All grants ready

This commit is contained in:
Tobe O 2017-10-16 02:38:46 -04:00
parent 27770c1a69
commit 257d3ce316
14 changed files with 733 additions and 113 deletions

View file

@ -1,4 +1,4 @@
# auth_oauth2
# oauth2
A class containing handlers that can be used within
[Angel](https://angel-dart.github.io/) to build a spec-compliant
OAuth 2.0 server.
@ -21,7 +21,7 @@ Define a server class as such:
```dart
import 'package:angel_oauth2/angel_oauth2.dart' as oauth2;
class MyServer extends oauth2.Server<Client, User> {}
class MyServer extends oauth2.AuthorizationServer<Client, User> {}
```
Then, implement the `findClient` and `verifyClient` to ensure that the
@ -29,7 +29,7 @@ server class can not only identify a client application via a `client_id`,
but that it can also verify its identity via a `client_secret`.
```dart
class _Server extends Server<PseudoApplication, Map> {
class _Server extends AuthorizationServer<PseudoApplication, Map> {
final Uuid _uuid = new Uuid();
@override
@ -50,7 +50,7 @@ authorization endpoint. In most cases, you will want to show a dialog:
```dart
@override
Future authorize(
Future requestAuthorizationCode(
PseudoApplication client,
String redirectUri,
Iterable<String> scopes,
@ -87,4 +87,15 @@ void pseudoCode() {
}
```
Naturally,
The `authorizationEndpoint` and `tokenEndpoint` handle all OAuth2 grant types.
## Other Grants
By default, all OAuth2 grant methods will throw a `405 Method Not Allowed` error.
To support any specific grant type, all you need to do is implement the method.
The following are available, not including authorization code grant support (mentioned above):
* `implicitGrant`
* `resourceOwnerPasswordCredentialsGrant`
* `clientCredentialsGrant`
Read the [OAuth2 specification](https://tools.ietf.org/html/rfc6749)
for in-depth information on each grant type.

View file

@ -1,3 +1,4 @@
export 'src/exception.dart';
export 'src/response.dart';
export 'src/server.dart';
export 'src/token_type.dart';

View file

@ -1,2 +0,0 @@
library auth_oauth2_server.src.auth_code;

View file

@ -1,36 +1,62 @@
import 'package:angel_http_exception/angel_http_exception.dart';
/// An Angel-friendly wrapper around OAuth2 [ErrorResponse] instances.
class AuthorizationException extends AngelHttpException {
final ErrorResponse errorResponse;
AuthorizationException(this.errorResponse,
{StackTrace stackTrace, int statusCode})
: super(errorResponse,
{StackTrace stackTrace, int statusCode, error})
: super(error ?? errorResponse,
stackTrace: stackTrace, message: '', statusCode: statusCode ?? 401);
@override
Map toJson() {
var m = {
'error': errorResponse.code,
'error_description': errorResponse.description,
};
if (errorResponse.uri != null)
m['error_uri'] = errorResponse.uri.toString();
return m;
}
}
/// Represents an OAuth2 authentication error.
class ErrorResponse {
final String code, description;
/// The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
static const String invalidRequest = 'invalid_request';
// Taken from https://www.docusign.com/p/RESTAPIGuide/Content/OAuth2/OAuth2%20Response%20Codes.htm
// TODO: Use original error messages
static const ErrorResponse invalidRequest = const ErrorResponse(
'invalid_request',
'The request was malformed, or contains unsupported parameters.'),
invalidClient = const ErrorResponse(
'invalid_client', 'The client authentication failed.'),
invalidGrant = const ErrorResponse(
'invalid_grant', 'The provided authorization is invalid.'),
unauthorizedClient = const ErrorResponse('unauthorized_client',
'The client application is not allowed to use this grant_type.'),
unauthorizedGrantType = const ErrorResponse('unsupported_grant_type',
'A grant_type other than “password” was used in the request.'),
invalidScope = const ErrorResponse(
'invalid_scope', 'One or more of the scopes you provided was invalid.'),
unsupportedTokenType = const ErrorResponse('unsupported_token_type',
'The client tried to revoke an access token on a server not supporting this feature.'),
invalidToken = const ErrorResponse(
'invalid_token', 'The presented token is invalid.');
/// The client is not authorized to request an authorization code using this method.
