chitsaou https://ruby-china.org/chitsaou 一鸭七吃 en-us 求救: ElasticSearch 对 String field 的自订排序顺序 <p>有个功能不知道怎么用 ElasticSearch 实现。</p> <p>简单描述是这样:</p> <ul> <li>有一个 Post model,里面有 "state" 这个 field,用状态机表示,有 published, draft, taken_down 等狀态。</li> <li>使用了 ElasticSearch 建索引。(利用了 elasticsearch-model 这个 gem)</li> <li>前端希望它可以照 state 排序,但排序的顺序是 draft -&gt; taken_down -&gt; published</li> </ul> <p>也就是说,希望可以对 ElasticSearch 下指令,让它依 state 排序,但顺序可以自订。</p> <p>翻了 ElasticSearch 的文档,有提到 sort by function score,但不明白具体怎么实作,Google 一些关键字也没有我看得懂的(汗</p> <p>所以想请教一下有没有人做过类似的功能,怎么实现的?</p> chitsaou Fri, 21 Mar 2014 17:07:18 +0800 https://ruby-china.org/topics/18073 https://ruby-china.org/topics/18073 「简单易懂的 OAuth 2.0」演讲 Slides <p>今天在 Ruby Tuesday Taipei 分享了「简单易懂的 OAuth 2.0」,前半段是我所知道的 OAuth 2 的世界,从零开始介绍整个通信协定,后半段简单讲解了我如何整合 Doorkeeper + Grape API。</p> <p>基本上看完了之后,你可以知道 OAuth 2 整个通讯协定怎么跑,以及如何造一个 OAuth 2 认证服务器。</p> <p><a href="https://speakerdeck.com/chitsaou/jian-dan-yi-dong-de-oauth-2-dot-0" rel="nofollow" target="_blank">https://speakerdeck.com/chitsaou/jian-dan-yi-dong-de-oauth-2-dot-0</a></p> <p>300 页慎入…我现在把他视为教材了</p> <p><img src="//l.ruby-china.com/photo/2013/0e784cc42628086eae3ec3e7d9ef3cd6.png" title="" alt=""></p> <p>p.s. 本来想要找一个跟通用 Web 开发有关的节点,但找不到,只好先放在 Ruby 了…</p> chitsaou Wed, 27 Nov 2013 00:04:20 +0800 https://ruby-china.org/topics/15825 https://ruby-china.org/topics/15825 OAuth 2.0 教程: Grape API 整合 Doorkeeper <p>最近我要实作使用 OAuth 2 认证的 API,我先是看了 Spec (RFC 6740、RFC 6750),然后研究了既有的 Rails solution,但因为 API 是用 Grape 盖的,又 Doorkeeper / Rack::OAuth2 / Grape 内建的 OAuth 2 认证全都无法直接拿来用,所以只好自己实现 API 认证这部份。</p> <p>我把实现的过程写成了教程: <a href="http://blog.yorkxin.org/posts/2013/10/10/oauth2-tutorial-grape-api-doorkeeper" rel="nofollow" target="_blank">http://blog.yorkxin.org/posts/2013/10/10/oauth2-tutorial-grape-api-doorkeeper</a></p> <p>简单来说是这样:</p> <ol> <li>用 Devise 造 User (Resource Owner) 系统</li> <li>用 Grape 造 API (Resource Server)</li> <li>用 Doorkeeper 造 OAuth 2 Provider (Authorization Server)</li> <li>自己用 Rack::OAuth2 接 Grape 来造出 API 上的 Guard</li> </ol> <p>其中第四项我搞最久,希望可以帮后来的同学省到时间 :)</p> <hr> <p>应要求全文转贴 :) 不过很抱歉是繁体的,原本想用 OpenCC 转换却不会用它的命令列工具…</p> <hr> <p>這篇文章示範如何使用 OAuth 2 保護 API,其中 API 是用 Grape 造出來的,掛在 Rails 底下。</p> <p>整個實作流程會造出這些東西:</p> <ul> <li> <strong>Resource Owner</strong> - 可以授權給第三方 App 的角色,也就是 User。</li> <li> <strong>Authorization Server</strong> - 用來處理與 OAuth 2 授權有關的事務,像是: <ul> <li> <strong>Clients</strong> - 需要有 Clients (Apps) 的 CRUD。</li> <li> <strong>Access Token</strong> (Model) - 需要有個 Model 來儲存 Access Token。</li> <li> <strong>Authorization Endpoint</strong> - 這裡來處理 Auth Code Grant 和 Implicit Grant。</li> <li> <strong>Token Endpoint</strong> - 這裡來真正核發 Token。</li> </ul> </li> <li> <strong>Resource Server</strong> - 給 App 存取的地方,也就是 API,一部份需要 Access Token 才能存取的叫做 Protected Resource。 <ul> <li> <strong>Resource Server 上面的 Guard</strong> - 用途是「保護某些 API,必須要帶 Access Token 才能存取」,俗稱保全。</li> </ul> </li> </ul> <p>本文使用這些套件來實作:</p> <ul> <li>Resource Owner (User) - <strong><a href="https://github.com/plataformatec/devise" rel="nofollow" target="_blank" title="">Devise</a></strong> </li> <li>Authorization Server (OAuth 2 Provider) - <strong><a href="https://github.com/applicake/doorkeeper" rel="nofollow" target="_blank" title="">Doorkeeper</a></strong> </li> <li>Resource Server (API) - <strong><a href="https://github.com/intridea/grape" rel="nofollow" target="_blank" title="">Grape</a></strong> </li> <li>Guard - 用 <strong><a href="https://github.com/nov/rack-oauth2" rel="nofollow" target="_blank" title="">Rack::OAuth2</a></strong> 來整合 Grape</li> </ul> <p>因為 Doorkeeper 的 <code>doorkeeper_for</code> 只能用在 Rails,而 Guard 只是一個 Rack Middleware,所以這裡要自己拼湊。詳情請見先前的文章 <a href="http://blog.yorkxin.org/posts/2013/10/08/oauth2-ruby-and-rails-integration-review" rel="nofollow" target="_blank" title="">〈Ruby / Rails 的 OAuth 2 整合方案簡單評比〉</a>。</p> <p>所有過程我都會放在 <a href="https://github.com/chitsaou/oauth2-api-sample" rel="nofollow" target="_blank" title="">chitsaou/oauth2-api-sample</a> 這個 repository,各 step 有對應的 step-x tag,例如 Step 1 完成的結果可以在 step-1 這個 tag 看到。</p> <hr> <h2 id="Step 1: 造 Resource Owner 邏輯 (User)">Step 1: 造 Resource Owner 邏輯 (User)</h2> <p>用 Devise 做。這個應該是 Rails Developer 的基本功,所以不解釋了,請見 <a href="https://github.com/chitsaou/oauth2-api-sample/tree/step-1" rel="nofollow" target="_blank" title="">step-1 tag</a>。</p> <p>可以試著打開 <code>/pages/secret</code> ,會要求登入。