Feature/custom accesstoken and refreshtoken

.gitignore

@@ -25,6 +25,7 @@ __pycache__
 pip-log.txt
 
 # Unit test / coverage reports
+.cache
 .coverage
 .tox
 nosetests.xml

.travis.yml

@@ -1,27 +1,25 @@
 language: python
-python: "2.7"
+python:
+  - "3.5"
+
+sudo: false
 
 env:
-  - TOX_ENV=py26-django14
-  - TOX_ENV=py26-django15
-  - TOX_ENV=py26-django16
-  - TOX_ENV=py27-django14
-  - TOX_ENV=py27-django15
-  - TOX_ENV=py27-django16
-  - TOX_ENV=py27-django17
   - TOX_ENV=py27-django18
-  - TOX_ENV=py33-django15
-  - TOX_ENV=py33-django16
-  - TOX_ENV=py33-django17
+  - TOX_ENV=py27-django19
+  - TOX_ENV=py32-django18
   - TOX_ENV=py33-django18
-  - TOX_ENV=py34-django15
-  - TOX_ENV=py34-django16
-  - TOX_ENV=py34-django17
   - TOX_ENV=py34-django18
+  - TOX_ENV=py34-django19
+  - TOX_ENV=py35-django18
+  - TOX_ENV=py35-django19
   - TOX_ENV=docs
 
+matrix:
+  fast_finish: true
+
 install:
-  - pip install tox
+  - pip install tox "virtualenv<14"
   - pip install coveralls
 
 script:

AUTHORS

@@ -13,3 +13,8 @@ David Fischer
 Ash Christopher
 Rodney Richardson
 Hiroki Kiyohara
+Diego Garcia
+Bas van Oostveen
+Bart Merenda
+Paul Oswald
+Jens Timmerman

CONTRIBUTING.rst

@@ -2,4 +2,4 @@ Contributing
 ============
 
 Thanks for your interest! We love contributions, so please feel free to fix bugs, improve things, provide documentation. Just `follow the
-guidelines <https://django-oauth-toolkit.readthedocs.org/en/latest/contributing.html>`_ and submit a PR.
+guidelines <https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html>`_ and submit a PR.

README.rst

@@ -32,13 +32,23 @@ Contributing
 ------------
 
 We love contributions, so please feel free to fix bugs, improve things, provide documentation. Just `follow the
-guidelines <https://django-oauth-toolkit.readthedocs.org/en/latest/contributing.html>`_ and submit a PR.
+guidelines <https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html>`_ and submit a PR.
+
+Reporting security issues
+-------------------------
+
+If you believe you've found an issue with security implications, please send a detailed description via email to **[email protected]**.
+Mail sent to that address reaches the Django OAuth Toolkit core team, who can solve (or forward) the security issue as soon as possible. After
+our acknowledge, we may decide to open a public discussion in our mailing list or issues tracker.
+
+Once you’ve submitted an issue via email, you should receive a response from the core team within 48 hours, and depending on the action to be
+taken, you may receive further followup emails.
 
 Requirements
 ------------
 
-* Python 2.6, 2.7, 3.3, 3.4
-* Django 1.4, 1.5, 1.6, 1.7, 1.8
+* Python 2.7, 3.2, 3.3, 3.4, 3.5
+* Django 1.7, 1.8, 1.9
 
 Installation
 ------------
@@ -70,7 +80,7 @@ Notice that `oauth2_provider` namespace is mandatory.
 Documentation
 --------------
 
-The `full documentation <https://django-oauth-toolkit.readthedocs.org/>`_ is on *Read the Docs*.
+The `full documentation <https://django-oauth-toolkit.readthedocs.io/>`_ is on *Read the Docs*.
 
 License
 -------
@@ -87,6 +97,28 @@ Roadmap / Todo list (help wanted)
 Changelog
 ---------
 
+Development
+~~~~~~~~~~~
+
+* #396: added an IsAuthenticatedOrTokenHasScope Permission
+* #357: Support multiple-user clients by allowing User to be NULL for Applications
+
+0.10.0 [2015-12-14]
+~~~~~~~~~~~~~~~~~~~
+
+* **#322: dropping support for python 2.6 and django 1.4, 1.5, 1.6**
+* #310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant
+* #333: Added possibility to specify the default list of scopes returned when scope parameter is missing
+* #325: Added management views of issued tokens
+* #249: Added a command to clean expired tokens
+* #323: Application registration view uses custom application model in form class
+* #299: 'server_class' is now pluggable through Django settings
+* #309: Add the py35-django19 env to travis
+* #308: Use compact syntax for tox envs
+* #306: Django 1.9 compatibility
+* #288: Put additional information when generating token responses
+* #297: Fixed doc about SessionAuthenticationMiddleware
+* #273: Generic read write scope by resource
 
