Add support for token refresh to the OAuth plugin

[nyergler]

The OAuth plugin currently does not support token refresh, as described in the OAuth specification. This is needed to allow Android clients (among others) to refresh their tokens as they expire. It appears there was some planning for this, as a refresh_token field exists in the OAuthToken model, but it is currently unpopulated.

This work may overlap with work on #517.

[joar]

I've pushed a fix for this in the oauth/refresh_tokens branch at git@github.com:joar/mediagoblin.git

mediagoblin/plugins/oauth/__init__.py

@@ -34 +34 @@
     _log.debug('OAuth config: {0}'.format(config))
 
     routes = [
-       ('mediagoblin.plugins.oauth.authorize',
+        ('mediagoblin.plugins.oauth.authorize',
             '/oauth/authorize',
             'mediagoblin.plugins.oauth.views:authorize'),
         ('mediagoblin.plugins.oauth.authorize_client',

mediagoblin/plugins/oauth/migrations.py

@@ -102 +102 @@
     client_id = Column(Integer, ForeignKey(OAuthClient_v0.id), nullable=False)
 
 
+class OAuthRefreshToken_v0(declarative_base()):
+    __tablename__ = 'oauth__refresh_tokens'
+
+    id = Column(Integer, primary_key=True)
+    created = Column(DateTime, nullable=False,
+                     default=datetime.now)
+
+    token = Column(Unicode, index=True)
+
+    user_id = Column(Integer, ForeignKey(User.id), nullable=False,
+            index=True)
+
+    # XXX: Is it OK to use OAuthClient_v0.id in this way?
+    client_id = Column(Integer, ForeignKey(OAuthClient_v0.id), nullable=False)
+
+
 @RegisterMigration(1, MIGRATIONS)
 def remove_and_replace_token_and_code(db):
     metadata = MetaData(bind=db.bind)
@@ -122 +138 @@
     OAuthCode_v0.__table__.create(db.bind)
 
     db.commit()
+
+
+@RegisterMigration(2, MIGRATIONS)
+def remove_refresh_token_field(db):
+    metadata = MetaData(bind=db.bind)
+
+    token_table = Table('oauth__tokens', metadata, autoload=True,
+                        autoload_with=db.bind)
+
+    refresh_token = token_table.columns['refresh_token']
+
+    refresh_token.drop()
+    db.commit()
+
+@RegisterMigration(3, MIGRATIONS)
+def create_refresh_token_table(db):
+    OAuthRefreshToken_v0.__table__.create(db.bind)
+
+    db.commit()

mediagoblin/plugins/oauth/models.py

@@ -19 +19 @@
 
 from datetime import datetime, timedelta
 
-from mediagoblin.db.base import Base
-from mediagoblin.db.models import User
 
 from sqlalchemy import (
         Column, Unicode, Integer, DateTime, ForeignKey, Enum)
 from sqlalchemy.orm import relationship
+from mediagoblin.db.base import Base
+from mediagoblin.db.models import User
+from mediagoblin.plugins.oauth.tools import generate_identifier, \
+    generate_secret, generate_token, generate_code, generate_refresh_token
 
 # Don't remove this, I *think* it applies sqlalchemy-migrate functionality onto
 # the models.
@@ -41 +43 @@
     name = Column(Unicode)
     description = Column(Unicode)
 
-    identifier = Column(Unicode, unique=True, index=True)
-    secret = Column(Unicode, index=True)
+    identifier = Column(Unicode, unique=True, index=True,
+                        default=generate_identifier)
+    secret = Column(Unicode, index=True, default=generate_secret)
 
     owner_id = Column(Integer, ForeignKey(User.id))
     owner = relationship(User, backref='registered_clients')
@@ -54 +57 @@
         u'public',
         name=u'oauth__client_type'))
 
