Class: Rack::OAuth2::Server::AccessGrant

Inherits:
Object
Defined in:
lib/rack/oauth2/models/access_grant.rb

Overview

The access grant is a single-use nonce: a fresh grant is created each time one is needed, and each grant can be redeemed for exactly one access token.




Instance Attribute Details

#_id ⇒ Object (readonly) — also known as: code

The authorization code. It doubles as the record's _id, and no grant exists without one.



# File 'lib/rack/oauth2/models/access_grant.rb', line 33

# Authorization code, used as the record's _id. Aliased as +code+.
# @return the opaque code assigned in .create (nil on a bare instance)
def _id
  instance_variable_get(:@_id)
end

#access_token ⇒ Object

Access token issued from this grant. Once it is set the grant is spent and cannot be redeemed again.



# File 'lib/rack/oauth2/models/access_grant.rb', line 50

# Token string stored when the grant is redeemed; nil until then.
# Written by #authorize! and used there as the "already spent" marker.
# @return [String, nil]
def access_token
  instance_variable_get(:@access_token)
end

#client_id ⇒ Object (readonly)

Identifier of the client this grant was issued to.



# File 'lib/rack/oauth2/models/access_grant.rb', line 38

# Identifier of the client the grant was issued to (client.id at creation).
# @return the client id, or nil on a bare instance
def client_id
  instance_variable_get(:@client_id)
end

#created_at ⇒ Object (readonly)

Unix timestamp (seconds) of when the grant was created.



# File 'lib/rack/oauth2/models/access_grant.rb', line 44

# Creation time as Unix seconds (Time.now.to_i at creation).
# @return [Integer, nil]
def created_at
  instance_variable_get(:@created_at)
end

#expires_at ⇒ Object

Unix timestamp (seconds) after which this grant should no longer be redeemable.



# File 'lib/rack/oauth2/models/access_grant.rb', line 48

# Expiry time as Unix seconds: creation time plus the requested lifetime
# (300 seconds when none was given).
# @return [Integer, nil]
def expires_at
  instance_variable_get(:@expires_at)
end

#granted_at ⇒ Object

Unix timestamp (seconds) of when the access token was issued, or nil if the grant has not been redeemed.



# File 'lib/rack/oauth2/models/access_grant.rb', line 46

# Time (Unix seconds) the access token was issued by #authorize!;
# nil while the grant is still unredeemed.
# @return [Integer, nil]
def granted_at
  instance_variable_get(:@granted_at)
end

#identity ⇒ Object (readonly)

The identity we authorized access to.



# File 'lib/rack/oauth2/models/access_grant.rb', line 36

# The identity (resource owner) access was authorized for.
# .create only accepts a String or Integer here.
# @return [String, Integer, nil]
def identity
  instance_variable_get(:@identity)
end

#redirect_uri ⇒ Object (readonly)

Redirect URI bound to this grant: the client's registered URI when it has one, otherwise the URI supplied at creation.



# File 'lib/rack/oauth2/models/access_grant.rb', line 40

# Redirect URI the grant is bound to: the client's registered URI if any,
# else the one passed to .create (may be nil).
# @return [String, nil]
def redirect_uri
  instance_variable_get(:@redirect_uri)
end

#revoked ⇒ Object

Unix timestamp (seconds) of revocation, or nil if the grant has not been revoked.



# File 'lib/rack/oauth2/models/access_grant.rb', line 52

# Revocation time as Unix seconds, set by #revoke!; nil while still valid.
# @return [Integer, nil]
def revoked
  instance_variable_get(:@revoked)
end

#scope ⇒ Object (readonly)

The scope granted: the requested scope, normalized and limited to what the client is allowed.



# File 'lib/rack/oauth2/models/access_grant.rb', line 42

# Granted scope: the requested scope after normalization, intersected with
# the client's allowed scope in .create.
# @return the scope list, or nil on a bare instance
def scope
  instance_variable_get(:@scope)
end

Class Method Details

.collection ⇒ Object



# File 'lib/rack/oauth2/models/access_grant.rb', line 27

# The backing collection for access grants, looked up by name on
# Server.database (a Mongo-style API: find_one / insert / update).
# @return the "oauth2.access_grants" collection
def collection
  database = Server.database
  database["oauth2.access_grants"]
end

.create(identity, client, scope, redirect_uri = nil, expires = nil) ⇒ Object

Create a new access grant.

Raises:

  • (ArgumentError)


# File 'lib/rack/oauth2/models/access_grant.rb', line 15

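# Create and persist a new access grant.
#
# @param identity [String, Integer] the resource owner the grant is for
# @param client the registered client requesting access; its +scope+ bounds the
#   granted scope and its registered +redirect_uri+, if any, takes precedence
#   over the +redirect_uri+ argument
# @param scope the requested scope; normalized and intersected with client.scope
# @param redirect_uri [String, nil] URI to bind the grant to; only used when the
#   client has no registered redirect URI
# @param expires [Integer, nil] lifetime in seconds, default 300 (5 minutes)
# @return the new AccessGrant instance (via Server.new_instance)
# @raise [ArgumentError] if identity is neither a String nor an Integer
def create(identity, client, scope, redirect_uri = nil, expires = nil)
  raise ArgumentError, "Identity must be String or Integer" unless String === identity || Integer === identity
  scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
  # Read the clock once so created_at + expires == expires_at exactly, instead of
  # two Time.now calls that may straddle a second boundary.
  now = Time.now.to_i
  expires_at = now + (expires || 300)
  fields = { :_id=>Server.secure_random, :identity=>identity, :scope=>scope,
             :client_id=>client.id,
             # A registered redirect URI always wins; the caller-supplied one is
             # honoured only for clients that registered none.
             :redirect_uri=>client.redirect_uri || redirect_uri,
             :created_at=>now, :expires_at=>expires_at, :granted_at=>nil,
             :access_token=>nil, :revoked=>nil }
  collection.insert fields
  Server.new_instance self, fields
end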

.from_code(code) ⇒ Object

Find an unrevoked AccessGrant by its authorization code.



# File 'lib/rack/oauth2/models/access_grant.rb', line 10

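# Find an unrevoked AccessGrant by its authorization code.
#
# The code arrives in the client's token request, so it is untrusted, and it is
# placed directly into the query as the +_id+ match. Only a String is accepted:
# a structured value (e.g. a Hash produced by nested request parameters) would be
# handed to the query layer as-is rather than compared as a literal, so anything
# that is not a String is treated as "no such grant".
#
# @param code [String] the authorization code handed to the client
# @return the matching grant, or whatever Server.new_instance returns for nil
#   when there is no matching, unrevoked grant
def from_code(code)
  fields = String === code ? collection.find_one({ :_id=>code, :revoked=>nil }) : nil
  Server.new_instance self, fields
end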

Instance Method Details

#authorize! ⇒ Object

Authorize access and return new access token.

An access grant can only be redeemed once, but a client can make multiple requests to redeem it, so we need to make sure only the first request succeeds in returning an access token; further requests raise InvalidGrantError.

Raises:



# File 'lib/rack/oauth2/models/access_grant.rb', line 60

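# Authorize access and return the new access token.
#
# A grant may be redeemed exactly once, but a client can send the token request
# several times, possibly concurrently. The database update below is conditional
# on +access_token+ and +revoked+ still being nil (a compare-and-set), and the
# re-read afterwards confirms that the token now stored is the one this request
# produced; any other outcome raises.
#
# @return the AccessToken returned by AccessToken.get_token_for
# @raise [InvalidGrantError] if the grant was already redeemed or revoked, has
#   passed its expires_at, if its client no longer exists, or if a concurrent
#   redemption won the race
def authorize!
  raise InvalidGrantError, "You can't use the same access grant twice" if self.access_token || self.revoked
  # Enforce the grant's own expiry here rather than relying solely on the caller.
  raise InvalidGrantError, "Access grant has expired" if expires_at && expires_at <= Time.now.to_i
  client = Client.find(client_id) or raise InvalidGrantError
  # Local is named +token+ so it does not shadow the access_token accessor.
  token = AccessToken.get_token_for(identity, client, scope)
  self.access_token = token.token
  self.granted_at = Time.now.to_i
  # Only the first redemption matches this filter; later ones update nothing.
  self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>token.token } }, :safe=>true)
  # Confirm the stored token is ours; if not, another request won the race.
  reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
  raise InvalidGrantError unless reload && reload["access_token"] == token.token
  token
end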

#revoke! ⇒ Object



# File 'lib/rack/oauth2/models/access_grant.rb', line 72

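# Revoke this grant so it can no longer be redeemed.
#
# The update is conditional on +revoked+ still being nil, so a second call keeps
# the original revocation timestamp. The write is acknowledged (:safe=>true),
# matching #authorize!, so a failed write surfaces as an error instead of
# silently leaving the grant redeemable. Note that this only marks the grant;
# an access token already issued from it is not touched here.
#
# @return the driver's result for the update
def revoke!
  self.revoked = Time.now.to_i
  self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>revoked } }, :safe=>true)
end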