 0.9.0 [2015-07-28]
 ~~~~~~~~~~~~~~~~~~

docs/advanced_topics.rst

@@ -55,9 +55,9 @@ That's all, now Django OAuth Toolkit will use your model wherever an Application
 Skip authorization form
 =======================
 
-Depending on the OAuth2 flow in use and the access token policy, users might be prompted  for the
-same authorization multiple times: sometimes this is acceptable or even desiderable but other it isn't.
-To control DOT behaviour you can use `approval_prompt` parameter when hitting the authorization endpoint.
+Depending on the OAuth2 flow in use and the access token policy, users might be prompted for the
+same authorization multiple times: sometimes this is acceptable or even desirable but other times it isn't.
+To control DOT behaviour you can use the `approval_prompt` parameter when hitting the authorization endpoint.
 Possible values are:
 
 * `force` - users are always prompted for authorization.

docs/changelog.rst

@@ -1,6 +1,31 @@
 Changelog
 =========
 
+Development
+~~~~~~~~~~~
+
+* #396: added an IsAuthenticatedOrTokenHasScope Permission
+* #357: Support multiple-user clients by allowing User to be NULL for Applications
+
+
+0.10.0 [2015-12-14]
+------------------
+
+* **#322: dropping support for python 2.6 and django 1.4, 1.5, 1.6**
+* #310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant
+* #333: Added possibility to specify the default list of scopes returned when scope parameter is missing
+* #325: Added management views of issued tokens
+* #249: Added a command to clean expired tokens
+* #323: Application registration view uses custom application model in form class
+* #299: 'server_class' is now pluggable through Django settings
+* #309: Add the py35-django19 env to travis
+* #308: Use compact syntax for tox envs
+* #306: Django 1.9 compatibility
+* #288: Put additional information when generating token responses
+* #297: Fixed doc about SessionAuthenticationMiddleware
+* #273: Generic read write scope by resource
+
+
 0.9.0 [2015-07-28]
 ------------------
 

docs/conf.py

@@ -19,9 +19,12 @@
 here = os.path.abspath(os.path.dirname(__file__))
 sys.path.insert(0, here)
 sys.path.insert(0, os.path.dirname(here))
-sys.path.insert(0, os.path.join(os.path.dirname(here), 'example'))
 
 os.environ['DJANGO_SETTINGS_MODULE'] = 'oauth2_provider.tests.settings'
+
+import django
+django.setup()
+
 import oauth2_provider
 
 # -- General configuration -----------------------------------------------------

docs/contributing.rst

@@ -47,7 +47,7 @@ of the pull request.
 Pull upstream changes into your fork regularly
 ==============================================
 
-It's a good practice to pull upstream changes from master into your fork on a regular basis, infact if you work on
+It's a good practice to pull upstream changes from master into your fork on a regular basis, in fact if you work on
 outdated code and your changes diverge too far from master, the pull request has to be rejected.
 
 To pull in upstream changes::
@@ -85,7 +85,7 @@ Add the tests!
 --------------
 
 Whenever you add code, you have to add tests as well. We cannot accept untested code, so unless it is a peculiar
-situation you previously discussed with the core commiters, if your pull request reduces the test coverage it will be
+situation you previously discussed with the core committers, if your pull request reduces the test coverage it will be
 **immediately rejected**.
 
 Code conventions matter

docs/index.rst

@@ -21,8 +21,8 @@ If you need support please send a message to the `Django OAuth Toolkit Google Gr
 Requirements
 ------------
 
-* Python 2.6, 2.7, 3.3, 3.4
-* Django 1.4, 1.5, 1.6, 1.7
+* Python 2.7, 3.2, 3.3, 3.4, 3.5
+* Django 1.7, 1.8, 1.9
 
 Index
 =====
@@ -38,6 +38,7 @@ Index
    models
    advanced_topics
    settings
+   management_commands
    glossary
 
 .. toctree::

docs/install.rst

@@ -29,7 +29,6 @@ Sync your database
 
 .. sourcecode:: sh
 
-    $ python manage.py syncdb
     $ python manage.py migrate oauth2_provider
 
 Next step is our :doc:`first tutorial <tutorial/tutorial_01>`.

docs/management_commands.rst

@@ -0,0 +1,20 @@
+Management commands
+===================
+
+Django OAuth Toolkit exposes some useful management commands that can be run via shell or by other means (eg: cron)
+
+.. _cleartokens:
+
+cleartokens
