Support Bearer Token (#132)

* Support Bearer Token * change method name * Add tests * rcfile.bearer_tokens is nil if .twurlrc doesn't exist * Add "oauth2_tokens" command and support --oauth2 with -c option so users can make an OAuth2 request without creating a user profile if they want... (e.g., a user who only use bearer token) * Change "--oauth2" option name to "--bearer" * Fix AppOnlyTokenInformationController * Fix NoMethodError * Update README * Fix Typo
twitter · Dec 26, 2019 · e9cb1a0 · e9cb1a0
1 parent 3a1a055
commit e9cb1a0
Show file tree

Hide file tree

Showing 14 changed files with 422 additions and 33 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,4 @@
-Twurl
-=====
+# Twurl
 
 [![MIT License](https://img.shields.io/apm/l/atomic-design-ui.svg?)](https://github.com/twitter/twurl/blob/master/LICENSE)
  [![Gem Version](https://badge.fury.io/rb/twurl.svg)](https://badge.fury.io/rb/twurl)
@@ -13,17 +12,15 @@ as defining aliases for common requests, as well as support for
 multiple access tokens to easily switch between different client
 applications and Twitter accounts.
 
-Installing Twurl
-----------------
+## Installing Twurl
 
 Twurl can be installed using RubyGems:
 
 ```sh
 gem install twurl
 ```
 
-Getting Started
----------------
+## Getting Started
 
 If you haven't already, the first thing to do is apply for a developer account to access Twitter APIs:
 
@@ -47,8 +44,7 @@ Authenticate to Twitter, and then enter the returned PIN back into
 the terminal.  Assuming all that works well, you will be authorized
 to make requests with the API. Twurl will tell you as much.
 
-Making Requests
----------------
+## Making Requests
 
 The simplest request just requires that you specify the path you
 want to request.
@@ -73,26 +69,46 @@ the -X (or --request-method) option.
 twurl -X POST /1.1/statuses/destroy/1234567890.json
 ```
 
-Accessing Different Hosts
--------------------------
+## Using Bearer Tokens (Application-only authentication)
+
+You can generate a bearer token using `--bearer` option in combination with the `authorize` subcommand.
+
+```sh
+twurl authorize --bearer --consumer-key key       \
+                         --consumer-secret secret
+```
+
+And then, you can make a request using a generated bearer token using `--bearer` request option.
+
+```sh
+twurl --bearer '/1.1/search/tweets.json?q=hello'
+```
+
+To list your generated bearer tokens, you can use the `bearer_tokens` subcommand.
+
+```sh
+twurl bearer_tokens
+```
+
+This will print a pair of consumer_key and its associated bearer token. Note, tokens are omitted from this output.
+
+## Accessing Different Hosts
 
 You can access different hosts for other Twitter APIs using the -H flag.
 
 ```sh
 twurl -H "ads-api.twitter.com" "/5/accounts"
 ```
 
-Uploading Media
----------------
+## Uploading Media
 
 To upload binary files, you can format the call as a form post. Below, the binary is "/path/to/media.jpg" and the form field is "media":
 
 ```sh
 twurl -H "upload.twitter.com" -X POST "/1.1/media/upload.json" --file "/path/to/media.jpg" --file-field "media"
 ```
 
-Creating aliases
-----------------
+## Creating aliases
 
 ```sh
 twurl alias h /1.1/statuses/home_timeline.json
@@ -111,10 +127,9 @@ twurl alias tweet /1.1/statuses/update.json
 twurl tweet -d "status=Aliases in twurl are convenient"
 ```
 
-Changing your default profile
------------------------------
+## Changing your default profile
 
-The first time you authorize a client application to make requests on behalf of your account, twurl stores your access token information in its .twurlrc file. Subsequent requests will use this profile as the default profile. You can use the 'accounts' subcommand to see what client applications have been authorized for what user names:
+The first time you authorize a client application to make requests on behalf of your account, twurl stores your access token information in its `~/.twurlrc` file. Subsequent requests will use this profile as the default profile. You can use the `accounts` subcommand to see what client applications have been authorized for what user names:
 
 ```sh
 twurl accounts
@@ -125,7 +140,7 @@ twurl accounts
     guT9RsJbNQgVe6AwoY9BA
 ```
 
-Notice that one of those consumer keys is marked as the default. To change the default use the 'set' subcommand, passing then either just the username, if it's unambiguous, or the username and consumer key pair if it isn't unambiguous:
+Notice that one of those consumer keys is marked as the default. To change the default use the `set` subcommand, passing then either just the username, if it's unambiguous, or the username and consumer key pair if it isn't unambiguous:
 
