[openstreetmap/openstreetmap-website] OAuth2 support? (#1408)

mmd notifications at github.com
Mon Oct 12 21:08:16 UTC 2020


For the sake of documenting my doorkeeper mini-proof of concept, I'm listing a few points that I thought might be worthwhile checking.

Gemfile:

```
+ gem "doorkeeper"
```
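Review bot: `gem "doorkeeper"` is added without a version constraint; pin at least the major version so that an unreviewed major upgrade of the authorization-server gem cannot arrive through a routine `bundle update`, since its defaults (token expiry, PKCE enforcement, grant flows) are exactly what this PoC relies on.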

Beyond the default doorkeeper installation, I also installed:

- https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-views
- https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-PKCE-flow
- https://github.com/doorkeeper-gem/doorkeeper/wiki/Associate-users-to-OAuth-applications-(ownership)

Respective generate commands:

- rails generate doorkeeper:views
- rails generate doorkeeper:pkce
- rails generate doorkeeper:application_owner

Some migrations need an additional `safety_assured` to pass.


app/controllers/api/users_controller.rb:

Enable OAuth token check with "read" scope for details endpoint:

```diff
   class UsersController < ApiController
     before_action :disable_terms_redirect, :only => [:details]
+
+    before_action -> { authorize_if_got_token! :read }, :only => [:details]
+
     before_action :authorize, :only => [:details, :gpx_files]
```
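Review bot: the new `authorize_if_got_token! :read` filter only halts when a bearer token is present and unacceptable; when a token is valid the existing `:authorize` filter still runs for `:details`, so that filter must treat the token-resolved `current_user` as already authenticated, otherwise a request with a perfectly valid OAuth2 token is still challenged for Basic/OAuth1 credentials. Note also the asymmetry in the two `only:` lists: `:authorize` covers `:gpx_files` as well, but no scope check is added for it, so either give `:gpx_files` its own token path and scope or state explicitly that it stays non-token for now.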

app/controllers/api_controller.rb:

Some ideas taken from https://github.com/tootsuite/mastodon/blob/master/app/controllers/api/base_controller.rb#L114. It's not clear if this is a reasonable approach. Additional methods are only relevant for API endpoints.

```
+  # Find the user that owns the access token
+  def current_user
+    if doorkeeper_token
+      User.find(doorkeeper_token.resource_owner_id)
+    else
+      super
+    end
+  end
+
+  def current_resource_owner
+    @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
+  end
+   
+  def authorize_if_got_token!(*scopes)
+    doorkeeper_authorize!(*scopes) if doorkeeper_token
+  end  
 end
```
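Review bot: `current_user` trusts `doorkeeper_token` without checking that the token is still usable. `doorkeeper_token` returns the stored row even when it is expired or revoked (it is `doorkeeper_authorize!` that rejects those), so any action that reads `current_user` without first passing through `authorize_if_got_token!` acts on behalf of a user whose token is no longer valid; guard the lookup with `doorkeeper_token.accessible?` (Doorkeeper's `!expired? && !revoked?`). Two smaller points in the same block: `User.find` raises `ActiveRecord::RecordNotFound` when `resource_owner_id` is nil (a client-credentials token has no user) or the user row is gone, which surfaces as a 404 or 500 instead of a 401, so rescue it and return nil; and `current_user` repeats the `User.find` on every call instead of reusing the memoised `current_resource_owner`, so the override could simply be `current_resource_owner || super`. The trailing whitespace on the blank line and after `end` will also trip the style check.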

app/models/user.rb:

(changes were described on some of the doorkeeper wiki pages mentioned earlier on)

```
   has_many :reports
+  
+  has_many  :access_grants, class_name:  "Doorkeeper::AccessGrant",
+                            foreign_key: :resource_owner_id,
+                            dependent:   :delete_all
+
+  has_many  :access_tokens, class_name:  "Doorkeeper::AccessToken",
+                            foreign_key: :resource_owner_id,
+                            dependent:   :delete_all  
+
+  has_many :oauth_applications, class_name: 'Doorkeeper::Application', as: :owner
```
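Review bot: `oauth_applications` carries no `dependent:` option while the two token associations use `delete_all`, so deleting a user removes their grants and tokens but leaves the applications they registered pointing at a missing owner, and tokens those applications issued to other users survive untouched. Decide whether a departing user's applications are destroyed, transferred or left ownerless and encode that here rather than leaving it implicit. Minor: `'Doorkeeper::Application'` is single-quoted while the two class names above are double-quoted; match the double-quoted style.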

config/routes.rb:

Use /oauth2/... to avoid interference with current oauth/ endpoints

```
 OpenStreetMap::Application.routes.draw do
+  use_doorkeeper :scope => 'oauth2'
+
   # API
```
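Review bot: `use_doorkeeper :scope => 'oauth2'` mounts the full Doorkeeper route set, including the application-registration UI under `/oauth2/applications` (gated by `admin_authenticator`) and the per-user `/oauth2/authorized_applications` pages (gated by `resource_owner_authenticator`), so the two custom authenticators listed at the end are prerequisites for these routes, not optional polish; if the admin UI is not wanted, pass a block with `skip_controllers :applications` to drop it. Also check helper names, not just paths: the `:scope` option changes the URL prefix, but the generated route helpers keep Doorkeeper's default `oauth_` prefix unless `:as` is given too, which may collide with helpers for the existing `oauth/` endpoints.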

doorkeeper.rb needs at least a custom implementation for:

* resource_owner_authenticator
* admin_authenticator

Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1408#issuecomment-707346587
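The following is an added example, not code from this PoC, from openstreetmap-website or from Doorkeeper. It models in plain Ruby the bearer-token gate that the `authorize_if_got_token!` / `current_user` overrides in the comment above depend on, so that the edge cases (expired or revoked token, insufficient scope, client-credentials token with no resource owner, owner row deleted, no token at all) can be exercised without Rails. `AccessToken#accessible?` reproduces Doorkeeper's `!expired? && !revoked?`, and the 401/403 split follows Doorkeeper's invalid-token versus forbidden-scope responses; `TokenStore`-style constants, `ApiGate` and `Decision` are illustrative names, not Doorkeeper API, and the tokens and users are constructed in-memory data.

```ruby
# Added example: a stand-alone model of Doorkeeper's bearer-token gate.
# Nothing here is Doorkeeper's own code; the predicates mirror its semantics
# so the edge cases of the PoC's current_user override can be run offline.
require "time"

AccessToken = Struct.new(:token, :resource_owner_id, :scopes, :expires_at, :revoked_at,
                         keyword_init: true) do
  def expired?
    !expires_at.nil? && Time.now >= expires_at
  end

  def revoked?
    !revoked_at.nil?
  end

  # Same predicate Doorkeeper applies before honouring a token.
  def accessible?
    !expired? && !revoked?
  end

  # Every required scope must be present on the token.
  def includes_scope?(*required)
    required.all? { |s| scopes.include?(s.to_s) }
  end
end

User = Struct.new(:id, :display_name, keyword_init: true)

# Constructed in-memory data standing in for the users and oauth_access_tokens tables.
USERS = { 1 => User.new(id: 1, display_name: "alice") }.freeze

TOKENS = [
  AccessToken.new(token: "good",    resource_owner_id: 1,   scopes: %w[read write], expires_at: Time.now + 3600, revoked_at: nil),
  AccessToken.new(token: "narrow",  resource_owner_id: 1,   scopes: %w[write],      expires_at: Time.now + 3600, revoked_at: nil),
  AccessToken.new(token: "expired", resource_owner_id: 1,   scopes: %w[read],       expires_at: Time.now - 1,    revoked_at: nil),
  AccessToken.new(token: "revoked", resource_owner_id: 1,   scopes: %w[read],       expires_at: Time.now + 3600, revoked_at: Time.now - 60),
  AccessToken.new(token: "client",  resource_owner_id: nil, scopes: %w[read],       expires_at: Time.now + 3600, revoked_at: nil), # client-credentials token: no user behind it
  AccessToken.new(token: "orphan",  resource_owner_id: 99,  scopes: %w[read],       expires_at: Time.now + 3600, revoked_at: nil), # owner row has been deleted
].to_h { |t| [t.token, t] }.freeze

# Outcome of gating one request: :ok with a user, an HTTP status to render,
# or :no_token meaning "fall through to the application's other authentication".
Decision = Struct.new(:status, :user, :reason, keyword_init: true)

module ApiGate
  BEARER = /\ABearer\s+(\S+)\z/i

  # Mirrors doorkeeper_token: extracts the bearer value and looks the row up.
  # Like Doorkeeper, this returns expired and revoked rows too; validity is
  # checked by the caller, never assumed from the row's existence.
  def self.doorkeeper_token(headers)
    m = BEARER.match(headers["Authorization"].to_s)
    m && TOKENS[m[1]]
  end

  # Mirrors doorkeeper_authorize!(*scopes) followed by resolving current_user.
  def self.authorize(headers, *scopes)
    token = doorkeeper_token(headers)
    return Decision.new(status: :no_token, user: nil, reason: "no bearer token; use other auth") if token.nil?
    return Decision.new(status: 401, user: nil, reason: "token expired or revoked") unless token.accessible?
    return Decision.new(status: 403, user: nil, reason: "missing scope #{scopes.inspect}") unless token.includes_scope?(*scopes)

    # A token need not belong to a user, and the owner row may be gone; neither
    # case should escape as RecordNotFound from current_user.
    user = token.resource_owner_id && USERS[token.resource_owner_id]
    return Decision.new(status: 401, user: nil, reason: "token has no usable resource owner") if user.nil?

    Decision.new(status: :ok, user: user, reason: "authorized as #{user.display_name}")
  end
end

if $PROGRAM_NAME == __FILE__
  %w[good narrow expired revoked client orphan].each do |t|
    d = ApiGate.authorize({ "Authorization" => "Bearer #{t}" }, :read)
    puts format("%-8s -> %-9s %s", t, d.status, d.reason)
  end
  puts format("%-8s -> %-9s %s", "(none)", ApiGate.authorize({}, :read).status, "fall through to other auth")
end
```

Run it as a script to see each constructed token classified. The point for the PoC is the ordering inside `authorize`: presence of a token row is never sufficient, accessibility and scope are checked before the owner is resolved, and a token with no usable owner is rejected rather than raising.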