A user can now revoke an application's token iz ms

2011-06-13 16:48:52 -07:00 · 2011-06-13 16:48:52 -07:00 · ef0e48a7ff
commit ef0e48a7ff
parent 3d77186d35
4 changed files with 27 additions and 4 deletions
--- a/app/controllers/authorizations_controller.rb
+++ b/app/controllers/authorizations_controller.rb
@ -1,7 +1,7 @@
 class AuthorizationsController < ApplicationController
  include OAuth2::Provider::Rack::AuthorizationCodesSupport
  before_filter :authenticate_user!, :except => :token
-  before_filter :block_invalid_authorization_code_requests, :except => [:token, :index]
+  before_filter :block_invalid_authorization_code_requests, :except => [:token, :index, :destroy]

  skip_before_filter :verify_authenticity_token, :only => :token

@ -38,6 +38,13 @@ class AuthorizationsController < ApplicationController
    @authorizations = current_user.authorizations
    @applications = current_user.applications
  end
+
+  def destroy
+    ## ID is actually the id of the client
+    auth = current_user.authorizations.where(:client_id => params[:id]).first
+    auth.revoke
+    redirect_to authorizations_path
+  end
 end

 OAuth2::Provider.client_class.instance_eval do
--- a/config/routes.rb
+++ b/config/routes.rb
@ -120,7 +120,7 @@ Diaspora::Application.routes.draw do
  post "/oauth/authorize" => "authorizations#create"

  post "/oauth/token" => "authorizations#token"
-  resources :authorizations, :only => [:index]
+  resources :authorizations, :only => [:index, :destroy]

  resources :services, :only => [:index, :destroy]
  controller :services do
--- a/features/oauth.feature
+++ b/features/oauth.feature
@ -37,6 +37,18 @@ Feature: oauth
    When I try to authorize Chubbies

    When I press "Authorize"
+
    And I am on the authorizations page
    Then I should see "Chubbies"
    And I should see "The best way to chub."
+
+  Scenario: Removing Chubbies from the authorized applications list de-authorizes it
+    When I try to authorize Chubbies
+
+    When I press "Authorize"
+
+    And I am on the authorizations page
+    And I preemptively confirm the alert
+    And I follow "Delete"
+    Then I visit "/account?id=1" on Chubbies
+    Then I should see "Token invalid"
--- a/spec/chubbies/app.rb
+++ b/spec/chubbies/app.rb
@ -57,8 +57,12 @@ module Chubbies
    get '/account' do
      if params['id'] && user = User.where(:id => params['id']).first
        if user.access_token
-          @resource_response = user.access_token.token.get("/api/v0/me")
-          haml :response
+          begin 
+            @resource_response = user.access_token.token.get("/api/v0/me")
+            haml :response
+          rescue OAuth2::AccessDenied 
+            "Token invalid"
+          end
        else
          "No access token."
        end