Update application (versioning, CORS, README)

Author: nbulaj

README.md

@@ -6,11 +6,12 @@ This is an example of using GrapeOAuth2 gem with the Grape API project.
 
 This app is ready to deploy to Heroku [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy?template=https://github.com/grape-oauth2/grape-oauth2-sample).
 
-Project stack includes: **Grape, Grape-Entity, Grape-OAuth2, ActiveRecord 5, Puma, PostgreSQL, Dotenv, Rubocop, RSpec**.
+Project stack includes: **Grape, Grape::Entity, GrapeOAuth2, ActiveRecord 5, Puma, PostgreSQL, Dotenv, Rack::Cors, Rubocop, RSpec**.
 
 ## Implemented features
 
-* API endpoints (GET, POST);
+* API endpoints with different types of requests (GET, POST);
+* API versioning
 * Resource Owner password credentials authentication;
 * Protected endpoints access with OAuth Tokens;
 * Generate new Access Token via Refresh Token.
@@ -19,7 +20,20 @@ Project stack includes: **Grape, Grape-Entity, Grape-OAuth2, ActiveRecord 5, Pum
 
 To run the application do the following from your command-line:
 
-`> bundle exec rackup config.ru`
+`bundle exec rackup config.ru`
+
+Available API:
+
+```
+  GET  |  /api(.json)                     |      |  Root action   
+ POST  |  /api/oauth/authorize(.json)     |      |  OAuth 2.0 Authorization Endpoint                       
+ POST  |  /api/oauth/token(.json)         |      |  OAuth 2.0 Token Endpoint                               
+ POST  |  /api/oauth/revoke(.json)        |      |  OAuth 2.0 Token Revocation      
+  GET  |  /api/:version/me(.json)         |  v1  |  Information about current resource owner
+  GET  |  /api/:version/posts(.json)      |  v1  |  Get all the posts without authorization                
+  GET  |  /api/:version/posts/:id(.json)  |  v1  |  Read post by ID only if it belongs to authorized author
+ POST  |  /api/:version/posts(.json)      |  v1  |  Create post from authorized user                       
+```
 
 ## Routes
 

app/api.rb

@@ -5,12 +5,12 @@ class API < ::Grape::API
 
     include GrapeOAuth2.api
 
-    mount ::GrapeOAuth2Sample::Endpoints::Posts
-
-    desc 'Root'
+    desc 'Root action'
 
     get '/' do
       { error: ['Please check API documentation'] }
     end
+
+    mount ::GrapeOAuth2Sample::V1::Base
   end
 end

app/endpoints/posts.rb

@@ -0,0 +1,17 @@
+module GrapeOAuth2Sample
+  module V1
+    class Base < ::Grape::API
+      version 'v1', using: :path
+
+      mount ::GrapeOAuth2Sample::V1::Endpoints::Posts
+
+      desc 'Information about current resource owner'
+
+      get '/me' do
+        access_token_required!
+
+        present(current_resource_owner, with: Entities::User)
+      end
+    end
+  end
+end

app/entities/post.rb

@@ -0,0 +1,43 @@
+module GrapeOAuth2Sample
+  module V1
+    module Endpoints
+      class Posts < Grape::API
+        resources :posts do
+          desc 'Get all the posts without authorization'
+
+          get '/' do
+            posts = Post.take(20)
+            present(posts, with: GrapeOAuth2Sample::V1::Entities::Post)
+          end
+
+          desc 'Read post by ID only if it belongs to authorized author'
+
+          params do
+            requires :id, type: Integer, desc: 'ID of the post'
+          end
+
+          get ':id', scopes: [:read] do
+            access_token_required!
+
+            post = current_resource_owner.posts.find(params[:id])
+            present(post, with: GrapeOAuth2Sample::V1::Entities::Post)
+          end
+
+          desc 'Create post from authorized user'
+
+          params do
+            requires :name, type: String, desc: 'Post name'
+            requires :body, type: String, desc: 'Post body'
+          end
+
+          post '/', scopes: [:write] do
+            access_token_required!
+
+            post = current_resource_owner.posts.create!(declared(params))
+            present(post, with: GrapeOAuth2Sample::V1::Entities::Post)
+          end
+        end
+      end
+    end
+  end
+end

app/v1/base.rb

@@ -0,0 +1,11 @@
+module GrapeOAuth2Sample
+  module V1
+    module Entities
+      class Post < Grape::Entity
+        expose :id
+        expose :name
+        expose :body
+      end
+    end
+  end
+end

app/v1/endpoints/posts.rb

@@ -0,0 +1,10 @@
+module GrapeOAuth2Sample
+  module V1
+    module Entities
+      class User < Grape::Entity
+        expose :id
+        expose :username
+      end
+    end
+  end
+end

app/v1/entities/post.rb

@@ -2,5 +2,12 @@ $LOAD_PATH.unshift(File.dirname(__FILE__))
 
 require 'config/application'
 
+use Rack::Cors do
+  allow do
+    origins '*'
+    resource '*', headers: :any, methods: [:get, :post, :put, :delete, :options]
+  end
+end
+
 use OTR::ActiveRecord::ConnectionManagement
 run GrapeOAuth2Sample::API

app/v1/entities/user.rb

@@ -4,6 +4,8 @@
 require 'dotenv'
 Dotenv.load(File.expand_path('.env.local'), File.expand_path('.env'))
 