 ```sh
 twurl set default testiverse
@@ -147,8 +162,11 @@ twurl accounts
     guT9RsJbNQgVe6AwoY9BA
 ```
 
-Contributors
-------------
+### Profiles and Bearer Tokens
+
+While changing the default profile allows you to select which access token (OAuth1.0a) to use, bearer tokens don't link to any user profiles as the Application-only authentication doesn't require user context. That is, you can make an application-only request regardless of your default profile if you specify the `-c` (--consumer-key) option once you generate a bearer token with this consumer key. By default, twurl reads the current profile's consumer key and its associated bearer token from `~/.twurlrc` file.
+
+## Contributors
 
 Marcel Molina / @noradio
 

diff --git a/lib/twurl/app_only_oauth_client.rb b/lib/twurl/app_only_oauth_client.rb
@@ -0,0 +1,78 @@
+require 'base64'
+require_relative 'oauth_client'
+
+module Twurl
+  class AppOnlyOAuthClient < Twurl::OAuthClient
+
+    AUTHORIZATION_FAILED_MESSAGE = "Authorization failed. Check that your consumer key and secret are correct."
+
+    attr_reader :consumer_key, :consumer_secret, :bearer_token
+
+    def initialize(options = {})
+      @consumer_key    = options['consumer_key']
+      @consumer_secret = options['consumer_secret']
+      @bearer_token    = options['bearer_token']
+    end
+
+    def save
+      self.class.rcfile.bearer_token(consumer_key, bearer_token)
+    end
+
+    def exchange_credentials_for_access_token
+      response = fetch_oauth2_token
+      if response.nil? || response[:access_token].nil?
+        raise Exception, AUTHORIZATION_FAILED_MESSAGE
+      end
+      @bearer_token = response[:access_token]
+    end
+
+    def perform_request_from_options(options, &block)
+      request = build_request_from_options(options)
+      request['user-agent'] = user_agent
+      request['authorization'] = "Bearer #{bearer_token}"
+
+      http_client.request(request, &block)
+    end
+
+    def needs_to_authorize?
+      bearer_token.nil?
+    end
+
+    def request_data
+      {'grant_type' => 'client_credentials'}
+    end
+
+    def http_client
+      uri = URI.parse(Twurl.options.base_url)
+      http = if Twurl.options.proxy
+        proxy_uri = URI.parse(Twurl.options.proxy)
+        Net::HTTP.new(uri.host, uri.port, proxy_uri.host, proxy_uri.port)
+      else
+        Net::HTTP.new(uri.host, uri.port)
+      end
+      set_http_client_options(http)
+    end
+
+    def set_http_client_options(http)
+      http.set_debug_output(Twurl.options.debug_output_io) if Twurl.options.trace
+      http.read_timeout = http.open_timeout = Twurl.options.timeout || 60
+      http.open_timeout = Twurl.options.connection_timeout if Twurl.options.connection_timeout
+      # Only override if Net::HTTP support max_retries (since Ruby >= 2.5)
+      http.max_retries = 0 if http.respond_to?(:max_retries=)
+      if Twurl.options.ssl?
+        http.use_ssl     = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+      http
+    end
+
+    def fetch_oauth2_token
+      request = Net::HTTP::Post.new('/oauth2/token')
+      request.body = URI.encode_www_form(request_data)
+      request['user-agent'] = user_agent
+      request['authorization'] = "Basic #{Base64.strict_encode64("#{consumer_key}:#{consumer_secret}")}"
+      response = http_client.request(request).body
+      JSON.parse(response,:symbolize_names => true)
+    end
+  end
+end
diff --git a/lib/twurl/app_only_token_information_controller.rb b/lib/twurl/app_only_token_information_controller.rb
@@ -0,0 +1,18 @@
+module Twurl
+  class AppOnlyTokenInformationController < AbstractCommandController
+    NO_ISSUED_TOKENS_MESSAGE = "No issued application-only (Bearer) tokens"
+
+    def dispatch
+      rcfile = OAuthClient.rcfile
+      if rcfile.empty? || rcfile.bearer_tokens.nil?
+        CLI.puts NO_ISSUED_TOKENS_MESSAGE
+      else
+        tokens = rcfile.bearer_tokens
+        CLI.puts "[consumer_key: bearer_token]"
+        tokens.each_key do |consumer_key|
+          CLI.puts "#{consumer_key}: (omitted)"
+        end
+      end
+    end
+  end
+end
diff --git a/lib/twurl/cli.rb b/lib/twurl/cli.rb
@@ -1,6 +1,6 @@
 module Twurl
   class CLI
-    SUPPORTED_COMMANDS     = %w(authorize accounts alias set)
+    SUPPORTED_COMMANDS     = %w(authorize accounts bearer_tokens alias set)
     DEFAULT_COMMAND        = 'request'
     PATH_PATTERN           = /^\/\w+/
     PROTOCOL_PATTERN       = /^\w+:\/\//
@@ -28,6 +28,8 @@ def dispatch(options)
                        AuthorizationController
                      when 'accounts'
                        AccountInformationController
+                     when 'bearer_tokens'
+                       AppOnlyTokenInformationController
                      when 'alias'
                        AliasesController
                      when 'set'
@@ -90,6 +92,7 @@ def parse_options(args)
             json_format
             timeout
             connection_timeout
+            app_only
           end
         end
 
@@ -345,6 +348,12 @@ def connection_timeout
           options.connection_timeout = connection_timeout
         end
       end
+
+      def app_only
+        on('--bearer', "Use application-only authentication (Bearer Token)") do |app_only|