</p> <h2 id="Step 2: 造 Resource Server (API)">Step 2: 造 Resource Server (API)</h2> <p>用 Grape 是因為不想要讓 API 經過太多 Rails 的 stack。</p> <p>這個不難,而且不是本文的重點,所以直接看官方文件就好了。成品可以看 <a href="https://github.com/chitsaou/oauth2-api-sample/tree/step-2" rel="nofollow" target="_blank" title="">step-2 tag</a> 。</p> <h2 id="Step 3: 造 Authorization Server (Provider)">Step 3: 造 Authorization Server (Provider)</h2> <p>既然底是 Rails,那麼就直接上 Doorkeeper 就好了。可以看 <a href="https://github.com/chitsaou/oauth2-api-sample/tree/step-3" rel="nofollow" target="_blank" title="">step-3 tag</a> 。</p> <p><a href="http://railscasts.com/episodes/353-oauth-with-doorkeeper" rel="nofollow" target="_blank" title="">RailsCasts 有 tutorial</a> ,若有買 Pro 不妨去看看。不過其實照官方文件做也不難:</p> <p>安裝 Doorkeeper Gem</p> <pre class="highlight ruby"><code><span class="n">gem</span> <span class="s1">'doorkeeper'</span> </code></pre> <p>別忘了跑 <code>bundle install</code> 。</p> <p>然後跑這些來安裝:</p> <p>$ rails generate doorkeeper:install $ rails generate doorkeeper:migration $ rake db:migrate</p> <p>再照他文件說的去接 Devise 來認證 Resource Owner:</p> <pre class="highlight ruby"><code><span class="c1"># 認證 Resource Owner 的方法,直接接 Devise</span> <span class="n">resource_owner_authenticator</span> <span class="k">do</span> <span class="n">current_user</span> <span class="o">||</span> <span class="n">warden</span><span class="p">.</span><span class="nf">authenticate!</span><span class="p">(</span><span class="ss">:scope</span> <span class="o">=&gt;</span> <span class="ss">:user</span><span class="p">)</span> <span class="k">end</span> </code></pre> <p>這樣就好了。</p> <p>Doorkeeper 會建這些 model:</p> <ul> <li> <strong>OauthApplication</strong> - Clients 的註冊資料庫</li> <li> <strong>OauthAccessGrant</strong> - Auth Code 流程第一步產生的 Auth Grants 的資料庫</li> <li> <strong>OauthAccessToken</strong> - 真正核發出去的 Access Tokens,包含對應的 Refresh Token(預設關閉)</li> </ul> <p>Doorkeeper 開的 Routes 有這些:</p> <p>| Method (REST) | Path | 用途 | |---------------|------------------------------------|------------------------------------| | new | /oauth/authorize | Authorization Endpoint | | create | /oauth/authorize | User 許可 Authorization 時的 action | | destroy | /oauth/authorize | User 拒絕 Authorization 時的 action | | show | /oauth/authorize/:code | (應該是用來 Local 測試的) | | update | /oauth/authorize | (不明的 update grant) | | create | /oauth/token | Token Endpoint | | show | /oauth/token/info | Token Debug Endpoint | | resources | /oauth/applications | Clients 管理界面 | | index | /oauth/authorized_applications | Resource Owner 管理授權過的 Clients | | destroy | /oauth/authorized_applications/:id | Resource Owner 管理授權過的 Clients |</p> <p>其中 Authorization Endpoint 的 show 只會顯示 grant code,可能是 Local Testing 要用的;而 update 則是沒有任何 action 去接它,不確定是不是 dead feature。</p> <p>可以發現到:</p> <ul> <li>幫你蓋好了 Authorization Endpoint 和 Token Endpoint</li> <li>還附加 Token Debug Endpoint,在 Implicit Flow 可以驗證 Token 的真實性。</li> <li>還有附 Clients 管理界面</li> <li>還可以讓 User 管理授權過的 Clients</li> </ul> <p>所以一個 Authorization Server 該有的東西它都提供了。</p> <h3 id="Step 3.1: 開測試用的 Client">Step 3.1: 開測試用的 Client</h3> <p>蓋完 Authorization Server 之後,要去開一個 Client。可以打開 <code>/oauth/applications</code> ,其中 Client 的 redierct URI 填入 <code>http://localhost:12345/auth/demo/callback</code> ,實際上沒有跑 Web server 在 localhost:12345 也沒關係,最終目的是拿到 code 或 token。</p> <p><img src="//l.ruby-china.com/photo/410a127f0e3e7a24017a3545327edbce.png" title="" alt=""></p> <h3 id="Step 3.2: 拿取 Access Token">Step 3.2: 拿取 Access Token</h3> <p>現在可以來試著拿 Access Token 了,我們要用人腦模擬 Client,來跑 <a href="http://blog.yorkxin.org/posts/2013/09/30/oauth2-4-1-auth-code-grant-flow" rel="nofollow" target="_blank" title="">Authorization Code Grant 的流程</a>。</p> <p>步驟如下:</p> <p>首先打開剛剛生的 Client 的 show 頁面,會看到有 Application ID、Secret 等資訊的頁面。最下面有一個 Authorize 的連結,點下去會打開到這個網址(假設這個 Rails App 開在 localhost:9999,下同)(中間斷行比較好讀):</p> <p><a href="http://localhost:9999/oauth/authorize" rel="nofollow" target="_blank">http://localhost:9999/oauth/authorize</a> ?client_id=4a407c6a8d3c75e17a5560d0d0e4507c77b047940db6df882c86aaeac2c788d6 &amp;redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Fauth%2Fdemo%2Fcallback &amp;response_type=code</p> <p>就像之前在流程文裡介紹過的,它用 GET 去 Authorization Endpoint 求 Grant Code,附上自己的 Client ID 和 Redirection URI。</p> <p>接著會問你要 Authorize 還是 Deny,當然選 Authorize。