Friday, May 23, 2014

Mobile and lightening talks at JSSophia

Last JSSophia event was hosted at CrossKnowledge (big thank you to Matthieu and Stephane). We had a guest speaker Erik, coming from Switzerland to talk about Cordova. Live demo, always comes with surprise specially when not run on your computer ;)

As always in JSSophia meet-up, a very interactive session where you ask, participate, give your view and share with the speaker and the audience. It was really fun to have you Erik :)

Second part was lightening talks, starring:
Mathieu for a 5 minutes, fast paced introduction on Browserify: Bertrand to carry on with noderjs: Sebastien with the wifi back on time, talking about Firefox OS app: Bertrand show us how to debug on Cordova Android: Fred on MEAN: and last but not least, Yacine on Ionic (trolling on jqm): See you at next JSSophia, stay tuned!

Tuesday, May 20, 2014

OAuth2 grant flows

OAuth2 what is it for?

OAuth 2.0 is an authorization framework commonly used to grant applications limited access to a user's resources without exposing the users credentials to the application.

As simple as that. But guess what, there isn't just one way of granting. Let's visit the different OAuth2 grant types as described in the spec.

To go a bit deeper in details from my previous post on OAuth2-discussion-part1, I would list 4 actors:
  • authz server,
  • resource server, those two are generally separate server from your OAuth2 provider, the later responsible for serving resource checking if there a valid token the former, giving authorisation by providing the hop access token,
  • user (resource owner),
  • client (mobile app).
The most common flow is based on Authorisation code grant. See it explained in my last post with GoogleDrive as an exemple.

Delving deeper in OAuth2 specification, there is several grant types in order to provide an access token. From the spec, we can extract four authorisation grants:
  • Authorisation code grant
  • Implicit grant
  • Resource owner credentials grant
  • Client credentials grant

Authorization Code Grant

As said earlier, without doubt the most popular one and most probably the one you need ;)

On native app, this flow can be achieved either using an embedded browser or redirect the user to the native browser and then are redirected back to the app using a custom protocol (in iOS land, we use URL Schemes). For AeroGear-iOS OAuth2 library we use the latter. We’ll discuss more in details why in next blog post.

The authorisation code grant type is used to obtain both access tokens and refresh tokens. In next blog post, I shall also talk in detail about refreshing token flow;

Implicit grant

Ok this one target pure “web” app. From the spec: “In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly (as the result of the resource owner authorization)”.

With the implicit grant you get straight an access token, but you don’t get refresh token. BTW, you can find an exemple of implementation in AeroGear-JS with its demo GoogleDrive cookbook recipe.

Resource Owner Password Credentials Grant

When this grant is implemented the client itself will ask the user for their username and password to get an access token. This is used for trusted client.

Client credentials grant

A variant of the previous one, except only the client credentials are used. Similar use cases. For exemple, Twitter decided to implement client credentials OAuth2 type.

What does it mean?
  • if your application only shows tweets from other users, you can get authorized using OAuth 2.
  • but if you want any users to use your app to post tweets or do anything else on a user's behalf, you should stick to OAuth 1.0a Twitter API.

Here are the 4 basic grant types. At those, you can add Refresh token grant and the extension grant (MAC token, JSON web, SAML). And of course, how much a provider is OAuth2 compliant is also source of variants...
But that will be the subject of another post ;)

Thursday, May 15, 2014

Testing without design footprint

Using OCMock for iOS test

Using mock libraries ease your unit testing in isolation. But as discussed in my previous post, we may end-up with a test oriented (over) layered design. Let's see how to test in isolation using mock but still leave a minimal footprint on your design.

Do your tests:

without checking everything

When a mock object receives a message that hasn't been either stubbed or expected, it throws an exception immediately and your test fails. This is called a strict mock behavior and this is just a pain...

Checking behavior rather than state, you want to write test easy to understand. Using nice mock, any type helps.

NOTE: What is the difference between expect and stub?
You may want to check the original post from Martin Fowler on Mock aren't Stubs.

TD;DR; You expect things that must happen, and stub things that might happen. In OCMock context, when you call verify on your mock (generally at the end of your test), it checks to make sure all of the methods you expected were actually called. If any were not, your test will fail. Methods that were stubbed are not verified.

