Merge branch 'release/0.2.3'

Signed-off-by: Alex Bilbie <alex@alexbilbie.com>

.gitattributes

@@ -0,0 +1,4 @@
+tests/ export-ignore
+phpunit.xml export-ignore
+build.xml export-ignore
+test export-ignore

.gitignore

@@ -0,0 +1,5 @@
+/vendor/
+/composer.lock
+/docs/build/
+/build/logs/
+/build/coverage/

README.md

@@ -1,7 +1,47 @@
-# PHP OAuth server
+# PHP OAuth Framework
 
-The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) server that supports a number of different authentication flows, and two extensions, [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/) and [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
+The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authentication server, resource server and client library with support for a major OAuth 2 providers.
 
-The library will be a [composer](http://getcomposer.org/) package and will be framework agnostic.
+## Package Installation
 
-This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the access and identity management programme.
+The framework is provided as a Composer package which can be installed by adding the package to your composer.json file:
+
+```javascript
+{
+	"require": {  
+		"lncd\Oauth2": "*"  
+	}
+}
+```
+
+## Package Integration
+
+Check out the [wiki](https://github.com/lncd/OAuth2/wiki)
+
+## Current Features
+
+### Authentication Server
+
+The authentication server is a flexible class that supports the standard authorization code grant.
+
+### Resource Server
+
+The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct permission to access resources.
+
+
+
+
+## Future Goals
+
+### Authentication Server
+
+* Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
+* Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
+
+### Client support
+
+* Merge in https://github.com/philsturgeon/codeigniter-oauth2
+
+---
+
+This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.

build.xml

@@ -1,10 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project name="PHP OAuth 2.0 Server" default="build">
-	<target name="build" depends="prepare,lint,phploc,pdepend,phpmd-ci,phpcs-ci,phpcpd,phpdox,phpcb"/>
+
+	<target name="build" depends="prepare,lint,phploc,pdepend,phpmd-ci,phpcs-ci,phpcpd,composer,phpunit,phpdox,phpcb"/>
 	
 	<target name="build-parallel" depends="prepare,lint,tools-parallel,phpcb"/>
 	
-	<target name="minimal" depends="prepare,lint,phploc,pdepend,phpcpd,phpdox,phpcb" />
+	<target name="minimal" depends="prepare,lint,phploc,pdepend,phpcpd,composer,phpunit,phpdox,phpcb" />
 	
 	<target name="tools-parallel" description="Run tools in parallel">
 		<parallel threadCount="2">
@@ -109,6 +110,20 @@
 			<arg path="${basedir}/src" />
 		</exec>
 	</target>
+
+	<target name="composer" description="Install Composer requirements">
+		<exec executable="composer.phar" failonerror="true">
+			<arg value="install" />
+			<arg value="--dev" />
+		</exec>
+	</target>
+
+	<target name="phpunit" description="Run unit tests with PHPUnit">
+		<exec executable="${basedir}/vendor/bin/phpunit" failonerror="true">
+			<arg value="--configuration" />
+			<arg value="${basedir}/build/phpunit.xml" />
+		</exec>
+	</target>
 	
 	<target name="phpdox" description="Generate API documentation using phpDox">
 		<exec executable="phpdox"/>

build/phpunit.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false">
+	<testsuites>
+		<testsuite name="Authentication Server">
+			<directory suffix="test.php">../tests/authentication</directory>
+		</testsuite>
+		<testsuite name="Resource Server">
+			<directory suffix="test.php">../tests/resource</directory>
+		</testsuite>
+	</testsuites>
+	<filter>
+		<blacklist>
+			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
+			<directory suffix=".php">PHP_LIBDIR</directory>
+			<directory suffix=".php">../vendor/composer</directory>
+		</blacklist>
+	</filter>
+	<logging>
+		<log type="coverage-html" target="coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="35" highLowerBound="70"/>
+		<log type="coverage-clover" target="logs/clover.xml"/>
+		<log type="junit" target="logs/junit.xml" logIncompleteSkipped="false"/>
+	</logging>
+</phpunit>

composer.json

@@ -1,12 +1,15 @@
 {
 	"name": "lncd/Oauth2",
-	"description": "OAuth 2.0 server - UNDER DEVELOPMENT - NOT READY FOR PRIMETIME",
-	"version": "0.0.1",
+	"description": "OAuth 2.0 Framework",
+	"version": "0.2.3",
 	"homepage": "https://github.com/lncd/OAuth2",
 	"license": "MIT",
 	"require": {
 		"php": ">=5.3.0"
 	},
+	"require-dev": {
+		"EHER/PHPUnit": "*"
+	},
 	"repositories": [
 		{
 			"type": "git",
@@ -16,12 +19,15 @@
 	"keywords": [
 		"oauth",
 		"oauth2",
-		"server"
+		"server",
+		"authorization",
+		"authentication",
+		"resource"
 	],
 	"authors": [
 		{
 			"name": "Alex Bilbie",
-			"email": "oauth2server@alexbilbie.com",
+			"email": "oauth2@alexbilbie.com",
 			"homepage": "http://www.httpster.org",
 			"role": "Developer"
 		}

src/Oauth2/Authentication/Server.php

@@ -2,17 +2,17 @@
 
 namespace Oauth2\Authentication;
 
-class OAuthServerClientException extends \Exception
+class ClientException extends \Exception
 {
 
 }
 
-class OAuthServerUserException extends \Exception
+class UserException extends \Exception
 {
 
 }
 
-class OAuthServerException extends \Exception
+class ServerException extends \Exception
 {
 