+          options.app_only = true
+        end
+      end
     end
   end
 

diff --git a/lib/twurl/oauth_client.rb b/lib/twurl/oauth_client.rb
@@ -13,12 +13,16 @@ def load_from_options(options)
           load_client_for_username_and_consumer_key(options.username, options.consumer_key)
         elsif options.username
           load_client_for_username(options.username)
+        elsif options.command == 'authorize' && options.app_only
+          load_client_for_app_only_auth(options, options.consumer_key)
         elsif options.command == 'authorize'
           load_new_client_from_options(options)
         elsif options.command == 'request' && has_oauth_options?(options)
           load_new_client_from_oauth_options(options)
+        elsif options.command == 'request' && options.app_only && options.consumer_key
+          load_client_for_non_profile_app_only_auth(options)
         else
-          load_default_client
+          load_default_client(options)
         end
       end
 
@@ -59,9 +63,44 @@ def load_new_client_from_oauth_options(options)
         )
       end
 
-      def load_default_client
-        raise Exception, "You must authorize first" unless rcfile.default_profile
-        load_client_for_username_and_consumer_key(*rcfile.default_profile)
+      def load_client_for_app_only_auth(options, consumer_key)
+        if options.command == 'authorize'
+          AppOnlyOAuthClient.new(options)
+        else
+          AppOnlyOAuthClient.new(
+            options.oauth_client_options.merge(
+              'bearer_token' => rcfile.bearer_tokens.to_hash[consumer_key]
+            )
+          )
+        end
+      end
+
+      def load_client_for_non_profile_app_only_auth(options)
+        AppOnlyOAuthClient.new(
+          options.oauth_client_options.merge(
+            'bearer_token' => rcfile.bearer_tokens.to_hash[options.consumer_key]
+          )
+        )
+      end
+
+      def load_default_client(options)
+        return if options.command == 'bearer_tokens'
+
+        exception_message = "You must authorize first."
+        app_only_exception_message = "To use --bearer option, you need to authorize (OAuth1.0a) and create at least one user profile (~/.twurlrc):\n\n" \
+                                     "twurl authorize -c key -s secret\n" \
+                                     "\nor, you can specify issued token's consumer_key directly:\n" \
+                                     "(to see your issued tokens: 'twurl bearer_tokens')\n\n" \
+                                     "twurl --bearer -c key '/path/to/api'"
+
+        raise Exception, "#{options.app_only ? app_only_exception_message : exception_message}" unless rcfile.default_profile
+        if options.app_only
+            raise Exception, "No available bearer token found for consumer_key:#{rcfile.default_profile_consumer_key}" \
+              unless rcfile.has_bearer_token_for_consumer_key?(rcfile.default_profile_consumer_key)
+            load_client_for_app_only_auth(options, rcfile.default_profile_consumer_key)
+        else
+          load_client_for_username_and_consumer_key(*rcfile.default_profile)
+        end
       end
     end
 
@@ -88,7 +127,7 @@ def initialize(options = {})
         :copy => Net::HTTP::Copy
       }
 
-    def perform_request_from_options(options, &block)
+    def build_request_from_options(options, &block)
       request_class = METHODS.fetch(options.request_method.to_sym)
       request = request_class.new(options.path, options.headers)
 
@@ -136,7 +175,11 @@ def perform_request_from_options(options, &block)
           end.join("&")
         end
       end
+      request
+    end
 
+    def perform_request_from_options(options, &block)
+      request = build_request_from_options(options)
       request.oauth!(consumer.http, consumer, access_token)
       request['user-agent'] = user_agent
       consumer.http.request(request, &block)

diff --git a/lib/twurl/rcfile.rb b/lib/twurl/rcfile.rb
@@ -52,6 +52,11 @@ def default_profile
       configuration['default_profile']
     end
 
+    def default_profile_consumer_key
+      username, consumer_key = configuration['default_profile']
+      consumer_key
+    end
+
     def default_profile=(profile)
       configuration['default_profile'] = [profile.username, profile.consumer_key]
     end
@@ -70,6 +75,16 @@ def aliases
       data['aliases']
     end
 
+    def bearer_token(consumer_key, bearer_token)
+      data['bearer_tokens'] ||= {}
+      data['bearer_tokens'][consumer_key] = bearer_token
+      save
+    end
+
+    def bearer_tokens
+      data['bearer_tokens']
+    end
+
     def alias_from_options(options)
       options.subcommands.each do |potential_alias|
         if path = alias_from_name(potential_alias)
@@ -87,6 +102,10 @@ def has_oauth_profile_for_username_with_consumer_key?(username, consumer_key)
       !user_profiles.nil? && !user_profiles[consumer_key].nil?
     end
 
+    def has_bearer_token_for_consumer_key?(consumer_key)
+      bearer_tokens.nil? ? false : bearer_tokens.to_hash.has_key?(consumer_key)
+    end
+
     def <<(oauth_client)
       client_from_file = self[oauth_client.username] || {}
       client_from_file[oauth_client.consumer_key] = oauth_client.to_hash