static const String unauthorizedClient = 'unauthorized_client';
const ErrorResponse(this.code, this.description);
/// The resource owner or authorization server denied the request.
static const String accessDenied = 'access_denied';
/// The authorization server does not support obtaining an authorization code using this method.
static const String unsupportedResponseType = 'unsupported_response_type';
/// The requested scope is invalid, unknown, or malformed.
static const String invalidScope = 'invalid_scope';
/// The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
static const String serverError = 'server_error';
/// The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
static const String temporarilyUnavailable = 'temporarily_unavailable';
/// A short string representing the error.
final String code;
/// A relatively detailed description of the source of the error.
final String description;
/// An optional [Uri] directing users to more information about the error.
final Uri uri;
/// The exact value received from the client, if a "state" parameter was present in the client authorization request.
final String state;
const ErrorResponse(this.code, this.description, this.state, {this.uri});
}

View file

@ -1,12 +1,25 @@
class AuthorizationCodeResponse {
/// Represents an OAuth2 authorization token.
class AuthorizationTokenResponse {
/// The string that third parties should use to act on behalf of the user in question.
final String accessToken;
/// An optional key that can be used to refresh the [accessToken] past its expiration.
final String refreshToken;
const AuthorizationCodeResponse(this.accessToken, {this.refreshToken});
/// An optional, but recommended integer that signifies the time left until the [accessToken] expires.
final int expiresIn;
Map<String, String> toJson() {
var map = <String, String> {'access_token': accessToken};
/// Optional, if identical to the scope requested by the client; otherwise, required.
final Iterable<String> scope;
const AuthorizationTokenResponse(this.accessToken,
{this.refreshToken, this.expiresIn, this.scope});
Map<String, dynamic> toJson() {
var map = <String, dynamic>{'access_token': accessToken};
if (refreshToken?.isNotEmpty == true) map['refresh_token'] = refreshToken;
if (expiresIn != null) map['expires_in'] = expiresIn;
if (scope != null) map['scope'] = scope.toList();
return map;
}
}

View file

@ -1,16 +1,29 @@
import 'dart:async';
import 'dart:convert';
import 'package:angel_framework/angel_framework.dart';
import 'exception.dart';
import 'response.dart';
import 'token_type.dart';
String _getParam(RequestContext req, String name, {bool body: false}) {
/// A request handler that performs an arbitrary authorization token grant.
typedef Future<AuthorizationTokenResponse> ExtensionGrant(
RequestContext req, ResponseContext res);
String _getParam(RequestContext req, String name, String state,
{bool body: false}) {
var map = body == true ? req.body : req.query;
var value = map.containsKey(name) ? map[name]?.toString() : null;
if (value?.isNotEmpty != true)
throw new AngelHttpException.badRequest(
message: "Missing required parameter '$name'.");
if (value?.isNotEmpty != true) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.invalidRequest,
'Missing required parameter "$name".',
state,
),
statusCode: 400,
);
}
return value;
}
@ -20,100 +33,366 @@ Iterable<String> _getScopes(RequestContext req, {bool body: false}) {
return map['scope']?.toString()?.split(' ') ?? [];
}
abstract class Server<Client, User> {
const Server();
/// An OAuth2 authorization server, which issues access tokens to third parties.
abstract class AuthorizationServer<Client, User> {
const AuthorizationServer();
static const String _internalServerError =
'An internal server error occurred.';
/// A [Map] of custom authorization token grants. Use this to handle custom grant types, perhaps even your own.
