Commit 73c3de1

mo <mo.khan@gmail.com>
2018-09-05 15:01:27
include the state parameter.
1 parent bfb3c89
Changed files (4)
app/controllers/oauth_controller.rb
@@ -8,6 +8,6 @@ class OauthController < ApplicationController
   def create
     client = Client.find_by!(uuid: params[:client_id])
     authorization = client.authorizations.create!(user: current_user)
-    redirect_to client.redirect_uri_path(code: authorization.code)
+    redirect_to client.redirect_uri_path(code: authorization.code, state: params[:state])
   end
 end
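Review bot: On the new `redirect_to` line, `params[:state]` is forwarded without being constrained to a scalar, so a request carrying `state[]=x` or `state[a]=b` hands an Array or Parameters object to `Client#redirect_uri_path`, which interpolates it as `["x"]` instead of rejecting it. Since the server only echoes the client's opaque value, read it as a string or not at all: `state = params[:state]` and `state = nil unless state.is_a?(String)`, then pass `state:` through. `create` is fully visible in this hunk, so the guard fits directly above the `redirect_to`; whether a non-string state should instead be a 400 is a policy question I cannot settle from here.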
app/models/client.rb
@@ -13,7 +13,9 @@ class Client < ApplicationRecord
     uuid
   end
 
-  def redirect_uri_path(code:)
-    redirect_uri + '?code=' + code
+  def redirect_uri_path(code:, state: nil)
+    result = redirect_uri + '?code=' + code
+    result += "&state=#{state}" if state.present?
+    result
   end
 end
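Review bot: The added `"&state=#{state}"` on the `result +=` line splices the client-supplied state into the query string without URL-encoding, so a state containing `&`, `#`, `+` or `%` is mangled on the way back or becomes extra query parameters, and the client cannot recover the exact value it sent, which is what the authorization-code flow relies on. Encode the component: `result += "&state=#{CGI.escape(state)}" if state.present?`. The pre-existing `'?code=' + code` has the same shape; `code` looks server-generated and is less exposed, but building the query with `URI.encode_www_form(code: code, state: state)` would cover both and drop the hand-written separators. Both forms also assume `redirect_uri` carries no query string of its own, which is worth confirming against how it is validated at client registration.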
app/views/oauth/show.html.erb
@@ -6,6 +6,7 @@
 
       <%= form_for :authorization, url: oauth_index_path, method: :post do |form| %>
         <%= hidden_field_tag :client_id, @client.to_param %>
+        <%= hidden_field_tag :state, params[:state] %>
         <%= form.button t('.authorize'), type: 'submit', class: 'btn btn-primary', data: { disable_with: t('.loading') } %>
       <% end %>
     </div>
spec/requests/oauth_spec.rb
@@ -7,21 +7,26 @@ RSpec.describe '/oauth' do
     before { http_login(current_user) }
 
     describe "GET /oauth/:client_id" do
+      let(:state) { SecureRandom.uuid  }
+
       context "when the client id is known" do
         let(:client) { create(:client) }
-        before { get "/oauth/#{client.to_param}" }
+        before { get "/oauth/#{client.to_param}", params: { client_id: client.to_param, response_type: 'code', state: state } }
 
         specify { expect(response).to have_http_status(:ok) }
         specify { expect(response.body).to include(client.name) }
+        specify { expect(response.body).to include(state) }
       end
     end
 
     describe "POST /oauth" do
       context "when the client id is known" do
         let(:client) { create(:client) }
-        before { post "/oauth", params: { client_id: client.to_param } }
+        let(:state) { SecureRandom.uuid }
+
+        before { post "/oauth", params: { client_id: client.to_param, state: state } }
 
-        specify { expect(response).to redirect_to(client.redirect_uri_path(code: Authorization.last.code)) }
+        specify { expect(response).to redirect_to(client.redirect_uri_path(code: Authorization.last.code, state: state)) }
       end
     end
   end
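Review bot: The POST expectation on the new `redirect_to(client.redirect_uri_path(code: ..., state: state))` line compares the controller against the same model method that builds the URL, so an encoding defect in `Client#redirect_uri_path` is invisible to it, and the only state value exercised anywhere in the spec is a UUID, which contains no characters that a query string treats specially. A sibling context with a state holding reserved characters and an assertion on the literal `response.location` would pin the round-trip; it fails against the model code as written in this commit, which is the point. The enclosing `describe '/oauth'` block ends outside the hunk.

```ruby
# … unchanged: existing "when the client id is known" examples …
context "when the state contains query-reserved characters" do
  let(:client) { create(:client) }
  let(:state) { "a&b=c#d" }

  before { post "/oauth", params: { client_id: client.to_param, state: state } }

  specify { expect(response.location).to include("state=#{CGI.escape(state)}") }
end
```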