 }
@@ -23,13 +23,13 @@ class Server
      * Reference to the database abstractor
      * @var object
      */
-    private $db;
+    private $_db = null;
 
     /**
      * Server configuration
      * @var array
      */
-    private $config = array(
+    private $_config = array(
         'scope_delimeter'       =>  ',',
         'access_token_ttl'   =>  null
     );
@@ -38,7 +38,7 @@ class Server
      * Supported response types
      * @var array
      */
-    private $response_types =   array(
+    private $_responseTypes =   array(
         'code'
     );
     
@@ -46,7 +46,7 @@ class Server
      * Supported grant types
      * @var array
      */
-    private $grant_types    =   array(
+    private $_grantTypes    =   array(
         'authorization_code'
     );
 
@@ -97,7 +97,7 @@ class Server
     public function __construct($options = null)
     {
         if ($options !== null) {
-            $this->options = array_merge($this->config, $options);
+            $this->options = array_merge($this->_config, $options);
         }
     }
 
@@ -110,7 +110,7 @@ class Server
      */
     public function registerDbAbstractor($db)
     {
-        $this->db = $db;
+        $this->_db = $db;
     }
 
     /**
@@ -127,7 +127,7 @@ class Server
         // Client ID
         if ( ! isset($authParams['client_id']) && ! isset($_GET['client_id'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
 
         } else {
 
@@ -138,7 +138,7 @@ class Server
         // Redirect URI
         if ( ! isset($authParams['redirect_uri']) && ! isset($_GET['redirect_uri'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
 
         } else {
 
@@ -147,27 +147,26 @@ class Server
         }
 
         // Validate client ID and redirect URI
-        $clientDetails = $this->db->validateClient($params['client_id'], null, $params['redirect_uri']);
+        $clientDetails = $this->_dbCall('validateClient', $params['client_id'], null, $params['redirect_uri']);
 
         if ($clientDetails === false) {
 
-            throw new OAuthServerClientException(
-                $this->errors['invalid_client'], 8);
+            throw new ClientException($this->errors['invalid_client'], 8);
         }
 
         // Response type
         if ( ! isset($authParams['response_type']) && ! isset($_GET['response_type'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'response_type'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'response_type'), 0);
 
         } else {
 
             $params['response_type'] = (isset($authParams['response_type'])) ? $authParams['response_type'] : $_GET['response_type'];
 
             // Ensure response type is one that is recognised
-            if ( ! in_array($params['response_type'], $this->response_types)) {
+            if ( ! in_array($params['response_type'], $this->_responseTypes)) {
 
-                throw new OAuthServerClientException($this->errors['unsupported_response_type'], 3);
+                throw new ClientException($this->errors['unsupported_response_type'], 3);
 
             }
         }
@@ -175,12 +174,9 @@ class Server
         // Get and validate scopes
         if (isset($authParams['scope']) || isset($_GET['scope'])) {
 
-            $scopes = $_GET['scope'];
-            if (isset($authParams['client_id'])) {
-                $authParams['scope'];
-            }
+            $scopes = (isset($_GET['scope'])) ? $_GET['scope'] : $authParams['scope'];
 
-            $scopes = explode($this->config['scope_delimeter'], $scopes);
+            $scopes = explode($this->_config['scope_delimeter'], $scopes);
 
             // Remove any junk scopes
             for ($i = 0; $i < count($scopes); $i++) {
@@ -193,18 +189,18 @@ class Server
 
             if (count($scopes) === 0) {
 
-                throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'scope'), 0);
+                throw new ClientException(sprintf($this->errors['invalid_request'], 'scope'), 0);
             }
 
             $params['scopes'] = array();
 
             foreach ($scopes as $scope) {
 
-                $scopeDetails = $this->db->getScope($scope);
-
+                $scopeDetails = $this->_dbCall('getScope', $scope);
+                
                 if ($scopeDetails === false) {
 
-                    throw new OAuthServerClientException(sprintf($this->errors['invalid_scope'], $scope), 4);
+                    throw new ClientException(sprintf($this->errors['invalid_scope'], $scope), 4);
 
                 }
 
@@ -227,7 +223,7 @@ class Server
     public function newAuthoriseRequest($type, $typeId, $authoriseParams)
     {
         // Remove any old sessions the user might have
-        $this->db->deleteSession(
+        $this->_dbCall('deleteSession',
             $authoriseParams['client_id'],
             $type,
             $typeId
@@ -276,7 +272,7 @@ class Server
         // new authorisation code otherwise create a new session
         if ($accessToken !== null) {
 
-            $this->db->updateSession(
+            $this->_dbCall('updateSession',
                 $clientId,
                 $type,
                 $typeId,
@@ -288,10 +284,10 @@ class Server
         } else {
 
             // Delete any existing sessions just to be sure
-            $this->db->deleteSession($clientId, $type, $typeId);
+            $this->_dbCall('deleteSession', $clientId, $type, $typeId);
                
             // Create a new session     
-            $sessionId = $this->db->newSession(
+            $sessionId = $this->_dbCall('newSession',
                 $clientId,
                 $redirectUri,
                 $type,
@@ -305,7 +301,7 @@ class Server
             // Add the scopes
             foreach ($scopes as $key => $scope) {
 
-                $this->db->addSessionScope($sessionId, $scope['scope']);
+                $this->_dbCall('addSessionScope', $sessionId, $scope['scope']);
 
             }
 
@@ -327,19 +323,18 @@ class Server
     {
         $params = array();
 
