wndhydrnt
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎oauth2/__init__.py‎
Lines changed: 24 additions & 15 deletions b/‎oauth2/__init__.py‎
Lines changed: 24 additions & 15 deletions
diff --git a/‎oauth2/client_authenticator.py‎
Lines changed: 89 additions & 0 deletions b/‎oauth2/client_authenticator.py‎
Lines changed: 89 additions & 0 deletions
diff --git a/‎oauth2/datatype.py‎
Lines changed: 68 additions & 15 deletions b/‎oauth2/datatype.py‎
Lines changed: 68 additions & 15 deletions
@@ -11,6 +11,10 @@ dist/
 build/
 _build/
 
+# coverage
+.coverage
+cover/
+
 # Vagrant
 .vagrant/
 Berksfile.lock
 
@@ -3,6 +3,7 @@
 Improvements:
 
   - Corrected class references in doc strings (Josh Johnston)
+  - Proper handling of errors raised by store adapters
 
 Bugfixes:
 
 
@@ -94,10 +94,13 @@ def user_has_denied_access(self, request):
 """
 
 import json
-from oauth2.error import OAuthInvalidError, OAuthUserError
+from oauth2.client_authenticator import ClientAuthenticator
+from oauth2.error import OAuthInvalidError, \
+    ClientNotFoundError, OAuthInvalidNoRedirectError, UnsupportedGrantError
 from oauth2.web import Request, Response
 from oauth2.tokengenerator import Uuid4
-from oauth2.grant import Scope
+from oauth2.grant import Scope, AuthorizationCodeGrant, ImplicitGrant, \
+    ClientCredentialsGrant, ResourceOwnerGrant, RefreshToken
 
 VERSION = "0.6.0"
 
@@ -121,15 +124,16 @@ def __init__(self, access_token_store, auth_code_store, client_store,
                              :class:`oauth2.web.SiteAdapter`.
         :param token_generator: Object to generate unique tokens.
         :param response_class: Class of the response object.
-                               Default: :class:`oauth2.web.Response`.
+                               Defaults to :class:`oauth2.web.Response`.
 
         """
         self.grant_types = []
         self._input_handler = None
 
         self.access_token_store = access_token_store
         self.auth_code_store = auth_code_store
-        self.client_store = client_store
+        self.client_authenticator = ClientAuthenticator(
+            client_store=client_store)
         self.response_class = response_class
         self.site_adapter = site_adapter
         self.token_generator = token_generator
@@ -160,18 +164,25 @@ def dispatch(self, request, environ):
             grant_type.read_validate_params(request)
 
             return grant_type.process(request, response, environ)
-        except OAuthUserError as error:
+        except OAuthInvalidNoRedirectError:
             response = self.response_class()
-            return grant_type.redirect_oauth_error(error, response)
-        except OAuthInvalidError as error:
+            response.add_header("Content-Type", "text/plain")
+            response.status_code = 400
+            return response
+        except OAuthInvalidError as err:
+            print(err.error)
+            print(err.explanation)
+            response = self.response_class()
+            return grant_type.handle_error(error=err, response=response)
+        except UnsupportedGrantError:
             response = self.response_class()
-            response.add_header("Content-type", "application/json")
+            response.add_header("Content-Type", "application/json")
             response.status_code = 400
-            json_body = {"error": error.error}
-            if error.explanation is not None:
-                json_body["error_description"] = error.explanation
+            response.body = json.dumps({
+                "error": "unsupported_response_type",
+                "error_description": "Grant not supported"
+            })
 
-            response.body = json.dumps(json_body)
             return response
 
     def enable_unique_tokens(self):
@@ -196,6 +207,4 @@ def _determine_grant_type(self, request):
             if grant_handler is not None:
                 return grant_handler
 
