Merge pull request #76 from tsuyoshizawa/improve-authorization-handler

Improve authorization handler

Author: tsuyoshizawa

play2-oauth2-provider/src/main/scala/scalaoauth2/provider/OAuth2Provider.scala

@@ -16,21 +16,21 @@ trait OAuth2BaseProvider extends Results {
   val tokenEndpoint: TokenEndpoint = TokenEndpoint
 
   implicit def play2oauthRequest(request: RequestHeader): AuthorizationRequest = {
-    AuthorizationRequest(request.headers.toMap, request.queryString)
+    new AuthorizationRequest(request.headers.toMap, request.queryString)
   }
 
   implicit def play2oauthRequest[A](request: Request[A]): AuthorizationRequest = {
     val param: Map[String, Seq[String]] = getParam(request)
-    AuthorizationRequest(request.headers.toMap, param)
+    new AuthorizationRequest(request.headers.toMap, param)
   }
 
   implicit def play2protectedResourceRequest(request: RequestHeader): ProtectedResourceRequest = {
-    ProtectedResourceRequest(request.headers.toMap, request.queryString)
+    new ProtectedResourceRequest(request.headers.toMap, request.queryString)
   }
 
   implicit def play2protectedResourceRequest[A](request: Request[A]): ProtectedResourceRequest = {
     val param: Map[String, Seq[String]] = getParam(request)
-    ProtectedResourceRequest(request.headers.toMap, param)
+    new ProtectedResourceRequest(request.headers.toMap, param)
   }
 
   private[provider] def getParam[A](request: Request[A]): Map[String, Seq[String]] = {

scala-oauth2-core/src/main/scala/scalaoauth2/provider/AuthorizationHandler.scala

@@ -9,7 +9,7 @@ import scala.concurrent.Future
  *
  * <h4>Authorization Code Grant</h4>
  * <ul>
- *   <li>validateClient(clientCredential, grantType)</li>
+ *   <li>validateClient(request)</li>
  *   <li>findAuthInfoByCode(code)</li>
  *   <li>deleteAuthCode(code)</li>
  *   <li>getStoredAccessToken(authInfo)</li>
@@ -26,25 +26,25 @@ import scala.concurrent.Future
  *
  * <h4>Resource Owner Password Credentials Grant</h4>
  * <ul>
- *   <li>validateClient(clientCredential, grantType)</li>
- *   <li>findUser(username, password)</li>
+ *   <li>validateClient(request)</li>
+ *   <li>findUser(request)</li>
  *   <li>getStoredAccessToken(authInfo)</li>
  *   <li>refreshAccessToken(authInfo, token)</li>
  *   <li>createAccessToken(authInfo)</li>
  * </ul>
  *
  * <h4>Client Credentials Grant</h4>
  * <ul>
- *   <li>validateClient(clientCredential, grantType)</li>
- *   <li>findClientUser(clientCredential)</li>
+ *   <li>validateClient(request)</li>
+ *   <li>findUser(request)</li>
  *   <li>getStoredAccessToken(authInfo)</li>
  *   <li>refreshAccessToken(authInfo, token)</li>
  *   <li>createAccessToken(authInfo)</li>
  * </ul>
  *
  * <h4>Implicit Grant</h4>
  * <ul>
- *   <li>validateClient(clientCredential, grantType)</li>
+ *   <li>validateClient(request)</li>
  *   <li>findUser(request)</li>
  *   <li>getStoredAccessToken(authInfo)</li>
  *   <li>createAccessToken(authInfo)</li>
@@ -56,25 +56,14 @@ trait AuthorizationHandler[U] {
   /**
    * Verify proper client with parameters for issue an access token.
    *
-   * @param clientCredential Client sends clientId and clientSecret which are registered by application.
-   * @param grantType Client sends this value which is registered by application.
+   * @param request Request sent by client.
    * @return true if request is a regular client, false if request is a illegal client.
    */
-  def validateClient(clientCredential: ClientCredential, grantType: String): Future[Boolean]
-
-  /**
-   * Find userId with username and password these are used on your system.
-   * If you don't support Resource Owner Password Credentials Grant then doesn't need implementing.
-   *
-   * @param username Client sends this value which is used on your system.
-   * @param password Client sends this value which is used on your system.
-   * @return Including UserId to Option if could find the user, None if couldn't find.
-   */
-  def findUser(username: String, password: String): Future[Option[U]]
+  def validateClient(request: AuthorizationRequest): Future[Boolean]
 
   /**
    * Authenticate the user that issued the authorization request.
-   * If you don't support Implicit Grant, then doesn't need implementing.
+   * Client credential, Password and Implicit Grant call this method.
    *
    * @param request Request sent by client.
    */
@@ -138,14 +127,4 @@ trait AuthorizationHandler[U] {
    */
   def findAuthInfoByRefreshToken(refreshToken: String): Future[Option[AuthInfo[U]]]
 