-        // Grant type (must be 'authorization_code')
         if ( ! isset($authParams['grant_type']) && ! isset($_POST['grant_type'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'grant_type'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'grant_type'), 0);
 
         } else {
 
             $params['grant_type'] = (isset($authParams['grant_type'])) ? $authParams['grant_type'] : $_POST['grant_type'];
 
-            // Ensure response type is one that is recognised
-            if ( ! in_array($params['grant_type'], $this->grant_types)) {
+            // Ensure grant type is one that is recognised
+            if ( ! in_array($params['grant_type'], $this->_grantTypes)) {
 
-                throw new OAuthServerClientException($this->errors['unsupported_grant_type'], 7);
+                throw new ClientException($this->errors['unsupported_grant_type'], 7);
 
             }
         }
@@ -349,13 +344,13 @@ class Server
             
             case 'authorization_code': // Authorization code grant
                 return $this->completeAuthCodeGrant($authParams, $params);
-                break;
+                break;  
 
             case 'refresh_token': // Refresh token
             case 'password': // Resource owner password credentials grant
             case 'client_credentials': // Client credentials grant
             default: // Unsupported
-                throw new OAuthServerException($this->errors['server_error'] . 'Tried to process an unsuppported grant type.', 5);
+                throw new ServerException($this->errors['server_error'] . 'Tried to process an unsuppported grant type.', 5);
                 break;
         }
     }
@@ -375,7 +370,7 @@ class Server
         // Client ID
         if ( ! isset($authParams['client_id']) && ! isset($_POST['client_id'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
 
         } else {
 
@@ -386,7 +381,7 @@ class Server
         // Client secret
         if ( ! isset($authParams['client_secret']) && ! isset($_POST['client_secret'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_secret'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_secret'), 0);
 
         } else {
 
@@ -397,7 +392,7 @@ class Server
         // Redirect URI
         if ( ! isset($authParams['redirect_uri']) && ! isset($_POST['redirect_uri'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
 
         } else {
 
@@ -406,7 +401,7 @@ class Server
         }
 
         // Validate client ID and redirect URI
-        $clientDetails = $this->db->validateClient(
+        $clientDetails = $this->_dbCall('validateClient',
             $params['client_id'],
             $params['client_secret'], 
             $params['redirect_uri']
@@ -414,14 +409,13 @@ class Server
 
         if ($clientDetails === false) {
 
-            throw new OAuthServerClientException($this->errors['invalid_client'], 8);
+            throw new ClientException($this->errors['invalid_client'], 8);
         }
 
         // The authorization code
-        if ( ! isset($authParams['code']) && 
-            ! isset($_POST['code'])) {
+        if ( ! isset($authParams['code']) && ! isset($_POST['code'])) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'code'), 0);
+            throw new ClientException(sprintf($this->errors['invalid_request'], 'code'), 0);
 
         } else {
 
@@ -431,7 +425,7 @@ class Server
 
         // Verify the authorization code matches the client_id and the
         //  request_uri
-        $session = $this->db->validateAuthCode(
+        $session = $this->_dbCall('validateAuthCode',
             $params['client_id'],
             $params['redirect_uri'],
             $params['code']
@@ -439,7 +433,7 @@ class Server
 
         if ( ! $session) {
 
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_grant'], 'code'), 9);
+            throw new ClientException(sprintf($this->errors['invalid_grant'], 'code'), 9);
         
         } else {
 
@@ -448,9 +442,9 @@ class Server
 
             $accessToken = $this->generateCode();
 
-            $accessTokenExpires = ($this->config['access_token_ttl'] === null) ? null : time() + $this->config['access_token_ttl'];
+            $accessTokenExpires = ($this->_config['access_token_ttl'] === null) ? null : time() + $this->_config['access_token_ttl'];
 
-            $this->db->updateSession(
+            $this->_dbCall('updateSession',
                 $session['id'],
                 null,
                 $accessToken,
@@ -459,7 +453,7 @@ class Server
             );
 
             // Update the session's scopes to reference the access token
-            $this->db->updateSessionScopeAccessToken(
+            $this->_dbCall('updateSessionScopeAccessToken',
                 $session['id'],
                 $accessToken
             );
@@ -467,7 +461,7 @@ class Server
             return array(
                 'access_token'  =>  $accessToken,
                 'token_type'    =>  'bearer',
-                'expires_in'    =>  $this->config['access_token_ttl']
+                'expires_in'    =>  $this->_config['access_token_ttl']
             );
         }
     }
@@ -497,4 +491,27 @@ class Server
         return $redirectUri;
 
     }
+
+    /**
+     * Call database methods from the abstractor
+     * 
+     * @return mixed The query result
+     */
+    private function _dbCall()
+    {
+        if ($this->_db === null) {
+            throw new ServerException('No registered database abstractor');
+        }
+
+        if ( ! $this->_db instanceof Database) {
+            throw new ServerException('Registered database abstractor is not an instance of Oauth2\Authentication\Database');
+        }
+
+        $args = func_get_args();
+        $method = $args[0];
+        unset($args[0]);
+        $params = array_values($args);
+
+        return call_user_func_array(array($this->_db, $method), $params);
+    }
 }

src/Oauth2/Resource/Database.php

@@ -4,4 +4,56 @@ namespace Oauth2\Resource;
 