</p> <p>接著會跑到一個瀏覽器打不開的網址,是先前設定的 Redirection URI,不過沒關係,我們已經得到 Grant Code 了(中間斷行比較好讀):</p> <p><a href="http://localhost:12345/auth/demo/callback" rel="nofollow" target="_blank">http://localhost:12345/auth/demo/callback</a> ?code=21e1c81db4e619a23d4ed46134884104225d4189baa005220bd9b358be8b591a ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Grant Code </p> <p>如果在 Step 3.1 照網頁上的指示填入 <code>urn:ietf:wg:oauth:2.0:oob</code> ,最後會出現 grant code 的 show 頁面,直接把 grant code 曬給你,這是 local 用來測試用的,類似 <a href="https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi" rel="nofollow" target="_blank" title="">Google OAuth 2.0 的流程</a>。</p> <p>到這裡,Client 就拿到 Grant Code 了,依照流程,接下來是 Client 要另外從後台偷偷去 Authorization Server 把這個 Grant Code 換成 Access Token。</p> <p>因為要填的資料太多了,我抓一下 <a href="http://www.getpostman.com/" rel="nofollow" target="_blank" title="">Postman</a> 的畫面,填完最後按下「Send」就會拿到 Access Token 了!</p> <p><img src="//l.ruby-china.com/photo/e2ebd08f77ae98c63c4e38c40618b37d.png" title="" alt=""></p> <h2 id="Step 4: 造 Resource Server 上的 Guard">Step 4: 造 Resource Server 上的 Guard</h2> <p>造 Guard 這件事比較難,就像我<a href="http://blog.yorkxin.org/posts/2013/10/08/oauth2-ruby-and-rails-integration-review" rel="nofollow" target="_blank" title="">前一篇文章</a>說過的,在 API 是 Grape 的情況下, <strong>沒有一個 Guard 是可以直接拿來用的</strong> ;即使你用 Rails 做 API 好了,<code>doorkeeper_for</code> 現在也還只是半成品。我目前的做法是把 Rack::OAuth2 的 Bearer Token middleware 接到 Grape 上面,邏輯參考了 <code>doorkeeper_for</code> 的實作方式。</p> <p>這裡會寫得比較仔細。可以看 <a href="https://github.com/chitsaou/oauth2-api-sample/tree/step-4" rel="nofollow" target="_blank" title="">step-4 tag</a> 。</p> <p>我寫成一個 module,用 <a href="http://api.rubyonrails.org/classes/ActiveSupport/Concern.html" rel="nofollow" target="_blank" title="">ActiveSupport::Concern</a> 去簡化 module 化的程式,放在 <code>api/concerns/api_guard.rb</code>。</p> <h3 id="Step 4.1: 安裝 Rack Middleware 來抓取 Access Token (String)">Step 4.1: 安裝 Rack Middleware 來抓取 Access Token (String)</h3> <p>Rack::OAuth2 這個 Rack Middleware 在安裝 (<code>use</code>) 的時候要傳一個 block,它會去 call,但 call 的條件是「Request 有帶 OAuth 2 Token」這樣才會 call,意思是說:</p> <ul> <li>如果 Request 有帶 <code>Authorization: Bearer XXX</code> 或 <code>?access_token=xxx</code> 才會 call</li> <li>如果 Request 不帶上述的參數,就不會 call,直接 <strong>pass 到下一個 middleware stack</strong> (!)</li> </ul> <p>而且這個 Middleware 在 call 之後其實會把 return value 直接存進 <code>request.env["某個 key"]</code> 裡面,意思就是說 <strong>「它只是給你 fetch access token 用的」</strong> ,不能拿來「確認 Access Token 有效並放行 API access」,這件事要在 API 層做。</p> <p>那麼就來安裝這個 Middleware 吧,但只拿來 fetch access token string:</p> <pre class="highlight ruby"><code><span class="n">included</span> <span class="k">do</span> <span class="c1"># OAuth2 Resource Server Authentication</span> <span class="n">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">OAuth2</span><span class="o">::</span><span class="no">Server</span><span class="o">::</span><span class="no">Resource</span><span class="o">::</span><span class="no">Bearer</span><span class="p">,</span> <span class="s1">'The API'</span> <span class="k">do</span> <span class="o">|</span><span class="n">request</span><span class="o">|</span> <span class="c1"># The authenticator only fetches the raw token string</span> <span class="c1"># Must yield access token to store it in the env</span> <span class="n">request</span><span class="p">.</span><span class="nf">access_token</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.2: 做一個 private method 來取出先前拿到的 Access Token (String)">Step 4.2: 做一個 private method 來取出先前拿到的 Access Token (String)</h3> <p>前文提到 Middleware 會把 Token 存在 <code>request.env</code> 裡面,具體就是 <code>request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]</code> ,所以就把它拿出來吧。</p> <pre class="highlight ruby"><code><span class="n">helpers</span> <span class="k">do</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">get_token_string</span> <span class="c1"># The token was stored after the authenticator was invoked.</span> <span class="c1"># It could be nil. The authenticator does not check its existence.</span> <span class="n">request</span><span class="p">.</span><span class="nf">env</span><span class="p">[</span><span class="no">Rack</span><span class="o">::</span><span class="no">OAuth2</span><span class="o">::</span><span class="no">Server</span><span class="o">::</span><span class="no">Resource</span><span class="o">::</span><span class="no">ACCESS_TOKEN</span><span class="p">]</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.3: 做一個 private method 來把 Token String 變成 Instance">Step 4.3: 做一個 private method 來把 Token String 變成 Instance</h3> <p>Token String 只是單純的字串,還需要去 Database 裡面撈才能換成 Instance。