-  /**
-   * Find user by clientId and clientSecret.
-   *
-   * If you don't support Client Credentials Grant then doesn't need implementing.
-   *
-   * @param clientCredential Client sends clientId and clientSecret which are registered by application.
-   * @return Return user that matched both values.
-   */
-  def findClientUser(clientCredential: ClientCredential, scope: Option[String]): Future[Option[U]]
-
 }

scala-oauth2-core/src/main/scala/scalaoauth2/provider/AuthorizationRequest.scala

@@ -1,6 +1,10 @@
 package scalaoauth2.provider
 
-case class AuthorizationRequest(headers: Map[String, Seq[String]], params: Map[String, Seq[String]]) extends RequestBase(headers, params) {
+import org.apache.commons.codec.binary.Base64
+
+case class ClientCredential(clientId: String, clientSecret: Option[String])
+
+class AuthorizationRequest(headers: Map[String, Seq[String]], params: Map[String, Seq[String]]) extends RequestBase(headers, params) {
 
   /**
    * Returns grant_type.
@@ -12,21 +16,7 @@ case class AuthorizationRequest(headers: Map[String, Seq[String]], params: Map[S
    * 
    * @return grant_type
    */
-  def grantType: Option[String] = param("grant_type")
-
-  /**
-   * Returns client_id.
-   * 
-   * @return client_id
-   */
-  def clientId: Option[String] = param("client_id")
-
-  /**
-   * Returns client_secret.
-   * 
-   * @return client_secret
-   */
-  def clientSecret: Option[String] = param("client_secret")
+  def grantType: String = requireParam("grant_type")
 
   /**
    * Returns scope.
@@ -35,42 +25,84 @@ case class AuthorizationRequest(headers: Map[String, Seq[String]], params: Map[S
    */
   def scope: Option[String] = param("scope")
 
+  lazy val clientCredential: Option[ClientCredential] = {
+    header("Authorization").flatMap {
+      """^\s*Basic\s+(.+?)\s*$""".r.findFirstMatchIn
+    } match {
+      case Some(matcher) =>
+        val authorization = matcher.group(1)
+        val decoded = new String(Base64.decodeBase64(authorization.getBytes), "UTF-8")
+        if (decoded.indexOf(':') > 0) {
+          decoded.split(":", 2) match {
+            case Array(clientId, clientSecret) => Some(ClientCredential(clientId, if (clientSecret == "") None else Some(clientSecret)))
+            case Array(clientId) => Some(ClientCredential(clientId, None))
+          }
+        } else {
+          None
+        }
+      case _ => param("client_id").map { clientId =>
+        ClientCredential(clientId, param("client_secret"))
+      }
+    }
+  }
+}
+
+case class RefreshTokenRequest(request: AuthorizationRequest) extends AuthorizationRequest(request.headers, request.params) {
   /**
-   * Returns redirect_uri.
-   * 
-   * @return redirect_uri
-   */
-  def redirectUri: Option[String] = param("redirect_uri")
+    * returns refresh_token.
+    *
+    * @return code.
+    * @throws InvalidRequest if the parameter is not found
+    */
+  def refreshToken: String = requireParam("refresh_token")
 
+  override lazy val clientCredential = request.clientCredential
+}
+
+case class PasswordRequest(request: AuthorizationRequest) extends AuthorizationRequest(request.headers, request.params) {
   /**
-   * returns code.
-   * 
-   * @return code.
-   * @throws InvalidRequest If not found code
-   */
-  def requireCode: String = requireParam("code")
+    * returns username.
+    *
+    * @return username.
+    * @throws InvalidRequest if the parameter is not found
+    */
+  def username = requireParam("username")
 
   /**
-   * returns username.
-   *
-   * @return username.
-   * @throws InvalidRequest If not found username
-   */
-  def requireUsername: String = requireParam("username")
+    * returns password.
+    *
+    * @return password.
+    * @throws InvalidRequest if the parameter is not found
+    */
+  def password = requireParam("password")
+
+  override lazy val clientCredential = request.clientCredential
+}
+
+case class ClientCredentialsRequest(request: AuthorizationRequest) extends AuthorizationRequest(request.headers, request.params) {
+  override lazy val clientCredential = request.clientCredential
+}
 
+case class AuthorizationCodeRequest(request: AuthorizationRequest) extends AuthorizationRequest(request.headers, request.params) {
   /**
-   * returns password.
-   *
-   * @return code.
-   * @throws InvalidRequest If not found password
-   */
-  def requirePassword: String = requireParam("password")
+    * returns code.
+    *
+    * @return code.
+    * @throws InvalidRequest if code is not found
+    */
+  def code: String = requireParam("code")
 
   /**
-   * returns refresh_token.
-   *
-   * @return code.
-   * @throws InvalidRequest If not found refresh_token
-   */
-  def requireRefreshToken: String = requireParam("refresh_token")
+    * Returns redirect_uri.
+    *
+    * @return redirect_uri
+    */
+  def redirectUri: Option[String] = param("redirect_uri")
+
+  override lazy val clientCredential = request.clientCredential
+
+}
+
+case class ImplicitRequest(request: AuthorizationRequest) extends AuthorizationRequest(request.headers, request.params) {
+  override lazy val clientCredential = request.clientCredential
 }

scala-oauth2-core/src/main/scala/scalaoauth2/provider/ClientCredentialFetcher.scala