 interface Database
 {
+    /**
+     * Validate an access token and return the session details.
+     * 
+     * Database query:
+     * 
+     * <code>
+     * SELECT id, owner_type, owner_id FROM oauth_sessions WHERE access_token =
+     *  $accessToken AND stage = 'granted' AND
+     *  access_token_expires > UNIX_TIMESTAMP(now())
+     * </code>
+     * 
+     * Response:
+     * 
+     * <code>
+     * Array
+     * (
+     *     [id] => (int) The session ID
+     *     [owner_type] => (string) The session owner type
+     *     [owner_id] => (string) The session owner's ID
+     * )
+     * </code>
+     * 
+     * @param  string     $accessToken The access token
+     * @return array|bool              Return an array on success or false on failure
+     */
+    public function validateAccessToken($accessToken);
+
+    /**
+     * Returns the scopes that the session is authorised with.
+     * 
+     * Database query:
+     * 
+     * <code>
+     * SELECT scope FROM oauth_session_scopes WHERE access_token =
+     *  '291dca1c74900f5f252de351e0105aa3fc91b90b'
+     * </code>
+     * 
+     * Response:
+     * 
+     * <code>
+     * Array
+     * (
+     *      [0] => (string) A scope
+     *      [1] => (string) Another scope
+     *      ...
+     * )
+     * </code>
+     * 
+     * @param  int   $sessionId The session ID
+     * @return array            A list of scopes
+     */
+    public function sessionScopes($sessionId);
 }

src/Oauth2/Resource/Server.php

@@ -2,7 +2,246 @@
 
 namespace Oauth2\Resource;
 
+class ServerException extends \Exception
+{
+
+}
+
+class ClientException extends \Exception
+{
+
+}
+
 class Server
 {
+    /**
+     * Reference to the database abstractor
+     * @var object
+     */
+    private $_db = null;
+
+    /**
+     * The access token.
+     * @access private
+     */
+    private $_accessToken = null;
+
+    /**
+     * The scopes the access token has access to.
+     * @access private
+     */
+    private $_scopes = array();
+
+    /**
+     * The type of owner of the access token.
+     * @access private
+     */
+    private $_type = null;
+
+    /**
+     * The ID of the owner of the access token.
+     * @access private
+     */
+    private $_typeId = null;
+
+    /**
+     * Server configuration
+     * @var array
+     */
+    private $_config = array(
+        'token_key' =>  'oauth_token'
+    );
+
+    /**
+     * Error codes.
+     * 
+     * To provide i8ln errors just overwrite the keys
+     * 
+     * @var array
+     */
+    public $errors = array(
+        'missing_access_token'  =>  'An access token was not presented with the request',
+        'invalid_access_token'  =>  'The access token is not registered with the resource server',
+        'missing_access_token_details'  =>  'The registered database abstractor did not return a valid access token details response',
+        'invalid_access_token_scopes'   =>  'The registered database abstractor did not return a valid access token scopes response',
+    );
+
+    /**
+     * Constructor
+     * 
+     * @access public
+     * @return void
+     */
+    public function __construct($options = null)
+    {
+        if ($options !== null) {
+            $this->config = array_merge($this->config, $options);
+        }
+    }
+
+    /**
+     * Magic method to test if access token represents a particular owner type
+     * @param  string $method     The method name
+     * @param  mixed  $arguements The method arguements
+     * @return bool               If method is valid, and access token is owned by the requested party then true,
+     */
+    public function __call($method, $arguements = null)
+    {
+        if (substr($method, 0, 2) === 'is') {
+
+            if ($this->_type === strtolower(substr($method, 2))) {
+                return $this->_typeId;
+            }
+            
+            return false;
+        }
+
+        trigger_error('Call to undefined function ' . $method . '()');
+    }
+
+    /**
+     * Register a database abstrator class
+     * 
+     * @access public
+     * @param  object $db A class that implements OAuth2ServerDatabase
+     * @return void
+     */
+    public function registerDbAbstractor($db)
+    {
+        $this->_db = $db;
+    }
     
+    /**
+     * Init function
+     * 
+     * @access public
+     * @return void
+     */
+    public function init()
+    {
+        $accessToken = null;
+
+        
+        $_SERVER['REQUEST_METHOD'] = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : null;
+
+        // Try and get the access token via an access_token or oauth_token parameter
+        switch ($_SERVER['REQUEST_METHOD'])
+        {           
+            case 'POST':
+                $accessToken = isset($_POST[$this->_config['token_key']]) ? $_POST[$this->_config['token_key']] : null;
+                break;
+
+            default:
+            $accessToken = isset($_GET[$this->_config['token_key']]) ? $_GET[$this->_config['token_key']] : null;
+                break;
+        }
+
+        // Try and get an access token from the auth header
+        if (function_exists('getallheaders')) {
+
+            $headers = getallheaders();
+            
+            if (isset($headers['Authorization'])) {
+
+                $rawToken = trim(str_replace('Bearer', '', $headers['Authorization']));
+
+                if ( ! empty($rawToken)) {
+                    $accessToken = base64_decode($rawToken);
+                }
+            }
+        }
+        
+        if ($accessToken) {
+
+            $result = $this->_dbCall('validateAccessToken', $accessToken);
+
+            if ($result === false) {
+
+                throw new ClientException($this->errors['invalid_access_token']);
+
+            } else {
+
+                if ( ! array_key_exists('id', $result) || ! array_key_exists('owner_id', $result) || 
+                     ! array_key_exists('owner_type', $result)) {
+                    throw new ServerException($this->errors['missing_access_token_details']);
+                }
+
+                $this->_accessToken = $accessToken;
+                $this->_type = $result['owner_type'];
+                $this->_typeId = $result['owner_id'];
+
+                // Get the scopes
+                $scopes = $this->_dbCall('sessionScopes', $result['id']);
+
+                if ( ! is_array($scopes))
+                {
+                    throw new ServerException($this->errors['invalid_access_token_scopes']);
+                }
+
+                $this->_scopes = $scopes;
+            }
+
+        } else {
+
+            throw new ClientException($this->errors['missing_access_token']);
+
+        }
+    }
+    
+    /**
+     * Test if the access token has a specific scope
+     * 
+     * @param mixed $scopes Scope(s) to check
+     * 
+     * @access public
+     * @return string|bool
+     */
+    public function hasScope($scopes)
+    {
+        if (is_string($scopes)) {
+
+            if (in_array($scopes, $this->_scopes)) {
+                return true;
+            }
+            
+            return false;
+
+        } elseif (is_array($scopes)) {
+
+            foreach ($scopes as $scope) {
+
+                if ( ! in_array($scope, $this->_scopes)) {
+                    return false;
+                }
+
+            }
+            
+            return true;
+        }
+        
+        return false;
+    }
+
+    /**
+     * Call database methods from the abstractor
+     * 
+     * @return mixed The query result
+     */
+    private function _dbCall()
+    {
+        if ($this->_db === null) {
+            throw new ServerException('No registered database abstractor');
+        }
+
+        if ( ! $this->_db instanceof Database) {
+            throw new ServerException('The registered database abstractor is not an instance of Oauth2\Resource\Database');
+        }
+
+        $args = func_get_args();
+        $method = $args[0];
+        unset($args[0]);
+        $params = array_values($args);
+
+        return call_user_func_array(array($this->_db, $method), $params);
+    }
 }