參考了 <code>doorkeeper_for</code> 的做法,我直接呼叫它的 <code>AccessToken.authenticate</code> ,撈不到會直接回 <code>nil</code>:</p> <pre class="highlight ruby"><code><span class="n">helpers</span> <span class="k">do</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">find_access_token</span><span class="p">(</span><span class="n">token_string</span><span class="p">)</span> <span class="no">Doorkeeper</span><span class="o">::</span><span class="no">AccessToken</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">token_string</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.4: 做一個 service 來驗證 Access Token 是否合法">Step 4.4: 做一個 service 來驗證 Access Token 是否合法</h3> <p>OAuth2::AccessTokenValidationService 我放在 app/service 裡面,其中會驗證是否過期 (expired) 、是否被撤銷 (revoked) ,這兩個都是 Doorkeeper::AccessToken 內建的 methods。但此外還要驗證所需的 scopes 是否包含在 Access Token 的 scopes 裡面。回傳的驗證結果會是 <code>VALID</code> 、 <code>EXPIRED</code> 、 <code>REVOKED</code> 、 <code>INSUFFICIENT_SCOPE</code> 四個常數的其中一個(定義在該 module 裡面)。</p> <p>在 Grape Endpoint 放一個 <code>validate_access_token</code> helper 來方便處理這件事,它會直接回傳結果,也就是上述四個之中的一個,caller 就可以根據驗證結果決定要怎麼回 response。</p> <pre class="highlight ruby"><code><span class="n">helpers</span> <span class="k">do</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">validate_access_token</span><span class="p">(</span><span class="n">access_token</span><span class="p">,</span> <span class="n">scopes</span><span class="p">)</span> <span class="no">OAuth2</span><span class="o">::</span><span class="no">AccessTokenValidationService</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="n">access_token</span><span class="p">,</span> <span class="ss">scopes: </span><span class="n">scopes</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> <p>在 Service 裡面要驗證 scopes,我的演算法其實很簡單,就是集合比較而已;有的網站會有「A scope 包含 B scope」的設計,如果要做成這樣的話,就不能用單純的集合比較了。純集合比較的演算法是這樣:</p> <ul> <li>如果沒有要求任何 scopes,那其實任何 Access Token 都符合,就回 true。</li> <li>如果有要求任何 scopes,那麼「授權過的 scopes」就得是「所需的 scopes」的宇集,剛好 Ruby 有內建 Set 這個資料結構,把兩個 Array 都轉成 Set 就能方便比較了。</li> </ul> <pre class="highlight ruby"><code><span class="kp">protected</span> <span class="k">def</span> <span class="nf">sufficent_scope?</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">scopes</span><span class="p">)</span> <span class="k">if</span> <span class="n">scopes</span><span class="p">.</span><span class="nf">blank?</span> <span class="c1"># if no any scopes required, the scopes of token is sufficient.</span> <span class="k">return</span> <span class="kp">true</span> <span class="k">else</span> <span class="c1"># If there are scopes required, then check whether</span> <span class="c1"># the set of authorized scopes is a superset of the set of required scopes</span> <span class="n">required_scopes</span> <span class="o">=</span> <span class="no">Set</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">scopes</span><span class="p">)</span> <span class="n">authorized_scopes</span> <span class="o">=</span> <span class="no">Set</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="nf">scopes</span><span class="p">)</span> <span class="k">return</span> <span class="n">authorized_scopes</span> <span class="o">&gt;=</span> <span class="n">required_scopes</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.5: 製作 Guard 來擋住沒有合法 Access Token 的 Requests">Step 4.5: 製作 Guard 來擋住沒有合法 Access Token 的 Requests</h3> <p>現在要真正寫 <code>guard!</code> method 來擋 API use 了。</p> <p>為了讓程式流程看起來更簡潔,根據不同的錯誤情況,定義了不同的 Exception,各 Exception 要怎麼處理,則可以交由 Grape 的 <code>rescue_from</code> 處理(我是這樣做的),或 Exception 裡面直接 raise Rack::OAuth2 內建的 exception。</p> <p>邏輯是這樣:</p> <ol> <li>先去抓出 Token String <ul> <li>如果沒給 Token,表示 Client 不知道要認證,丟 MissingTokenError</li> <li>照 spec 是要回 401 但是不給任何錯誤訊息</li> </ul> </li> <li>如果有給 Token 但是資料庫裡面找不到,丟 TokenNotFound <ul> <li>照 spec 是要回 401 加上 Invalid Token Error</li> </ul> </li> <li>如果找得到 Token 則進一步驗證是否可以用來存取該 API(根據有否過期、被撤銷,如果有要求 scope 的話則再檢查 scope) <ul> <li>若驗證結果是 VALID,則把 <code>@current_user</code> 指定給該 Access Token 綁定的 Resource Owner (User)</li> <li>若驗證結果不是 VALID,則丟出相對應的 Exceptions</li> <li>照 spec,如果是因為 scope 不足,則是回 403 加上 Insufficient Scope Error,其他情況則是要回 401 加上 Invalid Token Error</li> </ul> </li> </ol> <pre class="highlight ruby"><code><span class="n">helpers</span> <span class="k">do</span> <span class="k">def</span> <span class="nf">guard!