-    def generate_identifier(self):
-        self.identifier = unicode(uuid.uuid4())
-
-    def generate_secret(self):
-        self.secret = unicode(
-                bcrypt.hashpw(
-                    unicode(uuid.uuid4()),
-                    bcrypt.gensalt()))
+    def update_secret(self):
+        self.secret = generate_secret()
 
     def __repr__(self):
         return '<{0} {1}:{2} ({3})>'.format(
@@ -76 +73 @@
     id = Column(Integer, primary_key=True)
 
     user_id = Column(Integer, ForeignKey(User.id))
-    user = relationship(User, backref='oauth_clients')
+    user = relationship(User, backref='oauth_client_relations')
 
     client_id = Column(Integer, ForeignKey(OAuthClient.id))
-    client = relationship(OAuthClient, backref='users')
+    client = relationship(OAuthClient, backref='oauth_user_relations')
 
     state = Column(Enum(
         u'approved',
@@ -103 +100 @@
             default=datetime.now)
     expires = Column(DateTime, nullable=False,
             default=lambda: datetime.now() + timedelta(days=30))
-    token = Column(Unicode, index=True)
-    refresh_token = Column(Unicode, index=True)
+    token = Column(Unicode, index=True, default=generate_token)
 
     user_id = Column(Integer, ForeignKey(User.id), nullable=False,
             index=True)
@@ -121 +117 @@
                 self.user,
                 self.client)
 
+class OAuthRefreshToken(Base):
+    __tablename__ = 'oauth__refresh_tokens'
+
+    id = Column(Integer, primary_key=True)
+    created = Column(DateTime, nullable=False,
+                     default=datetime.now)
+
+    token = Column(Unicode, index=True,
+                   default=generate_refresh_token)
+
+    user_id = Column(Integer, ForeignKey(User.id), nullable=False,
+            index=True)
+
+    user = relationship(User)
+
+    client_id = Column(Integer, ForeignKey(OAuthClient.id), nullable=False)
+    client = relationship(OAuthClient)
+
+    def __repr__(self):
+        return '<{0} #{1} [{3}, {4}]>'.format(
+                self.__class__.__name__,
+                self.id,
+                self.user,
+                self.client)
+
 
 class OAuthCode(Base):
     __tablename__ = 'oauth__codes'
@@ -130 +151 @@
             default=datetime.now)
     expires = Column(DateTime, nullable=False,
             default=lambda: datetime.now() + timedelta(minutes=5))
-    code = Column(Unicode, index=True)
+    code = Column(Unicode, index=True, default=generate_code)
 
     user_id = Column(Integer, ForeignKey(User.id), nullable=False,
             index=True)
@@ -150 +171 @@
 
 MODELS = [
         OAuthToken,
+        OAuthRefreshToken,
         OAuthCode,
         OAuthClient,
         OAuthUserClient]

mediagoblin/plugins/oauth/tools.py

@@ +1 @@
+# -*- coding: utf-8 -*-
 # GNU MediaGoblin -- federated, autonomous media hosting
 # Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
 #
@@ -14 +15 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import uuid
+import bcrypt
+
+from datetime import datetime
+
 from functools import wraps
 
-from mediagoblin.plugins.oauth.models import OAuthClient
 from mediagoblin.plugins.api.tools import json_response
 
 
 def require_client_auth(controller):
+    '''
+    View decorator
+
+    - Requires the presence of ``?client_id``
+    '''
+    # Avoid circular import
+    from mediagoblin.plugins.oauth.models import OAuthClient
+
     @wraps(controller)
     def wrapper(request, *args, **kw):
         if not request.GET.get('client_id'):
@@ -41 +54 @@
         return controller(request, client)
 
