Class: HenshinBelt::Oauth2

Inherits:

Grape::Middleware::Base

• Object
• Grape::Middleware::Base
• HenshinBelt::Oauth2

Defined in:

lib/henshin_belt/oauth2.rb

Instance Attribute Summary

• #auth_strategy ⇒ Object readonly

  Returns the value of attribute auth_strategy.

Instance Method Summary

• #access_scopes(access) ⇒ Object
• #args ⇒ Object
• #authorize! ⇒ Object
• #before ⇒ Object

  Grape middleware methods.

• #context ⇒ Object
• #endpoint_protected? ⇒ Boolean

  Authorization control.

• #is_args_include_validate? ⇒ Boolean
• #request ⇒ Object
• #scope_authorize!(access) ⇒ Object
• #scopes ⇒ Object
• #sync_scopes_from(resource, to:) ⇒ Object
• #the_request=(env) ⇒ Object
• #token ⇒ Object
• #token_optional? ⇒ Boolean
• #token_required? ⇒ Boolean

Instance Attribute Details

#auth_strategy ⇒ Object (readonly)

Returns the value of attribute auth_strategy.

# File 'lib/henshin_belt/oauth2.rb', line 7

def auth_strategy
  @auth_strategy
end

Instance Method Details

#access_scopes(access) ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 59

def access_scopes(access)
  if HenshinBelt.is_custom_scopes
    access.scopes.map!(&:to_sym) rescue []
  else
    access.scopes.all[0].split(',').map!(&:to_sym) rescue []
  end
end

#args ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 43

def args
  results = {}
  auth_strategy.auth_scopes.map { |s| (results = results.merge(s)) if s.is_a?(Hash) }
  results
end

#authorize! ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 90

def authorize!
  access = Doorkeeper::AccessToken.find_by(token: token)
  if access.present?
    if access.expired?
      raise HenshinBelt::Errors::ExpiredToken
    end
    if access.revoked?
      raise HenshinBelt::Errors::InvalidToken
    end
  else
    raise HenshinBelt::Errors::InvalidToken
  end
  # rubocop:disable Security/Eval
  resource = eval(HenshinBelt.resources).where(id: access.resource_owner_id).last rescue nil
  # rubocop:enable Security/Eval

  sync_scopes_from(resource, to: access)
  if HenshinBelt.is_custom_scopes
    scope_authorize! resource
  else
    scope_authorize! access
  end
  {
    token:               access.token,
    resource_owner:      resource,
    resource_credential: {
      access_token:  access.token,
      scopes:        access_scopes(access),
      token_type:    'bearer',
      expires_in:    access.expires_in,
      refresh_token: access.refresh_token,
      created_at:    access.created_at.to_i
    }
  }
end

#before ⇒ Object

Grape middleware methods

# File 'lib/henshin_belt/oauth2.rb', line 130

def before
  set_auth_strategy(HenshinBelt.auth_strategy)
  auth_strategy.api_context = context
  context.extend(HenshinBelt::AuthMethods)
  context.protected_endpoint = endpoint_protected?

  return unless context.protected_endpoint?

  self.the_request = env
  if token_optional? && context.protected_endpoint?
    context.resource_token       = nil
    context.resource_owner       = nil
    context.resource_credentials = nil
    response = authorize! rescue nil
    if response.present?
      context.resource_owner = response[:resource_owner] rescue nil
      context.resource_credentials = nil
    end
  elsif token.present? && token_required? && context.protected_endpoint?
    response               = authorize!
    context.resource_token = response[:token]
    context.resource_owner = response[:resource_owner] rescue nil
    context.me = response[:resource_owner] rescue nil
    context.resource_credentials = response[:resource_credential] rescue nil
  elsif context.resource_owner.nil? && context.protected_endpoint?
    raise HenshinBelt::Errors::InvalidToken
  else
    raise HenshinBelt::Errors::InvalidToken
  end
end

#context ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 9

def context
  env['api.endpoint']
end

#endpoint_protected? ⇒ Boolean

Authorization control.

Returns:

• (Boolean)

# File 'lib/henshin_belt/oauth2.rb', line 39

def endpoint_protected?
  auth_strategy.endpoint_protected?
end

#is_args_include_validate? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/henshin_belt/oauth2.rb', line 67

def is_args_include_validate?
  if args.key?(:validate) && ![true, false].include?(args[:validate])
    raise HenshinBelt::Errors::InvalidScope.new("Not valid scope '#{args[:validate]}' in `oauth2 scope`")
  end
  args.key?(:validate)
end

#request ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 17

def request
  @_the_request
end

#scope_authorize!(access) ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 74

def scope_authorize!(access)
  if scopes.present? && access
    unless (scopes & (access_scopes access)).present?
      raise HenshinBelt::Errors::InvalidScope.new('OAuth Scope is disallowed')
    end
  end
end

#scopes ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 53

def scopes
  results = []
  auth_strategy.auth_scopes.map { |s| (results << s) unless s.is_a?(Hash) }
  results.map!(&:to_sym)
end

#sync_scopes_from(resource, to:) ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 49

def sync_scopes_from(resource, to:)
  to.update(scopes: resource.scopes.join(',')) rescue nil
end

#the_request=(env) ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 13

def the_request=(env)
  @_the_request = ActionDispatch::Request.new(env)
end

#token ⇒ Object

# File 'lib/henshin_belt/oauth2.rb', line 21

def token
  if request.headers['Authorization'].present?
    if request.headers['Authorization'].include?('bearer')
      token = request.headers['Authorization'].try('split', 'bearer').try(:last).try(:strip)
    elsif request.headers['Authorization'].include?('Bearer')
      token = request.headers['Authorization'].try('split', 'Bearer').try(:last).try(:strip)
    else
      token = request.headers['Authorization']
    end
  else
    token = request.parameters['access_token']
  end
  token
end

#token_optional? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/henshin_belt/oauth2.rb', line 82

def token_optional?
  is_args_include_validate? && [true, false].include?(args[:validate]) && args[:validate].eql?(false)
end

#token_required? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/henshin_belt/oauth2.rb', line 86

def token_required?
  is_args_include_validate? && [true, false].include?(args[:validate]) && args[:validate].eql?(true) || is_args_include_validate?.blank?
end