test

@@ -0,0 +1 @@
+vendor/bin/phpunit --coverage-text --configuration build/phpunit.xml

test/index.php

@@ -1,84 +0,0 @@
-<?php
-
-include_once('../src/oauth2server/Dbinterface.php');
-include_once('../src/oauth2server/Server.php');
-use \oauth2server;
-
-class db extends oauth2server\ServerDB {
-	
-	public function validateClient(
-        string $clientId,
-        string $clientSecret = null,
-        string $redirectUri = null
-    ){}
-
-    public function newSession(
-        string $clientId,
-        string $redirectUri,
-        $type = 'user',
-        string $typeId = null,
-        string $authCode = null,
-        string $accessToken = null,
-        $stage = 'request'
-    ){}
-
-    public function updateSession(
-        string $clientId,
-        $type = 'user',
-        string $typeId = null,
-        string $authCode = null,
-        string $accessToken = null,
-        string $stage
-    ){}
-
-    public function deleteSession(
-        string $clientId,
-        string $type,
-        string $typeId
-    ){}
-
-    public function validateAuthCode(
-        string $clientId,
-        string $redirectUri,
-        string $authCode
-    ){}
-
-    /**
-     * Has access token
-     * 
-     * Check if an access token exists for a user (or an application)
-     * 
-     * @access public
-     * @return bool|string Return FALSE is a token doesn't exist or return the 
-     * access token as a string
-     */
-    public function hasAccessToken(
-        string $typeId,
-        string $clientId
-    ){}
-
-    public function getAccessToken(int $sessionId){}
-
-    public function removeAuthCode(int $sessionId){}
-
-    public function setAccessToken(
-        int $sessionId,
-        string $accessToken
-    ){}
-
-    public function addSessionScope(
-        int $sessionId,
-        string $scope
-    ){}
-
-    public function getScope(string $scope){}
-
-    public function updateSessionScopeAccessToken(
-        int $sesstionId,
-        string $accessToken
-    ){}
-
-    public function accessTokenScopes(string $accessToken){}
-}
-
-$server = new oauth2server\Server();