Map<String, ExtensionGrant> get extensionGrants => {};
/// Finds the [Client] application associated with the given [clientId].
FutureOr<Client> findClient(String clientId);
// TODO: Is this ever used???
/// Verify that a [client] is the one identified by the [clientSecret].
Future<bool> verifyClient(Client client, String clientSecret);
Future<String> authCodeGrant(Client client, String redirectUri, User user,
Iterable<String> scopes, String state);
/// Prompt the currently logged-in user to grant or deny access to the [client].
///
/// In many applications, this will entail showing a dialog to the user in question.
requestAuthorizationCode(
Client client,
String redirectUri,
Iterable<String> scopes,
String state,
RequestContext req,
ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Authorization code grants are not supported.',
state,
),
statusCode: 405,
);
}
authorize(Client client, String redirectUri, Iterable<String> scopes,
String state, RequestContext req, ResponseContext res);
/// Create an implicit authorization token.
///
/// Note that in cases where this is called, there is no guarantee
/// that the user agent has not been compromised.
Future<AuthorizationTokenResponse> implicitGrant(
Client client,
String redirectUri,
Iterable<String> scopes,
String state,
RequestContext req,
ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Authorization code grants are not supported.',
state,
),
statusCode: 405,
);
}
Future<AuthorizationCodeResponse> exchangeAuthCodeForAccessToken(
/// Exchanges an authorization code for an authorization token.
Future<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(
String authCode,
String redirectUri,
RequestContext req,
ResponseContext res);
ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Authorization code grants are not supported.',
req.query['state'] ?? '',
),
statusCode: 405,
);
}
/// Refresh an authorization token.
Future<AuthorizationTokenResponse> refreshAuthorizationToken(
Client client,
String refreshToken,
Iterable<String> scopes,
RequestContext req,
ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Refreshing authorization tokens is not supported.',
req.body['state'] ?? '',
),
statusCode: 405,
);
}
/// Issue an authorization token to a user after authenticating them via [username] and [password].
Future<AuthorizationTokenResponse> resourceOwnerPasswordCredentialsGrant(
Client client,
String username,
String password,
Iterable<String> scopes,
RequestContext req,
ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Resource owner password credentials grants are not supported.',
req.body['state'] ?? '',
),
statusCode: 405,
);
}
/// Performs a client credentials grant. Only use this in situations where the client is 100% trusted.
Future<AuthorizationTokenResponse> clientCredentialsGrant(
Client client, RequestContext req, ResponseContext res) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unsupportedResponseType,
'Client credentials grants are not supported.',
req.body['state'] ?? '',
),
statusCode: 405,
);
}
/// A request handler that invokes the correct logic, depending on which type
/// of grant the client is requesting.
Future authorizationEndpoint(RequestContext req, ResponseContext res) async {
var responseType = _getParam(req, 'response_type');
String state = '';
if (responseType != 'code')
throw new AngelHttpException.badRequest(
message: "Invalid response_type, expected 'code'.");
try {
state = req.query['state']?.toString() ?? '';
var responseType = _getParam(req, 'response_type', state);
if (responseType == 'code') {
// Ensure client ID
var clientId = _getParam(req, 'client_id');
// TODO: Handle confidential clients
var clientId = _getParam(req, 'client_id', state);
// Find client
var client = await findClient(clientId);
if (client == null)
throw new AuthorizationException(ErrorResponse.invalidClient);
if (client == null) {