-        raise OAuthInvalidError(error="unsupported_response_type",
-                                explanation="Server does not support given "
-                                "response_type")
+        raise UnsupportedGrantError
@@ -0,0 +1,89 @@
+from oauth2.error import OAuthInvalidNoRedirectError, RedirectUriUnknown, \
+    OAuthInvalidError, ClientNotFoundError
+
+
+class ClientAuthenticator(object):
+    def __init__(self, client_store, source=None):
+        """
+        Constructor.
+
+        :param client_store: An instance of :class:`oauth2.store.ClientStore`.
+        :param source: A callable that returns a tuple
+                       (<client_id>, <client_secret>). Defaults to
+                       `oauth2.client_authenticator.request_body_source`.
+        """
+        self.client_store = client_store
+        self.source = source
+
+        if self.source is None:
+            self.source = request_body_source
+
+    def by_identifier(self, request):
+        """
+        Authenticates a client by its identifier.
+
+        :param request: An instance of :class:`oauth2.web.Request`.
+
+        :return: An instance of :class:`oauth2.datatype.Client`.
+        :raises: :class OAuthInvalidNoRedirectError:
+        """
+        client_id = request.get_param("client_id")
+
+        if client_id is None:
+            raise OAuthInvalidNoRedirectError(error="missing_client_id")
+
+        try:
+            client = self.client_store.fetch_by_client_id(client_id)
+        except ClientNotFoundError:
+            raise OAuthInvalidNoRedirectError(error="unknown_client")
+
+        redirect_uri = request.get_param("redirect_uri")
+        if redirect_uri is not None:
+            try:
+                client.redirect_uri = redirect_uri
+            except RedirectUriUnknown:
+                raise OAuthInvalidNoRedirectError(
+                    error="invalid_redirect_uri")
+
+        return client
+
+    def by_identifier_secret(self, request):
+        """
+        Authenticates a client by its identifier and secret (aka password).
+
+        :param request: An instance of :class:`oauth2.web.Request`.
+
+        :return: An instance of :class:`oauth2.datatype.Client`.
+        """
+        client_id, client_secret = self.source(request=request)
+
+        try:
+            client = self.client_store.fetch_by_client_id(client_id)
+        except ClientNotFoundError:
+            raise OAuthInvalidError(error="invalid_client",
+                                    explanation="No client found")
+
+        grant_type = request.post_param("grant_type")
+        if client.grant_type_supported(grant_type) is False:
+            raise OAuthInvalidError(error="unauthorized_client",
+                                    explanation="Grant type not allowed")
+
+        if client.secret != client_secret:
+            raise OAuthInvalidError(error="invalid_client",
+                                    explanation="Invalid client credentials")
+
+        return client
+
+
+def request_body_source(request):
+    client_id = request.post_param("client_id")
+    if client_id is None:
+        raise OAuthInvalidError(error="invalid_request",
+                                explanation="Missing client identifier")
+
+    client_secret = request.post_param("client_secret")
+    if client_secret is None:
+        raise OAuthInvalidError(error="invalid_request",
+                                explanation="Missing client credentials")
+
+    return client_id, client_secret
@@ -4,6 +4,8 @@
 """
 
 import time
+from oauth2.error import RedirectUriUnknown
+
 
 class AccessToken(object):
     """
@@ -24,7 +26,7 @@ def __init__(self, client_id, grant_type, token, data={}, expires_at=None,
     def expires_in(self):
         """
         Returns the time until the token expires.
-        
+
         :return: The remaining time until expiration in seconds or 0 if the
                  token has expired.
         """
@@ -37,7 +39,7 @@ def expires_in(self):
     def is_expired(self):
         """
         Determines if the token has expired.
-        
+
         :return: `True` if the token has expired. Otherwise `False`.
         """
         if self.expires_at is None:
@@ -48,14 +50,6 @@ def is_expired(self):
 
         return True
 
-    def to_json(self):
-        json = {"access_token": self.token, "token_type": "Bearer"}
-
-        if self.refresh_token is not None:
-            json["refresh_token"] = self.refresh_token
-            json["expires_in"] = self.expires_in
-
-        return json
 
 class AuthorizationCode(object):
     """
@@ -76,17 +70,76 @@ def is_expired(self):
             return True
         return False
 
+
 class Client(object):
     """
     Representation of a client application.
     """
-    def __init__(self, identifier, secret, redirect_uris=[]):
+    def __init__(self, identifier, secret, authorized_grants=None,
+                 authorized_response_types=None, redirect_uris=None):
+        """
+        :param identifier: The unique identifier of a client.
+        :param secret: The secret the clients uses to authenticate.
+        :param authorized_grants: A list of grants under which the client can
+                                  request tokens.
+                                  All grants are allowed if this value is set
+                                  to `None` (default).
+        :param authorized_response_types: A list of response types of which
+                                          the client can request tokens.
+                                          All response types are allowed if
+                                          this value is set to `None`
+                                          (default).
+        :redirect_uris: A list of redirect uris this client can use.
+        """
+        self.authorized_grants = authorized_grants
+        self.authorized_response_types = authorized_response_types
         self.identifier = identifier
         self.secret = secret
-        self.redirect_uris = redirect_uris
 
-    def has_redirect_uri(self, uri):
+        if redirect_uris is None:
+            self.redirect_uris = []
+        else:
+            self.redirect_uris = redirect_uris
+
+        self._redirect_uri = None
+
+    @property
+    def redirect_uri(self):
+        if self._redirect_uri is None:
+            # redirect_uri is an optional param.
+            # If not supplied, we use the first entry stored in db as default.
+            return self.redirect_uris[0]
+        return self._redirect_uri
+
+    @redirect_uri.setter
+    def redirect_uri(self, value):
+        if value not in self.redirect_uris:
+            raise RedirectUriUnknown
+        self._redirect_uri = value
+
+    def grant_type_supported(self, grant_type):
+        """
+        Checks if the Client is authorized receive tokens for the given grant.
+
+        :param grant_type: The type of the grant.
+
+        :return: Boolean
+        """
+        if self.authorized_grants is None:
+            return True
+
+        return grant_type in self.authorized_grants
+
+    def response_type_supported(self, response_type):
         """
-        Checks if a uri is associated with the client.
+        Checks if the client is allowed to receive tokens for the given
+        response type.
+
+        :param response_type: The response type.
+
+        :return: Boolean
         """
-        return uri in self.redirect_uris
+        if self.authorized_response_types is None:
+            return True
+
+        return response_type in self.authorized_response_types