+require 'rack/cors'
+
 require 'otr-activerecord'
 require 'grape'
 require 'grape-entity'
@@ -25,13 +27,16 @@
 end
 
 # Entities
-Dir[File.expand_path('../../app/entities/*.rb', __FILE__)].each do |entity|
+Dir[File.expand_path('../../app/v1/entities/*.rb', __FILE__)].each do |entity|
   require_relative entity
 end
 
 # Endpoints
-Dir[File.expand_path('../../app/endpoints/*.rb', __FILE__)].each do |endpoint|
+Dir[File.expand_path('../../app/v1/endpoints/*.rb', __FILE__)].each do |endpoint|
   require_relative endpoint
 end
 
+# Versioned APIs
+require_relative '../app/v1/base'
+
 require_relative '../app/api'

config.ru

@@ -2,8 +2,9 @@
 OTR::ActiveRecord.configure_from_file!(File.expand_path('../database.yml', __FILE__))
 
 env = ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+log_file = File.expand_path("../../log/#{env}.log", __FILE__)
 
 ::ActiveRecord::Base.default_timezone = :utc
-::ActiveRecord::Base.logger = Logger.new(File.expand_path("../../log/#{env}.log", __FILE__), File::WRONLY | File::APPEND)
+::ActiveRecord::Base.logger = Logger.new(log_file, File::WRONLY | File::APPEND)
 
 ::ActiveRecord::Migration.verbose = false

config/application.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe 'Me' do
+  let(:application) { Application.create(name: 'App1') }
+  let(:user) { User.create(username: 'Jack Sparrow', password: '12345678') }
+
+  context 'with access token' do
+    it 'returns data without authorization for public route' do
+      access_token = AccessToken.create_for(application, user)
+
+      get 'api/v1/me', access_token: access_token.token
+
+      expect(last_response.status).to eq 200
+      expect(json_body).to include(:id, :username)
+    end
+  end
+
+  context 'without access token' do
+    it 'returns data without authorization for public route' do
+      get 'api/v1/me'
+
+      expect(last_response.status).to eq 401
+      expect(json_body[:error]).to eq('unauthorized')
+    end
+  end
+end

config/database.rb

@@ -12,7 +12,7 @@
         Post.create(name: "post ##{index}", body: 'Body')
       end
 
-      get 'api/posts'
+      get 'api/v1/posts'
 
       expect(last_response.status).to eq 200
       expect(json_body.size).to eq(2)
@@ -21,7 +21,7 @@
 
   context 'protected endpoints' do
     it 'returns Unauthorized without token' do
-      get "api/posts/#{user_post.id}"
+      get "api/v1/posts/#{user_post.id}"
 
       expect(last_response.status).to eq 401
       expect(json_body[:error]).to eq('unauthorized')
@@ -30,7 +30,7 @@
     it 'returns Forbidden with token that does not has required scopes' do
       access_token = AccessToken.create_for(application, user)
 
-      get "api/posts/#{user_post.id}", access_token: access_token.token
+      get "api/v1/posts/#{user_post.id}", access_token: access_token.token
 
       expect(last_response.status).to eq 403
       expect(json_body[:error]).to eq('forbidden')
@@ -40,7 +40,7 @@
       access_token = AccessToken.create_for(application, user, 'read')
       access_token.update(expires_at: (Time.now - 24000).utc)
 
-      get "api/posts/#{user_post.id}", access_token: access_token.token
+      get "api/v1/posts/#{user_post.id}", access_token: access_token.token
 
       expect(last_response.status).to eq 403
       expect(json_body[:error]).to eq('forbidden')
@@ -50,7 +50,7 @@
       access_token = AccessToken.create_for(application, user, 'read')
       access_token.update(revoked_at: (Time.now - 24000).utc)
 
-      get "api/posts/#{user_post.id}", access_token: access_token.token
+      get "api/v1/posts/#{user_post.id}", access_token: access_token.token
 
       expect(last_response.status).to eq 403
       expect(json_body[:error]).to eq('forbidden')
@@ -59,7 +59,7 @@
     it 'returns posts with valid token' do
       access_token = AccessToken.create_for(application, user, 'read')
 
-      get "api/posts/#{user_post.id}", access_token: access_token.token
+      get "api/v1/posts/#{user_post.id}", access_token: access_token.token
 
       expect(last_response.status).to eq 200
       expect(json_body).to include(:id, :name, :body)
@@ -68,7 +68,7 @@
     it 'does not creates a Post with invalid token' do
       access_token = AccessToken.create_for(application, user, 'read')
 
-      post 'api/posts', name: 'Super post', body: 'Body', access_token: access_token.token
+      post 'api/v1/posts', name: 'Super post', body: 'Body', access_token: access_token.token
 
       expect(last_response.status).to eq 403
       expect(Post.count).to be_zero
@@ -78,7 +78,7 @@
       access_token = AccessToken.create_for(application, user, 'read write')
 
       expect {
-        post 'api/posts', name: 'Super post', body: 'Body', access_token: access_token.token
+        post 'api/v1/posts', name: 'Super post', body: 'Body', access_token: access_token.token
       }.to change { Post.count }.from(0).to(1)
 
       expect(last_response.status).to eq 201