From ee1f7160675656c9a51730e1b0ffdae9286f1d95 Mon Sep 17 00:00:00 2001 From: Eric Krause Date: Sun, 22 May 2011 22:28:18 -0400 Subject: [PATCH 01/16] rails 3 and ruby 1.9.2 updates --- config/routes.rb | 2 +- spec/rails_app/Gemfile | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index f9b5bb0..b108ea3 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,5 +1,5 @@ require 'token_endpoint' -Rails.application.routes.draw do |map| +Rails.application.routes.draw do namespace 'oauth2' do resources :authorizations, :only => :create end diff --git a/spec/rails_app/Gemfile b/spec/rails_app/Gemfile index 84462fd..94e15ec 100644 --- a/spec/rails_app/Gemfile +++ b/spec/rails_app/Gemfile @@ -4,7 +4,8 @@ gem 'rails', '3.0.7' gem 'rspec-rails', '2.6.0' gem 'devise_oauth2_providable', :path => '../../' gem 'shoulda-matchers', '1.0.0.beta2' -gem 'ruby-debug' +# gem 'ruby-debug' +gem 'rake', '0.8.7' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' From 933af3f0121b993a1deee1986c8fd73c7ecaa032 Mon Sep 17 00:00:00 2001 From: Eric Krause Date: Sun, 22 May 2011 22:30:34 -0400 Subject: [PATCH 02/16] changed the spec so that it was comparing json objects, and not strings --- spec/rails_app/spec/integration/token_endpoint_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/rails_app/spec/integration/token_endpoint_spec.rb b/spec/rails_app/spec/integration/token_endpoint_spec.rb index b3900ae..8bce30f 100644 --- a/spec/rails_app/spec/integration/token_endpoint_spec.rb +++ b/spec/rails_app/spec/integration/token_endpoint_spec.rb @@ -26,7 +26,7 @@ :refresh_token => refresh_token.token, :access_token => token.token } - response.body.should == expected.to_json + JSON.parse(response.body).should == JSON.parse(expected.to_json) end end end 
@@ -56,7 +56,7 @@ :refresh_token => refresh_token.token, :access_token => token.token } - response.body.should == expected.to_json + JSON.parse(response.body).should == JSON.parse(expected.to_json) end end context 'with invalid params' do From 404733a6cecca00b95534f9883a93fad88c7e0d5 Mon Sep 17 00:00:00 2001 From: Eric Krause Date: Sun, 22 May 2011 22:33:54 -0400 Subject: [PATCH 03/16] We use an extra key for authentication. Token endpoint will try to map all required keys to params that were passed in to the hash --- lib/token_endpoint.rb | 7 ++- spec/rails_app/app/models/user.rb | 10 ++++ .../20110523015635_add_pet_column_to_users.rb | 9 +++ spec/rails_app/db/schema.rb | 3 +- .../spec/integration/token_endpoint_spec.rb | 59 ++++++++++++++++++- 5 files changed, 84 insertions(+), 4 deletions(-) create mode 100644 spec/rails_app/db/migrate/20110523015635_add_pet_column_to_users.rb diff --git a/lib/token_endpoint.rb b/lib/token_endpoint.rb index f63fa0f..ce061cd 100644 --- a/lib/token_endpoint.rb +++ b/lib/token_endpoint.rb @@ -33,7 +33,12 @@ def find_refresh_token(req, client) raise InvalidGrantType.new('invalid authorization code') unless code && code.valid_request?(req) client.refresh_tokens.create! :user => code.user when :password - resource = mapping.to.find_for_authentication(mapping.to.authentication_keys.first => req.username) + conditions = Hash.new + mapping.to.authentication_keys.each do |key| + conditions[key] = req.env["rack.request.form_hash"][key.to_s] + end + conditions[:email] = req.username + resource = mapping.to.find_for_authentication(conditions) raise InvalidGrantType.new('user not found') unless resource raise InvalidGrantType.new('user does not support password authentication') unless resource.respond_to?(:valid_password?) valid = resource.valid_for_authentication? { resource.valid_password?(req.password) } diff --git a/spec/rails_app/app/models/user.rb b/spec/rails_app/app/models/user.rb index 3ef27a4..dd196ed 100644 
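Review bot: The new loop reads `req.env["rack.request.form_hash"]`, which Rack only populates after it has parsed a form-encoded body, so a request whose credentials arrive another way (query string, JSON body) turns `[key.to_s]` into a call on `nil` and raises `NoMethodError` instead of the `InvalidGrantType` the rest of the branch raises; `req.params[key.to_s]` is the safer lookup if `req` is the `Rack::Request` subclass it appears to be. A key the client simply omits is stored as `nil`, and ActiveRecord's hash conditions turn `nil` into `IS NULL`, so an extra authentication key ends up satisfied by any row whose column is NULL rather than being required — guard it before the lookup, e.g. `raise InvalidGrantType.new('missing authentication key') if conditions.values.any?(&:nil?)`. The same lines survive as context in patch 04's hunk (L6). The enclosing method (shown as `find_refresh_token` in the hunk header) starts and ends outside the hunk.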
--- a/spec/rails_app/app/models/user.rb +++ b/spec/rails_app/app/models/user.rb @@ -1,3 +1,13 @@ class User < ActiveRecord::Base devise :database_authenticatable, :oauth2_providable + + + def self.find_for_authentication(conditions) + user = find(:first, :readonly => false, :conditions => conditions) + return user + end + + def self.add_authentication_keys + devise :authentication_keys => [:email, :pet] + end end diff --git a/spec/rails_app/db/migrate/20110523015635_add_pet_column_to_users.rb b/spec/rails_app/db/migrate/20110523015635_add_pet_column_to_users.rb new file mode 100644 index 0000000..1f1f061 --- /dev/null +++ b/spec/rails_app/db/migrate/20110523015635_add_pet_column_to_users.rb @@ -0,0 +1,9 @@ +class AddPetColumnToUsers < ActiveRecord::Migration + def self.up + add_column :users, :pet, :string + end + + def self.down + remove_column :users, :pet + end +end diff --git a/spec/rails_app/db/schema.rb b/spec/rails_app/db/schema.rb index a07e196..da021f1 100644 --- a/spec/rails_app/db/schema.rb +++ b/spec/rails_app/db/schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20110511210926) do +ActiveRecord::Schema.define(:version => 20110523015635) do create_table "access_tokens", :force => true do |t| t.integer "user_id" @@ -74,6 +74,7 @@ t.string "name" t.datetime "created_at" t.datetime "updated_at" + t.string "pet" end end diff --git a/spec/rails_app/spec/integration/token_endpoint_spec.rb b/spec/rails_app/spec/integration/token_endpoint_spec.rb index 8bce30f..253cbaa 100644 --- a/spec/rails_app/spec/integration/token_endpoint_spec.rb +++ b/spec/rails_app/spec/integration/token_endpoint_spec.rb 
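Review bot: `add_authentication_keys` re-runs `devise :authentication_keys => [:email, :pet]` on the class at runtime, so once the spec context added in patch 03 (hunk ending on L6) calls it, every later example in the same process should see `:pet` as a required key and the suite's outcome depends on example order. If the helper stays, pair it with a reset such as `def self.reset_authentication_keys; devise :authentication_keys => [:email]; end` and call that from an `after` block in the spec. The hand-written `find_for_authentication` also replaces Devise's own lookup for this fixture model, which deserves a one-line comment saying it is deliberate, and the explicit `return user` can be dropped in favour of returning `find(:first, :readonly => false, :conditions => conditions)` directly.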
@@ -33,7 +33,7 @@ describe 'password grant type' do context 'with valid params' do before do - @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test' + @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test', :pet => "bailey" @client = Client.create! :name => 'example', :redirect_uri => 'http://localhost', :website => 'http://localhost' params = { 
@@ -80,7 +80,62 @@ :error_description => "The provided access grant is invalid, expired, or revoked (e.g. invalid assertion, expired authorization token, bad end-user password credentials, or mismatching authorization code and redirection URI).", :error => "invalid_grant" } - response.body.should == expected.to_json + JSON.parse(response.body).should == JSON.parse(expected.to_json) + end + end + context 'with extra params for authentication_keys' do + before do + @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test', :pet => 'fluffy' + User.add_authentication_keys + @client = Client.create! :name => 'example', :redirect_uri => 'http://localhost', :website => 'http://localhost' + + params = { + :grant_type => 'password', + :client_id => @client.identifier, + :client_secret => @client.secret, + :username => @user.email, + :password => 'test', + :pet => 'fluffy' + } + + post '/oauth2/token', params + end + it { response.code.to_i.should == 200 } + it 'returns json' do + token = AccessToken.last + refresh_token = RefreshToken.last + expected = { + :token_type => 'bearer', + :expires_in => 899, + :refresh_token => refresh_token.token, + :access_token => token.token + } + JSON.parse(response.body).should == JSON.parse(expected.to_json) + end + end + context 'with invalid params for authentication_keys' do + before do + @user = User.create! :email => 'ryan@socialcast.com', :name => 'ryan sonnek', :password => 'test', :pet => 'fluffy' + @client = Client.create! 
:name => 'example', :redirect_uri => 'http://localhost', :website => 'http://localhost' + + params = { + :grant_type => 'password', + :client_id => @client.identifier, + :client_secret => @client.secret, + :username => @user.email, + :password => 'bar', + :pet => 'cotton tail' + } + + post '/oauth2/token', params + end + it { response.code.to_i.should == 400 } + it 'returns json' do + expected = { + :error_description => "The provided access grant is invalid, expired, or revoked (e.g. invalid assertion, expired authorization token, bad end-user password credentials, or mismatching authorization code and redirection URI).", + :error => "invalid_grant" + } + JSON.parse(response.body).should == JSON.parse(expected.to_json) end end end From 6e174088b8e660a1fe618ba6fbcc9f186b87fdf6 Mon Sep 17 00:00:00 2001 From: Eric Krause Date: Mon, 23 May 2011 13:26:52 -0400 Subject: [PATCH 04/16] mapping the first authentication_key to username. So now it's not tied only to email which would fail for non-email conditions. --- lib/token_endpoint.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/token_endpoint.rb b/lib/token_endpoint.rb index ce061cd..a45c30b 100644 --- a/lib/token_endpoint.rb +++ b/lib/token_endpoint.rb @@ -37,7 +37,7 @@ def find_refresh_token(req, client) mapping.to.authentication_keys.each do |key| conditions[key] = req.env["rack.request.form_hash"][key.to_s] end - conditions[:email] = req.username + conditions[mapping.to.authentication_keys.first] = req.username resource = mapping.to.find_for_authentication(conditions) raise InvalidGrantType.new('user not found') unless resource raise InvalidGrantType.new('user does not support password authentication') unless resource.respond_to?(:valid_password?) From e8f7f64741355d73e1c884d4fb0b3a85bb965603 Mon Sep 17 00:00:00 2001 
From: David Palm Date: Fri, 29 Jul 2011 13:19:43 +0200 Subject: [PATCH 05/16] Allowing use with rails 3.1 --- devise_oauth2_providable.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_oauth2_providable.gemspec b/devise_oauth2_providable.gemspec index 2a38e0e..d346d10 100644 --- a/devise_oauth2_providable.gemspec +++ b/devise_oauth2_providable.gemspec @@ -14,7 +14,7 @@ Gem::Specification.new do |s| s.rubyforge_project = "devise_oauth2_providable" - s.add_runtime_dependency(%q, ["~> 3.0.7"]) + s.add_runtime_dependency(%q, ["=> 3.0.7"]) s.add_runtime_dependency(%q, ["~> 1.3.3"]) s.add_runtime_dependency(%q, ["~> 0.6.3"]) s.add_development_dependency(%q, ['>= 2.5.0']) From 918d72edf324f2b26d0dfcca641ce97f758782ce Mon Sep 17 00:00:00 2001 From: David Palm Date: Fri, 29 Jul 2011 13:22:03 +0200 Subject: [PATCH 06/16] typo --- devise_oauth2_providable.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_oauth2_providable.gemspec b/devise_oauth2_providable.gemspec index d346d10..26a72a2 100644 --- a/devise_oauth2_providable.gemspec +++ b/devise_oauth2_providable.gemspec @@ -14,7 +14,7 @@ Gem::Specification.new do |s| s.rubyforge_project = "devise_oauth2_providable" - s.add_runtime_dependency(%q, ["=> 3.0.7"]) + s.add_runtime_dependency(%q, [">= 3.0.7"]) s.add_runtime_dependency(%q, ["~> 1.3.3"]) s.add_runtime_dependency(%q, ["~> 0.6.3"]) s.add_development_dependency(%q, ['>= 2.5.0']) From 09d8e9d0861aa99aa22e51b424bebe0f2a25a515 Mon Sep 17 00:00:00 2001 From: David Palm Date: Fri, 29 Jul 2011 13:23:15 +0200 Subject: [PATCH 07/16] Even more liberal on dependencies --- devise_oauth2_providable.gemspec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devise_oauth2_providable.gemspec b/devise_oauth2_providable.gemspec index 26a72a2..2ee3aa4 100644 --- a/devise_oauth2_providable.gemspec +++ b/devise_oauth2_providable.gemspec 
@@ -15,8 +15,8 @@ Gem::Specification.new do |s| s.rubyforge_project = "devise_oauth2_providable" s.add_runtime_dependency(%q, [">= 3.0.7"]) - s.add_runtime_dependency(%q, ["~> 1.3.3"]) - s.add_runtime_dependency(%q, ["~> 0.6.3"]) + s.add_runtime_dependency(%q, [">= 1.3.3"]) + s.add_runtime_dependency(%q, [">= 0.6.3"]) s.add_development_dependency(%q, ['>= 2.5.0']) s.files = `git ls-files`.split("\n") From 50ae16703a40d25479786c1b2327051ff19570c3 Mon Sep 17 00:00:00 2001 From: David Palm Date: Wed, 17 Aug 2011 12:57:23 +0200 Subject: [PATCH 08/16] ActiveSupport::SecureRandom --> SecureRandom to remove deprec warnings --- lib/devise_oauth2_providable.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise_oauth2_providable.rb b/lib/devise_oauth2_providable.rb index f946614..a3cb2a9 100644 --- a/lib/devise_oauth2_providable.rb +++ b/lib/devise_oauth2_providable.rb @@ -9,7 +9,7 @@ module Devise module Oauth2Providable class << self def random_id - ActiveSupport::SecureRandom.hex + SecureRandom.hex end end end From 2fcf6e8df08c73bba91514a0aefe4a5ef097cb9a Mon Sep 17 00:00:00 2001 From: Duncan Beevers Date: Fri, 6 Apr 2012 14:33:57 -0500 Subject: [PATCH 09/16] Engine controllers descend from common base class --- .../devise/oauth2_providable/authorizations_controller.rb | 2 +- app/controllers/devise/oauth2_providable/base_controller.rb | 2 ++ app/controllers/devise/oauth2_providable/tokens_controller.rb | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 app/controllers/devise/oauth2_providable/base_controller.rb diff --git a/app/controllers/devise/oauth2_providable/authorizations_controller.rb b/app/controllers/devise/oauth2_providable/authorizations_controller.rb index 72c39cb..f798afc 100644 --- a/app/controllers/devise/oauth2_providable/authorizations_controller.rb +++ b/app/controllers/devise/oauth2_providable/authorizations_controller.rb 
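Review bot: Switching the two runtime dependencies from `~>` to `>=` leaves them with no upper bound, so any future major release of those libraries satisfies the gemspec; the gem names are lost in this rendering of the patch, but the constraint shape is the point. A pair of bounds that still admits newer minors, e.g. `[">= 1.3.3", "< 2"]`, keeps the intent of the series without accepting unreviewed majors for an authentication gem. Patch 15's hunk on L13 does the same for a further runtime dependency and for the development dependencies.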
@@ -1,6 +1,6 @@ module Devise module Oauth2Providable - class AuthorizationsController < ApplicationController + class AuthorizationsController < Devise::Oauth2Providable::BaseController before_filter :authenticate_user! rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e| diff --git a/app/controllers/devise/oauth2_providable/base_controller.rb b/app/controllers/devise/oauth2_providable/base_controller.rb new file mode 100644 index 0000000..1f664b5 --- /dev/null +++ b/app/controllers/devise/oauth2_providable/base_controller.rb @@ -0,0 +1,2 @@ +class Devise::Oauth2Providable::BaseController < ApplicationController +end diff --git a/app/controllers/devise/oauth2_providable/tokens_controller.rb b/app/controllers/devise/oauth2_providable/tokens_controller.rb index 55b003e..934efbc 100644 --- a/app/controllers/devise/oauth2_providable/tokens_controller.rb +++ b/app/controllers/devise/oauth2_providable/tokens_controller.rb @@ -1,4 +1,4 @@ -class Devise::Oauth2Providable::TokensController < ApplicationController +class Devise::Oauth2Providable::TokensController < Devise::Oauth2Providable::BaseController before_filter :authenticate_user! skip_before_filter :verify_authenticity_token, :only => :create From 54a96f0eb60c4e808700e470f6bf8195833b74f1 Mon Sep 17 00:00:00 2001 From: Duncan Beevers Date: Fri, 6 Apr 2012 14:37:13 -0500 Subject: [PATCH 10/16] Consolidate :authenticate_user! before_filter --- .../devise/oauth2_providable/authorizations_controller.rb | 2 -- app/controllers/devise/oauth2_providable/base_controller.rb | 1 + app/controllers/devise/oauth2_providable/tokens_controller.rb | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/app/controllers/devise/oauth2_providable/authorizations_controller.rb b/app/controllers/devise/oauth2_providable/authorizations_controller.rb index f798afc..2c6cdec 100644 --- a/app/controllers/devise/oauth2_providable/authorizations_controller.rb 
+++ b/app/controllers/devise/oauth2_providable/authorizations_controller.rb @@ -1,8 +1,6 @@ module Devise module Oauth2Providable class AuthorizationsController < Devise::Oauth2Providable::BaseController - before_filter :authenticate_user! - rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e| @error = e render :error, :status => e.status diff --git a/app/controllers/devise/oauth2_providable/base_controller.rb b/app/controllers/devise/oauth2_providable/base_controller.rb index 1f664b5..d38ee85 100644 --- a/app/controllers/devise/oauth2_providable/base_controller.rb +++ b/app/controllers/devise/oauth2_providable/base_controller.rb @@ -1,2 +1,3 @@ class Devise::Oauth2Providable::BaseController < ApplicationController + before_filter :authenticate_user! end diff --git a/app/controllers/devise/oauth2_providable/tokens_controller.rb b/app/controllers/devise/oauth2_providable/tokens_controller.rb index 934efbc..a4cc3ed 100644 --- a/app/controllers/devise/oauth2_providable/tokens_controller.rb +++ b/app/controllers/devise/oauth2_providable/tokens_controller.rb @@ -1,5 +1,4 @@ class Devise::Oauth2Providable::TokensController < Devise::Oauth2Providable::BaseController - before_filter :authenticate_user! skip_before_filter :verify_authenticity_token, :only => :create def create From 50c0c437f244d209b042642043dd9cd7298eda88 Mon Sep 17 00:00:00 2001 From: Duncan Beevers Date: Tue, 22 May 2012 15:02:15 -0500 Subject: [PATCH 11/16] No isolate_namespace --- lib/devise/oauth2_providable/engine.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/devise/oauth2_providable/engine.rb b/lib/devise/oauth2_providable/engine.rb index 0869344..4f170d5 100644 --- a/lib/devise/oauth2_providable/engine.rb +++ b/lib/devise/oauth2_providable/engine.rb 
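Review bot: The `before_filter :authenticate_user!` moved into `BaseController` is now the only authentication gate for every engine controller, including any subclass, and nothing at the declaration says so; a reader of `TokensController` no longer sees why an unauthenticated POST to the token endpoint is rejected. A comment on the new line, `# Single authentication gate for all engine controllers (and their subclasses); do not skip this filter in subclasses`, keeps that visible. It also appears from the strategy `valid?` check in patch 12 that this call is what drives the grant-type Warden strategies for `TokensController` — worth confirming and stating in the same comment.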
@@ -7,7 +7,6 @@ class Engine < Rails::Engine config.devise_oauth2_providable.authorization_code_expires_in = 1.minute engine_name 'oauth2' - isolate_namespace Devise::Oauth2Providable initializer "devise_oauth2_providable.initialize_application", :before=> :load_config_initializers do |app| app.config.filter_parameters << :client_secret end From a1c37415bc0ee3da1591e4e942b708cf9b007e35 Mon Sep 17 00:00:00 2001 From: Duncan Beevers Date: Wed, 23 May 2012 22:44:38 -0500 Subject: [PATCH 12/16] TokensController can be subclassed --- .../oauth2_providable/strategies/oauth2_grant_type_strategy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb b/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb index 5b31afe..b45aca3 100644 --- a/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb +++ b/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb @@ -4,7 +4,7 @@ module Devise module Strategies class Oauth2GrantTypeStrategy < Authenticatable def valid? - params[:controller] == 'devise/oauth2_providable/tokens' && request.post? && params[:grant_type] == grant_type + env['action_controller.instance'].kind_of?(Devise::Oauth2Providable::TokensController) && request.post? && params[:grant_type] == grant_type end # defined by subclass From 0c113ced0992214b348953b821f30fec6458843e Mon Sep 17 00:00:00 2001 From: Duncan Beevers Date: Wed, 23 May 2012 22:44:38 -0500 Subject: [PATCH 13/16] TokensController can be subclassed --- .../oauth2_providable/strategies/oauth2_grant_type_strategy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb b/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb index 5b31afe..b45aca3 100644 --- a/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb 
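Review bot: Patch 13 (hunk on L12) is a duplicate of this commit — same subject, same author date and the same blob ids `5b31afe..b45aca3` — so the second one cannot apply on top of the first; it should be dropped from the series. On the changed line itself, `env['action_controller.instance']` can be `nil` when the strategy runs outside a controller dispatch, and `nil.kind_of?(...)` is simply false, so the guard degrades safely, but that reliance deserves a short comment, e.g. `# nil outside a controller dispatch, which makes the strategy invalid there`. Style-wise `is_a?` is the preferred spelling of `kind_of?`.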
+++ b/lib/devise/oauth2_providable/strategies/oauth2_grant_type_strategy.rb @@ -4,7 +4,7 @@ module Devise module Strategies class Oauth2GrantTypeStrategy < Authenticatable def valid? - params[:controller] == 'devise/oauth2_providable/tokens' && request.post? && params[:grant_type] == grant_type + env['action_controller.instance'].kind_of?(Devise::Oauth2Providable::TokensController) && request.post? && params[:grant_type] == grant_type end # defined by subclass From 6438cd87d170d8f4ad50fcdc7a5490e035498e46 Mon Sep 17 00:00:00 2001 From: David Palm Date: Mon, 23 Jul 2012 11:34:10 +0200 Subject: [PATCH 14/16] Don't load deleted rake tasks --- Rakefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Rakefile b/Rakefile index 240f5c0..136f689 100644 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,6 @@ require "bundler/gem_tasks" APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__) -load 'rails/tasks/engine.rake' require 'rspec/core/rake_task' RSpec::Core::RakeTask.new('spec') From cc31b2dc696e21460b920c37d4eda38cab6ce9a4 Mon Sep 17 00:00:00 2001 From: David Palm Date: Mon, 23 Jul 2012 11:41:25 +0200 Subject: [PATCH 15/16] Don't be anal about development gem dependencies --- devise_oauth2_providable.gemspec | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/devise_oauth2_providable.gemspec b/devise_oauth2_providable.gemspec index 74b6a2c..02472fe 100644 --- a/devise_oauth2_providable.gemspec +++ b/devise_oauth2_providable.gemspec 
@@ -16,13 +16,13 @@ Gem::Specification.new do |s| s.add_runtime_dependency(%q, [">= 3.1.0"]) s.add_runtime_dependency(%q, [">= 1.4.3"]) - s.add_runtime_dependency(%q, ["~> 0.11.0"]) - s.add_development_dependency(%q, ['2.6.1']) + s.add_runtime_dependency(%q, [">= 0.11.0"]) + s.add_development_dependency(%q, ['>=2.6.1']) s.add_development_dependency(%q, ['1.3.5']) - s.add_development_dependency(%q, ['1.0.0.beta3']) - s.add_development_dependency(%q, ['0.9.6.2']) - s.add_development_dependency(%q, ['2.2.0']) - s.add_development_dependency(%q, ['0.0.1']) + s.add_development_dependency(%q, ['>=1.0.0.beta3']) + s.add_development_dependency(%q, ['>=0.9.6.2']) + s.add_development_dependency(%q, ['>=2.2.0']) + s.add_development_dependency(%q, ['>=0.0.1']) s.add_development_dependency(%q, ['0.9.2.2']) s.files = `git ls-files`.split("\n") From 770c59ba4ef5e42a8781a87cf548fa803e8da99d Mon Sep 17 00:00:00 2001 From: David Palm Date: Mon, 23 Jul 2012 11:41:47 +0200 Subject: [PATCH 16/16] Pass along the "state" param as asked for in the IETF draft: http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-10.12 (see http://homakov.blogspot.it/2012/07/saferweb-most-common-oauth2.html for more details) --- .../devise/oauth2_providable/authorizations_controller.rb | 1 + .../devise/oauth2_providable/authorizations/_form.html.erb | 1 + .../devise/oauth2_providable/authorizations/new.html.erb | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise/oauth2_providable/authorizations_controller.rb b/app/controllers/devise/oauth2_providable/authorizations_controller.rb index 2c6cdec..6502fa6 100644 --- a/app/controllers/devise/oauth2_providable/authorizations_controller.rb +++ b/app/controllers/devise/oauth2_providable/authorizations_controller.rb 
@@ -30,6 +30,7 @@ def respond(status, header, response) def authorize_endpoint(allow_approval = false) Rack::OAuth2::Server::Authorize.new do |req, res| @client = Client.find_by_identifier(req.client_id) || req.bad_request! + @state = req.state res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@client.redirect_uri) if allow_approval if params[:approve].present? diff --git a/app/views/devise/oauth2_providable/authorizations/_form.html.erb b/app/views/devise/oauth2_providable/authorizations/_form.html.erb index 57bfee6..77c89b5 100644 --- a/app/views/devise/oauth2_providable/authorizations/_form.html.erb +++ b/app/views/devise/oauth2_providable/authorizations/_form.html.erb @@ -2,6 +2,7 @@ <%= hidden_field_tag :client_id, client.identifier %> <%= hidden_field_tag :response_type, response_type %> <%= hidden_field_tag :redirect_uri, redirect_uri %> + <%= hidden_field_tag :state, state %> <%= submit_tag action.to_s.capitalize %> <%= hidden_field_tag action, true %> <% end %> diff --git a/app/views/devise/oauth2_providable/authorizations/new.html.erb b/app/views/devise/oauth2_providable/authorizations/new.html.erb index f1f2ae5..952ee85 100644 --- a/app/views/devise/oauth2_providable/authorizations/new.html.erb +++ b/app/views/devise/oauth2_providable/authorizations/new.html.erb @@ -1,4 +1,4 @@
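Review bot: `@state = req.state` captures the client's value without a note on what it is for, and since the whole point of the commit is CSRF binding of the authorization response, the reason belongs next to the line: `# echo the client's state back unchanged in the redirect (draft-ietf-oauth-v2-27 §10.12); never generate or alter it here`. Whether the rack-oauth2 response copies `req.state` onto the redirect automatically is not visible in this hunk; a spec asserting the `state` query parameter on the approve redirect would pin it down. `authorize_endpoint` continues outside the hunk.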
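Review bot: The new `hidden_field_tag :state, state` submits `state=` with an empty value whenever the client sent no state, and that empty string then rides back through the approve/deny POST into the redirect; rendering it conditionally, `<%= hidden_field_tag :state, state if state.present? %>`, keeps the form identical to the old behaviour for clients that do not use state. `hidden_field_tag` HTML-escapes the value, so reflecting the client-supplied string here is otherwise fine.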

<%= link_to @client.name, @client.website %> is requesting permission to access your resources.

-<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %> -<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %> +<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :state => @state, :action => :approve %> +<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :state => @state, :action => :deny %>