</span><span class="p">(</span><span class="ss">scopes: </span><span class="p">[])</span> <span class="n">token_string</span> <span class="o">=</span> <span class="n">get_token_string</span><span class="p">()</span> <span class="k">if</span> <span class="n">token_string</span><span class="p">.</span><span class="nf">blank?</span> <span class="k">raise</span> <span class="no">MissingTokenError</span> <span class="k">elsif</span> <span class="p">(</span><span class="n">access_token</span> <span class="o">=</span> <span class="n">find_access_token</span><span class="p">(</span><span class="n">token_string</span><span class="p">)).</span><span class="nf">nil?</span> <span class="k">raise</span> <span class="no">TokenNotFoundError</span> <span class="k">else</span> <span class="k">case</span> <span class="n">validate_access_token</span><span class="p">(</span><span class="n">access_token</span><span class="p">,</span> <span class="n">scopes</span><span class="p">)</span> <span class="k">when</span> <span class="no">Oauth2</span><span class="o">::</span><span class="no">AccessTokenValidationService</span><span class="o">::</span><span class="no">INSUFFICIENT_SCOPE</span> <span class="k">raise</span> <span class="no">InsufficientScopeError</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">scopes</span><span class="p">)</span> <span class="k">when</span> <span class="no">Oauth2</span><span class="o">::</span><span class="no">AccessTokenValidationService</span><span class="o">::</span><span class="no">EXPIRED</span> <span class="k">raise</span> <span class="no">ExpiredError</span> <span class="k">when</span> <span class="no">Oauth2</span><span class="o">::</span><span class="no">AccessTokenValidationService</span><span class="o">::</span><span class="no">REVOKED</span> <span class="k">raise</span> <span class="no">RevokedError</span> <span class="k">when</span> <span class="no">Oauth2</span><span class="o">::</span><span class="no">AccessTokenValidationService</span><span class="o">::</span><span class="no">VALID</span> <span class="vi">@current_user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">access_token</span><span class="p">.</span><span class="nf">resource_owner_id</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.6: 把 Exception 轉送到 Rack::OAuth2 內建的錯誤回應方式">Step 4.6: 把 Exception 轉送到 Rack::OAuth2 內建的錯誤回應方式</h3> <p>我的做法是用 Grape 的 <code>rescue_from</code> 去接 exceptions,當然要直接 raise 也可以就是了。</p> <p>要注意的是:</p> <ul> <li>Bearer::ErrorMethods 有內建一組 <code>error_description</code> 的預設值,根據不同的 <code>error</code> code 去對應 <ul> <li>但只有在 Rack 的 authenticator 裡面使用相對應的 helper method (如 <code>insufficiet_scope!</code>) 才會填入</li> <li> <strong>直接 call 這個 middleware 則不會自動填入錯誤訊息</strong> </li> <li>所以必須手動填入</li> </ul> </li> <li>沒給 Token 要視為「Client 不知道要 Authenticate」 <ul> <li>所以 <code>error</code> code 不屬於 Spec 裡面定義的任何一個</li> <li> <code>error_description</code> 也不需要給。</li> <li>使用 Bearer::Unauthorized 回 401</li> </ul> </li> <li>Token 找不到、過期 (Expired) 、被撤銷 (Revoked) 的 <code>error</code> code 都是 <code>invalid_token</code> <ul> <li>其實可以用同一個 <code>error_description</code> </li> <li>我的寫法會把三種情況分別丟不同的 Exception,並填入不同的 <code>error_description</code> </li> <li>你實作的時候可以用同一個,這並不會違反 spec</li> <li>使用 Bearer::Unauthorized 回 401</li> </ul> </li> <li>Token 的 scope 不足會使用 <code>insufficient_scope</code> 的 <code>error</code> <ul> <li>使用 Bearer::Forbidden 回 403</li> <li>可是 Rack::OAuth2 的實作並沒有填入 <code>WWW-Authenticate</code> header(只有 401 強制要求要填)</li> <li>所有的 error message(包括 <code>scope</code>)會出現在 JSON response body 裡面</li> <li>我有<a href="https://github.com/chitsaou/rack-oauth2/tree/scope-error-params" rel="nofollow" target="_blank" title="">另外實作一個 fork</a> ,會一併填入 <code>WWW-Authenticate</code> 裡面</li> </ul> </li> <li>這個實作沒有填入 <code>error_uri</code> 和 <code>realm</code> ,其 <code>realm</code> 會使用 Rack::OAuth2 內建的。</li> </ul> <pre class="highlight ruby"><code><span class="n">included</span> <span class="k">do</span> <span class="o">|</span><span class="n">base</span><span class="o">|</span> <span class="n">install_error_responders</span><span class="p">(</span><span class="n">base</span><span class="p">)</span> <span class="k">end</span> <span class="c1"># ... </span> <span class="k">module</span> <span class="nn">ClassMethods</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">install_error_responders</span><span class="p">(</span><span class="n">base</span><span class="p">)</span> <span class="n">error_classes</span> <span class="o">=</span> <span class="p">[</span> <span class="no">MissingTokenError</span><span class="p">,</span> <span class="no">TokenNotFoundError</span><span class="p">,</span> <span class="no">ExpiredError</span><span class="p">,</span> <span class="no">RevokedError</span><span class="p">,</span> <span class="no">InsufficientScopeError</span><span class="p">]</span> <span class="n">base</span><span class="p">.