+~~~~~~~~~~~
+
+The ``cleartokens`` management command allows the user to remove those refresh tokens whose lifetime is greater than the
+amount specified by ``REFRESH_TOKEN_EXPIRE_SECONDS`` settings. It is important that this command is run regularly
+(eg: via cron) to avoid cluttering the database with expired refresh tokens.
+
+If ``cleartokens`` runs daily the maximum delay before a refresh token is
+removed is ``REFRESH_TOKEN_EXPIRE_SECONDS`` + 1 day. This is normally not a
+problem since refresh tokens are long lived.
+
+Note: Refresh tokens need to expire before AccessTokens can be removed from the
+database. Using ``cleartokens`` without ``REFRESH_TOKEN_EXPIRE_SECONDS`` has limited effect.

docs/rest-framework/permissions.rst

@@ -48,3 +48,36 @@ For example:
 
 When a request is performed both the `READ_SCOPE` \\ `WRITE_SCOPE` and 'music' scopes are required to be authorized for the current access token.
 
+TokenHasResourceScope
+----------------------
+The `TokenHasResourceScope` permission class allows the access only when the current access token has been authorized for **all** the scopes listed in the `required_scopes` field of the view but according of request's method.
+
+When the current request's method is one of the "safe" methods, the access is allowed only if the access token has been authorized for the `scope:read` scope (for example `music:read`).
+When the request's method is one of "non safe" methods, the access is allowed only if the access token has been authorizes for the `scope:write` scope (for example `music:write`).
+
+.. code-block:: python
+
+    class SongView(views.APIView):
+        authentication_classes = [OAuth2Authentication]
+        permission_classes = [TokenHasResourceScope]
+        required_scopes = ['music']
+
+The `required_scopes` attribute is mandatory (you just need inform the resource scope).
+
+
+IsAuthenticatedOrTokenHasScope
+------------------------------
+The `TokenHasResourceScope` permission class allows the access only when the current access token has been authorized for **all** the scopes listed in the `required_scopes` field of the view but according of request's method.
+And also allows access to Authenticated users who are authenticated in django, but were not authenticated trought the OAuth2Authentication class.
+This allows for protection of the api using scopes, but still let's users browse the full browseable API.
+To restrict users to only browse the parts of the browseable API they should be allowed to see, you can combine this wwith the DjangoModelPermission or the DjangoObjectPermission.
+
+For example:
+
+.. code-block:: python
+
+    class SongView(views.APIView):
+        permission_classes = [IsAuthenticatedOrTokenHasScope, DjangoModelPermission]
+        required_scopes = ['music']
+
+The `required_scopes` attribute is mandatory.

docs/settings.rst

@@ -59,6 +59,11 @@ CLIENT_SECRET_GENERATOR_LENGTH
 The length of the generated secrets, in characters. If this value is too low,
 secrets may become subject to bruteforce guessing.
 
+OAUTH2_SERVER_CLASS
+~~~~~~~~~~~~~~~~~~~~
+The import string for the ``server_class`` (or ``oauthlib.oauth2.Server`` subclass)
+used in the ``OAuthLibMixin`` that implements OAuth2 grant types.
+
 OAUTH2_VALIDATOR_CLASS
 ~~~~~~~~~~~~~~~~~~~~~~
 The import string of the ``oauthlib.oauth2.RequestValidator`` subclass that
@@ -71,7 +76,16 @@ to get a ``Server`` instance.
 
 SCOPES
 ~~~~~~
-A dictionnary mapping each scope name to its human description.
+A dictionary mapping each scope name to its human description.
+
+DEFAULT_SCOPES
+~~~~~~~~~~~~~~
+A list of scopes that should be returned by default.
+This is a subset of the keys of the SCOPES setting.
+By default this is set to '__all__' meaning that the whole set of SCOPES will be returned.
+.. code-block:: python
+
+  DEFAULT_SCOPES = ['read', 'write']
 
 READ_SCOPE
 ~~~~~~~~~~
@@ -81,6 +95,11 @@ WRITE_SCOPE
 ~~~~~~~~~~~
 The name of the *write* scope.
 
+REFRESH_TOKEN_EXPIRE_SECONDS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The number of seconds before a refresh token gets removed from the database by
+the ``cleartokens`` management command. Check :ref:`cleartokens` management command for further info.
+
 REQUEST_APPROVAL_PROMPT
 ~~~~~~~~~~~~~~~~~~~~~~~
 Can be ``'force'`` or ``'auto'``.