tests/authentication/database_mock.php

@@ -0,0 +1,191 @@
+<?php
+
+use Oauth2\Authentication\Database;
+
+class OAuthdb implements Database
+{
+	private $sessions = array();
+	private $sessions_client_type_id = array();
+	private $sessions_code = array();
+	private $session_scopes = array();
+
+	private $clients = array(0 => array(
+		'client_id'	=>	'test',
+		'client_secret'	=>	'test',
+		'redirect_uri'	=>	'http://example.com/test',
+		'name'	=>	'Test Client'
+	));
+
+	private $scopes = array('test' => array(
+		'id'	=>	1,
+		'scope'	=>	'test',
+		'name'	=>	'test',
+		'description'	=>	'test'
+	));
+
+	public function validateClient(
+        $clientId,
+        $clientSecret = null,
+        $redirectUri = null
+    )
+    {
+    	if ($clientId !== $this->clients[0]['client_id'])
+    	{
+    		return false;
+    	}
+
+    	if ($clientSecret !== null && $clientSecret !== $this->clients[0]['client_secret'])
+    	{
+    		return false;
+    	}
+
+    	if ($redirectUri !== null && $redirectUri !== $this->clients[0]['redirect_uri'])
+    	{
+    		return false;
+    	}
+
+    	return $this->clients[0];
+    }
+
+    public function newSession(
+        $clientId,
+        $redirectUri,
+        $type = 'user',
+        $typeId = null,
+        $authCode = null,
+        $accessToken = null,
+        $accessTokenExpire = null,
+        $stage = 'requested'
+    )
+    {
+    	$id = count($this->sessions);
+
+    	$this->sessions[$id] = array(
+    		'id'	=>	$id,
+    		'client_id'	=>	$clientId,
+    		'redirect_uri'	=>	$redirectUri,
+    		'owner_type'	=>	$type,
+    		'owner_id'	=>	$typeId,
+    		'auth_code'	=>	$authCode,
+    		'access_token'	=>	$accessToken,
+    		'access_token_expire'	=>	$accessTokenExpire,
+    		'stage'	=>	$stage
+    	);
+
+    	$this->sessions_client_type_id[$clientId . ':' . $type . ':' . $typeId] = $id;
+    	$this->sessions_code[$clientId . ':' . $redirectUri . ':' . $authCode] = $id;
+
+    	return true;
+    }
+
+    public function updateSession(
+        $sessionId,
+        $authCode = null,
+        $accessToken = null,
+        $accessTokenExpire = null,
+        $stage = 'requested'
+    )
+    {
+    	$this->sessions[$sessionId]['auth_code'] = $authCode;
+    	$this->sessions[$sessionId]['access_token'] = $accessToken;
+    	$this->sessions[$sessionId]['access_token_expire'] = $accessTokenExpire;
+    	$this->sessions[$sessionId]['stage'] = $stage;
+
+    	return true;
+    }
+
+    public function deleteSession(
+        $clientId,
+        $type,
+        $typeId
+    )
+    {
+    	$key = $clientId . ':' . $type . ':' . $typeId;
+    	if (isset($this->sessions_client_type_id[$key]))
+    	{
+    		unset($this->sessions[$this->sessions_client_type_id[$key]]);
+    	}
+    	return true;
+    }
+
+    public function validateAuthCode(
+        $clientId,
+        $redirectUri,
+        $authCode
+    )
+    {
+    	$key = $clientId . ':' . $redirectUri . ':' . $authCode;
+
+    	if (isset($this->sessions_code[$key]))
+    	{
+    		return $this->sessions[$this->sessions_code[$key]];
+    	}
+
+    	return false;
+    }
+
+    public function hasSession(
+        $type,
+        $typeId,
+        $clientId
+    )
+    {
+    	die('not implemented hasSession');
+    }
+
+    public function getAccessToken($sessionId)
+    {
+    	die('not implemented getAccessToken');
+    }
+
+    public function removeAuthCode($sessionId)
+    {
+    	die('not implemented removeAuthCode');
+    }
+
+    public function setAccessToken(
+        $sessionId,
+        $accessToken
+    )
+    {
+    	die('not implemented setAccessToken');
+    }
+
+    public function addSessionScope(
+        $sessionId,
+        $scope
+    )
+    {
+    	if ( ! isset($this->session_scopes[$sessionId]))
+    	{
+    		$this->session_scopes[$sessionId] = array();
+    	}
+
+    	$this->session_scopes[$sessionId][] = $scope;
+
+    	return true;
+    }
+
+    public function getScope($scope)
+    {
+    	if ( ! isset($this->scopes[$scope]))
+    	{
+    		return false;
+    	}
+
+    	return $this->scopes[$scope];
+    }
+
+    public function updateSessionScopeAccessToken(
+        $sessionId,
+        $accessToken
+    )
+    {
+    	return true;
+    }
+
+    public function accessTokenScopes($accessToken)
+    {
+    	die('not implemented accessTokenScopes');
+    }
+}