throw new AuthorizationException(new ErrorResponse(
ErrorResponse.unauthorizedClient,
'Unknown client "$clientId".',
state,
));
}
// Grab redirect URI
var redirectUri = _getParam(req, 'redirect_uri');
var redirectUri = _getParam(req, 'redirect_uri', state);
// Grab scopes
var scopes = _getScopes(req);
var state = req.query['state']?.toString() ?? '';
return await authorize(client, redirectUri, scopes, state, req, res);
return await requestAuthorizationCode(
client, redirectUri, scopes, state, req, res);
}
Future tokenEndpoint(RequestContext req, ResponseContext res) async {
await req.parse();
var grantType = _getParam(req, 'grant_type', body: true);
if (grantType != 'authorization_code')
throw new AngelHttpException.badRequest(
message: "Invalid grant_type; expected 'authorization_code'.");
var code = _getParam(req, 'code', body: true);
var redirectUri = _getParam(req, 'redirect_uri', body: true);
var response =
await exchangeAuthCodeForAccessToken(code, redirectUri, req, res);
return {'token_type': TokenType.bearer}..addAll(response.toJson());
}
Future handleFormSubmission(RequestContext req, ResponseContext res) async {
await req.parse();
// Ensure client ID
var clientId = _getParam(req, 'client_id', body: true);
// Find client
if (responseType == 'token') {
var clientId = _getParam(req, 'client_id', state);
var client = await findClient(clientId);
if (client == null)
throw new AuthorizationException(ErrorResponse.invalidClient);
if (client == null) {
throw new AuthorizationException(new ErrorResponse(
ErrorResponse.unauthorizedClient,
'Unknown client "$clientId".',
state,
));
}
// Verify client secret
var clientSecret = _getParam(req, 'client_secret', body: true);
if (!await verifyClient(client, clientSecret))
throw new AuthorizationException(ErrorResponse.invalidClient);
// Grab redirect URI
var redirectUri = _getParam(req, 'redirect_uri', body: true);
var redirectUri = _getParam(req, 'redirect_uri', state);
// Grab scopes
var scopes = _getScopes(req, body: true);
var scopes = _getScopes(req);
var token =
await implicitGrant(client, redirectUri, scopes, state, req, res);
var state = req.query['state']?.toString() ?? '';
Uri target;
var authCode = await authCodeGrant(
client, redirectUri, req.properties['user'], scopes, state);
res.headers['content-type'] = 'application/x-www-form-urlencoded';
res.write('code=' + Uri.encodeComponent(authCode));
if (state.isNotEmpty) res.write('&state=' + Uri.encodeComponent(state));
try {
target = Uri.parse(redirectUri);
var queryParameters = <String, String>{};
queryParameters.addAll({
'access_token': token.accessToken,
'token_type': 'bearer',
'state': state,
});
if (token.expiresIn != null)
queryParameters['expires_in'] = token.expiresIn.toString();
if (token.scope != null)
queryParameters['scope'] = token.scope.join(' ');
var fragment = queryParameters.keys
.fold<StringBuffer>(new StringBuffer(), (buf, k) {
if (buf.isNotEmpty) buf.write('&');
return buf
..write(
'$k=' + Uri.encodeComponent(queryParameters[k]),
);
}).toString();
target = target.replace(fragment: fragment);
res.redirect(target.toString());
return false;
} on FormatException {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.invalidRequest,
'Invalid URI provided as "redirect_uri" parameter',
state,
),
statusCode: 400);
}
}
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.invalidRequest,
'Invalid or no "response_type" parameter provided',
state,
),
statusCode: 400);
} on AngelHttpException {
rethrow;
} catch (e, st) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.serverError,
_internalServerError,
state,
),
error: e,
statusCode: 500,
stackTrace: st,
);
}
}
static final RegExp _rgxBasic = new RegExp(r'Basic ([^$]+)');
static final RegExp _rgxBasicAuth = new RegExp(r'([^:]*):([^$]*)');
/// A request handler that either exchanges authorization codes for authorization tokens,
/// or refreshes authorization tokens.
