lib/grape-doorkeeper/grape_oauth2.rb
module GrapeDoorkeeper
# OAuth 2.0 authorization for Grape APIs.
class OAuth2Base < Grape::Middleware::Base
def default_options
{
token_class: 'AccessToken',
realm: 'OAuth API',
parameter: %w(bearer_token oauth_token access_token),
accepted_headers: %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION),
header: [/Bearer (.*)/i, /OAuth (.*)/i],
required: true
}
end
def before
verify_token(token_parameter || token_header)
end
def request
@request ||= Grape::Request.new(env)
end
def params
@params ||= request.params
end
def token_parameter
Array(options[:parameter]).each do |p|
return params[p] if params[p]
end
nil
end
def token_header
return false unless authorization_header
Array(options[:header]).each do |regexp|
return $1 if authorization_header =~ regexp
end
nil
end
def authorization_header
options[:accepted_headers].each do |head|
return env[head] if env[head]
end
nil
end
def token_class
@klass ||= eval(options[:token_class]) # rubocop:disable Eval
end
def verify_token(token)
token = token_class.verify(token)
if token
if token.respond_to?(:expired?) && token.expired?
error_out(401, 'invalid_grant')
else
if !token.respond_to?(:permission_for?) || token.permission_for?(env)
env['api.token'] = token
else
error_out(403, 'insufficient_scope')
end
end
elsif !!options[:required]
error_out(401, 'invalid_grant')
end
end
def error_out(status, error)
throw :error,
message: error,
status: status,
headers: {
'WWW-Authenticate' => "OAuth realm='#{options[:realm]}', error='#{error}'"
}
end
end
end