Here we want to check the OAuth2 HTTP protocol.

        it(@"should issue a request for exchanging authz code for access token", ^{
            __block BOOL wasSuccessCallbackCalled = NO;
            void (^callbackSuccess)(id obj) = ^ void (id object) {wasSuccessCallbackCalled = YES;};
            void (^callbackFailure)(NSError *error) = ^ void (NSError *error) {};
            id mockAGHTTPClient = [OCMockObject mockForClass:[AGHttpClient class]]; // [1]
            NSString* code = @"CODE"; 
            AGRestOAuth2Module* myRestAuthzModule = [[AGRestOAuth2Module alloc] initWithConfig:config client:mockAGHTTPClient]; // [3]
            NSMutableDictionary* paramDict = [@{@"code":code, @"client_id":config.clientId, @"redirect_uri": config.redirectURL, @"grant_type":@"authorization_code"} mutableCopy];
            [[mockAGHTTPClient expect] POST:config.accessTokenEndpoint parameters:paramDict success:[OCMArg any] failure:[OCMArg any]]; // [2]
            [myRestAuthzModule exchangeAuthorizationCodeForAccessToken:code success:callbackSuccess failure:callbackFailure];
            [mockAGHTTPClient verify];
            [mockAGHTTPClient stopMocking];

In [1], we create a mock with an expectation [2], the important part for the test is checking URL endpoint and parameters, for the other arguments I'll simply put any type: [OCMArg any].

without Dependency Injection

In the previous example, in [3] we see an example where we inject our mock within a real object. there is some cases where DI is not easy, could we still mock without injecting?

For example here I want to mock the following call [[UIApplication sharedApplication] openURL:url] within the method under test requestAuthorizationCodeSuccess:failure:, here is a way to
        it(@"should issue a request for authz code when no previous access grant was requested before", ^{
            __block BOOL wasSuccessCallbackCalled = NO;
            void (^callbackSuccess)(id obj) = ^ void (id object) {wasSuccessCallbackCalled = YES;};
            void (^callbackFailure)(NSError *error) = ^ void (NSError *error) {};
            //given a mock UIApplication
            id mockApplication = [OCMockObject mockForClass:[UIApplication class]];
            [[[mockApplication stub] andReturn:mockApplication] sharedApplication];
            [[mockApplication expect] openURL:[OCMArg any]];
            AGRestOAuth2Module* myRestAuthzModule = [[AGRestOAuth2Module alloc] initWithConfig:config];
            [myRestAuthzModule requestAuthorizationCodeSuccess:callbackSuccess failure:callbackFailure];

            [mockApplication verify];
            [mockApplication stopMocking];

without splitting my classes in several layers

Without debating "one class should do one thing only" suppose, you have a class with several methods, you want to test one method and mock the other ones.

Here requestAccessSuccess:failure: method delegate its call to either refreshAccessTokenSuccess:failure: or exchangeAccessTokenSuccess:failure: depending if an access token and expiration date are present.

        it(@"should issue a refresh request when access token has expired", ^{
            void (^callbackSuccess)(id obj) = ^ void (id object) {};
            void (^callbackFailure)(NSError *error) = ^ void (NSError *error) {};
            restAuthzModule.session.accessTokens = @"ACCESS_TOKEN";
            restAuthzModule.session.refreshTokens = @"REFRESH_TOKEN";
            restAuthzModule.session.accessTokensExpirationDate = 0;
            // Create a partial mock of restAuthzModule
            id mock = [OCMockObject partialMockForObject:restAuthzModule];
            [[mock expect] refreshAccessTokenSuccess:[OCMArg any] failure:[OCMArg any]];
            [restAuthzModule requestAccessSuccess:callbackSuccess failure:callbackFailure];
            [mock verify];
            [mock stopMocking];

I guess you got the idea. Test, whatever you need to test, don't go to close to the implementation.
Some may call it TDD vs. BDD, but I simply go: "Use what works best for you".

Wednesday, May 14, 2014

Is TDD dead for real?

After all the buzz around #isTDDDead on twitter, reading post from dhh, listening to RailsConf 2014 keynote, watching live streaming debate, I'm back coding. And I wonder...

After quite a few years spent in the trenches of XP, working with PowerMock/EasyMock/Mockito and all *Mock* pattern libraries, strong advocate of isolation testing, following test pyramid approach, automate testing at all layers as guide, what is this #isTDDDead all about?

It's not about automating test, it's not about unit test, both still seeing as a useful tool for developers. It's more about test first approach whatever your do, it's about 80% coverage criteria, it's about management measurement to make you feel sorry about your "dirty dirty code" (quoting dhh here). Wanting to unit test whatever it costs ie: overuse of mocks, dependency injection or single responsibility principle, refactoring code to make it testable. Test first approach and mockc overuse can lead to too-much layered design. Code where a class is doing just one single little thing and you need to dig deeper to eventually know what's it's all about. Cleaner code? Not so sure...

Back to code, today writing objective-C (I wish I can write french poetry too), I want to unit test my OAuth2 flow, guess what? I need to use mock. And you know what, I'll use OCMock, it might be in a different way though.

I can sleep happy, TDD is not dead or maybe it is but it's more like a Phoenix.

Back to code.

Sculpte, lime, cisèle;
Que ton rêve flottant
Se scelle
Dans le bloc résistant !