mpguerra
diff --git a/‎Procfile
Lines changed: 1 addition & 0 deletions b/‎Procfile
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 53 additions & 0 deletions b/‎README.md
Lines changed: 53 additions & 0 deletions
diff --git a/‎authorize.lua
Lines changed: 73 additions & 0 deletions b/‎authorize.lua
Lines changed: 73 additions & 0 deletions
diff --git a/‎authorized_callback.lua
Lines changed: 53 additions & 0 deletions b/‎authorized_callback.lua
Lines changed: 53 additions & 0 deletions
diff --git a/‎get_token.lua
Lines changed: 63 additions & 0 deletions b/‎get_token.lua
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1 @@
+web: start_nginx.sh
@@ -0,0 +1,53 @@
+## 3Scale API Proxy with OAuth2 Authorization Code Flow hosted on Heroku
+
+This is based on Taytay's excellent implementation of a 3scale API Proxy using Heroku: Taytay/api-proxy-3scale-heroku
+
+Please check out his [repo](Taytay/api-proxy-3scale-heroku) for the README and basic instructions on setting this up. 
+
+I have added some OAuth extensions on top of this to implement an API Gateway acting as an OAuth2 provider for my simple Address Book App API. I will outline how these work (as well as any additional set up steps where they differ from the original repo) and how to use them in conjunction with the example [Address Book App API](mpguerra/address-book-app-api)
+
+Usage
+---------
+
+#### Step 1: Get 3Scale and Heroku Accounts ####
+
+##### Step 1a: Get RedisToGo addon for Heroku #####
+
+TODO: Instructions for installing and connecting to ReidsToGo
+
+#### Step 2: Configure 3Scale Api Proxy and download Nginx config files ####
+
+You will need to choose oauth authentication mode from the API Settings for Authentication Mode.
+
+#### Step 3: Clone this repo ####
+
+#### Step 4: Rename the generated .conf files ####
+
+#### Step 5: Modify nginx.conf ####
+Make the following mandatory modifications to the nginx.conf file:
+
+    #1. Add this line to the top of the file
+    daemon off;
+    #2. replace 'listen 80;' with:
+    listen ${{PORT}};
+    #3. replace 'access_by_lua_file lua_tmp.lua;' with:
+    access_by_lua_file nginx_3scale_access.lua;
+
+See the sample **nginx.sample.conf** file for details, and for notes on other optional changes you can make.
+
+
+Test your API proxy using an app_id and app_key you get from your 3scale control panel. More info about these credentials [here](https://support.3scale.net/howtos/api-configuration/nginx-proxy)
+
+    $ curl http://<heroku-app-name>.herokuapp.com/v1/word/awesome.json\?app_id\=YOUR_USER_APP_ID\&app_key\=YOUR_USER_APP_KEY
+
+    {"word":"awesome","sentiment":4}%
+
+
+Credits
+-------
+
+The [OpenResty buildpack](https://github.com/leafo/heroku-openresty) did the hard Heroku work! Thanks!
+
+Our thanks to Taylor Brown [Taytay](http://taytay.com/) for providing the base configuration and files. 
+
+I'm Maria Pilar Guerra-Arias (aka Pili) an API Solution Engineer at [3scale](http://www.3scale.net)
@@ -0,0 +1,73 @@
+local cjson = require 'cjson'
+local ts = require 'threescale_utils'
+local redis = require 'resty.redis'
+local red = redis:new()
+
+function check_return_url(client_id, return_url)
+  local res = ngx.location.capture("/_threescale/redirect_uri_matches",
+				  { vars = { red_url = return_url ,
+				    	     client_id = client_id }})
+  return (res.status == 200)
+end
+
+-- returns 2 values: ok, err
+-- if ok == true, err is undefined
+-- if ok == false, err contains the errors
+function authorize(params)
+   -- scope is required because the provider needs to know which plan
+   -- is the user trying to log to
+   local required_params = {'client_id', 'redirect_uri', 'response_type', 'scope'}
+
+   if ts.required_params_present(required_params, params) and
+      params["response_type"] == 'code' and
+      check_return_url(params.client_id, params.redirect_uri) then
+      redirect_to_login(params)
+   elseif params["response_type"] ~= 'code' then
+      return false, 'unsupported_response_type'
+   else
+      return false, 'invalid_request'
+   end
+      ts.error("we should never be here")
+   end
+
+-- returns a unique string for the client_id. it will be short lived
+function nonce(client_id)
+   return ts.sha1_digest(math.random() .. "#login:" .. client_id)
+end
+
+function generate_access_token(client_id)
+   return ts.sha1_digest(math.random() .. client_id)
+end
+
+-- redirects_to the login form of the API provider with a secret
+-- 'state' which will be used when the form redirects the user back to
+-- this server.
