Do not allow the user arg to Provider.access_token() to be nil. If yo…

…u want implicit user lookup, pass :implicit as the user. This prevents accidental authorization in cases where the application developer does not check the result of their User.find() calls.
inside-track · Aug 1, 2013 · 9276509 · 9276509
1 parent 7775e63
commit 9276509
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 6 deletions.
diff --git a/README.rdoc b/README.rdoc
@@ -362,10 +362,10 @@ determine whether to serve the request or not.
 
 It is also common to provide a dynamic resource for getting some basic data
 about a user by supplying their access token. This can be done by passing
-<tt>nil</tt> as the resource owner:
+<tt>:implicit</tt> as the resource owner:
 
   get '/me' do
-    token = Songkick::OAuth2::Provider.access_token(nil, [], env)
+    token = Songkick::OAuth2::Provider.access_token(:implicit, [], env)
     if token.valid?
       JSON.unparse('username' => token.owner.username)
     else

diff --git a/example/application.rb b/example/application.rb
@@ -105,7 +105,7 @@
 # Domain API
 
 get '/me' do
-  authorization = Songkick::OAuth2::Provider.access_token(nil, [], env)
+  authorization = Songkick::OAuth2::Provider.access_token(:implicit, [], env)
   headers authorization.response_headers
   status  authorization.response_status
 

diff --git a/lib/songkick/oauth2/provider/access_token.rb b/lib/songkick/oauth2/provider/access_token.rb
@@ -56,8 +56,13 @@ def validate!
           return @error = EXPIRED_TOKEN      if @authorization.expired?
           return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
 
-          if @resource_owner and @authorization.owner != @resource_owner
-            @error = INSUFFICIENT_SCOPE
+          case @resource_owner
+          when :implicit
+            # no error
+          when nil
+            @error = INVALID_TOKEN
+          else
+            @error = INSUFFICIENT_SCOPE if @authorization.owner != @resource_owner
           end
         end
       end

diff --git a/spec/songkick/oauth2/provider/access_token_spec.rb b/spec/songkick/oauth2/provider/access_token_spec.rb
@@ -52,11 +52,23 @@
     it_should_behave_like "valid token"
   end
 
+  describe "with an implicit user" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(:implicit, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+
   describe "with no user" do
     let :token do
       Songkick::OAuth2::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
     end
-    it_should_behave_like "valid token"
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
+      token.response_status.should == 401
+    end
   end
 
   describe "with less scope than was granted" do