     return wrapper
+
+
+def create_token(client, user):
+    '''
+    Create an OAuthToken and an OAuthRefreshToken entry in the database
+
+    Returns the data structure expected by the OAuth clients.
+    '''
+    from mediagoblin.plugins.oauth.models import OAuthToken, OAuthRefreshToken
+
+    token = OAuthToken()
+    token.user = user
+    token.client = client
+    token.save()
+
+    refresh_token = OAuthRefreshToken()
+    refresh_token.user = user
+    refresh_token.client = client
+    refresh_token.save()
+
+    # expire time of token in full seconds
+    # timedelta.total_seconds is python >= 2.7 or we would use that
+    td = token.expires - datetime.now()
+    exp_in = 86400*td.days + td.seconds # just ignore µsec
+
+    return {'access_token': token.token, 'token_type': 'bearer',
+            'refresh_token': refresh_token.token, 'expires_in': exp_in}
+
+
+def generate_identifier():
+    ''' Generates a ``uuid.uuid4()`` '''
+    return unicode(uuid.uuid4())
+
+
+def generate_token():
+    ''' Uses generate_identifier '''
+    return generate_identifier()
+
+
+def generate_refresh_token():
+    ''' Uses generate_identifier '''
+    return generate_identifier()
+
+
+def generate_code():
+    ''' Uses generate_identifier '''
+    return generate_identifier()
+
+
+def generate_secret():
+    '''
+    Generate a long string of pseudo-random characters
+    '''
+    # XXX: We might not want it to use bcrypt, since bcrypt takes its time to
+    # generate the result.
+    return unicode(
+            bcrypt.hashpw(
+                unicode(uuid.uuid4()),
+                bcrypt.gensalt()))
+

mediagoblin/plugins/oauth/views.py

@@ -16 +16 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import logging
-import json
 
 from urllib import urlencode
-from uuid import uuid4
-from datetime import datetime
+
+from werkzeug.exceptions import BadRequest
 
 from mediagoblin.tools.response import render_to_response, redirect
 from mediagoblin.decorators import require_active_login
-from mediagoblin.messages import add_message, SUCCESS, ERROR
+from mediagoblin.messages import add_message, SUCCESS
 from mediagoblin.tools.translate import pass_to_ugettext as _
-from mediagoblin.plugins.oauth.models import OAuthCode, OAuthToken, \
-        OAuthClient, OAuthUserClient
+from mediagoblin.plugins.oauth.models import OAuthCode, OAuthClient, \
+        OAuthUserClient, OAuthRefreshToken
 from mediagoblin.plugins.oauth.forms import ClientRegistrationForm, \
         AuthorizationForm
-from mediagoblin.plugins.oauth.tools import require_client_auth
+from mediagoblin.plugins.oauth.tools import require_client_auth, \
+        create_token
 from mediagoblin.plugins.api.tools import json_response
 
 _log = logging.getLogger(__name__)
@@ -51 +51 @@
         client.owner_id = request.user.id
         client.redirect_uri = unicode(request.form['redirect_uri'])
 
-        client.generate_identifier()
-        client.generate_secret()
-
         client.save()
 
         add_message(request, SUCCESS, _('The client {0} has been registered!')\
@@ -92 +89 @@
         form.client_id.data).first()
 
     if not client:
-        _log.error('''No such client id as received from client authorization
-                form.''')
+        _log.error('No such client id as received from client authorization \
+form.')
         return BadRequest()
 
     if form.validate():
@@ -105 +102 @@
         elif form.deny.data:
             relation.state = u'rejected'
         else:
-            return BadRequest
+            return BadRequest()
 
         relation.save()
 
@@ -136 +133 @@
                 return json_response({
                     'status': 400,
                     'errors':
-                        [u'Public clients MUST have a redirect_uri pre-set']},
+                        [u'Public clients should have a redirect_uri pre-set.']},
                         _disable_cors=True)
 
             redirect_uri = client.redirect_uri
@@ -146 +143 @@
             if not redirect_uri:
                 return json_response({
                     'status': 400,
-                    'errors': [u'Can not find a redirect_uri for client: {0}'\
-                            .format(client.name)]}, _disable_cors=True)
+                    'errors': [u'No redirect_uri supplied!']},
+                    _disable_cors=True)
 
         code = OAuthCode()
-        code.code = unicode(uuid4())
         code.user = request.user
         code.client = client
         code.save()
@@ -180 +176 @@
 
 
 def access_token(request):
+    '''
+    Access token endpoint provides access tokens to any clients that have the
+    right grants/credentials
+    '''
+
+    client = None
+    user = None
+
     if request.GET.get('code'):
+        # Validate the code arg, then get the client object from the db.
         code = OAuthCode.query.filter(OAuthCode.code ==
                 request.GET.get('code')).first()
 
