use new rack-oauth2 rails support feature

nov · nov · commit c9a122f7146a · 2016-06-16T22:19:06.000+09:00
diff --git a/Gemfile b/Gemfile
@@ -48,4 +48,5 @@ gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 
 # NOTE: added by nov
 gem 'tpitale-constant_cache', require: 'constant_cache'
+gem 'rack-oauth2', '>= 1.3.1'
 gem 'openid_connect'
diff --git a/app/controllers/authorizations_controller.rb b/app/controllers/authorizations_controller.rb
@@ -1,54 +1,45 @@
 class AuthorizationsController < ApplicationController
+  include Concerns::ConnectEndpoint
+
+  before_action :require_oauth_request
+  before_action :require_response_type_code
+  before_action :require_client
+  before_action :require_authentication
+
   def new
   end
 
   def create
-    authorization.save!
-    separator = if current_client.redirect_uri.include?('?')
-      '&'
+    if params[:commit] == 'approve'
+      authorization = current_account.authorizations.create(
+        client: @client,
+        nonce: oauth_request.nonce
+      )
+      authorization.scopes << requested_scopes
+      oauth_response.code = authorization.code
+      oauth_response.redirect_uri = @redirect_uri
+      oauth_response.approve!
+      redirect_to oauth_response.location
     else
-      '?'
+      oauth_request.access_denied!
     end
-    redirect_to [current_client.redirect_uri, {code: authorization.code, state: accepted_params[:state]}.to_query].join(separator)
   end
 
   private
 
-  def authorization
-    unless @authorization
-      @authorization = current_account.authorizations.build(
-        client: current_client,
-        nonce: accepted_params[:nonce]
-      )
-      @authorization.scopes << requested_scopes
-    end
-    @authorization
-  end
-  helper_method :authorization
-
-  def accepted_params
-    required_params = [:client_id, :response_type, :redirect_uri, :scope]
-    optional_params = [:nonce, :state]
-    required_params.each do |key|
-      params.require key
-    end
-    if params[:response_type] != 'code'
-      raise HttpError::BadRequest.new('only respose_type=code is supported')
-    end
-    params.permit *(required_params + optional_params)
+  def require_client
+    @client = Client.find_by(identifier: oauth_request.client_id) or oauth_request.invalid_request!
+    @redirect_uri = oauth_request.verify_redirect_uri! @client.redirect_uri
   end
-  helper_method :accepted_params
 
   def requested_scopes
-    @requested_scopes ||= Scope.where name: accepted_params[:scope].split
+    @requested_scopes ||= Scope.where(name: oauth_request.scope.split)
   end
   helper_method :requested_scopes
 
-  def current_client
-    @current_client ||= Client.find_by!(
-      identifier: accepted_params[:client_id],
-      redirect_uri: accepted_params[:redirect_uri]
-    )
+  def require_response_type_code
+    unless oauth_request.response_type == :code
+      oauth_request.unsupported_response_type!
+    end
   end
-  helper_method :current_client
 end
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -1,18 +1,28 @@
 module Concerns
   module Authentication
     def current_account
-      # NOTE: implement end-user authentication logic by your own
-      @current_account ||= Account.first || Account.create
+      @current_account
     end
 
     def current_token
       @current_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
     end
 
+    def require_authentication
+      # NOTE: implement end-user authentication logic by your own
+      authenticate(
+        Account.first || Account.create
+      )
+    end
+
     def require_access_token
       unless current_token
         raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new
       end
     end
+
+    def authenticate(account)
+      @current_account = account
+    end
   end
 end
diff --git a/app/controllers/concerns/connect_endpoint.rb b/app/controllers/concerns/connect_endpoint.rb
@@ -0,0 +1,39 @@
+module Concerns
+  module ConnectEndpoint
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :oauth_request
+      rescue_from Rack::OAuth2::Server::Authorize::BadRequest, with: :handle_oauth_error!
+    end
+
+    def oauth_request
+      request.env[Rack::OAuth2::Server::Rails::REQUEST]
+    end
+
+    def oauth_response
+      request.env[Rack::OAuth2::Server::Rails::RESPONSE]
+    end
+
+    def oauth_error
+      request.env[Rack::OAuth2::Server::Rails::ERROR]
+    end
+
+    def handle_oauth_error!(e)
+      if e.redirect?
+        raise e # NOTE: rack middleware should handle this error.
+      else
+        render text: e.message, status: e.status
+      end
+    end
+
+    def require_oauth_request
+      if oauth_error
+        raise oauth_error
+      end
+      unless oauth_request && oauth_response
+        raise 'should\'t happen'
+      end
+    end
+  end
+end
diff --git a/app/controllers/user_infos_controller.rb b/app/controllers/user_infos_controller.rb
@@ -1,5 +1,5 @@
 class UserInfosController < ApplicationController
-  before_filter :require_access_token
+  before_action :require_access_token
 
   def show
     render json: current_token.account.to_response_object(current_token)
diff --git a/app/views/authorizations/new.html.erb b/app/views/authorizations/new.html.erb
@@ -1,14 +1,15 @@
 <article>
-  <h2>Authorization Request by <%= current_client.name %></h2>
-  <%= form_for authorization do |f| %>
+  <h2>Authorization Request by <%= @client.name %></h2>
+  <%= form_tag authorizations_path do %>
     <ul>
       <% requested_scopes.each do |scope| %>
         <li><%= scope.name %></li>
       <% end %>
     </ul>
-    <% accepted_params.each do |key, value| %>
-      <%= hidden_field_tag key, value %>
+    <% [:client_id, :response_type, :redirect_uri, :scope, :state, :nonce].each do |key| %>
+      <%= hidden_field_tag key, oauth_request.send(key) %>
     <% end %>
+    <p><%= submit_tag :deny %></p>
     <p><%= submit_tag :approve %></p>
   <% end %>
 </article>
diff --git a/config/application.rb b/config/application.rb
@@ -13,6 +13,7 @@ class Application < Rails::Application
     # -- all .rb files in that directory are automatically loaded.
     config.autoload_paths += %W(#{config.root}/lib)
 
+    config.middleware.use Rack::OAuth2::Server::Rails::Authorize
     config.middleware.use Rack::OAuth2::Server::Resource::Bearer, 'OpenID Connect' do |req|
       AccessToken.valid.find_by(token: req.access_token) ||
       req.invalid_token!
diff --git a/sample_rp.rb b/sample_rp.rb
@@ -0,0 +1,29 @@
+require 'openid_connect'
+
+OpenIDConnect.debug!
+
+client = OpenIDConnect::Client.new(
+  identifier: 'rp.dev',
+  secret: '42347d901a6686a533067285ed13ee1b475121a6ece10446299f4be62e4e4bfc',
+  redirect_uri: 'http://rp.dev/providers/3/open_id',
+  host: 'op2.dev',
+  scheme: 'http',
+  authorization_endpoint: '/authorizations/new',
+  token_endpoint: '/tokens',
+  userinfo_endpoint: '/user_info'
+)
+
+redirect_uri = client.authorization_uri(
+  scope: [:email, :profile],
+  state: SecureRandom.hex(8),
+  nonce: SecureRandom.hex(8)
+)
+
+puts redirect_uri
+`open "#{redirect_uri}"`
+
+print 'code: ' and STDOUT.flush
+code = gets.chop
+
+client.authorization_code = code
+client.access_token!