+function redirect_to_login(params)
+   local n = nonce(params.client_id)
+
+   params.scope = params.scope
+   ts.connect_redis(red)
+   local pre_token = generate_access_token(params.client_id)
+
+   local ok, err = red:hmset(ngx.var.service_id .. "#tmp_data:".. n,
+			     {client_id = params.client_id,
+			      redirect_uri = params.redirect_uri,
+			      plan_id = params.scope,
+			      pre_access_token = pre_token})
+
+   if not ok then
+      ts.error(ts.dump(err))
+   end
+
+   -- TODO: If the login_url has already the parameter state bad
+   -- things are to happen
+   ngx.redirect(ngx.var.login_url .. "?&scope=".. params.scope .. "&state=" .. n .. "&tok=".. pre_token)
+   ngx.exit(ngx.HTTP_OK)
+end
+
+local params = ngx.req.get_uri_args()
+local _ok, a_err = authorize(params)
+
+if not a_ok then
+   ngx.redirect(ngx.var.login_url .. "?&scope=" .. params.scope .. "&state=" .. (params.state or '') .. "&error=" .. a_err)
+end
@@ -0,0 +1,53 @@
+-- authorized_callback.lua
+
+-- Once the client has been authorized by the API provider in their
+-- login, the provider is supposed to send the client (via redirect)
+-- to this endpoint, with the same status code that we sent him at the
+-- moment of the first redirect
+
+local cjson = require 'cjson'
+local ts = require 'threescale_utils'
+local redis = require 'resty.redis'
+local red = redis:new()
+
+local ok, err
+local params = ngx.req.get_uri_args()
+
+if ts.required_params_present({'state'}, params) then
+   ts.connect_redis(red)
+   local tmp_data = ngx.var.service_id .. "#tmp_data:".. params.state
+   ok , err = red:exists(tmp_data)
+   if 0 == ok then
+      -- TODO: Redirect? to the initial state?
+      ts.missing_args("state does not exist. Probably expired")
+   end
+   ok, err = red:hgetall(tmp_data)
+   if not ok then
+      ts.error("no values for tmp_data hash: ".. ts.dump(err))
+   end
+
+   local client_data = red:array_to_hash(ok)  -- restoring client data
+
+   -- Delete the tmp_data:
+   red:del(tmp_data)
+
+   local code = ts.sha1_digest(ngx.time() .. "#code:" .. client_data.client_id)
+   ok, err =  red:hmset("c:".. client_data.client_id, {client_id = client_data.client_id,
+						       client_secret = client_data.secret_id,
+						       redirect_uri = client_data.redirect_uri,
+						       pre_access_token = client_data.pre_access_token,
+						       code = code,
+                         user_id = params.username })
+
+   ok, err =  red:expire("c:".. client_data.client_id, 60 * 10) -- code expires in 10 mins
+
+   if not ok then
+      ngx.say("failed to hmset: ", err)
+      ngx.exit(ngx.HTTP_OK)
+   end
+
+   ngx.req.set_header("Content-Type", "application/x-www-form-urlencoded")
+   return ngx.redirect(client_data.redirect_uri .. "?code="..code .. "&state=" .. (client_data.state or ""))
+else
+   ts.missing_args("{ 'error': '".. "invalid_client_data from login form" .. "'}")
+end
@@ -0,0 +1,63 @@
+local cjson = require 'cjson'
+local redis = require 'resty.redis'
+local ts = require 'threescale_utils'
+local red = redis:new()
+
+function generate_token(client_id)
+   return ts.sha1_digest(ngx.time() .. client_id)
+end
+
+-- Returns the access token (stored in redis) for the client identified by the id
+-- This needs to be called within a minute of it being stored, as it expires and is deleted
+function generate_access_token_for(client_id)
+   local ok, err = ts.connect_redis(red)
+   ok, err =  red:hgetall("c:".. client_id) -- code?
+   ts.log(ok)
+   if ok[1] == nil then
+      ngx.say("expired_code")
+      return ngx.exit(ngx.HTTP_OK)
+   else
+      return red:array_to_hash(ok).pre_access_token..":"..red:array_to_hash(ok).user_id
+   end
+end
+
+local function store_token(client_id, token)
+  local stored = ngx.location.capture("/_threescale/oauth_store_token",
+    {method = ngx.HTTP_POST,
+    body = "provider_key=" ..ngx.var.provider_key ..
+    "&app_id=".. client_id ..
+    "&token=".. token})
+  if stored.status ~= 200 then
+    ngx.say("eeeerror")
+    ngx.exit(ngx.HTTP_OK)
+  end
+
+  access_token = token:split(":")[1]
+
+  ngx.header.content_type = "application/json; charset=utf-8"
+  ngx.say({'{"access_token": "'.. access_token .. '", "token_type": "bearer"}'})
+  ngx.exit(ngx.HTTP_OK)
+end
+
+function get_token()
+
+   local params = {}
+   if "GET" == ngx.req.get_method() then
+      params = ngx.req.get_uri_args()
+   else
+      ngx.req.read_body()
+      params = ngx.req.get_post_args()
+   end
+
+   local required_params = {'client_id', 'redirect_uri', 'client_secret', 'code', 'grant_type'}
+
+   if ts.required_params_present(required_params, params) and params['grant_type'] == 'authorization_code'  then
+      local token = generate_access_token_for(params.client_id)
+      store_token(params.client_id, token)
+   else
+      ngx.log(0, "NOPE")
+      ngx.exit(ngx.HTTP_FORBIDDEN)
+   end
+end
+
+local s = get_token()