Future tokenEndpoint(RequestContext req, ResponseContext res) async {
String state = '';
Client client;
try {
AuthorizationTokenResponse response;
await req.parse();
state = req.body['state'] ?? '';
var grantType = _getParam(req, 'grant_type', state, body: true);
if (grantType != 'authorization_code') {
var match =
_rgxBasic.firstMatch(req.headers.value('authorization') ?? '');
if (match != null) {
match = _rgxBasicAuth
.firstMatch(new String.fromCharCodes(BASE64URL.decode(match[1])));
}
if (match == null) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unauthorizedClient,
'Invalid or no "Authorization" header.',
state,
),
statusCode: 400,
);
} else {
var clientId = match[1], clientSecret = match[2];
client = await findClient(clientId);
if (client == null) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unauthorizedClient,
'Invalid "client_id" parameter.',
state,
),
statusCode: 401,
);
}
if (!await verifyClient(client, clientSecret)) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.unauthorizedClient,
'Invalid "client_secret" parameter.',
state,
),
statusCode: 401,
);
}
}
}
if (grantType == 'authorization_code') {
var code = _getParam(req, 'code', state, body: true);
var redirectUri = _getParam(req, 'redirect_uri', state, body: true);
response = await exchangeAuthorizationCodeForToken(
code, redirectUri, req, res);
} else if (grantType == 'refresh_token') {
var refreshToken = _getParam(req, 'refresh_token', state, body: true);
var scopes = _getScopes(req);
response = await refreshAuthorizationToken(
client, refreshToken, scopes, req, res);
} else if (grantType == 'password') {
var username = _getParam(req, 'username', state, body: true);
var password = _getParam(req, 'password', state, body: true);
var scopes = _getScopes(req);
response = await resourceOwnerPasswordCredentialsGrant(
client, username, password, scopes, req, res);
} else if (grantType == 'client_credentials') {
response = await clientCredentialsGrant(client, req, res);
if (response.refreshToken != null) {
// Remove refresh token
response = new AuthorizationTokenResponse(
response.accessToken,
expiresIn: response.expiresIn,
scope: response.scope,
);
}
} else if (extensionGrants.containsKey(grantType)) {
response = await extensionGrants[grantType](req, res);
}
if (response != null) {
return {'token_type': AuthorizationTokenType.bearer}
..addAll(response.toJson());
}
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.invalidRequest,
'Invalid or no "grant_type" parameter provided',
state,
),
statusCode: 400,
);
} on AngelHttpException {
rethrow;
} catch (e, st) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.serverError,
_internalServerError,
state,
),
error: e,
statusCode: 500,
stackTrace: st,
);
}
}
}

View file

@ -1,3 +0,0 @@
import 'package:angel_auth/angel_auth.dart';
import 'server.dart';

View file

@ -1,3 +1,4 @@
abstract class TokenType {
/// The various types of OAuth2 authorization tokens.
abstract class AuthorizationTokenType {
static const String bearer = 'bearer', mac = 'mac';
}

View file

@ -6,7 +6,7 @@ version: 1.0.0-alpha
environment:
sdk: ">=1.19.0"
dependencies:
angel_auth: ^1.1.0-alpha
angel_framework: ^1.0.0-dev
dev_dependencies:
angel_test: ^1.1.0-alpha
oauth2: ^1.0.0

View file

@ -115,7 +115,7 @@ main() {
});
}
class _Server extends Server<PseudoApplication, Map> {
class _Server extends AuthorizationServer<PseudoApplication, Map> {
final Uuid _uuid = new Uuid();
@override
@ -130,7 +130,7 @@ class _Server extends Server<PseudoApplication, Map> {
}
@override
Future authorize(
Future requestAuthorizationCode(
PseudoApplication client,
String redirectUri,
Iterable<String> scopes,
@ -151,13 +151,7 @@ class _Server extends Server<PseudoApplication, Map> {
}
@override
Future<String> authCodeGrant(PseudoApplication client, String redirectUri,