tests/authentication/server_test.php

@@ -0,0 +1,398 @@
+<?php
+
+class Authentication_Server_test extends PHPUnit_Framework_TestCase {
+
+	function setUp()
+	{
+		$this->oauth = new Oauth2\Authentication\Server();
+
+		require_once('database_mock.php');
+		$this->oauthdb = new OAuthdb();
+		$this->assertInstanceOf('Oauth2\Authentication\Database', $this->oauthdb);
+		$this->oauth->registerDbAbstractor($this->oauthdb);
+	}
+
+	function test_generateCode()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('generateCode');
+		$method->setAccessible(true);
+
+		$result = $method->invoke($this->oauth);
+		$result2 = $method->invoke($this->oauth);
+
+		$this->assertEquals(40, strlen($result));
+		$this->assertNotEquals($result, $result2);
+	}
+
+	function test_redirectUri()
+	{
+		$result1 = $this->oauth->redirectUri('http://example.com/foo');
+		$result2 = $this->oauth->redirectUri('http://example.com/foo', array('foo' => 'bar'));
+		$result3 = $this->oauth->redirectUri('http://example.com/foo', array('foo' => 'bar'), '#');
+
+		$this->assertEquals('http://example.com/foo?', $result1);
+		$this->assertEquals('http://example.com/foo?foo=bar', $result2);
+		$this->assertEquals('http://example.com/foo#foo=bar', $result3);
+	}
+
+	function test_checkClientAuthoriseParams_GET()
+	{
+		$_GET['client_id'] = 'test';
+		$_GET['redirect_uri'] = 'http://example.com/test';
+		$_GET['response_type'] = 'code';
+		$_GET['scope'] = 'test';
+		
+		$expect = array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'response_type'	=>	'code',
+			'scopes'	=>	array(
+					0 => array(
+					'id'	=>	1,
+					'scope'	=>	'test',
+					'name'	=>	'test',
+					'description'	=>	'test'
+				)
+			)
+		);
+
+		$result = $this->oauth->checkClientAuthoriseParams();
+
+		$this->assertEquals($expect, $result);
+	}
+
+	function test_checkClientAuthoriseParams_PassedParams()
+	{
+		unset($_GET['client_id']);
+		unset($_GET['redirect_uri']);
+		unset($_GET['response_type']);
+		unset($_GET['scope']);
+
+		$params = array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'response_type'	=>	'code',
+			'scope'	=>	'test'
+		);
+
+		$this->assertEquals(array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'response_type'	=>	'code',
+			'scopes'	=>	array(0 => array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		), $this->oauth->checkClientAuthoriseParams($params));
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_checkClientAuthoriseParams_missingClientId()
+	{
+		$this->oauth->checkClientAuthoriseParams();
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_checkClientAuthoriseParams_missingRedirectUri()
+	{
+		$_GET['client_id'] = 'test';
+
+		$this->oauth->checkClientAuthoriseParams();
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_checkClientAuthoriseParams_missingResponseType()
+	{
+		$_GET['client_id'] = 'test';
+		$_GET['redirect_uri'] = 'http://example.com/test';
+
+		$this->oauth->checkClientAuthoriseParams();
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_checkClientAuthoriseParams_missingScopes()
+	{
+		$_GET['client_id'] = 'test';
+		$_GET['redirect_uri'] = 'http://example.com/test';
+		$_GET['response_type'] = 'code';
+		$_GET['scope'] = ' ';
+
+		$this->oauth->checkClientAuthoriseParams();
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    4
+	 */
+	function test_checkClientAuthoriseParams_invalidScopes()
+	{
+		$_GET['client_id'] = 'test';
+		$_GET['redirect_uri'] = 'http://example.com/test';
+		$_GET['response_type'] = 'code';
+		$_GET['scope'] = 'blah';
+
+		$this->oauth->checkClientAuthoriseParams();
+	}
+
+	function test_newAuthoriseRequest()
+	{
+		$result = $this->oauth->newAuthoriseRequest('user', '123', array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'scopes'	=>	array(array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		));
+
+		$this->assertEquals(40, strlen($result));
+	}
+
+	function test_newAuthoriseRequest_isUnique()
+	{
+		$result1 = $this->oauth->newAuthoriseRequest('user', '123', array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'scopes'	=>	array(array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		));
+
+		$result2 = $this->oauth->newAuthoriseRequest('user', '123', array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'scopes'	=>	array(array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		));
+
+		$this->assertNotEquals($result1, $result2);
+	}
+
+	function test_issueAccessToken_POST()
+	{
+		$auth_code = $this->oauth->newAuthoriseRequest('user', '123', array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'scopes'	=>	array(array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		));
+
+		$_POST['client_id'] = 'test';
+		$_POST['client_secret'] = 'test';
+		$_POST['redirect_uri'] = 'http://example.com/test';
+		$_POST['grant_type'] = 'authorization_code';
+		$_POST['code'] = $auth_code;
+
+		$result = $this->oauth->issueAccessToken();
+
+		$this->assertCount(3, $result);
+		$this->assertArrayHasKey('access_token', $result);
+		$this->assertArrayHasKey('token_type', $result);
+		$this->assertArrayHasKey('expires_in', $result);
+	}
+
+	function test_issueAccessToken_PassedParams()
+	{
+		$auth_code = $this->oauth->newAuthoriseRequest('user', '123', array(
+			'client_id'	=>	'test',
+			'redirect_uri'	=>	'http://example.com/test',
+			'scopes'	=>	array(array(
+				'id'	=>	1,
+				'scope'	=>	'test',
+				'name'	=>	'test',
+				'description'	=>	'test'
+			))
+		));
+
+		$params['client_id'] = 'test';
+		$params['client_secret'] = 'test';
+		$params['redirect_uri'] = 'http://example.com/test';
+		$params['grant_type'] = 'authorization_code';
+		$params['code'] = $auth_code;
+
+		$result = $this->oauth->issueAccessToken($params);
+
+		$this->assertCount(3, $result);
+		$this->assertArrayHasKey('access_token', $result);
+		$this->assertArrayHasKey('token_type', $result);
+		$this->assertArrayHasKey('expires_in', $result);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_issueAccessToken_missingGrantType()
+	{
+		$this->oauth->issueAccessToken();
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    7
+	 */
+	function test_issueAccessToken_unsupportedGrantType()
+	{
+		$params['grant_type'] = 'blah';
+
+		$this->oauth->issueAccessToken($params);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_completeAuthCodeGrant_missingClientId()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$method->invoke($this->oauth);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_completeAuthCodeGrant_missingClientSecret()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$authParams['client_id'] = 'test';
+
+		$method->invoke($this->oauth, $authParams);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_completeAuthCodeGrant_missingRedirectUri()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$authParams['client_id'] = 'test';
+		$authParams['client_secret'] = 'test';
+
+		$method->invoke($this->oauth, $authParams);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    8
+	 */
+	function test_completeAuthCodeGrant_invalidClient()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$authParams['client_id'] = 'test';
+		$authParams['client_secret'] = 'test123';
+		$authParams['redirect_uri'] = 'http://example.com/test';
+
+		$method->invoke($this->oauth, $authParams);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    0
+	 */
+	function test_completeAuthCodeGrant_missingCode()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$authParams['client_id'] = 'test';
+		$authParams['client_secret'] = 'test';
+		$authParams['redirect_uri'] = 'http://example.com/test';
+
+		$method->invoke($this->oauth, $authParams);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ClientException
+	 * @expectedExceptionCode    9
+	 */
+	function test_completeAuthCodeGrant_invalidCode()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('completeAuthCodeGrant');
+		$method->setAccessible(true);
+
+		$authParams['client_id'] = 'test';
+		$authParams['client_secret'] = 'test';
+		$authParams['redirect_uri'] = 'http://example.com/test';
+		$authParams['code'] = 'blah';
+
+		$method->invoke($this->oauth, $authParams);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ServerException
+	 * @expectedExceptionMessage No registered database abstractor
+	 */
+	function test_noRegisteredDatabaseAbstractor()
+	{
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('_dbCall');
+		$method->setAccessible(true);
+
+		$dbAbstractor = $reflector->getProperty('_db');
+		$dbAbstractor->setAccessible(true);
+		$dbAbstractor->setValue($this->oauth, null);
+
+		$result = $method->invoke($this->oauth);
+	}
+
+	/**
+	 * @expectedException        Oauth2\Authentication\ServerException
+	 * @expectedExceptionMessage Registered database abstractor is not an instance of Oauth2\Authentication\Database
+	 */
+	function test_invalidRegisteredDatabaseAbstractor()
+	{
+		$fake = new stdClass;
+		$this->oauth->registerDbAbstractor($fake);
+
+		$reflector = new ReflectionClass($this->oauth);
+		$method = $reflector->getMethod('_dbCall');
+		$method->setAccessible(true);
+
+		$result = $method->invoke($this->oauth);
+	}
+
+}

