Adding initial version of the OAuth token authentication method. This adds basic OAuth support for registering apps, getting and revoking keys, etc... The tokens come with 6 separate permissions bits; read/write user preferences, write diaries, write API and read/write GPS traces. Needs more tests.

app/models/access_token.rb

@@ -0,0 +1,10 @@
+class AccessToken<OauthToken
+  validates_presence_of :user
+  before_create :set_authorized_at
+  
+protected 
+  
+  def set_authorized_at
+    self.authorized_at = Time.now
+  end
+end

app/models/client_application.rb

@@ -0,0 +1,69 @@
+require 'oauth'
+class ClientApplication < ActiveRecord::Base
+  belongs_to :user
+  has_many :tokens, :class_name => "OauthToken"
+  validates_presence_of :name, :url, :key, :secret
+  validates_uniqueness_of :key
+  before_validation_on_create :generate_keys
+  
+  def self.find_token(token_key)
+    token = OauthToken.find_by_token(token_key, :include => :client_application)
+    if token && token.authorized?
+      logger.info "Loaded #{token.token} which was authorized by (user_id=#{token.user_id}) on the #{token.authorized_at}"
+      token
+    else
+      nil
+    end
+  end
+  
+  def self.verify_request(request, options = {}, &block)
+    begin
+      signature = OAuth::Signature.build(request, options, &block)
+      logger.info "Signature Base String: #{signature.signature_base_string}"
+      logger.info "Consumer: #{signature.send :consumer_key}"
+      logger.info "Token: #{signature.send :token}"
+      return false unless OauthNonce.remember(signature.request.nonce, signature.request.timestamp)
+      value = signature.verify
+      logger.info "Signature verification returned: #{value.to_s}"
+      value
+    rescue OAuth::Signature::UnknownSignatureMethod => e
+      logger.info "ERROR"+e.to_s
+      false
+    end
+  end
+  
+  def self.all_permissions
+    PERMISSIONS
+  end
+
+  def oauth_server
+    @oauth_server ||= OAuth::Server.new("http://" + SERVER_URL)
+  end
+  
+  def credentials
+    @oauth_client ||= OAuth::Consumer.new(key, secret)
+  end
+    
+  def create_request_token
+    RequestToken.create :client_application => self
+  end
+
+  # the permissions that this client would like from the user
+  def permissions
+    ClientApplication.all_permissions.select { |p| self[p] }
+  end
+
+protected
+  
+  # this is the set of permissions that the client can ask for. clients
+  # have to say up-front what permissions they want and when users sign up they
+  # can agree or not agree to each of them.
+  PERMISSIONS = [:allow_read_prefs, :allow_write_prefs, :allow_write_diary,
+                 :allow_write_api, :allow_read_gpx, :allow_write_gpx ]
+
+  def generate_keys
+    @oauth_client = oauth_server.generate_consumer_credentials
+    self.key = @oauth_client.key
+    self.secret = @oauth_client.secret
+  end
+end

app/models/oauth_nonce.rb

@@ -0,0 +1,13 @@
+# Simple store of nonces. The OAuth Spec requires that any given pair of nonce and timestamps are unique.
+# Thus you can use the same nonce with a different timestamp and viceversa.
+class OauthNonce < ActiveRecord::Base
+  validates_presence_of :nonce, :timestamp
+  validates_uniqueness_of :nonce, :scope => :timestamp
+  
+  # Remembers a nonce and it's associated timestamp. It returns false if it has already been used
+  def self.remember(nonce, timestamp)
+    oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
+    return false if oauth_nonce.new_record?
+    oauth_nonce
+  end
+end

app/models/oauth_token.rb

@@ -0,0 +1,31 @@
+class OauthToken < ActiveRecord::Base
+  belongs_to :client_application
+  belongs_to :user
+  validates_uniqueness_of :token
+  validates_presence_of :client_application, :token, :secret
+  before_validation_on_create :generate_keys
+  
+  def invalidated?
+    invalidated_at != nil
+  end
+  
+  def invalidate!
+    update_attribute(:invalidated_at, Time.now)
+  end
+  
+  def authorized?
+    authorized_at != nil && !invalidated?
+  end
+  
+  def to_query
+    "oauth_token=#{token}&oauth_token_secret=#{secret}"
+  end
+    
+protected
+  
+  def generate_keys
+    @oauth_token = client_application.oauth_server.generate_credentials
+    self.token = @oauth_token[0]
+    self.secret = @oauth_token[1]
+  end
+end

app/models/request_token.rb

@@ -0,0 +1,25 @@
+class RequestToken < OauthToken
+  def authorize!(user)
+    return false if authorized?
+    self.user = user
+    self.authorized_at = Time.now
+    self.save
+  end
+  
+  def exchange!
+    return false unless authorized?
+    RequestToken.transaction do
+      logger.info("£££ In exchange!")
+      params = { :user => user, :client_application => client_application }
+      # copy the permissions from the authorised request token to the access token
+      client_application.permissions.each { |p| 
+        logger.info("£££ copying permission #{p} = #{read_attribute(p).inspect}")
+        params[p] = read_attribute(p)
+      }
+
+      access_token = AccessToken.create(params)
+      invalidate!
+      access_token
+    end
+  end
+end

app/models/user.rb

@@ -11,6 +11,9 @@ class User < ActiveRecord::Base
   has_many :preferences, :class_name => "UserPreference"
   has_many :changesets
 
+  has_many :client_applications
+  has_many :oauth_tokens, :class_name => "OauthToken", :order => "authorized_at desc", :include => [:client_application]
+
   validates_presence_of :email, :display_name
   validates_confirmation_of :email#, :message => ' addresses must match'
   validates_confirmation_of :pass_crypt#, :message => ' must match the confirmation password'