@@ -13,7 +13,7 @@ trait GrantHandler {
    */
   def clientCredentialRequired = true
 
-  def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], authorizationHandler: AuthorizationHandler[U]): Future[GrantHandlerResult]
+  def handleRequest[U](request: AuthorizationRequest, authorizationHandler: AuthorizationHandler[U]): Future[GrantHandlerResult]
 
   /**
    * Returns valid access token.
@@ -44,9 +44,10 @@ trait GrantHandler {
 
 class RefreshToken extends GrantHandler {
 
-  override def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
-    val clientCredential = maybeClientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
-    val refreshToken = request.requireRefreshToken
+  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
+    val refreshTokenRequest = new RefreshTokenRequest(request)
+    val clientCredential = refreshTokenRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
+    val refreshToken = refreshTokenRequest.refreshToken
 
     handler.findAuthInfoByRefreshToken(refreshToken).flatMap { authInfoOption =>
       val authInfo = authInfoOption.getOrElse(throw new InvalidGrant("Authorized information is not found by the refresh token"))
@@ -61,19 +62,17 @@ class RefreshToken extends GrantHandler {
 
 class Password extends GrantHandler {
 
-  override def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
-    if (clientCredentialRequired && maybeClientCredential.isEmpty) {
+  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
+    val passwordRequest = new PasswordRequest(request)
+    if (clientCredentialRequired && passwordRequest.clientCredential.isEmpty) {
       throw new InvalidRequest("Client credential is required")
     }
 
-    val username = request.requireUsername
-    val password = request.requirePassword
-
-    handler.findUser(username, password).flatMap { userOption =>
-      val user = userOption.getOrElse(throw new InvalidGrant("username or password is incorrect"))
-      val scope = request.scope
-      val clientId = maybeClientCredential.map { _.clientId }
-      val authInfo = AuthInfo(user, clientId, scope, None)
+    handler.findUser(passwordRequest).flatMap { maybeUser =>
+      val user = maybeUser.getOrElse(throw new InvalidGrant("username or password is incorrect"))
+      val scope = passwordRequest.scope
+      val maybeClientId = passwordRequest.clientCredential.map(_.clientId)
+      val authInfo = AuthInfo(user, maybeClientId, scope, None)
 
       issueAccessToken(handler, authInfo)
     }
@@ -82,11 +81,12 @@ class Password extends GrantHandler {
 
 class ClientCredentials extends GrantHandler {
 
-  override def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
-    val clientCredential = maybeClientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
-    val scope = request.scope
+  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
+    val clientCredentialsRequest = new ClientCredentialsRequest(request)
+    val clientCredential = clientCredentialsRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
+    val scope = clientCredentialsRequest.scope
 
-    handler.findClientUser(clientCredential, scope).flatMap { optionalUser =>
+    handler.findUser(clientCredentialsRequest).flatMap { optionalUser =>
       val user = optionalUser.getOrElse(throw new InvalidGrant("client_id or client_secret or scope is incorrect"))
       val authInfo = AuthInfo(user, Some(clientCredential.clientId), scope, None)
 
@@ -98,11 +98,12 @@ class ClientCredentials extends GrantHandler {
 
 class AuthorizationCode extends GrantHandler {
 
-  override def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
-    val clientCredential = maybeClientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
+  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
+    val authorizationCodeRequest = new AuthorizationCodeRequest(request)
+    val clientCredential = authorizationCodeRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
     val clientId = clientCredential.clientId
-    val code = request.requireCode
-    val redirectUri = request.redirectUri
+    val code = authorizationCodeRequest.code
+    val redirectUri = authorizationCodeRequest.redirectUri
 
     handler.findAuthInfoByCode(code).flatMap { optionalAuthInfo =>
       val authInfo = optionalAuthInfo.getOrElse(throw new InvalidGrant("Authorized information is not found by the code"))
@@ -124,13 +125,14 @@ class AuthorizationCode extends GrantHandler {
 
 class Implicit extends GrantHandler {
 
-  override def handleRequest[U](request: AuthorizationRequest, maybeClientCredential: Option[ClientCredential], handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
-    val clientId = request.clientId.getOrElse(throw new InvalidRequest("Client id is required"))
+  override def handleRequest[U](request: AuthorizationRequest, handler: AuthorizationHandler[U]): Future[GrantHandlerResult] = {
+    val implicitRequest = new ImplicitRequest(request)
+    val clientCredential = implicitRequest.clientCredential.getOrElse(throw new InvalidRequest("Client credential is required"))
 
-    handler.findUser(request).flatMap { userOption =>
-      val user = userOption.getOrElse(throw new InvalidGrant("user cannot be authenticated"))
-      val scope = request.scope
-      val authInfo = AuthInfo(user, Some(clientId), scope, None)
+    handler.findUser(implicitRequest).flatMap { maybeUser =>
+      val user = maybeUser.getOrElse(throw new InvalidGrant("user cannot be authenticated"))
+      val scope = implicitRequest.scope
+      val authInfo = AuthInfo(user, Some(clientCredential.clientId), scope, None)
 
       issueAccessToken(handler, authInfo)
     }