A user can now revoke an application's token iz ms
parent
3d77186d35
commit
ef0e48a7ff
4 changed files with 27 additions and 4 deletions
|
|
@ -1,7 +1,7 @@
|
||||||
class AuthorizationsController < ApplicationController
|
class AuthorizationsController < ApplicationController
|
||||||
include OAuth2::Provider::Rack::AuthorizationCodesSupport
|
include OAuth2::Provider::Rack::AuthorizationCodesSupport
|
||||||
before_filter :authenticate_user!, :except => :token
|
before_filter :authenticate_user!, :except => :token
|
||||||
before_filter :block_invalid_authorization_code_requests, :except => [:token, :index]
|
before_filter :block_invalid_authorization_code_requests, :except => [:token, :index, :destroy]
|
||||||
|
|
||||||
skip_before_filter :verify_authenticity_token, :only => :token
|
skip_before_filter :verify_authenticity_token, :only => :token
|
||||||
|
|
||||||
|
|
@ -38,6 +38,13 @@ class AuthorizationsController < ApplicationController
|
||||||
@authorizations = current_user.authorizations
|
@authorizations = current_user.authorizations
|
||||||
@applications = current_user.applications
|
@applications = current_user.applications
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def destroy
|
||||||
|
## ID is actually the id of the client
|
||||||
|
auth = current_user.authorizations.where(:client_id => params[:id]).first
|
||||||
|
auth.revoke
|
||||||
|
redirect_to authorizations_path
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
OAuth2::Provider.client_class.instance_eval do
|
OAuth2::Provider.client_class.instance_eval do
|
||||||
|
|
|
||||||
|
|
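Review bot: `auth.revoke` in the new `destroy` action is called on the result of `.first`, which is nil whenever the current user holds no authorization for `params[:id]` (a stale "Delete" link, a double submit, or a guessed id), so the request fails with NoMethodError and a 500 instead of a clean 404. Guard the lookup before revoking, e.g. `raise ActiveRecord::RecordNotFound unless auth` on the line after the `where(...).first`, or at minimum `auth.revoke if auth`. Keeping the lookup scoped through `current_user.authorizations` is what stops one user from revoking another user's grant, so that scoping should stay as written. The `## ID is actually the id of the client` comment is worth keeping but would be clearer as `# params[:id] is the OAuth client id, not the authorization id (see resources :authorizations)`, since a reader expecting REST conventions will assume otherwise.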
@ -120,7 +120,7 @@ Diaspora::Application.routes.draw do
|
||||||
post "/oauth/authorize" => "authorizations#create"
|
post "/oauth/authorize" => "authorizations#create"
|
||||||
|
|
||||||
post "/oauth/token" => "authorizations#token"
|
post "/oauth/token" => "authorizations#token"
|
||||||
resources :authorizations, :only => [:index]
|
resources :authorizations, :only => [:index, :destroy]
|
||||||
|
|
||||||
resources :services, :only => [:index, :destroy]
|
resources :services, :only => [:index, :destroy]
|
||||||
controller :services do
|
controller :services do
|
||||||
|
|
|
||||||
|
|
@ -37,6 +37,18 @@ Feature: oauth
|
||||||
When I try to authorize Chubbies
|
When I try to authorize Chubbies
|
||||||
|
|
||||||
When I press "Authorize"
|
When I press "Authorize"
|
||||||
|
|
||||||
And I am on the authorizations page
|
And I am on the authorizations page
|
||||||
Then I should see "Chubbies"
|
Then I should see "Chubbies"
|
||||||
And I should see "The best way to chub."
|
And I should see "The best way to chub."
|
||||||
|
|
||||||
|
Scenario: Removing Chubbies from the authorized applications list de-authorizes it
|
||||||
|
When I try to authorize Chubbies
|
||||||
|
|
||||||
|
When I press "Authorize"
|
||||||
|
|
||||||
|
And I am on the authorizations page
|
||||||
|
And I preemptively confirm the alert
|
||||||
|
And I follow "Delete"
|
||||||
|
Then I visit "/account?id=1" on Chubbies
|
||||||
|
Then I should see "Token invalid"
|
||||||
|
|
|
||||||
|
|
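Review bot: The new scenario hard-codes `Then I visit "/account?id=1" on Chubbies`, so it passes only while the user created by the earlier steps happens to get id 1 in the Chubbies database; that presumably relies on the test database being reset between scenarios, which is not visible here. If the surrounding steps expose the user some other way, a step that looks the user up by name or by the last created record would make the scenario independent of id assignment. That line is also an action rather than an assertion, so `When I visit ... on Chubbies` reads more naturally before the `Then I should see "Token invalid"` check.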
@ -57,8 +57,12 @@ module Chubbies
|
||||||
get '/account' do
|
get '/account' do
|
||||||
if params['id'] && user = User.where(:id => params['id']).first
|
if params['id'] && user = User.where(:id => params['id']).first
|
||||||
if user.access_token
|
if user.access_token
|
||||||
|
begin
|
||||||
@resource_response = user.access_token.token.get("/api/v0/me")
|
@resource_response = user.access_token.token.get("/api/v0/me")
|
||||||
haml :response
|
haml :response
|
||||||
|
rescue OAuth2::AccessDenied
|
||||||
|
"Token invalid"
|
||||||
|
end
|
||||||
else
|
else
|
||||||
"No access token."
|
"No access token."
|
||||||
end
|
end
|
||||||
|
|
|
||||||
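Review bot: The new `rescue OAuth2::AccessDenied` branch reports "Token invalid" but leaves the revoked token attached to `user`, so every later request for that id in the sample app will presumably hit the same rescue until something else clears it; if the access token model allows it, discarding the token in the rescue branch (e.g. `user.access_token.destroy` before returning the message) would let the user re-authorize — whether that is the right call depends on the User/access_token model, which is outside the hunk. The rescue also returns "Token invalid" as the body of a 200 response; `halt 401, "Token invalid"` would let a client (and the cucumber step) distinguish a revoked token from a normal page. The `get '/account'` block and the outer `if params['id'] ...` close beyond the end of the hunk.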