From ef0e48a7ffc76a12f81315d57e22340efea10312 Mon Sep 17 00:00:00 2001 From: Ilya Zhitomirskiy Date: Mon, 13 Jun 2011 16:48:52 -0700 Subject: [PATCH] A user can now revoke an application's token iz ms --- app/controllers/authorizations_controller.rb | 9 ++++++++- config/routes.rb | 2 +- features/oauth.feature | 12 ++++++++++++ spec/chubbies/app.rb | 8 ++++++-- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/app/controllers/authorizations_controller.rb b/app/controllers/authorizations_controller.rb index 2dbc4aaf5..b2a0540a5 100644 --- a/app/controllers/authorizations_controller.rb +++ b/app/controllers/authorizations_controller.rb @@ -1,7 +1,7 @@ class AuthorizationsController < ApplicationController include OAuth2::Provider::Rack::AuthorizationCodesSupport before_filter :authenticate_user!, :except => :token - before_filter :block_invalid_authorization_code_requests, :except => [:token, :index] + before_filter :block_invalid_authorization_code_requests, :except => [:token, :index, :destroy] skip_before_filter :verify_authenticity_token, :only => :token @@ -38,6 +38,13 @@ class AuthorizationsController < ApplicationController @authorizations = current_user.authorizations @applications = current_user.applications end + + def destroy + ## ID is actually the id of the client + auth = current_user.authorizations.where(:client_id => params[:id]).first + auth.revoke + redirect_to authorizations_path + end end OAuth2::Provider.client_class.instance_eval do diff --git a/config/routes.rb b/config/routes.rb index d4d7dfc21..c161c421d 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -120,7 +120,7 @@ Diaspora::Application.routes.draw do post "/oauth/authorize" => "authorizations#create" post "/oauth/token" => "authorizations#token" - resources :authorizations, :only => [:index] + resources :authorizations, :only => [:index, :destroy] resources :services, :only => [:index, :destroy] controller :services do 
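Review bot: In the new `destroy` action, `auth.revoke` raises NoMethodError when `current_user.authorizations.where(:client_id => params[:id]).first` returns nil — a stale or double-submitted Delete link, or an id for a client this user never authorized — so the request ends in a 500 instead of the redirect. Guarding the call, `auth.revoke if auth`, keeps the action idempotent while still redirecting to `authorizations_path`. Scoping the lookup through `current_user.authorizations` is what stops one user from revoking another user's grant, so that part should stay as written. The `## ID is actually the id of the client` comment deserves one more sentence: the route is `resources :authorizations` but `:id` carries a client id, so a reader of routes.rb or the Delete link will otherwise assume it is an authorization id.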
diff --git a/features/oauth.feature b/features/oauth.feature index 5ac510cbe..b67b2b814 100644 --- a/features/oauth.feature +++ b/features/oauth.feature @@ -37,6 +37,18 @@ Feature: oauth When I try to authorize Chubbies When I press "Authorize" + And I am on the authorizations page Then I should see "Chubbies" And I should see "The best way to chub." + + Scenario: Removing Chubbies from the authorized applications list de-authorizes it + When I try to authorize Chubbies + + When I press "Authorize" + + And I am on the authorizations page + And I preemptively confirm the alert + And I follow "Delete" + Then I visit "/account?id=1" on Chubbies + Then I should see "Token invalid" diff --git a/spec/chubbies/app.rb b/spec/chubbies/app.rb index ad6db8474..04f4bcdb4 100644 --- a/spec/chubbies/app.rb +++ b/spec/chubbies/app.rb @@ -57,8 +57,12 @@ module Chubbies get '/account' do if params['id'] && user = User.where(:id => params['id']).first if user.access_token - @resource_response = user.access_token.token.get("/api/v0/me") - haml :response + begin + @resource_response = user.access_token.token.get("/api/v0/me") + haml :response + rescue OAuth2::AccessDenied + "Token invalid" + end else "No access token." end
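Review bot: In spec/chubbies/app.rb the new `rescue OAuth2::AccessDenied` turns the revoked-token case into the literal `"Token invalid"`, and the new oauth.feature scenario asserts on that exact string; the two files are coupled by a bare string with no shared constant, so a wording change in either breaks the scenario without pointing at the cause. A short comment on the rescue, `# Revoked/invalid token; features/oauth.feature matches this text`, makes the coupling visible to the next editor. The rescue also appears to cover only the access-denied class; if the provider ever answers a revoked token with a different status the error would presumably be a different OAuth2 class and still propagate — worth confirming against the gem version in use. The enclosing `get '/account' do` block starts inside the hunk but its closing `end` lines are outside it.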