-        if code:
-            if code.client.type == u'confidential':
-                client_identifier = request.GET.get('client_id')
-
-                if not client_identifier:
-                    return json_response({
-                        'error': 'invalid_request',
-                        'error_description':
-                            'Missing client_id in request'})
-
-                client_secret = request.GET.get('client_secret')
-
-                if not client_secret:
-                    return json_response({
-                        'error': 'invalid_request',
-                        'error_description':
-                            'Missing client_secret in request'})
-
-                if not client_secret == code.client.secret or \
-                        not client_identifier == code.client.identifier:
-                    return json_response({
-                        'error': 'invalid_client',
-                        'error_description':
-                            'The client_id or client_secret does not match the'
-                            ' code'})
-
-            token = OAuthToken()
-            token.token = unicode(uuid4())
-            token.user = code.user
-            token.client = code.client
-            token.save()
-
-            # expire time of token in full seconds
-            # timedelta.total_seconds is python >= 2.7 or we would use that
-            td = token.expires - datetime.now()
-            exp_in = 86400*td.days + td.seconds # just ignore µsec
-
-            access_token_data = {
-                'access_token': token.token,
-                'token_type': 'bearer',
-                'expires_in': exp_in}
-            return json_response(access_token_data, _disable_cors=True)
-        else:
+        if not code:
             return json_response({
                 'error': 'invalid_request',
                 'error_description':
-                    'Invalid code'})
-    else:
-        return json_response({
-            'error': 'invalid_request',
-            'error_descriptin':
-                'Missing `code` parameter in request'})
+                    'Invalid code.'})
+
+        client = code.client
+        user = code.user
+
+    elif request.args.get('refresh_token'):
+        # Validate a refresh token, then get the client object from the db.
+        refresh_token = OAuthRefreshToken.query.filter(
+            OAuthRefreshToken.token ==
+            request.args.get('refresh_token')).first()
+
+        if not refresh_token:
+            return json_response({
+                'error': 'invalid_request',
+                'error_description':
+                    'Invalid refresh token.'})
+
+        client = refresh_token.client
+        user = refresh_token.user
+
+    if client:
+        client_identifier = request.GET.get('client_id')
+
+        if not client_identifier:
+            return json_response({
+                'error': 'invalid_request',
+                'error_description':
+                    'Missing client_id in request.'})
+
+        if not client_identifier == client.identifier:
+            return json_response({
+                'error': 'invalid_client',
+                'error_description':
+                    'Mismatching client credentials.'})
+
+        if client.type == u'confidential':
+            client_secret = request.GET.get('client_secret')
+
+            if not client_secret:
+                return json_response({
+                    'error': 'invalid_request',
+                    'error_description':
+                        'Missing client_secret in request.'})
+
+            if not client_secret == client.secret:
+                return json_response({
+                    'error': 'invalid_client',
+                    'error_description':
+                        'Mismatching client credentials.'})
+
+
+        access_token_data = create_token(client, user)
+
+        return json_response(access_token_data, _disable_cors=True)
+
+    return json_response({
+        'error': 'invalid_request',
+        'error_description':
+            'Missing `code` or `refresh_token` parameter in request.'})

mediagoblin/tests/test_oauth.py

@@ -16 +16 @@
 
 import json
 import logging
+import urllib
 
 from urlparse import parse_qs, urlparse
 
 from mediagoblin import mg_globals
 from mediagoblin.tools import template, pluginapi
-from mediagoblin.tests.tools import get_app, fixture_add_user
+from mediagoblin.tests.tools import get_app, fixture_add_user, expect_failure
 
 
 _log = logging.getLogger(__name__)
@@ -70 +71 @@
         assert response.status_int == 200
 
         # Should display an error
-        assert ctx['form'].redirect_uri.errors
+        assert len(ctx['form'].redirect_uri.errors)
 
         # Should not pass through
         assert not client
@@ -78 +79 @@
     def test_2_successful_public_client_registration(self):
         ''' Successfully register a public client '''
         self.login()
+        uri = 'http://foo.example'
         self.register_client(u'OMGOMG', 'public', 'OMG!',
-                'http://foo.example')
+                uri)
 
         client = self.db.OAuthClient.query.filter(
                 self.db.OAuthClient.name == u'OMGOMG').first()
 
