2.0 authorization for Grape APIs.
   class OAuth2 < Grape::Middleware::Base
     def default_options
       {
         :token_class => 'AccessToken',
         :realm => 'OAuth API',
         :parameter => %w(bearer_token oauth_token),
+        :accepted_headers => %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION),
         :header => [/Bearer (.*)/i, /OAuth (.*)/i]
       }
     end
@@ -21,14 +23,21 @@ def token_parameter
     end
 
     def token_header
-      return false unless env['Authorization']
+      return false unless authorization_header
       Array(options[:header]).each do |regexp|
-        if env['Authorization'] =~ regexp
+        if authorization_header =~ regexp
           return $1
         end
       end
       nil
     end
+
+    def authorization_header
+      options[:accepted_headers].each do |head|
+        return env[head] if env[head]
+      end
+      nil
+    end
 
     def token_class
       @klass ||= eval(options[:token_class])
@@ -39,7 +48,7 @@ def verify_token(token)
         if token.respond_to?(:expired?) && token.expired?
           error_out(401, 'expired_token')
         else
-          if token.permission_for?(env)
+          if !token.respond_to?(:permission_for?) || token.permission_for?(env)
             env['api.token'] = token
           else
             error_out(403, 'insufficient_scope')
@@ -50,12 +59,6 @@ def verify_token(token)
       end
     end
 
-    def parse_authorization_header
-      if env['Authorization'] =~ /oauth (.*)/i
-        $1
-      end
-    end
-    
     def error_out(status, error)
       throw :error, {
         :message => error,

spec/grape/middleware/auth/oauth2_spec.rb

@@ -65,9 +65,11 @@ def app
     it { @err[:headers]['WWW-Authenticate'].should == "OAuth realm='OAuth API', error='expired_token'" }
   end
 
-  context 'with the token in the header' do
-    before { get '/awesome', {}, 'Authorization' => 'OAuth g123' }
-    it { last_response.body.should == 'g123' }
+  %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head|  
+    context "with the token in the #{head} header" do
+      before { get '/awesome', {}, head => 'OAuth g123' }
+      it { last_response.body.should == 'g123' }
+    end
   end
 
   context 'with the token in the POST body' do