Map user, Iterable<String> scopes, String state) {
throw new UnsupportedError('Nope');
}
@override
Future<AuthorizationCodeResponse> exchangeAuthCodeForAccessToken(
Future<AuthorizationTokenResponse> exchangeAuthorizationCodeForToken(
String authCode,
String redirectUri,
RequestContext req,
@ -165,7 +159,7 @@ class _Server extends Server<PseudoApplication, Map> {
var authCodes = req.grab<Map<String, String>>('authCodes');
var state = authCodes[authCode];
var refreshToken = state == 'can_refresh' ? '${authCode}_refresh' : null;
return new AuthorizationCodeResponse('${authCode}_access',
return new AuthorizationTokenResponse('${authCode}_access',
refreshToken: refreshToken);
}
}

View file

@ -0,0 +1,105 @@
import 'dart:async';
import 'dart:convert';
import 'dart:io';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_test/angel_test.dart';
import 'package:angel_oauth2/angel_oauth2.dart';
import 'package:angel_validate/angel_validate.dart';
import 'package:test/test.dart';
import 'common.dart';
main() {
TestClient client;
setUp(() async {
var app = new Angel()..lazyParseBodies = true;
var oauth2 = new _AuthorizationServer();
app.group('/oauth2', (router) {
router
..get('/authorize', oauth2.authorizationEndpoint)
..post('/token', oauth2.tokenEndpoint);
});
app.errorHandler = (e, req, res) async {
res.json(e.toJson());
};
client = await connectTo(app);
});
tearDown(() => client.close());
test('authenticate via client credentials', () async {
var response = await client.post(
'/oauth2/token',
headers: {
'Authorization': 'Basic ' + BASE64URL.encode('foo:bar'.codeUnits),
},
body: {
'grant_type': 'client_credentials',
},
);
print('Response: ${response.body}');
expect(response, allOf(
hasStatus(200),
hasContentType(ContentType.JSON),
hasValidBody(new Validator({
'token_type': equals('bearer'),
'access_token': equals('foo'),
})),
));
});
test('force correct id', () async {
var response = await client.post(
'/oauth2/token',
headers: {
'Authorization': 'Basic ' + BASE64URL.encode('fooa:bar'.codeUnits),
},
body: {
'grant_type': 'client_credentials',
},
);
print('Response: ${response.body}');
expect(response, hasStatus(401));
});
test('force correct secret', () async {
var response = await client.post(
'/oauth2/token',
headers: {
'Authorization': 'Basic ' + BASE64URL.encode('foo:bara'.codeUnits),
},
body: {
'grant_type': 'client_credentials',
},
);
print('Response: ${response.body}');
expect(response, hasStatus(401));
});
}
class _AuthorizationServer
extends AuthorizationServer<PseudoApplication, PseudoUser> {
@override
PseudoApplication findClient(String clientId) {
return clientId == pseudoApplication.id ? pseudoApplication : null;
}
@override
Future<bool> verifyClient(
PseudoApplication client, String clientSecret) async {
return client.secret == clientSecret;
}
@override
Future<AuthorizationTokenResponse> clientCredentialsGrant(
PseudoApplication client, RequestContext req, ResponseContext res) async {
return new AuthorizationTokenResponse('foo');
}
}

View file

@ -6,3 +6,15 @@ class PseudoApplication {
const PseudoApplication(this.id, this.secret, this.redirectUri);
}
const List<PseudoUser> pseudoUsers = const [
const PseudoUser(username: 'foo', password: 'bar'),
const PseudoUser(username: 'michael', password: 'jackson'),
const PseudoUser(username: 'jon', password: 'skeet'),
];
class PseudoUser {
final String username, password;
const PseudoUser({this.username, this.password});
}

View file

@ -0,0 +1,69 @@
import 'dart:async';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_test/angel_test.dart';
import 'package:angel_oauth2/angel_oauth2.dart';
import 'package:angel_validate/angel_validate.dart';
import 'package:test/test.dart';
import 'common.dart';
main() {
TestClient client;
setUp(() async {