</span><span class="nf">send</span> <span class="ss">:rescue_from</span><span class="p">,</span> <span class="o">*</span><span class="n">error_classes</span><span class="p">,</span> <span class="n">oauth2_bearer_token_error_handler</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">oauth2_bearer_token_error_handler</span> <span class="no">Proc</span><span class="p">.</span><span class="nf">new</span> <span class="p">{</span><span class="o">|</span><span class="n">e</span><span class="o">|</span> <span class="n">response</span> <span class="o">=</span> <span class="k">case</span> <span class="n">e</span> <span class="k">when</span> <span class="no">MissingTokenError</span> <span class="no">Rack</span><span class="o">::</span><span class="no">OAuth2</span><span class="o">::</span><span class="no">Server</span><span class="o">::</span><span class="no">Resource</span><span class="o">::</span><span class="no">Bearer</span><span class="o">::</span><span class="no">Unauthorized</span><span class="p">.</span><span class="nf">new</span> <span class="k">when</span> <span class="no">TokenNotFoundError</span> <span class="no">Rack</span><span class="o">::</span><span class="no">OAuth2</span><span class="o">::</span><span class="no">Server</span><span class="o">::</span><span class="no">Resource</span><span class="o">::</span><span class="no">Bearer</span><span class="o">::</span><span class="no">Unauthorized</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span> <span class="ss">:invalid_token</span><span class="p">,</span> <span class="s2">"Bad Access Token."</span><span class="p">)</span> <span class="c1"># etc. etc.</span> <span class="k">end</span> <span class="n">response</span><span class="p">.</span><span class="nf">finish</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.7: 製作用來擋全 API 的 Guard">Step 4.7: 製作用來擋全 API 的 Guard</h3> <p>這是仿 <code>doorkeeper_for :all</code> 的,用途是「這個 API 底下的所有 Endpoints 都要擋」。在 Grape 的世界裡面,它要是放在 Grape::API 裡面的 class method,所以我寫在 ClassMethods module 裡面,一 call 就是塞 before filter 進去,它底下每個 endpoint 都會過這個 filter。</p> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">ClassMethods</span> <span class="k">def</span> <span class="nf">guard_all!</span><span class="p">(</span><span class="ss">scopes: </span><span class="p">[])</span> <span class="n">before</span> <span class="k">do</span> <span class="n">guard!</span> <span class="ss">scopes: </span><span class="n">scopes</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="Step 4.8: 現在可以用 OAuth 2 來擋 API 了">Step 4.8: 現在可以用 OAuth 2 來擋 API 了</h3> <p>單獨擋一個 Endpoint:</p> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">V1</span> <span class="k">class</span> <span class="nc">SampleAPI</span> <span class="o">&lt;</span> <span class="no">Base</span> <span class="n">get</span> <span class="s2">"secret"</span> <span class="k">do</span> <span class="n">guard!</span> <span class="c1"># Requires a valid OAuth 2 Access Token to use this Endpoint</span> <span class="p">{</span> <span class="ss">:secret</span> <span class="o">=&gt;</span> <span class="s2">"only smart guys can see this ;)"</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> <p>擋一個 API 底下所有 Endpoints:</p> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">V1</span> <span class="k">class</span> <span class="nc">SecretAPI</span> <span class="o">&lt;</span> <span class="no">Base</span> <span class="n">guard_all!</span> <span class="c1"># Requires a valid OAuth 2 Access Token to use all Endpoints</span> <span class="n">get</span> <span class="s2">"secret1"</span> <span class="k">do</span> <span class="p">{</span> <span class="ss">:secret1</span> <span class="o">=&gt;</span> <span class="s2">"Hi, </span><span class="si">#{</span><span class="n">current_user</span><span class="p">.