tests/resource/database_mock.php

@@ -0,0 +1,31 @@
+<?php
+
+use Oauth2\Resource\Database;
+
+class ResourceDB implements Database
+{
+	private $accessTokens = array(
+		'test12345' => array(
+			'id'	=>	1,
+			'owner_type'	=>	'user',
+			'owner_id'	=>	123
+		)
+	);
+
+	private $sessionScopes = array(
+		1	=>	array(
+			'foo',
+			'bar'
+		)
+	);
+
+	public function validateAccessToken($accessToken)
+	{
+		return (isset($this->accessTokens[$accessToken])) ? $this->accessTokens[$accessToken] : false;
+	}
+
+	public function sessionScopes($sessionId)
+	{
+		return (isset($this->sessionScopes[$sessionId])) ? $this->sessionScopes[$sessionId] : array();
+	}
+}

tests/resource/server_test.php

@@ -0,0 +1,121 @@
+<?php
+
+class Resource_Server_test extends PHPUnit_Framework_TestCase {
+
+	function setUp()
+	{
+		require_once('database_mock.php');
+		$this->server = new Oauth2\Resource\Server();
+		$this->db = new ResourceDB();
+
+		$this->assertInstanceOf('Oauth2\Resource\Database', $this->db);
+		$this->server->registerDbAbstractor($this->db);
+	}
+
+	function test_init_POST()
+	{
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_POST['oauth_token'] = 'test12345';
+
+		$this->server->init();
+
+		$reflector = new ReflectionClass($this->server);
+
+		$_accessToken = $reflector->getProperty('_accessToken');
+		$_accessToken->setAccessible(true);
+
+		$_type = $reflector->getProperty('_type');
+		$_type->setAccessible(true);
+
+		$_typeId = $reflector->getProperty('_typeId');
+		$_typeId->setAccessible(true);
+
+		$_scopes = $reflector->getProperty('_scopes');
+		$_scopes->setAccessible(true);
+
+		$this->assertEquals($_accessToken->getValue($this->server), $_POST['oauth_token']);
+		$this->assertEquals($_type->getValue($this->server), 'user');
+		$this->assertEquals($_typeId->getValue($this->server), 123);
+		$this->assertEquals($_scopes->getValue($this->server), array('foo', 'bar'));
+	}
+
+	function test_init_GET()
+	{
+		$_GET['oauth_token'] = 'test12345';
+
+		$this->server->init();
+
+		$reflector = new ReflectionClass($this->server);
+
+		$_accessToken = $reflector->getProperty('_accessToken');
+		$_accessToken->setAccessible(true);
+
+		$_type = $reflector->getProperty('_type');
+		$_type->setAccessible(true);
+
+		$_typeId = $reflector->getProperty('_typeId');
+		$_typeId->setAccessible(true);
+
+		$_scopes = $reflector->getProperty('_scopes');
+		$_scopes->setAccessible(true);
+
+		$this->assertEquals($_accessToken->getValue($this->server), $_GET['oauth_token']);
+		$this->assertEquals($_type->getValue($this->server), 'user');
+		$this->assertEquals($_typeId->getValue($this->server), 123);
+		$this->assertEquals($_scopes->getValue($this->server), array('foo', 'bar'));
+	}
+
+	function test_init_header()
+	{
+		// Test with authorisation header
+		$this->markTestIncomplete('Authorisation header test has not been implemented yet.');
+	}
+
+	/**
+	 * @expectedException        \Oauth2\Resource\ClientException
+	 * @expectedExceptionMessage An access token was not presented with the request
+	 */
+	function test_init_missingToken()
+	{
+		$this->server->init();
+	}
+
+	/**
+	 * @expectedException        \Oauth2\Resource\ClientException
+	 * @expectedExceptionMessage The access token is not registered with the resource server
+	 */
+	function test_init_wrongToken()
+	{
+		$_POST['oauth_token'] = 'blah';
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->server->init();
+	}
+
+	function test_hasScope()
+	{
+		$_POST['oauth_token'] = 'test12345';
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->server->init();
+
+		$this->assertEquals(true, $this->server->hasScope('foo'));
+		$this->assertEquals(true, $this->server->hasScope('bar'));
+		$this->assertEquals(true, $this->server->hasScope(array('foo', 'bar')));
+
+		$this->assertEquals(false, $this->server->hasScope('foobar'));
+		$this->assertEquals(false, $this->server->hasScope(array('foobar')));
+	}
+
+	function test___call()
+	{
+		$_POST['oauth_token'] = 'test12345';
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->server->init();
+
+		$this->assertEquals(123, $this->server->isUser());
+		$this->assertEquals(false, $this->server->isMachine());
+	}
+
+}