From dbe2eb1dfef8990e78f950adf713eab60c3202be Mon Sep 17 00:00:00 2001 From: Paul Covell Date: Fri, 1 Jun 2012 18:39:46 -0400 Subject: [PATCH] Cookie parameters can now be used for authentication --- lib/rack/oauth2/server.rb | 20 +++++++++----- test/oauth/access_token_test.rb | 47 +++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 6 deletions(-) diff --git a/lib/rack/oauth2/server.rb b/lib/rack/oauth2/server.rb index 20ea62a..51c7812 100644 --- a/lib/rack/oauth2/server.rb +++ b/lib/rack/oauth2/server.rb @@ -203,7 +203,7 @@ def get_issuer(identifier) # type, no error will result. # Options = Struct.new(:access_token_path, :authenticator, :assertion_handler, :authorization_types, - :authorize_path, :database, :host, :param_authentication, :path, :realm, + :authorize_path, :database, :host, :param_authentication, :cookie_authentication, :path, :realm, :expires_in,:logger, :collection_prefix) # Global options. This is what we set during configuration (e.g. Rails' @@ -223,6 +223,7 @@ def initialize(app, options = nil, &authenticator) @options.authorize_path ||= "/oauth/authorize" @options.authorization_types ||= %w{code token} @options.param_authentication ||= false + @options.cookie_authentication ||= false @options.collection_prefix ||= "oauth2" end @@ -254,11 +255,18 @@ def call(env) if request.authorization # 5.1.1. The Authorization Request Header Field token = request.credentials if request.oauth? - elsif options.param_authentication && !request.GET["oauth_verifier"] # Ignore OAuth 1.0 callbacks - # 5.1.2. URI Query Parameter - # 5.1.3. Form-Encoded Body Parameter - token = request.GET["oauth_token"] || request.POST["oauth_token"] - token ||= request.GET['access_token'] || request.POST['access_token'] + else + if options.param_authentication + # 5.1.2. URI Query Parameter + # 5.1.3. Form-Encoded Body Parameter + token = request.GET["oauth_token"] || request.POST["oauth_token"] + token ||= request.GET['access_token'] || request.POST['access_token'] + end + + if !token && options.cookie_authentication + # 5.1.4. Cookie Value + token ||= request.cookies['oauth_token'] || request.cookies['access_token'] + end end if token diff --git a/test/oauth/access_token_test.rb b/test/oauth/access_token_test.rb index 46a763b..afef3d9 100644 --- a/test/oauth/access_token_test.rb +++ b/test/oauth/access_token_test.rb @@ -165,6 +165,53 @@ def with_expired_token end end end + + # 5.1.4. Cookie Parameter + + context "cookie parameter" do + context "default mode" do + setup { + set_cookie "oauth_token=#{@token}" + get "/private" + } + should_fail_authentication + end + + context "enabled" do + setup do + config.cookie_authentication = true + end + + context "no token" do + setup { + clear_cookies + get "/private" + } + should_fail_authentication + end + + context "valid token" do + setup { + set_cookie "oauth_token=#{@token}" + get "/private" + } + should_return_resource "Shhhh" + end + + context "invalid token" do + setup { + set_cookie "oauth_token=dingdong" + get "/private" + } + should_fail_authentication :invalid_token + end + + teardown do + config.cookie_authentication = false + end + end + end + end context "POST" do