</span><span class="nf">email</span><span class="si">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">get</span> <span class="s2">"secret2"</span> <span class="k">do</span> <span class="p">{</span> <span class="ss">:secret2</span> <span class="o">=&gt;</span> <span class="s2">"only smart guys can see this ;)"</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre><h3 id="試試看!">試試看!</h3> <p>不帶 Token 就去打 API 會被拒絕:</p> <pre class="highlight plaintext"><code>$ curl -i http://localhost:9999/api/v1/secret/secret1.json HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="The API" Content-Type: application/json Cache-Control: no-cache {"error":"unauthorized"} </code></pre> <p>附 Token 再去打 API 就沒問題了,並且會告訴我這個 User 是誰:</p> <pre class="highlight plaintext"><code>$ curl -i http://localhost:9999/api/v1/secret/secret1.json \ &gt; -H "Authorization: Bearer a14bb554309df32fbb6a3bad6cba25f32a28acc931a74ead06ca904c05281b4c" HTTP/1.1 200 OK Content-Type: application/json Cache-Control: max-age=0, private, must-revalidate {"secret1":"Hi, ducksteven@gmail.com"} </code></pre><h2 id="Step 5: 使用 Scope">Step 5: 使用 Scope</h2> <p>到目前為止,實作出來的 OAuth 2 的 Guard 雖然支援「scopes」,但 Authorization Server 不支援。要怎麼限制某些 API 必須使用「授權了某些 scopes」的 Access Token 才能存取呢?以下是範例,詳細可以參考 Doorkeeper 的文件 <em><a href="https://github.com/applicake/doorkeeper/wiki/Using-Scopes" rel="nofollow" target="_blank" title="">Using Scopes</a></em> 。程式碼見 <a href="https://github.com/chitsaou/oauth2-api-sample/tree/step-5" rel="nofollow" target="_blank" title="">step-5 tag</a> 。</p> <p>首先在 <code>config/initializers/doorkeeper.rb</code> 裡面增加 scopes 的定義,例如</p> <pre class="highlight ruby"><code><span class="c1"># Define access token scopes for your provider</span> <span class="c1"># For more information go to https://github.com/applicake/doorkeeper/wiki/Using-Scopes</span> <span class="n">default_scopes</span> <span class="ss">:public</span> <span class="c1"># 如果 Client 不索取任何 scopes 則預設使用這組 scopes</span> <span class="n">optional_scopes</span> <span class="ss">:top_secret</span><span class="p">,</span> <span class="c1"># 其他可以額外申請的 scopes</span> <span class="ss">:el</span><span class="p">,</span> <span class="ss">:psy</span><span class="p">,</span> <span class="ss">:congroo</span> </code></pre> <p>要重開 Rails server 生效。</p> <p>接著打開 Authorize 的頁面,點下去的網址不會帶有「想要索取的 scopes」,所以先把網址複製下來,後面手動附上 <code>scope=top_secret</code> 參數:(中間斷行比較好讀)</p> <p><a href="http://localhost:9999/oauth/authorize" rel="nofollow" target="_blank">http://localhost:9999/oauth/authorize</a> ?client_id=4a407c6a8d3c75e17a5560d0d0e4507c77b047940db6df882c86aaeac2c788d6 &amp;redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Fauth%2Fdemo%2Fcallback &amp;response_type=code &amp;scope=top_secret</p> <p>到這裡會再問你要不要 Authorize,所以你知道了 Authorization Server 會區別帶有不同 scopes 的 grants。Authorize 之後會得到一組 grant code,再照標準流程拿 Token。我這次拿到的 Token 是 <code>5d840a4e43049eb1e66367bc788059f9bf16b53f853f3cd4f001e51a5c95abfd</code>.</p> <p>現在我在 SampleAPI 裡面新增兩個 endpoint,需要 scopes 才能存取:</p> <pre class="highlight ruby"><code><span class="n">get</span> <span class="s2">"top_secret"</span> <span class="k">do</span> <span class="n">guard!</span> <span class="ss">scopes: </span><span class="p">[</span><span class="ss">:top_secret</span><span class="p">]</span> <span class="p">{</span> <span class="ss">:top_secret</span> <span class="o">=&gt;</span> <span class="s2">"T0P S3CR37 :p"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">get</span> <span class="s2">"choice_of_sg"</span> <span class="k">do</span> <span class="n">guard!</span> <span class="ss">scopes: </span><span class="p">[</span><span class="ss">:el</span><span class="p">,</span> <span class="ss">:psy</span><span class="p">,</span> <span class="ss">:congroo</span><span class="p">]</span> <span class="p">{</span> <span class="ss">:says</span> <span class="o">=&gt;</span> <span class="s2">"El. Psy. Congroo."