+        # redirect_uri should be set
+        assert client.redirect_uri == uri
+
         # Client should have been registered
         assert client
 
@@ -111 +116 @@
         redirect_uri = 'https://foo.example'
         response = self.app.get('/oauth/authorize', {
                 'client_id': client.identifier,
-                'scope': 'admin',
+                'scope': 'all',
                 'redirect_uri': redirect_uri})
 
         # User-agent should NOT be redirected
@@ -137 +142 @@
         return authorization_response, client_identifier
 
     def get_code_from_redirect_uri(self, uri):
+        ''' Get the value of ?code= from an URI '''
         return parse_qs(urlparse(uri).query)['code'][0]
 
     def test_token_endpoint_successful_confidential_request(self):
@@ -162 +168 @@
         assert type(token_data['expires_in']) == int
         assert token_data['expires_in'] > 0
 
+        # There should be a refresh token provided in the token data
+        assert len(token_data['refresh_token'])
+
+        return client_id, token_data
+
     def test_token_endpont_missing_id_confidential_request(self):
         ''' Unsuccessful request against token endpoint, missing client_id '''
         code_redirect, client_id = self.test_4_authorize_confidential_client()
@@ -181 +192 @@
         assert 'error' in token_data
         assert not 'access_token' in token_data
         assert token_data['error'] == 'invalid_request'
-        assert token_data['error_description'] == 'Missing client_id in request'
+        assert len(token_data['error_description'])
+
+    def test_refresh_token(self):
+        ''' Try to get a new access token using the refresh token '''
+        # Get an access token and a refresh token
+        client_id, token_data =\
+            self.test_token_endpoint_successful_confidential_request()
+
+        client = self.db.OAuthClient.query.filter(
+            self.db.OAuthClient.identifier == client_id).first()
+
+        token_res = self.app.get('/oauth/access_token',
+                     {'refresh_token': token_data['refresh_token'],
+                      'client_id': client_id,
+                      'client_secret': client.secret
+                      })
+
+        assert token_res.status_int == 200
+
+        new_token_data = json.loads(token_res.body)
+
+        assert not 'error' in new_token_data
+        assert 'access_token' in new_token_data
+        assert 'token_type' in new_token_data
+        assert 'expires_in' in new_token_data
+        assert type(new_token_data['expires_in']) == int
+        assert new_token_data['expires_in'] > 0

mediagoblin/tests/tools.py

@@ -19 +19 @@
 import pkg_resources
 import shutil
 
+import nose
+
 from functools import wraps
 
 from paste.deploy import loadapp
@@ -235 +237 @@
     entry.slug = slug
     entry.uploader = uploader or fixture_add_user().id
     entry.media_type = u'image'
-    
+
     if gen_slug:
         entry.generate_slug()
     if save:
@@ -263 +265 @@
     Session.expunge(coll)
 
     return coll
+
+
+def expect_failure(test):
+    @wraps(test)
+    def wrapper(*args, **kwargs):
+        try:
+            test(*args, **kwargs)
+        except Exception:
+            raise nose.SkipTest
+        else:
+            raise AssertionError(
+                'Test is expected to fail, did you add a feature?')
+    return wrapper

[Christopher Allan Webber]

Yeowch, that's a huge diff and is kind of making this bug report long! I wonder if we should be careful about that...

anyway, adding nyergler as CC'ed. I don't think I'm well qualified to review this. Maybe Nathan is?

If it comes close to 0.4.0 and nobody else has time to review I can do a rough review and we can just merge it but I'm not really well qualified at all.

[nyergler]

I read ​https://github.com/joar/mediagoblin/compare/master...oauth;refresh_tokens carefully and believe this is merge-able. I haven't tried executing it, but have don't see anything glaring. The relational model for our OAuth plugin is a little weird (foreign keys to both client and user, when I believe a client is specific to a user already), but this patch is consistent with the existing code.

I say merge it!

[nyergler]

Merged in ​https://gitorious.org/mediagoblin/mediagoblin/commit/64598a79a9648416e9cc49349e57190792cc59f2.