class Rack::OAuth2::Server::AccessGrant

The access grant is a single-use authorization code: a fresh grant with a random code is created each time one is needed, and it can be redeemed for exactly one access token.

Attributes

_id[R]

The authorization code. Generated by Server.secure_random at creation time and used as the document key in the access_grants collection; without it the grant cannot be found or redeemed.

access_token[RW]

Access token created from this grant, set when the grant is redeemed. Once set, the grant is spent and cannot be redeemed again.

client_id[R]

ID of the client this grant was issued to.

code[R]

The authorization code, the same value as _id; lookups and updates in the collection use it as the document key.

created_at[R]

Unix timestamp of when the grant was created.

expires_at[RW]

Unix timestamp after which this grant should no longer be redeemable. Note that neither from_code nor authorize! checks it; the caller (the token endpoint) must compare it against the current time before redeeming.

granted_at[RW]

Unix timestamp of when the access token was created; nil until the grant is redeemed.

identity[R]

The identity (String or Integer) on whose behalf access was authorized.

redirect_uri[R]

Redirect URI bound to this grant: the client's registered redirect URI if it has one, otherwise the redirect URI supplied when the grant was created.

revoked[RW]

Unix timestamp of when the grant was revoked, nil otherwise. Revoked grants are not returned by from_code and cannot be redeemed.

scope[R]

The scope granted: the requested scope, normalized and narrowed to what the client is allowed.

Public Class Methods

collection()
# File lib/rack/oauth2/models/access_grant.rb, line 27
def collection
  prefix = Server.options[:collection_prefix]
  Server.database["#{prefix}.access_grants"]
end
create(identity, client, scope, redirect_uri = nil, expires = nil)

Create a new access grant. The identity must be a String or Integer. The requested scope is normalized and intersected with the client's registered scope, so a client cannot obtain a grant for scope it was never allowed. The client's registered redirect URI takes precedence over the redirect_uri argument, so a redirect URI supplied in the authorization request cannot override a registered one. The grant expires after `expires` seconds (default 300). The code itself comes from Server.secure_random.

# File lib/rack/oauth2/models/access_grant.rb, line 15
def create(identity, client, scope, redirect_uri = nil, expires = nil)
  raise ArgumentError, "Identity must be String or Integer" unless String === identity || Integer === identity
  scope = Utils.normalize_scope(scope) & client.scope # Only allowed scope
  expires_at = Time.now.to_i + (expires || 300)
  fields = { :_id=>Server.secure_random, :identity=>identity, :scope=>scope,
             :client_id=>client.id, :redirect_uri=>client.redirect_uri || redirect_uri,
             :created_at=>Time.now.to_i, :expires_at=>expires_at, :granted_at=>nil,
             :access_token=>nil, :revoked=>nil }
  collection.insert fields
  Server.new_instance self, fields
end
from_code(code)

Find an AccessGrant from its authorization code. Returns a grant only if one exists with that code and it has not been revoked; expiry is not checked here.

# File lib/rack/oauth2/models/access_grant.rb, line 10
def from_code(code)
  Server.new_instance self, collection.find_one({ :_id=>code, :revoked=>nil })
end

Public Instance Methods

authorize!(expires_in = nil)

Authorize access and return a new access token.

An access grant can be redeemed only once, but a client may send the same code more than once (a retry, or a replayed request), so only the first request may succeed in returning an access token; further requests raise InvalidGrantError. This is enforced with a compare-and-set rather than the in-memory check alone: the update only matches while access_token is still nil (and the grant is not revoked), and the document is then re-read to confirm that the token stored is this request's token. A request that lost the race sees another token in the reloaded document and raises.

# File lib/rack/oauth2/models/access_grant.rb, line 61
def authorize!(expires_in = nil)
  raise InvalidGrantError, "You can't use the same access grant twice" if self.access_token || self.revoked
  client = Client.find(client_id) or raise InvalidGrantError
  access_token = AccessToken.get_token_for(identity, client, scope, expires_in)
  self.access_token = access_token.token
  self.granted_at = Time.now.to_i
  self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)
  reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
  raise InvalidGrantError unless reload && reload["access_token"] == access_token.token
  return access_token
end
revoke!()

Mark the grant revoked if it is not already. Revoked grants are no longer returned by from_code and authorize! refuses them.
# File lib/rack/oauth2/models/access_grant.rb, line 73
def revoke!
  self.revoked = Time.now.to_i
  self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>revoked } })
end
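
The single-use behaviour of create, from_code, authorize! and revoke! described above, exercised end to end as an added example. This is not rack-oauth2-server code: InMemoryGrantStore is an in-memory stand-in for the Mongo access_grants collection (its find_one and update mimic the selectors the model uses), DemoClient stands in for Client, and create_grant, redeem_grant, revoke_grant and race_redeem are helpers assumed for this example. It also adds the expiry check the model leaves to the caller, and races twenty threads at one code to show that exactly one redemption wins.

```ruby
require "securerandom"

# Added example, not rack-oauth2-server code. InMemoryGrantStore, DemoClient,
# create_grant, redeem_grant, revoke_grant and race_redeem are assumptions
# made for this example; they mirror the model's selectors, not its API.
class InvalidGrantError < StandardError; end

DemoClient = Struct.new(:id, :scope, :redirect_uri)

class InMemoryGrantStore
  def initialize
    @docs = {}
    @lock = Mutex.new
  end

  def insert(fields)
    @lock.synchronize { @docs[fields[:_id]] = fields.dup }
  end

  # Stands in for collection.find_one({ :_id=>code, :revoked=>nil }).
  def find_one(code)
    @lock.synchronize do
      doc = @docs[code]
      doc && doc[:revoked].nil? ? doc.dup : nil
    end
  end

  # Stands in for collection.update(selector, { :$set=>set }). Match and set
  # happen in one critical section, which is what turns a selector such as
  # { :_id=>code, :access_token=>nil } into a compare-and-set.
  def update(selector, set)
    @lock.synchronize do
      doc = @docs[selector[:_id]]
      return false unless doc && selector.all? { |k, v| doc[k] == v }
      doc.merge!(set)
      true
    end
  end
end

# Same shape as AccessGrant.create: scope is narrowed to what the client is
# allowed, and the client's registered redirect URI wins over the supplied one.
def create_grant(store, identity, client, scope, redirect_uri = nil, expires = nil)
  raise ArgumentError, "Identity must be String or Integer" unless String === identity || Integer === identity
  scope = Array(scope).flat_map { |s| s.to_s.split }.uniq & client.scope
  now = Time.now.to_i
  fields = { _id: SecureRandom.hex(16), identity: identity, scope: scope,
             client_id: client.id, redirect_uri: client.redirect_uri || redirect_uri,
             created_at: now, expires_at: now + (expires || 300),
             granted_at: nil, access_token: nil, revoked: nil }
  store.insert(fields)
  fields
end

# from_code followed by authorize!, plus the expiry check the model leaves to
# the caller. Returns the new token or raises InvalidGrantError.
def redeem_grant(store, code)
  grant = store.find_one(code)
  raise InvalidGrantError, "Unknown or revoked grant" unless grant
  raise InvalidGrantError, "Grant expired" if grant[:expires_at] <= Time.now.to_i
  raise InvalidGrantError, "You can't use the same access grant twice" if grant[:access_token]
  token = SecureRandom.hex(16)
  # Only matches while access_token is still nil: the first request wins.
  store.update({ _id: code, access_token: nil, revoked: nil },
               { access_token: token, granted_at: Time.now.to_i })
  # Re-read and compare, as authorize! does. A request that lost the race sees
  # another token (or nil, if revoked meanwhile) and must not hand out its own.
  reload = store.find_one(code)
  raise InvalidGrantError, "Grant already redeemed" unless reload && reload[:access_token] == token
  token
end

# Same selector as revoke!: only an unrevoked grant is updated.
def revoke_grant(store, code)
  store.update({ _id: code, revoked: nil }, { revoked: Time.now.to_i })
end

# Hammer one code from many threads at once; exactly one redemption succeeds.
def race_redeem(store, code, attempts = 20)
  tokens = []
  errors = 0
  lock = Mutex.new
  threads = Array.new(attempts) do
    Thread.new do
      begin
        t = redeem_grant(store, code)
        lock.synchronize { tokens << t }
      rescue InvalidGrantError
        lock.synchronize { errors += 1 }
      end
    end
  end
  threads.each(&:join)
  [tokens, errors]
end
```

The pre-check on access_token in redeem_grant is only an early exit; what actually makes the grant single-use is the compare-and-set update plus the reload-and-compare, which is why the real model does the same against MongoDB rather than trusting the copy it loaded.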