</span> <span class="p">}</span> <span class="k">end</span> </code></pre> <p>用之前申請過的 Access Token 來打 <code>top_secret</code> 這個 API 會被拒絕(中間斷行比較好讀):</p> <pre class="highlight plaintext"><code>$ curl -i http://localhost:9999/api/v1/sample/top_secret.json \ &gt; -H "Authorization: Bearer a14bb554309df32fbb6a3bad6cba25f32a28acc931a74ead06ca904c05281b4c" HTTP/1.1 403 Forbidden Content-Type: application/json Cache-Control: no-cache { "error":"insufficient_scope", "error_description":"The request requires higher privileges than provided by the access token.", "scope":"top_secret" } </code></pre> <p>若用新拿到的 Token 就會過了:</p> <pre class="highlight plaintext"><code>$ curl -i http://localhost:9999/api/v1/sample/top_secret.json \ &gt; -H "Authorization: Bearer 5d840a4e43049eb1e66367bc788059f9bf16b53f853f3cd4f001e51a5c95abfd" HTTP/1.1 200 OK Content-Type: application/json Cache-Control: max-age=0, private, must-revalidate {"top_secret":"T0P S3CR37 :p"} </code></pre> <p>然而如果拿這個 Token 去打 <code>choice_of_sg</code> 就會被拒絕(中間斷行比較好讀):</p> <pre class="highlight plaintext"><code>$ curl -i http://localhost:9999/api/v1/sample/choice_of_sg.json \ &gt; -H "Authorization: Bearer 5d840a4e43049eb1e66367bc788059f9bf16b53f853f3cd4f001e51a5c95abfd" HTTP/1.1 403 Forbidden Content-Type: application/json Cache-Control: no-cache { "error":"insufficient_scope", "error_description":"The request requires higher privileges than provided by the access token.", "scope":"el psy congroo" } </code></pre> <p>當然,因為 scope 不符啊。這時候就要再重新申請一個 Token,照前面說過的流程,要先有一個 Authorize 的 URL:</p> <p><a href="http://localhost:9999/oauth/authorize" rel="nofollow" target="_blank">http://localhost:9999/oauth/authorize</a> ?client_id=4a407c6a8d3c75e17a5560d0d0e4507c77b047940db6df882c86aaeac2c788d6 &amp;redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Fauth%2Fdemo%2Fcallback &amp;response_type=code &amp;scope=el%20psy%20congroo ^^^ ^^^ space</p> <p>多重 scope 的情況下,各 scope 之間用空格 <code>%20</code> 分開。</p> <p>最後我拿到的新 Token 是 <code>0b39839282957d8f80c01901c2468ed52341707594897ec9767af392306f1e55</code> 。再用它去打 <code>choice_of_sg</code> API 就會回我了:</p> <pre class="highlight plaintext"><code>curl -i http://localhost:9999/api/v1/sample/choice_of_sg.json \ -H "Authorization: Bearer 0b39839282957d8f80c01901c2468ed52341707594897ec9767af392306f1e55" HTTP/1.1 200 OK Content-Type: application/json Cache-Control: max-age=0, private, must-revalidate {"says":"El. Psy. Congroo."} </code></pre> <hr> <h2 id="結語">結語</h2> <p>以上的 Tutorial 只簡單示範了如何從零建造一個 OAuth 2 Authorization Server 並且用 OAuth 2 Bearer Token 來保護 Grape API。以下這些問題沒有處理:</p> <ul> <li>要可以限制「誰才可以開 Clients」 (例如站長,或是有登入的使用者),我想應該是 Doorkeeper 的 <code>admin_authenticator</code> 和 <code>enable_application_owner</code> options 。</li> <li>沒有示範 Refresh Token</li> <li>Doorkeeper 不能設定只要開啟哪些 Grant Flows <ul> <li>這我有開一個 fork 出來實作,也貼了 <a href="https://github.com/applicake/doorkeeper/pull/295" rel="nofollow" target="_blank" title="">Pull Request</a> ,等他 merge。</li> </ul> </li> <li>因為 Guard 是自己寫的,Doorkeeper 的一些功能完全不使用,例如 <code>access_token_methods</code> (設定 Client 可以用哪些方式向 API 出示 Token)</li> <li>承上,也沒有使用到 Doorkeeper 內建的錯誤訊息 i18n 機制</li> <li>Guard 的 Error Response 的 "realm" 不同步</li> <li>Guard 的 <code>insufficient_scope</code> Error 沒有把參數放在 <code>WWW-Authenticate</code> header <ul> <li> <a href="https://github.com/chitsaou/rack-oauth2/tree/scope-error-params" rel="nofollow" target="_blank" title="">我的 fork</a> 有實作這個,還沒開 PR 給原版。</li> <li>雖然在 403 放這個 header doesn't make sense,但總覺得還是統一放在這裡比較好啊…</li> </ul> </li> <li>Scope 的 matching 只用了簡單的集合比較,不適用於某些 A scope 吃 B scope 情況</li> </ul> <p>又,寫完的 Guard 並沒有包成 Gem 還是什麼的……之後應該會包一下吧。</p> <p>有任何問題(包括指教本文的謬誤)歡迎在下面的留言板提出 :)</p> chitsaou Thu, 10 Oct 2013 21:09:09 +0800 https://ruby-china.org/topics/14656 https://ruby-china.org/topics/14656 Git.io 缩址按一下就产生 (Chrome Extension) <p><a href="http://git.io/help" rel="nofollow" target="_blank" title="">Git.io</a> 是 Github 官方的缩址服务,当然也就只支持 Github 的网址。它的操作方式是发送一个 POST 请求到 <code>http://git.io</code> 并附上表单内容为 <code>url=https://github.com/...</code> ,通过 <code>curl</code> 的话就是:</p> <p>curl -i <a href="http://git.io" rel="nofollow" target="_blank">http://git.io</a> -F "url=<a href="https://github.com/.." rel="nofollow" target="_blank">https://github.com/..</a>."</p> <p>不知道大家有没有常常要做 Git.io 缩址的需求,但我每次一有需求就必须打开终端机再输入以上指令,我又不常用 curl,等于每有需求就得先查文件。</p> <p>于是我觉得太麻烦了,就做了一个 Chrome Extension: <a href="https://chrome.google.com/webstore/detail/baceaeopmlhkjbljoiinmbnnmpokgiml" rel="nofollow" target="_blank" title="">Git.io URL Shortener</a> ,在浏览 Github 相关网页的时候,网址列后方就会出现一个 git.io 的小图示,按一下就可以产生短址了,再按一下短址就能复制到剪贴簿;不过我还没有把「立即复制到剪贴簿」的选项实作出来。</p> <p><img src="//l.ruby-china.com/photo/99e290d6037e211e78bba6135a12c23a.png" title="" alt=""></p> <p>当然 source code 也是<a href="https://github.com/chitsaou/git-io-shortener" rel="nofollow" target="_blank" title="">公开的</a>。</p> <p>各位同学有需要的话就来用一下吧,也欢迎大家给我反馈。 </p> chitsaou Tue, 17 Apr 2012 01:17:29 +0800 https://ruby-china.org/topics/2643 https://ruby-china.org/topics/2643