var app = new Angel()..lazyParseBodies = true;
var oauth2 = new _AuthorizationServer();
app.group('/oauth2', (router) {
router
..get('/authorize', oauth2.authorizationEndpoint)
..post('/token', oauth2.tokenEndpoint);
});
app.errorHandler = (e, req, res) async {
res.json(e.toJson());
};
client = await connectTo(app);
});
tearDown(() => client.close());
test('authenticate via implicit grant', () async {
var response = await client.get(
'/oauth2/authorize?response_type=token&client_id=foo&redirect_uri=http://foo.com&state=bar',
);
print('Headers: ${response.headers}');
expect(
response,
allOf(
hasStatus(302),
hasHeader('location', 'http://foo.com#access_token=foo&token_type=bearer&state=bar'),
));
});
}
class _AuthorizationServer
extends AuthorizationServer<PseudoApplication, PseudoUser> {
@override
PseudoApplication findClient(String clientId) {
return clientId == pseudoApplication.id ? pseudoApplication : null;
}
@override
Future<bool> verifyClient(
PseudoApplication client, String clientSecret) async {
return client.secret == clientSecret;
}
@override
Future<AuthorizationTokenResponse> implicitGrant(
PseudoApplication client,
String redirectUri,
Iterable<String> scopes,
String state,
RequestContext req,
ResponseContext res) async {
return new AuthorizationTokenResponse('foo');
}
}

114
test/password_test.dart Normal file
View file

@ -0,0 +1,114 @@
import 'dart:async';
import 'dart:convert';
import 'dart:io';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_test/angel_test.dart';
import 'package:angel_oauth2/angel_oauth2.dart';
import 'package:angel_validate/angel_validate.dart';
import 'package:test/test.dart';
import 'common.dart';
main() {
TestClient client;
setUp(() async {
var app = new Angel()..lazyParseBodies = true;
var oauth2 = new _AuthorizationServer();
app.group('/oauth2', (router) {
router
..get('/authorize', oauth2.authorizationEndpoint)
..post('/token', oauth2.tokenEndpoint);
});
app.errorHandler = (e, req, res) async {
res.json(e.toJson());
};
client = await connectTo(app);
});
tearDown(() => client.close());
test('authenticate via username+password', () async {
var response = await client.post(
'/oauth2/token',
headers: {
'Authorization': 'Basic ' + BASE64URL.encode('foo:bar'.codeUnits),
},
body: {
'grant_type': 'password',
'username': 'michael',
'password': 'jackson',
},
);
print('Response: ${response.body}');
expect(response, allOf(
hasStatus(200),
hasContentType(ContentType.JSON),
hasValidBody(new Validator({
'token_type': equals('bearer'),
'access_token': equals('foo'),
})),
));
});
test('force correct username+password', () async {
var response = await client.post(
'/oauth2/token',
headers: {
'Authorization': 'Basic ' + BASE64URL.encode('foo:bar'.codeUnits),
},
body: {
'grant_type': 'password',
'username': 'michael',
'password': 'jordan',
},
);
print('Response: ${response.body}');
expect(response, hasStatus(401));
});
}
class _AuthorizationServer
extends AuthorizationServer<PseudoApplication, PseudoUser> {
@override
PseudoApplication findClient(String clientId) {
return clientId == pseudoApplication.id ? pseudoApplication : null;
}
@override
Future<bool> verifyClient(
PseudoApplication client, String clientSecret) async {
return client.secret == clientSecret;
}
@override
Future<AuthorizationTokenResponse> resourceOwnerPasswordCredentialsGrant(
PseudoApplication client,
String username,
String password,
Iterable<String> scopes,
RequestContext req,
ResponseContext res) async {
var user = pseudoUsers.firstWhere(
(u) => u.username == username && u.password == password,
orElse: () => null);
if (user == null) {
throw new AuthorizationException(
new ErrorResponse(
ErrorResponse.accessDenied,
'Invalid username or password.',
req.body['state'] ?? '',
),
statusCode: 401,
);
}
return new AuthorizationTokenResponse('foo');
}
}